Comments (8)
Do you block access by geographic region or countries? Because Let's Encrypt recently added two additional remote validation server locations. The "secondary validation" points to a problem with one of the 4 secondary sites (the 5th validation center is in the USA).
This has been a common topic on the Let's Encrypt community forum since this change:
https://community.letsencrypt.org/t/lets-encrypt-is-adding-two-new-remote-perspectives-for-domain-validation/214123
from getssl.
That was the exact problem. I have spent days trying to track this down, and there is zero chance I would ever have considered this as the issue. Thanks so much for responding!
from getssl.
That did resolve the specific error, but now I'm getting:
- The certificate could not be installed on the domain “DOMAIN.com”.
- Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.
from getssl.
Where do you see that error?
If your last good cert was before Feb 8 of this year, I would guess that the system reporting the error does not have the ISRG Root X1 certificate in its CA store. Is it an older system? On Feb 8 the default chain from Let's Encrypt no longer includes the cross-signed DST Root CA X3 and so systems must trust ISRG Root X1.
Temporarily you can request the older "long chain" but this will soon be gone anyway. If this sounds possible see below.
https://community.letsencrypt.org/t/shortening-the-lets-encrypt-chain-of-trust/201580
from getssl.
The expired certificate was issued in January 2024.
"system reporting the error does not have ISRG Root X1 certificate in its CA store."
Is that something the webhost needs to do?
Using the long chain option below didn't change the getssl output:
FULL_CHAIN_INCLUDE_ROOT="true"
That's an error from getssl. Full text below:
DOMAIN.com: remote cert expires sooner than local, attempting to upload from local
reloading SSL services
[2024-04-21 13:44:22 -0500] warn [uapi] Cpanel::Wrap::send_cpwrapd_request adminbin Cpanel/ssl/ADD: exit 5: namespace=[Cpanel] module=[ssl] function=[ADD]: raw_response=[{"mode":"full","statusmsg":"adminbin Cpanel/ssl/ADD: exit 5","status":1,"version":"2.4","data":{"message":"Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.","statusmsg":"Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.","action":"install","status":0,"html":"Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included."},"exit_code":1280,"error":1,"timeout":0,"action":"fetch"}]
[2024-04-21 13:44:22 -0500] warn [uapi] Cpanel::Wrap::send_cpwrapd_request error: namespace=[Cpanel] module=[ssl] function=[ADD]: statusmsg=[adminbin Cpanel/ssl/ADD: exit 5]
---
apiversion: 3
func: install_ssl
module: SSL
result:
  data:
    cert_id: DOMAIN_com_9dfc5_73007_1721488995_2cd368d44c64a395a76757dbfdce85cc
    key_id: 9dfc5_73007_5e08944e645ddef9d75418b8f918c2bb
  errors:
    - The certificate could not be installed on the domain “DOMAIN.com”.
    - Certificate verification failed! The system did not find the root certificate that corresponds to the supplied Certificate Authority Bundle’s intermediate certificate. Please supply a full Certificate Authority Bundle with the root certificate included.
  messages: ~
  metadata: {}
  status: 0
  warnings: ~
DOMAIN.com: certificate is valid for more than 30 days (until Jul 20 15:23:15 2024 GMT)
from getssl.
The error is coming from cPanel. I am not an expert at cPanel, but you could try to copy/paste the cert, chain, and private key yourself into your cPanel screen. You may need to take that up with your hosting service if that fails.
The message is a little puzzling in that it suggests adding the Root certificate to the chain. I didn't think modern cPanel systems require the root cert in the chain. I might be wrong or yours might need it.
The other possibility is the script you use to update cPanel needs updating. Perhaps it is manipulating the chain.pem file wrongly now that it is shorter than before.
Maybe someone else here will be able to help. Or, try the Let's Encrypt community forum.
from getssl.
I tried copy/pasting the certs into cpanel, but it basically throws the same error.
The script being used to update cpanel is the one in the repo cpanel_cert_upload.
I'll try over in the LE forum also. Thanks again for your help here.
from getssl.
UPDATE: removing the existing chain, fullchain, and DOMAIN.com.crt files from .getssl/DOMAIN.com resolved the issue. Not entirely sure why, but once I did that everything worked and updated cpanel.
from getssl.
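The thread turns on which certificates sit in the bundle handed to cPanel and which CA the installing system must already trust. As an added diagnostic example (not part of getssl or of any post above; the function names are hypothetical), this script splits a PEM bundle, flags expired or out-of-order certificates, and prints the issuer that has to be in the installer's trust store:

```shell
#!/usr/bin/env bash
# Added example, not getssl code. Requires the openssl CLI and awk.

# split_bundle BUNDLE DIR: write each certificate to DIR/cert-NN.pem, print the count.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert-%02d.pem", dir, n) }
    out != ""                     { print > out }
    /-----END CERTIFICATE-----/   { close(out); out = "" }
    END                           { print n + 0 }' "$1"
}

# chain_top_issuer BUNDLE: print the issuer of the last certificate in the bundle,
# i.e. the CA the installing system must find in its own store.
chain_top_issuer() {
  local dir count
  dir=$(mktemp -d) || return 2
  count=$(split_bundle "$1" "$dir")
  [ "$count" -gt 0 ] || { rm -rf "$dir"; return 2; }
  openssl x509 -noout -issuer -in "$(printf '%s/cert-%02d.pem' "$dir" "$count")"
  rm -rf "$dir"
}

# chain_check BUNDLE: return 0 only if every certificate is unexpired and names the
# next certificate as its issuer (a name comparison, not a signature verification).
chain_check() {
  local dir count i=1 cur next rc=0
  dir=$(mktemp -d) || return 2
  count=$(split_bundle "$1" "$dir")
  [ "$count" -gt 0 ] || { echo "no certificates in $1" >&2; rm -rf "$dir"; return 2; }
  while [ "$i" -le "$count" ]; do
    cur=$(printf '%s/cert-%02d.pem' "$dir" "$i")
    next=$(printf '%s/cert-%02d.pem' "$dir" $((i + 1)))
    openssl x509 -noout -subject -enddate -in "$cur"
    openssl x509 -noout -checkend 0 -in "$cur" >/dev/null || { echo "  EXPIRED" >&2; rc=1; }
    if [ "$i" -lt "$count" ] && [ "$(openssl x509 -noout -issuer_hash -in "$cur")" != \
                                  "$(openssl x509 -noout -subject_hash -in "$next")" ]; then
      echo "  NOT issued by the next certificate in the bundle" >&2; rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return "$rc"
}
```

Source the file, then run `chain_check` and `chain_top_issuer` on the fullchain file in the domain's getssl working directory before uploading it.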