Why does a Let's Encrypt SSL certificate display warning messages? - lets-encrypt

I'm new to Let's Encrypt SSL certificates.
I have followed the article here, but received the following warning messages upon loading the website:
Warning: stream_socket_client(): Peer certificate CN=`abc.com' did not match expected CN=`1.2.3.4' in /usr/share/nginx/html/wp-includes/class-wp-http-streams.php on line 150
Warning: stream_socket_client(): Failed to enable crypto in /usr/share/nginx/html/wp-includes/class-wp-http-streams.php on line 150
Warning: stream_socket_client(): unable to connect to ssl://1.2.3.4:443 (Unknown error) in /usr/share/nginx/html/wp-includes/class-wp-http-streams.php on line 150
Any clue on what's going on?

I finally found the answer.
I modified my DNS control panel to use 2 nameservers, where previously there were 4 nameservers from 2 different web hosting providers.
Then I tried:
sudo certbot --nginx -d abc.com -d www.abc.com --force-renewal
Refreshed the browser and voila, it works now.
Hopefully this will be useful to whoever encounters the same problem.

Related

Turnserver showing WebSocket open error: WebSocket error after trying to join a room

My app has a 1:1 video calling feature, and for that I set up my own turnserver. The turnserver was running perfectly till yesterday. When I try to call from the app, the turnserver rejects it. I tried the turnserver URL from the browser, and it shows something like this,
Immediately, I checked the collidermain log, and it shows
root#<machine_name>:~# <timestamp> Starting collider: tls = true, port = 8443, room-server=https://<mydomain>.com
<timestamp> http: TLS handshake error from 182.160.105.186:43243: remote error: tls: unknown certificate
And this kept showing up every time my app tried to connect to the turnserver.
Thought SSL certificates had something to do with it, so I replaced the SSL certificates and tried reinstalling collidermain and restarting google-cloud-sdk, turnserver and collidermain. Still no luck.
Found two similar questions on Stack Overflow.
WebSocket open error: WebSocket error. This is not a Chrome bug, because I have two other turnservers running perfectly fine at the time I am writing this, and server health is pretty good.
Websocket open error, websocket register error. This is not working either. I reinstalled collider. No luck.
My question is, what is the root cause of this error and how to fix it?
System specs:
OS: Ubuntu 20.04
AppRTC code running with Google-cloud-sdk, version: 330.0.0
Turnserver version: 4.4.3
Signalling server: collidermain
Certificate issued with let's encrypt certbot
It's solved! Here's what happened.
I copied the certificates issued by certbot into another directory, /cert/,
and in the turnserver.conf file I pointed the certificate path to the /cert/ directory. So it worked fine for a while. Certbot certificates are valid for 3 months, and they are renewed automatically when the validity expires. So certbot renewed the certificates and put them into /etc/letsencrypt/live/:domain_name/, while turnserver.conf was still pointing to the outdated certificates residing in the /cert/ directory. That's why, when I tried to join a room, turnserver was using outdated certificates and showed the TLS handshake error.
So I just changed the certificate path from /cert/ to /etc/letsencrypt/live/:domain_name/ in turnserver.conf, and it's back online! Yay!!
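Added example (mine, not from the post above or from certbot or coturn): for the case where turnserver has to read from its own directory rather than /etc/letsencrypt/live (that directory is typically root-only, and coturn usually runs as an unprivileged user), a certbot --deploy-hook that copies the renewed pair into place and restarts the service only when the files actually changed. The /cert directory and the "coturn" service name are placeholders from the post; RENEWED_LINEAGE and RENEWED_DOMAINS are the environment variables certbot sets for deploy hooks; the script and function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original post, certbot or coturn.
# Keep a copy of a renewed Let's Encrypt certificate in sync and restart
# coturn when it changes. Install it once with:
#   certbot renew --deploy-hook /usr/local/bin/sync-turn-certs.sh
# certbot exports RENEWED_LINEAGE (e.g. /etc/letsencrypt/live/example.com)
# and RENEWED_DOMAINS to deploy hooks. /cert and "coturn" are placeholders.

# sync_certs SRC_DIR DST_DIR
#   0: certificate and key were (re)copied into DST_DIR
#   1: DST_DIR already holds identical files, nothing to do
#   2: SRC_DIR does not contain a fullchain.pem/privkey.pem pair
sync_certs() {
    src="$1"; dst="$2"
    if [ ! -f "$src/fullchain.pem" ] || [ ! -f "$src/privkey.pem" ]; then
        return 2
    fi
    mkdir -p "$dst"
    # Compare first so an unchanged certificate does not restart the
    # service. cmp -s also fails (silently) when the copy is missing.
    if cmp -s "$src/fullchain.pem" "$dst/fullchain.pem" \
       && cmp -s "$src/privkey.pem" "$dst/privkey.pem"; then
        return 1
    fi
    # cp follows the symlinks in /etc/letsencrypt/live/<domain>/ and
    # writes regular files, so DST_DIR never points back into live/.
    cp "$src/fullchain.pem" "$dst/fullchain.pem"
    cp "$src/privkey.pem" "$dst/privkey.pem"
    chmod 600 "$dst/privkey.pem"
    return 0
}

# Hook entry point: only acts when certbot invoked us with a renewed lineage.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if sync_certs "$RENEWED_LINEAGE" /cert; then
        echo "certificate for ${RENEWED_DOMAINS:-?} changed, restarting coturn"
        systemctl restart coturn
    fi
fi
```

Point the cert= and pkey= lines of turnserver.conf at the copied files, then confirm what the running server actually presents rather than what is on disk: openssl s_client -connect host:5349 -servername host </dev/null | openssl x509 -noout -dates -subject (5349 is coturn's default TLS port). If the notAfter date printed there is older than the one in /etc/letsencrypt/live, the service is still serving a stale copy.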

HTTPS API access issues

Good afternoon, dear community!
I ask for help from those who had the relevant experience.
I am making an API request to https://ssl.croinform.ru:450. For example, an authentication request: curl -k POST https://ssl.croinform.ru:450/api.test?Type=Login&Login=testUser&Password=testPassword but I get an error. The error text differs depending on the environment where I run the curl command.
On Windows I experiment in Git Bash (curl version 7.77.0) and Cygwin64 (curl version 7.78.0) and get the same error: curl: (35) error: 14094410: SSL routines: ssl3_read_bytes: sslv3 alert handshake failure.
In CentOS 7 (curl version 7.78.0): curl: (6) Could not resolve host: POST
curl: (35) Cannot communicate securely with peer: no common encryption algorithm(s).
The service provides certificates that need to be installed on your OS: cacer.p7b, ssl.croinform.cer. As recommended in the service documentation, on Windows I installed them in Trusted Root Certification Authorities. There is no support recommendation for CentOS 7, but I put the certificates in /etc/pki/ca-trust/source/anchors/ and ran the update-ca-trust enable and update-ca-trust extract commands. These actions do not solve the problem.
Please tell me what I am doing wrong.
Thanks in advance!
Your error shows the protocol to use is SSL version 3, and the handshake is failing to agree on using this protocol to communicate with SSL.
Plus, this may be unsupported now; the latest TLS versions are TLS 1.1 and 1.2.
You could try a different protocol version, for example:
curl --tlsv1.2
to use TLS 1.2, but have a look at the documentation for other protocols also.
If this is a test, you can allow insecure connections with the curl -k parameter.
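Added example (mine, not from the question or the answer): two defects in the posted command that are independent of the TLS problem, and a probe of which protocol versions the endpoint accepts. curl parses the bare word POST as a second URL to fetch, which is exactly the CentOS "Could not resolve host: POST" error; the method is set with -X POST. An unquoted & in the URL is a shell background operator, so the query string is cut off after Type=Login. The host, port, path and parameter names are the ones quoted in the question; API_BASE and the function names are assumptions of this example. curl's --tlsv1.0, --tlsv1.1, --tlsv1.2, --tlsv1.3 and --tls-max options are real; the probe uses them to pin one version per attempt.

```shell
#!/bin/sh
# Added example, not from the question or answer. Host, port, path and
# parameter names come from the question; API_BASE and the helpers are mine.

API_BASE="https://ssl.croinform.ru:450"

# url_encode VALUE: percent-encode everything except RFC 3986 unreserved
# characters, so a '&' or '=' inside a password cannot split the query.
url_encode() {
    printf '%s' "$1" | od -An -v -to1 | tr ' ' '\n' | while read -r oct; do
        [ -n "$oct" ] || continue
        c=$(printf "\\$oct")           # octal byte back to a character
        case "$c" in
            [A-Za-z0-9._~-]) printf '%s' "$c" ;;
            *) printf '%%%02X' "0$oct" ;;   # leading 0: printf reads octal
        esac
    done
}

# login_url LOGIN PASSWORD: the authentication URL with both values encoded.
login_url() {
    printf '%s/api.test?Type=Login&Login=%s&Password=%s' \
        "$API_BASE" "$(url_encode "$1")" "$(url_encode "$2")"
}

# api_login CA_PEM LOGIN PASSWORD
# - "-X POST" sets the method; a bare "POST" word is a second URL to curl.
# - The URL is quoted, so the shell does not see '&' as a background operator.
# - --cacert with the service's own CA replaces -k: the handshake still
#   authenticates the server instead of accepting any certificate.
api_login() {
    ca="$1"; login="$2"; password="$3"
    curl --silent --show-error --fail --tlsv1.2 --cacert "$ca" \
         -X POST "$(login_url "$login" "$password")"
}

# tls_probe HOST [PORT]: one handshake per protocol version, pinning both the
# minimum and the maximum so the server cannot negotiate around it. If every
# version is rejected, the version is not the problem: look at cipher suites
# and the certificate chain next (openssl s_client -connect HOST:PORT shows
# the full handshake). --insecure here only stops a certificate problem from
# hiding the version result; do not use it for the real request.
tls_probe() {
    host="$1"; port="${2:-443}"
    for v in 1.0 1.1 1.2 1.3; do
        if curl --silent --output /dev/null --max-time 10 --insecure \
                "--tlsv$v" --tls-max "$v" "https://$host:$port/"; then
            printf 'TLS %s: accepted\n' "$v"
        else
            printf 'TLS %s: rejected (curl exit %d)\n' "$v" "$?"
        fi
    done
}
```

To get a PEM file for --cacert from the provided cacer.p7b: openssl pkcs7 -print_certs -in cacer.p7b -out ca.pem (add -inform DER if the file is binary rather than Base64). Then tls_probe ssl.croinform.ru 450 tells you which versions the server will talk, and api_login ca.pem testUser testPassword sends the request without disabling verification.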

Unable to use acme.sh with tls-alpn-01 to renew or issue a certificate

According to the official acme.sh documentation (link), issuing a certificate is as simple as running the following command:
$ acme.sh --issue --alpn -d example.com
However, I am getting the following error
Error, can not get domain token entry example.com for `tls-alpn-01`
The supported validation types are `http-01` `dns-01` , but you specified: `tls-alpn-01`
I have tried switching from the default ZeroSSL.com to BuyPass.com, but that does not help. It seems that these providers do not allow tls-alpn-01 validation method, but it could be related to something that I am missing.
PS:
To preemptively answer some questions:
I have a valid domain that I replaced with "example.com"
The site is functional on port 443, but port 80 is blocked by my ISP, hence tls-alpn-01.
I am stopping Nginx, and then checking with netstat that port 443 is not bound to a service.
When I run the script with the --debug 2 parameter, I get the following value for the _authorizations_map variable:
_authorizations_map='example.com,{"identifier":{"type":"dns","value":"example.com"},"status":"pending","expires":"2021-08-18T22:53:50Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/wYehJ8kQjUDiDadBJ12qKw", "status":"pending","token":"Sfga2N2KwV-2hg3wo1gYAoyFvqV87dRvG2sHw4I6ups"},{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/CkrMQdEJthf-TmWvllW-Bg", "status":"pending","token":"_AlgMGzIfSQs7673Su-njnpieba_zLpSYxiUdXDEFnz"}]}'
Same problem; I switched from ZeroSSL to the Let's Encrypt CA, and now it works without problems.
https://community.letsencrypt.org/t/the-acme-sh-will-change-default-ca-to-zerossl-on-august-1st-2021/144052
Edit: oops, sorry.
To tell acme.sh to use the Let's Encrypt CA,
use:
acme.sh --set-default-ca --server letsencrypt
and then try to issue the certificate again in tls-alpn-01 mode.
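Added example (mine, not part of acme.sh or the posts above): the authorization object in the question's debug output lists only http-01 and dns-01 in its challenges array, which is what the "supported validation types" error is reporting. The script below reads the challenge types out of such an object so you can tell before issuing whether the CA you are pointed at offers the method you need, and wraps the CA switch from the answer. The sample JSON is the one from the question (shortened to the authorization object); the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of acme.sh. Inspect which ACME challenge types a
# CA offered in an authorization object (the _authorizations_map value that
# `acme.sh --debug 2` prints) and refuse a validation method it did not list.

# Authorization object copied from the question's debug output (ZeroSSL).
SAMPLE_AUTHZ='{"identifier":{"type":"dns","value":"example.com"},"status":"pending","expires":"2021-08-18T22:53:50Z","challenges":[{"type":"http-01","url":"https://acme.zerossl.com/v2/DV90/chall/wYehJ8kQjUDiDadBJ12qKw","status":"pending","token":"Sfga2N2KwV-2hg3wo1gYAoyFvqV87dRvG2sHw4I6ups"},{"type":"dns-01","url":"https://acme.zerossl.com/v2/DV90/chall/CkrMQdEJthf-TmWvllW-Bg","status":"pending","token":"_AlgMGzIfSQs7673Su-njnpieba_zLpSYxiUdXDEFnz"}]}'

# offered_challenges JSON: one challenge type per line. Only challenge
# objects have a "type" ending in -01; the identifier's "type":"dns" is
# deliberately not matched.
offered_challenges() {
    printf '%s' "$1" | grep -o '"type":"[a-z0-9-]*-01"' \
        | sed 's/"type":"\(.*\)"/\1/'
}

# supports_challenge JSON TYPE: exit 0 if TYPE is among the offered ones.
supports_challenge() {
    offered_challenges "$1" | grep -qx "$2"
}

# issue_with_alpn DOMAIN: the fix from the answer. Let's Encrypt offers
# tls-alpn-01; acme.sh then listens on port 443 itself, so nginx must be
# stopped (or --alpn combined with --tlsport behind a proxy) while it runs.
issue_with_alpn() {
    acme.sh --set-default-ca --server letsencrypt \
    && acme.sh --issue --alpn -d "$1"
}

# Stand-alone run: report what the sample authorization offers.
echo "challenges offered:"
offered_challenges "$SAMPLE_AUTHZ"
if supports_challenge "$SAMPLE_AUTHZ" tls-alpn-01; then
    echo "tls-alpn-01 is available from this CA"
else
    echo "tls-alpn-01 is not offered by this CA; switch CA before --alpn"
fi
```

Run the check against the object from your own --debug 2 output after switching CAs: if tls-alpn-01 now appears in the list, the --alpn issue will proceed to the validation step rather than failing on the token lookup.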

SSL Certificate host name mismatch in certbot even though both names have certificates

I'm stuck on how to fix this SSL error.
My SSL certs work fine in Chrome, but in Safari and Firefox I get an error that there is a host name mismatch if I go to www.domain.com instead of just domain.com.
I've set up SSL certificates using Certbot for my domain, for both domain.com and www.domain.com.
When I check on nginx to make sure that the certificates exist, I run sudo certbot --nginx, then select both of the domains when asked "Which names would you like to activate HTTPS for?", and for both domain.com and www.domain.com I get the result "You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry", and it asks if I'd like to attempt to reinstall or renew and replace the cert.
I'm not sure what other steps I can take, as last time I installed certbot I simply followed the instructions, did the above for both www and non-www addresses, and it simply worked at both www and non-www!
Does anyone have any suggestions what to do next?
TLDR:
domain.com: works fine in firefox/safari, nginx says cert exists
www.domain.com: host name mismatch in firefox/safari, nginx says cert exists
why?!
After messing with it for a while, and trying #xyz's SSL checker, I figured out the following things:
both certs were valid;
when I reinstalled the certs using certbot, the most recent cert would start working and the previous one would stop working;
it turned out that I needed to add the other URL as a subdomain to the existing cert, and that fixed it!
I used:
sudo certbot -d domain.com -d www.domain.com
and that did the trick
You can check both domains from an external service, e.g. here:
https://www.sslshopper.com/ssl-checker.html
It will tell you if the certificate is correctly installed on both.
You should also open a new tab in Chrome, open developer tools, record network requests, then go to www.domain.com and see what redirects Chrome makes and what URLs it actually makes requests to. Maybe it has some automatic URL changing based on previously successfully resolved URLs.
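Added example (mine, not from any of the posts on this page) covering two questions above: the WordPress warning at the top of the page (expected CN 1.2.3.4, peer certificate CN abc.com) and the www/non-www host name mismatch in this question are both the client's name check failing, so this script does that check against the Subject Alternative Name list of a certificate. The SAN text is constructed here in the shape of `openssl x509 -noout -ext subjectAltName` output; domain.com, www.domain.com and 1.2.3.4 are the placeholders used in the questions; the function names are assumptions of this example. The served_san helper fetches the extension from a live server with SNI, because nginx selects the certificate per server block from the name the client sends, so checking without -servername can show you the default block's certificate rather than the one a browser for www.domain.com receives.

```shell
#!/bin/sh
# Added example, not from the posts above. Check whether a certificate's
# Subject Alternative Names cover the name a client actually connects to.

# Constructed sample in the shape of `openssl x509 -noout -ext subjectAltName`
# output, for a certificate issued with -d domain.com -d www.domain.com.
SAMPLE_SAN='X509v3 Subject Alternative Name:
    DNS:domain.com, DNS:www.domain.com'

# san_names SAN_TEXT: print the entries one per line as DNS:<name> or
# IP:<address>; the header line and other entry types are dropped.
san_names() {
    printf '%s\n' "$1" | tr ',' '\n' | sed -n \
        -e 's/^[[:space:]]*DNS:\([^[:space:]]*\)[[:space:]]*$/DNS:\1/p' \
        -e 's/^[[:space:]]*IP Address:\([^[:space:]]*\)[[:space:]]*$/IP:\1/p'
}

# name_matches NAME ENTRY: 0 if one SAN entry covers NAME.
# A wildcard matches exactly one label (*.domain.com covers www.domain.com
# but neither domain.com nor a.b.domain.com). An IP target only matches an
# IP entry, never a DNS entry: that is why a request to https://1.2.3.4
# fails against a certificate for abc.com, whatever its CN says.
name_matches() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    kind=${2%%:*}
    value=$(printf '%s' "${2#*:}" | tr 'A-Z' 'a-z')
    case "$kind" in
        IP) [ "$name" = "$value" ] ;;
        DNS)
            case "$value" in
                \*.*)
                    case "$name" in
                        *.*) [ "${name#*.}" = "${value#\*.}" ] ;;
                        *) return 1 ;;
                    esac ;;
                *) [ "$name" = "$value" ] ;;
            esac ;;
        *) return 1 ;;
    esac
}

# cert_covers NAME SAN_TEXT: 0 if any SAN entry covers NAME.
cert_covers() {
    while read -r entry; do
        [ -n "$entry" ] || continue
        if name_matches "$1" "$entry"; then return 0; fi
    done <<EOF
$(san_names "$2")
EOF
    return 1
}

# served_san HOST [PORT]: the SAN extension of the certificate HOST actually
# serves for that name. -servername sends SNI, so nginx answers with the
# certificate of the matching server block, as a browser would see it.
served_san() {
    openssl s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName
}

# Stand-alone run against the constructed sample.
for target in domain.com www.domain.com 1.2.3.4; do
    if cert_covers "$target" "$SAMPLE_SAN"; then
        printf '%s: covered\n' "$target"
    else
        printf '%s: NOT covered (host name mismatch)\n' "$target"
    fi
done
```

On a live server, cert_covers www.domain.com "$(served_san www.domain.com)" followed by the same call for domain.com reproduces what Firefox and Safari check; if one of the two reports NOT covered while certbot says a certificate for both names exists, the server block for that name is still pointing at the older single-name certificate files.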

SSL certificate: unable to get local issuer certificate mailgun

I have installed mailgun on my local machine.
I am using localhost:8000 to run my Laravel project. I tried to send a message and received this error:
RequestException in Client.php line 136:
SSL certificate problem: unable to get local issuer certificate
Can anyone explain how to solve it?
Download curl from https://curl.haxx.se/download.html
Download the win64 version, then extract it.
Copy ca-bundle.crt to /apache/bin/
Then open php/php.ini and edit the line
curl.cainfo = "/path/to/wamp64/bin/apache/apache2.4.18/bin/ca-bundle.crt"
Restart the server.
