Yannik/qnap-letsencrypt

Error with Let's Encrypt DST Root CA X3 cert

Thana404 opened this issue · 15 comments

Hi,

Since Sept. 30th, the DST Root CA X3 certificate used by Let's Encrypt has expired. It was not an issue for me while accessing my website on Firefox, but API or cUrl calls failed because of it.

While investigating, I figured out that renew_certificate.sh was using https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem as intermediate cert, which is the one that expired (confirmed using https://www.sslshopper.com/certificate-decoder.html for example).

To fix this, I just replaced above URL with https://letsencrypt.org/certs/lets-encrypt-r3.pem (see ISRG Root X1) and executed renew_certificate.sh again. I'm not really into certificates and all, but that worked for me and was pretty easy to fix. If this solution is suitable for you, I'll gladly open a PR :)

Some resources I used while trying to fix it:

Hope that helps.

@Thana404 Sounds good to me, feel free to open a PR! :-)

Hi,
I'm experiencing the same problem and tried the above, but it does not work for me:
renew_certificate.sh prompts:

```
ERROR: cannot verify letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’: Issued certificate has expired. To connect to letsencrypt.org insecurely, use --no-check-certificate'.
An error occured. Restoring system state.
```

Any idea what to do?

Thanks, Alex

@aski71 I think you are having a different issue: Your cacert.pem needs to be updated.

See https://github.com/Yannik/qnap-letsencrypt#setting-up-a-valid-ca-bundle-and-cloning-this-repo

Ok, thanks @Yannik .

I followed the steps and re-initialized everything, made the above modifications in renew_certificate.sh again. Now I'm receiving below error ...

Which probably means all the failed tries now bite me.
How long do I have to wait before I can retry?

```
Already registered! Account ID: https://acme-v02.api.letsencrypt.org/acme/acct/225094110
Creating new order...
Traceback (most recent call last):
  File "acme-tiny/acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "acme-tiny/acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "acme-tiny/acme_tiny.py", line 120, in get_crt
    order, _, order_headers = _send_signed_request(directory['newOrder'], order_payload, "Error creating new order")
  File "acme-tiny/acme_tiny.py", line 60, in _send_signed_request
    return _do_request(url, data=data.encode('utf8'), err_msg=err_msg, depth=depth)
  File "acme-tiny/acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error creating new order:
Url: https://acme-v02.api.letsencrypt.org/acme/new-order
Data: b'{"signature": "TQ7ic8nLkmlqW1aN6IqWFRX7B7DZnfxscE63du9JpOqQF1cwSCxVYX4zrW1i6YuVGHkNpjnBgSgZiLNsVkqHnmy2ngNZjHoNUBxgNFBwSBegtD96Dp_Loz4zelsKETFBZQUHrzhCq4zKz4fkXmQbzf1uUv0Qj4xEjTC3pKePG-zB9-Oa3TKNUFUT8GduG3auzD_AcD61PYzqPdLVxj7d0e01BmCHdQnMs1-lh-TxKZ-wFdDVyFIuGyY5VD-FeS2SNXiI5NdgLrigaC-wT0haawiuJnw9fgZcHQLz3qbFOtvM7gaGvUNf2KizWumPk0j7ZD2Mv0WTiqWsw4zv1EknKmtvyLGtNyTE6o-LUG4qIIlF4qAHRNvsmfNoylDb7KjlB_X1ZxYrVFuKb4cGKd1qDhaDytWiMQN0lNhBKRcmilAJwEni7a00dKAQFVBCC2V9gYXaPF0sDlbHORauzGBi4LaeHwfPbVrC9byC0VaPgvTRiaYR7mDWDpu5U29Vd8fIjUCwPNnxqMAZ6ZLXazAkUVmSJhb5Gkli5E7j_bB5_gITudUjI0a0Hnsj3eVtzIFKrjMKmfDIKjsFA43llNMuYdSz2PJi0VL36tR2UpuVCR9nePu1Ho000_OjQm9Zgrif6jjLdh-M4jOQ9qtpZkKkALvvz_fxY3ema70W-dlaPjk", "protected": "eyJraWQiOiAiaHR0cHM6Ly9hY21lLXYwMi5hcGkubGV0c2VuY3J5cHQub3JnL2FjbWUvYWNjdC8yMjUwOTQxMTAiLCAiYWxnIjogIlJTMjU2IiwgIm5vbmNlIjogIjAxMDJ3c2FUel8wRk40SV80eW9xYl9oMHVBZnpJLXN2M2Z5dlpEcFhYeDVQbFRvIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ", "payload": "eyJpZGVudGlmaWVycyI6IFt7InR5cGUiOiAiZG5zIiwgInZhbHVlIjogImJpZ2J1ZGR5Lm15cW5hcGNsb3VkLmNvbSJ9LCB7InR5cGUiOiAiZG5zIiwgInZhbHVlIjogImJpZ2J1ZGR5LmFsZXhzZWJhc3RpYW4uZGUifV19"}'
Response Code: 429
Response: {'detail': 'Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: bigbuddy.alexsebastian.de,bigbuddy.myqnapcloud.com: see https://letsencrypt.org/docs/rate-limits/', 'type': 'urn:ietf:params:acme:error:rateLimited', 'status': 429}
An error occured. Restoring system state.
./renew_certificate.sh: line 13: 30793 Killed "$PYTHON" ../HTTPServer.py (wd: /share/MD0_DATA/letsencrypt/qnap-letsencrypt/tmp-webroot)
Start apache proxy: OK
Recover apache confiugre
Starting Qthttpd services: OK
```

There is a page which explains rate limiting in the error message:
Response Code: 429 Response: {'detail': 'Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours: bigbuddy.alexsebastian.de,bigbuddy.myqnapcloud.com: see https://letsencrypt.org/docs/rate-limits/', 'type': 'urn:ietf:params:acme:error:rateLimited', 'status': 429}

Yes, but: How long do I have to wait now to be able to issue a new certificate?

Check the link in the error message, otherwise I don't know

Fixed with 0ecdfdd

Yes, but: How long do I have to wait now to be able to issue a new certificate?

Check https://letsencrypt.org/docs/rate-limits/

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.

Also check the overrides section

If you’ve hit a rate limit, we don’t have a way to temporarily reset it. You’ll need to wait until the rate limit expires after a week. We use a sliding window, so if you issued 25 certificates on Monday and 25 more certificates on Friday, you’ll be able to issue again starting Monday. You can get a list of certificates issued for your registered domain by searching on crt.sh, which uses the public Certificate Transparency logs.

If you are a large hosting provider or organization working on a Let’s Encrypt integration, we have a rate limiting form that can be used to request a higher rate limit. It takes a few weeks to process requests, so this form is not suitable if you just need to reset a rate limit faster than it resets on its own.
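The quoted documentation describes a sliding window, and the 429 response earlier in this thread names the concrete parameters for the duplicate-certificate limit: 5 certificates for the same exact set of names in the last 168 hours. The following is an added example, not part of qnap-letsencrypt or of Let's Encrypt's own tooling; it models that window to answer the "how long do I have to wait" question from a list of past issuance times (epoch seconds, e.g. taken from the crt.sh listing mentioned above). The timestamps used in the demo are constructed.

```shell
#!/bin/sh
# Added example: model the "5 duplicate certificates per 168 hours" sliding window
# and compute when the next issuance for the same set of names would be accepted.
# This is an illustration of the documented rule, not the CA's actual implementation.

LIMIT=5                      # certificates allowed per window (from the 429 response)
WINDOW=$((168 * 3600))       # 168 hours, in seconds

# next_allowed NOW ts1 ts2 ...
# Prints the earliest epoch time at which one more certificate fits in the window.
# Issuances at or before NOW-WINDOW have already aged out and are ignored; the
# remaining ones are sorted, and if LIMIT or more remain, the oldest of the
# "excess" ones must drop out of the window before the next issuance is allowed.
next_allowed() {
    now="$1"; shift
    printf '%s\n' "$@" | sort -n | awk -v now="$now" -v limit="$LIMIT" -v window="$WINDOW" '
        $1 > now - window { in_window[++n] = $1 }    # keep issuances still inside the window
        END {
            if (n < limit) { print now; exit }        # room left: can issue right now
            print in_window[n - limit + 1] + window   # time when the count drops below the limit
        }'
}

# wait_hours NOW NEXT -> whole hours between the two epoch timestamps
wait_hours() {
    echo $(( ($2 - $1) / 3600 ))
}

# Demo on constructed data: five issuances inside the last week, given in random order.
demo() {
    now=1634000000
    next=$(next_allowed "$now" $((now-300000)) $((now-600000)) $((now-200000)) $((now-500000)) $((now-400000)))
    echo "next issuance allowed at epoch $next, in $(wait_hours "$now" "$next") hour(s)"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh ratelimit.sh demo`, or call `next_allowed "$(date +%s)" <epoch timestamps...>` with the real issuance times. Note that the failed-validation limit quoted above is a separate, per-hour counter and is not modelled here.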

Ok, thanks.
Then I guess I have no choice but to do without my backup for a week. :-/

Right.

Tried again today. Now I'm getting this again. :-(

ERROR: cannot verify letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’: Issued certificate has expired.

Even though I'm using:
wget --no-verbose --secure-protocol=TLSv1_2 -O - https://letsencrypt.org/certs/lets-encrypt-r3.pem > letsencrypt/intermediate.pem

Does wget --ca-certificate=cacert.pem --no-verbose --secure-protocol=TLSv1_2 -O - https://letsencrypt.org/certs/lets-encrypt-r3.pem > letsencrypt/intermediate.pem work?

It doesn't:

```
[/share/MD0_DATA/letsencrypt/qnap-letsencrypt] # wget --ca-certificate=cacert.pem --no-verbose --secure-protocol=TLSv1_2 -O - https://letsencrypt.org/certs/lets-encrypt-r3.pem > letsencrypt/intermediate.pem
ERROR: cannot verify letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’: Issued certificate has expired.
To connect to letsencrypt.org insecurely, use '--no-check-certificate'.
[/share/MD0_DATA/letsencrypt/qnap-letsencrypt] # wget --ca-certificate=cacert.pem --no-verbose --secure-protocol=TLSv1_2 --no-check-certificate -O - https://letsencrypt.org/certs/lets-encrypt-r3.pem > letsencrypt/intermediate.pem
WARNING: cannot verify letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’: Issued certificate has expired.
2021-10-15 16:52:44 URL:https://letsencrypt.org/certs/lets-encrypt-r3.pem [1826/1826] -> "-" [1]
```

Tried --no-check-certificate.
Seemed to work.
Now I just have to wait 168 hours again ... 🙄🤪

Tried with --no-check-certificate.

```
Downloading intermediate certificate...
WARNING: cannot verify letsencrypt.org's certificate, issued by ‘/C=US/O=Let's Encrypt/CN=R3’: Issued certificate has expired.
2021-10-26 22:42:10 URL:https://letsencrypt.org/certs/lets-encrypt-r3.pem [1826/1826] -> "-" [1]
Stopping stunnel and setting new stunnel certificates...
```

It keeps saying it can't verify letsencrypt.org's certificate because it has expired.
I don't get it.
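Two distinct checks come up in this thread: whether the downloaded intermediate.pem is the cross-signed R3 (issuer DST Root CA X3, expired) or the R3 issued under ISRG Root X1, and whether the local cacert.pem bundle can actually verify a Let's Encrypt chain, which is what wget's `--ca-certificate` failure above is really reporting. The following is an added example, not part of the qnap-letsencrypt scripts, showing both checks with `openssl`. Once a file has been fetched with `--no-check-certificate`, verifying it afterwards against a current bundle is the way to regain the assurance the download skipped. The file names `letsencrypt/intermediate.pem` and `cacert.pem` come from the thread; the "Constructed Root" and "Unrelated Root" test certificates are generated locally so the demo runs offline and do not represent any real CA.

```shell
#!/bin/sh
# Added example: inspect a downloaded intermediate certificate and verify it
# against a CA bundle, the same trust check wget --ca-certificate performs.

# Print the issuer and expiry date of a PEM certificate. For the Let's Encrypt
# intermediate this distinguishes "issuer=... DST Root CA X3" from "... ISRG Root X1".
describe_cert() {
    openssl x509 -in "$1" -noout -issuer -enddate
}

# Exit 0 if the certificate in $1 stays valid for at least $2 more seconds (default 0).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# Exit 0 if the certificate in $1 chains to a root contained in the bundle $2.
cert_chains_to_bundle() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# check_intermediate INTERMEDIATE.pem CABUNDLE.pem
# Reports issuer/expiry, then fails if the certificate is expired or if the
# bundle does not contain its root (the "cacert.pem needs updating" case).
check_intermediate() {
    describe_cert "$1"
    if ! cert_valid_for "$1" 0; then
        echo "intermediate has expired"; return 1
    fi
    if ! cert_chains_to_bundle "$1" "$2"; then
        echo "intermediate does not chain to any root in $2"; return 1
    fi
    echo "intermediate OK"
}

# Constructed fixtures for offline testing: a throwaway root, a certificate it
# signs (valid 1 day), and an unrelated root standing in for an outdated bundle.
make_fixtures() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" >/dev/null 2>&1
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -set_serial 1 -days 1 -out "$dir/int.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Unrelated Root" \
        -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
}

# Demo: the right bundle verifies the certificate, the wrong bundle does not.
demo() {
    tmp=$(mktemp -d)
    make_fixtures "$tmp"
    check_intermediate "$tmp/int.pem" "$tmp/root.pem"
    check_intermediate "$tmp/int.pem" "$tmp/other.pem" || true
    rm -rf "$tmp"
}

case "${1:-}" in demo) demo ;; esac
```

On the NAS the real invocation would be `check_intermediate letsencrypt/intermediate.pem cacert.pem`; `sh checkcert.sh demo` runs the self-contained fixtures instead. A certificate that passes `cert_valid_for` but fails `cert_chains_to_bundle` points at the bundle, not at the downloaded file.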