TSplus fails to update letsencrypt SSL certificate

Posted: Mon Nov 09, 2020 9:01 am
by bzdega
Hi,

We have more and more installations where TSplus fails to update the letsencrypt certificate.

How does TSplus trigger letsencrypt to release a new SSL certificate? How often and when does TSplus try to update those certificates?

Michael

Re: TSplus fails to update letsencrypt SSL certificate

Posted: Tue Nov 10, 2020 8:07 pm
by bzdega
I think I found what causes this error. Someone installed the IIS role on these servers, so port 80 had a binding to IIS.

Letsencrypt needs to access the TSplus webserver on port 80 to deliver the SSL certificate.

After uninstalling IIS and reinstalling TSplus, I was able to request a new SSL certificate from letsencrypt.

Michael

Re: TSplus fails to update letsencrypt SSL certificate

Posted: Fri Nov 13, 2020 9:40 am
by admin
Hello,

The certificate needs to be updated every three months, but the TSplus service updates it every 2 months as a safety measure to make sure the certificate does not reach the end of its validity before the time limit.

Re: TSplus fails to update letsencrypt SSL certificate

Posted: Mon Nov 16, 2020 1:52 pm
by bzdega
I have to come back to this issue.

Letsencrypt informs me that another server was unable to update the SSL certificate.

I looked into the logfiles under C:\Program Files (x86)\TSplus\UserDesktop\files\.lego\logs and found this error:

2020/11/15 08:54:09 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org: no such host

It seems that the update process does not find the letsencrypt host.

Is this a problem TSplus is aware of?

Michael

Re: TSplus fails to update letsencrypt SSL certificate

Posted: Mon Nov 16, 2020 2:36 pm
by bzdega
I discovered a strange behavior when sending a ping to acme-v02.api.letsencrypt.org:
  • my first ping shows "unable to reach host"
  • my second ping on the same address shows a correct answer from that server
After that, I was able to run the renewal process for the SSL certificate in the TS Admin Tool. Don't ask me why...

Michael
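
The two causes found in this thread (port 80 bound by IIS, and the failed lookup of the ACME host) can be checked on the server before retrying a renewal. The PowerShell below is an added example, not part of the thread and not TSplus code; the three lookup attempts and the 2-second delay are arbitrary choices.

```powershell
# Added example: checks to run on the server before retrying the renewal.
$AcmeHost = 'acme-v02.api.letsencrypt.org'   # host name from the log line in the thread

# 1. Which process owns the TCP 80 listener?
$listeners = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
if (-not $listeners) {
    Write-Warning 'Nothing is listening on port 80.'
} else {
    foreach ($ownerId in ($listeners.OwningProcess | Sort-Object -Unique)) {
        $proc = Get-Process -Id $ownerId -ErrorAction SilentlyContinue
        Write-Output ('Port 80 listener: PID {0} ({1})' -f $ownerId, $proc.ProcessName)
        if ($ownerId -eq 4) {
            # PID 4 (System) means HTTP.sys holds the port, which is how IIS binds it.
            Write-Warning 'Port 80 is held by HTTP.sys; look for an IIS binding.'
        }
    }
}
# W3SVC is the IIS web service; it is absent when the role is not installed.
$iis = Get-Service -Name W3SVC -ErrorAction SilentlyContinue
if ($iis) { Write-Warning ('IIS service W3SVC is present, status: {0}' -f $iis.Status) }

# 2. Resolve the ACME host several times to expose an intermittent resolver.
$failures = 0
foreach ($attempt in 1..3) {          # attempt count and delay are arbitrary
    try {
        $records = Resolve-DnsName -Name $AcmeHost -Type A -DnsOnly -ErrorAction Stop
        $ips = ($records | Where-Object { $_.IPAddress } | ForEach-Object IPAddress) -join ', '
        Write-Output ('DNS attempt {0}: {1}' -f $attempt, $ips)
    } catch {
        $failures++
        Write-Warning ('DNS attempt {0} failed: {1}' -f $attempt, $_.Exception.Message)
    }
    Start-Sleep -Seconds 2
}
if ($failures -gt 0) {
    Write-Warning "$failures of 3 lookups failed. Configured DNS servers:"
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        Format-Table InterfaceAlias, ServerAddresses -AutoSize
}

# 3. Outbound HTTPS to the ACME endpoint.
$tcp = Test-NetConnection -ComputerName $AcmeHost -Port 443 -WarningAction SilentlyContinue
Write-Output ('TCP 443 to {0}: {1}' -f $AcmeHost, $tcp.TcpTestSucceeded)
```

A lookup that fails once and then succeeds, as described in the last post, shows up here as a failure count between 1 and 2; the listed DNS servers are the place to start looking.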