TSplus fails to update letsencrypt SSL certificate
Posted: Mon Nov 09, 2020 9:01 am
by bzdega
Hi,
We have more and more installations where TSplus fails to update the Let's Encrypt certificate.
How does TSplus trigger Let's Encrypt to release a new SSL certificate? How often and when does TSplus try to update those certificates?
Michael
Re: TSplus fails to update letsencrypt SSL certificate
Posted: Tue Nov 10, 2020 8:07 pm
by bzdega
I think I found what causes this error. Someone installed the IIS role on these servers, so port 80 had a binding to IIS.
Let's Encrypt needs to access the TSplus webserver on port 80 to deliver the SSL certificate.
After uninstalling IIS and reinstalling TSplus, I was able to request a new SSL certificate from Let's Encrypt.
Michael
Re: TSplus fails to update letsencrypt SSL certificate
Posted: Fri Nov 13, 2020 9:40 am
by admin
Hello,
The certificate needs to be updated every three months, but the TSplus service updates it every 2 months as a safety measure to make sure the certificate does not reach the end of its validity before the time limit.
Re: TSplus fails to update letsencrypt SSL certificate
Posted: Mon Nov 16, 2020 1:52 pm
by bzdega
I have to come back to this issue.
Let's Encrypt informs me that another server was unable to update the SSL certificate.
I looked into the log files under C:\Program Files (x86)\TSplus\UserDesktop\files\.lego\logs and found this error:
2020/11/15 08:54:09 Could not create client: get directory at 'https://acme-v02.api.letsencrypt.org/directory': Get https://acme-v02.api.letsencrypt.org/directory: dial tcp: lookup acme-v02.api.letsencrypt.org: no such host
It seems that the update process does not find the Let's Encrypt host.
Is this a problem TSplus is aware of?
Michael
Re: TSplus fails to update letsencrypt SSL certificate
Posted: Mon Nov 16, 2020 2:36 pm
by bzdega
I discovered a strange behavior when sending a ping to amce-v02.api.letsencrypt.org:
- my first ping shows "unable to reach host"
- my second ping on the same address shows a correct answer from that server
After that, I was able to run the renewal process for the SSL certificate in the TS Admin Tool. Don't ask me why...
Michael
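Added example (not part of the thread and not TSplus code): a PowerShell pre-flight check for the two causes reported above, port 80 held by another service such as IIS and the lookup of the ACME directory host failing. The function names are hypothetical; the host name is the one from the log line, and the retry count and delay are assumptions.

```powershell
# Added example: run on the TSplus server before starting a certificate renewal.
# Function names, retry count and delay are illustrative assumptions.
$AcmeHost = 'acme-v02.api.letsencrypt.org'   # host taken from the log line in the thread

function Get-Port80Listener {
    # Report which process owns the listening socket(s) on TCP 80.
    $conns = Get-NetTCPConnection -LocalPort 80 -State Listen -ErrorAction SilentlyContinue
    foreach ($c in ($conns | Sort-Object -Property OwningProcess -Unique)) {
        $p = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            OwnerPid     = $c.OwningProcess
            Process      = if ($p) { $p.ProcessName } else { 'unknown' }
            # PID 4 (System) typically means the HTTP.sys driver holds the port,
            # which is how IIS binds it; the validation request then never
            # reaches another web server on the same port.
            HttpSys      = ($c.OwningProcess -eq 4)
        }
    }
}

function Test-AcmeDns {
    param(
        [string]$Name = $AcmeHost,
        [int]$Attempts = 3,
        [int]$DelaySeconds = 2
    )
    # Retry, because the thread reports a first lookup failing and a second one succeeding.
    for ($i = 1; $i -le $Attempts; $i++) {
        try {
            $r = Resolve-DnsName -Name $Name -Type A -DnsOnly -ErrorAction Stop
            $ips = @($r | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress })
            return [pscustomobject]@{ Resolved = $true; Attempt = $i; Addresses = $ips }
        } catch {
            Write-Warning "Lookup attempt ${i} failed: $($_.Exception.Message)"
            Start-Sleep -Seconds $DelaySeconds
        }
    }
    [pscustomobject]@{ Resolved = $false; Attempt = $Attempts; Addresses = @() }
}

Get-Port80Listener | Format-Table -AutoSize
Test-AcmeDns
```

A result with `Resolved = $true` but `Attempt` greater than 1 reproduces the intermittent lookup described in the last post and points at the server's DNS resolver configuration rather than at the renewal tool.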