https timeouts, 503 error SSL handshake taking a long time with Let's Encrypt

Discussion in 'Server Operation' started by tjbcham, Mar 18, 2019.

  1. tjbcham

    tjbcham Member

    For 2 days I have been getting site up and down warnings for all sites using Let's Encrypt SSL.
    Redirecting sites back to http:// brought the sites back to running properly.
    Is this due to changes in the way certificates were originally issued and renewed with ISPConfig 3? I see references to Certbot.
    Were the relevant changes not included in ISPConfig 3 updates? Server is running 3.1.13.
    Any documentation/comments on switching to Certbot if that is the issue? https://www.howtoforge.com/communit...pconfig-3-1-2-how-to-install-correctly.75425/ ?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    LE auth methods are chosen by certbot automatically; ISPConfig is not involved there except for choosing webroot auth as the general option, so when you run a recent certbot version, your system supports recent auth methods. To which warning do you refer, what is the exact text?

    And redirects back to http are not made by ISPConfig. If you experience something like that, then you most likely still use http:// URLs in a CMS system instead of https://. That's e.g. a common mistake when switching WordPress from http to https: you have to alter the WordPress URLs inside the WordPress settings too, in two places.
     
  3. tjbcham

    tjbcham Member

    Hi Till, thanks for the quick response.
    Which warning text are you referring to?
    I have updated certbot, but it seems some sites are not using the latest certificates.
    Deleted all certificates in /web#/ssl, unchecked SSL and Let's Encrypt in the ISPConfig 3 control panel and recreated the certificates by checking the boxes again, but it is the old certificate that appears. Example with expiry date 27 April 2019.
    Firefox Certificate Technical Details give Connection Encrypted: (TLS_ECDHE_RSA_WITH_AES_GCM_SHA384, 256 bit key, TLS 1.2)
     
  4. tjbcham

    tjbcham Member

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Let's Encrypt SSL certs are not in web/ssl/; this folder contains only custom SSL certs and symlinks to the Let's Encrypt certs. So you did not delete any Let's Encrypt certs, you just deleted a symlink. The Let's Encrypt SSL certs are in /etc/letsencrypt.

    Your old ssl cert is still valid, so why do you want to delete it then?

    That's not an SSL error. It seems as if your server is not able to get more slots for the fcgi starters, which means you probably reached a limit in Apache. Try to switch the site to php-fpm; that's the better and newer PHP mode anyway.
     
  6. tjbcham

    tjbcham Member

    Switched to php-fpm, errors gone, however I see unusually large access.log files... meaning the last few days are 242,000 KB+, whereas normally it would be around 20,000 KB.
    The timeout errors and 503 errors are only for https:// sites. I thought it might be a certificate problem, hence wanting to delete and renew.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I doubt that a new cert will help here; if the cert were wrong, then you would get an SSL warning in the browser. Take a look into the log files to find out why they are so large. It might be that there is some kind of brute force attack or DoS attack ongoing, or you have a problem with a redirect loop.
     
  8. tjbcham

    tjbcham Member

    Exploring those, but all https:// sites on the server are timing out or taking a long time, except for the ISPConfig control panel.
    Thanks again.
     
  9. tjbcham

    tjbcham Member

    It appears this was an attack on one site on the server - when it was put into maintenance mode, the other sites came back to functioning normally on https.
     
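Till's advice to look into the oversized access.log, and the outcome that a single site was under attack, suggest a quick triage step. The following is an added example, not code from the thread or from ISPConfig: it summarises one site's Apache combined-format access.log by client IP, request path and status code and flags IPs whose request count exceeds a burst threshold, so the site (and client) producing the log growth stands out. The log lines and IP addresses below are constructed for the demonstration; the burst threshold of 50 is an assumed starting value.

```python
import re
from collections import Counter

# Apache "combined" log format, the format of ISPConfig's per-site access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyze(lines, burst_threshold=50):
    """Count requests per client IP, per (method, path) and per status code,
    and flag IPs whose total reaches burst_threshold (assumed value)."""
    by_ip, by_path, by_status = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:          # skip truncated or foreign lines rather than abort
            continue
        by_ip[rec["ip"]] += 1
        by_path[(rec["method"], rec["path"])] += 1
        by_status[rec["status"]] += 1
    flagged = {ip: n for ip, n in by_ip.items() if n >= burst_threshold}
    return {"total": sum(by_ip.values()), "by_ip": by_ip,
            "by_path": by_path, "by_status": by_status, "flagged": flagged}

def sample_log():
    """Constructed sample: one client hammering the login page and getting 503s
    (the fcgi starter limit from the thread), plus a few ordinary visitors."""
    hammer = ['203.0.113.7 - - [18/Mar/2019:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" '
              '503 427 "-" "Mozilla/5.0"' % (i % 60) for i in range(120)]
    normal = ['198.51.100.%d - - [18/Mar/2019:10:00:30 +0000] "GET / HTTP/1.1" '
              '200 5120 "-" "Mozilla/5.0"' % i for i in range(1, 6)]
    return hammer + normal

if __name__ == "__main__":
    # In practice: analyze(open("/path/to/the/site/access.log"))
    report = analyze(sample_log())
    print("total requests:", report["total"], "status codes:", dict(report["by_status"]))
    for ip, n in report["by_ip"].most_common(3):
        print("%-16s %6d requests" % (ip, n))
    for ip, n in report["flagged"].items():
        print("burst from", ip, "with", n, "requests; top path:",
              report["by_path"].most_common(1)[0][0])
```

Run it once per site log; the site whose report shows a flagged IP or a status distribution dominated by 503s is the one to put into maintenance mode or rate-limit first.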
