odd Let's Encrypt error? getting funny errors....

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Nov 26, 2025 at 1:39 PM.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I've been having some browsers not wanting to load a site on my ns10 server - where I thought all was well!
    when I go to ns10.cdbsystems.com:8080 in firefox it gives me a REVOKED CERT error:
    Code:
    Did Not Connect: Potential Security Issue
    Firefox detected a potential security threat and did not continue to ns10.cdbsystems.com because this website requires a secure connection.
    What can you do about it?
    ns10.cdbsystems.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can’t add an exception to visit this site.
    Probably nothing, since it’s likely there’s a problem with the site itself.
    
    Firefox blocked your visit to this site because the certificate provided for ns10.cdbsystems.com:8080 has been revoked and isn’t trusted anymore. Error code: SEC_ERROR_REVOKED_CERTIFICATE
    
    but opera says no problem at all - says site is secure and certificate certainly looks valid!
    from opera:
    Code:
    Common Name (CN)
    ns10.cdbsystems.com
    Organization (O)
    <Not Part Of Certificate>
    Organizational Unit (OU)
    <Not Part Of Certificate>
    
    Common Name (CN)
    R12
    Organization (O)
    Let's Encrypt
    Organizational Unit (OU)
    <Not Part Of Certificate>
    
    Issued On
    Saturday, November 15, 2025 at 8:13:27 PM
    Expires On
    Friday, February 13, 2026 at 8:13:26 PM
    
    Certificate
    0a86ca6b01d280e76d7db2e9242adc55daa84069cbe6cf493fdab74aff16740b
    Public Key
    afbada7ede6f6bca88c92727ebda557c76ff5722d9c4d60a83cf81f36931757f
    
    how do I find what the heck is going on??


    also - on another server I get these errors when changing the site to PHP-FPM:
    from error.log:
    [Wed Nov 26 07:28:33.881458 2025] [ssl:error] [pid 333490:tid 140645182712128] AH02604: Unable to configure certificate 1st-street.com:443:0 for stapling
    [Wed Nov 26 07:28:33.963034 2025] [ssl:error] [pid 333490:tid 140645182712128] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=1st-street.com / issuer: CN=E7,O=Let's Encrypt,C=US / serial: 06F67FD5AF7934ABC9EA21DDD8DE8AC1914B / notbefore: Nov 25 22:04:39 2025 GMT / notafter: Feb 23 22:04:38 2026 GMT]
    [Wed Nov 26 07:28:33.963057 2025] [ssl:error] [pid 333490:tid 140645182712128] AH02604: Unable to configure certificate 1st-street.com:443:0 for stapling

    now from what I read if I change SSLUseStapling to off this error goes away. but surely there is a way to FIX the error? and when I change SSLUseStapling to off in the vhost it gets overwritten by ispconfig next change of course. do I put this in an apache directive? how does it know where to put it in the vhost?
    help!

    further after converting to PHP-FPM in ispconfig on this site and the php version is 8.1 -
    the site is unavailable with errors:

    [Wed Nov 26 07:48:03.457358 2025] [proxy_fcgi:error] [pid 336907:tid 140680927680256] [client 13.41.152.40:44580] AH01067: Failed to read FastCGI header
    [Wed Nov 26 07:48:03.457608 2025] [proxy_fcgi:error] [pid 336765:tid 140680826967808] [client 35.170.3.177:52032] AH01067: Failed to read FastCGI header
    [Wed Nov 26 07:48:03.457629 2025] [proxy_fcgi:error] [pid 337339:tid 140680978036480] [client 90.156.142.27:10856] AH01067: Failed to read FastCGI header
    [Wed Nov 26 07:48:03.458233 2025] [proxy_fcgi:error] [pid 336697:tid 140681003214592] [client 70.184.247.92:64079] AH01067: Failed to read FastCGI header

    I see in the /etc/httpd/conf/sites-available vhost file:
    Code:
                    Action php-fcgi /php-fcgi virtual
                                    Alias /php-fcgi /var/www/clients/client0/web5/cgi-bin/php-fcgi-*-80-1st-street.com
                    FastCgiExternalServer /var/www/clients/client0/web5/cgi-bin/php-fcgi-*-80-1st-street.com -idle-timeout 300 -socket /var/lib/php5-fpm/web5.sock -pass-header Authorization  -pass-header Content-Type
                    </IfModule>
                    <IfModule mod_proxy_fcgi.c>
                            #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php5-fpm/web5.sock|fcgi://localhost//var/www/clients/client0/web5/web/$1
                            <Directory /var/www/1st-street.com/web>
                                    <FilesMatch "\.php[345]?$">
                                            <If "-f '%{REQUEST_FILENAME}'">
                                                    SetHandler "proxy:unix:/var/lib/php5-fpm/web5.sock|fcgi://localhost"
                                            </If>
                                    </FilesMatch>
                            </Directory>
                            <Directory /var/www/clients/client0/web5/web>
                                    <FilesMatch "\.php[345]?$">
                                            <If "-f '%{REQUEST_FILENAME}'">
                                                    SetHandler "proxy:unix:/var/lib/php5-fpm/web5.sock|fcgi://localhost"
                                            </If>
                                    </FilesMatch>
                            </Directory>
                            </IfModule>
    
    
    how come vhost refers to php5-fpm and not php81-fpm???
    and services php-fpm and php81.fpm are both running! how come we get these errors?
    what a way to start my day!
     
    Last edited: Nov 26, 2025 at 2:03 PM
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is there ever anything not odd with your servers?

    then you probably have revoked your certificate and still use it.

    not related to your firefox ssl problem, just ignore it. Alternatively, you can create a custom vhost config template and modify it as needed.

    It does not refer to php5-fpm. It has been explained many times in the forum, you can not see the PHP version in the vhost file at all. Any numbers you see there are not the PHP version. The folder /var/lib/php5-fpm/ is the central system PHP socket folder for all PHP versions.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

    sorry till meant to go back and edit - yes I saw elsewhere the /var/lib/php5-fpm is the same folder for all versions.
    sorry about that question!
    but both chrome and opera report the site as just fine. why is firefox complaining???

    NEVER MIND. some silly caching thing maybe. firefox on another computer has no issues!

    I changed the website to use Default php version rather than php81 with php-fpm and now I have other errors:
    AH01095: prefetch request body failed to 0.0.0.0:0 (httpd-UDS) from
    and the website cannot load at all.
    further the website just spins loading eventually times out - but no extra line gets appended to error.log?


    I rebooted server. both httpd and php-fpm are running. what IS going on? geez.
    and yes, till, there is NEVER anything NOT odd going on on my servers. even when I thought things were working... I was deluding myself!
     
    Last edited: Nov 26, 2025 at 3:32 PM
  4. craig baker

    craig baker Member HowtoForge Supporter

    further info I ran ab -n 100 -c 10 1st-street.com/ (turns out you NEED the trailing / for some reason) and it says:
    Code:
    Server Software:        Apache
    Server Hostname:        www.1st-street.com
    Server Port:            80
    
    Document Path:          /
    Document Length:        235 bytes
    
    Concurrency Level:      10
    Time taken for tests:   54.131 seconds
    Complete requests:      100
    Failed requests:        0
    Non-2xx responses:      100
    Total transferred:      44600 bytes
    HTML transferred:       23500 bytes
    Requests per second:    1.85 [#/sec] (mean)
    Time per request:       5413.137 [ms] (mean)
    Time per request:       541.314 [ms] (mean, across all concurrent requests)
    Transfer rate:          0.80 [Kbytes/sec] received
    
    Connection Times (ms)
                  min  mean[+/-sd] median   max
    Connect:        0    1   0.2      1       2
    Processing:   739 5065 1851.0   4810    9238
    Waiting:      739 5065 1851.0   4810    9238
    Total:        740 5066 1851.0   4811    9239
    
    Percentage of the requests served within a certain time (ms)
      50%   4811
      66%   5444
      75%   6544
      80%   6711
      90%   7911
      95%   8527
      98%   9145
      99%   9239
     100%   9239 (longest request)
    
    seems SUPER slow doesn't it? what can I do within PHP-FPM?
    all the settings under options are default apart from my usual apache2 directives (for wordpress)
    output_buffering = off
    upload_max_filesize = 2048M
    post_max_size = 2048M
    max_input_vars = 3000
    max_execution_time = 600
    date.timezone = "US/Eastern"
    memory_size = 2048M

    we have 96gb of ram.
    and in the error log I'm seeing now:
    [Wed Nov 26 09:47:33.970029 2025] [proxy:error] [pid 3328:tid 139710194894592] (103)Software caused connection abort: [client 52.215.86.173:47716] AH01095: prefetch request body failed to 0.0.0.0:0 (httpd-UDS) from 52.215.86.173 ()
    [Wed Nov 26 10:08:57.810651 2025] [proxy_fcgi:error] [pid 3395:tid 139709766424320] (70007)The timeout specified has expired: [client 103.60.7.57:2668] AH01075: Error dispatching request to : (reading input brigade), referer: www.google.com

    what on EARTH is going on??
    I'm drowning!
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    LE has not supported stapling for quite some months now, so not setting it on, or setting it off, is best.

    About the vhost being changed, use the conf-custom folder for your customized vhost setup as suggested by @till; or use directives that can override, though I am not sure how you do it in apache2, as I am using nginx.
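
The AH02218 / AH02604 pair quoted in the first post is what Apache logs when stapling is enabled for a certificate that carries no OCSP URI. The following is an added example, not part of any post in this thread: it scans an error log for that pair and lists each affected vhost with the certificate details Apache reported. The log lines are copied from the first post; the function and variable names are made up for illustration.

```python
import re

# Log lines copied from the first post of this thread.
SAMPLE_LOG = """\
[Wed Nov 26 07:28:33.881458 2025] [ssl:error] [pid 333490:tid 140645182712128] AH02604: Unable to configure certificate 1st-street.com:443:0 for stapling
[Wed Nov 26 07:28:33.963034 2025] [ssl:error] [pid 333490:tid 140645182712128] AH02218: ssl_stapling_init_cert: no OCSP URI in certificate and no SSLStaplingForceURL set [subject: CN=1st-street.com / issuer: CN=E7,O=Let's Encrypt,C=US / serial: 06F67FD5AF7934ABC9EA21DDD8DE8AC1914B / notbefore: Nov 25 22:04:39 2025 GMT / notafter: Feb 23 22:04:38 2026 GMT]
[Wed Nov 26 07:28:33.963057 2025] [ssl:error] [pid 333490:tid 140645182712128] AH02604: Unable to configure certificate 1st-street.com:443:0 for stapling
[Wed Nov 26 07:48:03.457358 2025] [proxy_fcgi:error] [pid 336907:tid 140680927680256] [client 13.41.152.40:44580] AH01067: Failed to read FastCGI header
"""

# Apache 2.4 error log prefix: [time] [module:level] [pid N:tid N] [client ...] AHnnnnn: message
PREFIX = re.compile(
    r"^\[[^\]]+\] \[\w+:\w+\] \[pid (?P<pid>\d+)[^\]]*\] "
    r"(?:\[client [^\]]+\] )?(?P<code>AH\d{5}): (?P<msg>.*)$")
VHOST = re.compile(r"Unable to configure certificate (\S+) for stapling")
CERT = re.compile(
    r"\[subject: (?P<subject>.*?) / issuer: (?P<issuer>.*?) / "
    r"serial: (?P<serial>[0-9A-F]+) / notbefore: (?P<notbefore>.*?) / "
    r"notafter: (?P<notafter>.*?)\]$")

def stapling_failures(log_text):
    """Map vhost id -> cert details for certificates Apache could not staple.

    AH02218 carries the certificate details, the AH02604 that follows it from
    the same pid names the vhost. A vhost whose AH02604 has no preceding
    AH02218 in the log is still reported, with None as its details.
    """
    failures, last_cert = {}, {}
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        if m["code"] == "AH02218":
            cert = CERT.search(m["msg"])
            if cert:
                last_cert[m["pid"]] = cert.groupdict()
        elif m["code"] == "AH02604":
            vhost = VHOST.search(m["msg"])
            if vhost:
                details = last_cert.pop(m["pid"], None)
                failures[vhost.group(1)] = details or failures.get(vhost.group(1))
    return failures

if __name__ == "__main__":
    for vhost, cert in stapling_failures(SAMPLE_LOG).items():
        print(vhost, cert["issuer"] if cert else "(no certificate details logged)")
```

Every vhost this reports is one where SSLUseStapling has nothing to staple, so it is a candidate for the custom vhost template mentioned in the replies above.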
     
