Error setting up SSL

While trying to set up SSL via the WebUI, I get the below error.

RAN: /usr/bin/certbot certonly --authenticator standalone --pre-hook systemctl stop apache2 --post-hook systemctl start apache2 --preferred-challenges http --agree-tos --non-interactive --domain ***** -m *****

STDOUT:

STDERR:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1166, in _raise_ssl_error
    raise SysCallError(errno, errorcode.get(errno))
OpenSSL.SSL.SysCallError: (104, 'ECONNRESET')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-pac… (1425 more, please see e.stderr)

For SSL I use a reverse proxy service, installed in my opnsense router.

It’s very easy to manage and the letsencrypt service keeps my certs valid.

I highly recommend it.

Any additional help here? I am using the AWS web appliance and would like to use a purchased third-party certificate, not a self-signed one.

If you could submit the log files via the “Report problem” link on the bottom?

Since you are on AWS, you could put CloudFront in front of it? The Let’s Encrypt certificate should definitely be sufficient, but your instance needs to be reachable from the Let’s Encrypt servers on port 80 + 443…

At the moment, we do not allow 80 and 443 out, so that would be the cause of this error I believe. The third-party cert we would like to bind already has its chain trusted by our devices. We also would like the domain it is in to match our corporate .com vanity URL. Is there a way to manually bind a cert to the web instance while keeping that change across updates when using the AMI? I agree that CloudFront is an option but one we are not set up to take advantage of at the moment.

Ok, will look into adding that. I guess you have a .pem file and a .key file and they’d both need to be uploaded to the appliance + the domain configured…

Correct. If you can add that, it would be super helpful. In the meantime I will try to get a Let’s Encrypt cert on there.
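The upload path discussed in the last few posts needs three things to agree: the .pem certificate, the .key file, and the hostname the appliance will be reached on. A mismatch in any of them only shows up as a failed handshake after the upload, so it is worth checking locally first. The script below is an added example, not code from the appliance or from anyone in the thread. It builds a throwaway root CA and a server certificate it signs as constructed stand-ins for the purchased bundle (the hostname web.example.com, the file names and the unrelated second key are all assumptions), then runs three checks on them: that the key's public half matches the certificate, that the hostname appears in the subjectAltName, and that the leaf verifies against the trusted root. It assumes a Linux host with openssl and sha256sum available.

```shell
#!/bin/sh
# Added example, not code from the appliance or from the thread: pre-flight
# checks for a purchased certificate before uploading it with its key.
# Assumes Linux with openssl and sha256sum (coreutils) installed.
set -eu

# ---- constructed sample input ---------------------------------------------
# A throwaway root CA and a server certificate it signs stand in for the
# purchased bundle (leaf cert, private key, already-trusted chain).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
ROOT=$WORK/ca.pem          # the CA the corporate devices already trust
CERT=$WORK/web.pem         # the leaf certificate to upload
KEY=$WORK/web.key          # its private key
OTHER_KEY=$WORK/other.key  # an unrelated key, to show the mismatch case
HOST=web.example.com       # hypothetical vanity hostname

openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$ROOT" >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -subj "/CN=$HOST" \
    -keyout "$KEY" -out "$WORK/web.csr" >/dev/null 2>&1
printf 'subjectAltName=DNS:%s,DNS:www.example.com\n' "$HOST" > "$WORK/san.cnf"
openssl x509 -req -in "$WORK/web.csr" -CA "$ROOT" -CAkey "$WORK/ca.key" \
    -set_serial 1 -days 1 -extfile "$WORK/san.cnf" -out "$CERT" >/dev/null 2>&1
openssl genrsa -out "$OTHER_KEY" 2048 >/dev/null 2>&1

# ---- the checks -------------------------------------------------------------

# 1. Does the private key belong to this certificate?  Compare a hash of the
#    DER-encoded public key taken from each side; this works for RSA and EC
#    keys alike, unlike the old "compare the RSA modulus" trick.
cert_key_match() {   # cert key
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
               | openssl pkey -pubin -outform DER | sha256sum | cut -d' ' -f1)
    key_pub=$(openssl pkey -in "$2" -pubout -outform DER | sha256sum | cut -d' ' -f1)
    [ "$cert_pub" = "$key_pub" ]
}

# 2. Does the certificate name the host the appliance will be reached on?
#    Clients ignore the CN and match only subjectAltName, so that is what
#    is checked (exact DNS entries; wildcards are not expanded here).
cert_covers_domain() {   # cert hostname
    openssl x509 -in "$1" -noout -text \
        | grep -A1 'Subject Alternative Name' \
        | tr ',' '\n' | tr -d ' ' | grep -qx "DNS:$2"
}

# 3. Does the leaf chain up to the root the devices trust?  For a real
#    purchased bundle, pass the intermediates with -untrusted as well.
chain_verifies() {   # cert root
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# One-line summary of all three, so the result can be compared or logged.
check_bundle() {   # cert key root hostname
    k=fail; s=fail; c=fail
    cert_key_match "$1" "$2" && k=ok
    cert_covers_domain "$1" "$4" && s=ok
    chain_verifies "$1" "$3" && c=ok
    echo "key:$k san:$s chain:$c"
}

echo "matching bundle: $(check_bundle "$CERT" "$KEY" "$ROOT" "$HOST")"
echo "wrong key:       $(check_bundle "$CERT" "$OTHER_KEY" "$ROOT" "$HOST")"
echo "wrong hostname:  $(check_bundle "$CERT" "$KEY" "$ROOT" other.example.com)"
```

For a real bundle, replace the constructed files with the purchased leaf, its key and the CA bundle the devices already trust, and add `-untrusted intermediates.pem` to the `openssl verify` call if the vendor ships a separate intermediate file; the key and SAN checks are unchanged. Only after all three report `ok` is the pair worth uploading to the appliance.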