libcurl certificate error when using mod_md


Post by Tremolo4 » 31. March 2021 03:33

Hello,

I'm attempting to use mod_md for automatic Let's Encrypt certificates. It does not work. mod_md is unable to connect to the Let's Encrypt ACME server due to a TLS certificate error thrown by libcurl. See the following log output.

Code:
[Wed Mar 31 03:58:17.204934 2021] [md:debug] [pid 3500:tid 688] md_acme.c(769): get directory from https://acme-v02.api.letsencrypt.org/directory
[Wed Mar 31 03:58:17.501775 2021] [md:debug] [pid 3500:tid 688] md_curl.c(385): (20014)Internal error (specific information not available): request failed(60): SSL peer certificate or SSH remote key was not OK
[Wed Mar 31 03:58:17.501775 2021] [md:warn] [pid 3500:tid 688] (20014)Internal error (specific information not available): md[h.tremolo4.tk] while[Contacting ACME server for h.tremolo4.tk at https://acme-v02.api.letsencrypt.org/directory] detail[Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>. If this problem persists, please check your network connectivity from your Apache server to the ACME server. Also, older servers might have trouble verifying the certificates of the ACME server. You can check if you are able to contact it manually via the curl command. Sometimes, the ACME server might be down for maintenance, so failing to contact it is not an immediate problem. Apache will continue retrying this.]


When using the bundled curl.exe directly, like it says in the error message, I can connect to https://acme-v02.api.letsencrypt.org/directory without issue. Wild guess: I noticed that curl does not have a CApath set (see below), even though it still works from the command line.

Code:
$ ./curl.exe --cacert non_existing_file https://www.google.de
curl: (77) error setting certificate verify locations:
  CAfile: non_existing_file
  CApath: none


I'm using xampp-windows-x64-8.0.3-0-VS16-installer.exe on Windows 10

My mod_md config settings are as follows:

Code:
LogLevel md:trace1
MDCertificateAgreement accepted
MDomain mydomain.example.com


I'd appreciate any insights.
Tremolo4
 
Posts: 4
Joined: 31. March 2021 03:04
XAMPP version: 8.0.3-0-VS16
Operating System: Windows 10
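
The following added example, not part of the original thread or of mod_md's code, parses md_curl.c log lines like the ones posted above and groups the libcurl result code by cause, separating connectivity failures from certificate-verification failures. The CURLcode names come from curl/curl.h; the cause labels, advice strings and the third sample line are assumptions made for illustration.

```python
import re

# CURLcode values from curl/curl.h, grouped by what they say about the failure.
CURL_CODES = {
    6: ("CURLE_COULDNT_RESOLVE_HOST", "network"),
    7: ("CURLE_COULDNT_CONNECT", "network"),
    28: ("CURLE_OPERATION_TIMEDOUT", "network"),
    35: ("CURLE_SSL_CONNECT_ERROR", "tls-handshake"),
    60: ("CURLE_PEER_FAILED_VERIFICATION", "trust-store"),
    77: ("CURLE_SSL_CACERT_BADFILE", "trust-store"),
}
ADVICE = {  # illustrative wording, not taken from mod_md or curl
    "network": "check DNS, routing and outbound filtering from the Apache host",
    "tls-handshake": "check TLS versions and ciphers of the libcurl that httpd loads",
    "trust-store": "not a connectivity problem; check the CA bundle used by the libcurl that httpd loads",
    "unknown": "look the code up in curl/curl.h",
}

PREFIX = re.compile(r"^\[[^\]]+\] \[md:\w+\] \[pid (\d+):tid (\d+)\] (.*)$")
DIRECTORY = re.compile(r"md_acme\.c\(\d+\): get directory from (\S+)")
FAILED = re.compile(r"md_curl\.c\(\d+\): .*?request failed\((\d+)\): (.*)")

def triage(lines):
    """One finding per failed libcurl request, paired with the ACME directory
    URL last requested by the same pid/tid (None if no such line was seen)."""
    last_url, findings = {}, []
    for line in lines:
        head = PREFIX.match(line.strip())
        if not head:
            continue
        thread, rest = (head.group(1), head.group(2)), head.group(3)
        if (m := DIRECTORY.search(rest)):
            last_url[thread] = m.group(1)
        elif (m := FAILED.search(rest)):
            code = int(m.group(1))
            name, cause = CURL_CODES.get(code, ("(not in table)", "unknown"))
            findings.append({"code": code, "name": name, "cause": cause,
                             "url": last_url.get(thread), "detail": m.group(2),
                             "advice": ADVICE[cause]})
    return findings

# The first two lines are from the post above; the third is constructed for contrast.
SAMPLE_LOG = [
    "[Wed Mar 31 03:58:17.204934 2021] [md:debug] [pid 3500:tid 688] md_acme.c(769): get directory from https://acme-v02.api.letsencrypt.org/directory",
    "[Wed Mar 31 03:58:17.501775 2021] [md:debug] [pid 3500:tid 688] md_curl.c(385): (20014)Internal error (specific information not available): request failed(60): SSL peer certificate or SSH remote key was not OK",
    "[Wed Mar 31 04:10:02.000000 2021] [md:debug] [pid 3500:tid 700] md_curl.c(385): (20014)Internal error (specific information not available): request failed(7): Couldn't connect to server",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"curl {f['code']} {f['name']} [{f['cause']}] {f['url']}: {f['advice']}")
```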

Re: libcurl certificate error when using mod_md

Post by Nobbie » 31. March 2021 12:48

I think it's a firewall (or antivirus) problem; make sure that ports 80 and 443 are also cleared for incoming and outgoing requests. The problem is NOT that mod_md cannot reach https://acme-v02.api.letsencrypt.org/directory (therefore you can reach it via curl.exe), the problem is that ACME cannot reach YOUR host (it needs to read the certificates).

Switch off Windows firewall if in doubt. Same for any antivirus software.

If you are running behind a router, make sure that incoming requests on port 80 and 443 are routed to your machine (tremolo4.tk). Also look if there is an active firewall blocking on your router.

Finally, this is not the right forum for third-party tools like mod_md; you should ask on GitHub or so for support. This forum is meant for the XAMPP distribution and local development only, not for server administration. We cannot debug your host here. There is a very helpful readme on GitHub: https://github.com/icing/mod_md
Nobbie
 
Posts: 13170
Joined: 09. March 2008 13:04

Re: libcurl certificate error when using mod_md

Post by Tremolo4 » 31. March 2021 17:48

Thank you for your answer.

Nobbie wrote: I think it's a firewall (or antivirus) problem; make sure that ports 80 and 443 are also cleared for incoming and outgoing requests.

Nobbie wrote: Switch off Windows firewall if in doubt. Same for any antivirus software.

I do not use any third-party antivirus software and have verified that my webserver is reachable from the outside through ports 443 and 80.

Nobbie wrote: the problem is that ACME cannot reach YOUR host (it needs to read the certificates).

I am quite sure that this is inaccurate. I can access my server from the outside just fine. (I am using dynamic DNS, so the server is only accessible through the domain when I decide to update the DNS record -- which I did of course when trying out mod_md. In case you're wondering, this would explain why you could not access it earlier today). Furthermore, the error message quite clearly states that mod_md was "Unsuccessful in contacting ACME server at <https://acme-v02.api.letsencrypt.org/directory>" and to "check your network connectivity from your Apache server to the ACME server" -- which is what I did with curl.exe.

Nobbie wrote: Finally, this is not the right forum for third-party tools like mod_md; you should ask on GitHub or so for support.

That's fair. I would like to point out, however, that mod_md is part of the XAMPP distribution. It seems odd to bundle this module in a non-working state. I still believe this is not a problem with mod_md itself, but rather with the certificate validation of libcurl in XAMPP, unrelated to ACME or Let's Encrypt.

Re: libcurl certificate error when using mod_md

Post by Nobbie » 31. March 2021 20:57

Tremolo4 wrote: It seems odd to bundle this module in a non-working state.

Can you prove it? I think it's your environment. Anyway, it's not needed for development and that (and only that) is the goal of this forum.

P.S.: Actually - you are not alone. I am struggling with Let's Encrypt SSL for my QNAP TS-120 NAS - it's a PAIN! Neither certbot nor ACME shell scripts are working, it is sooo annoying. And ZERO support from QNAP. They are running a non-standard Linux distro (no Debian, no openSUSE, I don't know...), running XAMPP on a Windows PC is far easier!

Re: libcurl certificate error when using mod_md

Post by Tremolo4 » 31. March 2021 22:27

Nobbie wrote: Can you prove it? I think it's your environment.

I guess the best way to prove it would be for someone else to try it.

I've switched to the Apache Windows builds from ApacheLounge [1] and it works out of the box with that. mod_md successfully got me a valid Let's Encrypt cert. Just replaced the apache folder in my xampp folder with the one from ApacheLounge and migrated the config.

Nobbie wrote: P.S.: Actually - you are not alone. I am struggling with Let's Encrypt SSL for my QNAP TS-120 NAS - it's a PAIN! Neither certbot nor ACME shell scripts are working, it is sooo annoying. And ZERO support from QNAP. They are running a non-standard Linux distro (no Debian, no openSUSE, I don't know...), running XAMPP on a Windows PC is far easier!

Aw that's really annoying. I would have hoped it'd always be easier on Linux but I guess anything can be broken...

[1] https://www.apachelounge.com/download/

Re: libcurl certificate error when using mod_md

Post by Altrea » 01. April 2021 06:56

Hi,

XAMPP Apache should be based on the ApacheLounge releases (it was so in the past at least).
The Apache modules and libraries in XAMPP 8.0.3 are from 17th February. Since then ApacheLounge did release two updates and jumped from OpenSSL 1.1.1i to 1.1.1k.
Altrea
AF Moderator
 
Posts: 11926
Joined: 17. August 2009 13:05
XAMPP version: several
Operating System: Windows 11 Pro x64

Re: libcurl certificate error when using mod_md

Post by Tremolo4 » 01. April 2021 23:01

Altrea wrote: XAMPP Apache should be based on the ApacheLounge releases (it was so in the past at least).
The Apache modules and libraries in XAMPP 8.0.3 are from 17th February. Since then ApacheLounge did release two updates and jumped from OpenSSL 1.1.1i to 1.1.1k.

Interesting. I can't test with the old (17th February) ApacheLounge version, because they don't seem to host old versions.

Anyway, I tried only copying the libcurl.dll from the newest ApacheLounge to the newest XAMPP release. That also fixes my problem. I think this proves that the issue is caused somehow by XAMPP's libcurl.dll.

I've found my solution so I guess this can be marked as resolved then, if that is a thing you do here :wink: