Error renewing ssl certificate

Hi,

The SSL certificate of my site is going to expire next June 26.
For a week now I’ve been receiving a daily mail complaining that the certificate renewal failed.

If I try to verify my site from admin/network settings/https I see this log:

2019-06-18 21:36:29+0200 [-] [E] Unhandled exception raised:
2019-06-18 21:36:29+0200 [-] [E] OSError Base class for I/O related errors.\n\nTraceback (most recent call last):\n\n File “/usr/lib/python3/dist-packages/twisted/internet/defer.py”, line 1386, in _inlineCallbacks\n result = g.send(result)\n\n File “/usr/lib/python3/dist-packages/globaleaks/handlers/admin/operation.py”, line 85, in verify_hostname\n raise EnvironmentError(‘Response unexpected’)\n\nOSError: Response unexpected\n
2019-06-18 21:36:29+0200 [-] Stopping factory _HTTP11ClientFactory(<function HTTPConnectionPool._newConnection..quiescentCallback at 0x7f597b7d31e0>, <twisted.internet.endpoints.HostnameEndpoint object at 0x7f597911b390>)

netstat -ntlp:

tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 60955/python3
tcp 0 0 0.0.0.0:443 0.0.0.0:* LISTEN 60955/python3

telnet host.mydomain.tld 80:

Trying xx.xx.xx.xx…
Connected to host.mydomain.tld.
Escape character is ‘^]’.

globaleaks version: 3.9.6
OS: ubuntu 18.04

Any hints?

Dear @Giuseppe_Barichello, is Globaleaks directly exposed on the internet or is there a firewall of any kind in between? What is the domain name?

Globaleaks is exposed directly to the internet.

Domain in pm

Is there anything I can do to help debug this issue?

Actually right now I’ve no clue @Giuseppe_Barichello

Maybe you can disable HTTPS, get in via HTTP, reset the HTTPS configuration and retry?

I tried disabling https, but then I couldn’t “reset” the https configuration. The only option was to re-enable https: afterwards I got the same error and was not able to renew the certificate.

Is it not possible to manually renew the certificate?

@Giuseppe_Barichello: actually the “Reset” button is near the Enable button. Try to disable it and find it again.

I’m sorry, it is not possible to manually renew the certificate.

As an alternative, if it is urgent and you cannot solve it now, you could buy a traditional certificate to cover just one year, until we investigate what happened on your system.

Ok, that did the trick!
Resetting https configuration and setting it up again fixed the issue.
BUT: I still get this error when I hit “verify” button:

2019-06-26 22:10:31+0200 [-] Starting factory _HTTP11ClientFactory(<function HTTPConnectionPool._newConnection..quiescentCallback at 0x7f0db01fa840>, <twisted.internet.endpoints.HostnameEndpoint object at 0x7f0db036e400>)
2019-06-26 22:10:31+0200 [-] [E] Unhandled exception raised:
2019-06-26 22:10:31+0200 [-] [E] OSError Base class for I/O related errors.\n\nTraceback (most recent call last):\n\n File “/usr/lib/python3/dist-packages/twisted/internet/defer.py”, line 1386, in _inlineCallbacks\n result = g.send(result)\n\n File “/usr/lib/python3/dist-packages/globaleaks/handlers/admin/operation.py”, line 85, in verify_hostname\n raise EnvironmentError(‘Response unexpected’)\n\nOSError: Response unexpected\n
2019-06-26 22:10:31+0200 [-] Stopping factory _HTTP11ClientFactory(<function HTTPConnectionPool._newConnection..quiescentCallback at 0x7f0db01fa840>, <twisted.internet.endpoints.HostnameEndpoint object at 0x7f0db036e400>)

Thank you for reporting this @Giuseppe_Barichello

We will perform some rechecks and let you know.

Anyway, do not mind this error, as it would not cause any failure.

best,

Giovanni Pellerano

Hi, I also have the same error.

The automatic renewal of the HTTPS certificate scheduled for today has just failed.

The system will automatically make new attempts.

Expiration date: Friday 26 July 2019 23:00 (UTC)

Without a valid certificate, the platform will be securely accessible only via Tor.

https://yyyy.zzzz.it/#/admin/network

Thank you for reporting this @Pyramid.

We are still investigating the issue; for the moment you can let the system keep retrying until the deadline.

In case it doesn’t work automatically, a known solution is to reset the https configuration and request a new certificate.