Could not connect to the inwx api about letsencrypt-inwx HOT 11 CLOSED

Hi,
I see two possible causes:

• The call is blocked by your firewall or you are using a proxy
• The CA of the inwx api certificate is not trusted on your server

Can you try if you can make https calls to the inwx api on that machine at all? For example:

curl "https://api.domrobot.com/xmlrpc/"
should print

<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultString</name><value><string>parse error. not well formed.

error occurred at line 1, column 0, byte index -1</string></value></member><member><name>faultCode</name><value><int>-32700</int></value></member></struct></value></fault></methodResponse>

from letsencrypt-inwx.

Response:

<?xml version="1.0" encoding="UTF-8"?><methodResponse><fault><value><struct><member><name>faultString</name><value><string>parse error. not well formed.

error occurred at line 1, column 0, byte index -1</string></value></member><member><name>faultCode</name><value><int>-32700</int></value></member></struct></value></fault></methodResponse>

from letsencrypt-inwx.

The only real difference to the other servers - where it's working fine - is that on this server I have OpenSSL 1.1.1 Pre8 installed instead of the Debian 9 default (I think it's 1.0.2f). Does it use systems OpenSSL? Could that be a problem?

from letsencrypt-inwx.

Yes it uses reqwest for http(s) requests which itself uses rust-openssl which uses your system openssl library. So that might be the issue. To be sure you can download the new 1.0.2 version I just pushed which should print out more useful error messages in your case. I think your only option would be to compile letsencrypt-inwx yourself on that server if openssl should be the problem.

from letsencrypt-inwx.

Output:

Creating TXT record...
=> Error: The inwx api call failed: Could not connect to the inwx api: https://api.domrobot.com/xmlrpc/: The OpenSSL library reported an error: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed:s3_clnt.c:1191:

Seems like I have to compile. I tried that yesterday before I used the .deb, but I think it hang on openssl compile - but I could be wrong. I will try again.

from letsencrypt-inwx.

I still have openssl_1.1.0f on the system. Is it somehow possible to use /usr/bin/openssl_1.1.0f instead of /usr/bin/openssl without compiling?

from letsencrypt-inwx.

Maybe I should put that a new issue, but this is what happens when I compile:

error: failed to run custom build command for `openssl v0.9.24`
process didn't exit successfully: `/root/letsencrypt-inwx/target/release/build/openssl-51b12a3c459663c2/build-script-build` (exit code: 101)
--- stderr
thread 'main' panicked at 'Unable to detect OpenSSL version', /root/.cargo/registry/src/github.com-1ecc6299db9ec823/openssl-0.9.24/build.rs:16:14
note: Run with `RUST_BACKTRACE=1` for a backtrace.

from letsencrypt-inwx.

I don't know much about binary openssl compatibility.

Concerning the compile error: Do you have openssl-devel and pkg-config installed?

from letsencrypt-inwx.

Both are installed and functionally

from letsencrypt-inwx.

Hi,

I have solved my problem. I have reinstalled my Debian 9 and left the default OpenSSL version of it untouched. I could not use your .deb due to you strictly requiring libssl1.0.0 which is not available for many new Linux distributions including Debian 9. So I build my own .deb installed it and it works just fine.

I would recommend that you investigate making your plugin compatible with OpenSSL1.1.1, because it probability will be adopted pretty fast by many distributions due to it's support of TLS1.3.

Still, thank you really much for your help and fast responses! Keep the great work up!

from letsencrypt-inwx.

Nice to hear that you could solve your problem. The thing is that this project does not use openssl directly. It only uses rust-openssl as an indirect dependency so we have to wait for them to support new openssl versions. At least openssl 1.1.0 seems to be supported according to their Readme.

from letsencrypt-inwx.