Problem with Certificate Renewal for HTTPS
First: Thanks for making AppVeyor, we have been using it successfully for years without any issues whatsoever. We run the self-hosted Team Edition on a Windows server, but for the past few days we unfortunately have not been able to reach it via HTTPS anymore. The browser shows "Secure Connection Failed" (PR_END_OF_FILE_ERROR).
After trying to refresh the Let's Encrypt certificate in the AppVeyor system configuration, we get a red error message saying "Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'". A quick internet search shows that many users of Let's Encrypt appear to have the same issue, and it seems to be caused by Let's Encrypt since they are Shortening the Let's Encrypt Chain of Trust.
As I haven't seen any updated version from your side, I just wanted to double-check whether that is indeed something which would need to be fixed on our side (i.e. in Windows Server), and if so, what in particular we'd need to do to make HTTPS work again?
Support Staff 1 Posted by Feodor Fitsner on 21 Mar, 2024 04:54 PM
What version of AppVeyor Server do you have?
2 Posted by Damian on 21 Mar, 2024 05:00 PM
Thanks a lot for the quick response. We're using the newest available version 7.0.3212.
Support Staff 3 Posted by Feodor Fitsner on 21 Mar, 2024 05:14 PM
OK, I see we could apply this fix to AppVeyor Server, but as the last commenter suggests it will be valid till June only: https://github.com/ffMathy/FluffySpoon.AspNet.EncryptWeMust/pull/22...
I guess the proper fix would be installing "ISRG Root X1" to a computer's trust store: https://community.letsencrypt.org/t/fixing-windows-installs-that-do...
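One way to check the trust-store state that comment 3 refers to, as an added example that is not part of the thread and not AppVeyor or Let's Encrypt code. It assumes AppVeyor Server runs as a Windows service and therefore relies on the LocalMachine certificate store; the function name Test-IsrgRootTrust is hypothetical.

```powershell
# Added example. Run in an elevated PowerShell session on the AppVeyor host.
function Test-IsrgRootTrust {
    # Subject taken from the error message quoted in this thread.
    $rootCn = 'CN=ISRG Root X1'

    # 1. The root must be in the machine store: a copy imported only under
    #    Cert:\CurrentUser is not visible to a service under another account.
    $roots = @(Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*$rootCn*" })
    if ($roots.Count -eq 0) {
        Write-Warning "$rootCn not found in Cert:\LocalMachine\Root"
    }
    foreach ($r in $roots) {
        # A matching subject proves nothing by itself: compare Thumbprint with
        # the fingerprint Let's Encrypt publishes for ISRG Root X1.
        [pscustomobject]@{
            Subject    = $r.Subject
            Thumbprint = $r.Thumbprint
            ChainOk    = $null
            Status     = 'root present'
            Path       = ''
        }
    }

    # 2. Build the chain in machine context for every installed certificate
    #    issued by Let's Encrypt or ISRG (intermediates and leaf certificates).
    $issued = Get-ChildItem Cert:\LocalMachine\CA, Cert:\LocalMachine\My |
        Where-Object { $_.Issuer -match "Let's Encrypt|Internet Security Research Group" }
    foreach ($c in $issued) {
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new($true)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline: test trust only
        $ok = $chain.Build($c)
        [pscustomobject]@{
            Subject    = $c.Subject
            Thumbprint = $c.Thumbprint
            ChainOk    = $ok
            # PartialChain or UntrustedRoot here means the root is not trusted.
            Status     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            Path       = ($chain.ChainElements |
                ForEach-Object { $_.Certificate.Subject }) -join ' <- '
        }
        $chain.Reset()
    }
}

Test-IsrgRootTrust | Format-List
```

If every chain ends in ISRG Root X1 with an empty Status and the renewal error still appears, the machine trust store is not the missing piece.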
4 Posted by Damian on 21 Mar, 2024 05:20 PM
Thanks indeed for your help. I'll need to study your resources in detail tomorrow, but do I understand you correctly that it would suffice to install the "ISRG Root X1" in our Windows Server to resolve the problem?
Support Staff 5 Posted by Feodor Fitsner on 21 Mar, 2024 05:47 PM
That's my understanding. We haven't received that error while testing locally - root trust store should be updated with Windows updates.
6 Posted by Damian on 21 Mar, 2024 05:59 PM
Excellent, that's fantastic news. I shall try to do so tomorrow and will report back. Thanks again for the superb support (and product)!
7 Posted by Damian on 22 Mar, 2024 09:23 AM
We have manually installed the certificate for the time being. I do reckon there is an issue with the Microsoft Trusted Root Program of Windows Update, as the root certificate indeed would have had to be installed automatically.
I've unfortunately hit the threshold for certificate renewals of Let's Encrypt and will need to wait until Monday, but shall report back at once after I have been able to try the renewal again.
8 Posted by Damian on 04 Apr, 2024 03:41 PM
It appears that my last comment was lost somehow. We did in the meantime manage to get the Microsoft Trusted Root Program working on our Windows Server and it installed a bunch of new root certificates (including those of the ISRG).
Most unfortunately, it still does not work; we keep receiving the same error message when attempting to renew the Let's Encrypt certificate. Thus our question: Could it be that there is an issue in AppVeyor itself regarding the certificate renewal? Or is there anything else we could try?
This issue is unfortunately rather urgent for us, as our build server is down for outside collaborators (resp. only accessible via HTTP, not HTTPS) as well as not accessible to our GitHub integrations.
9 Posted by Damian on 07 May, 2024 09:12 AM
We were not able to resolve the issue and thus had no other option than to buy an SSL certificate.
Support Staff 10 Posted by Feodor Fitsner on 07 May, 2024 05:43 PM
Please use email as a support channel. We often don't receive notifications from these forums - so frustrating.
Purchasing an SSL is an option. I'm sorry Let's Encrypt didn't work for you - too bad we couldn't replicate the issue locally. Another option would be using some ACME-based command tools to issue/renew SSL from Let's Encrypt. Not sure how to make it automatically work with AppVeyor Server though.
Feodor Fitsner closed this discussion on 07 Jul, 2024 09:03 PM.