Problem with Certificate Renewal for HTTPS

Damian

21 Mar, 2024 04:30 PM

First: Thanks for making AppVeyor, we have been using it successfully for years without any issues whatsoever. We run the self-hosted Team Edition on a Windows server, but for the past few days we have unfortunately been unable to reach it via HTTPS. The browser shows "Secure Connection Failed" (PR_END_OF_FILE_ERROR).

After trying to refresh the Let's Encrypt certificate in the AppVeyor system configuration, we get a red error message saying "Can not find issuer 'C=US,O=Internet Security Research Group,CN=ISRG Root X1' for certificate 'C=US,O=Let's Encrypt,CN=R3'". A quick internet search shows that many users of Let's Encrypt appear to have the same issue, and it seems to be caused by Let's Encrypt, since they are "Shortening the Let's Encrypt Chain of Trust".

As I haven't seen any updated version from your side, I just wanted to double-check whether that is indeed something which would need to be fixed on our side (i.e. in Windows Server), and if so, what in particular we'd need to do to make HTTPS work again?

  1. Support Staff 1 Posted by Feodor Fitsner on 21 Mar, 2024 04:54 PM

    What version of AppVeyor Server do you have?

  2. 2 Posted by Damian on 21 Mar, 2024 05:00 PM

    Thanks a lot for the quick response. We're using the newest available version 7.0.3212.

  3. Support Staff 3 Posted by Feodor Fitsner on 21 Mar, 2024 05:14 PM

    OK, I see we could apply this fix to AppVeyor Server, but as the last commenter suggests it will be valid till June only: https://github.com/ffMathy/FluffySpoon.AspNet.EncryptWeMust/pull/22...

    I guess the proper fix would be installing "ISRG Root X1" to a computer's trust store: https://community.letsencrypt.org/t/fixing-windows-installs-that-do...

  4. 4 Posted by Damian on 21 Mar, 2024 05:20 PM

    Thanks indeed for your help. I'll need to study your resources in detail tomorrow, but do I understand you correctly that it would suffice to install the "ISRG Root X1" in our Windows Server to resolve the problem?

  5. Support Staff 5 Posted by Feodor Fitsner on 21 Mar, 2024 05:47 PM

    That's my understanding. We haven't received that error while testing locally - root trust store should be updated with Windows updates.

  6. 6 Posted by Damian on 21 Mar, 2024 05:59 PM

    Excellent, that's fantastic news. I shall try to do so tomorrow and will report back. Thanks again for the superb support (and product)!

  7. 7 Posted by Damian on 22 Mar, 2024 09:23 AM

    We have manually installed the certificate for the time being. I do reckon there is an issue with the Microsoft Trusted Root Program of Windows Update, as the root certificate indeed would have had to be installed automatically.

    I've unfortunately hit the threshold for certificate renewals of Let's Encrypt and will need to wait until Monday, but shall report back at once after I have been able to try the renewal again.

  8. 8 Posted by Damian on 04 Apr, 2024 03:41 PM

    It appears that my last comment was lost somehow. We did in the meantime manage to get the Microsoft Trusted Root Program working on our Windows Server and it installed a bunch of new root certificates (including those of the ISRG).

    Most unfortunately, it still does not work; we keep receiving the same error message when attempting to renew the Let's Encrypt certificate. Thus our question: Could it be that there is an issue in AppVeyor itself regarding the certificate renewal? Or is there anything else we could try?

    This issue is unfortunately rather urgent for us, as our build server is down for outside collaborators (resp. only accessible via HTTP, not HTTPS) as well as not accessible to our GitHub integrations.

  9. 9 Posted by Damian on 07 May, 2024 09:12 AM

    We were not able to resolve the issue and thus had no other option than to buy an SSL certificate.

  10. Support Staff 10 Posted by Feodor Fitsner on 07 May, 2024 05:43 PM

    Please use email as a support channel. We often don't receive notifications from these forums - so frustrating.

    Purchasing an SSL is an option. I'm sorry Let's Encrypt didn't work for you - too bad we couldn't replicate the issue locally. Another option would be using some ACME-based command tools to issue/renew SSL from Let's Encrypt. Not sure how to make it automatically work with AppVeyor Server though.
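
Added example, not part of the thread and not AppVeyor code: a PowerShell check that lists every copy of the two certificates named in the error message across the Windows certificate stores and asks Windows to build a chain from each R3 copy. It assumes it is run on the server itself; the CurrentUser results only reflect the account running the script, which may differ from the account the AppVeyor service uses.

```powershell
# Added diagnostic example. Subject names come from the error message quoted
# in the first post; store choices and output layout are assumptions.
$targets = @(
    @{ Pattern = '(^|,\s*)CN=ISRG Root X1(,|$)'; Stores = @('Root', 'CA') },
    @{ Pattern = '(^|,\s*)CN=R3(,|$)';           Stores = @('CA') }
)

function Find-ChainCert {
    param([string]$Pattern, [string[]]$Stores)
    foreach ($location in 'LocalMachine', 'CurrentUser') {
        foreach ($store in $Stores) {
            Get-ChildItem -Path "Cert:\$location\$store" -ErrorAction SilentlyContinue |
                Where-Object { $_.Subject -match $Pattern } |
                ForEach-Object {
                    [pscustomobject]@{
                        Store       = "$location\$store"
                        Subject     = $_.Subject
                        Issuer      = $_.Issuer   # differs from Subject for a cross-signed copy
                        SelfSigned  = ($_.Subject -eq $_.Issuer)
                        NotAfter    = $_.NotAfter
                        Expired     = ($_.NotAfter -lt (Get-Date))
                        Certificate = $_
                    }
                }
        }
    }
}

$found = foreach ($t in $targets) { Find-ChainCert @t }
$found | Format-Table Store, Subject, Issuer, SelfSigned, NotAfter, Expired -AutoSize

# The issuer lookup can only succeed if a usable self-signed root is present.
$root = $found | Where-Object { $_.SelfSigned -and $_.Store -like '*\Root' -and -not $_.Expired }
if (-not $root) { Write-Warning 'No unexpired self-signed ISRG Root X1 in a Root store.' }

# Let Windows build the chain for each R3 copy and report where the path ends.
foreach ($r3 in $found | Where-Object { $_.Subject -match '(^|,\s*)CN=R3(,|$)' }) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only, no CRL/OCSP fetch
    $ok   = $chain.Build($r3.Certificate)
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject }) -join ' <- '
    '{0}: chain valid={1}; {2}' -f $r3.Store, $ok, $path
    $chain.ChainStatus | ForEach-Object { "  status: $($_.Status) $($_.StatusInformation.Trim())" }
}
```

If Windows reports a valid chain here while the renewal still fails with the same message, the certificate lookup that fails is not the Windows chain builder exercised by this script.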
