In this article we investigate an issue with Let's Encrypt certificates on the web applications and services your code talks to.
Background
Every so often we would notice that, in our non-production environment, the custom contact forms failed after the user submitted them. These forms are built on top of Sitecore MVC and seemed to fail when the backend code attempted to POST to a service hosted by another team/party.
The error message we would see logged in the Sitecore log files looked like the following:
The remote certificate is invalid according to the validation procedure.
There are a few resources available online that describe possible causes for this error message and ultimately offer some kind of workaround (such as ignoring certificate errors):
- https://stackoverflow.com/questions/2675133/c-sharp-ignore-certificate-errors
- https://stackoverflow.com/a/66882479/1277533
Research
When reviewing our network we could not find anything that immediately stood out as the cause of the issue. If you assume that the calls to the web service are not yet being made, then the next logical thing to investigate is the steps .NET performs before sending the outbound request.
I first confirmed that the web service URL could be reached; in my case the service exposes a Swagger UI, and that loaded as expected. Second, I checked that the Let's Encrypt root certificate was installed in the server's Trusted Root store, which it was. Finally, I used certutil to verify the certificate, which revealed some interesting results.
Running the utility produced the key information we needed to determine next steps. As you can see in each of the following screenshots, the lencr.org domain is being accessed. It turns out that Let's Encrypt uses a set of lencr.org hostnames for revocation checking (OCSP responders and CRL distribution points), and these are contacted while the certificate chain is being validated. Read here for more details.
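The same evidence can be gathered from the application itself rather than by disabling validation. The following C# callback is an added diagnostic, not code from the original post or from Sitecore: it keeps certificate validation enabled, logs the chain status that explains the failure (RevocationStatusUnknown/OfflineRevocation when the revocation endpoints cannot be reached) and lists the OCSP, CRL and issuer URLs each certificate in the chain points at, so the firewall rule can be written from what the server actually needs. It assumes a Windows host (where X509Extension.Format renders the URLs as text); `TlsDiagnostics`, `LogAndValidate` and `ProbeAsync` are names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Text.RegularExpressions;
using System.Threading.Tasks;
// Added diagnostic (hypothetical name): keeps TLS validation ON and reports why the
// chain failed plus which revocation/issuer URLs the chain needs to reach.
static class TlsDiagnostics
{
    // OIDs: Authority Information Access (OCSP + CA Issuers) and CRL Distribution Points
    static readonly string[] RevocationOids = { "1.3.6.1.5.5.7.1.1", "2.5.29.31" };
    public static bool LogAndValidate(HttpRequestMessage request, X509Certificate2 cert,
                                      X509Chain chain, SslPolicyErrors errors)
    {
        if (errors == SslPolicyErrors.None) return true;
        Console.WriteLine($"TLS validation failed for {request.RequestUri}: {errors}");
        if (chain == null) return false;
        // RevocationStatusUnknown / OfflineRevocation = OCSP/CRL hosts (lencr.org) unreachable
        foreach (var s in chain.ChainStatus)
            Console.WriteLine($"  status: {s.Status} - {s.StatusInformation.Trim()}");
        foreach (var e in chain.ChainElements)
            foreach (var url in RevocationUrls(e.Certificate))
                Console.WriteLine($"  {e.Certificate.GetNameInfo(X509NameType.SimpleName, false)} -> {url}");
        return false; // never return true here: open the egress, do not disable the check
    }
    // URLs from the AIA and CRL DP extensions; relies on the Windows CryptoAPI text
    // rendering of X509Extension.Format (assumption: Windows host, as in the post).
    public static IEnumerable<string> RevocationUrls(X509Certificate2 cert)
    {
        foreach (X509Extension ext in cert.Extensions)
        {
            if (Array.IndexOf(RevocationOids, ext.Oid.Value) < 0) continue;
            foreach (Match m in Regex.Matches(ext.Format(true), @"https?://[^\s,\])]+"))
                yield return m.Value;
        }
    }
    // Same revocation setting as the failing POST, so the probe reproduces the error.
    public static async Task<string> ProbeAsync(string url)
    {
        var handler = new HttpClientHandler { CheckCertificateRevocationList = true,
                                              ServerCertificateCustomValidationCallback = LogAndValidate };
        using (var client = new HttpClient(handler))
        {
            try { return "HTTP " + (int)(await client.GetAsync(url)).StatusCode; }
            catch (HttpRequestException ex) { return "FAILED: " + ex.Message; }
        }
    }
}
```

Call `TlsDiagnostics.ProbeAsync("https://<service-host>/...")` from a console app on the affected server; a blocked egress path shows up as chain status lines naming the unreachable lencr.org URLs, which is exactly the list the firewall rule needs.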
Resolution
Ultimately we had the Network/Security Teams put in place firewall rules allowing outbound traffic to the domains listed here.
- *.o.lencr.org
- *.i.lencr.org
- *.c.lencr.org