I hope this is the right section for this.
In our company, we use locally running Lucee containers in Docker Desktop for development on the local machine. The Lucee version is 188.8.131.52 (yes, not really up-to-date). This has generally been working fine for about a year now.
But starting today, all of us suddenly had trouble using the Websocket extension which is relied upon heavily in our projects.
Checking in the Lucee administrator, it turned out the Websocket extension was no longer installed and not available for installation either, which is curious.
However, pulling the extension list from
https://extension.lucee.org/rest/extension/provider/info with a desktop browser revealed that the Websocket extension should still be available. It (and many other extensions as well) just didn’t show up in the Lucee admin any more.
Issues also arised with the PostgreSQL extension:
So I dug deeper and noticed that Lucee couldn’t access the extension provider on
extension.lucee.org any more. The exception message said “PKIX path building failed”, usually a problem with SSL certificate verification. I tested this with a small script, see screenshots.
The SSL certificate for this domain apparently has been renewed on 2023-11-11, that’s two days ago on Saturday. Probably none of my colleagues have been working over the weekend, so maybe the renewal’s got something to do with why it started acting up today. Or maybe it’s a red herring.
After we manually added the certificate for
extension.lucee.org in the Lucee administrator (Services → SSL Certificates), that resolved the issue. The Websocket extension is working again and re-appeared in the extensions list in Lucee admin as well.
Database connections using the PostgreSQL extension are also working again.
That probably means that without further preparation, our production Lucee installs will display the same symptoms, once they are restarted.
As far as I can tell from a quick search on
https://crt.sh, the current and the previous server certificate are pretty much identical. And web browsers as well as openssl or Qualys’s SSL test don’t report any errors.
Also, it’s not an issue with Let’s Encrypt (CA) certificates in general. Lucee has no problems with other sites with LE certificates like
Date and time are also set correctly in the containers.
Currently I’m a bit stumped as to why
extension.lucee.org can’t be verified but ‘letsencrypt.org’ and others can.
But my main questions are:
- Is it intended behaviour that extensions simply stop working just because the extension provider URL happens to be unreachable or its certificate can’t be verified?
- Has anyone else experienced this issue with
extension.lucee.org(or with the extensions list in Lucee admin after a restart) in the past few days?