letsencrypt problem

General E.F.A. discussion
Woger
Posts: 52
Joined: 15 Mar 2017 10:54

letsencrypt problem

Post by Woger » 15 Feb 2018 12:54

Hi there,
I am running the latest version of EFA and was seeing these errors when connecting from an external server:
SSL verify error: depth=0 error=unable to get local issuer certificate cert=/CN=<Domain>

So I thought maybe the letsencrypt certificate expired. In the EFA menu I clicked on Letsencrypt and it said you could reinstall letsencrypt. So I deactivated letsencrypt and reactivated it again. However, during reactivation, I got this:
Error while running apachectl configtest.

httpd: Syntax error on line 207 of /etc/httpd/conf/httpd.conf: Syntax error on line 221 of /etc/httpd/conf.d/ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError('Error while running apachectl configtest.\n\nhttpd: Syntax error on line 207 of /etc/httpd/conf/httpd.conf: Syntax error on line 221 of /etc/httpd/conf.d/ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory\n',)
httpd: no process killed
Starting httpd: httpd: Syntax error on line 207 of /etc/httpd/conf/httpd.conf: Syntax error on line 221 of /etc/httpd/conf.d/ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory
[FAILED]

Applying new cert to webmin!
cat: /etc/letsencrypt/live/mailgateway.nedport.net/privkey.pem: No such file or directory
cat: /etc/letsencrypt/live/mailgateway.nedport.net/cert.pem: No such file or directory
Stopping Webmin server in /usr/libexec/webmin
cat: /var/webmin/miniserv.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
I've updated the Webmin cert

No apache is running but gives an ssl error.
I tried running certbot-auto certonly, which worked, but apache is still giving an ssl error. When reactivating, CentOS did some upgrades. Where are the apache virtual server files located? I can't find anything in /etc/httpd.

Thanks,
Roger

Woger
Posts: 52
Joined: 15 Mar 2017 10:54

Re: letsencrypt problem

Post by Woger » 15 Feb 2018 13:52

OK,
I copied over an ssl.conf from another EFA server and now https is working again. However, I had to install the certs manually.
Is it a bug? I have a standard version of EFA.

Roger

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: letsencrypt problem

Post by shawniverson » 18 Feb 2018 12:04

Yes it is a bug. It is patched, but you would need to fix it yourself since the patch lives in the 3.0.2.6 update.
Version 3.0.2.6 released! Update now to keep your eFa secure!

solarthread
Posts: 15
Joined: 04 Mar 2015 11:17

Re: letsencrypt problem

Post by solarthread » 09 May 2018 13:50

I'm seeing this same issue on a system running 3.0.2.6

Any ideas Shawn?

edit: fixed it myself.

You have to -

disable lets encrypt
disable https redirection
modify /etc/httpd/conf.d/ssl.conf and remove the Include lets encrypt line at the end
start webmin
go into webmin, apache, create a new virtual site for port 80 point to /var/www/html
enable lets encrypt
modify /etc/httpd/conf/httpd.conf and remove the Listen 443 line that has been injected
restart httpd
remove the port 80 virtual site via webmin
reenable https redirection

There seems to be a bug in the way letsencrypt works if it's already in place. It might need some script adjustments perhaps.
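A pre-flight check for the two config defects those steps remove by hand (the dangling Include of options-ssl-apache.conf left in ssl.conf, and the Listen 443 injected into httpd.conf beside the one in ssl.conf). This is an added example, not EFA's func_letsencrypt script or any Apache tool; it runs against a constructed config tree in a temp directory, and its directive handling is a deliberate subset of Apache's parser.

```python
"""Pre-flight lint for an Apache httpd config tree (added example, not EFA's
script). It catches, before apachectl configtest or a restart, the two defects
the steps above work around: an Include whose target no longer exists (the
options-ssl-apache.conf include left in ssl.conf) and a Listen spec declared in
two files (the Listen 443 injected into httpd.conf beside the one in ssl.conf).
Only Include/IncludeOptional/Listen/ServerRoot are interpreted.
"""
import glob
import os
import re
import tempfile
from collections import defaultdict

# Apache directive names are case-insensitive; values may be quoted.
DIRECTIVE_RE = re.compile(
    r'^\s*(Include|IncludeOptional|Listen|ServerRoot)\s+(.+?)\s*$', re.IGNORECASE)


def _unquote(value):
    return value.strip().strip('"').strip("'")


def normalize_listen(value):
    """'443' or '443 https' -> '*:443' (a bare port binds every address);
    '10.0.0.1:443' stays as written. Two lines with one spec make httpd fail
    to bind with 'Address already in use'."""
    spec = value.split()[0]            # drop the optional protocol argument
    return ('*:' + spec if spec.isdigit() else spec).lower()


def lint_apache_config(main_conf):
    """Walk main_conf and every file it includes. Returns
    {'missing_includes': [(file, line, target)], 'duplicate_listens': {spec: [(file, line)]}}."""
    missing, listens, seen = [], defaultdict(list), set()
    # Relative Include paths resolve against ServerRoot; until that directive is
    # read, the directory holding main_conf stands in for it.
    server_root = [os.path.dirname(os.path.abspath(main_conf))]

    def resolve(target):
        path = target if os.path.isabs(target) else os.path.join(server_root[0], target)
        if os.path.isdir(path):        # 'Include conf.d' means every file in it
            path = os.path.join(path, '*')
        return sorted(p for p in glob.glob(path) if os.path.isfile(p))

    def walk(conf):
        conf = os.path.abspath(conf)
        if conf in seen:               # guard against Include loops
            return
        seen.add(conf)
        with open(conf) as fh:
            for lineno, line in enumerate(fh, 1):
                m = DIRECTIVE_RE.match(line)
                if not m:
                    continue
                name, value = m.group(1).lower(), _unquote(m.group(2))
                if name == 'serverroot':
                    server_root[0] = value
                elif name == 'listen':
                    listens[normalize_listen(value)].append((conf, lineno))
                else:
                    targets = resolve(value)
                    if not targets and name == 'include':   # IncludeOptional may be empty
                        missing.append((conf, lineno, value))
                    for target in targets:
                        walk(target)

    walk(main_conf)
    return {'missing_includes': missing,
            'duplicate_listens': {s: l for s, l in listens.items() if len(l) > 1}}


def format_report(result):
    """Render findings in the style of httpd's own 'line N of FILE' messages."""
    lines = ['dangling Include on line %d of %s: %s does not exist' % (n, f, t)
             for f, n, t in result['missing_includes']]
    for spec, locs in result['duplicate_listens'].items():
        where = ', '.join('%s:%d' % loc for loc in locs)
        lines.append('Listen %s declared more than once (%s)' % (spec, where))
    return lines


def build_sample_tree(root):
    """Constructed config tree reproducing the thread's two defects (not real EFA files)."""
    os.makedirs(os.path.join(root, 'conf.d'))
    dangling = os.path.join(root, 'letsencrypt', 'options-ssl-apache.conf')  # never created
    with open(os.path.join(root, 'httpd.conf'), 'w') as fh:
        fh.write('ServerRoot "%s"\nListen 80\nInclude conf.d/*.conf\n' % root)
        fh.write('Listen 443\n')       # the injected line the steps above remove
    with open(os.path.join(root, 'conf.d', 'ssl.conf'), 'w') as fh:
        fh.write('Listen 443\n<VirtualHost _default_:443>\nSSLEngine on\n')
        fh.write('Include %s\n</VirtualHost>\n' % dangling)
    return os.path.join(root, 'httpd.conf')


def demo():
    """Lint the constructed tree; returns (findings dict, report lines)."""
    result = lint_apache_config(build_sample_tree(tempfile.mkdtemp(prefix='efa-httpd-')))
    return result, format_report(result)


if __name__ == '__main__':
    for line in demo()[1]:
        print(line)
```

Pointing lint_apache_config at /etc/httpd/conf/httpd.conf on a real box reports the same two findings before httpd is asked to restart.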

e-d-i-t
Posts: 54
Joined: 27 Apr 2016 19:28

Re: letsencrypt problem

Post by e-d-i-t » 15 May 2018 13:35

I tried to install a certificate first using the https settings but in the end it failed to start httpd again.
So I tried to use LetsEncrypt but of course that doesn't solve the problem.

I have created a multidomain certificate for both mailserver and EFA gateway.

How do I properly install a valid commercial certificate so that TLS is covered and httpd is running also with that certificate on 443?

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 01 Jun 2018 12:18

I have the same problem.
Installed a fresh VM image (3.0.2.5) and tried to activate Let's Encrypt without luck.
I reinstalled the image and upgraded to 3.0.2.6 and still have the same problem.

I checked that I can access http://my.domain.com/.well-known/acme-c ... index.html and https://my.domain.com/.well-known/acme- ... index.html through my firewall.

But I still get the
httpd: Syntax error on line 207 of /etc/httpd/conf/httpd.conf: Syntax error on line 221 of /etc/httpd/conf.d/ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory

Any suggestions?

///Peter!

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: letsencrypt problem

Post by shawniverson » 01 Jun 2018 19:11

Hi,

Let me spin up an instance and see what is going wrong. I'm sure the script has a few issues...

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 02 Jun 2018 23:12

I made a fresh install from OVF to my ESXi 6.5 host.
I went through the initial setup with IP, hostname, DNS, gateway, username and so on.

I ran 14 Update Now from the console; first it upgraded the kernel and rebooted, and once more for all software and rebooted again.
Then I tried to enable Let's Encrypt
And I see that there is some problem with the Python virtual environment.

This is a screenshot of me enabling Let's Encrypt

Would you like to Enable Let's Encrypt? [y/n/c]
y
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* EFA: dl3.efa-project.org
* base: mirror.nsc.liu.se
* epel: mirror.nsc.liu.se
* extras: mirror.nsc.liu.se
* mariadb: mirror.i3d.net
* remi-php72: mirror.netsite.dk
* remi-safe: mirror.netsite.dk
* updates: mirror.nsc.liu.se
Package gcc-4.4.7-18.el6_9.2.x86_64 already installed and latest version
Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
Package openssl-1.0.1e-57.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.el6_9.noarch already installed and latest version
Package python-2.6.6-66.el6_8.x86_64 already installed and latest version
Package 1:mod_ssl-2.2.15-60.el6.centos.6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installed
---> Package python-devel.x86_64 0:2.6.6-66.el6_8 will be installed
---> Package python-pip.noarch 0:7.1.0-1.el6 will be installed
---> Package python-tools.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: tkinter = 2.6.6-66.el6_8 for package: python-tools-2.6.6-66.el6_8.x86_64
---> Package python-virtualenv.noarch 0:12.0.7-1.el6 will be installed
--> Running transaction check
---> Package tkinter.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: libtk8.5.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Processing Dependency: libtcl8.5.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Processing Dependency: libTix.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Running transaction check
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installed
---> Package tix.x86_64 1:8.4.3-5.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
libffi-devel x86_64 3.0.5-3.2.el6 base 18 k
python-devel x86_64 2.6.6-66.el6_8 base 173 k
python-pip noarch 7.1.0-1.el6 epel 1.5 M
python-tools x86_64 2.6.6-66.el6_8 base 871 k
python-virtualenv noarch 12.0.7-1.el6 epel 1.7 M
Installing for dependencies:
tcl x86_64 1:8.5.7-6.el6 base 1.9 M
tix x86_64 1:8.4.3-5.el6 base 252 k
tk x86_64 1:8.5.7-5.el6 base 1.4 M
tkinter x86_64 2.6.6-66.el6_8 base 258 k

Transaction Summary
================================================================================
Install 9 Package(s)

Total download size: 8.1 M
Installed size: 21 M
Downloading Packages:
(1/9): libffi-devel-3.0.5-3.2.el6.x86_64.rpm | 18 kB 00:00
(2/9): python-devel-2.6.6-66.el6_8.x86_64.rpm | 173 kB 00:00
(3/9): python-pip-7.1.0-1.el6.noarch.rpm | 1.5 MB 00:00
(4/9): python-tools-2.6.6-66.el6_8.x86_64.rpm | 871 kB 00:00
(5/9): python-virtualenv-12.0.7-1.el6.noarch.rpm | 1.7 MB 00:00
(6/9): tcl-8.5.7-6.el6.x86_64.rpm | 1.9 MB 00:00
(7/9): tix-8.4.3-5.el6.x86_64.rpm | 252 kB 00:00
(8/9): tk-8.5.7-5.el6.x86_64.rpm | 1.4 MB 00:00
(9/9): tkinter-2.6.6-66.el6_8.x86_64.rpm | 258 kB 00:00
--------------------------------------------------------------------------------
Total 10 MB/s | 8.1 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:tcl-8.5.7-6.el6.x86_64 1/9
Installing : 1:tk-8.5.7-5.el6.x86_64 2/9
Installing : 1:tix-8.4.3-5.el6.x86_64 3/9
Installing : tkinter-2.6.6-66.el6_8.x86_64 4/9
Installing : python-devel-2.6.6-66.el6_8.x86_64 5/9
Installing : python-virtualenv-12.0.7-1.el6.noarch 6/9
Installing : python-tools-2.6.6-66.el6_8.x86_64 7/9
Installing : libffi-devel-3.0.5-3.2.el6.x86_64 8/9
Installing : python-pip-7.1.0-1.el6.noarch 9/9
Verifying : python-pip-7.1.0-1.el6.noarch 1/9
Verifying : python-devel-2.6.6-66.el6_8.x86_64 2/9
Verifying : tkinter-2.6.6-66.el6_8.x86_64 3/9
Verifying : libffi-devel-3.0.5-3.2.el6.x86_64 4/9
Verifying : python-virtualenv-12.0.7-1.el6.noarch 5/9
Verifying : 1:tcl-8.5.7-6.el6.x86_64 6/9
Verifying : 1:tk-8.5.7-5.el6.x86_64 7/9
Verifying : 1:tix-8.4.3-5.el6.x86_64 8/9
Verifying : python-tools-2.6.6-66.el6_8.x86_64 9/9

Installed:
libffi-devel.x86_64 0:3.0.5-3.2.el6 python-devel.x86_64 0:2.6.6-66.el6_8
python-pip.noarch 0:7.1.0-1.el6 python-tools.x86_64 0:2.6.6-66.el6_8
python-virtualenv.noarch 0:12.0.7-1.el6

Dependency Installed:
tcl.x86_64 1:8.5.7-6.el6 tix.x86_64 1:8.4.3-5.el6
tk.x86_64 1:8.5.7-5.el6 tkinter.x86_64 0:2.6.6-66.el6_8

Complete!
Upgrading certbot-auto 0.18.2 to 0.24.0...
Replacing certbot-auto...
Creating virtual environment...
Cannot find any Pythons; please install one!

Starting httpd: [ OK ]

Applying new cert to webmin!
cat: /etc/letsencrypt/live/efa.mydomain.com/privkey.pem: No such file or directory
cat: /etc/letsencrypt/live/efa.mydomain.com/cert.pem: No such file or directory
Stopping Webmin server in /usr/libexec/webmin
I've updated the Webmin cert
I've added a monthly renewal task.
I'm updating Postfix to use the new cert!
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
Postfix cert has been changed!

Let's Encrypt has been enabled

Press [Enter] key to continue...


Or is this normal?
Anyway the Let's Encrypt certificate does not enroll...

///Peter!
Last edited by pethson on 05 Jun 2018 07:55, edited 1 time in total.

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 02 Jun 2018 23:49

Hmmm

I went back to disable Let's Encrypt, only to find that it was not enabled.
I tried to enable it again.
This is the result...

Would you like to Enable Let's Encrypt? [y/n/c]
y
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* EFA: dl3.efa-project.org
* base: mirror.nsc.liu.se
* epel: mirror.nsc.liu.se
* extras: mirror.nsc.liu.se
* mariadb: mirror.i3d.net
* remi-php72: mirror.netsite.dk
* remi-safe: mirror.netsite.dk
* updates: mirror.nsc.liu.se
Package gcc-4.4.7-18.el6_9.2.x86_64 already installed and latest version
Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
Package openssl-1.0.1e-57.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.x86_64 already installed and latest version
Package libffi-devel-3.0.5-3.2.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.el6_9.noarch already installed and latest version
Package 1:mod_ssl-2.2.15-60.el6.centos.6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package python34.x86_64 0:3.4.5-4.el6 will be installed
--> Processing Dependency: python34-libs(x86-64) = 3.4.5-4.el6 for package: python34-3.4.5-4.el6.x86_64
--> Processing Dependency: libpython3.4m.so.1.0()(64bit) for package: python34-3.4.5-4.el6.x86_64
---> Package python34-devel.x86_64 0:3.4.5-4.el6 will be installed
--> Processing Dependency: python3-rpm-macros for package: python34-devel-3.4.5-4.el6.x86_64
--> Processing Dependency: python-rpm-macros for package: python34-devel-3.4.5-4.el6.x86_64
---> Package python34-tools.x86_64 0:3.4.5-4.el6 will be installed
--> Processing Dependency: python34-tkinter = 3.4.5-4.el6 for package: python34-tools-3.4.5-4.el6.x86_64
--> Running transaction check
---> Package python-rpm-macros.noarch 0:3-11.el6 will be installed
--> Processing Dependency: python-srpm-macros for package: python-rpm-macros-3-11.el6.noarch
---> Package python3-rpm-macros.noarch 0:3-11.el6 will be installed
---> Package python34-libs.x86_64 0:3.4.5-4.el6 will be installed
---> Package python34-tkinter.x86_64 0:3.4.5-4.el6 will be installed
--> Running transaction check
---> Package python-srpm-macros.noarch 0:3-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
python34 x86_64 3.4.5-4.el6 epel 50 k
python34-devel x86_64 3.4.5-4.el6 epel 186 k
python34-tools x86_64 3.4.5-4.el6 epel 425 k
Installing for dependencies:
python-rpm-macros noarch 3-11.el6 epel 5.4 k
python-srpm-macros noarch 3-11.el6 epel 4.8 k
python3-rpm-macros noarch 3-11.el6 epel 4.9 k
python34-libs x86_64 3.4.5-4.el6 epel 8.3 M
python34-tkinter x86_64 3.4.5-4.el6 epel 336 k

Transaction Summary
================================================================================
Install 8 Package(s)

Total download size: 9.3 M
Installed size: 32 M
Downloading Packages:
(1/8): python-rpm-macros-3-11.el6.noarch.rpm | 5.4 kB 00:00
(2/8): python-srpm-macros-3-11.el6.noarch.rpm | 4.8 kB 00:00
(3/8): python3-rpm-macros-3-11.el6.noarch.rpm | 4.9 kB 00:00
(4/8): python34-3.4.5-4.el6.x86_64.rpm | 50 kB 00:00
(5/8): python34-devel-3.4.5-4.el6.x86_64.rpm | 186 kB 00:00
(6/8): python34-libs-3.4.5-4.el6.x86_64.rpm | 8.3 MB 00:00
(7/8): python34-tkinter-3.4.5-4.el6.x86_64.rpm | 336 kB 00:00
(8/8): python34-tools-3.4.5-4.el6.x86_64.rpm | 425 kB 00:00
--------------------------------------------------------------------------------
Total 14 MB/s | 9.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : python34-libs-3.4.5-4.el6.x86_64 1/8
Installing : python34-3.4.5-4.el6.x86_64 2/8
Installing : python34-tkinter-3.4.5-4.el6.x86_64 3/8
Installing : python3-rpm-macros-3-11.el6.noarch 4/8
Installing : python-srpm-macros-3-11.el6.noarch 5/8
Installing : python-rpm-macros-3-11.el6.noarch 6/8
Installing : python34-devel-3.4.5-4.el6.x86_64 7/8
Installing : python34-tools-3.4.5-4.el6.x86_64 8/8
Verifying : python34-3.4.5-4.el6.x86_64 1/8
Verifying : python34-tkinter-3.4.5-4.el6.x86_64 2/8
Verifying : python34-libs-3.4.5-4.el6.x86_64 3/8
Verifying : python-rpm-macros-3-11.el6.noarch 4/8
Verifying : python-srpm-macros-3-11.el6.noarch 5/8
Verifying : python34-tools-3.4.5-4.el6.x86_64 6/8
Verifying : python3-rpm-macros-3-11.el6.noarch 7/8
Verifying : python34-devel-3.4.5-4.el6.x86_64 8/8

Installed:
python34.x86_64 0:3.4.5-4.el6 python34-devel.x86_64 0:3.4.5-4.el6
python34-tools.x86_64 0:3.4.5-4.el6

Dependency Installed:
python-rpm-macros.noarch 0:3-11.el6 python-srpm-macros.noarch 0:3-11.el6
python3-rpm-macros.noarch 0:3-11.el6 python34-libs.x86_64 0:3.4.5-4.el6
python34-tkinter.x86_64 0:3.4.5-4.el6

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for efa.mydoamin.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. efa.mydoamin.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://efa.mydoamin.com/.well-known/acm ... 9gy_PmiYmo: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px"


IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: efa.mydoamin.com
Type: unauthorized
Detail: Invalid response from
http://efa.mydoamin.com/.well-known/acm ... 9gy_PmiYmo:
"<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0
auto;min-height:600px;min-width:800px"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Starting httpd: [ OK ]

Applying new cert to webmin!
cat: /etc/letsencrypt/live/efa.mydoamin.com/privkey.pem: No such file or directory
cat: /etc/letsencrypt/live/efa.mydoamin.com/cert.pem: No such file or directory
Stopping Webmin server in /usr/libexec/webmin
cat: /var/webmin/miniserv.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
I've updated the Webmin cert
Monthly renewal task already exists.
I'm updating Postfix to use the new cert!
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
Postfix cert has been changed!

Let's Encrypt has been enabled

Press [Enter] key to continue...


If I check the directory /var/www/html there is no directory named .well-known....
I reverted to a snapshot before trying to enable Let's Encrypt the first time
This time I created the directory structure for acme-challenge first, but I got the same result...

I also created a file named index.html in the acme-challenge folder and managed to access it from the internet. Only to be sure the folder was accessible...

///Peter

PS I have covered my domain by changing the domain name here
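A probe for the http-01 failure shown above (an HTML page coming back where the challenge token should be), written as an added example rather than code from Certbot or EFA. It writes a random token under the webroot and fetches it the way the validator does; the loopback servers and the landing-page handler are constructed stand-ins for a correctly configured vhost and for a rewrite that catches every path, and the webroot is a temp directory instead of /var/www/html.

```python
"""Probe whether /.well-known/acme-challenge/ on a webroot is reachable the way
Certbot's http-01 validator expects (added example, not Certbot's or EFA's code).

The failure in the post above is the classic symptom of a redirect or rewrite
rule that sends every path to the web UI: the validator gets an HTML page
instead of the token. The probe writes a random token under the webroot,
fetches it over plain HTTP and classifies what came back.
"""
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

CHALLENGE_DIR = os.path.join('.well-known', 'acme-challenge')


def probe_challenge_path(webroot, base_url, timeout=5):
    """Return (ok, diagnosis) for base_url serving webroot.

    diagnosis is 'ok', 'html-instead' (a page came back where the token should
    be), 'http-<code>' (4xx/5xx), 'unreachable' or 'mismatch'.
    """
    token = secrets.token_urlsafe(32)
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)
    path = os.path.join(target_dir, token)
    with open(path, 'w') as fh:
        fh.write(token)
    url = '%s/.well-known/acme-challenge/%s' % (base_url.rstrip('/'), token)
    # Empty ProxyHandler: go straight to the host, ignoring http_proxy in the env.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            body = resp.read(4096).decode('utf-8', 'replace')
    except urllib.error.HTTPError as err:
        return False, 'http-%d' % err.code
    except (urllib.error.URLError, OSError):
        return False, 'unreachable'
    finally:
        os.remove(path)                 # never leave probe files behind
    if body.strip() == token:
        return True, 'ok'
    if body.lstrip().lower().startswith(('<!doctype', '<html')):
        return False, 'html-instead'
    return False, 'mismatch'


class QuietFiles(SimpleHTTPRequestHandler):
    """Serves the webroot as a correctly configured vhost would; no access log noise."""
    def log_message(self, *args):
        pass


class LandingPageOnly(SimpleHTTPRequestHandler):
    """Stand-in for a rewrite that sends every request to the web UI (constructed)."""
    PAGE = b'<!DOCTYPE html>\n<html><head><meta charset="utf-8"></head></html>\n'

    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-Type', 'text/html')
        self.send_header('Content-Length', str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)

    def log_message(self, *args):
        pass


def _serve(handler):
    """Start handler on an ephemeral loopback port; returns (server, base_url)."""
    server = ThreadingHTTPServer(('127.0.0.1', 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, 'http://127.0.0.1:%d' % server.server_address[1]


def demo():
    """Probe a healthy webroot and a rewritten one; returns both diagnoses."""
    webroot = tempfile.mkdtemp(prefix='efa-webroot-')
    results = {}
    for label, handler in (('healthy', partial(QuietFiles, directory=webroot)),
                           ('rewritten', LandingPageOnly)):
        server, base_url = _serve(handler)
        try:
            results[label] = probe_challenge_path(webroot, base_url)
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == '__main__':
    for label, (ok, why) in demo().items():
        print('%-9s ok=%s (%s)' % (label, ok, why))
```

Against a real gateway, call probe_challenge_path('/var/www/html', 'http://<your hostname>') from the box itself; 'html-instead' means the https redirection or a rewrite is swallowing the challenge path and has to be excluded for /.well-known/ before Certbot can succeed.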

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: letsencrypt problem

Post by shawniverson » 03 Jun 2018 08:45

Those having trouble, please do the following and report back:


sudo mv /var/EFA/lib/EFA-Configure/func_letsencrypt /var/EFA/lib/EFA-Configure/func_letsencrypt.bak
sudo wget -O /var/EFA/lib/EFA-Configure/func_letsencrypt https://raw.githubusercontent.com/E-F-A/v3/3.0.2.6/build/EFA/lib-EFA-Configure/func_letsencrypt

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 03 Jun 2018 11:47

OK, I downloaded the file and tried to run again.

I had to enable Let's Encrypt twice this time too, and I get the same result...

[peter@watch ~]$ sudo mv /var/EFA/lib/EFA-Configure/func_letsencrypt /var/EFA/lib/EFA-Configure/func_letsencrypt.bak
[peter@watch ~]$ sudo wget -O /var/EFA/lib/EFA-Configure/func_letsencrypt https://raw.githubusercontent.com/E-F-A ... etsencrypt
--2018-06-03 13:38:50-- https://raw.githubusercontent.com/E-F-A ... etsencrypt
Resolving raw.githubusercontent.com... 151.101.84.133
Connecting to raw.githubusercontent.com|151.101.84.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7412 (7.2K) [text/plain]
Saving to: “/var/EFA/lib/EFA-Configure/func_letsencrypt”

100%[======================================>] 7,412 --.-K/s in 0s

2018-06-03 13:38:51 (66.9 MB/s) - “/var/EFA/lib/EFA-Configure/func_letsencrypt” saved [7412/7412]

[peter@watch ~]$



Would you like to Enable Let's Encrypt? [y/n/c]
y
Bootstrapping dependencies for RedHat-based OSes... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* EFA: dl3.efa-project.org
* base: mirror.nsc.liu.se
* epel: mirror.nsc.liu.se
* extras: mirror.nsc.liu.se
* mariadb: mirror.i3d.net
* remi-php72: mirror.netsite.dk
* remi-safe: mirror.netsite.dk
* updates: mirror.nsc.liu.se
Package gcc-4.4.7-18.el6_9.2.x86_64 already installed and latest version
Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
Package openssl-1.0.1e-57.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.el6_9.noarch already installed and latest version
Package python-2.6.6-66.el6_8.x86_64 already installed and latest version
Package 1:mod_ssl-2.2.15-60.el6.centos.6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package libffi-devel.x86_64 0:3.0.5-3.2.el6 will be installed
---> Package python-devel.x86_64 0:2.6.6-66.el6_8 will be installed
---> Package python-pip.noarch 0:7.1.0-1.el6 will be installed
---> Package python-tools.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: tkinter = 2.6.6-66.el6_8 for package: python-tools-2.6.6-66.el6_8.x86_64
---> Package python-virtualenv.noarch 0:12.0.7-1.el6 will be installed
--> Running transaction check
---> Package tkinter.x86_64 0:2.6.6-66.el6_8 will be installed
--> Processing Dependency: libtk8.5.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Processing Dependency: libtcl8.5.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Processing Dependency: libTix.so()(64bit) for package: tkinter-2.6.6-66.el6_8.x86_64
--> Running transaction check
---> Package tcl.x86_64 1:8.5.7-6.el6 will be installed
---> Package tix.x86_64 1:8.4.3-5.el6 will be installed
---> Package tk.x86_64 1:8.5.7-5.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
libffi-devel x86_64 3.0.5-3.2.el6 base 18 k
python-devel x86_64 2.6.6-66.el6_8 base 173 k
python-pip noarch 7.1.0-1.el6 epel 1.5 M
python-tools x86_64 2.6.6-66.el6_8 base 871 k
python-virtualenv noarch 12.0.7-1.el6 epel 1.7 M
Installing for dependencies:
tcl x86_64 1:8.5.7-6.el6 base 1.9 M
tix x86_64 1:8.4.3-5.el6 base 252 k
tk x86_64 1:8.5.7-5.el6 base 1.4 M
tkinter x86_64 2.6.6-66.el6_8 base 258 k

Transaction Summary
================================================================================
Install 9 Package(s)

Total download size: 8.1 M
Installed size: 21 M
Downloading Packages:
(1/9): libffi-devel-3.0.5-3.2.el6.x86_64.rpm | 18 kB 00:00
(2/9): python-devel-2.6.6-66.el6_8.x86_64.rpm | 173 kB 00:00
(3/9): python-pip-7.1.0-1.el6.noarch.rpm | 1.5 MB 00:00
(4/9): python-tools-2.6.6-66.el6_8.x86_64.rpm | 871 kB 00:00
(5/9): python-virtualenv-12.0.7-1.el6.noarch.rpm | 1.7 MB 00:00
(6/9): tcl-8.5.7-6.el6.x86_64.rpm | 1.9 MB 00:00
(7/9): tix-8.4.3-5.el6.x86_64.rpm | 252 kB 00:00
(8/9): tk-8.5.7-5.el6.x86_64.rpm | 1.4 MB 00:00
(9/9): tkinter-2.6.6-66.el6_8.x86_64.rpm | 258 kB 00:00
--------------------------------------------------------------------------------
Total 12 MB/s | 8.1 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : 1:tcl-8.5.7-6.el6.x86_64 1/9
Installing : 1:tk-8.5.7-5.el6.x86_64 2/9
Installing : 1:tix-8.4.3-5.el6.x86_64 3/9
Installing : tkinter-2.6.6-66.el6_8.x86_64 4/9
Installing : python-devel-2.6.6-66.el6_8.x86_64 5/9
Installing : python-virtualenv-12.0.7-1.el6.noarch 6/9
Installing : python-tools-2.6.6-66.el6_8.x86_64 7/9
Installing : libffi-devel-3.0.5-3.2.el6.x86_64 8/9
Installing : python-pip-7.1.0-1.el6.noarch 9/9
Verifying : python-pip-7.1.0-1.el6.noarch 1/9
Verifying : python-devel-2.6.6-66.el6_8.x86_64 2/9
Verifying : tkinter-2.6.6-66.el6_8.x86_64 3/9
Verifying : libffi-devel-3.0.5-3.2.el6.x86_64 4/9
Verifying : python-virtualenv-12.0.7-1.el6.noarch 5/9
Verifying : 1:tcl-8.5.7-6.el6.x86_64 6/9
Verifying : 1:tk-8.5.7-5.el6.x86_64 7/9
Verifying : 1:tix-8.4.3-5.el6.x86_64 8/9
Verifying : python-tools-2.6.6-66.el6_8.x86_64 9/9

Installed:
libffi-devel.x86_64 0:3.0.5-3.2.el6 python-devel.x86_64 0:2.6.6-66.el6_8
python-pip.noarch 0:7.1.0-1.el6 python-tools.x86_64 0:2.6.6-66.el6_8
python-virtualenv.noarch 0:12.0.7-1.el6

Dependency Installed:
tcl.x86_64 1:8.5.7-6.el6 tix.x86_64 1:8.4.3-5.el6
tk.x86_64 1:8.5.7-5.el6 tkinter.x86_64 0:2.6.6-66.el6_8

Complete!
Upgrading certbot-auto 0.18.2 to 0.24.0...
Replacing certbot-auto...
Creating virtual environment...
Cannot find any Pythons; please install one!
Starting httpd:

Applying new cert to webmin!
cat: /etc/letsencrypt/live/efa.mydoamin.com/privkey.pem: No such file or directory
cat: /etc/letsencrypt/live/efa.mydoamin.com/cert.pem: No such file or directory
Stopping Webmin server in /usr/libexec/webmin
I've updated the Webmin cert
I've added a monthly renewal task.
I'm updating Postfix to use the new cert!
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
Postfix cert has been changed!

Let's Encrypt has been enabled

Press [Enter] key to continue...

Would you like to Enable Let's Encrypt? [y/n/c]
y
Bootstrapping dependencies for RedHat-based OSes that will use Python3... (you can skip this with --no-bootstrap)
yum is /usr/bin/yum
yum is hashed (/usr/bin/yum)
Loaded plugins: fastestmirror, security
Setting up Install Process
Loading mirror speeds from cached hostfile
* EFA: dl3.efa-project.org
* base: mirror.nsc.liu.se
* epel: mirror.nsc.liu.se
* extras: mirror.nsc.liu.se
* mariadb: mirror.i3d.net
* remi-php72: mirror.netsite.dk
* remi-safe: mirror.netsite.dk
* updates: mirror.nsc.liu.se
Package gcc-4.4.7-18.el6_9.2.x86_64 already installed and latest version
Package augeas-libs-1.0.0-10.el6.x86_64 already installed and latest version
Package openssl-1.0.1e-57.el6.x86_64 already installed and latest version
Package openssl-devel-1.0.1e-57.el6.x86_64 already installed and latest version
Package libffi-devel-3.0.5-3.2.el6.x86_64 already installed and latest version
Package redhat-rpm-config-9.0.3-51.el6.centos.noarch already installed and latest version
Package ca-certificates-2017.2.14-65.0.1.el6_9.noarch already installed and latest version
Package 1:mod_ssl-2.2.15-60.el6.centos.6.x86_64 already installed and latest version
Resolving Dependencies
--> Running transaction check
---> Package python34.x86_64 0:3.4.5-4.el6 will be installed
--> Processing Dependency: python34-libs(x86-64) = 3.4.5-4.el6 for package: python34-3.4.5-4.el6.x86_64
--> Processing Dependency: libpython3.4m.so.1.0()(64bit) for package: python34-3.4.5-4.el6.x86_64
---> Package python34-devel.x86_64 0:3.4.5-4.el6 will be installed
--> Processing Dependency: python3-rpm-macros for package: python34-devel-3.4.5-4.el6.x86_64
--> Processing Dependency: python-rpm-macros for package: python34-devel-3.4.5-4.el6.x86_64
---> Package python34-tools.x86_64 0:3.4.5-4.el6 will be installed
--> Processing Dependency: python34-tkinter = 3.4.5-4.el6 for package: python34-tools-3.4.5-4.el6.x86_64
--> Running transaction check
---> Package python-rpm-macros.noarch 0:3-11.el6 will be installed
--> Processing Dependency: python-srpm-macros for package: python-rpm-macros-3-11.el6.noarch
---> Package python3-rpm-macros.noarch 0:3-11.el6 will be installed
---> Package python34-libs.x86_64 0:3.4.5-4.el6 will be installed
---> Package python34-tkinter.x86_64 0:3.4.5-4.el6 will be installed
--> Running transaction check
---> Package python-srpm-macros.noarch 0:3-11.el6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
python34 x86_64 3.4.5-4.el6 epel 50 k
python34-devel x86_64 3.4.5-4.el6 epel 186 k
python34-tools x86_64 3.4.5-4.el6 epel 425 k
Installing for dependencies:
python-rpm-macros noarch 3-11.el6 epel 5.4 k
python-srpm-macros noarch 3-11.el6 epel 4.8 k
python3-rpm-macros noarch 3-11.el6 epel 4.9 k
python34-libs x86_64 3.4.5-4.el6 epel 8.3 M
python34-tkinter x86_64 3.4.5-4.el6 epel 336 k

Transaction Summary
================================================================================
Install 8 Package(s)

Total download size: 9.3 M
Installed size: 32 M
Downloading Packages:
(1/8): python-rpm-macros-3-11.el6.noarch.rpm | 5.4 kB 00:00
(2/8): python-srpm-macros-3-11.el6.noarch.rpm | 4.8 kB 00:00
(3/8): python3-rpm-macros-3-11.el6.noarch.rpm | 4.9 kB 00:00
(4/8): python34-3.4.5-4.el6.x86_64.rpm | 50 kB 00:00
(5/8): python34-devel-3.4.5-4.el6.x86_64.rpm | 186 kB 00:00
(6/8): python34-libs-3.4.5-4.el6.x86_64.rpm | 8.3 MB 00:00
(7/8): python34-tkinter-3.4.5-4.el6.x86_64.rpm | 336 kB 00:00
(8/8): python34-tools-3.4.5-4.el6.x86_64.rpm | 425 kB 00:00
--------------------------------------------------------------------------------
Total 13 MB/s | 9.3 MB 00:00
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : python34-libs-3.4.5-4.el6.x86_64 1/8
Installing : python34-3.4.5-4.el6.x86_64 2/8
Installing : python34-tkinter-3.4.5-4.el6.x86_64 3/8
Installing : python3-rpm-macros-3-11.el6.noarch 4/8
Installing : python-srpm-macros-3-11.el6.noarch 5/8
Installing : python-rpm-macros-3-11.el6.noarch 6/8
Installing : python34-devel-3.4.5-4.el6.x86_64 7/8
Installing : python34-tools-3.4.5-4.el6.x86_64 8/8
Verifying : python34-3.4.5-4.el6.x86_64 1/8
Verifying : python34-tkinter-3.4.5-4.el6.x86_64 2/8
Verifying : python34-libs-3.4.5-4.el6.x86_64 3/8
Verifying : python-rpm-macros-3-11.el6.noarch 4/8
Verifying : python-srpm-macros-3-11.el6.noarch 5/8
Verifying : python34-tools-3.4.5-4.el6.x86_64 6/8
Verifying : python3-rpm-macros-3-11.el6.noarch 7/8
Verifying : python34-devel-3.4.5-4.el6.x86_64 8/8

Installed:
python34.x86_64 0:3.4.5-4.el6 python34-devel.x86_64 0:3.4.5-4.el6
python34-tools.x86_64 0:3.4.5-4.el6

Dependency Installed:
python-rpm-macros.noarch 0:3-11.el6 python-srpm-macros.noarch 0:3-11.el6
python3-rpm-macros.noarch 0:3-11.el6 python34-libs.x86_64 0:3.4.5-4.el6
python34-tkinter.x86_64 0:3.4.5-4.el6

Complete!
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer apache
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for efa.mydoamin.com
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. efa.mydoamin.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://efa.mydoamin.com/.well-known/acm ... x6NJnAyWzU: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: efa.mydoamin.com
Type: unauthorized
Detail: Invalid response from
http://efa.mydoamin.com/.well-known/acm ... x6NJnAyWzU:
"<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0
auto;min-height:600px;min-width:800px"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
Starting httpd: [ OK ]

Applying new cert to webmin!
cat: /etc/letsencrypt/live/efa.mydoamin.com/privkey.pem: No such file or directory
cat: /etc/letsencrypt/live/efa.mydoamin.com/cert.pem: No such file or directory
Stopping Webmin server in /usr/libexec/webmin
cat: /var/webmin/miniserv.pid: No such file or directory
kill: usage: kill [-s sigspec | -n signum | -sigspec] pid | jobspec ... or kill -l [sigspec]
I've updated the Webmin cert
Monthly renewal task already exists.
I'm updating Postfix to use the new cert!
Shutting down postfix: [ OK ]
Starting postfix: [ OK ]
Postfix cert has been changed!

Let's Encrypt has been enabled

Press [Enter] key to continue...




///Peter!

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: letsencrypt problem

Post by shawniverson » 05 Jun 2018 19:36

Based on that output, besides the script having poor error handling, which I will address in v4, certbot is having trouble validating your site.

Do you have port 80 open so that it can perform the verification?
Version 3.0.2.6 released! Update now to keep your eFa secure!

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 05 Jun 2018 22:27

I can access http://efa.mydomain.com/.well-known/acm ... index.html when I put an index.html file in that directory. I can also access it through https.
The firewall (pfSense with HA reverse proxy) is restricting http traffic on port 80 so it will only be able to access subdirectories of http://efa.mydomain.com/.well-known.
Could that be a problem?

///Peter

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 07 Jun 2018 09:17

This is what /var/log/letsencrypt/letsencrypt.log looks like, if that helps...

2018-06-07 10:58:16,272:DEBUG:certbot.main:certbot version: 0.25.0
2018-06-07 10:58:16,273:DEBUG:certbot.main:Arguments: ['--authenticator', 'webroot', '--webroot-path', '/var/www/html', '--installer', 'apache', '--domains', 'watch.mydoamin.com', '--non-interactive', '--no-redirect', '--agree-tos', '-m', 'peter@mydoamin.com', '--rsa-key-size', '4096', '--hsts']
2018-06-07 10:58:16,273:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-06-07 10:58:16,305:DEBUG:certbot.log:Root logging level set at 20
2018-06-07 10:58:16,307:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-06-07 10:58:16,308:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer apache
2018-06-07 10:58:16,373:DEBUG:certbot_apache.configurator:Apache version is 2.2.15
2018-06-07 10:58:17,112:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin - Beta
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
Initialized: <certbot_apache.override_centos.CentOSConfigurator object at 0x7efcf0c867b8>
Prep: True
2018-06-07 10:58:17,123:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7efcf0c48cc0>
Prep: True
2018-06-07 10:58:17,123:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7efcf0c48cc0> and installer <certbot_apache.override_centos.CentOSConfigurator object at 0x7efcf0c867b8>
2018-06-07 10:58:17,124:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer apache
2018-06-07 10:58:17,702:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-06-07 10:58:17,711:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-06-07 10:58:17,951:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2018-06-07 10:58:17,952:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 658
Replay-Nonce: 2i_11j1DNgtbANqObxEZ0y9l3VEAI_3oItKmcyqM1Dk
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 07 Jun 2018 08:58:17 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:17 GMT
Connection: keep-alive

{
"key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"terms-of-service": "https://letsencrypt.org/documents/LE-SA ... 5-2017.pdf",
"website": "https://letsencrypt.org"
},
"new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
"new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
"new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
"revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
"uP33R8-UjDA": "https://community.letsencrypt.org/t/add ... tory/33417"
}
2018-06-07 10:58:17,953:DEBUG:acme.client:Requesting fresh nonce
2018-06-07 10:58:17,953:DEBUG:acme.client:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-reg.
2018-06-07 10:58:18,146:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-reg HTTP/1.1" 405 0
2018-06-07 10:58:18,147:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Replay-Nonce: -ifVwLmuC7hWpR2uxCJfKi3BufyMgKWl3_ajTiLlUuI
Expires: Thu, 07 Jun 2018 08:58:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:18 GMT
Connection: keep-alive


2018-06-07 10:58:18,147:DEBUG:acme.client:Storing nonce: -ifVwLmuC7hWpR2uxCJfKi3BufyMgKWl3_ajTiLlUuI
2018-06-07 10:58:18,147:DEBUG:acme.client:JWS payload:
b'{\n "resource": "new-reg",\n "contact": [\n "mailto:peter@mydoamin.com"\n ]\n}'
2018-06-07 10:58:18,169:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-reg:
{
"protected": "secret",
"payload": "secret",
"signature": "secret"
}
2018-06-07 10:58:18,469:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-reg HTTP/1.1" 201 925
2018-06-07 10:58:18,471:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 925
Boulder-Requester: 36224591
Link: <https://acme-v01.api.letsencrypt.org/ac ... ;rel="next", <https://letsencrypt.org/documents/LE-SA ... of-service"
Location: https://acme-v01.api.letsencrypt.org/acme/reg/36224591
Replay-Nonce: kYSa3R5rKbzvDOT91BMk8sj213rsSK-ytSmSXlMrxTE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 07 Jun 2018 08:58:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:18 GMT
Connection: keep-alive

{
"id": a_number,
"key": {
"kty": "RSA",
"n": "secret",
"e": "AQAB"
},
"contact": [
"mailto:peter@mydoamin.com"
],
"initialIp": "my_external_ip",
"createdAt": "2018-06-07T08:58:18.371253165Z",
"status": "valid"
}
2018-06-07 10:58:18,471:DEBUG:acme.client:Storing nonce: kYSa3R5rKbzvDOT91BMk8sj213rsSK-ytSmSXlMrxTE
2018-06-07 10:58:18,472:DEBUG:acme.client:JWS payload:
b'{\n "resource": "reg",\n "key": {\n "n": "4NfHY9moMvBgF3LrsRI0tcIM17XMW1K2KxGwtbJUzTSuDs8BdxVIadPst_5hJncwY7NBp6AZDn4tbCphqVxZJuVvxE6NrJ8r16wRyzzinPYOBWoqh7FroWpqD4lDNEPSqEIpQJddyXL10BjMkf2BusKwJYvCzGUpKTM1GI2slSVInJGMOvnp7QRFIrY6QXXSI3fb_psex5631_CwKGPph_Kmr2poJ5s5g1p9inZY7YZAaptqcsnmUscnn6TdSilTVYHOHBhTCPS_y8zfHKo0LgYUJXPpptWMTqKbqEhgvqEclraWzgbfp0clew74WuQuIADJLlRyeaiMrct4isxKJ4U_5V1PbI4R0U6FLrklnKAtKJqEJvAn_TaLvb3NLkF0BH-TimMUD0RWNCskG0ifel9txjrl9TtyT9D9E2MkbN-R12MdWQoCxbqNKv4mPvPZ5zzwe7aTwoQXRhdTdaFnr3zbHd48Jm69eD6PYPwJVLS1Dyduftlq0MktcQGA5asH_HRaWy9xuWntv7KDvXCn5gLVTlbX9KzOYjAH6oq3HyI1K86C3Id83s1nmzjL8d1dcdxHGfwVnihvEpHd5rMlZKqupd24u0pw-cAhs6zr_LKmQb6zlkB-d35pnZe9pdYx3wa5AcSGnmKYrti_7NbTNxWF9rRdWnfeLm7CUu7Xv00",\n "e": "AQAB",\n "kty": "RSA"\n },\n "agreement": "https://letsencrypt.org/documents/LE-SA ... 17.pdf",\n "status": "valid",\n "contact": [\n "mailto:peter@mydoamin.com"\n ]\n}'
2018-06-07 10:58:18,490:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/reg/36224591:
{
"protected": "secret",
"payload": "secret",
"signature": "secret"
}
2018-06-07 10:58:18,691:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/reg/36224591 HTTP/1.1" 202 999
2018-06-07 10:58:18,692:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 999
Boulder-Requester: 36224591
Link: <https://acme-v01.api.letsencrypt.org/ac ... ;rel="next", <https://letsencrypt.org/documents/LE-SA ... of-service"
Replay-Nonce: hHMRlUjipTUMYWYHhRVdPhFXUoqjXxrzviMonCLhas0
Expires: Thu, 07 Jun 2018 08:58:18 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:18 GMT
Connection: keep-alive

{
"id": a_number,
"key": {
"kty": "RSA",
"n": "secret",
"e": "AQAB"
},
"contact": [
"mailto:peter@mydoamin.com"
],
"agreement": "https://letsencrypt.org/documents/LE-SA ... 5-2017.pdf",
"initialIp": "my_external_ip",
"createdAt": "2018-06-07T08:58:18Z",
"status": "valid"
}
2018-06-07 10:58:18,693:DEBUG:acme.client:Storing nonce: hHMRlUjipTUMYWYHhRVdPhFXUoqjXxrzviMonCLhas0
2018-06-07 10:58:18,696:DEBUG:certbot.reporter:Reporting to user: Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
2018-06-07 10:58:18,700:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(new_authzr_uri=None, uri='https://acme-v01.api.letsencrypt.org/acme/reg/a_number', terms_of_service='https://letsencrypt.org/documents/LE-SA ... 5-2017.pdf', body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7efced8ab978>)>), status='valid', terms_of_service_agreed=None, contact=('mailto:peter@mydoamin.com',), agreement='https://letsencrypt.org/documents/LE-SA ... 5-2017.pdf')), 2c6a70893bd91f11f9ad763967ea38a5, Meta(creation_host='watch.mydoamin.com', creation_dt=datetime.datetime(2018, 6, 7, 8, 58, 18, tzinfo=<UTC>)))>
2018-06-07 10:58:18,702:INFO:certbot.main:Obtaining a new certificate
2018-06-07 10:58:21,152:DEBUG:certbot.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0000_key-certbot.pem
2018-06-07 10:58:21,169:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-certbot.pem
2018-06-07 10:58:21,170:DEBUG:acme.client:JWS payload:
b'{\n "resource": "new-authz",\n "identifier": {\n "type": "dns",\n "value": "watch.mydoamin.com"\n }\n}'
2018-06-07 10:58:21,188:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
{
"protected": "secret",
"payload": "secret",
"signature": "secret"
}
2018-06-07 10:58:21,403:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 727
2018-06-07 10:58:21,404:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 727
Boulder-Requester: 36224591
Link: <https://acme-v01.api.letsencrypt.org/ac ... ;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/secret
Replay-Nonce: ikXtFPHJSGy1-6d6NEqefcKJJl_vaiFpdL0YebLX00w
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 07 Jun 2018 08:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:21 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": "watch.mydoamin.com"
},
"status": "pending",
"expires": "2018-06-14T08:58:21Z",
"challenges": [
{
"type": "dns-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/ac ... nge/secret",
"token": "secret"
},
{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/ac ... nge/secret",
"token": "secret"
}
],
"combinations": [
[
1
],
[
0
]
]
}
2018-06-07 10:58:21,429:DEBUG:acme.client:Storing nonce: ikXtFPHJSGy1-6d6NEqefcKJJl_vaiFpdL0YebLX00w
2018-06-07 10:58:21,432:INFO:certbot.auth_handler:Performing the following challenges:
2018-06-07 10:58:21,432:INFO:certbot.auth_handler:http-01 challenge for watch.mydoamin.com
2018-06-07 10:58:21,432:INFO:certbot.plugins.webroot:Using the webroot path /var/www/html for all unmatched domains.
2018-06-07 10:58:21,433:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2018-06-07 10:58:21,440:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/secret
2018-06-07 10:58:21,440:INFO:certbot.auth_handler:Waiting for verification...
2018-06-07 10:58:21,440:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01",\n "keyAuthorization": "secret.secret"\n}'
2018-06-07 10:58:21,458:DEBUG:acme.client:Sending POST request to https://acme-v01.api.letsencrypt.org/ac ... nge/secret:
{
"protected": "secret",
"payload": "secret",
"signature": "secret"
}
2018-06-07 10:58:21,663:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/challenge/secret HTTP/1.1" 202 336
2018-06-07 10:58:21,664:DEBUG:acme.client:Received response:
HTTP 202
Server: nginx
Content-Type: application/json
Content-Length: 336
Boulder-Requester: 36224591
Link: <https://acme-v01.api.letsencrypt.org/ac ... t>;rel="up"
Location: https://acme-v01.api.letsencrypt.org/ac ... nge/secret
Replay-Nonce: 78UlKRDWfomZLkxSqmsT3v0rkuk-UFsTy0kyo6V8gK4
Expires: Thu, 07 Jun 2018 08:58:21 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:21 GMT
Connection: keep-alive

{
"type": "http-01",
"status": "pending",
"uri": "https://acme-v01.api.letsencrypt.org/ac ... nge/secret",
"token": "secret",
"keyAuthorization": "secret"
}
2018-06-07 10:58:21,664:DEBUG:acme.client:Storing nonce: 78UlKRDWfomZLkxSqmsT3v0rkuk-UFsTy0kyo6V8gK4
2018-06-07 10:58:24,668:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/acme/authz/secret.
2018-06-07 10:58:24,973:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /acme/authz/secret HTTP/1.1" 200 1640
2018-06-07 10:58:24,975:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 1640
Link: <https://acme-v01.api.letsencrypt.org/ac ... ;rel="next"
Replay-Nonce: R3NYlfkgCeRb3yChAgjTq_YJBTY5fGXGfwN3po2_jxg
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Thu, 07 Jun 2018 08:58:24 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Thu, 07 Jun 2018 08:58:24 GMT
Connection: keep-alive

{
"identifier": {
"type": "dns",
"value": "watch.mydoamin.com"
},
"status": "invalid",
"expires": "2018-06-14T08:58:21Z",
"challenges": [
{
"type": "dns-01",
"status": "invalid",
"uri": "https://acme-v01.api.letsencrypt.org/ac ... nge/secret",
"token": "secret"
},
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:acme:error:unauthorized",
"detail": "Invalid response from http://watch.mydoamin.com/.well-known/a ... nge/secret: \"\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n\u003chead\u003e\n\u003cmeta charset=\"utf-8\"\u003e\n\u003cstyle\u003ehtml{height:100%}body{margin:0 auto;min-height:600px;min-width:800px\"",
"status": 403
},
"uri": "https://acme-v01.api.letsencrypt.org/ac ... nge/secret",
"token": "secret",
"keyAuthorization": "secret",
"validationRecord": [
{
"url": "http://watch.mydoamin.com/.well-known/a ... nge/secret",
"hostname": "watch.mydoamin.com",
"port": "80",
"addressesResolved": [
"my_external_ip"
],
"addressUsed": "my_external_ip"
}
]
}
],
"combinations": [
[
1
],
[
0
]
]
}
2018-06-07 10:58:24,976:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: watch.mydoamin.com
Type: unauthorized
Detail: Invalid response from http://watch.mydoamin.com/.well-known/a ... nge/secret: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
2018-06-07 10:58:24,977:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. watch.mydoamin.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://watch.mydoamin.com/.well-known/a ... nge/secret: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px"

2018-06-07 10:58:24,977:DEBUG:certbot.error_handler:Calling registered functions
2018-06-07 10:58:24,977:INFO:certbot.auth_handler:Cleaning up challenges
2018-06-07 10:58:24,977:DEBUG:certbot.plugins.webroot:Removing /var/www/html/.well-known/acme-challenge/secret
2018-06-07 10:58:24,978:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2018-06-07 10:58:24,978:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
load_entry_point('letsencrypt==0.7.0', 'console_scripts', 'letsencrypt')()
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1323, in main
return config.func(config, plugins)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 1086, in run
certname, lineage)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/main.py", line 120, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 383, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 326, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/client.py", line 362, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
self._respond(aauthzrs, resp, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 155, in _respond
self._poll_challenges(aauthzrs, chall_update, best_effort)
File "/opt/eff.org/certbot/venv/lib64/python3.4/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. watch.mydoamin.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://watch.mydoamin.com/.well-known/a ... nge/secret: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>html{height:100%}body{margin:0 auto;min-height:600px;min-width:800px"


///Peter

pethson
Posts: 7
Joined: 01 Jun 2018 12:12

Re: letsencrypt problem

Post by pethson » 10 Jun 2018 20:04

Thanks for all the assistance.
I managed to get it working. It was something with my firewall rule. Sorry!!!

///Peter

gojensen
Posts: 3
Joined: 07 Dec 2016 14:44

Re: letsencrypt problem

Post by gojensen » 31 Jul 2018 10:23

So I got the same issue as OP... it was running fine, but letsencrypt was sending me mails about renewing so I figured I would. Disabled LetsEncrypt and tried to re-enable it, and now "nothing" works...

Starting httpd: httpd: Syntax error on line 207 of /etc/httpd/conf/httpd.conf: Syntax error on line 221 of /etc/httpd/conf.d/ssl.conf: Could not open configuration file /etc/letsencrypt/options-ssl-apache.conf: No such file or directory


Which is correct as there is no such file as options-ssl-apache.conf at /etc/letsencrypt

I'm also running the latest version (.6) - further I can't access webmin either (not sure why, though I have 0 experience with it) to try the "fix" someone mentioned. Downloading the func-letsencrypt is no go because the new file is identical to the old one according to diff.

There is an options-ssl-apache.conf file at /opt/eff.org/certbot/venv/lib/python3.4/site-packages/certbot_apache/ but I'm not sure it's the same file? Trying to use it throws an error on SSLCompression.

Actually there doesn't seem to be a lot in the /etc/letsencrypt at all... (only some empty folders after re-enabling letsencrypt in the menu)

Which means my postfix certs and everything are messed up now...

shawniverson
Posts: 2611
Joined: 13 Jan 2014 23:30
Location: Rushville, Indiana, USA

Re: letsencrypt problem

Post by shawniverson » 31 Jul 2018 20:40

Did you follow these steps?

1. disable lets encrypt
2. disable https redirection
3. modify /etc/httpd/conf.d/ssl.conf and remove the Include lets encrypt line at the end
4. start webmin
5. go into webmin, apache, create a new virtual site for port 80 pointing to /var/www/html
6. enable lets encrypt
7. modify /etc/httpd/conf/httpd.conf and remove the Listen 443 line that has been injected
8. restart httpd
9. remove the port 80 virtual site via webmin
10. reenable https redirection

I know it is a lot to get it fixed, but it should work. If you need help or additional clarification, let me know.
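A pre-flight check for the two things this thread turns on, pethson's firewall answering the http-01 request with an HTML page instead of the token, and the dangling options-ssl-apache.conf Include plus the injected Listen 443 that stop httpd after a disable/enable cycle, written here as an added example; it is not eFa's func-letsencrypt script nor anything posted above. It assumes the CentOS 6 paths quoted in the thread (/etc/httpd/conf/httpd.conf, /etc/httpd/conf.d/ssl.conf, /var/www/html), that curl is installed, and the file name efa-le-preflight.sh is made up.

```shell
#!/bin/sh
# efa-le-preflight.sh (hypothetical name): added example, not eFa's own script.
# Checks the failure modes reported in this thread before "enable lets encrypt":
#   1. ssl.conf/httpd.conf Include a file that does not exist
#      (e.g. /etc/letsencrypt/options-ssl-apache.conf after a disable/enable cycle)
#   2. httpd.conf carries a duplicate "Listen 443" injected by the enable step
#   3. http://<domain>/.well-known/acme-challenge/<token> returns an HTML page
#      (a proxy or firewall answering) instead of the token
# Paths below are the ones quoted in the thread; every function takes the file
# as an argument so it can be run against copies of the configs.

# Print "MISSING <path>" for every Include/IncludeOptional whose target is absent.
# Returns 1 if any dangling include was found, 0 otherwise.
check_dangling_includes() {
    conf="$1"
    rc=0
    for inc in $(sed -n 's/^[[:space:]]*Include\(Optional\)\{0,1\}[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\)"\{0,1\}.*/\2/p' "$conf"); do
        case "$inc" in *\**) continue ;; esac   # globs are resolved by httpd itself
        if [ ! -e "$inc" ]; then
            echo "MISSING $inc"
            rc=1
        fi
    done
    return $rc
}

# Count uncommented "Listen 443" (or "Listen addr:443") lines in one config file.
# More than one across httpd.conf + ssl.conf is the "injected Listen 443" case.
count_listen_443() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ec '^[[:space:]]*Listen[[:space:]]+([^[:space:]]*:)?443([[:space:]]|$)' "$1" || true
}

# Decide whether the body fetched from the challenge URL is the token we wrote.
# An HTML document means something other than the webroot answered the request.
challenge_response_ok() {
    expected="$1"
    body=$(printf '%s' "$2" | tr -d '\r')    # drop CRs and trailing newlines
    case "$body" in
        "<!DOCTYPE"*|"<!doctype"*|"<html"*|"<HTML"*)
            echo "challenge URL returned an HTML page, not the token (proxy/firewall in the way?)" >&2
            return 1 ;;
    esac
    [ "$body" = "$expected" ]
}

# Live probe of the http-01 path, the way the CA's validator fetches it:
# write a random token under the webroot, GET it over plain HTTP, clean up.
probe_http01() {
    domain="$1"
    webroot="${2:-/var/www/html}"
    dir="$webroot/.well-known/acme-challenge"
    token=$(head -c 24 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$token"
    body=$(curl -sS -L --max-time 15 "http://$domain/.well-known/acme-challenge/$token") || body=""
    rm -f "$dir/$token"
    challenge_response_ok "$token" "$body"
}

run_all_checks() {
    status=0
    for f in /etc/httpd/conf/httpd.conf /etc/httpd/conf.d/ssl.conf; do
        [ -f "$f" ] || continue
        check_dangling_includes "$f" || status=1
    done
    n=$(( $(count_listen_443 /etc/httpd/conf/httpd.conf) + $(count_listen_443 /etc/httpd/conf.d/ssl.conf) ))
    [ "$n" -le 1 ] || { echo "Listen 443 appears $n times across httpd.conf/ssl.conf"; status=1; }
    probe_http01 "$1" || status=1
    return $status
}

# Usage: sh efa-le-preflight.sh efa.example.com   (no argument: only define functions)
[ $# -eq 0 ] || run_all_checks "$1"
```

Run it before step 6 above; a non-zero exit with "MISSING ..." or the HTML-page message points at the config or the firewall rule respectively, before certbot is asked to try again.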

gojensen
Posts: 3
Joined: 07 Dec 2016 14:44

Re: letsencrypt problem

Post by gojensen » 29 Oct 2018 12:04

The post above worked for me to fix this... seems like letsencrypt did what it was supposed to (getting new certs) but something is broken with the httpd injection/config...

Tried looking for a new update as I see .8 is supposed to be out, but my system says I'm on the latest even if it's only running .6 ... guess I need to wait a bit more.
