Koozali.org: home of the SME Server

Thoughts on letsencrypt.com?

Offline ldkeen

Re: Thoughts on letsencrypt.com?
« Reply #195 on: July 21, 2016, 08:33:20 AM »
Thanks John - good work.

Offline Jean-Philippe Pialasse

Re: Thoughts on letsencrypt.com?
« Reply #196 on: August 03, 2016, 12:17:51 PM »
It seems they have updated their conditions:

Code:
# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
  "status": 400
}

Offline Jean-Philippe Pialasse

Re: Thoughts on letsencrypt.com?
« Reply #197 on: August 03, 2016, 12:53:16 PM »
Also got this:

Code:
Set up modSSL db keys
Signal events
Can't open directory /etc/e-smith/events/ssl-update
All complete
 + Done!

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #198 on: August 03, 2016, 01:32:05 PM »
It seems they have updated their conditions:

Code:
# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
  + ERROR: An error occurred while sending post-request to https://acme-staging.api.letsencrypt.org/acme/new-reg (Status 400)

Details:
{
  "type": "urn:acme:error:malformed",
  "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf]",
  "status": 400
}

Yes, I need to build a new version. Will do ASAP - there was some debate on their list that hard coding this was a pain:

https://github.com/lukas2511/letsencrypt.sh/issues/249#issuecomment-236711759

I'll get to it soonest, unless anyone has an alternative solution.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline Jean-Philippe Pialasse

Re: Thoughts on letsencrypt.com?
« Reply #199 on: August 03, 2016, 02:09:49 PM »
Yes, I have seen it could also be in the configuration.

Also check for the missing event folder.


Lastly, here is a suggestion to have the main domain first and not to have it twice (I have some servers with multiple domains, and the alphabetical order gives one of the client domains as the first domain... not nice).

Code:
# diff -Nur /etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10Domains /etc/e-smith/templates-custom/etc/letsencrypt.sh/domains.txt/10Domains
--- /etc/e-smith/templates/etc/letsencrypt.sh/domains.txt/10Domains     2016-07-14 07:47:28.000000000 -0400
+++ /etc/e-smith/templates-custom/etc/letsencrypt.sh/domains.txt/10Domains      2016-08-03 08:06:54.000000000 -0400
@@ -38,6 +38,11 @@
         # We could do this BUT only once as the array drops $vars

         # my $dom = shift @domains;
+       #JP put Primary domain at top
+       my $DomainName= $configDB->get('DomainName')->value;
+       my $mainDomainStatus= $domainsDB->get_prop( "$DomainName", 'letsencryptSSLcert' )
+                  || 'disabled';
+       $OUT .= "$DomainName " unless $mainDomainStatus eq 'disabled';

         foreach my $domain (@domains) {

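Review bot: the new guard emits the primary domain `unless $mainDomainStatus eq 'disabled'`, while the per-domain loop below only emits on `$domainEnabled eq 'enabled'`, so any value other than those two (a typo in the `letsencryptSSLcert` prop, for instance) puts the primary domain into domains.txt here but would not elsewhere; write it as `$OUT .= "$DomainName " if $mainDomainStatus eq 'enabled';` so both paths use the same predicate. Minor: `$configDB->get('DomainName')->value` will die on a box where that key is missing rather than falling through, so consider `$configDB->get_value('DomainName')` with a guard if the template should degrade quietly.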
@@ -62,7 +67,7 @@

                 if ( $domainEnabled eq 'enabled' ) {

-                    $OUT .= "$domain ";
+                    $OUT .= "$domain " unless $DomainName eq $domain;
                 }
             }

@@ -76,7 +81,7 @@

                 # If we are set to all or hosts just do it
                 if ( $letsencryptConfig eq 'all' || $letsencryptConfig eq 'hosts' ) {
-                    $OUT .= "$fqdn ";
+                    $OUT .= "$fqdn " unless $DomainName eq $fqdn;
                 }

                 # Just do selected entries
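Review bot: this hunk (and the identical one that follows for the `Self` host type) compares a host FQDN against the bare primary domain name, so it only suppresses a duplicate when a host record happens to carry the same name as the domain; that is correct as far as it goes, but the same `unless $DomainName eq ...` test is now repeated four times across the fragment. A small hash of names already written to `$OUT` (`$OUT .= "$fqdn " unless $seen{$fqdn}++;`) would deduplicate every path in one place and also catch repeats that have nothing to do with the primary domain.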
@@ -107,7 +112,7 @@
                         if ( $type eq 'Self' ) {

                             #   print "$fqdn  $type\n";
-                            $OUT .= "$fqdn ";
+                            $OUT .= "$fqdn " unless $DomainName eq $fqdn;

                         }

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #200 on: August 03, 2016, 03:15:55 PM »
I can see that I need to vary the code depending on the version - it works on v9 but not on v8.

Just done a 'system check' now - the hook commands vary depending on whether you have v8 or a later version installed.

Have added a key for 'licence' so if the licence changes you can override the default set in letsencrypt.sh.

e.g.

config setprop letsencrypt licence https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf

New RPMs in my repo:

smeserver-letsencrypt-0.2-9
letsencrypt.sh-0.0.9.160803.gitafabfff-1

Please test.

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #201 on: August 03, 2016, 03:20:28 PM »

Lastly, here is a suggestion to have the main domain first and not to have it twice (I have some servers with multiple domains, and the alphabetical order gives one of the client domains as the first domain... not nice).

Code:
# diff -Nur blah


Sorry - I had built most of the new version by the time you sent your patch.

I'll look at adding this soonest.

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #202 on: August 03, 2016, 03:30:46 PM »
smeserver-letsencrypt-0.2-10 built and in my repo

Please test

Offline Jean-Philippe Pialasse

Re: Thoughts on letsencrypt.com?
« Reply #203 on: August 03, 2016, 04:27:20 PM »
John, great work with this update!


I have set a few servers today and I kept getting the following errors:

either when starting the script:
Code:
# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
ERROR: Problem connecting to server (get for https://acme-staging.api.letsencrypt.org/directory; curl returned with 6)



or at the end:
Code:
+ Creating fullchain.pem...
ERROR: Problem connecting to server (get for http://cert.stg-int-x1.letsencrypt.org/; curl returned with 6)

The only workaround I found is:

Code:
service dnscache restart

Any idea?

Offline Jean-Philippe Pialasse

Re: Thoughts on letsencrypt.com?
« Reply #204 on: August 03, 2016, 04:34:30 PM »
Just to say the server is able to resolve:

Code:
# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing ....
 + Signing domains...
....
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
ERROR: Problem connecting to server (get for http://cert.int-x3.letsencrypt.org/; curl returned with 6)
[root@hebergement.sansfrontieres.ca:~]# host cert.int-x3.letsencrypt.org
cert.int-x3.letsencrypt.org is an alias for cert.int-x3.letsencrypt.org.akamaized.net.
cert.int-x3.letsencrypt.org.akamaized.net is an alias for a1466.dscd.akamai.net.
a1466.dscd.akamai.net has address 67.69.196.186
a1466.dscd.akamai.net has address 67.69.196.184
a1466.dscd.akamai.net has IPv6 address 2001:4958:300:45e::b896:a30b
a1466.dscd.akamai.net has IPv6 address 2001:4958:300:45e::b896:a318

guest22

Re: Thoughts on letsencrypt.com?
« Reply #205 on: August 03, 2016, 09:32:25 PM »
I have the exact same problems.

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #206 on: August 03, 2016, 10:52:49 PM »
OK, I just did the following on a v9.x box:

[root@photos ~]# yum --enablerepo=reetp update

[root@photos ~]# signal-event post-upgrade; signal-event reboot

[root@photos ~]# rpm -qa |grep letsencrypt
letsencrypt.sh-0.0.9.160803.gitafabfff-1.noarch
smeserver-letsencrypt-0.2-10.noarch


[root@photos ~]# letsencrypt.sh -c
# INFO: Using main config file /etc/letsencrypt.sh/config
! Moving private_key.pem to /etc/letsencrypt.sh/accounts/aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/account_key.pem
! Moving private_key.json to /etc/letsencrypt.sh/accounts/aHR0cHM6Ly9hY21lLXYwMS5hcGkubGV0c2VuY3J5cHQub3JnL2RpcmVjdG9yeQo/registration_info.json
ERROR: Problem connecting to server (get for https://acme-v01.api.letsencrypt.org/directory; curl returned with 6)


[root@photos ~]# letsencrypt.sh -c
# INFO: Using main config file /etc/letsencrypt.sh/config
Processing photos.reetspetit.info
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 12 11:23:00 2016 GMT (Longer than 30 days). Skipping renew!


[root@photos ~]# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
Processing photos.reetspetit.info
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Oct 12 11:23:00 2016 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for photos.reetspetit.info...
 + Responding to challenge for photos.reetspetit.info...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!


Here's my asterisk v9 box - it threw errors twice and then resolved:

[root@asterisk letsencrypt.sh]# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
ERROR: Problem connecting to server (get for https://acme-v01.api.letsencrypt.org/directory; curl returned with 6)

[root@asterisk letsencrypt.sh]# wget https://acme-v01.api.letsencrypt.org/directory
--2016-08-03 22:41:49--  https://acme-v01.api.letsencrypt.org/directory
Resolving acme-v01.api.letsencrypt.org... 23.206.21.80, 2a02:26f0:2d:480::3d5, 2a02:26f0:2d:487::3d5
Connecting to acme-v01.api.letsencrypt.org|23.206.21.80|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 280 [application/json]
Saving to: “directory”


[root@asterisk letsencrypt.sh]# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
+ Generating account key...
+ Registering account key with letsencrypt...
Processing asterisk.impamark.co.uk
 + Signing domains...
 + Creating new directory /etc/letsencrypt.sh/certs/asterisk.impamark.co.uk ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for asterisk.impamark.co.uk...
 + Responding to challenge for asterisk.impamark.co.uk...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
ERROR: Problem connecting to server (get for http://cert.int-x3.letsencrypt.org/; curl returned with 6)

[root@asterisk letsencrypt.sh]# letsencrypt.sh -c -x
# INFO: Using main config file /etc/letsencrypt.sh/config
Processing asterisk.impamark.co.uk
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for asterisk.impamark.co.uk...
 + Responding to challenge for asterisk.impamark.co.uk...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

The Cert looks like it was dated 14/7/2016 (you can view it at the site)

The only thing I can guess at (and I am no expert on this) is that the letsencrypt.sh script has changed a bit, as you can see from the output above, and I wonder if any of those changes have had an effect - you may need to use -x the first time after the update.

Whether it is an issue with letsencrypt servers, or an issue with Koozali SME server I do not know.

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #207 on: August 03, 2016, 11:14:32 PM »
As a note, I have had issues with both v8 and v9 boxes. They have all resolved on the second or third attempt with letsencrypt.sh -c -x.
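An added shell helper, not code from the thread, from the smeserver-letsencrypt package or from letsencrypt.sh, that recognises the two failures reported in this thread (the agreement-URL mismatch in reply #196 and the intermittent "curl returned with 6" resolution error in replies #203 to #207) and retries a run only for the latter, which is what cleared it for ReetP. It assumes the 'licence' config key from reply #200 is still the override and that the error wording is as quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or the smeserver-letsencrypt package):
# triage helpers for letsencrypt.sh output on SME Server. Two failure shapes
# are handled: the ACME "agreement URL ... does not match" error, for which the
# fix is to set the 'licence' key (key name as per reply #200, assumed), and
# "curl returned with 6" (could not resolve host), which was transient in the
# thread and cleared on a later attempt.

# Print the current agreement URL from an ACME "malformed" error detail line, or nothing.
current_agreement_url() {
    printf '%s\n' "$1" | sed -n 's/.*current agreement URL \[\([^]]*\)\].*/\1/p'
}

# Print the host from a "(get for URL; curl returned with 6)" line, or nothing.
unresolved_host() {
    printf '%s\n' "$1" | sed -n 's/.*(get for [a-z]*:\/\/\([^/;]*\).*curl returned with 6).*/\1/p'
}

# Classify one output line: print the suggested action, or return 1 if it is not a known failure.
triage_line() {
    url=$(current_agreement_url "$1")
    if [ -n "$url" ]; then
        printf 'agreement: config setprop letsencrypt licence %s\n' "$url"
        return 0
    fi
    host=$(unresolved_host "$1")
    if [ -n "$host" ]; then
        printf 'dns: %s\n' "$host"   # confirm with: host "$host"
        return 0
    fi
    return 1
}

# Run a command (letsencrypt.sh -c -x in practice) up to $1 times, retrying only
# when its output shows a curl 6 resolution failure; prints the final output.
retry_on_dns_failure() {
    tries=$1; shift
    n=0
    while [ "$n" -lt "$tries" ]; do
        n=$((n + 1))
        out=$("$@" 2>&1) && { printf '%s\n' "$out"; return 0; }
        line=$(printf '%s\n' "$out" | grep 'curl returned with 6' | head -n 1)
        [ -n "$line" ] || { printf '%s\n' "$out"; return 1; }   # other error: stop
        echo "attempt $n: could not resolve $(unresolved_host "$line"), retrying" >&2
    done
    printf '%s\n' "$out"
    return 1
}
```

Pipe a saved run through `while read -r l; do triage_line "$l"; done` to get the action for each error line, or wrap the renewal as `retry_on_dns_failure 3 letsencrypt.sh -c -x`.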

guest22

Re: Thoughts on letsencrypt.com?
« Reply #208 on: August 04, 2016, 08:46:43 AM »
The above is all done on boxes that already have a certificate from Letsencrypt, right? How about a brand new VM?

Offline ReetP

Re: Thoughts on letsencrypt.com?
« Reply #209 on: August 04, 2016, 09:42:16 AM »
The above is all done on boxes that already have a certificate from Letsencrypt, right? How about a brand new VM?

No idea as I have not tried it. If the issue is the same then it may be their end rather than ours, but we need more data to debug it.