Koozali.org: home of the SME Server

problem setting up letsencrypt

Paperguides
problem setting up letsencrypt
« on: February 09, 2018, 11:22:00 PM »
I'm trying to set up letsencrypt but cannot get the dehydrated script to complete successfully.  I think I know why - it cannot connect to one of the subdomains - but I cannot understand how to fix it.

I run the server for a UK charity called The Silvers' Workshop.  We have 4 domain names:
thesilversworkshop.org.uk
thesilversworkshop.co.uk
silversworkshop.org.uk
silversworkshop.co.uk
 
all hosted on the same server - the-shed.
 
The dehydrated script 'finds' most of the sites:

+ Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for thesilversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for silversworkshop.co.uk...
 + Already validated!
 + Requesting challenge for mail.silversworkshop.co.uk...
 + Already validated!
 + Requesting challenge for the-shed.silversworkshop.co.uk...
 + Already validated!
 + Requesting challenge for www.silversworkshop.co.uk...
 + Already validated!
 + Requesting challenge for silversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for mail.silversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for the-shed.silversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for www.silversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for thesilversworkshop.co.uk...
 + Already validated!
 + Requesting challenge for mail.thesilversworkshop.co.uk...
 + Already validated!
 + Requesting challenge for the-shed.thesilversworkshop.co.uk...
 + Requesting challenge for thesilversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for mail.thesilversworkshop.org.uk...
 + Already validated!
 + Requesting challenge for the-shed.thesilversworkshop.org.uk...
 + Responding to challenge for the-shed.thesilversworkshop.co.uk...
 + Responding to challenge for the-shed.thesilversworkshop.org.uk...
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:acme:error:connection",
    "detail": "DNS problem: NXDOMAIN looking up A for the-shed.thesilversworkshop.org.uk",
    "status": 400
  },
  "uri": "https://acme-staging.api.letsencrypt.org/acme/challenge/kdga93z1nEFLE-XKHoavBhbWSWZEEIRTZEQIW7S-LhE/99886702",
  "token": "ukgvJPYikl-PTA-2AsAQaJcZ4giN22bR3fkd53KKeZ8",
  "keyAuthorization": "ukgvJPYikl-PTA-2AsAQaJcZ4giN22bR3fkd53KKeZ8.OK_3YRWBiaDphNzDFUNj-ax6XMZGg7F6J_bOLHYrej0",
  "validationRecord": [
    {
      "url": "http://the-shed.thesilversworkshop.org.uk/.well-known/acme-challenge/ukgvJPYikl-PTA-2AsAQaJcZ4giN22bR3fkd53KKeZ8",
      "hostname": "the-shed.thesilversworkshop.org.uk",
      "port": "80"
    }
  ]
})
 As you can see, it works on the-shed.silversworkshop.org.uk but fails on the-shed.thesilversworkshop.org.uk.  As far as I can see the DNS records are the same for both domains with A records for www, the-shed and mail.

I suspect something obvious but I'm going round in circles trying to fix it so any help most welcome.

Tony
...

mmccarn
Re: problem setting up letsencrypt
« Reply #1 on: February 10, 2018, 01:44:44 PM »
You might learn what's up by looking for "acme-challenge" in the apache log files.  You should see entries for each successfully validated domain in one of the "access" logs; anything appearing in an "error" log needs research:
Code:
grep acme-challenge /var/log/httpd/*

Look in /etc/httpd/conf/httpd.conf to see if there are any directives that affect the failing domain: 'alias', 'rewrite', etc.

Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: problem setting up letsencrypt
« Reply #2 on: February 10, 2018, 09:07:00 PM »
http://www.thesilversworkshop.org.uk/.well-known/acme-challenge/ gives a 403 error, which might be related.
This path (and its parent folders) should be readable by www.
Code:
# ll /home/e-smith/files/ibays/Primary/html/.well-known/
total 20
drwxrwxr-x 2 www shared 20480  7 févr. 00:02 acme-challenge

Paperguides
Re: problem setting up letsencrypt
« Reply #3 on: February 11, 2018, 04:31:05 PM »
Running that on my server gives:

[root@the-shed html]#  ll /home/e-smith/files/ibays/Primary/html/.well-known/
total 4
drwxrwsr-x 2 apache shared 4096 Feb  9 21:45 acme-challenge

Which looks like the response you got.

...

Jean-Philippe Pialasse
Re: problem setting up letsencrypt
« Reply #4 on: February 11, 2018, 05:26:04 PM »
Quote from: Paperguides
Running that on my server gives:

Which looks like the response you got.

This is only one folder; your www user should be able to read and execute (x) all folders from the root. So either it must be part of the group, or the 'other' bits must be rx.

Then check your httpd error log when trying to hit the URL I pointed to; it could say more about the reason you get the 403.

Also note that trying to reach the root of the domain creates a redirection... to http://thesilversworkshop.mike-brading.com

And trying to access http://thesilversworkshop.mike-brading.com/.well-known/acme-challenge/ gives a 404 error.

You have to debug your web server configuration to allow access on all your domains to .well-known/acme-challenge/; there seems to be some redirection or URL rewrite configured.

First check with your primary domain (the one pointing to Primary), then get it right for all the others.

There are usually 2 sources for your issue: file permissions or a conflicting URL rewrite.

Also, I just assume your SME is directly connected to the internet; if you have a firewall or a reverse proxy in between, you have to configure it too.

Also assuming you used this to install letsencrypt: https://wiki.contribs.org/Letsencrypt#Contrib_Installation_of_Dehydrated
« Last Edit: February 11, 2018, 05:29:24 PM by Jean-Philippe Pialasse »
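Added example (not from this thread, nor part of dehydrated or the SME contrib): a small POSIX shell pre-flight that runs the checks suggested in the replies above before dehydrated is invoked. It walks every directory from the challenge directory up to / and flags any the web server could not read and traverse (the permission point in Reply #4); it resolves the host at a public resolver rather than the server's own DNS, because Let's Encrypt resolves from the outside and a record that exists only in the local zone still produces the NXDOMAIN seen in the first post; and it drops a throwaway token in the challenge directory and fetches it on port 80 at that public address, following redirects as the validator does, so a 403, a redirect to another host or a 404 shows up before the real challenge. The web server group name, the resolver address (1.1.1.1), the SME docroot and group in the usage comment, and the presence of dig and curl are assumptions.

```shell
#!/bin/sh
# acme-preflight.sh: pre-flight checks for an http-01 challenge.
# Added example for this thread, not code from dehydrated or the SME contrib.
# Assumptions: the web server runs as a member of the group passed as
# WEB_GROUP, 1.1.1.1 is reachable as a public resolver, dig and curl exist.

PUBLIC_RESOLVER=${PUBLIC_RESOLVER:-1.1.1.1}

# dir_open_to_web DIR GROUP
# Succeeds if "other" has r+x on DIR, or DIR belongs to GROUP and the group
# bits are r+x. Parses `ls -ld` so it needs no GNU stat (paths with spaces
# are not handled). The [xst] class also accepts the setgid/sticky variants
# (rws, rwt) that appear on SME ibay directories.
dir_open_to_web() {
    set -- "$1" "$2" $(ls -ld "$1")          # $3 = mode string, $6 = group
    others=$(printf '%s' "$3" | cut -c8-10)
    gperm=$(printf '%s' "$3" | cut -c5-7)
    case $others in r?[xst]) return 0 ;; esac
    if [ "$6" = "$2" ]; then
        case $gperm in r?[xst]) return 0 ;; esac
    fi
    return 1
}

# acme_path_check CHALLENGE_DIR GROUP
# Walks from CHALLENGE_DIR up to / and prints a NOT OK line for every
# directory the web server cannot read and traverse. Returns their count.
acme_path_check() {
    dir=$(cd "$1" 2>/dev/null && pwd -P) || { echo "NO SUCH DIR: $1"; return 255; }
    bad=0
    p=$dir
    while :; do
        if dir_open_to_web "$p" "$2"; then
            echo "ok:     $p"
        else
            echo "NOT OK: $p ($(ls -ld "$p" | awk '{print $1, $3 ":" $4}'))"
            bad=$((bad + 1))
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $bad
}

# acme_probe HOST CHALLENGE_DIR
# Resolve HOST at a public resolver (Let's Encrypt resolves from outside,
# so a record that only exists in the server's own DNS still gives
# NXDOMAIN), then write a throwaway token into CHALLENGE_DIR and fetch it
# on port 80 at that public address, following redirects as the validator does.
acme_probe() {
    host=$1; cdir=$2
    command -v dig >/dev/null 2>&1 || { echo "dig not installed"; return 2; }
    ip=$(dig +short A "$host" "@$PUBLIC_RESOLVER" | tail -n 1)
    if [ -z "$ip" ]; then
        echo "DNS: no public A record for $host (this is the NXDOMAIN case)"
        return 1
    fi
    echo "DNS: $host -> $ip"
    token="probe-$$"
    printf '%s\n' "$token" >"$cdir/$token" || { echo "cannot write to $cdir"; return 1; }
    url="http://$host/.well-known/acme-challenge/$token"
    body=$(mktemp)
    result=$(curl -s -L --max-redirs 10 --resolve "$host:80:$ip" \
                  -o "$body" -w '%{http_code} %{url_effective}' "$url")
    status=${result%% *}; final=${result#* }
    got=$(cat "$body")
    rm -f "$cdir/$token" "$body"
    if [ "$status" = 200 ] && [ "$got" = "$token" ]; then
        echo "HTTP: $url served the token"
        return 0
    fi
    echo "HTTP: $status from $final (403: permissions or an Apache deny; 404 or a different host: rewrite/redirect in httpd.conf)"
    return 1
}

# Entry point: sh acme-preflight.sh HOST CHALLENGE_DIR WEB_GROUP, e.g.
#   sh acme-preflight.sh the-shed.thesilversworkshop.org.uk \
#      /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge shared
# (path and group as they appear in this thread; assumed, adjust to your layout)
if [ $# -eq 3 ]; then
    acme_path_check "$2" "$3"
    acme_probe "$1" "$2"
fi
```

Run it on the SME box itself, or on any host that has the challenge directory mounted. The curl step connects to the public address from dig, so from inside a NAT it only works if the firewall hairpins traffic to its own external IP; if it does not, run the probe from an outside host and expect the token write to fail there, which is harmless. If the probe lands on a different host than it started from, that is the redirect Reply #4 describes, and the rewrite or redirect rule in httpd.conf needs an exception for /.well-known/acme-challenge/.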

SchulzStefan
Re: problem setting up letsencrypt
« Reply #5 on: February 19, 2018, 06:54:26 PM »

Quote from: Jean-Philippe Pialasse
Also, I just assume your SME is directly connected to the internet; if you have a firewall or a reverse proxy in between, you have to configure it too.

If you are behind a proxy, you might want to read this:

This seems to work:

I added to the dehydrated script

export http_proxy=http://ip-of-the-proxy:port-of-the-proxy, and
export https_proxy=http://ip-of-the-proxy:port-of-the-proxy

i.e.

export http_proxy=http://192.168.92.100:3128 and
export https_proxy=http://192.168.92.100:3128

the result of
# dehydrated -c -x is

# INFO: Using main config file /etc/dehydrated/config
Processing ivbonline.de with alternative names: mail.xxx.de saturn.xxx.de www.xxx.de
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Dec 31 08:26:36 2017 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for xxx.de...
 + Already validated!
 + Requesting challenge for mail.xxx.de...
 + Already validated!
 + Requesting challenge for saturn.xxx.de...
 + Already validated!
 + Requesting challenge for www.xxx.de...
 + Already validated!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

I'll template this and it should be alright.

edit: is there a way to template a bash script?

regards,
stefan

and this:

Bug raised

https://bugs.contribs.org/show_bug.cgi?id=10521

regards,
stefan