Koozali.org: home of the SME Server

letsencrypt challenge not completing

Offline umbi

letsencrypt challenge not completing
« on: April 22, 2021, 05:20:21 AM »
Hello everybody

I'm desperate and I hope somebody can help me here.
I'm using SME Server 9.2 with letsencrypt, but after I changed to API V2 in the config I now get this error, also in test mode:

When I run dehydrated -c, this comes up:

Error registering account key. See message above for more information.
rm: remove from „/etc/dehydrated/accounts/[OBF]/registration_info.json“

The file does not exist, I checked.
Is there a possibility to completely clean up letsencrypt (remove all files and configs) and start the letsencrypt installation from scratch?

I tried to uninstall, rebooted and reinstalled, but the same error comes up again. The problem is that all my domains now have no certificate :-(

config:

    ACCEPT_TERMS=yes
    API=2
    configure=all
    email=*@*.com
    hookScript=disabled
    status=test

I also tried:

config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile

I think I have installed both contribs:

yum --enablerepo=smecontribs install dehydrated
and
yum install smeserver-letsencrypt --enablerepo=smecontribs


I will really appreciate your help.

Thank you very much

umbi
« Last Edit: April 22, 2021, 08:27:10 PM by Jean-Philippe Pialasse »

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #1 on: April 22, 2021, 07:41:54 AM »
This should clean your dehydrated installation:

Code:
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*

Do a backup first ;)

Offline umbi

Re: letsencrypt challenge not completing
« Reply #2 on: April 22, 2021, 12:13:04 PM »
Version: dehydrated-0.6.5-13.el6.fws.noarch



Hello Jean-Philippe

Thank you very much for your fast answer.

I did what you wrote but the error is still here:


# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Certificate authority doesn't allow registrations.


Error registering account key. See message above for more information.
rm: Remove of: „/etc/dehydrated/accounts/[OBF]/registration_info.json“ not possible: File or Directory not found
[root@server ~]#



When I manually delete the directory with:

rm -r [OBF]/

after dehydrated -c it regenerates the same directory again :-(

When I uncomment in the config:

CA="https://acme-staging.api.letsencrypt.org/directory"
to
#CA="https://acme-staging.api.letsencrypt.org/directory"


 dehydrated]# dehydrated -c


I get this error:

# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 403)

Details:
{
  "type": "urn:acme:error:unauthorized",
  "detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
  "status": 403
}





« Last Edit: April 22, 2021, 08:26:56 PM by Jean-Philippe Pialasse »

Offline sages

    • http://www.sages.com.au
Re: letsencrypt challenge not completing
« Reply #3 on: April 22, 2021, 02:16:46 PM »
I think the mention in the error messages that v1 is no longer supported and that you must use v2 might be a clue.
The wiki makes mention of this and how to resolve it.
https://wiki.koozali.org/Letsencrypt#V2_API
« Last Edit: April 22, 2021, 02:20:50 PM by sages »
...

Offline umbi

Re: letsencrypt challenge not completing
« Reply #4 on: April 22, 2021, 02:23:08 PM »
Hi Sages

Thank you very much for your answer.

As you can see, I have this config:

# config show letsencrypt
letsencrypt=service
   ACCEPT_TERMS=yes
   API=2
   configure=none
   email=####@#####.###
   hookScript=disabled
   status=test

Do you think it is better to change from API 2 to API = auto instead, as I had mixed V1 and V2 certificates?

My goal is to make all certificates of all domains new under V2.

Is it possible that I have to remove and regenerate: /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge ?

That directory is full....

Appreciating your help, thank you

Umbi
« Last Edit: April 22, 2021, 06:01:30 PM by umbi »

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #5 on: April 22, 2021, 06:08:17 PM »
My guess is you did not fully follow the wiki and did set your DB but did not expand your templates.

Can you please FIRST paste here what this returns:

Code:
# cat /etc/dehydrated/config

Then, only after copying the result here, try:

Code:
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
dehydrated -c

Beware, there is a daily limit of tries; after that you get your IP banned. So make sure all your domains listed in /etc/dehydrated/domains.txt DO point to your current IP.

Offline umbi

Re: letsencrypt challenge not completing
« Reply #6 on: April 22, 2021, 06:15:53 PM »
My guess is you did not fully follow the wiki and did set your DB but did not expand your templates.

Can you please FIRST paste here what this returns:

Code:
# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=*@*
API="2"
PARAM_ACCEPT_TERMS="yes"



Then, only after copying the result here, try:

Code:
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
dehydrated -c

Beware, there is a daily limit of tries; after that you get your IP banned. So make sure all your domains listed in /etc/dehydrated/domains.txt DO point to your current IP.

Sorry for the double post....

At the moment I'm in test mode. So you think I can start with your purpose?

rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
dehydrated -c

In test mode or productive?
« Last Edit: April 22, 2021, 06:20:01 PM by umbi »

Offline umbi

Re: letsencrypt challenge not completing
« Reply #7 on: April 22, 2021, 06:34:53 PM »
In test mode, same error:

server dehydrated]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Certificate authority doesn't allow registrations.

Error registering account key. See message above for more information.
rm: remove of „/etc/dehydrated/accounts/[OBF]/registration_info.json“ not possible: File or Directory not found
[root@server dehydrated]#

 :-(

Now I found this in the log files:

[Thu Apr 22 16:14:52 2021] [warn] RSA server certificate CommonName (CN) `host.mydomain.com' does NOT match server name!?

After the reboot this error no longer comes up - host.mydomain.com now points to my IP again
« Last Edit: April 22, 2021, 08:26:01 PM by Jean-Philippe Pialasse »

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #8 on: April 22, 2021, 07:53:17 PM »
Please check that you do not have any config file that could be interpreted and overrule what is in /etc/dehydrated/config in the following places:
/usr/local/etc/dehydrated/config
./config  (current directory)
/usr/bin/config

Please paste here the result of

Code:
# dehydrated -e

You can hide your email address and account string, please (what is in /etc/dehydrated/accounts/<HERE>/..).

Code:
now i found in log files that here:

[Thu Apr 22 16:14:52 2021] [warn] RSA server certificate CommonName (CN) `host.mydomain.com' does NOT match server name!?

after reboot this error comes no more - host.mydomain.com shows now again to my ip

Not relevant, just noise.



Edit:

Also, please, what does this return:

Code:
rpm -q dehydrated


« Last Edit: April 22, 2021, 08:01:26 PM by Jean-Philippe Pialasse »
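
The two checks asked for in Reply #5 and Reply #8 (does the expanded /etc/dehydrated/config point at an ACMEv2 endpoint, and is there a stray config in one of the override locations) can be scripted as below. This is an added example, not part of any post and not code from dehydrated or the SME contrib; the function names are made up here, the sample config is constructed from the one pasted in Reply #6, and only the four Let's Encrypt directory URLs quoted in this thread are recognised.

```shell
#!/bin/bash
# Added example, not from the thread: offline sanity check of a dehydrated config.

# Print the last uncommented KEY=value in FILE with quotes stripped. The file is
# parsed with sed and never sourced, so nothing inside it gets executed.
cfg_value() {  # usage: cfg_value FILE KEY
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}[[:space:]]*\$/\1/p" "$1" |
        tail -n 1
}

# Map the Let's Encrypt directory URLs quoted in the thread to an ACME version.
acme_version_of() {
    case "$1" in
        https://acme-v02.api.letsencrypt.org/*|https://acme-staging-v02.api.letsencrypt.org/*) echo 2 ;;
        https://acme-v01.api.letsencrypt.org/*|https://acme-staging.api.letsencrypt.org/*) echo 1 ;;
        *) echo unknown ;;
    esac
}

# Return 0 if the CA is an ACMEv2 endpoint, 1 if ACMEv1 is selected, 2 if unclear.
check_config() {  # usage: check_config FILE
    local ca api ver
    ca=$(cfg_value "$1" CA); api=$(cfg_value "$1" API)
    ver=$(acme_version_of "$ca")
    if [ -z "$ca" ]; then
        echo "CA not set in $1: the client's built-in default applies"; return 2
    elif [ "$ver" = 1 ] || [ "$api" = 1 ]; then
        echo "ACMEv1 selected (CA=$ca API=${api:-unset}): ACMEv1 account creation is disabled"; return 1
    elif [ "$ver" = 2 ]; then
        echo "ACMEv2 endpoint (CA=$ca API=${api:-unset})"; return 0
    fi
    echo "unrecognised CA: $ca"; return 2
}

# List config files present in the override locations named in Reply #8.
find_overrides() {  # usage: find_overrides ROOT CWD   (ROOT is "" on a live system)
    local f
    for f in "$1/usr/local/etc/dehydrated/config" "$2/config" "$1/usr/bin/config"; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Demo on a constructed copy of the config pasted in Reply #6.
demo=$(mktemp -d)
printf '%s\n' '#!/bin/bash' 'CA="https://acme-staging-v02.api.letsencrypt.org/directory"' \
    'BASEDIR="/etc/dehydrated"' 'API="2"' > "$demo/config"
check_config "$demo/config"
find_overrides "" "$PWD"
rm -rf "$demo"
```

On a live system, run `check_config /etc/dehydrated/config` after `expand-template`, and treat any path printed by `find_overrides "" "$PWD"` as a candidate for overriding the expanded template.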

Offline umbi

Re: letsencrypt challenge not completing
« Reply #9 on: April 22, 2021, 08:16:37 PM »
Hello  Jean-Philippe

Here are the answers to your questions:

please check you do not have any config file that could be interpreted and overrule what is in /etc/dehydrated/config  in the following places
 /usr/local/etc/dehydrated/config

./config  (current directory)
/usr/bin/config

-> nothing found

----------------------------------------------

you can hide your email address and account string please. (what is  in  /etc/dehydrated/accounts/<HERE>/..)


-server accounts]# dir
[OBF]
[OBF]

----------------------------------------------

-server ~]# dehydrated -e
-bash: -server: Kommando nicht gefunden.
[root@gserver ~]# # dehydrated configuration
[root@g-server ~]# # INFO: Using main config file /etc/dehydrated/config
[root@g-server ~]# declare -- CA="https://acme-v02.api.letsencrypt.org/directory"
[root@g-server ~]# declare -- LICENSE=""
[root@g-server ~]# declare -- CERTDIR="/etc/dehydrated/certs"
[root@g-server ~]# declare -- CHALLENGETYPE="http-01"
[root@g-server ~]# declare -- DOMAINS_D=""
[root@gserver ~]# declare -- DOMAINS_TXT="/etc/dehydrated/domains.txt"
[root@gserver ~]# declare -- HOOK="/usr/bin/hook-script.sh"
[root@g-server ~]# declare -- HOOK_CHAIN="no"
[root@g-server ~]# declare -- RENEW_DAYS="30"
[root@g-server ~]# declare -- ACCOUNT_KEY="/etc/dehydrated/accounts/[OBF]/account_key.pem"
[root@g-server ~]# declare -- ACCOUNT_KEY_JSON="/etc/dehydrated/accounts/[OBF]/registration_info.json"
[root@g-server ~]# declare -- KEYSIZE="4096"
[root@g-server ~]# declare -- WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
[root@g-server ~]# declare -- PRIVATE_KEY_RENEW="yes"
[root@g-server ~]# declare -- OPENSSL_CNF="/etc/pki/tls/openssl.cnf"
[root@g-server ~]# declare -- CONTACT_EMAIL="*@*.ch"
[root@g-server ~]# declare -- LOCKFILE="/etc/dehydrated/lock"


I hope it helps

thank you 

umbi
« Last Edit: April 22, 2021, 08:25:42 PM by Jean-Philippe Pialasse »

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #10 on: April 22, 2021, 08:29:25 PM »
You did not return the result of

Code:
rpm -q dehydrated

The next possible issue is that you have an outdated version.

NB: I split the topic from where you posted.

Offline umbi

Re: letsencrypt challenge not completing
« Reply #11 on: April 22, 2021, 08:30:07 PM »
Sorry, here it is:

-server accounts]# rpm -q dehydrated
dehydrated-0.6.5-13.el6.fws.noarch


I will add the information that, when the certs were stopped, I tried to do what reetP told me in this post:

https://forums.contribs.org/index.php/topic,54276.msg284403.html#msg284403

Now I see that all his comments are deleted.

----------

Another piece of information is that I installed both repos years ago:

smeserver-letsencrypt + dehydrated

It worked under V1 for years.

Maybe it helps .... I hope so

Thank you very much

Umbi
« Last Edit: April 22, 2021, 08:53:30 PM by umbi »

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #12 on: April 22, 2021, 08:45:56 PM »
Please try the following (I see you are in an accounts directory, which I presume is /etc/dehydrated/accounts; I really want you to get away from there and really be in root's home when running dehydrated, I have seen weird behaviours already when in some paths):

Code:
cd
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
bash -xv dehydrated --register --accept-terms 2>&1 | tee -a dehydrated.log

Then post the output, removing sensitive data first.

Offline umbi

Re: letsencrypt challenge not completing
« Reply #13 on: April 22, 2021, 08:57:42 PM »
thank you

With the last command line I get this:

-server ~]# bash -xv dehydrated --register --accept-terms 2>&1 | tee -a dehydrated.log
module () {  eval `/usr/bin/modulecmd bash $*`
}
dehydrated: dehydrated: ist an directory.
[root@goldstar-server ~]#


When I put tee -a dehydrated.log, the terminal is no longer responding.

« Last Edit: April 22, 2021, 08:59:22 PM by umbi »

Online Jean-Philippe Pialasse

  • aka Unnilennium
    • http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #14 on: April 22, 2021, 09:02:12 PM »
Code:
cd
mv dehydrated dehydrated.old
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
bash -xv /usr/bin/dehydrated --register --accept-terms 2>&1 | tee -a dehydrated.log