Koozali.org: home of the SME Server

let's encrypt question

Offline JRBATM20192021

Re: let's encrypt question
« Reply #15 on: January 13, 2023, 06:43:15 AM »
Okay, so I tried to get a Let's Encrypt security certificate for a totally different domain that is on the same server as the domain that already has a Let's Encrypt security certificate installed.

I followed the wiki here and did everything it said to do.
https://wiki.koozali.org/Letsencrypt

However, I got an error for the new domain, which is below:



 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 12 authorizations URLs from the CA
 + Handling authorization for ftp.xxxx.com
 + Handling authorization for ftp.xxxx.com
 + Handling authorization for xxxx.com
 + Handling authorization for mail.xxxx.com
 + Handling authorization for mail.xxxx.com
 + Handling authorization for proxy.xxxx.com
 + Handling authorization for proxy.xxxx.com
 + Handling authorization for wpad.xxxx.com
 + Handling authorization for wpad.xxxx.com
 + Handling authorization for www.xxxx.com
 + Handling authorization for www.xxxx.com
 + Handling authorization for xxxx.com
 + 12 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for ftp.xxxx.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up A for ftp.xxxx.com - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for ftp.xxxx.com - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/194770660857/D0x1KA",
  "token": "ufj_S0yZ9RspLiBt-Tosu4juodH09sNjBPQ_ckDkv1A",
  "validated": "2023-01-13T05:25:44Z"
})

What am I doing wrong?? I don't understand what I am missing....

Offline ReetP

Re: let's encrypt question
« Reply #16 on: January 13, 2023, 12:20:55 PM »
Okay, first problem: layout.

Internet - Server one SME Server - Server two Icecast Streaming server. They're both on the same network, you would call it, but they have different IP addresses.

As you still don't completely describe your network it is still hard to tell you exactly what to do. It just wastes so much of everyone's time trying to figure out exactly what your layout is and give you the right advice.

We are two pages in and still guessing. Are these Internal addresses or External addresses? Makes a big difference.

https://www.chiark.greenend.org.uk/~sgtatham/bugs.html
http://www.catb.org/esr/faqs/smart-questions.html

How is your router configured? Port forwarding, DHCP? How is SME configured - gateway/server only? Just so much we still don't know.

One of my configs approximately. Use it as a template for your information.

Quote
I have a SME server in server only mode behind a router which has a single public static IP address.
The router is on a static local IP 192.168.x.250
The main SME server is on 192.168.x.1 and handles DHCP for clients 192.168.x.30-150
The server is set to handle a couple of domains - say mydomain.com and myotherdomain.com - so the domains all point to the same external IP.
I also have a streaming server. It is configured as stream.myotherdomain.com. It has a local IP address of 192.168.x.170
On the router Ports 80 and 443 are forwarded to the main SME server so it can answer Letsencrypt queries.
On the router Port 8123 is forwarded to the streaming server.
I have ssh keys set up to allow copying from the main SME server to the streaming server.
I have these hosts forwarded in the SME server manager....
I have set up external DNS records for these hosts and domains.... blah blah

Try doing something similar for your own setup.

Note that the way letsencrypt is configured on SME currently means that ALL Domains and ALL Hosts that are Letsencrypt enabled go on one certificate.

It is possible to create more certificates on a per domain basis, but to do that requires a massive change to the SME Apache httpd set up that we have not done yet. It is still an NFR.


On my setup I get certificates for the various hosts and domains and then use a hook-script.sh template fragment to copy them to the streaming server like this:

Code:
    # dehydrated hook fragment: called as "deploy_cert" after a new certificate is
    # written. $2 = domain, $3 = private key, $4 = cert, $5 = fullchain, $6 = chain.
    if [ "$1" = "deploy_cert" ]; then
        KEY=$3
        CERT=$4
        CHAIN=$6
        # Copy the files to the streaming server (ssh keys already set up for root).
        scp -P 22 "$CERT"  root@192.168.x.170:/etc/dehydrated/certs/mydomain.com/cert.pem
        scp -P 22 "$KEY"   root@192.168.x.170:/etc/dehydrated/certs/mydomain.com/privkey.pem
        scp -P 22 "$CHAIN" root@192.168.x.170:/etc/dehydrated/certs/mydomain.com/chain.pem
        scp -P 22 /etc/dehydrated/certs/mydomain.com/fullchain.pem root@192.168.x.170:/etc/dehydrated/certs/mydomain.com/fullchain.pem
        # Make the streaming server pick up the new certificate, then notify the admin.
        ssh -p 22 root@192.168.x.170 "/bin/systemctl restart apache"
        echo -e "stream $2 certificate renewed\n 1 $1 3 $3 4 $4 5 $5 6 $6" | mail -s "Certificate renewal for streamer" admin@mydomain
    fi


The streaming server can now answer as either stream.mydomain OR as stream.mylocaldomain. But if you only point stream.myotherlocaldomain.com to this server it is the only domain that it can answer.



Quote
Second Problem
Okay, I didn't have access to the wiki earlier; it gave me a really weird error..... Now it works. So if I start at Step by Step Configuration and go all the way up to test mode, but not including test mode, it should work and I shouldn't mess up my original certificate?

Test mode creates a test certificate. But your server will point to this certificate. It is easy enough to go back, disable the hosts/domains you don't want, and re-generate the original one. Just don't do it too often or you will get rate limited.

Quote
DNS problem: NXDOMAIN looking up A for ftp.xxxx.com - check that a DNS record exists for this domain

Read the error.

check that a DNS record exists for this domain

You have enabled Letsencrypt to get a certificate for ftp.xxx.com but have not set up an IP address for it so Letsencrypt tries to contact the host but can't. Fix your DNS.


...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline JRBATM20192021

Re: let's encrypt question
« Reply #17 on: January 13, 2023, 12:48:02 PM »
All IPs are external and the SME server operates in server only mode. Thanks for the info on that one; I will give it a try.

Second problem

The problem is a DNS record exists for the new domain; it is set to point to the same server as the original domain, and ftp is configured on the server. I don't understand, because what it says doesn't exist already does....

Thanks

Offline Jean-Philippe Pialasse

Re: let's encrypt question
« Reply #18 on: January 13, 2023, 01:09:11 PM »
The issue is that Let's Encrypt servers all over the world say they cannot resolve this particular entry, so the DNS might be defined locally but not for the world wide web!

Your domain should have DNS resolvable from anywhere on the planet to allow Let's Encrypt to test that your server is really its target and provide you with the certificate.

Be careful not to enable all the subdomains available on your server, as SME will resolve all of those locally even if they are not defined at your DNS provider.

Again, as you obfuscate all info, we cannot help verify this.

Offline ReetP

Re: let's encrypt question
« Reply #19 on: January 13, 2023, 09:42:13 PM »
All IPs are external and the SME server operates in server only mode.

Then you likely need a different solution.

Again, as you obfuscate all info, we cannot help verify this.

Exactly. It is like pulling teeth.

I am not doing any more until the OP documents the layout properly.

Just wasting everyone's valuable time.


Offline JRBATM20192021

Re: let's encrypt question
« Reply #20 on: January 13, 2023, 10:16:26 PM »
Okay, if you can tell me what's wrong DNS-wise, here is the link to the domain that the Let's Encrypt challenge failed on:
brendasgetzlaw.com. I checked this domain side by side with my other domain (which, if it would help to know, is kspk.com) that Let's Encrypt works properly on, and the only thing different is that the domain I named first didn't have a TXT record and my other domain (that I named second), which works properly, does. So I added a TXT record for the domain named above and am waiting for it to be recognized; then I will try the certificate again.

For all previous mentioned problems all the layout I can give.

kspk.com - brendasgetzlaw.com forward to one (server only) sme server under one external IP

first problem-layout

stream.kspk.com is the domain to the streaming server which has its own different IP from the main server. This is a completely stand alone server not tied to the one above in any shape or form.

Thanks

Offline Jean-Philippe Pialasse

Re: let's encrypt question
« Reply #21 on: January 13, 2023, 11:40:55 PM »
As I pointed out, you ask for a certificate for a domain/hostname/subdomain that is not defined,

a.k.a. ftp.brendasgetzlaw.com

Code:

dig ftp.brendasgetzlaw.com @nirvana.easydns.net

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.68.rc1.el6_10.8 <<>> ftp.brendasgetzlaw.com @nirvana.easydns.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 35342
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; WARNING: recursion requested but not available

;; QUESTION SECTION:
;ftp.brendasgetzlaw.com.                IN      A

;; AUTHORITY SECTION:
brendasgetzlaw.com.     300     IN      SOA     rush.easydns.com. zone.easydns.com. 1673642757 3600 600 604800 300

;; Query time: 9 msec
;; SERVER: 69.164.213.139#53(69.164.213.139)
;; WHEN: Fri Jan 13 17:36:57 2023
;; MSG SIZE  rcvd: 94


So either you define it in DNS, along with all the other hostnames/subdomains defined on your SME for this domain, or you remove the unused hostnames from the SME, or you keep them and set the property according to the wiki page pointed to, so that the Let's Encrypt dehydrated script does not ask for a certificate for them.


Offline JRBATM20192021

Re: let's encrypt question
« Reply #22 on: January 14, 2023, 04:52:36 AM »
Okay, so new error: it doesn't like the ACME challenge. Is there a special generator to make a new one that Let's Encrypt will recognize? Error below for your reference.

[root@www ~]# db domains setprop brendasgetzlaw.com  letsencryptSSLcert enabled
[root@www ~]# db hosts setprop www.brendasgetzlaw.com letsencryptSSLcert enabled   
[root@www ~]# config setprop letsencrypt configure domains
[root@www ~]# config setprop letsencrypt status test
[root@www ~]# signal-event console-save
[root@www ~]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com kspk.com mail.kspk.com www.kspk.com
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: kspk.com mail.kspk.com www.kspk.com
 + Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Mar 30 09:32:10 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 5 authorizations URLs from the CA
 + Handling authorization for kspk.com
 + Handling authorization for mail.kspk.com
 + Handling authorization for www.brendasgetzlaw.com
 + Handling authorization for www.kspk.com
 + Handling authorization for brendasgetzlaw.com
 + 5 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for kspk.com authorization...
 + Challenge is valid!
 + Responding to challenge for mail.kspk.com authorization...
 + Challenge is valid!
 + Responding to challenge for www.brendasgetzlaw.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "ip: Invalid response from http://www.brendasgetzlaw.com/.well-known/acme-challenge/K0w-Yzs2z96lOWxTiLiQ94Kg3YsnSyG4wDE-Cyrsv30: 403",
    "status": 403
  },
  "url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/4932748973/lO3a3Q",
  "token": "K0w-Yzs2z96lOWxTiLiQ94Kg3YsnSyG4wDE-Cyrsv30",
  "validationRecord": [
    {
      "url": "http://www.brendasgetzlaw.com/.well-known/acme-challenge/K0w-Yzs2z96lOWxTiLiQ94Kg3YsnSyG4wDE-Cyrsv30",
      "hostname": "www.brendasgetzlaw.com",
      "port": "80",
      "addressesResolved": [
        "ip"
      ],
      "addressUsed": "ip"
    }
  ],
  "validated": "2023-01-14T03:41:37Z"
})
[root@www ~]# config setprop letsencrypt status enabled
[root@www ~]# signal-event console-save
[root@www ~]# dehydrated -c -x
# INFO: Using main config file /etc/dehydrated/config
Processing kspk.com with alternative names: brendasgetzlaw.com www.brendasgetzlaw.com kspk.com mail.kspk.com www.kspk.com
 + Checking domain name(s) of existing cert... changed!
 + Domain name(s) are not matching!
 + Names in old certificate: kspk.com mail.kspk.com www.kspk.com
 + Configured names: brendasgetzlaw.com kspk.com mail.kspk.com www.brendasgetzlaw.com www.kspk.com
 + Forcing renew.
 + Checking expire date of existing cert...
 + Valid till Mar 30 09:32:10 2023 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 5 authorizations URLs from the CA
 + Handling authorization for brendasgetzlaw.com
 + Handling authorization for kspk.com
 + Handling authorization for mail.kspk.com
 + Handling authorization for www.brendasgetzlaw.com
 + Handling authorization for www.kspk.com
 + 5 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for brendasgetzlaw.com authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:unauthorized",
    "detail": "ip: Invalid response from http://brendasgetzlaw.com/.well-known/acme-challenge/DFRY8EyqhT4IcklaGIfl9uvc6dMe8gJqPnsqpntzzkE: 403",
    "status": 403
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/195011633767/ytsZrQ",
  "token": "DFRY8EyqhT4IcklaGIfl9uvc6dMe8gJqPnsqpntzzkE",
  "validationRecord": [
    {
      "url": "http://brendasgetzlaw.com/.well-known/acme-challenge/DFRY8EyqhT4IcklaGIfl9uvc6dMe8gJqPnsqpntzzkE",
      "hostname": "brendasgetzlaw.com",
      "port": "80",
      "addressesResolved": [
        "ip"
      ],
      "addressUsed": "ip"
    }
  ],
  "validated": "2023-01-14T03:43:10Z"
})
[root@www ~]#

Offline Jean-Philippe Pialasse

Re: let's encrypt question
« Reply #23 on: January 14, 2023, 05:50:50 AM »
1/ If you want a certificate for stream.kspk.com, as its public IP is different and it is on a different server, you need to run a Let's Encrypt client on this server.


2/ Regarding your issue with http://www.brendasgetzlaw.com, you will have the same with http://brendasgetzlaw.com.
"status": 403 means your server refuses access to read the validation file/folder.

If you try to access https://www.kspk.com/.well-known/ you will be able to see the content of the directory;
on the opposite, at http://www.brendasgetzlaw.com/.well-known/ you hit a 403 error.
And if you try to access a non-existing file you will get:
www.kspk.com : Not Found The requested URL /.well-known/acme-challenge/jpp
www.brendasgetzlaw.com : Forbidden You don't have permission to access /.well-known/acme-challenge/jpp on this server.

Those behaviours are because of some modifications you did on your server.

Both behaviours are not expected on a standard SME Server: you should not be able to browse the content of the folder (i.e. list the content of the folder) for security reasons, as you are able to in https://www.kspk.com/.well-known/ (you should indeed get a 403), but you should be able to read the content of a file whose path in it you know, or get a 404 Not Found if the file does not exist (and not a 403).

So when Let's Encrypt tries to validate the token it cannot get to it because something has been modified, and this is probably one of those:
- chown / chmod of the folder /home/e-smith/files/ibays/Primary/html/.well-known/ (or below)
- a .htaccess in /home/e-smith/files/ibays/Primary/html/ or in the ibay of brendasgetzlaw.com preventing access to .well-known/ and subfolders
- a custom template hiding the fragments intended to allow access to .well-known/ from any virtualhost: ibays or any virtualhost related to a webapp installed with a contrib.
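An added preflight check (my own example code, not the thread's or SME Server's) that reproduces, before dehydrated is run, the two failures seen in this thread: the public NXDOMAIN from the dig in reply #21 and the 403 under /.well-known/acme-challenge/ described here. The host names and the 203.0.113.10 address in the demo are constructed placeholders; resolver and prober are injectable so the logic runs without network access.

```python
"""Preflight for an http-01 run: for each host that letsencryptSSLcert would
include, check that it resolves publicly and that a missing token under
/.well-known/acme-challenge/ answers 404 (healthy) rather than 403 (blocked)."""
import socket
import urllib.error
import urllib.request

# Token that does not exist on purpose: a healthy host answers 404 here.
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe-does-not-exist"


def resolve_public(name):
    """Addresses the system resolver returns for name, [] on NXDOMAIN.
    Run this from a machine that does not use the SME box as its DNS, or
    hosts defined only locally will appear to resolve."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def probe_acme_path(name):
    """HTTP status for the probe token on port 80, None if unreachable."""
    req = urllib.request.Request("http://%s%s" % (name, PROBE_PATH))
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as err:
        return err.code
    except (urllib.error.URLError, OSError):
        return None


def classify(addresses, status):
    """Map what the preflight saw to the outcome dehydrated would report."""
    if not addresses:
        return "dns: NXDOMAIN, add an A/AAAA record at the public DNS provider or disable the host"
    if status == 404:
        return "ok: name resolves and a missing token gives 404 as expected"
    if status == 403:
        return "unauthorized: 403 under /.well-known/acme-challenge/, check chown/chmod, .htaccess and custom templates"
    if status is None:
        return "unreachable: port 80 not answering, check router forwarding"
    return "unexpected: HTTP %s for a missing token" % status


def preflight(names, resolver=resolve_public, prober=probe_acme_path):
    """Check every name; only probe HTTP for names that actually resolve."""
    report = {}
    for name in names:
        addresses = resolver(name)
        report[name] = classify(addresses, prober(name) if addresses else None)
    return report


if __name__ == "__main__":
    # Constructed stand-in for the thread's situation (no network needed):
    # ftp. has no public record, www. resolves but the folder answers 403.
    fake_dns = {"www.example.test": ["203.0.113.10"], "ftp.example.test": []}
    for host, verdict in preflight(fake_dns, resolver=fake_dns.get,
                                   prober=lambda n: 403).items():
        print(host, "->", verdict)
```

Run it against the real hosts with `preflight(["brendasgetzlaw.com", "www.brendasgetzlaw.com"])` from a machine outside the network; every name must come back "ok" before dehydrated is worth re-running.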

Offline JRBATM20192021

Re: let's encrypt question
« Reply #24 on: January 14, 2023, 08:19:21 AM »
Makes a lot of sense actually, so I am assuming if I can make the /.well-known folder for brendasgetzlaw.com the challenge should work?

How is that folder made? Is it possible to make another for brendasgetzlaw.com? I can't find it in the primary folder for the main domain in FTP, so I assume it's an invisible folder? I'm guessing in SSH?

Thanks

Offline bunkobugsy

Re: let's encrypt question
« Reply #25 on: January 14, 2023, 07:54:00 PM »
You can always get a free certificate at zerossl.com using email validation; it warns you to renew after 90 days.

Offline Jean-Philippe Pialasse

Re: let's encrypt question
« Reply #26 on: January 14, 2023, 09:20:36 PM »
The default setting is to share the Primary ibay folder with all the other virtualhosts (ibays, other webapps).
There are template fragments to alias this URL to this folder for all virtualhosts, unless, again, you have put a .htaccess that overrides this setting, or any other situation I gave as an example in my last comment.

Creating such a folder in the ibay won't help, as the validation script can only use one folder for all the tests. So you really have to check all the customizations you did that can mess with the expected behaviour. Yes, this is difficult, but this is the cost of being able to customize things a bit and not being limited to a closed system.


Offline JRBATM20192021

Re: let's encrypt question
« Reply #27 on: January 15, 2023, 07:52:32 AM »
@Jean-Philippe Pialasse
If I overrode the fragment template to alias the URL it was not intentional. How would I set up a template fragment to alias a URL, or check to see if it exists on my server?

@bunkobugsy

Thanks for the suggestion; how am I supposed to associate it with the server though? I created a certificate, but it gave me a certificate to download and upload to the server, so not sure what to do with that.

Offline bunkobugsy

Re: let's encrypt question
« Reply #28 on: January 15, 2023, 05:16:10 PM »
Thanks for the suggestion; how am I supposed to associate it with the server though? I created a certificate, but it gave me a certificate to download and upload to the server, so not sure what to do with that.

https://wiki.koozali.org/Certificates_Concepts#Commercial_certificates

Offline JRBATM20192021

Re: let's encrypt question
« Reply #29 on: January 16, 2023, 02:18:05 AM »
Understood, thanks. Will this interfere with my Let's Encrypt certificate for my other domain, since it is going to be on the same server?