Koozali.org: home of the SME Server

SSL Help - Lets Encrypt

Offline CMCGREGOR10

SSL Help - Lets Encrypt
« on: February 14, 2023, 12:00:25 AM »
Hi everyone,

Really looking for some guidance in regards to SSL and Let's Encrypt. I have tried following the instructions, etc., but I believe it is working and still coming up as self-signed. I may have screwed things

My server is in server-only mode

Here are some details; if anyone can assist, that would be great. Missionbmx is also a Shopify store, our main domain is oceaniacycles, and the others are old domains not in use except to catch any stray old emails.

Thanks

modSSL=service
    CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
    CommonName=mail.oceaniacycles.com.au
    TCPPort=443
    access=public
    status=enabled

# INFO: Using main config file /etc/dehydrated/config
Processing oceaniacycles.com.au with alternative names: fujibikes.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au missionbmx.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au oceaniabikes.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au oceaniacycles.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au 
www.oceaniabikes.com.au www.oceaniacycles.com.au
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 24 authorizations URLs from the CA
 + Handling authorization for ftp.missionbmx.com.au
 + Handling authorization for ftp.oceaniabikes.com.au
 + Handling authorization for ftp.oceaniacycles.com.au
 + Handling authorization for fujibikes.com.au
 + Handling authorization for linux.fujibikes.com.au
 + Handling authorization for mail.missionbmx.com.au
 + Handling authorization for mail.oceaniabikes.com.au
 + Handling authorization for mail.oceaniacycles.com.au
 + Handling authorization for missionbmx.com.au
 + Handling authorization for oceaniabikes.com.au
 + Handling authorization for oceaniacycles.com.au
 + Handling authorization for proxy.fujibikes.com.au
 + Handling authorization for proxy.missionbmx.com.au
 + Handling authorization for proxy.oceaniabikes.com.au
 + Handling authorization for proxy.oceaniacycles.com.au
 + Handling authorization for wpad.fujibikes.com.au
 + Handling authorization for wpad.missionbmx.com.au
 + Handling authorization for wpad.oceaniabikes.com.au
 + Handling authorization for wpad.oceaniacycles.com.au
 + Handling authorization for www.fujibikes.com.au
 + Handling authorization for www.missionbmx.com.au
 + Handling authorization for www.oceaniabikes.com.au
 + Handling authorization for www.oceaniacycles.com.au
 + Handling authorization for ftp.fujibikes.com.au
 + 24 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for ftp.missionbmx.com.au authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"]      "http-01"
["status"]      "invalid"
["error","type"]        "urn:ietf:params:acme:error:dns"
["error","detail"]      "DNS problem: NXDOMAIN looking up A for ftp.missionbmx.com.au - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for ftp.missionbmx.com.au - check that a DNS record exists for this domain"
["error","status"]      400
["error"]       {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for ftp.missionbmx.com.au - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for ftp.missionbmx.com.au - check that a DNS record exists for this domain","status":400}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/202141128416/XCmyIg"
["token"]       "PnWm1HIcE7s6F2xoDj1_8qIcmEgqPltT3DYH-ndhltY"
["validated"]   "2023-02-13T21:43:25Z")

Offline ReetP

Re: SSL Help - Lets Encrypt
« Reply #1 on: February 14, 2023, 01:04:11 AM »
Use test mode so you don't get rate limited.

Fix your DNS here:

Quote
looking up A for ftp.missionbmx.com.au - check that a DNS record exists for this domain;
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline TerryF (grumpy old man)
Re: SSL Help - Lets Encrypt
« Reply #2 on: February 14, 2023, 03:59:04 AM »
Server-only mode: ensure the required ports are forwarded from your router.
--
qui scribit bis legit

Offline CMCGREGOR10

Re: SSL Help - Lets Encrypt
« Reply #3 on: February 14, 2023, 04:16:37 AM »
Server-only mode: ensure the required ports are forwarded from your router.

Thanks, I will look at that also. I have narrowed down the domains and am now getting another issue which could be firewall related.

Offline Jean-Philippe Pialasse (aka Unnilennium, http://smeserver.pialasse.com)
Re: SSL Help - Lets Encrypt
« Reply #4 on: February 14, 2023, 11:51:41 PM »
You have your answer in the error message, as pointed out by ReetP.

I would also emphasize that you probably have not configured all those subdomains to point to your server (e.g. wpad, ftp, proxy…), and hence configuring Let's Encrypt to try to validate all those subdomains/hosts is a recipe for failure. Please reread the wiki page to only enable the domains and hosts you need, and that are actually configured to point toward your server at your DNS provider.
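
As an added example (not code from this thread, from SME Server or from dehydrated), the following Python script does the pre-flight check that ReetP's and Jean-Philippe's replies amount to: it reads the "Processing ... with alternative names:" line that dehydrated prints, de-duplicates the hostnames (the run in the first post lists every host four times, hence 24 authorizations), resolves each one and compares the answers with the server's public address, so that only names which actually reach this server are kept for the Let's Encrypt host list. The log line, hostnames and addresses in it are constructed; the script name `precheck.py`, the `server_ips` parameter and the three bucket names are my own. One assumption worth stating: run on the SME box itself, the system resolver may answer for hostnames the server defines locally even though public DNS (which is what the CA queries) returns NXDOMAIN, so run the check from a machine outside the LAN or swap in a public resolver.

```python
"""
Pre-flight DNS check for a dehydrated http-01 run.
Constructed example; not part of SME Server or dehydrated.
"""
import re
import socket
import sys
from typing import Callable, Dict, List, Set

# Constructed sample shaped like dehydrated's "Processing ..." line in the post
# (illustrative hostnames only; note the duplicated www entry).
SAMPLE_LOG = (
    "# INFO: Using main config file /etc/dehydrated/config\n"
    "Processing example.com.au with alternative names: www.example.com.au "
    "ftp.example.com.au mail.example.com.au www.example.com.au\n"
    " + Signing domains...\n"
)

PROCESSING_RE = re.compile(r"^Processing (\S+) with alternative names: (.*)$", re.M)


def names_from_log(log: str) -> List[str]:
    """Every hostname dehydrated will ask the CA to authorize, de-duplicated, in order."""
    names: List[str] = []
    seen: Set[str] = set()
    for match in PROCESSING_RE.finditer(log):
        for host in [match.group(1)] + match.group(2).split():
            host = host.lower().rstrip(".")
            if host not in seen:
                seen.add(host)
                names.append(host)
    return names


def system_resolve(host: str) -> Set[str]:
    """A/AAAA answers from the system resolver; empty set when the name does not resolve.

    Assumption about the SME box: run on the server itself, this may consult the
    server's own DNS, which can answer for locally defined hostnames even when public
    DNS (what the CA sees) returns NXDOMAIN. Run it from outside the LAN.
    """
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_UNSPEC, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def classify(names: List[str], server_ips: Set[str],
             resolve: Callable[[str], Set[str]] = system_resolve) -> Dict[str, List[str]]:
    """Sort names into three buckets:
      ok        - at least one address is this server (http-01 can succeed)
      nxdomain  - no A/AAAA record at all (the error in the first post)
      elsewhere - resolves, but to another host (e.g. a hosted storefront), so the
                  CA's HTTP request never reaches this server
    """
    report: Dict[str, List[str]] = {"ok": [], "nxdomain": [], "elsewhere": []}
    for host in names:
        addrs = resolve(host)
        if not addrs:
            report["nxdomain"].append(host)
        elif addrs & server_ips:
            report["ok"].append(host)
        else:
            report["elsewhere"].append(host)
    return report


def main(argv: List[str]) -> int:
    if len(argv) < 2:
        print("usage: python precheck.py SERVER_PUBLIC_IP [dehydrated.log]", file=sys.stderr)
        return 2
    server_ips = {argv[1]}
    log = open(argv[2]).read() if len(argv) > 2 else SAMPLE_LOG
    report = classify(names_from_log(log), server_ips)
    for bucket, hosts in report.items():
        for host in hosts:
            print(f"{bucket:9} {host}")
    print("\nOnly the 'ok' names belong in the Let's Encrypt host list.")
    return 1 if report["nxdomain"] or report["elsewhere"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

This only covers the DNS half of the problem. An "ok" name still fails http-01 if port 80 is not forwarded from the router to the server (TerryF's point), and while iterating on the host list the Let's Encrypt test/staging mode avoids the production rate limits (ReetP's point).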

Offline CMCGREGOR10

Re: SSL Help - Lets Encrypt
« Reply #5 on: February 16, 2023, 02:28:06 AM »
You have your answer in the error message, as pointed out by ReetP.

I would also emphasize that you probably have not configured all those subdomains to point to your server (e.g. wpad, ftp, proxy…), and hence configuring Let's Encrypt to try to validate all those subdomains/hosts is a recipe for failure. Please reread the wiki page to only enable the domains and hosts you need, and that are actually configured to point toward your server at your DNS provider.

Thanks, I have narrowed it down to the one domain/host and have an issue with the firewall which I need to sort out with the port.