Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: beast on October 14, 2017, 09:38:49 AM
-
Hi All
I now get this error when I try to renew my certificates - do not understand why.
It has been running for a long time without problems!
Everything looks fine when I follow the guides at https://wiki.contribs.org/Letsencrypt
https://www.pcrypt.com/.well-known/acme-challenge/ also return fine results as far as I can tell
# INFO: Using main config file /etc/dehydrated/config
Processing beast.dk with alternative names: www.beast.dk passcrypt.com www.passcrypt.com passcrypt.dk www.passcrypt.dk passcrypt.eu www.passcrypt.eu passcrypt.org www.passcrypt.org passwordcrypt.dk www.passwordcrypt.dk passwordcrypt.eu www.passwordcrypt.eu passwordcrypt.org www.passwordcrypt.org pcrypt.com www.pcrypt.com pcrypt.dk www.pcrypt.dk pcrypt.eu www.pcrypt.eu pcrypt.org www.pcrypt.org
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Nov 2 00:31:00 2017 GMT (Less than 30 days). Renewing!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting challenge for beast.dk...
+ Already validated!
+ Requesting challenge for www.beast.dk...
+ Already validated!
+ Requesting challenge for passcrypt.com...
+ Already validated!
+ Requesting challenge for www.passcrypt.com...
+ Already validated!
+ Requesting challenge for passcrypt.dk...
+ Already validated!
+ Requesting challenge for www.passcrypt.dk...
+ Already validated!
+ Requesting challenge for passcrypt.eu...
+ Already validated!
+ Requesting challenge for www.passcrypt.eu...
+ Already validated!
+ Requesting challenge for passcrypt.org...
+ Already validated!
+ Requesting challenge for www.passcrypt.org...
+ Already validated!
+ Requesting challenge for passwordcrypt.dk...
+ Already validated!
+ Requesting challenge for www.passwordcrypt.dk...
+ Already validated!
+ Requesting challenge for passwordcrypt.eu...
+ Already validated!
+ Requesting challenge for www.passwordcrypt.eu...
+ Already validated!
+ Requesting challenge for passwordcrypt.org...
+ Already validated!
+ Requesting challenge for www.passwordcrypt.org...
+ Already validated!
+ Requesting challenge for pcrypt.com...
+ Already validated!
+ Requesting challenge for www.pcrypt.com...
+ Requesting challenge for pcrypt.dk...
+ Requesting challenge for www.pcrypt.dk...
+ Requesting challenge for pcrypt.eu...
+ Requesting challenge for www.pcrypt.eu...
+ Requesting challenge for pcrypt.org...
+ Requesting challenge for www.pcrypt.org...
+ Responding to challenge for www.pcrypt.com...
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/vKZpBP6IypKRlw-GRWhQwq5jvX4v7RS86Xc8o_80nRs/2169721171 (Status 400)
Details:
{
"type": "urn:acme:error:malformed",
"detail": "Unable to update challenge :: provided key authorization was incorrect",
"status": 400
}
-
For some unknown reason it worked today, after 14 days where it had not worked :-)
-
hello
same error here:
>>umberto nerone (10.04.18 17:48):
>>ERROR: Challenge is invalid! (returned: invalid) (result: {
>> "type": "http-01",
>> "status": "invalid",
>> "error": {
>> "type": "urn:acme:error:connection",
>> "detail": "Fetching http://www.satforum.ch/.well-known/acme-challenge/0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o: Timeout",
>> "status": 400
>> },
>> "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/hfvc9xxuQ8G9siUZvBFDA7_zzKU9cF79o5gIz3Lj1lo/4165957598",
>> "token": "0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o",
>> "keyAuthorization": "0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o.aw0uxAcUUOXtlRXYEw-K4Be5DP7K1vDhx0rV_O-iXGk",
>> "validationRecord": [
>> {
>> "url": "http://www.satforum.ch/.well-known/acme-challenge/0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o",
>> "hostname": "www.satforum.ch",
>> "port": "80",
>> "addressesResolved": [
>> "81.6.60.41"
>> ],
>> "addressUsed": "81.6.60.41"
>> }
>> ]
>>})
When I go to the well-known directory the key is different, not 0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o
It worked perfectly for more than a year. I did some mods in domain.txt (of course removed domains) and started dehydrated -c -x; from that moment the error appears.
Fixed IP; the well-known directory with files appears when I call domain/.well-known/acme-challenge/
Need urgent help.
-
I now get this error when I try to renew my certificates - do not understand why.
It has been running for a long time without problems!
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/vKZpBP6IypKRlw-GRWhQwq5jvX4v7RS86Xc8o_80nRs/2169721171 (Status 400)
Details:
{
"type": "urn:acme:error:malformed",
"detail": "Unable to update challenge :: provided key authorization was incorrect",
"status": 400
}
Saw this but never a follow up.
https://github.com/lukas2511/dehydrated/issues/268
I can see a whole host of files in your acme-challenge dir. Might be worth a cleanout and starting again ;-) That may include your PEM files in /etc/dehydrated/certs/ (careful what you do there!)
https://github.com/mailcow/mailcow/issues/465
Another thought - what version of dehydrated are you using and what config keys have you got set?
config show letsencrypt
rpm -qa |grep dehydrated
-
hello
same error here:
No, it isn't the same error
"type": "urn:acme:error:connection",
"detail": "Fetching http://www.satforum.ch/.well-known/acme-challenge/0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o: Timeout",
"status": 400
I tried going here a little earlier:
http://www.satforum.ch/.well-known/acme-challenge (http://www.satforum.ch/.well-known/acme-challenge)
And it seemed to timeout.
I just tried again and can see the directory.
The error seems to suggest your directory was not reachable, hence the timeout.
Is your connection having issues?
You have a lot of domains I presume - again, rate limits?
Post your settings as per my earlier post.
It worked perfectly for more than a year. I did some mods in domain.txt (of course removed domains) and started dehydrated -c -x; from that moment the error appears.
How did you modify it and exactly what did you do?
Need urgent help.
Please don't ask this, as a refusal can often offend.
If you need it urgently then you can always pay someone to do something urgently.
We are all volunteers. We will help as and when we can.
-
Dear ReetP
Thank you for your fast reply. And sorry for the urgent help request; I had no bad intentions (offending someone) with it.
For the connection issues question:
No, I reached the directory http://www.satforum.ch/.well-known/acme-challenge from different networks without any problems. I also tried to change the router DNS to 8.8.8.8 from Google, which makes the answer time of the server very slow, started the dehydrated -c command and result: same error 400.
Rate limits
I have a lot of domains, but before it worked perfectly with more domains. I'm sure I'm under the rate limits; maybe I can test making the certificate request with only the 3-4 most important domains, to see if the same issue comes out. If you mean the exceeded rate limit of requests: maybe, but shouldn't another error code come then?
My config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v01.api.letsencrypt.org/directory" (tried with and without commenting out, for testing purposes)
#BASEDIR="/etc/dehydrated" (tried with and without commenting out)
CONTACT_EMAIL="xxx@xxx.com"
HOOK="/usr/local/bin/dehydrated-hook"
PARAM_ACCEPT_TERMS="yes"
config show letsencrypt
ACCEPT_TERMS=yes
configure=none
email=xxx@xxx
hookScript=disabled
status=enabled
rpm -qa |grep dehydrated
dehydrated-0.6.1-10.el6.fws.noarch
Appreciating your answer and thank you again :-)
Umbi
-
I cleaned up unused domains in /etc/dehydrated/certs/
restarted dehydrated -c with the same error 400 (timeout)
I guess I received an update of dehydrated on March 18. Can it be that the problem is caused by the update? I'm still desperate. If somebody will fix it for money for me, please write me a PM.
-
Dear ReetP
Thank you for your fast reply. And sorry for the urgent help request; I had no bad intentions (offending someone) with it.
NP.
No, I reached the directory http://www.satforum.ch/.well-known/acme-challenge from different networks without any problems. I also tried to change the router DNS to 8.8.8.8 from Google, which makes the answer time of the server very slow, started the dehydrated -c command and result: same error 400.
I doubt changing your router DNS will make much difference. The issue is Letsencrypt servers trying to access your server.
dehydrated-0.6.1-10.el6.fws.noarch
That may be your issue then.
That rpm is from Firewall Services. It may well be different from the one in the SME repos, which I think is v0.4.x official and 0.5.0-3 in smetest.
I think the dehydrated script from Firewall may be using v2 of the Letsencrypt API and that may be causing issues somehow.
You should open a bug here:
https://bugs.contribs.org/enter_bug.cgi?product=SME%20Contribs&component=smeserver-letsencrypt&short_desc=&comment=
Note you are using the FWS dehydrated and your errors.
-
Dear ReetP
Thank you for your answer! It brings light into my darkness...
I also noted that at the command dehydrated -c it tries to fetch a keyfile that doesn't exist in /.well-known/acme-challenge - that causes the timeout 400 error for me.
Do I have a chance to downgrade to the SME v0.4.x version without losses?
I don't want to lose still valid certs.
If yes, how should I proceed?
yum remove dehydrated and yum install dehydrated? Copy / paste my domain.txt?
-
I think you can probably downgrade to v0.5 in smetest without any issues (v 0.5 will be released to smecontribs shortly)
(Not sure of an 'official' or clean way to do this !!)
Unless you have made any manual edits anywhere it will probably be ok.
You may need a post-upgrade/ reboot to ensure the config files are regenerated.
-
ReetP
Thank you.
I guess a bug ticket with the same error is listed here:
https://bugs.contribs.org/show_bug.cgi?id=10399
I will try the following steps to downgrade
1.) backup config files and domain.txt file
2.) yum remove smeserver-letsencrypt
3.) yum install smeserver-letsencrypt --enablerepo=smecontribs
config setprop letsencrypt ACCEPT_TERMS yes
signal-event console-save
*** I DO NOT : yum update smeserver-letsencrypt dehydrated --enablerepo=smecontribs
4.) config setprop letsencrypt configure none
5.) I edit config with nano -w and my domains.txt with my old values.
6.) I reboot the server and run dehydrated -c
Can you confirm my steps?
Greez + Thank you
Umbi
-
I have news:
Before I start a downgrade I tried something else:
I saw that I had pointed the primary domain to an i-bay.
- I changed the pointing to the default Primary directory.
- I restarted dehydrated -c
and I got "challenge is valid!" answers but at the end an error 500...
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/challenge/RG2RF0T9JMffzoSuNtb2KW_raolkuE_waX1y17FPnRg/4171524971 (Status 500)
Details:
<HTML><HEAD><TITLE>Error</TITLE></HEAD><BODY>
An error occurred while processing your request.<p>
Reference #179.55f90a17.1523458288.12f0c5c
</BODY></HTML>
-
IT WORKS !
Restarted the command dehydrated -c and:
+ Challenge is valid!
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
So the smoking gun is: * Never point the primary domain to an i-bay directory * It had worked for me in the past, but not since the update...
I'm happy to have resolved it by myself :-P
-
IT WORKS !
Excellent
So the smoking gun is: * Never point the primary domain to an i-bay directory * It had worked for me in the past, but not since the update...
Hmmm. I'm not sure exactly what you did, but clearly it messed things up. If this is the case then you really should open a bug for it because the issue is still there.
Note...
I believe for /.well-known/acme-challenge/ every domain is actually pointed to the Primary ibay - check /etc/httpd/conf.httpd.conf regardless of anything else.
e.g.
<VirtualHost 0.0.0.0:80>
Servername host.domain.com
... blah
Alias /.well-known/acme-challenge/ /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/
</VirtualHost>
It is too difficult to try and make letsencrypt/dehydrated add keys to lots of different directories so they all have to go in one place.
I'm happy to have resolved it by myself :-P
Indeed. Next time have a good think of what you might have done to upset things yourself before jumping up and down and saying 'urgent' :-)
Sometimes things that you modify might take a few days for say a reconfigure/reboot to show themselves. So you really ought to check logs etc to see what you might have changed before jumping to conclusions.
However, it is only part resolved (worked before, doesn't work now unless you revert your modification) and you really ought to create a bug.
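The two failures in this thread ("provided key authorization was incorrect" in the first post and a timeout or a different token in the acme-challenge directory in the later ones) both come down to what the CA reads back from /.well-known/acme-challenge/<token>, which per ACME must be <token>.<account key thumbprint>. The following is an added diagnostic (not from the thread or from dehydrated) that computes the RFC 7638 thumbprint from an account key's JWK members, fetches the file the way the CA does, and classifies what was served; the sample token and thumbprint are the ones quoted from the satforum.ch challenge result above.

```python
import base64
import hashlib
import json
import re
import urllib.request

# Token and thumbprint taken from the challenge result quoted in this thread.
SAMPLE_TOKEN = "0pLHyFA1YiiMVXDQcKLMsYUr1SqP598I5eLI06z297o"
SAMPLE_THUMBPRINT = "aw0uxAcUUOXtlRXYEw-K4Be5DP7K1vDhx0rV_O-iXGk"
B64URL = re.compile(r"[A-Za-z0-9_-]+")

def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def jwk_thumbprint(n_b64: str, e_b64: str) -> str:
    """RFC 7638 thumbprint of an RSA account key: SHA-256 over the required
    JWK members in lexicographic order with no whitespace."""
    canonical = json.dumps({"e": e_b64, "kty": "RSA", "n": n_b64},
                           separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())

def expected_key_authorization(token: str, thumbprint: str) -> str:
    """What the CA expects to read back: <token>.<account key thumbprint>."""
    return f"{token}.{thumbprint}"

def fetch_challenge(hostname: str, token: str, timeout: float = 10.0) -> str:
    """Fetch the file the way the CA does: plain HTTP on port 80. A socket
    timeout here is the urn:acme:error:connection case seen in the thread."""
    url = f"http://{hostname}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

def diagnose(served_body: str, token: str, thumbprint: str) -> str:
    """Classify a served challenge body against the expected key authorization."""
    body = served_body.strip()
    if body == expected_key_authorization(token, thumbprint):
        return "ok"
    parts = body.split(".")
    if len(parts) != 2 or not all(B64URL.fullmatch(p) for p in parts):
        return "malformed"            # e.g. an HTML error page from a rewrite rule
    if parts[0] != token:
        return "stale-token"          # leftover file from an earlier run
    return "account-key-mismatch"     # written with a different account key

if __name__ == "__main__":
    stale = "oldTokenFromPreviousRun." + SAMPLE_THUMBPRINT  # constructed sample body
    print(diagnose(stale, SAMPLE_TOKEN, SAMPLE_THUMBPRINT))  # stale-token
```

Run it against a live host with fetch_challenge(hostname, token) once dehydrated has written the file; "malformed" usually means a redirect or .htaccess rule in the ibay is answering instead of the static file.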
-
ReetP
Indeed - you are right in what you write...
I can say that it worked for me from the moment where I put my main domain back to the Primary directory.
From this moment I had no more error 400. It can be that I had a strange setting on that i-bay before, or some strange htaccess rule, which gave back a timeout. I don't know.
I will create a bug report as soon as I have had a rest :-)
I appreciate your help very much nevertheless...
Best wishes from Switzerland
Umbi
-
Indeed - you are right in what you write...
I try :-)
I will create a bug report as soon as I have had a rest :-)
Please do.
I appreciate your help very much nevertheless...
No worries.
For your information there is now v0.5 in the smecontribs repo, and v0.6 in the smetest repo.
v0.6 I am testing at the minute as it allows migration from Letsencrypt v1 -> v2 api
I need to add and modify a couple of keys in smeserver-letsencrypt to ensure a smooth move and I will post something on this in the next few days.
-
Hi Beast,
You wrote:
I cleaned up unused domains in /etc/dehydrated/certs/
Then you said:
I edit config with nano -w and my domains.txt with my old values.
You should clean domains.txt of all unused domains, not /etc/dehydrated/certs/. Make sure domains.txt is only one line.
I think that the first domain in domains.txt should be the one in Primary i-bay (not sure of that)
If I remember right, /etc/dehydrated/certs/ contains a folder with the name of the first domain in domains.txt. This folder contains all the requests, certs and chains.
Also, maybe save accounts keys somewhere and delete everything in accounts directory.
Then
/etc/dehydrated/dehydrated --register --accept-terms
And then
/etc/dehydrated/dehydrated -c
or to force the renewal if still valid.
/etc/dehydrated/dehydrated -c --force
Michel-André
-
It's best to do as little manually as possible.. !
The v0.6 that I am testing has a clean/archive function for old certs that works nicely.