Koozali.org: home of the SME Server

Obsolete Releases => SME 9.x Contribs => Topic started by: nicolatiana on June 25, 2019, 10:13:49 AM

Title: LetsEncrypt "ERROR: Certificate authority doesn't allow certificate signing"
Post by: nicolatiana on June 25, 2019, 10:13:49 AM
The certificate does not renew.
Uncommented the CA line in the config file and performed a test request with dehydrated -c and this worked fine.
I'm able to reach the .well-known folder from the web.
Commented out the CA line and running dehydrated -c -x gives the "ERROR: Certificate authority doesn't allow certificate signing"

It is a manual configuration & install via Git.

Nicola

Quote

# INFO: Using main config file /etc/dehydrated/config
Processing web.qbservice.it
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Sep 23 06:38:27 2019 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
ERROR: Certificate authority doesn't allow certificate signing

Quote

cat /etc/dehydrated/domains.txt
web.mydomain.it

Quote

cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
#CA="https://acme-staging.api.letsencrypt.org/directory"
#CA="https://acme-v01.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=info@mydomain.it
#HOOK="/usr/bin/hook-script.sh"
HOOK="/usr/local/bin/dehydrated-hook"
API="1"
# letsencrypt property ACCEPT_TERMS not set to yes



Title: Re: LetsEncrypt "ERROR: Certificate authority doesn't allow certificate signing"
Post by: ReetP on June 26, 2019, 01:25:36 AM
Not really sure what to do if you are using your own install instead of the contrib.

Beyond that what version are you using?

I can see you have probably tried to copy off an old config. Have you checked it is correct and up to date?

(One thing I would suggest is swapping to API 2)

What about your apache template and SSL settings?

Are you using any other certificates?

Have you checked github for bugs?

Title: Re: LetsEncrypt "ERROR: Certificate authority doesn't allow certificate signing"
Post by: nicolatiana on June 26, 2019, 08:34:05 AM
Many thanks for your reply.

According to your suggestion I've analyzed the sample config file coming from github (/etc/dehydrated/docs/examples) and I've modified mine in this way:

Quote
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
#CA="https://acme-v02.api.letsencrypt.org/directory"
CONTACT_EMAIL=info@qbservice.it
HOOK="/usr/local/bin/dehydrated-hook"
API="2"

The trick was the outdated "CA=" record.

All other folder/scripts and apache/SSL settings were right.

Swapped to API 2 too.

I've been able to correctly perform both the test and getting a trusted certificate.

Many thanks again.

P.S.: not using the contrib because more or less all of my letsencrypt installs were done before the contrib release and I never moved to the contrib. :wink:
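
Added example, not part of the thread and not code from dehydrated or the SME contrib: a small shell check that reads a dehydrated config such as the ones quoted above and flags ACME v1 leftovers (an active CA pointing at a v1 directory, API="1", or a CA/API mismatch). The function names are hypothetical, the host names are assumed to be Let's Encrypt's public v1 and v2 directory hosts, and the sample config is constructed from the first post.

```shell
#!/bin/sh
# active_value FILE KEY -> last uncommented KEY=value, quotes stripped.
active_value() {
    sed -n "s/^[[:space:]]*$2=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# acme_api_of URL -> 1, 2 or unknown, judged by the directory host name.
acme_api_of() {
    case "$1" in
        https://acme-v01.api.letsencrypt.org/*|https://acme-staging.api.letsencrypt.org/*) echo 1 ;;
        https://acme-v02.api.letsencrypt.org/*|https://acme-staging-v02.api.letsencrypt.org/*) echo 2 ;;
        *) echo unknown ;;
    esac
}

# check_dehydrated_config FILE -> prints findings; returns 0 if clean, 1 if not.
check_dehydrated_config() {
    ca=$(active_value "$1" CA)
    api=$(active_value "$1" API)
    status=0
    if [ -n "$ca" ] && [ "$(acme_api_of "$ca")" = 1 ]; then
        echo "CA points at an ACME v1 directory: $ca"; status=1
    fi
    if [ "$api" = 1 ]; then
        echo "API=\"1\" selects the ACME v1 protocol"; status=1
    fi
    if [ -n "$ca" ] && [ -n "$api" ] && [ "$api" != auto ]; then
        want=$(acme_api_of "$ca")
        if [ "$want" != unknown ] && [ "$want" != "$api" ]; then
            echo "API=\"$api\" does not match the v$want directory in CA"; status=1
        fi
    fi
    return $status
}

# Constructed sample modelled on the first config in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
#CA="https://acme-staging.api.letsencrypt.org/directory"
#CA="https://acme-v01.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
API="1"
EOF
check_dehydrated_config "$sample" || echo "-> review $sample before the next renewal"
rm -f "$sample"
```

Commented-out lines are ignored, so only settings that dehydrated would actually read are reported.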