Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: mikecoan on July 28, 2020, 08:54:06 PM
-
Hi to all,
I am running SME Server 9.2. A number of years ago I used the "manual" method to install dehydrated and obtain certificates for my domain and the mail host. I don't believe the SME contrib for this existed. The steps I followed seem to be the ones currently specified in the wiki. It worked flawlessly for years. I did get a message about Let's Encrypt changing to V2 of the API. I thought I fixed that by putting API="2" in the /etc/dehydrated/config file.
My certificates expire on August 1. When I run dehydrated -c -x I get the following message
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Aug 1 06:41:39 2020 GMT (Less than 30 days). Renewing!
+ Signing domains...
ERROR: Certificate authority doesn't allow certificate signing.
Naturally I would like to correct this error. I am not averse to using the SME contrib, but I am not completely clear on what I have to remove from the manual method to return to the original state. Do I remove the /etc/dehydrated/config and domains.txt files? Do I also remove the custom template? What about the old certificates?
Perhaps there is a simple fix for the manual method. Any suggestions would be appreciated. I checked the forums for similar problems, but did not see one.
Mike
-
Check the version of dehydrated on your server, in case your install process is preventing updates using 'yum'.
Here's what I get on a test server with a fresh install of smeserver-letsencrypt:
# yum install smeserver-letsencrypt --enablerepo=smecontribs
...
# rpm -qa dehydrated
dehydrated-0.6.5-1.el6.noarch
-
Dear mmccarn,
Thanks for the reply. Unfortunately, rpm -qa dehydrated yields
dehydrated-0.6.5-1.el6.noarch
the same as yours.
Mike
-
-Deleted-
-
Hi Stefano,
smeserver-letsencrypt-0.5-15.noarch
As I mentioned in my original post, I used the manual method originally. Maybe there is a conflict between smeserver-letsencrypt and what I did manually. Should I just follow the steps in the wiki for smeserver-letsencrypt? Do I need to remove anything I did before doing that, or will following the steps in the wiki for smeserver-letsencrypt overwrite the steps and correct it?
Mike
-
-Deleted-
-
Stefano,
I removed letsencrypt and dehydrated, removed all my handwritten files, and then reinstalled letsencrypt and dehydrated contribs. I followed all the steps, enabled test mode, and ran dehydrated -c. I got the following error.
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:connection",
"detail": "Fetching http://woodlawnfoundation.org/.well-known/acme-challenge/9WdoLkRdNdBTOoMJ77Mtm1PogVbD0DYi1otGx5OtTbQ: Connection refused",
"status": 400
},
"url": "https://acme-staging-v02.api.letsencrypt.org/acme/chall-v3/85606385/InGEaw",
"token": "9WdoLkRdNdBTOoMJ77Mtm1PogVbD0DYi1otGx5OtTbQ",
"validationRecord": [
{
"url": "http://woodlawnfoundation.org/.well-known/acme-challenge/9WdoLkRdNdBTOoMJ77Mtm1PogVbD0DYi1otGx5OtTbQ",
"hostname": "woodlawnfoundation.org",
"port": "80",
"addressesResolved": [
"96.56.34.181"
],
"addressUsed": "96.56.34.181"
}
]
})
I will research the cause of that error, but if anyone has a fix that would be greatly appreciated.
Mike
-
-Deleted-
-
Further info.
The reason the challenge failed is because the webserver is not up. The webserver is not up because in starting over I deleted the dehydrated directory. That is where the existing certs were stored. When I type config show modSSL I get
modSSL=service
CertificateChainFile=/etc/dehydrated/certs/woodlawnfoundation.org/chain.pem
TCPPort=443
access=public
crt=/etc/dehydrated/certs/woodlawnfoundation.org/cert.pem
key=/etc/dehydrated/certs/woodlawnfoundation.org/privkey.pem
status=enabled
Unfortunately, the chain.pem, cert.pem and privkey.pem files don't exist anymore. I need to revert modSSL to its default, which doesn't make reference to those files. I am looking for that file, but haven't located it yet.
Mike
-
-Deleted-
-
Stefano,
Thank you for your reply. I know the standard entries for modSSL. Unfortunately, when I installed manually I created a dehydrated-hook script that modified the standard modSSL file. I see that the entries in /db/configuration/defaults/modSSL are fine. The problem is that on rebooting there is an error in /etc/httpd/conf/httpd.conf at line 133.
It says that /etc/dehydrated/certs/woodlawnfoundation.org/cert.pem does not exist or is empty, and then the webserver fails to load. Since the webserver does not start, it is not accessible and the challenge fails. I need to find what file to change so that config show modSSL reads
modSSL=service
TCPPort=443
access=public
status=enabled
That is what is shown in the wiki. Somewhere in the templates lines are added to /etc/httpd/conf/httpd.conf that make it look for these certificate files. If I put in blank files for cert.pem, privkey.pem and chain.pem, the errors go away and the web site comes up. dehydrated -c gives a new error:
# INFO: Using main config file /etc/dehydrated/config
Processing woodlawnfoundation.org with alternative names: mail.woodlawnfoundation.org www.woodlawnfoundation.org
+ Checking domain name(s) of existing cert...unable to load certificate
140038517884744:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
Not sure how to proceed at this point. A trusted certificate was issued and now is no longer on the machine since I deleted the /etc/dehydrated directory when I began from scratch. I thought I made a backup, but I only backed up the modSSL file. The certificate expires August 1, so maybe when it expires and a trusted certificate no longer exists, the challenge will work.
Any thoughts are appreciated.
Mike
-
-Deleted-
-
Stefano,
Thank you. Thank you. Thank you. All is well now. I used the config delprop commands to get back to the start, deleted all the .pem files in /etc/dehydrated and reran dehydrated -c in test mode and got no errors. I then ran dehydrated -c -c in production mode and got new certificates. Thank you so much for your patience and perseverance.
Mike
-
-Deleted-
-
A good outcome all round, guys, thumbs up. With the first cutoff date now gone, increasing errors are going to affect anyone still on V1 certs; there will be more than a few who were early users and had manual setups. Saving this post for future ref.
June 2020 they will stop allowing new domains to validate via ACMEv1.
Starting at the beginning of 2021 they will occasionally disable ACMEv1 issuance and renewal for periods of 24 hours, no more than once per month (OCSP service will not be affected). The intention is to induce client errors that might encourage subscribers to update to clients or configurations that use ACMEv2.
Renewal failures should be limited since new domain validations will already be disabled and we recommend renewing certificates 30 days before they expire.
In June of 2021 they will entirely disable ACMEv1 as a viable way to get a Let’s Encrypt certificate.
-
Hi to all
I also have a problem and I will appreciate any help...
My server: SME Server 9.2, and unfortunately with both Let's Encrypt setups (smeserver-letsencrypt and dehydrated installed manually); all updates done.
Config file is API 2 (also tried with "auto").
If I generate a new domain under V2, there is no problem; after the "dehydrated -c" command it works perfectly.
But if I add a new host address in an old domain (where, I think, there is an old V1 certificate) I get the following error:
+ Requesting challenge for www.mydomain.com...
+ Already validated!
+ Requesting challenge for newhost.mydomain.com...
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz ( Status 403)
Details:
{
"type": "urn:acme:error:unauthorized",
"detail": "Error creating new authz :: Validations for new domains are disabled in the V1 API (https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430)",
"status": 403
}
In my case, is this the command to renew all the certificates I have to the V2 API? I'm scared to do it:
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile
Thank you in advance for any help
Umbi
-
-Deleted-
-
Hello ReetP
Thank you very much for your fast reply.
Just to be sure I do it right, I will do the following steps:
1.)
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile
2.)
signal-event console-save
reboot
3.)
config setprop letsencrypt status test
signal-event console-save
4.)
dehydrated -c
If all ok,
5.)
config setprop letsencrypt status enabled
signal-event console-save
+
dehydrated -c -x
6.) at the end
dehydrated --cleanup (-gc)
Is that the right order, and is everything right?
I prefer to ask again to be on the safe side and I appreciate your help very much. :-)
Umbi
-
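Added example (not code from this thread, from SME Server or from the smeserver-letsencrypt contrib): a POSIX shell preflight script that checks, before anyone runs dehydrated -c again, the two things that bit both posters above. First, whether the modSSL record still carries crt, key and CertificateChainFile properties pointing at files httpd cannot load (missing, empty, or not PEM); a missing file keeps httpd from starting, which is why the http-01 challenge earlier in the thread was refused, and an empty placeholder file produces the "no start line" openssl error quoted there. Second, which ACME endpoint /etc/dehydrated/config will actually talk to, on the assumption that dehydrated 0.6.x reads CA= and API= from that file and fetches its endpoints from the CA= directory URL, so a CA= that still names acme-v01 overrides API="2". The "config show modSSL" output format is taken from the posts above; the config path, the function names, the state labels and the --run flag are this example's own.

```sh
#!/bin/sh
# Preflight checks before re-running "dehydrated -c" on an SME Server 9 box
# that is being moved from a hand-built dehydrated setup to smeserver-letsencrypt.
# Added example for this thread; not part of SME Server or the contrib.
# Assumptions (not from the thread): dehydrated reads CA= and API= from
# /etc/dehydrated/config, and "config show modSSL" prints key=value lines
# exactly as quoted in the posts above.

# Print the value of one modSSL property from "config show modSSL" output.
# $1 = the captured output, $2 = property name (crt, key, CertificateChainFile).
# Prints nothing when the property is not set, i.e. the stock modSSL record.
modssl_prop() {
    printf '%s\n' "$1" | sed -n "s/^$2=//p"
}

# Classify a PEM file the way httpd and openssl will see it:
#   missing - no such file: httpd refuses to start, so http-01 gets "Connection refused"
#   empty   - zero bytes: httpd starts, but openssl reports "no start line"
#   notpem  - has bytes but no PEM header
#   ok      - contains a CERTIFICATE or PRIVATE KEY block
pem_state() {
    [ -e "$1" ] || { echo missing; return; }
    [ -s "$1" ] || { echo empty; return; }
    if grep -qE '^-----BEGIN (CERTIFICATE|[A-Z ]*PRIVATE KEY)-----' "$1"; then
        echo ok
    else
        echo notpem
    fi
}

# List every modSSL property that points at a file httpd cannot use.
# $1 = "config show modSSL" output. One "prop state path" line per problem;
# prints nothing when the record is clean.
modssl_problems() {
    for p in crt key CertificateChainFile; do
        path=$(modssl_prop "$1" "$p")
        [ -n "$path" ] || continue
        st=$(pem_state "$path")
        [ "$st" = ok ] || echo "$p $st $path"
    done
}

# Last assignment of a shell variable in a dehydrated config file, quotes stripped.
# $1 = config file, $2 = variable name. Commented-out lines are ignored.
cfg_value() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"'"'"
}

# Which ACME API the config will really use: v1, v2 or auto.
# Assumed dehydrated 0.6.x behaviour: endpoints come from the CA= directory
# URL, so a CA= still naming acme-v01 wins over API="2"; only without a
# recognisable CA= does API= decide.
acme_api_version() {
    ca=$(cfg_value "$1" CA)
    api=$(cfg_value "$1" API)
    case "$ca" in
        *acme-v01.api.letsencrypt.org*) echo v1; return ;;
        *acme-v02.api.letsencrypt.org*|*acme-staging-v02.api.letsencrypt.org*) echo v2; return ;;
    esac
    case "$api" in
        1) echo v1 ;;
        2) echo v2 ;;
        *) echo auto ;;
    esac
}

# On the server itself (hypothetical file name):  sh preflight.sh --run
if [ "${1:-}" = "--run" ]; then
    problems=$(modssl_problems "$(config show modSSL)")
    if [ -n "$problems" ]; then
        echo "modSSL points at unusable files:"
        echo "$problems"
        echo "fix with: config delprop modSSL crt / key / CertificateChainFile, then signal-event console-save"
    else
        echo "modSSL: ok"
    fi
    echo "ACME API from /etc/dehydrated/config: $(acme_api_version /etc/dehydrated/config)"
fi
```

Run it with --run before step 3 of the checklist above: an empty modSSL report and "v2" for the API is what you want to see before dehydrated -c in test mode. The functions take their input as arguments, so they can be exercised against constructed files away from the production box; the "modSSL: ok" result corresponds to the four-line default record quoted earlier in the thread.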
-Deleted-
-
Hi ReetP
Thank you for your answer and, first of all: HAPPY NEW YEAR!
When are you back from holiday?
I'd feel better if you tested it first, because it's a production server ;-)
kind regards
Umbi
-
-Deleted-
-
Hello !
Since I have the same problem, but all the answers are deleted: was that the way to get dehydrated running with API 2?
Thank you very much for answering!
Hello ReetP
Thank you very much for your fast reply.
Just to be sure I do it right, I will do the following steps:
1.)
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile
2.)
signal-event console-save
reboot
3.)
config setprop letsencrypt status test
signal-event console-save
4.)
dehydrated -c
If all ok,
5.)
config setprop letsencrypt status enabled
signal-event console-save
+
dehydrated -c -x
6.) at the end
dehydrated --cleanup (-gc)
Is that the right order, and is everything right?
I prefer to ask again to be on the safe side and I appreciate your help very much. :-)
Umbi