Koozali.org: home of the SME Server
Obsolete Releases => SME 9.x Contribs => Topic started by: umbi on April 22, 2021, 05:20:21 AM
-
Hello everybody,
I'm desperate and I hope somebody can help me here.
I'm using SME Server 9.2 with letsencrypt, but after I changed to API V2 in the config I now get this error, also in test mode:
when I run dehydrated -c it says:
Error registering account key. See message above for more information.
rm: cannot remove '/etc/dehydrated/accounts/[OBF]/registration_info.json': No such file or directory
The file does not exist, I checked.
Is there a possibility to clean up letsencrypt completely (remove all files and configs) and start the letsencrypt installation from scratch?
I tried to uninstall, rebooted and reinstalled, but the same error comes up again. The problem is all my domains now have no certificate :-(
config:
ACCEPT_TERMS=yes
API=2
configure=all
email=*@*.com
hookScript=disabled
status=test
I also tried:
config delprop modSSL crt
config delprop modSSL key
config delprop modSSL CertificateChainFile
I think I have installed both contribs:
yum --enablerepo=smecontribs install dehydrated
and
yum install smeserver-letsencrypt --enablerepo=smecontribs
I will really appreciate your help.
Thank you very much
umbi
-
this should clean your dehydrated installation
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
do a backup first ;)
-
Version: dehydrated-0.6.5-13.el6.fws.noarch
Hello Jean-Philippe
Thank you very much for your fast answer.
I did what you wrote but the error is still there:
# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Certificate authority doesn't allow registrations.
Error registering account key. See message above for more information.
rm: cannot remove '/etc/dehydrated/accounts/[OBF]/registration_info.json': No such file or directory
[root@server ~]#
When I delete the directory manually with:
rm -r [OBF]/
after dehydrated -c it regenerates the same directory again :-(
When I uncomment in the config:
CA="https://acme-staging.api.letsencrypt.org/directory"
to
#CA="https://acme-staging.api.letsencrypt.org/directory"
[root@server dehydrated]# dehydrated -c
I get this error:
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
+ ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-reg (Status 403)
Details:
{
"type": "urn:acme:error:unauthorized",
"detail": "Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.",
"status": 403
}
-
I think the mention in the error messages that v1 is no longer supported and you must use v2 might be a clue.
The wiki makes mention of this and how to resolve it.
https://wiki.koozali.org/Letsencrypt#V2_API
-
Hi Sages
Thank you very much for your answer.
As you can see I have this config:
# config show letsencrypt
letsencrypt=service
ACCEPT_TERMS=yes
API=2
configure=none
email=####@#####.###
hookScript=disabled
status=test
Do you think it is better to change from API 2 to API = auto instead, as I had mixed V1 and V2 certificates?
My goal is to make all certificates of all domains new under V2.
Is it possible that I have to remove and regenerate /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge?
That directory is full....
Appreciating your help, thank you
Umbi
-
My guess is you did not fully follow the wiki: you did set your DB but did not expand your templates.
can you please FIRST paste here what returns
# cat /etc/dehydrated/config
then only after copying here the result, try
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
dehydrated -c
Beware there is a daily limit of tries; after that your IP gets banned. So make sure all the domains listed in /etc/dehydrated/domains.txt DO point to your current IP.
-
My guess is you did not fully follow the wiki: you did set your DB but did not expand your templates.
can you please FIRST paste here what returns
# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=*@*
API="2"
PARAM_ACCEPT_TERMS="yes"
then only after copying here the result, try
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
dehydrated -c
Beware there is a daily limit of tries; after that your IP gets banned. So make sure all the domains listed in /etc/dehydrated/domains.txt DO point to your current IP.
Sorry for the double post....
At the moment I'm in test mode. So you think I can start with your proposal?
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
dehydrated -c
In test mode or in production?
-
In test mode, same error:
[root@server dehydrated]# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Certificate authority doesn't allow registrations.
Error registering account key. See message above for more information.
rm: cannot remove '/etc/dehydrated/accounts/[OBF]/registration_info.json': No such file or directory
[root@server dehydrated]#
:-(
Now I found this in the log files:
[Thu Apr 22 16:14:52 2021] [warn] RSA server certificate CommonName (CN) `host.mydomain.com' does NOT match server name!?
After a reboot this error no longer appears; host.mydomain.com now points to my IP again.
-
please check you do not have any config file that could be interpreted and overrule what is in /etc/dehydrated/config in the following places
/usr/local/etc/dehydrated/config
./config (current directory)
/usr/bin/config
please paste here the result of
# dehydrated -e
you can hide your email address and account string please. (what is in /etc/dehydrated/accounts/<HERE>/..)
Now I found this in the log files:
[Thu Apr 22 16:14:52 2021] [warn] RSA server certificate CommonName (CN) `host.mydomain.com' does NOT match server name!?
After a reboot this error no longer appears; host.mydomain.com now points to my IP again.
not relevant, just noise
edit
also please what returns
rpm -q dehydrated
-
Hello Jean-Philippe
here are the answers to your questions:
please check you do not have any config file that could be interpreted and overrule what is in /etc/dehydrated/config in the following places
/usr/local/etc/dehydrated/config
./config (current directory)
/usr/bin/config
-> nothing found
----------------------------------------------
you can hide your email address and account string please. (what is in /etc/dehydrated/accounts/<HERE>/..)
[root@g-server accounts]# dir
[OBF]
[OBF]
----------------------------------------------
[root@g-server ~]# dehydrated -e
# dehydrated configuration
# INFO: Using main config file /etc/dehydrated/config
declare -- CA="https://acme-v02.api.letsencrypt.org/directory"
declare -- LICENSE=""
declare -- CERTDIR="/etc/dehydrated/certs"
declare -- CHALLENGETYPE="http-01"
declare -- DOMAINS_D=""
declare -- DOMAINS_TXT="/etc/dehydrated/domains.txt"
declare -- HOOK="/usr/bin/hook-script.sh"
declare -- HOOK_CHAIN="no"
declare -- RENEW_DAYS="30"
declare -- ACCOUNT_KEY="/etc/dehydrated/accounts/[OBF]/account_key.pem"
declare -- ACCOUNT_KEY_JSON="/etc/dehydrated/accounts/[OBF]/registration_info.json"
declare -- KEYSIZE="4096"
declare -- WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
declare -- PRIVATE_KEY_RENEW="yes"
declare -- OPENSSL_CNF="/etc/pki/tls/openssl.cnf"
declare -- CONTACT_EMAIL="*@*.ch"
declare -- LOCKFILE="/etc/dehydrated/lock"
I hope it helps
thank you
umbi
-
You did not return the result of
rpm -q dehydrated
The next possible issue is that you have an outdated version.
NB: I split the topic from where you posted.
-
Sorry here it is:
[root@g-server accounts]# rpm -q dehydrated
dehydrated-0.6.5-13.el6.fws.noarch
I'll add the information that when the certs stopped working, I tried to do what reetP told me under this post:
https://forums.contribs.org/index.php/topic,54276.msg284403.html#msg284403
Now I see that all his comments are deleted.
----------
Other information is that years ago I installed both contribs:
smeserver-letsencrypt + dehydrated
It worked under V1 for years.
Maybe it helps.... I hope so.
Thank you very much
Umbi
-
please try the following (I see you are in an accounts directory, which I presume is /etc/dehydrated/accounts; I really want you to get away from there and really be in root's home when running dehydrated, I have already seen weird behaviours when in some paths)
cd
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
bash -xv dehydrated --register --accept-terms 2>&1 | tee -a dehydrated.log
then post the output removing sensitive data first
-
thank you
with the last command line I get this:
[root@g-server ~]# bash -xv dehydrated --register --accept-terms 2>&1 | t ee -a dehydrated.log
module () { eval `/usr/bin/modulecmd bash $*`
}
dehydrated: dehydrated: is a directory.
[root@goldstar-server ~]#
when I put tee -a dehydrated.log the terminal no longer responds
-
cd
mv dehydrated dehydrated.old
rm -rf /etc/dehydrated/accounts/* /etc/dehydrated/certs/* /etc/dehydrated/chains/*
config setprop letsencrypt API 2
expand-template /etc/dehydrated/config
expand-template /etc/dehydrated/domains.txt
expand-template /usr/bin/hook-script.sh
bash -xv /usr/bin/dehydrated --register --accept-terms 2>&1 | tee -a dehydrated.log
-
ok, I got a big log file....
masking the sensitive data takes a few minutes....
-
Jean-Philippe
the log file is bigger than 20k characters... I sent it to you with the forum's mail function
-
From what I have received (the beginning is missing),
you did not use the staging test CA but the v2 one:
CA=https://acme-v02.api.letsencrypt.org/directory
you successfully registered
+ echo '+ Registering account key with ACME server...'
+ echo '+ Fetching account ID...'
+ echo '+ Done!'
+ Done!
+ exit 0
so you now have an active account and you just have to do the following (yes, I want you in root's home)
cd
/usr/bin/dehydrated -c
just to check
ll /root/config
and
whereis dehydrated
-
Hi Jean-Philippe
cd
/usr/bin/dehydrated -c
gives me this:
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://de*-ver*.ch/.well-known/acme-challenge/GaM1p7****************xNo9K_y_9U7Onw [81.6.*.*]: \"\u003c!DOCTYPE HTML PUBLIC \\\"-//IETF//DTD HTML 2.0//EN\\\"\u003e\\n\u003chtml\u003e\u003chead\u003e\\n\u003ctitle\u003e403 Forbidden\u003c/title\u003e\\n\u003c/head\u003e\u003cbody\u003e\\n\u003ch1\u003eForbidden\u003c/h1\u003e\\n\u003cp\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/125*****39/xYL8Ig",
"token": "GaM1p7********************xNo9K_y_9U7Onw",
"validationRecord": [
{
"url": "http://de*-ver*.ch/.well-known/acme-challenge/GaM1p**************_y_9U7Onw",
"hostname": "de*-ver*.ch",
"port": "80",
"addressesResolved": [
"81.6.*.*"
],
"addressUsed": "81.6.*.*"
}
],
"validated": "2021-04-22T20:20:19Z"
})
[root@g-server ~]#
It looks like the problem is now at the domains and not at the hosts...
My fear is that they block me if I make many tries.
-------
ll /root/config
**** not existing ****
--------
[root@g-server ~]# whereis dehydrated
dehydrated: /usr/bin/dehydrated /etc/dehydrated /usr/local/bin/dehydrated
Thank you very, very much; I guess we are getting nearer to the solution....
-
403 Forbidden
that is why
"addressUsed": "81.6.*.*"
I guess you checked this is really your ip
"Invalid response from http://de*-ver*.ch/.well-known/acme-challenge/GaM1p7****************xNo9K_y_9U7Onw [81.6.*.*]
Is your ibay configured to force SSL connections?
Is the Primary ibay configured to force SSL connections (if the domain is not linked to the Primary ibay)?
You have to allow non-SSL connections on the /.well-known/acme-challenge path, meaning you need to disable forced SSL connections on the Primary ibay. If an important site is there I suggest moving it to another ibay.
Finally, is the ibay password protected?
-
Hi Jean-Philippe
I'm really grateful for your help.
- The master domain of the server points to the "primary i-bay" and was SSL forced; now I have it disabled,
but in .htaccess there is a rewrite rule with goto https. I think that should not be a problem.
- The primary directory is not password protected.
Should I better go to test mode to retry with etc/dehydrated -c?
I'm scared that I'll hit the try limits...
umbi
-
The classic test is as follows:
echo "pk" > /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/testme
then try to reach it at
http://myserver.ch/.well-known/acme-challenge/testme
from the internet. Your phone on LTE might be your friend there.
When you get correct access you can proceed and delete the test file:
rm /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/testme
An https redirection should not be a problem according to the Let's Encrypt website...
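The two checks Jean-Philippe asks for in this thread, every name in domains.txt pointing at the server's current IP (so failed validations do not eat the rate limit) and the testme file being fetchable over plain http from outside, can be scripted so they run before every dehydrated -c. The script below is an added example; it is not code from this thread nor from the smeserver-letsencrypt or dehydrated contribs. It assumes the paths from the /etc/dehydrated/config shown earlier in the thread, uses icanhazip.com to learn the public IP (swap in whatever you trust), and the function names (resolve_a, public_ip, http_probe, check_name, preflight) are its own. It follows redirects the way the validator does, so a rewrite to a www. host that has no A record is caught before Let's Encrypt sees it.

```bash
#!/bin/bash
# Pre-flight for dehydrated http-01 validation on SME Server.
# Added example: not part of the forum thread or of the smeserver-letsencrypt
# contrib. For every host name in domains.txt it checks that
#   1. the name has an A record and it is this server's public IP, and
#   2. a test token written into WELLKNOWN comes back over plain http,
#      following redirects, and that any redirect target also resolves
#      (a redirect to a host without an A record is what Let's Encrypt
#      reports as "DNS problem: NXDOMAIN").
# Names that FAIL should be taken out of domains.txt before running
# 'dehydrated -c', because failed validations count against the rate limits.

DOMAINS_TXT="${DOMAINS_TXT:-/etc/dehydrated/domains.txt}"
WELLKNOWN="${WELLKNOWN:-/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge}"

# --- thin wrappers around the network, so the logic can be dry-run ---------

# First IPv4 address of a host name; prints nothing on NXDOMAIN.
resolve_a() {
    getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }'
}

# This server's public IPv4 address (assumed helper: asks icanhazip.com;
# replace with whatever your provider offers).
public_ip() {
    curl -4 -s --max-time 10 https://icanhazip.com 2>/dev/null | tr -d '[:space:]'
}

# GET a URL following up to 5 redirects, like the Let's Encrypt validator.
# Prints one line: "<http_code> <final_url> <first line of body>".
http_probe() {
    local tmp code_url
    tmp=$(mktemp) || return 1
    code_url=$(curl -sS -4 -L --max-redirs 5 --max-time 15 -o "$tmp" \
                    -w '%{http_code} %{url_effective}' "$1" 2>/dev/null) \
        || code_url="000 $1"
    printf '%s %s\n' "$code_url" "$(head -n 1 "$tmp" | tr -d '\r')"
    rm -f "$tmp"
}

# Host part of a URL: http://host[:port]/path -> host
url_host() {
    local h="${1#*://}"
    h="${h%%/*}"
    printf '%s\n' "${h%%:*}"
}

# Check one name. Prints an OK/FAIL line and returns 0/1.
check_name() {
    local name=$1 token=$2 myip=$3
    local ip probe code final body fhost
    ip=$(resolve_a "$name")
    if [ -z "$ip" ]; then
        echo "FAIL $name: no A record (NXDOMAIN), remove it from domains.txt"
        return 1
    fi
    if [ "$ip" != "$myip" ]; then
        echo "FAIL $name: resolves to $ip, not this server ($myip)"
        return 1
    fi
    probe=$(http_probe "http://$name/.well-known/acme-challenge/$token")
    read -r code final body <<<"$probe"
    fhost=$(url_host "$final")
    if [ "$fhost" != "$name" ] && [ -z "$(resolve_a "$fhost")" ]; then
        echo "FAIL $name: redirected to $final but $fhost has no A record (check .htaccess)"
        return 1
    fi
    if [ "$code" != "200" ]; then
        echo "FAIL $name: HTTP $code from $final (forced SSL, password or redirect on the ibay?)"
        return 1
    fi
    if [ "$body" != "$token" ]; then
        echo "FAIL $name: challenge URL served something other than the token"
        return 1
    fi
    echo "OK   $name -> $ip"
}

# Walk domains.txt (one certificate per line, names separated by blanks,
# optional '> alias'; '#' starts a comment) and check every name.
# Returns 0 when all names pass, 1 when at least one would fail.
preflight() {
    local file=${1:-$DOMAINS_TXT} myip token fails=0 line name
    myip=$(public_ip)
    [ -n "$myip" ] || { echo "could not determine public IP" >&2; return 2; }
    token="preflight-$(date +%s)-$$"
    mkdir -p "$WELLKNOWN" && printf '%s\n' "$token" > "$WELLKNOWN/$token" || return 2
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}          # drop comments
        line=${line%%>*}          # drop '> alias'
        for name in $line; do
            check_name "$name" "$token" "$myip" || fails=$((fails + 1))
        done
    done < "$file"
    rm -f "$WELLKNOWN/$token"
    echo "$fails name(s) would fail validation"
    [ "$fails" -eq 0 ]
}

# Usage: bash preflight.sh --run [/path/to/domains.txt]
if [ "${1:-}" = "--run" ]; then
    preflight "${2:-$DOMAINS_TXT}"
fi
```

Run it as root from /root (bash preflight.sh --run) right before dehydrated -c; anything reported as FAIL should be disabled in the letsencrypt DB per the wiki and the domains.txt template re-expanded, not retried against the CA. The three wrappers (resolve_a, public_ip, http_probe) are separate so the decision logic can be exercised without network access.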
-
Sorry for the late answer, I had to put my son to bed :-)
OK, first I pointed the server's main domain to the "primary i-bay" and it did not work. Auth. cert. error.
Then I pointed the server's main domain to another i-bay and the result is:
Forbidden
You don't have permission to access /.well-known/acme-challenge/testme on this server, because the file is not there. But it's best to point to primary, isn't it?
db accounts show Primary
Primary=ibay
AllowOverride=All
CgiBin=enabled
FollowSymLinks=enabled
Group=shared
Modifiable=no
Name=Primary i-bay
PasswordSet=no
Passwordable=no
PublicAccess=global
Removable=no
SSL=enabled
UserAccess=wr-*-rd-group
i did:
db accounts setprop Primary SSL disabled
[root@g-server ~]# signal-event console-save
and now it is accessible...
I'm waiting for your OK to retry
cd
/usr/bin/dehydrated -c
in test mode or in enabled mode?
Umbi
-
Again, I said SSL should be disabled on primary,
or you need an effective redirection to https for the well-known path.
As soon as the robot hits a 403 it will fail.
-
No no, I did
db accounts setprop Primary SSL disabled
[root@g-server ~]# signal-event console-save
and your file is accessible under http:// without problems.
My question is only: should I go to test mode for requesting the certificate, or should I run dehydrated -c in production mode?
-
I tried to get the certificate but failed again :-(
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:dns",
"detail": "Fetching http://www.g-server.domain.ch/.well-known/acme-challenge/uOwts6q_******_KrK-jBU: DNS problem: NXDOMAIN looking up A for www.g-server.domain.ch - check that a DNS record exists for this domain",
"status": 400
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/125*****865/_vV3Vw" ,
"token": "uOwts6q_yF*******J1oNB_KrK-jBU",
"validationRecord": [
{
"url": "http://g-server.domain.ch/.well-known/acme-challenge/uOwts6q_yFo8u*****NB_KrK-jBU",
"hostname": "g-server.domain.ch",
"port": "80",
"addressesResolved": [
"81.6.*.*"
],
"addressUsed": "81.6.*.*"
}
],
"validated": "2021-04-22T22:33:51Z"
})
[root@gserver ~]#
-----
Why is it now trying to fetch from "http://www.g-server.domain.ch", with "www"?
Maybe caused by the .htaccess that forces www in primary?
I cannot make an A record at my DNS service now, because the e-mail for the validation login is not working because of the certificate trouble on the server.
I can't get any mails at the moment.
Thank you in advance for your help.
Umbi
-
I started by asking you to check the content of domains.txt. It will fetch all of them.
Please review the content and follow the wiki page to disable the hosts (www, mail...) and domains that you do not have actively pointing to your IP.
-
thank you
I did it, and www.g-server.domain.ch is not listed in domains.txt.
It tries to fetch something here:
"type": "urn:ietf:params:acme:error:dns",
"detail": "Fetching http://www.g-server.domain.ch/.well-known/acme-challenge/uOwts6q_
Why? I never put that double host in the server.... Without e-mail access I cannot log in to the DNS service to add the "A" record www.g-server.domain.ch.
I'm lost...
-
Without the full picture and just an isolated error it is hard to help. I can't read crystal balls ;)
Does your .htaccess have a redirection to www? I would wonder why, if your DNS is not pointing to the server. But I am still rather inclined to think the domain really is the one being verified.
As long as you keep giving partial output and obfuscate all domains, we cannot help you more, as this is a DNS / redirection issue.
Finally, you can access your server for mail using a self-signed SSL certificate. You just need to accept it.
-
Hi Jean-Philippe
Thank you for answering me at that hour; I'm now at work for 24h...
Of course
g-server.domain.ch points to my server
www.domain.ch points to my server
but not www.g-server.domain.ch
I can't understand why it says that it needs an "A" record in DNS for www.g-server.domain.ch.
I have now deleted the .htaccess entry which turns domain.ch into www.domain.ch, because it may be that
it also redirects g-server.domain.ch to www.g-server.domain.ch, and that may cause the error 400.
In the past I never changed anything. It is unclear to me why I have to change all these settings in the primary i-bay.
If you find a crystal ball, please send me one too :-)
-
Dear Jean-Philippe
The .htaccess redirection was the smoking gun!!!! :lol:
It works, and I'm the most tired and the happiest guy now.
My domains have a certificate again; you cannot imagine how grateful I am.
When the pandemic is over and you come to Switzerland, I will invite you to the best restaurant.
This is a promise! If you want, we can exchange contacts by PM.
Thank you, thank you, thank you, friend, you had the patience of a rock with me!
I will sleep like a baby now :-)
I wish you all the best and a very good night...
Umbi
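For anyone landing here with the same NXDOMAIN-on-www symptom: the canonical-host redirect does not have to be deleted, it only has to leave the ACME challenge path alone. The fragment below is an added example and not the .htaccess from this thread (that file was never posted); the "before" rule is an assumption about what a typical domain.ch to www.domain.ch rule looks like. It relies on mod_rewrite being active and on AllowOverride=All, which the Primary ibay settings shown above already provide. Keep only the "after" part in the file.

```apache
# Added example, not the .htaccess from the thread.

# --- before (assumed): redirects everything, including
#     /.well-known/acme-challenge/, to https://www.<host>/...
#     The validator follows the redirect, so g-server.domain.ch ends up
#     as www.g-server.domain.ch, which has no A record -> NXDOMAIN.
RewriteEngine On
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# --- after: serve the challenge path untouched, redirect everything else.
#     In .htaccess the pattern is relative to the ibay's html directory;
#     "-" means "no substitution" and [L] stops further rules.
RewriteEngine On
RewriteRule ^\.well-known/acme-challenge/ - [L]
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^ https://www.%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

Note that the redirect to https that SME adds when an ibay has SSL=enabled lives in the generated httpd.conf, not in .htaccess, so that setting still has to stay disabled on the ibay serving the challenge path (as was done earlier in this thread) unless the server's Apache template is customised. After editing, repeat the testme fetch from outside: the challenge URL must answer 200 over plain http with no Location header.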
-
great news!
Have a rest and also take some time with your family.
-
Thanks, I will follow your advice with the family.
Please stay healthy, and my dinner offer still stands.
BTW, the PayPal no. xx is for a beer for you ;-)
I wish you a good rest as well.
umbi