Koozali.org: home of the SME Server
Contribs.org Forums => Koozali SME Server 10.x Contribs => Topic started by: CMCGREGOR10 on February 14, 2023, 12:00:25 AM
-
Hi everyone,
Really looking for some guidance in regards to SSL and Let's Encrypt. I have tried following the instructions, etc., but I believe it is working and still coming up as self-signed. I may have screwed things
My server is in server-only mode
Here are some details if anyone can assist that would be great. Missionbmx is a Shopify store also, our main domain is oceaniacycles and the others are old domains not in use but to catch any stray old emails.
Thanks
modSSL=service
CipherSuite=ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
CommonName=mail.oceaniacycles.com.au
TCPPort=443
access=public
status=enabled
# INFO: Using main config file /etc/dehydrated/config
Processing oceaniacycles.com.au with alternative names: fujibikes.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au missionbmx.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au oceaniabikes.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au oceaniacycles.com.au ftp.fujibikes.com.au ftp.missionbmx.com.au ftp.oceaniabikes.com.au ftp.oceaniacycles.com.au linux.fujibikes.com.au mail.missionbmx.com.au mail.oceaniabikes.com.au mail.oceaniacycles.com.au proxy.fujibikes.com.au proxy.missionbmx.com.au proxy.oceaniabikes.com.au proxy.oceaniacycles.com.au wpad.fujibikes.com.au wpad.missionbmx.com.au wpad.oceaniabikes.com.au wpad.oceaniacycles.com.au www.fujibikes.com.au www.missionbmx.com.au www.oceaniabikes.com.au www.oceaniacycles.com.au
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 24 authorizations URLs from the CA
+ Handling authorization for ftp.missionbmx.com.au
+ Handling authorization for ftp.oceaniabikes.com.au
+ Handling authorization for ftp.oceaniacycles.com.au
+ Handling authorization for fujibikes.com.au
+ Handling authorization for linux.fujibikes.com.au
+ Handling authorization for mail.missionbmx.com.au
+ Handling authorization for mail.oceaniabikes.com.au
+ Handling authorization for mail.oceaniacycles.com.au
+ Handling authorization for missionbmx.com.au
+ Handling authorization for oceaniabikes.com.au
+ Handling authorization for oceaniacycles.com.au
+ Handling authorization for proxy.fujibikes.com.au
+ Handling authorization for proxy.missionbmx.com.au
+ Handling authorization for proxy.oceaniabikes.com.au
+ Handling authorization for proxy.oceaniacycles.com.au
+ Handling authorization for wpad.fujibikes.com.au
+ Handling authorization for wpad.missionbmx.com.au
+ Handling authorization for wpad.oceaniabikes.com.au
+ Handling authorization for wpad.oceaniacycles.com.au
+ Handling authorization for www.fujibikes.com.au
+ Handling authorization for www.missionbmx.com.au
+ Handling authorization for www.oceaniabikes.com.au
+ Handling authorization for www.oceaniacycles.com.au
+ Handling authorization for ftp.fujibikes.com.au
+ 24 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for ftp.missionbmx.com.au authorization...
+ Cleaning challenge tokens...
+ Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: ["type"] "http-01"
["status"] "invalid"
["error","type"] "urn:ietf:params:acme:error:dns"
["error","detail"] "DNS problem: NXDOMAIN looking up A for ftp.missionbmx.com.au - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for ftp.missionbmx.com.au - check that a DNS record exists for this domain"
["error","status"] 400
["error"] {"type":"urn:ietf:params:acme:error:dns","detail":"DNS problem: NXDOMAIN looking up A for ftp.missionbmx.com.au - check that a DNS record exists for this domain; DNS problem: NXDOMAIN looking up AAAA for ftp.missionbmx.com.au - check that a DNS record exists for this domain","status":400}
["url"] "https://acme-v02.api.letsencrypt.org/acme/chall-v3/202141128416/XCmyIg"
["token"] "PnWm1HIcE7s6F2xoDj1_8qIcmEgqPltT3DYH-ndhltY"
["validated"] "2023-02-13T21:43:25Z")
-
Use test mode so you don't get rate limited.
Fix your DNS here:
looking up A for ftp.missionbmx.com.au - check that a DNS record exists for this domain;
-
Server only mode - ensure required ports are forwarded from your router
-
Thanks, I will look at that also. As I narrowed down the domains, I am now getting another issue which could be firewall related.
-
You have your answer in the error message, as pointed out by reetp.
I would emphasize also that you probably have not configured all those subdomains to point to your server (e.g. wpad, ftp, proxy…), and hence configuring Let's Encrypt to try to validate all those subdomains/hosts is a recipe for failure. Please reread the wiki page to only enable the domains and hosts you need and that are actually configured to point toward your server at your DNS provider.
-
Thanks, I have narrowed down to the one domain/host and have an issue with the firewall which I need to sort out with the port.
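The advice above boils down to one pre-flight check: every name in the order must publicly resolve to this server before dehydrated is run, because Let's Encrypt fails the whole order on the first NXDOMAIN (and every failed attempt against production counts toward the rate limits). The script below is an added example written for this thread, not SME Server or dehydrated code. It parses a dehydrated "Processing ... with alternative names:" line, resolves each name, and reports which ones should be left disabled. The sample line, the fake DNS table and the 203.0.113.x / 198.51.100.x addresses are constructed for the demonstration; `lookup` is injectable so the check runs offline.

```python
# Added example (not SME Server or dehydrated code): resolve every name an ACME
# order will include before running dehydrated, so names that return NXDOMAIN
# or point at another host are pruned instead of failing the whole order.
import socket

def parse_processing_line(line):
    """Extract primary + alternative names from a dehydrated
    'Processing X with alternative names: a b c ...' line, de-duplicated."""
    head, _, tail = line.partition(" with alternative names:")
    primary = head.split("Processing", 1)[1].strip()
    return list(dict.fromkeys([primary] + tail.split()))

def resolve(name):
    """Return the set of A/AAAA addresses for name; empty set on NXDOMAIN."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def classify(names, public_ip, lookup=resolve):
    """Split names into (ok, wrong_target, nxdomain) relative to public_ip.
    lookup is injectable so the check can run offline against fake DNS data."""
    ok, wrong, missing = [], [], []
    for name in names:
        addrs = lookup(name)
        if not addrs:
            missing.append(name)          # http-01 will fail with NXDOMAIN
        elif public_ip in addrs:
            ok.append(name)               # safe to request
        else:
            wrong.append(name)            # CA would contact some other host
    return ok, wrong, missing

# Constructed sample: a trimmed version of the Processing line from the thread
# and a fake DNS table (documentation-range addresses, not the real records).
SAMPLE_LINE = ("Processing oceaniacycles.com.au with alternative names: "
               "mail.oceaniacycles.com.au ftp.missionbmx.com.au "
               "www.oceaniacycles.com.au mail.oceaniacycles.com.au")
FAKE_DNS = {"oceaniacycles.com.au": {"203.0.113.10"},
            "mail.oceaniacycles.com.au": {"203.0.113.10"},
            "www.oceaniacycles.com.au": {"198.51.100.7"}}

if __name__ == "__main__":
    names = parse_processing_line(SAMPLE_LINE)
    ok, wrong, missing = classify(names, "203.0.113.10",
                                  lambda n: FAKE_DNS.get(n, set()))
    print("request only:", " ".join(ok))
    print("points elsewhere:", wrong, "| NXDOMAIN (would fail):", missing)
```

Replace the lambda with the default `resolve` (or run `classify(names, your_public_ip)`) to check the live DNS for the real list; only the names in `ok` should have Let's Encrypt enabled on the server.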