Recently it seems like Let's Encrypt won't renew my certs. I don't have any ports blocked; below is what I get when I try to run /usr/libexec/nethserver/letsencrypt-certs:
Challenge failed for domain on all my domain entries.
I tried using letsdebug and it seems to be failing http-01 but I am not sure why, because I can browse to port 80 and get the nethserver splash page.
I have tried researching the issue and have not found something to help.
If you are seeing any 001 LE entries, that's another issue. Remove all LE, then try as below!
Even though the error is shown for ALL Domains when renewing LE, I’ve often noticed it’s only 1-2 Domains blocking, the rest work…
To find out which one is blocking, reduce the LE request to the server itself. If that works, keep on adding domains and renew LE, until you find the Domain blocking (not working)…
Usually the 001 appears when you modify, add, or remove one entry in the list when you renew.
The best is to delete all the domains with a 001 in sub directories: archive, live, and renewal.
Also, delete the same original ones without the 001, because it is those original ones that produce the 001.
Remember the 5/7 rule for the exact same list of entries when renewing.
People try to break the rule by adding or removing one entry, then they get the 001.
Renewals are treated specially: they don’t count against your Certificates per Registered Domain limit, but they are subject to a Duplicate Certificate limit of 5 per week. Exceeding the Duplicate Certificate limit is reported with the error message too many certificates already issued for exact set of domains.
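To make the "5/7 rule" concrete, here is a small model of the duplicate-certificate limit exactly as quoted above. This is an added example, not Let's Encrypt's or certbot's code: it assumes only what the thread states (renewals of the exact same name set are capped at 5 per rolling 7 days, and a set with one name added or removed is not a duplicate), and the issuance history in `main()` is constructed sample data for a placeholder domain.

```python
"""Model the duplicate-certificate limit quoted above (added example, not LE/certbot code)."""
from datetime import datetime, timedelta, timezone

DUPLICATE_LIMIT = 5            # duplicate certificates per exact set of names
WINDOW = timedelta(days=7)     # rolling window the limit applies to


def canonical(names):
    """Reduce a name list to what is compared: case and order do not matter."""
    return frozenset(n.strip().lower().rstrip(".") for n in names)


def duplicates_in_window(history, names, now):
    """Count past issuances of exactly this name set within the last WINDOW.

    history is an iterable of (issued_at, names) pairs; issued_at is an aware datetime.
    """
    key = canonical(names)
    cutoff = now - WINDOW
    return sum(1 for issued_at, issued in history
               if issued_at > cutoff and canonical(issued) == key)


def renewal_allowed(history, names, now):
    """Return (allowed, reason) for a renewal request of this exact name set."""
    n = duplicates_in_window(history, names, now)
    if n >= DUPLICATE_LIMIT:
        return False, ("too many certificates already issued for exact set of domains "
                       f"({n} in the last 7 days)")
    return True, f"{n} duplicate(s) in window, {DUPLICATE_LIMIT - n} left before the limit"


def next_allowed_at(history, names, now):
    """Earliest time a further duplicate of this set would be accepted.

    Knowing this lets you wait instead of "fixing" the list by adding a name,
    which is a different set and so ends up as a separate lineage (the 001
    directories discussed in this thread).
    """
    key = canonical(names)
    cutoff = now - WINDOW
    in_window = sorted(t for t, issued in history
                       if t > cutoff and canonical(issued) == key)
    if len(in_window) < DUPLICATE_LIMIT:
        return now
    # The limit clears once enough of the oldest issuances have aged out of the window.
    return in_window[-DUPLICATE_LIMIT] + WINDOW


def main():
    now = datetime(2024, 5, 21, 23, 10, tzinfo=timezone.utc)
    # Constructed history: the same four names renewed once a day for five days.
    names = ["example.com", "www.example.com", "mail.example.com", "smtp.example.com"]
    history = [(now - timedelta(days=d), names) for d in range(1, 6)]
    print(renewal_allowed(history, names, now))
    print("retry after", next_allowed_at(history, names, now).isoformat())
    # Adding one name is a different set: not a duplicate, but it starts a new lineage.
    print(renewal_allowed(history, names + ["imap.example.com"], now))


if __name__ == "__main__":
    main()
```

Run it as-is to see the sixth renewal of the same set refused while the set with one extra name is accepted; feed `history` from your own `/etc/letsencrypt/archive` timestamps to check a real server.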
Ciao Michel, I'm not seeing any 001 entries at all, and all I have is 4 variants of my main domain, i.e. subdomains like www, mail, smtp.
I’m looking in the /etc/letsencrypt folder where it has the sub directories of archive, live, and renewal.
Also let me note that my config has been working for years, just not sure what broke all of a sudden and it seems like the last time it was able to get a key was 1/21/24 according to the archive folder.
I was wondering if it’s worth wiping and redoing my whole lets encrypt config/installation maybe something became corrupt.
I’m taking a deeper look and it seems like it is saving the challenges just fine to the /var/www/html/.well-known as I am not seeing any errors in that regard, although the acme-challenge directory is empty?
2024-05-21 23:10:33,201:INFO:certbot._internal.plugins.webroot:Using the webroot path /var/www/html for all unmatched domains.
2024-05-21 23:10:33,201:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2024-05-21 23:10:33,202:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2024-05-21 23:10:33,202:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2024-05-21 23:10:33,203:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2024-05-21 23:10:33,203:DEBUG:certbot._internal.plugins.webroot:Creating root challenges validation dir at /var/www/html/.well-known/acme-challenge
2024-05-21 23:10:33,216:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/bvV33ZHOzxcYKMO8oDKtzMH7ml3gYbcm2NiUDmLo1yQ
2024-05-21 23:10:33,222:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/g6d0HNNGaAQIzyq6zDBW_FqlIdXN11EwIsqVELKijhU
2024-05-21 23:10:33,227:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/8_KlPeUmmRsT4_VgVKf9DWevnZQdzpkSs78d0wzPdQc
2024-05-21 23:10:33,233:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/JsLoLghlyLotZSe65tcu3xXLY1P3bHAB5EYflrdvM58
2024-05-21 23:10:33,239:DEBUG:certbot._internal.plugins.webroot:Attempting to save validation to /var/www/html/.well-known/acme-challenge/WklqFXSjbhaLWc3fdRDgDrqV7xtBmZtqYg-Qukq-4nA
2024-05-21 23:10:33,239:INFO:certbot._internal.auth_handler:Waiting for verification…
2024-05-21 23:10:33,334:DEBUG:urllib3.connectionpool:"POST /acme/chall-v3/353813454142/h-wLQw HTTP/1.1" 200 187
2024-05-21 23:10:33,335:DEBUG:acme.client:Received response:
HTTP 200
content-length: 187
cache-control: public, max-age=0, no-cache
strict-transport-security: max-age=604800
server: nginx
connection: keep-alive
link: https://acme-v02.api.letsencrypt.org/directory;rel="index", https://acme-v02.api.letsencrypt.org/acme/authz-v3/353813454142;rel="up"
location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/353813454142/h-wLQw
boulder-requester: 41421720
date: Wed, 22 May 2024 03:10:33 GMT
x-frame-options: DENY
content-type: application/json
replay-nonce: YEjsK0piR6hoM6Bx4kDgG-9gKYXBoGc_rT-FltxV407QOXz_D4Y
If you are using WordPress for your web, try to make an update and see if it will ask you for an FTP password.
If so, that means that the owner of the root web folder has changed. I saw that a few times.
To solve it, I changed user:group to apache:apache.
But since you are using Nginx, I do not know.
A question I have is why there are both certbot and acme used?
It looks like acme received a 200 response, meaning it is OK?
I used acme.sh a few times when testing LOCAL servers and it doesn’t use /etc/letsencrypt.
If you have /etc/letsencrypt, that means you are not using acme.sh.
To display the configuration, try the command: # config show pki
Sorry, but I do not know so much about Let's Encrypt.
I'm not using WordPress or running a website per se; I was using Let's Encrypt for webmail and a few other things on my NethServer. To answer your question regarding certbot and acme, I'm not sure and wasn't aware both were being used. Also, I'm not using nginx; I'm using whatever the default setup of NethServer is, so I'm not sure why it's reading as nginx.
Are there steps to uninstall or redo the Let's Encrypt install on NethServer?
I am not sure, but if I remember well, Nginx is used to store some information about NethServer-7.9.
Anyway, the challenges are still stored in /var/www/html/.well-known/acme-challenge, and all the folders from html to acme-challenge must have apache:apache, which is 48:48, as user:group.
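A way to verify the ownership and permission chain Michel describes, and to confirm a token is actually served on port 80, without switching to the apache user. This is an added example, not NethServer's or certbot's code; it assumes the webroot layout from the log above (/var/www/html/.well-known/acme-challenge) and the 48:48 uid/gid quoted here. The directory check reasons purely from mode bits and ownership, so a root:root 0755 directory passes (httpd only needs the search bit), while a 0700 one is reported.

```python
"""Check the http-01 webroot chain as the web server user would see it (added example)."""
import os
import secrets
import stat
import sys
import urllib.request
from pathlib import Path

WEBROOT = "/var/www/html"   # path shown in the certbot log above
APACHE_UID = 48             # apache:apache as quoted in the thread
APACHE_GID = 48


def _permits(st, uid, gid, user_bit, group_bit, other_bit):
    """Classic Unix access check for (uid, gid) against one stat result."""
    if st.st_uid == uid:
        return bool(st.st_mode & user_bit)
    if st.st_gid == gid:
        return bool(st.st_mode & group_bit)
    return bool(st.st_mode & other_bit)


def check_webroot(webroot=WEBROOT, uid=APACHE_UID, gid=APACHE_GID):
    """Return a list of (path, problem) pairs; empty means uid/gid can reach tokens.

    Every directory from the webroot down to acme-challenge needs the search (x)
    bit for the web server user, otherwise httpd cannot open the token file below it.
    """
    root = Path(webroot)
    problems = []
    for d in (root, root / ".well-known", root / ".well-known" / "acme-challenge"):
        if not d.is_dir():
            problems.append((str(d), "missing directory"))
            break
        st = d.stat()
        if not _permits(st, uid, gid, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH):
            problems.append((str(d), f"not traversable by {uid}:{gid} "
                                     f"(mode {oct(st.st_mode & 0o777)}, "
                                     f"owner {st.st_uid}:{st.st_gid})"))
    return problems


def write_probe(webroot=WEBROOT):
    """Create a token-shaped file (43-char base64url name, mode 0644 like certbot
    writes) in acme-challenge and return its name; the caller removes it afterwards."""
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    token = secrets.token_urlsafe(32)
    path = challenge_dir / token
    path.write_text(token + "\n")
    os.chmod(path, 0o644)
    return token


def fetch_probe(host, token, timeout=5):
    """GET http://host/.well-known/acme-challenge/<token> and return the body text.

    This is the same plain-HTTP request the validation server makes; a timeout
    here points at the firewall or a vhost that does not serve the webroot.
    """
    url = f"http://{host}/.well-known/acme-challenge/{token}"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def main():
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for path, problem in check_webroot():
        print(f"{path}: {problem}")
    token = write_probe()
    try:
        body = fetch_probe(host, token)
        print("served correctly" if body.strip() == token else "served wrong content")
    except OSError as exc:
        print(f"fetch failed: {exc}")
    finally:
        (Path(WEBROOT) / ".well-known" / "acme-challenge" / token).unlink(missing_ok=True)


if __name__ == "__main__":
    main()
```

Run it on the server as root with the public hostname as the argument; a clean directory report plus a timeout from `fetch_probe` separates a permission problem from a network one, which is the distinction the rest of this thread turns on.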
I will double check that and let you know, but as a heads up I was able to create a temp file under acme-challenge and was able to get to it from a web browser.
So I tried the -t -v switches on the command and I get "timeout during connect", which doesn't make sense. I don't think I am blocking anything related to Cloudflare or Let's Encrypt, and I am pretty sure I even tried adding an additional allow rule to my firewall for whatever IP resolved for acme.
I will try to do that but it is weird because it was working fine up until January from what I can tell when the last renewal happened.
And I don't know if my firewall, which is pfSense, is blocking it; I do know I can get to the acme-challenge directory from different devices when I place a test file in there.
I also use Cloudflare but mainly as a DNS server and for Let’s Encrypt DNS challenge.
I didn’t know before that it was possible to use DNS challenge with NethServer-7.9.
But according to the link posted by Markus it is; the next paragraph (DNS Challenges) on his link:
I use DNS challenge with Proxmox ACME module and it is working perfectly.
You can ask a Test or a Production certificate.
It is Cloudflare that receives the challenges.
The server has nothing to do except receiving the certificate and installing it.
With Proxmox ACME, you see the procedure in real time; easy to follow.
If this is not working with your set-up, it means that your server cannot receive/accept the certificate or it cannot install it. Then I would say that the culprit is the firewall.
It cannot be a bad configuration, as you wrote that it was working before and you didn't change anything.
Another way to see the procedure in real time is to install the script .acme.sh.
With this script, you see the challenges being written to Cloudflare, the responses, the display of the certificate and where it is stored.
Yes, I saw about doing DNS challenges as opposed to HTTP, but I would have to set up Cloudflare and do DNS that way. I will dig further and perhaps post in the Let's Encrypt forum as well.
On ACME config page, usually you choose CF (Cloudflare) or a line containing Cloudflare.
Zone ID, Account ID, and API Token are the 3 parameters, plus your email address, to configure the ACME DNS challenge.
So the folder owner was originally root:root and has probably been that way since the beginning, I want to say. I changed the owner and permissions to what you suggested and also restarted httpd, and I'm still having the same issue.