PHABRICATOR on NS


(Nitram Oneito) #121


Domains

Failed authorization procedure. sub.domain.tld (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sub.domain.tld/.well-known/acme-challenge/CswmQ5QUFFKOv48jpo71ja-OYunnmumLQpyYG84bjz8: "<!DOCTYPE html><html><head><meta charset="UTF-8" /><title>Login</title><meta name="viewport" content="width=device-width, initia"

That's the error I am getting. This is when I go to SSL certs, then request SSL via the same method.

What is this acme-dns thing?


(Dan) #122

https://wiki.nethserver.org/doku.php?id=userguide:let_s_encrypt_acme-dns

Note that you only need one installation of acme-dns for any Neth or other servers you’d want to use it with. I have it installed on my main Neth server, and then all my internal stuff (pfSense, my two Proxmox hosts, my FreeNAS boxes, etc.), as well as my Phab VPS, connect with that instance to do DNS validation.

As to your error, check the virtual host template fragment which should be at /etc/e-smith/templates-custom/etc/httpd/conf.d/virtualhosts.conf/15_phabricator. Does it match what’s in the wiki?


(Nitram Oneito) #123

Either my mind currently is not fit, or something else.
I just got confused on the acme-dns setup…

Question: if a person has multiple domains on different servers for different scenarios, yet has one anycast DNS that is used for all the domains being managed,

does that setup have to be done for each domain for it to work, or is there a way to set up one acme-dns for all domains, if required, at any given point?

Does the below have to be set for each domain?
ns1.acme.example.com A $EXTERNAL_IP
ns2.acme.example.com A $EXTERNAL_IP
acme.example.com NS ns1.acme.example.com
acme.example.com NS ns2.acme.example.com


(Dan) #124

This would probably be better continued in the discussion thread for acme-dns (Acme-dns on Nethserver (now with RPM-y goodness!)), but here’s the overview:

When Let’s Encrypt attempts DNS validation for $FQDN, it looks for a DNS record for _acme-challenge.$FQDN. If there’s a TXT record there, Let’s Encrypt reads the value and determines if validation succeeds or fails. If there’s a CNAME record instead, Let’s Encrypt will follow that CNAME and see what its target says. So, if you have a record of _acme-challenge.$FQDN CNAME somethingelse.acme.$OTHERFQDN, Let’s Encrypt will query somethingelse.acme.$OTHERFQDN for the TXT record.

When you configure acme-dns, you're setting it up as the authoritative DNS server for a subdomain of one of your domains. If you have a domain of example.com, the subdomain is acme.example.com. So the NS records above make ns{1|2}.acme.example.com the authoritative nameservers for that subdomain, and then set your external IP address as the IP address for both of them (it isn't essential to set two nameservers, but it seems to be common practice).

The real magic happens in the CNAME records. The python hook script keeps track of which hostnames already have issued certs. When you request a cert for a hostname that you haven’t previously issued, it will ask you to create a CNAME record for that host, which you’ll only need to do once.

So, no, you don’t need to set the NS records for each domain. Set them for one (pick one, it doesn’t really matter, though I think my module works best if you use your primary domain). Then set CNAME records for all the other hostnames as you need them.
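The lookup chain described in the post above (query `_acme-challenge.$FQDN`, follow the CNAME into the acme-dns subdomain, compare the TXT value), as an added example; this is not code from acme-dns, NethServer or the hook script, and the zone, hostnames, token and account thumbprint it uses are constructed for illustration. It models what the CA does for a dns-01 challenge, including the expected TXT value (base64url of SHA-256 over `token.thumbprint`, RFC 8555 section 8.4), and it handles the failure modes a misconfigured delegation produces: no record, a stale value, and a CNAME loop.

```python
"""ACME dns-01 lookup with acme-dns style CNAME delegation.

Added example, not code from acme-dns, NethServer or the hook script. The zone,
hostnames, token and thumbprint below are constructed for illustration.
"""
import base64
import hashlib
from typing import Callable, Dict, List, Optional, Tuple

# Absolute owner name -> ("CNAME", target) or ("TXT", [values]).
RRSet = Tuple[str, object]
Lookup = Callable[[str], Optional[RRSet]]


def dns01_expected_value(token: str, account_thumbprint: str) -> str:
    """TXT value the CA expects: base64url(SHA-256(keyAuthorization)) without '=' padding."""
    key_authz = f"{token}.{account_thumbprint}".encode("ascii")
    digest = hashlib.sha256(key_authz).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def challenge_name(fqdn: str) -> str:
    """Owner name the CA queries for <fqdn>, as an absolute DNS name."""
    return "_acme-challenge." + fqdn.rstrip(".") + "."


def resolve_challenge_txt(fqdn: str, lookup: Lookup, max_cname_hops: int = 8) -> Tuple[str, List[str]]:
    """Follow CNAMEs from _acme-challenge.<fqdn> to the name that holds the TXT records.

    Returns (final_name, txt_values); txt_values is empty when nothing is published.
    Raises RuntimeError on a CNAME loop or an overly long chain.
    """
    name = challenge_name(fqdn)
    seen = set()
    for _ in range(max_cname_hops):
        if name in seen:
            raise RuntimeError(f"CNAME loop at {name}")
        seen.add(name)
        rrset = lookup(name)
        if rrset is None:
            return name, []              # NXDOMAIN / no data: nothing to validate
        rtype, data = rrset
        if rtype == "CNAME":
            name = data                  # delegation: keep following
            continue
        if rtype == "TXT":
            return name, list(data)
        raise RuntimeError(f"unexpected {rtype} record at {name}")
    raise RuntimeError(f"more than {max_cname_hops} CNAME hops from {challenge_name(fqdn)}")


def dns01_validates(fqdn: str, token: str, thumbprint: str, lookup: Lookup) -> bool:
    """True when one of the TXT values found for <fqdn> matches the expected digest."""
    _, values = resolve_challenge_txt(fqdn, lookup)
    return dns01_expected_value(token, thumbprint) in values


def lookup_error(fqdn: str, lookup: Lookup) -> Optional[str]:
    """Error text for a broken chain (loop, too many hops), or None when the lookup completes."""
    try:
        resolve_challenge_txt(fqdn, lookup)
        return None
    except RuntimeError as exc:
        return str(exc)


# --- constructed demo data: made-up token, thumbprint and zone ---
TOKEN = "vN1cF0tOkEnFr0mTh3CA-n0tAr3alOn3"
THUMBPRINT = "KzJ1aGVkc3RhY2Ntb2RlbGFjY291bnR0aHVtYnByaW50"
EXPECTED = dns01_expected_value(TOKEN, THUMBPRINT)

DEMO_ZONE: Dict[str, RRSet] = {
    # The NS delegation exists once, for acme.example.com; this resolver does not need
    # the NS/A records themselves, so they are not modelled.
    # phab.example.com: CNAME into the acme-dns subdomain, which holds the current value.
    "_acme-challenge.phab.example.com.": ("CNAME", "a1b2c3d4.acme.example.com."),
    "a1b2c3d4.acme.example.com.": ("TXT", [EXPECTED]),
    # nas.example.net: another domain on another server, delegated to the same acme-dns
    # instance, but the hook has not pushed the value for this order yet (stale TXT).
    "_acme-challenge.nas.example.net.": ("CNAME", "e5f6a7b8.acme.example.com."),
    "e5f6a7b8.acme.example.com.": ("TXT", ["value-from-a-previous-renewal"]),
    # mail.example.com: TXT published directly, no delegation at all.
    "_acme-challenge.mail.example.com.": ("TXT", [EXPECTED]),
    # loop.example.com: CNAME pointing at itself, a misconfiguration.
    "_acme-challenge.loop.example.com.": ("CNAME", "_acme-challenge.loop.example.com."),
}


def zone_lookup(name: str) -> Optional[RRSet]:
    """Stand-in for a DNS query against the constructed zone."""
    return DEMO_ZONE.get(name)


if __name__ == "__main__":
    for host in ("phab.example.com", "nas.example.net", "mail.example.com", "nothere.example.com"):
        final, values = resolve_challenge_txt(host, zone_lookup)
        ok = dns01_validates(host, TOKEN, THUMBPRINT, zone_lookup)
        print(f"{host:22} -> {final:42} {'valid' if ok else 'INVALID'} {values}")
    print("loop.example.com       ->", lookup_error("loop.example.com", zone_lookup))
```

The point of the zone layout is the one made in the post: a single NS delegation for acme.example.com, and every other hostname (in any domain) reaches it through its own `_acme-challenge` CNAME. To check a real deployment, replace `zone_lookup` with a resolver call and compare the final name you land on with the subdomain the hook script told you to create.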


(Dan) #125

To summarize my last post, no. Set it for your primary domain. Then, as requested by the hook script, create CNAME records for any other domains you need. You can even bypass installing acme-dns entirely and use the author's test server at https://auth.acme-dns.io (just enter that URL in the hook script instead of your own domain), though that isn't recommended, particularly for long-term use.


(Nitram Oneito) #126

@danb35 I updated my configuration on /etc/e-smith/templates-custom/etc/httpd/conf.d/virtualhosts.conf/15_phabricator .
I was able to successfully renew my Let's Encrypt SSL certificate.

The biggest problem I am facing is that, when I visit that page, I get the default nethserver page, instead of the phabricator login page.


(Nitram Oneito) #127

Anyone there to assist?


(Dan) #128

No clue at all. What is “that page” in the below?


(Nitram Oneito) #129

The link (subdomain) where Phabricator is supposed to have been installed;
the Phabricator login page, that is.


(Nitram Oneito) #130

@danb35 did you understand what I mean?


(Markus Neuberger) #131

To see your virtualhosts configuration and order you may use

httpd -S

Maybe it shows us the error…


(Nitram Oneito) #132

VirtualHost configuration:
*:443 is a NameVirtualHost
default server ns.geniusdynamics.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:23)
port 443 namevhost phab.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:53)
*:80 is a NameVirtualHost
default server phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:41)
port 80 namevhost phab.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:95)
ServerRoot: "/etc/httpd"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/etc/httpd/logs/error_log"
Mutex rewrite-map: using_defaults
Mutex authdigest-client: using_defaults
Mutex ssl-stapling: using_defaults
Mutex proxy: using_defaults
Mutex authn-socache: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/run/httpd/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex proxy-balancer-shm: using_defaults
PidFile: "/run/httpd/httpd.pid"
Define: _RH_HAS_HTTPPROTOCOLOPTIONS
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
User: name="apache" id=48
Group: name="apache" id=48


(Dan) #133

I’m pretty sure the $ shouldn’t be here, or in the other places it’s appearing. Check your template files.
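A small check that automates what the two replies above do by eye with `httpd -S`: report the default server per socket, flag any ServerName that still contains a literal `$` (an e-smith template variable that was never expanded), and flag the same name defined twice on one port, since httpd only ever uses the first definition. This is an added example, not NethServer or Phabricator code; `SAMPLE_DUMP` is constructed from the `httpd -S` output posted above, and on a real server you pipe `httpd -S 2>&1` into the functions instead.

```shell
#!/bin/sh
# Added example (not NethServer's or Phabricator's code): sanity-check an `httpd -S`
# dump. SAMPLE_DUMP is constructed from the output posted in this thread.

SAMPLE_DUMP='VirtualHost configuration:
*:443 is a NameVirtualHost
default server ns.geniusdynamics.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/nethserver.conf:42)
port 443 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/ssl.conf:56)
port 443 namevhost phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:23)
port 443 namevhost phab.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:53)
*:80 is a NameVirtualHost
default server phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost phab.$geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:9)
port 80 namevhost ns.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:41)
port 80 namevhost phab.geniusdynamics.com (/etc/httpd/conf.d/virtualhosts.conf:95)'

# Print "<socket> <default ServerName>" for every NameVirtualHost socket.
# The default vhost is what answers for any Host header that matches nothing else.
default_servers() {
    awk '$2 == "is" && $3 == "a" && $4 == "NameVirtualHost" { sock = $1 }
         $1 == "default" && $2 == "server" { print sock, $3 }'
}

# Print ServerNames that contain a literal "$": a template variable that was never
# expanded, so the vhost can never match a real Host header.
unexpanded_names() {
    awk '($1 == "port" && $3 == "namevhost") || ($1 == "default" && $2 == "server") {
             name = ($1 == "port") ? $4 : $3
             if (index(name, "$") > 0) print name
         }' | sort -u
}

# Print "<port> <ServerName> <count>" for names defined more than once on one port;
# httpd uses the first definition and silently ignores the rest.
duplicate_names() {
    awk '$1 == "port" && $3 == "namevhost" { n[$2 " " $4]++ }
         END { for (k in n) if (n[k] > 1) print k, n[k] }' | sort
}

# Read a dump on stdin, print findings, return 1 if anything looks wrong.
check_vhost_dump() {
    dump=$(cat)
    status=0
    u=$(printf '%s\n' "$dump" | unexpanded_names)
    if [ -n "$u" ]; then
        printf 'unexpanded template variable in ServerName:\n%s\n' "$u"
        status=1
    fi
    d=$(printf '%s\n' "$dump" | duplicate_names)
    if [ -n "$d" ]; then
        printf 'duplicate ServerName on one port (later ones are shadowed):\n%s\n' "$d"
        status=1
    fi
    return $status
}

# Stand-alone run against the constructed sample. On a server: httpd -S 2>&1 | check_vhost_dump
printf '%s\n' "$SAMPLE_DUMP" | default_servers
if printf '%s\n' "$SAMPLE_DUMP" | check_vhost_dump; then
    echo "vhost dump looks clean"
else
    echo "fix the template fragments above, regenerate the config and re-run httpd -S"
fi
```

On the posted dump this reports `phab.$geniusdynamics.com` as unexpanded and `ns.geniusdynamics.com` defined twice on port 443; the unexpanded name is also the default server on port 80, which is consistent with browsers landing on the stock NethServer page instead of the Phabricator vhost.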