Koozali.org: home of the SME Server

Solved - letsencrypt challenge not completing

DanB35
http://www.familybrown.org
Re: letsencrypt challenge not completing
« Reply #15 on: June 11, 2017, 11:40:28 PM »
Yeah, either way you'll need an alias to point everything to the right filesystem path.  I don't have strong feelings either way, but "the user doesn't need to see it" doesn't seem like a strong reason to move it somewhere else--especially since all that's there are two empty directories.

ReetP
Re: letsencrypt challenge not completing
« Reply #16 on: June 12, 2017, 12:04:53 AM »
I think the scenario I have is like this:

mydomain.co.uk=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
    letsencryptSSLcert=enabled

crm.mydomain.co.uk=domain
    Content=crm
    Description=CRM direct
    Nameservers=localhost
    letsencryptSSLcert=enabled

I think that is done to fool the system into setting the crm ibay as the 'Primary' ibay for that domain, with the correct doc_root etc., so you can go to crm.mydomain.co.uk and not mydomain.co.uk/crm

However, it seems from looking at the config that the port 80 alias for that domain does redirect to 'Primary'

So the suggested change may not affect it.

However, I agree with Dan - I can't see a good enough reason to change it.

Also I don't understand this:

"This would avoid customized chmod or chown on the Primary ibay to prevent apache to read the content of .well-known."

The only 'customisation' is during install (this is in the spec file) and should then not require changing? No one has picked this up before. If it does then it is just a change in the spec file

chmod -R 0775  /home/e-smith/files/ibays/Primary/html/.well-known
chown -R apache:shared /home/e-smith/files/ibays/Primary/html/.well-known

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

mercyh
http://mercyh.org
Re: letsencrypt challenge not completing
« Reply #17 on: June 12, 2017, 12:52:16 AM »
I guess I am a weird duck... I just installed on a second server at another location (these are all many generations of SME old and have been through multiple admins and upgrades with restored backups). Would you believe I got the same error? Some former website designer had installed WordPress on this one and redirected the primary domain to another ibay. He had either used the primary ibay as a personal storage space or for some kind of testing, and made himself the owner and used his user as the group on the HTML folder... I think the suggestion of fixing the ownership with the script is ok but might risk breaking someone's non-standard usage of that location...

Jean-Philippe Pialasse (aka Unnilennium)
http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #18 on: June 12, 2017, 02:09:21 AM »
Yeah, either way you'll need an alias to point everything to the right filesystem path.  I don't have strong feelings either way, but "the user doesn't need to see it" doesn't seem like a strong reason to move it somewhere else--especially since all that's there are two empty directories.
Well, it was only a polite way of saying: prevent the user from messing with the validation folder, like here for instance by playing with the rights of a parent folder on the filesystem.
Furthermore, this is not a place where a user is supposed to do anything manually, like for instance the apache icon folder or the phpmyadmin contrib... so keeping it out of the user sandbox in /home/e-smith/files is a way to avoid a mess and keep things just working.

It is pretty frequent people will start messing with chown and chmod in ibays....


Jean-Philippe Pialasse (aka Unnilennium)
http://smeserver.pialasse.com
Re: letsencrypt challenge not completing
« Reply #19 on: June 12, 2017, 02:19:18 AM »
I think the scenario I have is like this:

mydomain.co.uk=domain
    Content=Primary
    Description=Primary domain
    Nameservers=localhost
    Removable=no
    SystemPrimaryDomain=yes
    letsencryptSSLcert=enabled

crm.mydomain.co.uk=domain
    Content=crm
    Description=CRM direct
    Nameservers=localhost
    letsencryptSSLcert=enabled

I think that is done to fool the system to set the crm ibay as the 'Primary' ibay for that domain with the correct doc_root etc so you can go to crm.mydomain.co.uk and not mydomain.co.uk/crm

However, it seems from looking at the config that the port 80 alias for that domain does redirect to 'Primary'

So the suggested change may not affect it.

However, I agree with Dan - I can't see a good enough reason to change it.

Also I don't understand this :

"This would avoid customized chmod or chown on the Primary ibay to prevent apache to read the content of .well-known."

The only 'customisation' is during install (this is in the spec file) and should then not require changing? No one has picked this up before. If it does then it is just a change in the spec file

chmod -R 0775  /home/e-smith/files/ibays/Primary/html/.well-known
chown -R apache:shared /home/e-smith/files/ibays/Primary/html/.well-known

The thing is that apache will not be able to access the folder as soon as somebody plays with the folder or any parent folder. Let's say I do not use the primary folder, so I decided to chmod go-rwx /home/e-smith/files/ibays/Primary/html to prevent users from sneaking in there. Then apache is not able to serve .well-known anymore, even if its rights and ownership are right, just because the parent directory does not let it in.

Again, this was a very easy and convenient way to put it there when developing the contrib, but this is not the best place: would you put the apache icon folder in Primary? Would you put the folder of phpmyadmin and the one of phpldapadmin? Yea, it could work there, but it has no need to be in the way of what should be the primary website. It would quickly start to be messy, and you never know what subtlety the webmaster or admin will have the idea to do:
- deleting the folder
- messing with the rights
- messing with the parent directory rights
- hacking the content if any
- let your imagination get wild for more possibilities...
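The failure mode Jean-Philippe describes (apache owns .well-known with the right mode, yet cannot serve it because a parent directory lost its execute bit) is easy to diagnose by walking the path component by component. The following script is an added example for this thread, not code from the letsencrypt contrib or from SME Server; it assumes GNU or busybox `stat -c` and `id -Gn`, and the user name `apache` and the ibay path are taken from the thread. It judges each directory by the permission class (owner, group or other) that applies to the given user, so it has to be run for the web server's user, not for root, which ignores the bits anyway.

```shell
#!/bin/sh
# Walk every directory leading to an ACME challenge file and report the first
# component that USER (normally apache) cannot traverse, or the file itself if
# USER cannot read it. Pure permission-bit logic: root ignores the bits, so
# run it for the web server's user, never for root.
# Assumes GNU or busybox `stat -c` and `id -Gn` (e.g. a CentOS-based SME Server).

# in_list NEEDLE WORD... -> 0 if NEEDLE is one of the WORDs
in_list() {
  needle=$1; shift
  for w in "$@"; do [ "$w" = "$needle" ] && return 0; done
  return 1
}

# has_bit USER GROUPS PATH BIT -> 0 if USER has permission BIT (4=r, 2=w, 1=x)
# on PATH, judged by the class (owner, group or other) that applies to USER.
has_bit() {
  user=$1; groups=$2; p=$3; bit=$4
  info=$(stat -c '%U %G %a' "$p" 2>/dev/null) || return 1
  set -- $info
  owner=$1; group=$2; mode=$3
  while [ ${#mode} -lt 3 ]; do mode=0$mode; done
  mode=${mode#"${mode%???}"}   # keep the rwx digits, drop setuid/setgid/sticky
  if [ "$owner" = "$user" ]; then
    digit=${mode%??}
  elif in_list "$group" $groups; then
    digit=${mode#?}; digit=${digit%?}
  else
    digit=${mode#??}
  fi
  [ $((digit & bit)) -ne 0 ]
}

# acme_path_check USER PATH -> 0 if USER can reach and read PATH; otherwise
# prints the blocking component and returns 1.
acme_path_check() {
  user=$1; target=$2
  groups=$(id -Gn "$user" 2>/dev/null) || { echo "unknown user: $user"; return 2; }
  has_bit "$user" "$groups" / 1 || { echo "BLOCKED: / (no execute bit for $user)"; return 1; }
  cur=/
  old_ifs=$IFS; IFS=/; set -- $target; IFS=$old_ifs
  for comp in "$@"; do
    [ -n "$comp" ] || continue
    cur=${cur%/}/$comp
    if [ -d "$cur" ]; then
      # a directory only needs the execute (search) bit to be passed through
      has_bit "$user" "$groups" "$cur" 1 || { echo "BLOCKED: $cur (no execute bit for $user)"; return 1; }
    else
      # the challenge file itself must be readable
      has_bit "$user" "$groups" "$cur" 4 || { echo "BLOCKED: $cur (not readable by $user)"; return 1; }
    fi
  done
  echo "OK: $user can reach $target"
}

# Usage (path from the thread, token name is a placeholder):
#   sh acme_path_check.sh apache /home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge/TOKEN
if [ $# -eq 2 ]; then acme_path_check "$1" "$2"; fi
```

With the `chmod go-rwx .../Primary/html` from the post in place, the script stops at `html` and names it, even though `.well-known` below it still carries 0775 and apache:shared; that is exactly the case the chmod/chown in the spec file cannot repair, because they never touch the parent.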

mercyh
http://mercyh.org
Re: letsencrypt challenge not completing
« Reply #20 on: June 12, 2017, 06:38:04 AM »
I would like to make this comment about the letsencrypt contrib. This work is very beneficial to the koozali project. I want to give the contrib devs a huge thumbs up and would encourage inclusion into the base code as soon as is reasonable.

ReetP
Re: letsencrypt challenge not completing
« Reply #21 on: June 12, 2017, 11:03:03 AM »
- let your imagination get wild for more possibilities...

I have no imagination. Regrettably you cannot allow for every user scenario. They often do the strangest of things.

When I wrote the contrib you all had the opportunity to comment on this sort of thing, and no one did.

Please go ahead and do whatever you want - I'm well beyond caring on this.

mercyh
http://mercyh.org
Re: letsencrypt challenge not completing
« Reply #22 on: June 12, 2017, 06:19:22 PM »
@ReetP,

Your work goes well beyond my technical abilities. I thank you for allowing me to get away from self signed certificates with an easy install and a few simple settings. I think we have two options here.

#1. change the contrib to relocate the /.well-known paths to a location that is not likely to be tampered with by some ignoramus like myself....

#2. document the issue in the wiki with the exact errors that show and the chown and chmod commands to set all folders in the path to correct ownership and rights.


I am capable of doing the second part but not the first. Would you like me to add to the wiki under the troubleshooting section? Would some of the rest of you be willing to look over my documentation to be sure I do not have it incorrect?

One other issue that would be a possible addition to the wiki is that the following command:

config setprop letsencrypt configure all
will likely cause cert generation to fail. When adding a domain, SME automatically adds the ftp., proxy. and wpad. hostnames; many folks will not actually point public DNS A records at these names. If so, the challenge comes back incomplete and the cert is not issued.


Royce
« Last Edit: June 12, 2017, 06:25:32 PM by mercyh »
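Royce's point above (auto-created hostnames with no public A record make the whole order fail) can be caught before asking Let's Encrypt for anything. The script below is an added example for this thread, not part of the letsencrypt contrib or of SME Server: it takes the address the ACME servers should reach over port 80, builds the hostname list the post describes (bare domain plus ftp., proxy. and wpad.), resolves each name and lists the ones that would come back incomplete. The domain and addresses in the usage line are constructed placeholders, and the suggestion to take the real list from `db hosts show` is an assumption about the SME configuration database.

```shell
#!/bin/sh
# Pre-flight for HTTP-01: every hostname that will be on the certificate must
# resolve to an address the ACME server can reach over port 80, otherwise the
# challenge for that name comes back incomplete and no certificate is issued.

# resolve_host HOST -> prints the addresses HOST resolves to, one per line.
# Uses the libc resolver (hosts file, then DNS); run it from outside the LAN or
# against a public resolver, because a local /etc/hosts entry hides the problem.
resolve_host() {
  getent hosts "$1" | awk '{print $1}'
}

# sme_hostnames DOMAIN -> the names SME Server creates for a domain: the bare
# domain plus the ftp., proxy. and wpad. hosts mentioned in the thread.
# Assumption: on a real box take the authoritative list from `db hosts show`.
sme_hostnames() {
  printf '%s\n' "$1" "ftp.$1" "proxy.$1" "wpad.$1"
}

# unresolved_hostnames EXPECTED_IP HOST... -> prints each HOST that does not
# resolve to EXPECTED_IP. Returns 0 when all hosts are fine, 1 otherwise.
unresolved_hostnames() {
  expected=$1; shift
  rc=0
  for h in "$@"; do
    addrs=$(resolve_host "$h" | tr '\n' ' ')
    case " $addrs" in
      *" $expected "*) ;;
      *) echo "$h"; rc=1 ;;
    esac
  done
  return $rc
}

# Usage (constructed values): sh acme_dns_check.sh 203.0.113.10 mydomain.co.uk
if [ $# -eq 2 ]; then
  if unresolved_hostnames "$1" $(sme_hostnames "$2"); then
    echo "all hostnames for $2 resolve to $1"
  else
    echo "the names above do not resolve to $1: drop them from the certificate or fix public DNS"
  fi
fi
```

Any name the script prints either needs a public A record pointing at the server or must be left out of the certificate request; with `configure all` there is no middle ground, since one incomplete challenge fails the whole order.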

Stefano
Re: letsencrypt challenge not completing
« Reply #23 on: June 12, 2017, 06:40:01 PM »
Royce, go for the wiki, thank you

ReetP
Re: letsencrypt challenge not completing
« Reply #24 on: June 12, 2017, 08:19:25 PM »
Royce,

the simple answers are

Always test first
Read comprehensively
Don't make assumptions
Follow the SME way. Use the built in stuff where possible and expect issues if you do non standard stuff. If you take over a server, understand it completely before you dive in, and expect the unexpected!

:-)

I am no coder. I did what I could and it works for me, but comes with no warranty.

It needs a greater mind than mine to do more. It is now in SME CVS so anyone can jump in.

Rgds
John

mercyh
http://mercyh.org
Re: letsencrypt challenge not completing
« Reply #25 on: June 12, 2017, 08:38:15 PM »
:cool:

yep, so I am going to give everyone more to read... :)


ReetP
Re: letsencrypt challenge not completing
« Reply #26 on: June 12, 2017, 09:11:16 PM »
:cool:

yep, so I am going to give everyone more to read... :)

Good man.....

mercyh
http://mercyh.org
Re: letsencrypt challenge not completing
« Reply #27 on: June 13, 2017, 06:14:37 AM »
Hey guys,

If you could do a quick proof read of the wiki changes at https://wiki.contribs.org/Letsencrypt#Errors, I would appreciate it. I would hate to steer somebody totally wrong...


gwag
Re: letsencrypt challenge not completing
« Reply #28 on: June 13, 2017, 07:29:12 PM »
Enable Test Mode......

If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal. However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days. If this was successful, proceed to production.

does it really make changes to your server manager page in test mode?

mercyh
http://mercyh.org
Re: letsencrypt challenge not completing
« Reply #29 on: June 13, 2017, 07:40:08 PM »
No, but it does issue a certificate to the server that is different from the SME self signed certificate. You can then go into server manager (which forces an https connection) and look at the certificate to verify that a new certificate has been issued that is not self signed by the server.

Once you have the new certificate active, you have verified that everything is working and can then switch over to production and get an actual trusted certificate from them......

In Internet Explorer, from the https://mail.myserver.com/server-manager page, click the padlock icon..

(see attachment)

and go to "view certificate" You should see who the certificate is issued by....

« Last Edit: June 13, 2017, 07:48:35 PM by mercyh »