Koozali.org: home of the SME Server

Solved - letsencrypt challenge not completing

Offline pcdoc

Re: letsencrypt challenge not completing
« Reply #30 on: June 20, 2017, 06:23:49 PM »
Thanks for your work documenting Royce.

However, I have another issue. Everything ran well for the first issue of certificates, but on the renewal after 60 days (29 days before the cert dies) it comes up with a Status 500 error when requesting a new certificate.

Any thoughts on where to look?

Cheers,

Matt
There are 10 types of people in this world,
   Those that know binary, and those who don't!

Offline mercyh

Re: letsencrypt challenge not completing
« Reply #31 on: June 20, 2017, 06:35:52 PM »
Can you post the actual output of the script? I would suggest you start a new thread, as this one might get pretty jumbled if we keep putting new/different problems in it.


Offline DanB35

Re: letsencrypt challenge not completing
« Reply #32 on: June 20, 2017, 10:09:56 PM »
Quote
but the renewal after 60 days (29 days before cert dies) it comes up with a Status 500 error when requesting a new certificate.
Most likely that results from a temporary issue on the Let's Encrypt end.  If it recurs (the renewal should run again tomorrow), I'd agree with @mercyh: start a new thread, and include the exact error output, and we'll see what else we can do to troubleshoot.
......

Offline mercyh

Re: letsencrypt challenge not completing
« Reply #33 on: June 20, 2017, 10:14:29 PM »
If this does complete correctly tomorrow when cron reruns the renew script, be sure to let us know. It would be good to get it in the wiki that if you see this error, you should let the script rerun before digging into the issue.....

Offline mercyh

Re: letsencrypt challenge not completing
« Reply #34 on: June 23, 2017, 08:25:15 PM »
Pcdoc,

Could you update us on the status of your error 500 on certificate regeneration?

Thanks,

Royce

Offline pcdoc

Re: letsencrypt challenge not completing
« Reply #35 on: June 29, 2017, 03:31:08 PM »
Sorry I haven't posted back the results. Have been unwell.

Anyway, reporting that I am still getting the Status 500 error every day. Down to 29 days now, so need to get back into it.

I ran "dehydrated -c" tonight to see how it would go... not well.

Output follows

Quote
+ Requesting challenge for aap.domainname.org.au...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 429)

Details:
{
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new authz :: too many currently pending authorizations",
  "status": 429
}

thoughts?

Offline mercyh

Re: letsencrypt challenge not completing
« Reply #36 on: June 29, 2017, 04:18:46 PM »
https://letsencrypt.org/docs/rate-limits/

I wonder if you have multiple cron jobs trying to renew the certificate. Where are you seeing the 500 error?

dehydrated is giving you the 429 error which is something entirely different.....

Offline CharlieBrady

Re: letsencrypt challenge not completing
« Reply #37 on: June 29, 2017, 04:19:08 PM »
Rate limits are documented here:

https://letsencrypt.org/docs/rate-limits/

In particular, this looks relevant:

"You can have a maximum of 300 Pending Authorizations on your account. Hitting this rate limit is rare, and happens most often when developing ACME clients. It usually means that your client is creating authorizations and not fulfilling them. Please utilize our staging environment if you're developing an ACME client."
« Last Edit: June 29, 2017, 04:20:40 PM by CharlieBrady »

Offline mercyh

Re: letsencrypt challenge not completing
« Reply #38 on: June 29, 2017, 04:27:33 PM »
I am curious about your domain name... I realize you have obfuscated it but....

aap.domainname.org.au

quote from letsencrypt...

Quote
The main limit is Certificates per Registered Domain (20 per week). A registered domain is, generally speaking, the part of the domain you purchased from your domain name registrar. For instance, in the name www.example.com, the registered domain is example.com. In new.blog.example.co.uk, the registered domain is example.co.uk. We use the Public Suffix List to calculate the registered domain.

If you are hosting a subdomain of domainname.org.au and there are many other subdomains in use, you may be hitting this rate limit and it may be out of your control to fix the problem.....
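Replies #35 to #38 separate three different failures: a Status 500 (transient, let cron retry), a 429 with "too many currently pending authorizations" (a client that opens authorizations and never completes them, e.g. duplicate cron jobs), and the per-registered-domain limit. The following triage helper is an added example, not part of the thread or of dehydrated; it parses the dehydrated output quoted in Reply #35 (embedded here as constructed sample input) and returns the operator action the thread suggests for each case. The function names and category labels are invented for the illustration.

```python
import json
import re

# Constructed sample input: the dehydrated failure quoted in Reply #35 of this thread.
SAMPLE_OUTPUT = """\
+ Requesting challenge for aap.domainname.org.au...
  + ERROR: An error occurred while sending post-request to https://acme-v01.api.letsencrypt.org/acme/new-authz (Status 429)

Details:
{
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new authz :: too many currently pending authorizations",
  "status": 429
}
"""

def parse_dehydrated_error(output):
    """Return (http_status, problem_document) from dehydrated's error text.
    Status comes from the "(Status NNN)" line, the problem document from the JSON under "Details:"."""
    status = None
    match = re.search(r"\(Status (\d{3})\)", output)
    if match:
        status = int(match.group(1))
    problem = {}
    start = output.find("{")
    if start != -1:
        try:
            parsed = json.loads(output[start:])
            problem = parsed if isinstance(parsed, dict) else {}
        except ValueError:
            problem = {}  # not a problem document; keep going with the status alone
    if status is None and isinstance(problem.get("status"), int):
        status = problem["status"]
    return status, problem

def triage(output):
    """Map a failed run to (category, advice); categories are our labels, not ACME terms."""
    status, problem = parse_dehydrated_error(output)
    err_type = problem.get("type", "")
    detail = problem.get("detail", "")
    if status is not None and 500 <= status <= 599:
        return "transient", "CA-side error; let the next cron run retry before investigating."
    if status == 429 or err_type.endswith(":rateLimited"):
        if "pending authorizations" in detail:
            return "pending-authz", "Client opens authorizations it never completes; look for duplicate cron jobs or a challenge step that always fails."
        return "rate-limited", "Other rate limit (e.g. certificates per registered domain); see the rate-limits page."
    if status == 400:
        return "bad-request", "Malformed request as seen by the CA or a proxy in the path; retry with the proxy bypassed."
    return "unknown", "Unrecognised failure; capture and post the full output."
```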

Offline SchulzStefan

Re: letsencrypt challenge not completing
« Reply #39 on: October 01, 2017, 01:47:42 AM »
Not sure if this is relevant to the problem of pcdoc.

Letsencrypt says they need access to port 80 and do follow redirections. I do confirm this. As well, port 443 also has to be opened. And both ports also in outbound. For me it was not easy to point out that the first choice for letsencrypt is AAAA in the DNS records of the domain and hosts you want to cert. This point is quite important. If not all hosts you want to cert are set up with an AAAA record, dehydrated will fail. The safe way (for me) is to temporarily delete all AAAA records and re-run dehydrated -c manually.

This might depend on my installation, as my server is running behind a firewall. If so, there are a few more caveats. E.g. I have to disable a port-forward rule to the webproxy for the manual renewal of the certs. The comment in the opnsense forum is: "Status 400 is a syntax error. Presumably the client is doing something the proxy doesn't understand... https://forum.opnsense.org/index.php?topic=5201.0" Translation: Syntax error. Probably the client is doing something the proxy does not understand. Worst case would be that the client does not truly act with the HTTP protocol. Therefore the proxy rejects the connection ..." I didn't check the packets with e.g. wireshark, so I don't know what really happens.

The interesting thing for me is that the letsencrypt people say that if .well-known/acme-challenge is accessible through port 80 (I ran several tests with different browsers from different IPs to access a file I created in acme-challenge), with and without redirection to ssl, dehydrated should run fine and the renewal should work. Not working in my case. I am able to access my test file through my firewall, but dehydrated fails mostly with a timeout error. All rules on my firewall seem to be correct. Dehydrated only runs through if I bypass the proxy. Besides the IP6 settings in the DNS records. Maybe it's an opnsense issue, I don't know.

One thing is for sure - you need to have full access not only to your server...

regards,
stefan
And then one day you find ten years have got behind you.

Time, 1973
(Mason, Waters, Wright, Gilmour)

Offline DanB35

Re: letsencrypt challenge not completing
« Reply #40 on: October 01, 2017, 03:10:34 AM »
Quote
For me it was not easy to point out, that first choice for letsencrypt is AAAA in the DNS records of the domain and hosts, you want to cert. This point is quite important. If not all hosts you want to cert are set up with an AAAA record dehydrated will fail.

Let me clarify/emphasize this point.  If any hostname for which you're seeking a cert has an AAAA record (i.e., an IPv6 record), the Let's Encrypt servers will try to connect to that IPv6 address.  If that connection attempt fails, then the validation process will fail; they won't fall back to IPv4 and try again.

To the best of my knowledge, SME9 doesn't support IPv6 (I don't know if SME10 will or not).  So, if you're trying to validate against an SME9 server, your solution of deleting the AAAA records before getting the cert is a good one.

As to the redirect, I don't know what's happening for you.  In my installation, all http is redirected to https, and I don't have trouble obtaining or renewing certs.
......
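A pre-flight check for the point DanB35 makes above, added here as an example (it is not from the thread, from SME Server or from dehydrated): for each name in a certificate request it asks the system resolver for A and AAAA records and flags any AAAA record on a server that has no working IPv6, since validation will go over IPv6 first and not fall back. The function names and the example hostnames are invented for the illustration; the resolver is injectable so the logic can be exercised without live DNS.

```python
import socket

# Constructed hostnames for illustration; replace them with the names from your domains.txt.
HOSTS = ["www.example.com", "mail.example.com"]

FAMILIES = {"A": socket.AF_INET, "AAAA": socket.AF_INET6}

def lookup(hostname, rrtype):
    """Addresses of the given record type ("A" or "AAAA") via the system resolver; empty set if none.
    Let's Encrypt resolves from the public Internet, so run this where you get public DNS answers."""
    try:
        infos = socket.getaddrinfo(hostname, None, FAMILIES[rrtype], socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def preflight(hostnames, server_has_ipv6=False, resolve=lookup):
    """Return {hostname: [findings]} for the names in a certificate request.
    `resolve` is injectable so the logic can be exercised without live DNS."""
    findings = {}
    for host in hostnames:
        issues = []
        a = resolve(host, "A")
        aaaa = resolve(host, "AAAA")
        if not a and not aaaa:
            issues.append("no A or AAAA record: the validation server cannot reach this name")
        if aaaa and not server_has_ipv6:
            # The point made in Reply #40: an AAAA record makes validation go over IPv6 first,
            # and a failed IPv6 connection is not retried over IPv4.
            issues.append("AAAA record (%s) on an IPv4-only server: validation will try IPv6 and not "
                          "fall back; remove the AAAA record or give the server working IPv6"
                          % ", ".join(sorted(aaaa)))
        findings[host] = issues
    return findings

if __name__ == "__main__":
    for host, issues in preflight(HOSTS).items():
        print(host, "->", "; ".join(issues) or "nothing stands out")
```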

Offline SchulzStefan

Re: letsencrypt challenge not completing
« Reply #41 on: October 01, 2017, 09:59:03 PM »
Quote
Letsencrypt says, they need access to port 80 and do follow re-directions. I do confirm this.

Redirection is working, as I said. There seems to be a problem if the SME is behind a firewall and an enabled webproxy. At least for an OPNsense and my configuration. Maybe I misconfigured something, but if so, I don't know what. Everything else is running and behaving as expected. For dehydrated I have to disable port forward from port 80 to the proxy port. Why? This is beyond my knowledge...

Regards,
stefan



Offline ReetP

Re: letsencrypt challenge not completing
« Reply #43 on: October 03, 2017, 05:17:31 PM »
Thinking out loud here....

If it is an issue via the Opnsense proxy, could you not get Opnsense to generate all the required certs and then script copying them to the right places?

Just a thought.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline SchulzStefan

Re: letsencrypt challenge not completing
« Reply #44 on: October 13, 2017, 12:50:04 PM »
Maybe this helps: https://community.letsencrypt.org/t/letsencyrpt-via-proxy/4317/5 or this: https://community.letsencrypt.org/t/solved-proxy-settings-in-order-to-use-letsencrypt-auto-behind-a-proxy/5465/5

Thx RequestedDeletion for sharing.

# config show letsencrypt brings up:
letsencrypt=service
    ACCEPT_TERMS=yes
    configure=none
    email=admin@xxx.de
    hookScript=disabled
    status=enabled

Thinking out loud: would this make any sense?

# config setprop letsencrypt http_proxy=http://192.168.x.x:3128/
and
# config setprop letsencrypt https_proxy=http://192.168.x.x:3128/


A rushed try fails (as expected) with:

/sbin/e-smith/db dbfile setprop key prop1 val1 [prop2 val2] [prop3 val3] ...

Any thoughts, maybe?

regards,
stefan
« Last Edit: October 13, 2017, 12:54:15 PM by SchulzStefan »