Koozali.org: home of the SME Server

LetsEncrypt "ERROR: Certificate authority doesn't allow certificate signing"

Offline nicolatiana

The certificate does not renew.
Uncommented the CA line in the config file and performed a test request with dehydrated -c, and this worked fine.
I'm able to reach the .well-known folder from the web.
Commenting out the CA line and running dehydrated -c -x gives the "ERROR: Certificate authority doesn't allow certificate signing"

It is a manual configuration & install via Git.

Nicola

Quote

# INFO: Using main config file /etc/dehydrated/config
Processing web.qbservice.it
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Sep 23 06:38:27 2019 GMT (Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
ERROR: Certificate authority doesn't allow certificate signing

Quote

cat /etc/dehydrated/domains.txt
web.mydomain.it

Quote

cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
#CA="https://acme-staging.api.letsencrypt.org/directory"
#CA="https://acme-v01.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=info@mydomain.it
#HOOK="/usr/bin/hook-script.sh"
HOOK="/usr/local/bin/dehydrated-hook"
API="1"
# letsencrypt property ACCEPT_TERMS not set to yes



« Last Edit: June 25, 2019, 10:37:32 AM by nicolatiana »
Smeserver.it consultant - Solutions and support for SME Server in Italy.

Offline ReetP

Not really sure what to do if you are using your own install instead of the contrib.

Beyond that, what version are you using?

I can see you have probably tried to copy off an old config. Have you checked it is correct and up to date?

(One thing I would suggest is swapping to API 2)

What about your apache template and SSL settings?

Are you using any other certificates?

Have you checked github for bugs?

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline nicolatiana

Many thanks for your reply.

According to your suggestion I've analyzed the sample config file coming from github (/etc/dehydrated/docs/examples) and I've modified mine in this way:

Quote
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
#CA="https://acme-v02.api.letsencrypt.org/directory"
CONTACT_EMAIL=info@qbservice.it
HOOK="/usr/local/bin/dehydrated-hook"
API="2"

The trick was the outdated "CA =" record.

All other folders/scripts and apache/SSL settings were right.

Swapped to API2 too.

I've been able to correctly perform both the test and getting a trusted certificate.

Many thanks again.

P.S.: not using the contrib because more or less all of my letsencrypt installs were done before the contrib release and I never moved to the contrib.  :wink:




« Last Edit: June 26, 2019, 08:42:00 AM by nicolatiana »
Smeserver.it consultant - Solutions and support for SME Server in Italy.
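
A check for the two settings this thread turned on, as an added example that is not part of the original posts, of dehydrated, or of the SME Server contrib: it reads a dehydrated config and flags an active CA that points at a Let's Encrypt ACME v1 directory, or an active API="1". The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of dehydrated or the SME Server contrib.

# Print the last active (uncommented) value assigned to KEY in a config file.
active_value() {  # $1 = key, $2 = config file
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$2" |
        tail -n 1
}

# Print one finding per line; return 0 if the config is clean, 1 otherwise.
lint_dehydrated_config() {  # $1 = config file
    findings=0
    ca=$(active_value CA "$1")
    api=$(active_value API "$1")
    case $ca in
        *//acme-v01.api.letsencrypt.org/*|*//acme-staging.api.letsencrypt.org/*)
            echo "CA is an ACME v1 directory: $ca"
            findings=$((findings + 1)) ;;
    esac
    if [ "$api" = "1" ]; then
        echo "API=\"1\" selects ACME v1 requests (CA=${ca:-unset, built-in default})"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Constructed sample modelled on the first config posted in the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
#CA="https://acme-staging.api.letsencrypt.org/directory"
#CA="https://acme-v01.api.letsencrypt.org/directory"
CONTACT_EMAIL=info@mydomain.it
API="1"
EOF
lint_dehydrated_config "$sample" || echo "config needs updating"
rm -f "$sample"
```

Commented-out lines are ignored on purpose, so a leftover "#CA=" line for the old endpoint is not reported; only values dehydrated would actually read are checked.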