Koozali.org: home of the SME Server

HTTP/1.1 405 Method Not Allowed error creating new Letsencrypt V2 certificate

Offline lurey

hi,
You did work..!
I'll have time over the weekend to update and say what about.
I think I could also try a clean new installation on another machine, without any older version ...

I saw in bug 10861 that you are also working on the differences in cron (you did tell me that installing v6.5 would change or add something with cron, that I should have to worry about later). If I can (try to -) help spot things, tell me!
Computer tinkerer who speaks English very badly... thank you for your indulgence!

Offline lurey

Quote
Try the updated smeserver-letsencrypt version in smetest

Code:
yum --enablerepo=smetest install smeserver-letsencrypt
Should be 0.5-10

I would like to be sure I understand ...
I installed with dehydrated package... it also installed smeserver-letsencrypt, and now, we update this one part, right?
(... which is not yet included in what could become as new dehydrated package...?)

Online ReetP

There are two separate packages.

Dehydrated itself contains the dehydrated script and some other bits & pieces like cron. 0.6.5-1 comes from upstream at EPEL.

smeserver-letsencrypt 'depends' on dehydrated. It won't install itself without the dehydrated rpm.

So you only need to update the smeserver-letsencrypt part, and then do a console-save to regenerate configurations.

smeserver-letsencrypt has templates and db keys to generate the correct configurations for the dehydrated script itself, and your server. It should generate /etc/dehydrated/config /etc/dehydrated/domain.txt and the cron file.

The bug was the logic that generated the config file.

I have just pushed 0.5-11 to buildsys which updates the cron entries as well. It should remove the old /etc/cron/daily/letsencrypt and add /etc/cron.d/dehydrated

The new package is waiting for signing but should be in smetest fairly soon.

So, run it in test mode and check the certs are deployed correctly using your browser and let me know.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline lurey

hi !
First > thank you for these explanations, I understand a little better what I do... So,

- I updated smeserver-letsencrypt to v0.5-11.
- switched letsencrypt to test mode
following config :
Quote
[root@sme-lurey ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=xxxxxx@xxxxxxx.fr
    hookScript=disabled
    status=test


[root@sme-lurey ~]# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-staging-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=xxxxxx@xxxxxxx.fr
API="2"

PARAM_ACCEPT_TERMS="yes"

- run
# dehydrated -c -x (with -x, otherwise nothing was done, since I already had a valid certificate.)

 > Then :
- runs normally, ends without errors.
- "fake-certificate" deployed, can be seen as told in the wiki

- I returned to enabled mode
following config :
Quote
[root@sme-lurey ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=xxxxxx@xxxxxxx.fr
    hookScript=disabled
    status=enabled


[root@sme-lurey ~]# cat /etc/dehydrated/config
#!/bin/bash
CA="https://acme-v02.api.letsencrypt.org/directory"
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
HOOK="/usr/bin/hook-script.sh"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=xxxxxx@xxxxxxx.fr
API="2"

PARAM_ACCEPT_TERMS="yes"

All right, new (real) certificate is deployed.

« Last Edit: January 18, 2020, 12:41:26 PM by lurey »
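
As an added example (not part of the thread and not code from smeserver-letsencrypt): a shell check that a generated dehydrated config matches the letsencrypt status, using the two CA URLs shown in the config dumps above. The function names and return codes are assumptions made for this illustration, and the sample configs are constructed.

```bash
# Added example: compare a dehydrated config against the letsencrypt status.
# Function names and return codes are hypothetical, not part of any package.
STAGING_CA="https://acme-staging-v02.api.letsencrypt.org/directory"
PRODUCTION_CA="https://acme-v02.api.letsencrypt.org/directory"

# Print the value of KEY="value" / KEY=value from FILE. The config is a shell
# script, so it is parsed with sed instead of being sourced (and executed).
get_setting() {
    sed -n "s/^$1=\"\{0,1\}\([^\"]*\)\"\{0,1\}[[:space:]]*\$/\1/p" "$2" | tail -n 1
}

# check_dehydrated_config STATUS FILE
#   0 = CA matches status, 1 = CA does not match status,
#   2 = API="2" without a v02 directory URL, 3 = unusable input
check_dehydrated_config() {
    local status="$1" file="$2" ca api expected
    [ -r "$file" ] || return 3
    case "$status" in
        test)    expected="$STAGING_CA" ;;
        enabled) expected="$PRODUCTION_CA" ;;
        *)       return 3 ;;
    esac
    ca=$(get_setting CA "$file")
    api=$(get_setting API "$file")
    if [ "$api" = "2" ]; then
        case "$ca" in
            *-v02.api.letsencrypt.org/*) ;;
            *) return 2 ;;
        esac
    fi
    [ "$ca" = "$expected" ] || return 1
    return 0
}

# Constructed sample configs with the same keys as the dumps above.
demo() {
    local d rc
    d=$(mktemp -d)
    printf '#!/bin/bash\nCA="%s"\nAPI="2"\n' "$STAGING_CA" > "$d/test.conf"
    printf '#!/bin/bash\nCA="%s"\nAPI="2"\n' "$PRODUCTION_CA" > "$d/live.conf"
    for pair in "test test.conf" "enabled live.conf" "enabled test.conf"; do
        set -- $pair
        check_dehydrated_config "$1" "$d/$2" && rc=0 || rc=$?
        echo "status=$1 config=$2 -> $rc"
    done
    rm -rf "$d"
}
demo
```

On a live SME Server the call would be `check_dehydrated_config "$(config getprop letsencrypt status)" /etc/dehydrated/config`; a return of 1 after switching to enabled means the staging CA is still configured and a console-save has not regenerated the file.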

Online ReetP

Yay !!

Thank you for your patience and for testing.

We'll release that soon.

Offline lurey

About cron...
- I have a file
/etc/e-smith/templates/etc/cron.d/dehydrated/10dehydrated
Code:
{
    use strict;
    use warnings;
    use esmith::ConfigDB;

    my $configDB = esmith::ConfigDB->open_ro or die("can't open Config DB");

    my $letsencryptStatus = $configDB->get_prop( 'letsencrypt', 'status' ) || 'disabled';

    if ( $letsencryptStatus eq 'enabled' ) {

        $OUT .= "#!/bin/sh\n\n";
        $OUT .= "32 3 * * 5 root test -s /etc/dehydrated/domains.txt && /usr/bin/dehydrated --cron";
    }

    else {
        $OUT .= "# letsencrypt is disabled\n";
    }
}

- there is no
/etc/cron.daily/letsencrypt

- in /etc/e-smith/templates/etc/cron.daily/letsencrypt/
there is one file <template-begin> ...that is empty

----------------------------------------------------------
to allow backup with dar, I wrote a file
/etc/e-smith/templates-custom/etc/dar/DailyBackup.dcf/43dehydrated
Code:
--go-into etc/dehydrated
should it be enough ...?
« Last Edit: January 18, 2020, 01:22:37 PM by lurey »

Offline brianr

Got the warning message from letsencrypt yesterday.

Updated today from smetest and just run a "dehydrated -c -x" and the cert has renewed just fine.

Well done guys!
Brian j Read
(retired, for a second time, still got 2 installations though)
The instrument I am playing is my favourite Melodeon.
.........

Online ReetP

Quote
Got the warning message from letsencrypt yesterday.

Updated today from smetest and just run a "dehydrated -c -x" and the cert has renewed just fine.

Well done guys!

Cool !!

There will be the template-begin but it is harmless and I will fix that.

Also need to update the cron etc. All in good time.