Koozali.org: home of the SME Server

HTTP/1.1 405 Method Not Allowed error creating new Letsencrypt V2 certificate

Offline ldkeen

Hi,
I did have Letsencrypt working on this server for quite a while but just today when it went to renew I started getting errors. In the end I removed it all and started from scratch but now I'm getting the error below:

+ Received 2 authorizations URLs from the CA
  + ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/28154020 (Status 405)

Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Fri, 20 Dec 2019 09:46:22 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}

[root@server dehydrated]# rpm -qa |grep dehydrated
dehydrated-0.6.2-14.el6.sme.noarch
[root@server dehydrated]# rpm -qa |grep letsencrypt
smeserver-letsencrypt-0.5-9.noarch


I have the latest version of Letsencrypt and dehydrated and an up-to-date SME Server 9.2. Does anyone know how to fix this error? Not sure if it's related, but I have recently installed SoftEther on this server (but I've installed that on others without any problems).

Offline ReetP

Did you resolve this?

What are your letsencrypt settings? Looks like you are trying to use API2. When did you change from v1, and how?
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline lurey

Hi,
I just tried to install "dehydrated" according to the wiki page https://wiki.contribs.org/Letsencrypt/fr (it's my first use of letsencrypt), and have the same error:
Quote
+ ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/32565757 (Status 405)

Details:
HTTP/1.1 405 Method Not Allowed
Server: nginx
Date: Mon, 13 Jan 2020 08:32:57 GMT
Content-Type: application/problem+json
Content-Length: 103
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-staging-v02.api.letsencrypt.org/directory>;rel="index"

{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
Information:
Quote
root@sme-xxxx #  config show letsencrypt
       letsencrypt=service
            ACCEPT_TERMS=yes
            API=2
           configure=none
           hookScript=disabled
           status=test
root@sme-xxxx #  rpm -qa |grep dehydrated
       dehydrated-0.6.2-14.el6.sme.noarch
root@sme-xxxx #  rpm -qa |grep letsencrypt
       smeserver-letsencrypt-0.5-9.noarch
...What is wrong?
Thanks for the help!
Computer tinkerer who speaks English very badly... thank you for your indulgence!

Offline mmccarn

Searching "letsencrypt" plus the error text sent me to this discussion:
https://community.letsencrypt.org/t/problem-with-renew-certificates-the-request-message-was-malformed-method-not-allowed/107889/21

According to that discussion there have been updates to the letsencrypt server that require updates to the script (certbot or whatever) you're using to update certificates.

dehydrated is currently at v0.6.5 - https://github.com/lukas2511/dehydrated/blob/master/CHANGELOG, while the smeserver-letsencrypt contrib currently (1/13/2020) installs dehydrated v0.6.2

There is work in progress on getting dehydrated updated to the latest version:
* Bug 10812 - epel version of dehydrated
* Bug 10836 - force migration from acme-v1 to acme-v2

There is a note in the forum indicating you may be safe updating dehydrated from epel as long as you are not using any of the dehydrated hooks to distribute changes to other systems outside your SME server:
https://forums.contribs.org/index.php/topic,54106.msg282593.html#msg282593
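
The failure discussed above has a recognisable signature: RFC 8555 (section 6.3) has an ACME server answer a plain GET on resources such as authorizations with status 405 and problem type `malformed`, so a client that does not use POST-as-GET fails exactly this way. As an added example that is not part of the original posts, this shell function classifies captured dehydrated output; the function name, diagnosis words and sample text are constructed for illustration, and the DNS branch goes beyond the 405 case to cover the second error quoted later in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): classify a failed dehydrated run.
# acme_triage reads captured output on stdin and prints a one-line diagnosis.
acme_triage() {
    out=$(cat)
    first() { printf '%s\n' "$out" | sed -n "$1" | head -n 1; }
    method=$(first 's/.*sending \([a-z]*\)-request to.*/\1/p')
    status=$(first 's/.*(Status \([0-9]*\)).*/\1/p')
    # Only ACME problem URNs match, so "type": "http-01" is ignored.
    ptype=$(first 's/.*"urn:ietf:params:acme:error:\([A-Za-z]*\)".*/\1/p')
    if [ "$method" = get ] && [ "$status" = 405 ] && [ "$ptype" = malformed ]; then
        # RFC 8555 section 6.3: plain GET on ACME resources gets 405/malformed;
        # the client must fetch them with POST-as-GET, so it needs updating.
        echo "CLIENT_TOO_OLD"
    elif [ "$ptype" = dns ]; then
        # Name the host the CA could not resolve so it can be fixed or dropped.
        host=$(first 's/.*"detail": "DNS problem: NXDOMAIN looking up [A-Z]* for \([^"]*\)".*/\1/p')
        echo "DNS_LOOKUP_FAILED ${host:-unknown}"
    elif [ -n "$ptype" ]; then
        echo "ACME_ERROR $ptype"
    else
        echo "NO_ACME_ERROR"
    fi
}

# Constructed samples modelled on the two failures quoted in this thread.
sample_405() { cat <<'EOF'
  + ERROR: An error occurred while sending get-request to https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/0 (Status 405)
HTTP/1.1 405 Method Not Allowed
{
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
EOF
}
sample_dns() { cat <<'EOF'
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up A for mail.example.test",
    "status": 400
EOF
}

sample_405 | acme_triage
```
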

Offline ReetP

Yup - that is the problem.

You can use the updated SME version in smetest

DO NOT do a plain update or install from this repo - specific packages only.

yum --enablerepo=smetest install dehydrated

Should be dehydrated-0.6.5-1.el6.noarch.rpm

Then continue in test mode until it all works.

It would be good if you tested the one in smetest and we can get it released.

https://bugs.contribs.org/show_bug.cgi?id=10836

You can also try the one from EPEL but it needs a few tweaks as some of the default locations have changed, e.g. the hook script and the cron that runs the script. Don't try unless you know what you are doing.

Offline lurey

Hello mmccarn and ReetP,
Thank you for these fast answers.

I did see this new version 6.5 in dev, but did not dare to try it without knowing about its state of development.
You encourage me, I'll do it tonight (after work...).
Should I first uninstall version 6.2? And some, or all, files generated by its configuration?
If so, how do you make it "completely clean" before installing version 6.5?
Lots of thanks!

(N.B. I specify this is a first use for me, so there is no need to worry about renewal of an old certificate, or migration acme-v1 to acme-v2)

Offline ReetP

Quote
I did see this new version 6.5 in dev, but did not dare to try it without knowing about its state of development.

If it isn't working at the minute then the worst that will happen is it won't work after installation :-)

Should be fine - just install as above and let us know please.

Offline lurey

OK, I'll do it within a few hours.
(...and I'll be happy if, despite a relative incompetence, my experience can be a useful test beyond my only case!)

I understand that I should try to upgrade to dehydration-6.5 without uninstalling anything from the last installation.
... Please, "shout" here before tonight if that isn't right! :-?

Offline ReetP

Quote
OK, I'll do it within a few hours.
(...and I'll be happy if, despite a relative incompetence, my experience can be a useful test beyond my only case!)

Best way to learn - we did!!

Quote
I understand that I should try to upgrade to dehydration-6.5 without uninstalling anything from the last installation.
... Please, "shout" here before tonight if that isn't right! :-?

Damn. Terry just reminded me that the version in smetest is actually the EPEL version.

Hmmmm OK.

It is OK apart from it uses a different cron setup to do its daily checks.

If you install it over the top of what you already have you will just end up with two crons but that should be fine - we can resolve that!

Just test it and make sure - keep in test mode and you will be fine.

Offline lurey

So,
1) update :
Quote
(...)
Mise à jour de     1 paquet(s)

Taille totale des téléchargements : 85 k
Est-ce correct [o/N] : o
Téléchargement des paquets :
dehydrated-0.6.5-1.el6.noarch.rpm                        |  85 kB     00:00
Lancement de rpm_check_debug
Lancement de la transaction de test
Transaction de test réussie
Lancement de la transaction
  Mise à jour   : dehydrated-0.6.5-1.el6.noarch                             1/2
warning: /etc/dehydrated/config created as /etc/dehydrated/config.rpmnew
  Nettoyage     : dehydrated-0.6.2-14.el6.sme.noarch                        2/2
(...)
# signal-event post-upgrade
# signal-event reboot

2) First try
#  dehydrated -c
gave an error :
Quote
(...)
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "http-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:dns",
    "detail": "DNS problem: NXDOMAIN looking up A for mail.lurey.eu",
    "status": 400 

3) then disabled "mail.lurey.eu" in db and retry :
# dehydrated -c
Quote
# INFO: Using main config file /etc/dehydrated/config
Processing lurey.eu with alternative names: www.lurey.eu
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 2 authorizations URLs from the CA
 + Handling authorization for lurey.eu
 + Found valid authorization for lurey.eu
 + Handling authorization for www.lurey.eu
 + Found valid authorization for www.lurey.eu
 + 0 pending challenge(s)
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
   :hammer:  YES !

4)... BUT... :cry:
When I open www.lurey.eu and ask for the certificate, it is the old, self-produced one!
(reconfigure + reboot doesn't change anything…)


« Last Edit: January 13, 2020, 08:07:43 PM by lurey »

Offline ReetP

Your domains must be reachable via http:80

Are you still in test mode?


Offline lurey

Quote
Your domains must be reachable via http:80
Yes, they are actually.
Quote
Are you still in test mode?
Yes, but with test mode,
Quote from: https://wiki.contribs.org/Letsencrypt
(...)  You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal. However,  there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days"
it should have brought me a "test certificate". It is not at all the case?

Well, I hope you are sleeping peacefully right now ... and I will do the same! Tomorrow will be another day...
« Last Edit: January 14, 2020, 12:06:35 AM by lurey »

Offline lurey

Hello,

...the next day I received this message :

from : Cron <root@sme-lurey> test -s /etc/dehydrated/domains.txt && /usr/bin/dehydrated --cron
# INFO: Using main config file /etc/dehydrated/config
Processing lurey.eu with alternative names: www.lurey.eu
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr 12 17:09:22 2020 GMT (Longer than 30 days). Skipping renew!


I looked in /etc/dehydrated,


it looks like the certificate did arrive, but is not "installed"?


Offline ReetP

Quote
it looks like the certificate did arrive, but is not "installed"?

Hard to tell as we don't know what has happened...... are you still in test mode?

On your server (or with a terminal or putty) do this:
Code:
config show letsencrypt
You can clean up old certs with:
Code:
dehydrated --cleanup
For options do:
Code:
dehydrated -h
(-gc) (Move unused certificate files to archive directory)

Then look at this:
Code:
ll /etc/dehydrated/certs/lurey.eu
It should look similar to this:

Code:
total 32
-rw------- 1 root root 2106 Dec 16 13:17 cert-1576498657.csr
-rw------- 1 root root 2699 Dec 16 13:18 cert-1576498657.pem
lrwxrwxrwx 1 root root   19 Dec 16 13:18 cert.csr -> cert-1576498657.csr
-rw-r--r-- 1 root root 5925 Dec 16 13:18 certificate.pfx
lrwxrwxrwx 1 root root   19 Dec 16 13:18 cert.pem -> cert-1576498657.pem
-rw------- 1 root root 1648 Dec 16 13:18 chain-1576498657.pem
lrwxrwxrwx 1 root root   20 Dec 16 13:18 chain.pem -> chain-1576498657.pem
-rw------- 1 root root 4347 Dec 16 13:18 fullchain-1576498657.pem
lrwxrwxrwx 1 root root   24 Dec 16 13:18 fullchain.pem -> fullchain-1576498657.pem
-rw------- 1 root root 3243 Dec 16 13:17 privkey-1576498657.pem
lrwxrwxrwx 1 root root   22 Dec 16 13:18 privkey.pem -> privkey-1576498657.pem

You can check if apache is using your certs by doing:

Code:
grep pem /etc/httpd/conf/httpd.conf
Should see something like this:

Code:
SSLCertificateChainFile /etc/dehydrated/certs/lurey.eu/chain.pem
SSLCertificateFile /etc/dehydrated/certs/lurey.eu/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs/lurey.eu/privkey.pem

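
The manual checks in the post above (`grep pem /etc/httpd/conf/httpd.conf` and listing the certificate directory) can be combined into one test of whether Apache is actually pointed at the files dehydrated wrote. This is an added example, not from the thread or the SME Server project; `check_apache_cert`, its status words and the `example.test` demo tree are hypothetical.

```shell
#!/bin/sh
# Added example: compare the certificate paths Apache is configured with
# against the files dehydrated wrote for a domain.
# Usage: check_apache_cert HTTPD_CONF CERTS_DIR DOMAIN
# Prints OK, MISSING_DIRECTIVE, NOT_DEHYDRATED or BROKEN_LINK.
check_apache_cert() {
    conf=$1; want_dir=$2/$3
    for directive in SSLCertificateFile SSLCertificateKeyFile SSLCertificateChainFile; do
        # Directive names are case-insensitive; commented lines do not match.
        # Simplification: the last occurrence in the file wins.
        path=$(awk -v d="$directive" \
            'tolower($1) == tolower(d) { p = $2; gsub(/"/, "", p) } END { print p }' "$conf")
        if [ -z "$path" ]; then
            echo MISSING_DIRECTIVE; return 1
        fi
        case $path in
            "$want_dir"/*) ;;                      # points into dehydrated's tree
            *) echo NOT_DEHYDRATED; return 1 ;;    # e.g. still the self-signed cert
        esac
        # -e follows symlinks, so a dangling cert.pem -> cert-<timestamp>.pem fails.
        if [ ! -e "$path" ]; then
            echo BROKEN_LINK; return 1
        fi
    done
    echo OK
}

# Constructed demo tree: empty placeholder files plus the symlinks dehydrated creates.
demo_tree() {
    t=$(mktemp -d); d=$t/certs/example.test; mkdir -p "$d"
    for f in cert chain privkey; do
        : > "$d/$f-1576498657.pem"
        ln -s "$f-1576498657.pem" "$d/$f.pem"
    done
    printf 'SSLCertificateChainFile %s/chain.pem\nSSLCertificateFile %s/cert.pem\nSSLCertificateKeyFile %s/privkey.pem\n' \
        "$d" "$d" "$d" > "$t/httpd.conf"
    echo "$t"
}

t=$(demo_tree) && check_apache_cert "$t/httpd.conf" "$t/certs" example.test; rm -rf "$t"
```

On a real server the arguments would be `/etc/httpd/conf/httpd.conf`, `/etc/dehydrated/certs` and the domain; `openssl x509 -in cert.pem -noout -issuer -enddate` then shows who issued the file and when it expires.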

Offline ReetP

Also note this:

Quote
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Apr 12 17:09:22 2020 GMT (Longer than 30 days). Skipping renew!

So it has checked the certs and they are OK and do not need renewing..... so it won't touch them.