Koozali.org: home of the SME Server

HTTP/1.1 405 Method Not Allowed error creating new Letsencrypt V2 certificate

Offline lurey

  • *
  • 78
  • +0/-0
After cleaning, here is what's left in /etc/dehydrated/certs/lurey.eu :

Code: [Select]
-rw------- 1 root root 1655 13 janv. 19:09 cert-1578938955.csr
-rw------- 1 root root 2216 13 janv. 19:09 cert-1578938955.pem
lrwxrwxrwx 1 root root   19 13 janv. 19:09 cert.csr -> cert-1578938955.csr
lrwxrwxrwx 1 root root   19 13 janv. 19:09 cert.pem -> cert-1578938955.pem
-rw------- 1 root root 1680 13 janv. 19:09 chain-1578938955.pem
lrwxrwxrwx 1 root root   20 13 janv. 19:09 chain.pem -> chain-1578938955.pem
-rw------- 1 root root 3896 13 janv. 19:09 fullchain-1578938955.pem
lrwxrwxrwx 1 root root   24 13 janv. 19:09 fullchain.pem -> fullchain-1578938955.pem
-rw------- 1 root root 3243 13 janv. 19:09 privkey-1578938955.pem
lrwxrwxrwx 1 root root   22 13 janv. 19:09 privkey.pem -> privkey-1578938955.pem
it's clearer ! (compared to your example, there is no < certificate.pfx > file...)

BUT...
Code: [Select]
grep pem /etc/httpd/conf/httpd.conf gives no answer !

...looking for "SSLCertificate" in httpd.conf gives :
Code: [Select]
[root@sme-lurey lurey.eu]# grep SSLCertificate /etc/httpd/conf/httpd.conf
SSLCertificateFile /home/e-smith/ssl.crt/sme-lurey.lurey.eu.crt
SSLCertificateKeyFile /home/e-smith/ssl.key/sme-lurey.lurey.eu.key

..editing conf-file, there are 3 lines :
Code: [Select]
# modSSL{CertificateChainFile} not set
SSLCertificateFile /home/e-smith/ssl.crt/sme-lurey.lurey.eu.crt
SSLCertificateKeyFile /home/e-smith/ssl.key/sme-lurey.lurey.eu.key

... tried to replace with :
Code: [Select]
SSLCertificateChainFile /etc/dehydrated/certs/lurey.eu/chain.pem
SSLCertificateFile /etc/dehydrated/certs/lurey.eu/cert.pem
SSLCertificateKeyFile /etc/dehydrated/certs/lurey.eu/privkey.pem

...restart httpd, and...  :grin: YES ! the LE "fake-certificat" (test-mode) is displayed for all my domains and subdomains !
I think, I found out at least wher "my" error is...

but this conf-file is made of templates.
Code: [Select]
# expand-template /etc/httpd/conf/httpd.conf
# /etc/rc7.d/S*httpd-e-smith restart
...and I lose my certificate again
"my" error is in "SSL Global Context Configuration" section, I think the 3 original lines comes from the two following templates
(in /etc/e-smith/templates/etc/httpd/conf/httpd.conf )
35SSL10SSLCertificateChainFile
35SSL10SSLCertificateFile

Is there a template (? custom) missing in my dehydrated/letsencrypt installation ?
I am not able to go further, nor to know, without the help of those who know the principles of this installation, if the error comes from my manipulations or from the installation script...


Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline ReetP

  • *
  • 3,722
  • +5/-0
You haven't answered the most important question.

That may give a clue what has happened.

Code: [Select]
config show letsencrypt
Also

cat /etc/dehydrated/config

For whatever good reason your post certificate generation script hasn't fired.

At a guess because you are still in test mode.

Please just answer the questions above and don't try messing about too much or you may make stuff a whole lot worse.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline lurey

  • *
  • 78
  • +0/-0
Hi,

Code: [Select]
[root@sme-lurey ~]# config show letsencrypt
letsencrypt=service
    ACCEPT_TERMS=yes
    API=2
    configure=none
    email=xxxxxxxxxxxxxx
    hookScript=disabled
    status=test
I forgot to indicate it, because it hasn't changed since my first post !

Code: [Select]
[root@sme-lurey ~]# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-staging-v02.api.letsencrypt.org/directory"

PARAM_ACCEPT_TERMS="yes"

I looked the templates, it looks like parameters "my $chain_file" , "my $crt" and "my $key" don't find value,
and then default value are set, as if there was no certificate.
for example, this is the code in template <35SSL10SSLCertificateChainFile > :
Code: [Select]
{
    my $chain_file = $modSSL{CertificateChainFile}
or return "# modSSL{CertificateChainFile} not set";

    $OUT = "SSLCertificateChainFile $chain_file";
}
Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline ReetP

  • *
  • 3,722
  • +5/-0
I forgot to indicate it, because it hasn't changed since my first post !

And that is exactly why I asked it because you have dived down rabbit holes that are not necessary and wasted a load of your time.

If you refer back to the documentation

https://wiki.contribs.org/Letsencrypt#Enable_Test_Mode

You will see that the instructions effectively say:

1. Install software
2. Run test mode to check certificates are correctly made
3. Change to 'enabled' to generate real certificates and deploy them

It will NOT deploy test certificates so you don't break your server. That is what TEST means.

So, if your test certificates all create correctly without errors then follow the documentation.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline lurey

  • *
  • 78
  • +0/-0
(...)
If you refer back to the documentation

https://wiki.contribs.org/Letsencrypt#Enable_Test_Mode

You will see that the instructions effectively say:

1. Install software
2. Run test mode to check certificates are correctly made
... it says precisely (before enabling product mode !):
Quote
If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority;  this is perfectly normal. However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days.
.

I'll try to bee clearer... my problem is :
1) I tried to install "dehydrated" according wiki-page https://wiki.contribs.org/Letsencrypt/fr, with  dehydrated v0.6.2 (contrib 9 repo)
> in test mode, had the error that makes the tittle of this (older) thread, and posted I had the same.
2) with help and indications that I found here, I updated to dehydrated v0.6.5 (Devel 9 repo)
in mode test, had no more error, but...
could'nt verify, as said in the wiki (see above), the "fake certificate" delivered in test mode :
the auto certificate produced at the installation of SME was still shown, while everything shows (as you confirmed to me) that the LE-certificate is well generated.


That'is why I searched, why the well delivered (fake- because of test mode) certificat is not used, except handly modifying httpd.conf - but I'm sure, this is'nt the good way !
Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline ReetP

  • *
  • 3,722
  • +5/-0
You are tying yourself in knots here. You really need to go and read up and understand EXACTLY what is happening with the certificate generation process.

When you run test mode it tests to check the certificates can be correctly generated (it essentially just tests your domains and general setup), but they are fake certificates so will not be deployed to Apache because it can be difficult to revert them if you have an issue.

Yes, dehydrated 0.6.2 had an issue generating certs. Once you updated to 0.6.5 you no longer had the issue:

Code: [Select]
in mode test, had no more error, but
Exactly this. So it can generate a certificate but they are FAKE so will NOT be deployed.

If you generate the test certificates without errors as above you can then proceed to generate real certificates which the system will deploy. We DO NOT deploy fake certificates to use in Apache because they will cause problems with your server.

So if it CREATES (but does not DEPLOY) the test certs then do:

3. Change to 'enabled' to generate real certificates and deploy them

If the real generation completes correctly the system will deploy them to Apache. You do not have to touch anything.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline lurey

  • *
  • 78
  • +0/-0
Hello ReetP,
thank you for your patience...
I'm sorry if I asked questions and let you search because of bad reasons.
My misunderstanding comes from : what you explain me there, is different from what I understoud in the wiki:
Quote
Enable Test Mode
You can now run dehydrated for the first time, and make sure it's able to connect to the Let's Encrypt servers,
validate the hostnames you're requesting, and issue certificates. To do this, run

# dehydrated -c

If this runs without errors, try to connect to your server-manager page. You should see an error that the security certificate wasn't issued by a trusted certification authority; this is perfectly normal.
However, there should be a certificate, it should include all the hostnames you wanted included, and it should be valid for the next ninety days. If this was successful, proceed to production.

Also lower in the wiki page, under "Rush jobs / for the test"
Quote
Check that the certificates are available ( your browser will still issue an error, but you can explore the content of the certificate to see that the Let's Encrypt test CA was used to sign your SSL certificate and that all your domains and hosts are in the "Certificate Subject Alt Name" property.

If, as you explain to me, the fake certificat is not deployed, the above verification (try to connect to your server-manager page ...etc...) cannot be made.
However, I thought that this check HAD TO BE done and successfull before switching into production mode, that's why I was worried about not getting there...

Tonight back from work, I'll switch status to enable and run dehydrated -c -x , everything will be in order then !
Thank you for this help !
« Last Edit: January 16, 2020, 02:32:20 PM by lurey »
Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline ReetP

  • *
  • 3,722
  • +5/-0
I didn't think the test ones deployed, but it is so long since I wrote the contrib originally, and I now never bother testing the fake certs, that I forget.

I'll get someone to test.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,722
  • +5/-0
Your issue is that for whatever reason your config file is wrong.

It has no HOOK line so runs the wrong script.

Should look like this:

Code: [Select]
cat /etc/dehydrated/config
Code: [Select]
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-know
n/acme-challenge"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=admin@here.com
HOOK="/usr/bin/hook-script.sh"
API="auto"

PARAM_ACCEPT_TERMS="yes"

Try:

Code: [Select]
expand-template /etc/dehydrated/config
Then cat the file & paste here.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline lurey

  • *
  • 78
  • +0/-0
Hello !  :-P

You are (naturally) wright!
In production mode, the certificate is deployed.
logs ends in test mode with
Code: [Select]
(...for each challenge)
+ Challenge is valid!
 + Cleaning challenge tokens...
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
 + Done!
IN prod mode, it adds :
Code: [Select]
(...)
 + Creating fullchain.pem...
Set up modSSL db keys
Signal events
All complete
 + Done!

I looked in httpd.conf, the three lines were automatically modified (as I had tested by hand to arrive to take into account the fake-certificate).

1°) My (?non-)problem is solved.
Thank you for your precious support !

2°) assuming that this is'nt due to my installation (with its stacked steps  :sad:)
...it would be usefull to report this modification in the wiki (unless you prefer to modify the installation to allow verification again at the test stage...).

EDIT : our posts crossed !!!
« Last Edit: January 16, 2020, 08:27:18 PM by lurey »
Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline lurey

  • *
  • 78
  • +0/-0
Code: [Select]
[root@sme-lurey ~]# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=xxxxxx@xxxxxxx.fr
HOOK="/usr/bin/hook-script.sh"
API="2"

PARAM_ACCEPT_TERMS="yes"
!!! I can't tell you what caused this ordering ...
in /usr/bin with ls -l
Code: [Select]
-rwxr-xr-x 1 root root          691 13 janv. 09:31 hook-script.sh
13 jan 09:31 is my first installation (with older version 6.2)

/etc/dehydrated/hooks_deploy_cert.d/   is empty, I allways saw it empty ...

« Last Edit: January 18, 2020, 12:39:19 PM by lurey »
Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline lurey

  • *
  • 78
  • +0/-0
I tried re-switch test mode, (without running !)
Code: [Select]
[root@sme-lurey bin]# config setprop letsencrypt status test
[root@sme-lurey bin]# signal-event console-save
[root@sme-lurey bin]# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-staging-v02.api.letsencrypt.org/directory"

PARAM_ACCEPT_TERMS="yes"

then switch again enabled mode :
Code: [Select]
[root@sme-lurey bin]# config setprop letsencrypt status enabled
[root@sme-lurey bin]# signal-event console-save
[root@sme-lurey bin]# cat /etc/dehydrated/config
#!/bin/bash
WELLKNOWN="/home/e-smith/files/ibays/Primary/html/.well-known/acme-challenge"
CA="https://acme-v02.api.letsencrypt.org/directory"
BASEDIR="/etc/dehydrated"
CONTACT_EMAIL=xxxxxx@xxxxxxx.fr
HOOK="/usr/bin/hook-script.sh"
API="2"

PARAM_ACCEPT_TERMS="yes"


No HOOK with test mode...
« Last Edit: January 18, 2020, 12:39:55 PM by lurey »
Bricoleur informatique, qui speak très mal english... merci de votre indulgence !

Offline ReetP

  • *
  • 3,722
  • +5/-0
Ahhh ok. Got it. Whilst lying in bed!!

That's a bug here:

cat /etc/e-smith/templates/etc/dehydrated/con
fig/10Default

It doesn't fix the hook script entry. It only adds in 'real' mode, not test mode.

I never noticed because the standard dehydrated script defaulted to /usr/bin so if there was no config item it was still correct.

With EPEL moving the hook script (why FFS??) this has revealed itself.

Please open a bug and I'll try and fix it later tomorrow.

If you want to test a solution....

Copy /etc/e-smith/templates/etc/dehydrated/con
fig/10Default to
/etc/e-smith/templates-custom/etc/dehydrated/con
fig/10Default

Edit and paste this at line 21

Code: [Select]
$OUT .= "HOOK=\"/usr/bin/hook-script.sh\"\n";
expand-template /etc/dehydrated/config

See if HOOK entry is there.

Ironically, if the certs are generated ok and you then go to 'normal' it will work !!

I might move hook script out so it is always there.

I'll look when I can.
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,722
  • +5/-0
...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation

Offline ReetP

  • *
  • 3,722
  • +5/-0
Try the updated smeserver-letsencrypt version in smetest

Code: [Select]
yum --enablerepo=smetest install smeserver-letsencrypt
Should be 0.5-10

This should generate a HOOK line in test mode and deploy the test certificates.

Please try it and also paste a copy of your config.

...
1. Read the Manual
2. Read the Wiki
3. Don't ask for support on Unsupported versions of software
4. I have a job, wife, and kids and do this in my spare time. If you want something fixed, please help.

Bugs are easier than you think: http://wiki.contribs.org/Bugzilla_Help

If you love SME and don't want to lose it, join in: http://wiki.contribs.org/Koozali_Foundation