Apple home-brew certbot


#1

Full domain is GreenRushGeneralStore.net (with subdomains marijuana-news.org, ganja-mon.com, back-pac.org and extraordinaryremedies.com, all my own domains)

Installed home-brew just fine, then:

==> Summary
:beer: /usr/local/Cellar/openssl@1.1/1.1.0e: 6,303 files, 15.4M
==> Installing certbot
==> Downloading https://homebrew.bintray.com/bottles/certbot-0.11.1.sierra.bottl
######################################################################## 100.0%
==> Pouring certbot-0.11.1.sierra.bottle.tar.gz
:beer: /usr/local/Cellar/certbot/0.11.1: 2,261 files, 15.6M

then:

Hieromonks-MacBook-Air:~ hieromonk$ certbot --apache
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt'
If running as non-root, set --config-dir, --work-dir, and --logs-dir to writeable paths.

MacOs 10.12.3 Sierra

ehost online is the hosting provider

do I use command --config-dir etc as writable and, um, how?

Hope I made this request for help correctly, I bolluxed it up before thinking I had to get cert through ehost…

thanks for the help!

Karla


#2

Hi Karla,

Try running again as root with sudo certbot [...].


#3

Yikes! here is the transcript

######################################################################## 100.0%
==> Pouring certbot-0.11.1.sierra.bottle.tar.gz
:beer: /usr/local/Cellar/certbot/0.11.1: 2,261 files, 15.6M
Hieromonks-MacBook-Air:~ hieromonk$ certbot --apache
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt'
If running as non-root, set --config-dir, --work-dir, and --logs-dir to writeable paths.
Hieromonks-MacBook-Air:~ hieromonk$ ertbot renew --dry-ru
-bash: ertbot: command not found
Hieromonks-MacBook-Air:~ hieromonk$ certbot renew --dry-run
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt'
If running as non-root, set --config-dir, --work-dir, and --logs-dir to writeable paths.
Hieromonks-MacBook-Air:~ hieromonk$ certbot renew --quiet
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt'
If running as non-root, set --config-dir, --work-dir, and --logs-dir to writeable paths.
Hieromonks-MacBook-Air:~ hieromonk$ certbot --apache
The following error was encountered:
[Errno 13] Permission denied: '/etc/letsencrypt'
If running as non-root, set --config-dir, --work-dir, and --logs-dir to writeable paths.
Hieromonks-MacBook-Air:~ hieromonk$ sudo certbot --apache
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel):greenrushgeneralstore.net, marijuana-news.org, ganja-mon.com, bac-pac.org, extraordinaryremedies.com
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel):occupysf@unseen.is


Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory

(A)gree/(C)ancel: A


Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let’s Encrypt project and the non-profit
organization that develops Certbot? We’d like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.

(Y)es/(N)o: Y
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for greenrushgeneralstore.net
tls-sni-01 challenge for marijuana-news.org
tls-sni-01 challenge for ganja-mon.com
tls-sni-01 challenge for bac-pac.org
tls-sni-01 challenge for extraordinaryremedies.com
No vhost exists with servername or alias of: greenrushgeneralstore.net (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost :443…
No vhost exists with servername or alias of: marijuana-news.org (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost :443…
No vhost exists with servername or alias of: ganja-mon.com (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost :443…
No vhost exists with servername or alias of: bac-pac.org (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost :443…
No vhost exists with servername or alias of: extraordinaryremedies.com (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost :443…
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. greenrushgeneralstore.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested ae74dcdea2d746f68558fbb590032435.2c94f59598d770b0336ef654f34d4361.acme.invalid from 192.185.128.162:443. Received 3 certificate(s), first certificate had names "*.ehosts.com, ehosts.com", extraordinaryremedies.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 0b6334b92475bb1f7e4a572c2d55349f.5da847b75e51c08310de03554e4d4dbd.acme.invalid from 192.185.128.162:443. Received 3 certificate(s), first certificate had names "*.ehosts.com, ehosts.com", ganja-mon.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 1c02cc21406cf1251d0edaa7e2622bed.1274a24dc5dd14d77bbee123a15fe1c3.acme.invalid from 192.185.128.162:443. Received 3 certificate(s), first certificate had names "*.ehosts.com, ehosts.com", marijuana-news.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 7fc98064b3e85f4fbefbe85e82a9e9f7.f706b3e5581f901a00dea3b55042202d.acme.invalid from 192.185.128.162:443. Received 3 certificate(s), first certificate had names "*.ehosts.com, ehosts.com", bac-pac.org (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 6c88d5ab44b3b756d4564a1cc9b0c6fa.dcd163b116186d6006bf69fd421d4e66.acme.invalid from 192.185.128.162:443. Received 3 certificate(s), first certificate had names "*.ehosts.com, ehosts.com"

IMPORTANT NOTES:

  • If you lose your account credentials, you can recover through
    e-mails sent to occupysf@unseen.is.

  • The following errors were reported by the server:

    Domain: greenrushgeneralstore.net
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    ae74dcdea2d746f68558fbb590032435.2c94f59598d770b0336ef654f34d4361.acme.invalid
    from 192.185.128.162:443. Received 3 certificate(s), first
    certificate had names "*.ehosts.com, ehosts.com"

    Domain: extraordinaryremedies.com
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    0b6334b92475bb1f7e4a572c2d55349f.5da847b75e51c08310de03554e4d4dbd.acme.invalid
    from 192.185.128.162:443. Received 3 certificate(s), first
    certificate had names "*.ehosts.com, ehosts.com"

    Domain: ganja-mon.com
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    1c02cc21406cf1251d0edaa7e2622bed.1274a24dc5dd14d77bbee123a15fe1c3.acme.invalid
    from 192.185.128.162:443. Received 3 certificate(s), first
    certificate had names "*.ehosts.com, ehosts.com"

    Domain: marijuana-news.org
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    7fc98064b3e85f4fbefbe85e82a9e9f7.f706b3e5581f901a00dea3b55042202d.acme.invalid
    from 192.185.128.162:443. Received 3 certificate(s), first
    certificate had names "*.ehosts.com, ehosts.com"

    Domain: bac-pac.org
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    6c88d5ab44b3b756d4564a1cc9b0c6fa.dcd163b116186d6006bf69fd421d4e66.acme.invalid
    from 192.185.128.162:443. Received 3 certificate(s), first
    certificate had names "*.ehosts.com, ehosts.com"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    Hieromonks-MacBook-Air:~ hieromonk$


#4

and then I tried just the --config etc

Hieromonks-MacBook-Air:~ hieromonk$ sudo certbot --config-dir, --work-dir, --logs-dir
Password:
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --logs-dir: expected one argument
Hieromonks-MacBook-Air:~ hieromonk$ sudo certbot --config-dir
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] …

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --config-dir: expected one argument
Hieromonks-MacBook-Air:~ hieromonk$


#5

Hi @ganjahji,

I didn’t realize this before, but you’re apparently running Certbot on your personal laptop and not on the web server where the sites are actually hosted. The errors that you’re subsequently seeing are because Certbot expects to be run on the server that hosts the sites. (It will try to make configuration changes to the web site directly, which is the main benefit of Certbot!) The normal way to do this is to log into the web server via ssh and then run Certbot there.

It is possible to run Certbot on your laptop instead of on the web server, but not very highly recommended; for example, in this case it won’t be able to renew the certificates automatically and you’ll have to repeat the process every 90 days. The way to do this is with certbot --manual, which can prompt you for the steps to take to prove your control over the web server. However, in this case there’s comparatively little advantage to using Certbot instead of something like https://zerossl.com/, which will do the same thing inside of a web interface. In either case, you’ll need a way to upload the resulting certificates and keys to the web server and then tell the web server to make use of them.


#6

I am in contact with server…they did generate a CSR but I don’t know how to install and their techs would rather sell an expensive SSL
From my website as admin do I use some css or ???


#7

ok…trying zerossl and how do I do the next step here
To verify domain ownership using HTTP verification, you will need to create appropriate files with specific text strings under your “webroot/.well-known/acme-challenge/” directory, where “webroot” is the main directory with your website pages.
thanks again…getting further


#8

I was going to say that this is a whole other layer and set of technologies than those that you may have used before as a web designer (not directly related to CSS or HTML).

ZeroSSL will probably be a good approach to using the CSR. What it’s asking for there is for you to create a file in a specified location on your sites with specified contents. The location is /.well-known/acme-challenge/ and you need those files to be placed in the right place so that they appear when someone navigates to (for example) http://greenrushgeneralstore.net/.well-known/acme-challenge/the-zerossl-specified-file-name

… replacing the-zerossl-specified-file-name with the name of the file that ZeroSSL told you to use in connection with greenrushgeneralstore.net. Does that make sense?


#9

Sort of. Since these changes need to made at ehost I am contacting them with this current info. :nerd_face::disappointed:


#10

I am confused…I am in cPanel and in files but unable to go further not really knowing what I am doing


#11

Suppose you wanted there to be a file http://greenrushgeneralstore.net/hello.html that contained the word “Hello!”. Would you know how to make that happen?

In this case, ZeroSSL is going to tell you to make there be a file http://greenrushgeneralstore.net/.well-known/acme-challenge/somethinesomethingsomething with specific contents. Can you make that happen?

If you can’t update particular locations within your site with particular contents, you won’t be able to use this method.


#12

Ok…on the server I have file maintenance but I am not sure I know how to do this …it did allow me to make a file in public_html called webfoot so I know I can mess with it and am willing to just make a file called whatever but do not want to bring the system down (which I did to my site when I used zeros for the Mac and tried to import the CSR and key generated)

The file manager didn’t like putting a “/” if just trying http:/ I am unsure anything will work and I will call the server and see if they can help.

Thank you for your assistance…perhaps you know of a page or manual I need to read (or the appropriate selection) to write what I need to Public_HTML as the server replied earlier.

I can write but the syntax won’t take or I am unfamiliar with the proper syntax to use.


#13

Sorry, I didn’t really understand what you described doing. Could you rephrase it somehow?

The idea that I’m going for here is that you’ll need to be able to post something in a specific exact location on your web site (chosen by someone else). If you could run Certbot on the web server, it could do this for you. If you can’t, you have to be able to do it yourself in order to prove that you control the domain names.


#14

OK, it’s not too easy to follow what exactly you are doing, but if I got this part right, you have public_html folder. Usually it is the directory where your site pages go, so technically it is what’s called “webroot”. You do not need to create any “webroot” or “webfoot” file or directory, you just need to find the directory which serves as so-called “webroot”. In your case it’s public_html.

Within public_html you then need to create a .well-known directory (the dot in front of it is mandatory) and within this newly created one, you create acme-challenge directory. This will be the place where verification files go.

As for the bringing system down - enabling SSL does not mean system needs to go down, once SSL configuration is in place, reloading or restarting the web server will do the job just fine, without any noticeable pause in services.
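An added example, not code from this thread or from Certbot or ZeroSSL, of what posts #8, #11 and #14 describe: placing the challenge file under the webroot (public_html → .well-known → acme-challenge) and then confirming it comes back at the exact URL a CA would fetch. The token, the file contents and the loopback web server are constructed stand-ins for the values ZeroSSL would hand out and for the hosting provider's server.

```python
import functools
import http.server
import os
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Directory below the webroot that the CA (or ZeroSSL) fetches from.
CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")

def place_challenge(webroot, token, content):
    """Create webroot/.well-known/acme-challenge/<token> and return its path."""
    if not token or "/" in token or token.startswith("."):
        raise ValueError("token must be a plain file name")
    target_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target_dir, exist_ok=True)  # public_html -> .well-known -> acme-challenge
    path = os.path.join(target_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(content)
    return path

def fetch_challenge(base_url, token):
    """GET the challenge URL exactly as a CA would; return '' on an HTTP error."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.read().decode("ascii").strip()
    except urllib.error.HTTPError:
        return ""

def check_served(webroot, token, content):
    """Serve webroot on loopback (stand-in for the host) and check the file is reachable."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as httpd:
        port = httpd.server_address[1]
        threading.Thread(target=httpd.serve_forever, daemon=True).start()
        try:
            return fetch_challenge(f"http://127.0.0.1:{port}", token) == content
        finally:
            httpd.shutdown()

def demo():
    """Run with constructed values; returns (file_found, missing_file_rejected)."""
    webroot = tempfile.mkdtemp()
    token = "constructed-token-AbC123"  # constructed, not a real ACME token
    content = token + ".constructed-account-thumbprint"  # constructed contents
    place_challenge(webroot, token, content)
    return (check_served(webroot, token, content),
            not check_served(webroot, "no-such-token", content))

if __name__ == "__main__":
    print(demo())  # prints (True, True)
```

On a real host, point the same fetch at http://yourdomain/.well-known/acme-challenge/<token> before telling ZeroSSL to verify; if that URL does not return the expected text, the challenge will fail just as in the transcripts above.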


#15

OK…I created Webfoot and got the text file up then read what you wrote so went back and created .well-known in public_html and then added acme-challenge to .well-known but got this back

sudo certbot --apache certonly
Password:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated) (Enter 'c' to cancel):greenrushgeneralstore.net
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for greenrushgeneralstore.net
No vhost exists with servername or alias of: greenrushgeneralstore.net (or it’s in a file with multiple vhosts, which Certbot can’t parse yet). No vhost was selected. Please specify ServerName or ServerAlias in the Apache config, or split vhosts into separate files.
Falling back to default vhost :443…
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. greenrushgeneralstore.net (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge. Requested 5976ab1933e43ebc3d9e5de6f7eb1461.770580869423cd0ff282164bc70dcdff.acme.invalid from 192.185.128.162:443. Received 3 certificate(s), first certificate had names "*.ehosts.com, ehosts.com"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: greenrushgeneralstore.net
    Type: unauthorized
    Detail: Incorrect validation certificate for TLS-SNI-01 challenge.
    Requested
    5976ab1933e43ebc3d9e5de6f7eb1461.770580869423cd0ff282164bc70dcdff.acme.invalid
    from 192.185.128.162:443. Received 3 certificate(s), first
    certificate had names "*.ehosts.com, ehosts.com"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

I am so close…I am going to delete webroot and run zerossl again with ehost CSR and see what happens…but you may have some further comments and I am ALL ears if you do. Many thanks !!!


#16

Hi @ganjahji,

When I said that you would have to make a specific .well-known/acme-challenge file, that is only the case with ZeroSSL or with certain ways of running Certbot. And in this case it’s not just that .well-known/acme-challenge has to exist, but that the software that’s obtaining the certificate will specifically tell you “Now, create this file within acme-challenge with these contents…” at the right moment. Since you weren’t told that, you didn’t satisfy the challenge.

sudo certbot --apache certonly does not work this way, and is only applicable if run on the web server, not on your own laptop. What you saw was, just like before, Certbot tried to make the changes itself automatically, and couldn’t because it wasn’t running on the web server. Certbot is primarily designed for people who have administrative access directly to their own web servers and can install it there. In the situation that you’re in, I think I would suggest using ZeroSSL instead.


#17

ehost says they will not accept free SSL so I am going to cancel and do you suggest a compatible hosting service? hopefully free…


#18

Maybe one of these providers: Web Hosting who support Lets Encrypt

Generally the providers on that list actually obtain the certificate for you (if you want), as opposed to just allowing you to get one on your own.


#19

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.