Can not see web pages anymore after running ./letsencrypt.sh


#1

Please help
I was following this instruction, but errors were shown and I can’t get to the pages even using the IP address, but I can SSH

2.1.3 Let’s Encrypt
Let’s Encrypt is one of the most recent and widely used forms of free SSL security and supports wildcard DNS. You
can use Let’s Encrypt with your FusionPBX install and WebRTC like Verto Communicator.
2.1.3.1 Dehydrated (Recommended)
FusionPBX has an option to easily and quickly install SSL with Let’s Encrypt using letsencrypt.sh. With this script
you can choose either to request an SSL certificate with wildcard (*.domain.tld) or hostnames (domain.tld).
The letsencrypt.sh will do the following:
• Download dehydrated.
• Request an SSL certificate from Let’s Encrypt.
• Configure NGINX to use the SSL certificate.
• Combine and place SSL certificate in the proper FreeSWITCH directory for using TLS.
• Test and make sure the SSL cert works and outputs if successful.
Using letsencrypt.sh
With letsencrypt.sh you have the choice of creating an SSL certificate for a single domain (domain.tld), multiple sub
domains (sub.domain.tld, sub1.domain.tld, etc.domain.tld) or wildcard (*.domain.tld). The easy way however is using
the hostname method.
Hostname
To create a hostname or multiple hostname SSL certificate go to:
cd /usr/src/fusionpbx-install.sh/debian/resources/
Then execute the script.
./letsencrypt.sh
You should then see and follow the prompts.
Domain Name: domain.tld
Email Address: support@fusionpbx.com
After that, you should see the following output.
Cloning into ‘dehydrated’…
remote: Counting objects: 1914, done.
remote: Total 1914 (delta 0), reused 0 (delta 0), pack-reused 1914
Receiving objects: 100% (1914/1914), 616.01 KiB | 0 bytes/s, done.
Resolving deltas: 100% (1199/1199), done.

INFO: Using main config file /etc/dehydrated/config

  • Generating account key…
  • Registering account key with ACME server…
  • Done!

INFO: Using main config file /etc/dehydrated/config

  • Creating chain cache directory /etc/dehydrated/chains
    Processing domain.tld
  • Creating new directory /etc/dehydrated/certs/domain.tld …
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 1 authorizations URLs from the CA
  • Handling authorization for domain.tld
  • 1 pending challenge(s)
  • Deploying challenge tokens…
  • Responding to challenge for domain.tld authorization…
  • Challenge is valid!
  • Cleaning challenge tokens…
  • Requesting certificate…
  • Checking certificate…
  • Done!
  • Creating fullchain.pem…
  • Done!
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

My domain is: https://pbx4.numbercard.co.uk/

I ran this command: ./letsencrypt.sh

It produced this output: root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Domain Name: thenumbercard
Email Address: my@gmail.com
fatal: destination path ‘dehydrated’ already exists and is not an empty directory.

INFO: Using main config file /etc/dehydrated/config

  • Generating account key…
  • Registering account key with ACME server…
  • Done!

INFO: Using main config file /etc/dehydrated/config

  • Creating chain cache directory /etc/dehydrated/chains
    Processing thenumbercard
  • Creating new directory /etc/dehydrated/certs/thenumbercard …
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • ERROR: An error occurred while sending post-request to https://acme-v02.api.letsencrypt.org/acme/new-order (Status 400)

Details:
HTTP/1.1 100 Continue
Expires: Sat, 20 Oct 2018 20:34:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache

HTTP/1.1 400 Bad Request
Server: nginx
Content-Type: application/problem+json
Content-Length: 149
Boulder-Requester: 44207997
Replay-Nonce: JW6Hx7xHaZVmyRlX2pLNiJMLD29CJH-R48R1ETGCDu0
Expires: Sat, 20 Oct 2018 20:34:09 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Sat, 20 Oct 2018 20:34:09 GMT
Connection: close

{
“type”: “urn:ietf:params:acme:error:malformed”,
“detail”: “Error creating new order :: DNS name does not have enough labels”,
“status”: 400
}

nginx: [emerg] BIO_new_file("/etc/dehydrated/certs/numbercard.co.uk/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/dehydrated/certs/numbercard.co.uk/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
cat: /etc/dehydrated/certs/thenumbercard/fullchain.pem: No such file or directory
cat: /etc/dehydrated/certs/thenumbercard/privkey.pem: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/thenumbercard/cert.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/thenumbercard/chain.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/thenumbercard/fullchain.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/thenumbercard/privkey.pem’: No such file or directory
root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources#

My web server is (include version): nginx version: nginx/1.6.2

The operating system my web server runs on is (include version): Linux 3.16.0-7-amd64 #1 SMP Debian 3.16.59-1 (2018-10-03) x86_64 GNU/Linux

My hosting provider, if applicable, is: digitalocean

I can login to a root shell on my machine (yes or no, or I don’t know): YES

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): FusionPBX GUi


#2

Hi @deltukru

this isn’t a valid domain name. Same there:

Use your complete domain name pbx4.numbercard.co.uk - this domain name has 4 labels.


#3

Hi JuergenAuer,

thanks for your reply, I’m still getting the same problem after using complete domain name pbx4.numbercard.co.uk

also seem to have run into more problems
was getting 502 Bad Gateway after reinstalling nginx, I could see Welcome to nginx on Debian! but wasn’t able to get the old files to work

root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources# service nginx start
Job for nginx.service failed. See ‘systemctl status nginx.service’ and ‘journalctl -xn’ for details.
root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources#

root@DAAS-PBX3:/# cd /usr/src/fusionpbx-install.sh/debian/resources/
root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Domain Name:
Email Address: ^C
root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources#
root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Domain Name: pbx4.numbercard.co.uk
Email Address: del_64@hotmail.com
fatal: destination path ‘dehydrated’ already exists and is not an empty directory.

INFO: Using main config file /etc/dehydrated/config

  • Account already registered!

INFO: Using main config file /etc/dehydrated/config

Processing pbx4.numbercard.co.uk

  • Creating new directory /etc/dehydrated/certs/pbx4.numbercard.co.uk …
  • Signing domains…
  • Generating private key…
  • Generating signing request…
  • Requesting new certificate order from CA…
  • Received 1 authorizations URLs from the CA
  • Handling authorization for pbx4.numbercard.co.uk
  • 1 pending challenge(s)
  • Deploying challenge tokens…
  • Responding to challenge for pbx4.numbercard.co.uk authorization…
  • Cleaning challenge tokens…
  • Challenge validation has failed :frowning:
    ERROR: Challenge is invalid! (returned: invalid) (result: {
    “type”: “http-01”,
    “status”: “invalid”,
    “error”: {
    “type”: “urn:ietf:params:acme:error:unauthorized”,
    “detail”: “Invalid response from http://pbx4.numbercard.co.uk/.well-known/acme-challenge/TisBzg3gI1TJwKgZ2PA5Zz2ZrYGZhY-H0halbHPmUr8: “\u003chtml\u003e\r\n\u003chead\u003e\u003ctitle\u003e404 Not Found\u003c/title\u003e\u003c/head\u003e\r\n\u003cbody bgcolor=\“white\”\u003e\r\n\u003ccenter\u003e\u003ch1\u003e404 Not Found\u003c/h1\u003e\u003c/center\u003e\r\n\u003chr\u003e\u003ccenter\u003e””,
    “status”: 403
    },
    “url”: “https://acme-v02.api.letsencrypt.org/acme/challenge/hJLfMZg5Kohn7kgrvCHzUaT7a1XKvwNywpSNRFvSrMc/8485476133”,
    “token”: “TisBzg3gI1TJwKgZ2PA5Zz2ZrYGZhY-H0halbHPmUr8”,
    “validationRecord”: [
    {
    “url”: “http://pbx4.numbercard.co.uk/.well-known/acme-challenge/TisBzg3gI1TJwKgZ2PA5Zz2ZrYGZhY-H0halbHPmUr8”,
    “hostname”: “pbx4.numbercard.co.uk”,
    “port”: “80”,
    “addressesResolved”: [
    “104.248.175.19”
    ],
    “addressUsed”: “104.248.175.19”
    },
    {
    “url”: “https://pbx4.numbercard.co.uk/.well-known/acme-challenge/TisBzg3gI1TJwKgZ2PA5Zz2ZrYGZhY-H0halbHPmUr8”,
    “hostname”: “pbx4.numbercard.co.uk”,
    “port”: “443”,
    “addressesResolved”: [
    “104.248.175.19”
    ],
    “addressUsed”: “104.248.175.19”
    }
    ]
    })
    nginx: [emerg] BIO_new_file("/etc/dehydrated/certs/pbx4.numbercard.co.uk/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen(’/etc/dehydrated/certs/pbx4.numbercard.co.uk/fullchain.pem’,‘r’) error:2006D080:BIO routines:BIO_new_file:no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed
    cat: /etc/dehydrated/certs/pbx4.numbercard.co.uk/fullchain.pem: No such file or directory
    cat: /etc/dehydrated/certs/pbx4.numbercard.co.uk/privkey.pem: No such file or directory
    cp: cannot stat ‘/etc/dehydrated/certs/pbx4.numbercard.co.uk/cert.pem’: No such file or directory
    cp: cannot stat ‘/etc/dehydrated/certs/pbx4.numbercard.co.uk/chain.pem’: No such file or directory
    cp: cannot stat ‘/etc/dehydrated/certs/pbx4.numbercard.co.uk/fullchain.pem’: No such file or directory
    cp: cannot stat ‘/etc/dehydrated/certs/pbx4.numbercard.co.uk/privkey.pem’: No such file or directory
    root@DAAS-PBX3:/usr/src/fusionpbx-install.sh/debian/resources#

#4

Your configuration isn’t good.

http redirects to https, the certificate is invalid (self signed), but this isn’t a problem.

But: Your root

https://pbx4.numbercard.co.uk/

has a 502 - Bad Gateway.

The file Letsencrypt wants to load

https://pbx4.numbercard.co.uk/.well-known/acme-challenge/long-token

sends an http status 404, not a 502. So it looks like you have two running servers, or you have a different rule for root versus /.well-known/acme-challenge/.

PS: I can’t find an older certificate.

https://transparencyreport.google.com/https/certificates?cert_search_auth=&cert_search_cert=&cert_search=include_expired:true;include_subdomains:false;domain:pbx4.numbercard.co.uk&lu=cert_search

So you should first set up a normal webserver / port 80 without any redirects etc.
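
Added example, not part of the thread: a pre-flight check for the two failures discussed in replies #2 and #4, run before requesting a certificate. It rejects a name without enough labels, then places a probe file in the challenge directory and fetches it over port 80. The function names are hypothetical, and the challenge directory is an assumption to be taken from the host's dehydrated config.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Succeeds only for names with at least two non-empty DNS labels.
# "thenumbercard" has one label, which the CA rejects as malformed.
enough_labels() {
    case "$1" in
        ""|.*|*.|*..*) return 1 ;;  # empty name or empty label
        *.*) return 0 ;;
        *) return 1 ;;              # single label
    esac
}

# URL the CA fetches during http-01 validation.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write a probe file into the challenge directory and fetch it over port 80.
# $1 = domain, $2 = challenge directory (assumption: the WELLKNOWN value
# from /etc/dehydrated/config on the host).
probe_challenge() {
    enough_labels "$1" || { echo "not a full domain name: $1" >&2; return 2; }
    token="preflight-$$"
    { mkdir -p "$2" && printf '%s' "$token" > "$2/$token"; } || return 3
    # -L -k: follow the http-to-https redirect and ignore a self-signed
    # certificate on the way, which reply #4 says is not the problem.
    status=$(curl -s -L -k -m 10 -o /dev/null -w '%{http_code}' \
        "$(challenge_url "$1" "$token")") || true
    rm -f "$2/$token"
    echo "HTTP $status for $(challenge_url "$1" "$token")"
    [ "$status" = "200" ]
}
```

Anything other than HTTP 200 from `probe_challenge` means the web server is not serving the challenge directory, which is the 404 condition described in reply #4.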


#5

Thank you JuergenAuer,

Could you please let me know what gets changed so as to give a 502 Bad Gateway error after letsencrypt has been run? I’ve been checking all the conf files such as cat /etc/php/7.1/fpm/pool.d/www.conf and they all have the correct values; even after installing another instance so as to check and copy the configs, I’m still having problems getting to the web GUI.


#6

My question above is a bit long winded, what change would be made and how can it be undone and reversed?


#7

After staring at the screen for more than 20 hours straight, finally, I removed the 502 - Bad Gateway. I guess it goes into and messes with nginx if it fails as per above info.
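
Added example, not part of the thread: the `nginx: [emerg] BIO_new_file(...) failed` lines in both outputs above show the nginx configuration pointing at a `fullchain.pem` that was never issued, which stops nginx from starting. The check below lists every certificate or key path an nginx config references that is missing on disk and refuses to reload while any is missing. The function names are hypothetical, and the config files to scan are supplied by the caller.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Usage: safe_reload /etc/nginx/nginx.conf /etc/nginx/sites-enabled/*

# Print "<config>: <path>" for each ssl_certificate / ssl_certificate_key
# path in the given nginx config files that does not exist on disk.
missing_cert_files() {
    for conf in "$@"; do
        [ -f "$conf" ] || continue
        # Drop comments, then take the path argument of each directive,
        # without its trailing semicolon or double quotes.
        sed 's/#.*//' "$conf" |
        awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                 gsub(/[";]/, "", $2); print $2 }' |
        while read -r f; do
            [ -e "$f" ] || printf '%s: %s\n' "$conf" "$f"
        done
    done
}

# Reload nginx only when every referenced file exists and "nginx -t" passes,
# so a failed certificate request cannot take the web server down.
safe_reload() {
    missing=$(missing_cert_files "$@")
    if [ -n "$missing" ]; then
        echo "refusing to reload nginx; missing files:" >&2
        echo "$missing" >&2
        return 1
    fi
    nginx -t && service nginx reload
}
```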