lewsr
February 20, 2020, 4:45pm
1
I installed letsencrypt on my domain following the instructions from an application installation script for FusionPBX. The encryption worked fine, but I cannot add encryption for a subdomain. I added the subdomain to my A and AAAA records. I get an error when I try to rerun letsencrypt with the subdomain.
Does anyone know the correct way to add a subdomain using dehydrated, which was the method I used when I followed the installation script for FusionPBX.
My domain is: pyrtelcom.net
I ran this command: ./letsencrypt.sh
It produced this output:
root@localhost:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt-auto -d exemple.com -d subdomain.mydomain.com --dry-run
-bash: ./letsencrypt-auto: No such file or directory
root@localhost:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh -d exemple.com -d subdomain.mydomain.com --dry-run
Domain Name: mydomain.com subdomain.mydomain.com
Email Address: me@myemail.com
fatal: destination path ‘dehydrated’ already exists and is not an empty directory.
INFO: Using main config file /etc/dehydrated/config
Account already registered!
INFO: Using main config file /etc/dehydrated/config
Processing mydomain.com with alternative names: subdomain.mydomain.com
Checking domain name(s) of existing cert… changed!
Domain name(s) are not matching!
Names in old certificate: mydomain.com
Configured names: subdomain.mydomain.com mydomain.com
Forcing renew.
Checking expire date of existing cert…
Valid till May 10 12:51:16 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
Signing domains…
Generating private key…
Generating signing request…
Requesting new certificate order from CA…
Received 2 authorizations URLs from the CA
Handling authorization for mydomain.com
Found valid authorization for mydomain.com
Handling authorization for subdomain.mydomain.com
1 pending challenge(s)
Deploying challenge tokens…
Responding to challenge for subdomain.mydomain.com authorization…
Cleaning challenge tokens…
Challenge validation has failed
ERROR: Challenge is invalid! (returned: invalid) (result: {
“type”: “http-01”,
“status”: “invalid”,
“error”: {
“type”: “urn:ietf:params:acme:error:connection”,
“detail”: “Fetching https://subdomain.mydomain.com/.well-known/acme-challenge/Abcdef-ghijkl-mnopq-rstuv-wxyz1-2345-678901011: Connection refused”,
“status”: 400
},
“url”: “https://acme-v02.api.letsencrypt.org/acme/chall-v3/1234567890/50s2LA ”,
“token”: “Abcdef-ghijkl-mnopq-rstuv-wxyz1-2345-678901011”,
“validationRecord”: [
{
“url”: “http://subdomain.mydomain.com/.well-known/acme-challenge/Abcdef-ghijkl-mnopq-rstuv-wxyz1-2345-678901011 ”,
“hostname”: “subdomain.mydomain.com ”,
“port”: “80”,
“addressesResolved”: [
“45.xxx.xxx.xxx”,
“2600:xxxx::xxxx:xxxx:xxxx:xxxx”
],
“addressUsed”: “2600:xxxx::xxxx:xxxx:xxxx:xxxx”
},
{
“url”: “http://subdomain.mydomain.com/.well-known/acme-challenge/Abcdef-ghijkl-mnopq-rstuv-wxyz1-2345-678901011 ”,
“hostname”: “subdomain.mydomain.com ”,
“port”: “80”,
“addressesResolved”: [
“45.xxx.xxx.xxx”,
“2600:xxxx::xxxx:xxxx:xxxx:xxxx”
],
“addressUsed”: “45.xxx.xxx.xxx”
},
{
“url”: “https://subdomain.mydomain.com/.well-known/acme-challenge/Abcdef-ghijkl-mnopq-rstuv-wxyz1-2345-678901011 ”,
“hostname”: “subdomain.mydomain.com ”,
“port”: “443”,
“addressesResolved”: [
“45.xxx.xxx.xxx”,
“2600:xxxx::xxxx:xxxx:xxxx:xxxx”
],
“addressUsed”: “2600:xxxx::xxxx:xxxx:xxxx:xxxx”
}
]
})
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
root@localhost:/usr/src/fusionpbx-install.sh/debian/resources#
My web server is (include version):
The operating system my web server runs on is (include version):debian 9
My hosting provider, if applicable, is: linode
I can login to a root shell on my machine (yes or no, or I don’t know):yes
I’m using a control panel to manage my site (no, or provide the name and version of the control panel):no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot):
Hi @lewsr
there
is your error. Your subdomain port 80 works, but there is a redirect https, port 443 doesn't work.
If you want to use http validation, a working port 80 is required (without a redirect) or a redirect with a working destination is required.
When you get a certificate from Let’s Encrypt, our servers validate that you control the domain names in that certificate using “challenges,” as defined by the ACME standard. Most of the time, this validation is handled automatically by your ACME...
Looks like a bad idea having a redirect http -> https if you don't have a working certificate.
lewsr
February 20, 2020, 5:28pm
3
Hello Sir, and thank you for your response to my question. I checked my iptables and got this output:
root@localhost:/etc/iptables# cat rules.v4
Generated by iptables-save v1.6.0 on Tue Feb 4 15:12:39 2020
*mangle
:PREROUTING ACCEPT [30:1695]
:INPUT ACCEPT [30:1695]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [77:10003]
:POSTROUTING ACCEPT [77:10003]
-A OUTPUT -p udp -m udp --sport 16384:32768 -j DSCP --set-dscp 0x2e
-A OUTPUT -p udp -m udp --sport 5060:5091 -j DSCP --set-dscp 0x1a
-A OUTPUT -p tcp -m tcp --sport 5060:5091 -j DSCP --set-dscp 0x1a
COMMIT
Completed on Tue Feb 4 15:12:39 2020
Generated by iptables-save v1.6.0 on Tue Feb 4 15:12:39 2020
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [77:10003]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string “friendly-scanner” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string “friendly-scanner” --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string “sipcli/” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string “sipcli/” --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string “VaxSIPUserAgent/” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string “VaxSIPUserAgent/” --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string “pplsip” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string “pplsip” --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string "system " --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string “exec.” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string “exec.” --algo bm --to 65535 --icase -j DROP
-A INPUT -p udp -m udp --dport 5060:5091 -m string --string “multipart/mixed;boundary” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 5060:5091 -m string --string “multipart/mixed;boundary” --algo bm --to 65535 --icase -j DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 7443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060:5091 -j ACCEPT
-A INPUT -p udp -m udp --dport 16384:32768 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
Completed on Tue Feb 4 15:12:39 2020
root@localhost:/etc/iptables#
It appears to my untrained eye that port 443 is open.
FYI, I have never been able to get the wildcard or the subdomain portions of letsencrypt to work when using the dehydrated app.
lewsr
February 20, 2020, 5:52pm
4
I think my server is missing the config files to make the subdomain encryption work, but I cannot find any help files to fix this. I keep getting the following error when I try to add encryption to the subdomain:
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful
cat: /etc/dehydrated/certs/subdomain.mydomain.com/fullchain.pem: No such file or directory
cat: /etc/dehydrated/certs/subdomain.mydomain.com/privkey.pem: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/cert.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/chain.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/fullchain.pem’: No such file or directory
cp: cannot stat ‘/etc/dehydrated/certs/subdomain.mydomain.com/privkey.pem’: No such file or directory
Remove your redirect http -> https.
Your port 80 works.