Centos 6 -- dead-end instructions


#1

I’ve been following the site’s instructions down a rathole for hours, and finally came to a dead end.

My server is Centos 6. The instructions for Centos 6 say:

Certbot’s DNS plugins which can be used to automate obtaining a wildcard certificate from Let’s Encrypt’s ACMEv2 server are not available for your OS yet. This should change soon but if you don’t want to wait, you can use these plugins now by running Certbot in Docker instead of using the instructions on this page.

If you follow that link, then the link for “Install Docker,” then click “Linux” and “Centos 6” in the left column, then the link for “make sure you meet the prerequisites”, you see:

To install Docker CE, you need a maintained version of CentOS 7

Aaargh!


#2

Simple answer: use a different client. Particularly if you want DNS support, look at acme.sh.


#3

Tried it. Got lots of errors. Now I’ve hit some sort of weekly limit at LetsEncrypt, and I’m dead in the water until next week.

The hype: “Automatic: Software running on a web server can interact with Let’s Encrypt to painlessly obtain a certificate, securely configure it for use, and automatically take care of renewal.”

The reality: You have to be a f*g professional server admin wizard to make any of this stuff work.


#4

However, I believe the weekly limits only applied if you have successfully requested the certificate…
Other limits are by hours / seconds…

Thank you


#5

…such as…?

The only way you hit a weekly limit is if you’ve successfully issued certs. The limits relating to failed authorizations and such are typically per-hour.

I guess that’s why I, a lawyer whose last tech-related job was phone tech support for an ISP 20 years ago, have been able to successfully use it on over a dozen systems.

Do you want help, or do you just want to complain? If you want to complain, well, carry on, I guess. If you want help, you’re going to need to do a much better job of describing exactly what you’re doing, and what happens when you do it.


#6

First off, please put your brain back in your pants, I’m really not interested in its impressive size.

So, I installed the acme.sh according to instructions. The very first thing it does is print in red letters:

It is recommended to install socat first.
We use socat for standalone server if you use standalone mode.
If you don’t use standalone mode, just ignore this warning.

Well, OK, don’t bother to tell me how to do that, or even what it is – I’m sure I can flail around for a while and become a socat expert. Am I using “standalone mode?” I haven’t the faintest idea, I don’t even know what that means. Maybe I’ll just take the final advice and ignore that warning.

So I set up to create a multiple-name certificate. Every time I run it, it displays a whole bunch of “The new authz request is OK,” then pukes with some variation of: "Verify error:Invalid response from http://server.wickenburg.us/.well-known/acme-challenge/TvmtFclYC4FToM02xIsJ20oU5mHYitei2ZLK7BcW-h0." The script encourages me to read the page on how to debug acme. It basically just says I should add either --debug, --log, or both. I run --log, and it drowns me in irrelevant detail, but it doesn’t tell me anything more enlightening about the actual error. Ditto for --debug.

After a while, I decide maybe this is what standalone mode looks like when you don’t have socat. Fine. So I see there’s an option to use “Apache mode” instead. I try that. It starts running, gets a couple “new authz request is OKs,” then displays in big red letters:

  new-authz error: {"type":"urn:acme:error:rateLimited","detail":"Error creating new authz :: 
        too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/","status": 429}

I go there, and it tells me that the bottom line is that I have to wait a week before I can try to make any more certificates. Lovely.

Now, when I started the “Apache mode,” the script displayed:

JFYI, Config file /etc/apache2/conf/httpd.conf is backuped to /root/.acme.sh/httpd.conf
In case there is an error that can not be restored automatically, you may try restore it yourself.
The backup file will be deleted on success, just forget it.

Well, there was an error. Could it be restored automatically? Hard to tell. There’s no httpd.conf in that dir, but there is an httpd.header. Since I’m not particularly familiar with any of these files, good luck to me.


#7

Hi @macsrwe

This is your limit:

Failed Validation limit of 5 failures per account, per hostname, per hour

One hour later, it’s gone.

PS: There, at https://server.wickenburg.us/, is a cPanel certificate. If you use cPanel, there is a Let’s Encrypt add-in, which may work.

And you may use certbot with the --manual option to create a wildcard certificate manually.
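The “Invalid response from http://…/.well-known/acme-challenge/…” error in #6 and the 5-failures-per-hostname-per-hour limit in #7 go together: every misconfigured attempt against the real CA spends one of those five. The pre-flight check below is an example added here (not acme.sh, certbot or cPanel code) that places a throwaway token under a webroot and fetches it over HTTP the way the validator would, so the wrong-docroot case is caught locally; the localhost server and temporary directories are constructed stand-ins for the real Apache host.

```python
"""Pre-flight check for an ACME HTTP-01 challenge path (example added here, not
acme.sh or certbot code): catch a wrong webroot locally instead of spending the
CA's failed-validation budget of 5 per account, per hostname, per hour."""
import functools, http.server, os, secrets, tempfile, threading
import urllib.error, urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def write_probe_token(webroot):
    """Drop a throwaway token file where the real challenge file would go."""
    token = secrets.token_urlsafe(32)
    path = os.path.join(webroot, CHALLENGE_DIR, token)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(token)
    return token, path


def probe_challenge(base_url, token, timeout=5.0):
    """Fetch the token the way the CA's validator would; return a verdict string."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
    except urllib.error.HTTPError as e:
        return f"http-{e.code}"   # 404: the server's docroot is not this webroot
    except (urllib.error.URLError, OSError):
        return "unreachable"      # wrong host/port, firewall, nothing listening
    return "ok" if body == token else "body-mismatch"  # catch-all page or redirect


def serve_dir(directory):
    """Constructed stand-in for Apache: serve `directory` on a random localhost port."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


def demo():
    """Probe a webroot the server really serves, then one it does not."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as wrong:
        srv, url = serve_dir(good)
        good_token, _ = write_probe_token(good)
        wrong_token, _ = write_probe_token(wrong)   # file exists, but not under docroot
        verdicts = (probe_challenge(url, good_token), probe_challenge(url, wrong_token))
        srv.shutdown()
        return verdicts   # ("ok", "http-404")
```

Against a real host, call `write_probe_token` with the directory you pass as webroot and `probe_challenge` with `http://<hostname>`; anything other than "ok" means a real ACME attempt would fail the same way.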


#8

You are right, sir. I ran it again, and hit no limit… but the Apache-method process hit the same sort of “verify error” on the “acme challenge” that the other one did. The log shows this error followed by a raft of separate posts that report codes 202 and 400.


#9

Hi @macsrwe,

Do you specifically need a wildcard certificate? Who is your DNS provider?


#10

Bingo. I was able to activate the cPanel addin and tickle it into working. Thank you!


#11

I needed a certificate with multiple hostnames, not a wildcard certificate.

Since you’re from certbot, perhaps you can get somebody to address the original complaint about the instructions for Centos 6 not really working on Centos 6. Thanks.


#12

OK, the Docker advice was only meant for people who needed a wildcard certificate. You can probably do well with certbot-auto, which is described at the top of the page that you were looking at.

(notice the text in bold that you quoted; it’s meant to be specific to “obtaining a wildcard certificate” as opposed to non-wildcard certificates, which have different requirements according to Let’s Encrypt policy)

Yes, definitely. I’m sorry about that and I appreciate your pointing it out. I’ve filed a bug about this issue.


#13

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.