Certbot and GetSSL missing dependencies - acme.sh works on Namecheap/CloudLinux!


#1

I’ve achieved a much higher level of ignorance!
I have SSH, opened a PuTTY session with dual keys.
Installed Certbot =>
./certbot-auto and ./certbot-auto --apache
give the same error:
“sudo” is not available, will use “su” for installation steps…
** Sorry, I don’t know how to bootstrap Certbot on your operating system!

You will need to install OS dependencies, configure virtualenv, and run pip install manually.
Please see https://letsencrypt.readthedocs.org/en/latest/contributing.html#prerequisites
for more info.

Then tried w getSSL:

[pcmhrdzd@server122 ~]$ curl --silent https://raw.githubusercontent.com/srvrco/getssl/master/getssl > getssl ; chmod 700 getssl

[pcmhrdzd@server122 ~]$ ./getssl -c www.PCMHpcc.com
getssl: this script requires one of: nslookup drill dig host

WGET works, as did curl; YUM does not.

Then tried acme.sh, which ALMOST worked, but got
Verify error:Invalid response from http://www.pcmhpcc.com/.well-known/acme-challenge/
I tried several times, with the same error, and sent a log to the author.

Other than that there were no errors, so Acme.sh is probably my best bet.


Here’s what’s on the server:
CloudLinux 6.x
Apache: 2.2.31
Codeguard: included to all shared plans, more details can be found here
cPanel: 11.58.0
cURL: 7.37.1 and 7.38.0
CXS: installed on all shared servers
Git: enabled
SEO: included to all shared packages; more information can be found in this article
Imagick module: 3.1.2 (3.4.3 for ‘native’ PHP version)
IonCube PHP Loader: 4.6.1
Mod_Rewrite: enabled
Mod_Security: enabled, more details can be found here
MySQL (for older servers): 5.5.32
MariaDB (for newer servers): 10.1.13

NOTE: We are currently performing hosting accounts transfer to the newer servers. Thus, all the accounts will be using MariaDB instead of MySQL in the nearest future.
Mysqli Support: enabled
Perl: 5.10.1
PHP: 5.4.43 (5.4 native), 5.3.29 (5.3 native) with 5.2 - 5.6, 7.0 available, more details can be found here
PHP modules: full list of PHP modules and extensions can be found here
Python: 2.6.6
Rails: 2.3.18
Ruby: 1.8.7
ZendGuard Loader: 3.3



#2

Hi @VWFeature

First of all, thanks for providing the information which can help advise you :smiley:

Certbot requires Python 2.7 plus, and you are running 2.6.6.

If you want to go with GetSSL then I think it’s a good idea.

The challenge I believe you are facing is that GetSSL will not modify your Apache files to let the world access the /.well-known/acme-challenge/ directory. Usually we ask you to add a test file with some random numbers in it. Note: the test file, like the required files from Let’s Encrypt, must not have an extension.

Once you can serve files reliably you can go and complete the required steps for the challenge.

@serverco is the maintainer of this particular client.

@serverco - I had a quick look at your script - does it add the challenge to a webroot? If so, how do you specify a web root directory?

Andrei


#3

Thanks Andrei,
I went on to use acme.sh which does change ownership of the files in the /.well-known/acme-challenge/ directory. It also sets up the cron job automagically.

I’m getting an error validating the files in the /.well-known/acme-challenge directory even though it’s set to 777. Any ideas?

I have ‘jailed’ SSH which mostly confines me to my directories.


#4

Try putting a text file in the .well-known/acme-challenge/ directory and see if you can access it with a web browser. Try using a filename without the .txt extension, as that’s what acme.sh will do.

If you can’t access that file, you might need to make some changes to your server configuration so that you can. Then try running acme.sh again.


#5

I found a way that worked using acme.sh !!

I tried putting a text file in the .well-known or .well-known/acme-challenge/ directories, which absolutely did not work.
I asked support ‘which is the highest level writable directory visible to the web?’ which turns out to be (CloudLinux) /home/myUsername/public_html
If I put it there, it can be seen on the web. Namecheap installs acme.sh in the
/home/myUsername/ directory (NOT public_html), so root => cd /.acme.sh
and working from there, the acme.sh command
./acme.sh --issue -d www.WEBSITE.com -w /home/myUsername/public_html -d WEBSITE.com
succeeded! The instructions on GitHub are a little misleading, as the -w should be the highest directory visible on the web. You should not repeat your domain name there, as the example on GitHub seems to show.
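The test from #4 and the webroot point from #5 can be checked mechanically. The script below is an added example, not code from the thread, acme.sh or Certbot: it writes an extension-less token file under `<webroot>/.well-known/acme-challenge/` the way a webroot-mode client does, then fetches the URL a validator would request. Everything is constructed so it runs offline: a temporary directory stands in for the directory the virtual host actually serves (`/home/myUsername/public_html` in the thread), a local `http.server` stands in for Apache, and the file body is a stand-in for the real key authorization. The `demo()` function contrasts the correct webroot with the mistake described above (`-w` pointing at `<webroot>/<domain>`), which buries the token one level too deep and yields a 404.

```python
"""Added example (not from the thread, acme.sh or Certbot): check that an
HTTP-01 challenge file dropped under a candidate webroot is reachable at the
URL a validator will request, http://<host>/.well-known/acme-challenge/<token>.

Constructed setup: a temporary directory stands in for the directory the
virtual host actually serves, and a local http.server stands in for Apache,
so the check runs offline.
"""
import functools
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


def place_token(webroot):
    """Write an extension-less token file under webroot/.well-known/acme-challenge/,
    the way a webroot-mode client does. Returns (token, body)."""
    token = secrets.token_urlsafe(32)  # URL-safe alphabet, so no '.' and no extension
    # Constructed stand-in for the real key authorization (token.thumbprint).
    body = token + ".constructed-account-key-thumbprint"
    target = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(target, exist_ok=True)
    with open(os.path.join(target, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):
        pass  # suppress per-request logging


def fetch_challenge(document_root, token):
    """Serve document_root on 127.0.0.1 and GET the challenge URL, as the
    validator would. Returns (HTTP status, body)."""
    handler = functools.partial(_QuietHandler, directory=document_root)
    with socketserver.TCPServer(("127.0.0.1", 0), handler) as srv:
        port = srv.server_address[1]
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        url = "http://127.0.0.1:%d/.well-known/acme-challenge/%s" % (port, token)
        try:
            with urllib.request.urlopen(url, timeout=5) as resp:
                status, body = resp.status, resp.read().decode("ascii", "replace")
        except urllib.error.HTTPError as err:
            status, body = err.code, ""
        finally:
            srv.shutdown()
    return status, body


def demo(domain="example.com"):
    """Right webroot (the directory the vhost serves) versus the mistake in the
    thread: pointing -w at webroot/<domain>, which buries the token one level
    too deep so the validator gets a 404."""
    with tempfile.TemporaryDirectory() as served_root:
        token, body = place_token(served_root)
        ok_status, ok_body = fetch_challenge(served_root, token)

        wrong_root = os.path.join(served_root, domain)
        token2, _ = place_token(wrong_root)
        bad_status, _ = fetch_challenge(served_root, token2)
    return ok_status, ok_body == body, bad_status


if __name__ == "__main__":
    print(demo())  # expect (200, True, 404)
```

On a real shared host the equivalent check is to fetch `http://www.example.com/.well-known/acme-challenge/<token>` from outside the server (a browser or `curl -i`) after placing the file: a 404 means the file is not where the server looks for it, so the `-w` path is wrong; a 403 means something in the server configuration is refusing to serve it, and permissions or access rules, not the path, need attention. Neither case is fixed by `chmod 777`; the file only needs to be readable by the web server user and its parent directories traversable, and a world-writable challenge directory lets any other process on the host plant or replace tokens.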


#6

Hi @VWFeature, could you tell me which documentation you’re referring to, and maybe we can get it updated?

Maybe there is an example that uses something like /var/www/example.com? This would be because many hosting setups do use the domain name as part of the directory path (to indicate where files for one site go as opposed to files for another site). But if we have an example like that, I can see why it might give the wrong impression that the domain name will always be part of the path.

The way you’ve described it (the highest directory visible on the web) is correct and is what we intended to convey with our documentation. So maybe there’s some way our documentation could be improved.


#7

Or were you looking at acme.sh documentation on GitHub as opposed to Certbot documentation?


#8

All of this refers to acme.sh documentation on GitHub. Since I don’t have root, I can’t use Certbot at all. Suggest you adopt acme.sh methods into Certbot, because it works on shared hosting without root?

I would recommend all users try acme.sh if Certbot doesn’t work immediately.

Since I’ve installed the certs using cPanel I’m able to use ‘full’ SSL with Cloudflare.
Another useful user instruction would be to tell users to ask their hosting providers which is the highest web-facing, writable directory. If that’s easy, perhaps putting that info in the instructions for specific hosts. I was able to tell acme.sh which directory to use.


#9

@Neilpang, I guess this is a suggestion to you, and probably refers to the documentation where you wrote

The parameter /home/wwwroot/example.com is the web root folder.

Maybe you can more clearly explain what “the web root folder” means by defining it in another way. (I do think that concern also applies to some of our Certbot documentation!)


#10

hi @VWFeature

Suggest you adopt acme.sh methods into Certbot

That’s really up to the writer of the client. Each client has different approaches for how they solve the problems, and what works for one client may not work for another due to language etc. For example, something that takes one line in PowerShell may be 10-30 lines in another language.

I would recommend all users try acme.sh if Certbot doesn’t work immediately.

That’s a very broad statement. Selection of a client is about the right tool for the job, not what you can or can’t install. Certbot works really well in most scenarios and acme.sh works really well in other scenarios as well.

cPanel

Are you aware that cPanel has their own Let’s Encrypt plugin for exactly what you are describing? It’s called AutoSSL and you can find out more about it here.

The take-home I am trying to get across is that making a blanket statement, “use this if that doesn’t work”, is how we get people who spend lots of time on a client that is not suitable for their needs instead of spending some time selecting a client fit for purpose.

Andrei


#11

Hi Andrei,
Does LE have an algorithm to help people choose which client is best for them?

E.g., HAS ROOT? Yes then Certbot (is that correct?),
if not, ok for acme or getssl?

I wasted a lot of time on Certbot.

And to use cPanel for LE (which would be ideal), the hosting company has to BUY a license for letsencrypt-for-cpanel per server, and of course that eliminates the business INCOME the hosting company has reselling SSL certificates.

Anyway, I finally succeeded with acme.sh, without root, and the only real problem was knowing where the hosting company considered the web root. As they say, YMMV.


#12

And to use cPanel for LE (which would be ideal), the hosting company has to BUY a license for letsencrypt-for-cpanel per server, and of course that eliminates the business INCOME the hosting company has reselling SSL certificates.

Once again be careful - FleetSSL is a separate client developed by MyOffice24x7 - it’s not AutoSSL, which is a cPanel initiative.

Does LE have an algorithm to help people choose which client is best for them?

Not that I am aware. Reading the posts most people do not articulate their client choice so it’s something that perhaps needs to be elicited. Once again it’s hard to make a decision tree without knowing how others go about it

I am also hesitant about making recommendations as people tend to have the concept you recommended it so you make it work for me approach. My preference would be a considerations document and then people can post - this is what I have I think this client will work well.

Knowing the root folders of your web servers is something that you should have anyway IMHO.

Andrei


#13

thank you. I will update the doc soon.

