Certbot & Raspberry Pi: which system to select to install?

I don't think you want to proxy the CNAME to your dynamic DNS service


Thanks. I don't understand, but I applied the advice in Cloudflare, and it does indeed look better, even from the pi itself:

ddclient-3.9.1> dig berry314.girod.fi | grep -A2 'ANSWER SECTION'
;; ANSWER SECTION:
berry314.girod.fi.	3600	IN	CNAME	berry314.dyndns-pics.com.
berry314.dyndns-pics.com. 3600	IN	A	86.44.5.225

Now, the certificate generation still fails (locally):

ddclient-3.9.1> sudo certbot certonly -d berry314.girod.fi
...
Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 86.44.5.225: Invalid response from http://berry314.girod.fi/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY: 404

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: berry314.girod.fi
   Type:   unauthorized
   Detail: 86.44.5.225: Invalid response from
   http://berry314.girod.fi/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY:
   404

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
ddclient-3.9.1> sudo tail -27 /var/log/letsencrypt/letsencrypt.log
2022-09-10 11:44:41,153:DEBUG:certbot.error_handler:Calling registered functions
2022-09-10 11:44:41,156:INFO:certbot.auth_handler:Cleaning up challenges
2022-09-10 11:44:41,161:DEBUG:certbot.plugins.webroot:Removing /home/marc/webroot/girod/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY
2022-09-10 11:44:41,170:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2022-09-10 11:44:41,176:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
    self._respond(aauthzrs, resp, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
    self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
certbot.errors.FailedChallenges: Failed authorization procedure. berry314.girod.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: 86.44.5.225: Invalid response from http://berry314.girod.fi/.well-known/acme-challenge/-IyZRmjOEebaImeIXP97--DACdvBJ_g8__wYkqkU1WY: 404

On Ubuntu, I have a later version of certbot (0.40.0) with the same stack trace, just different line numbers, it seems...


The 404 error usually means the webroot path you gave to certbot does not match the DocumentRoot in Apache. What does this show?

apachectl -t -D DUMP_VHOSTS

Sorry, the command I ran was:

sudo certbot certonly -d berry314.girod.fi

...to create the certs under:

ddclient-3.9.1> ll /home/marc/webroot/girod
total 8
drwxr-xr-x 2 marc marc 4096 Sep 10 11:44 .
drwxr-xr-x 4 marc marc 4096 Sep  8 11:03 ..

and install them later...
Your command yields:

ddclient-3.9.1> apachectl -t -D DUMP_VHOSTS
AH00526: Syntax error on line 33 of /etc/apache2/sites-enabled/default-ssl.conf:
SSLCertificateKeyFile: file '/etc/ssl/private/ssl-cert-snakeoil.key' does not exist or is empty
Action '-t -D DUMP_VHOSTS' failed.
The Apache error log may have more information.
ddclient-3.9.1> sudo ls -l /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1704 Aug 31  2019 /etc/ssl/private/ssl-cert-snakeoil.key

Misprotected? It is the default self-signed cert key...

ddclient-3.9.1> sudo grep APACHE_RUN_ /etc/apache2/envvars 
export APACHE_RUN_USER=www-data
export APACHE_RUN_GROUP=www-data
export APACHE_RUN_DIR=/var/run/apache2$SUFFIX
ddclient-3.9.1> sudo grep SSLCertificate /etc/apache2/sites-enabled/default-ssl.conf 
		#   SSLCertificateFile directive is needed.
		SSLCertificateFile	/etc/ssl/certs/ssl-cert-snakeoil.pem
		SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
		#   Point SSLCertificateChainFile at a file containing the
		#   the referenced file can be the same as SSLCertificateFile
		#SSLCertificateChainFile /etc/apache2/ssl.crt/server-ca.crt
ddclient-3.9.1> sudo ls -l /etc/ssl/private/
total 4
-rw-r----- 1 root ssl-cert 1704 Aug 31  2019 ssl-cert-snakeoil.key
ddclient-3.9.1> sudo ls -l /etc/ssl/private/ssl-cert-snakeoil.key
-rw-r----- 1 root ssl-cert 1704 Aug 31  2019 /etc/ssl/private/ssl-cert-snakeoil.key
ddclient-3.9.1> sudo ls -ld /etc/ssl/certs
drwxr-xr-x 3 root root 12288 Apr 24  2021 /etc/ssl/certs

I try to reprotect...

ddclient-3.9.1> sudo chown -R www-data:www-data /etc/ssl/private
ddclient-3.9.1> sudo ls -l /etc/ssl/private
total 4
-rw-r----- 1 www-data www-data 1704 Aug 31  2019 ssl-cert-snakeoil.key

Dump hosts requires in addition:

ddclient-3.9.1> sudo chmod a+x /etc/ssl/private
ddclient-3.9.1> apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   berry314.girod.fi (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  berry314.girod.fi (/etc/apache2/sites-enabled/default-ssl.conf:2)

But this doesn't affect the certbot run.

Sorry, should have used

sudo apachectl -t -D DUMP_VHOSTS

Can you show this file

/etc/apache2/sites-enabled/000-default.conf
ddclient-3.9.1> sudo chmod a-x /etc/ssl/private
ddclient-3.9.1> sudo apachectl -t -D DUMP_VHOSTS
VirtualHost configuration:
*:80                   berry314.girod.fi (/etc/apache2/sites-enabled/000-default.conf:1)
*:443                  berry314.girod.fi (/etc/apache2/sites-enabled/default-ssl.conf:2)
ddclient-3.9.1> sudo egrep -v '^([ 	]*#|$)' /etc/apache2/sites-enabled/000-default.conf
<VirtualHost *:80>
	ServerAdmin webmaster@localhost
	DocumentRoot /var/www/html
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

The webroot path you gave to certbot earlier was wrong. It should match your DocumentRoot. You can put these on the command line like this:

sudo certbot certonly --webroot -w /var/www/html -d berry314.girod.fi
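The 404 above is the ACME server fetching the token from whatever Apache serves for port 80, while certbot wrote it under a directory Apache never looks at. As an added example (not part of this thread, and not certbot's own code), the POSIX shell functions below do the two checks a practitioner wants before spending another authorization: read the DocumentRoot of the `*:80` VirtualHost straight out of the config file that `apachectl -t -D DUMP_VHOSTS` names, compare it with the path you intend to pass to `-w`, and stage a dummy challenge file the way the webroot plugin does so you can fetch it yourself. The config path, the webroot paths and the token name in the usage note are assumptions taken from this thread, not values the functions know about.

```shell
#!/bin/sh
# Pre-flight for certbot's webroot authenticator (added example, not from the
# thread). Answers the question behind an http-01 404: does the directory
# handed to certbot with -w match the DocumentRoot of the port-80 VirtualHost
# that Apache actually serves for the name?
#
# Assumptions: the vhost file uses plain Apache syntax with one DocumentRoot
# inside a <VirtualHost *:80> block, and comments start with '#'.

# Print the DocumentRoot of the *:80 VirtualHost in the given config file.
vhost_docroot() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        /^[ \t]*<VirtualHost[ \t]+\*:80>/ { in80 = 1; next } # enter *:80 block
        /^[ \t]*<\/VirtualHost>/ { in80 = 0; next }          # leave any block
        in80 && $1 == "DocumentRoot" { gsub(/"/, "", $2); print $2; exit }
    ' "$1"
}

# 0 if the webroot you plan to give certbot is the vhost DocumentRoot, else 1.
# Trailing slashes are ignored so /var/www/html/ and /var/www/html compare equal.
webroot_matches() {
    webroot=$1
    conf=$2
    docroot=$(vhost_docroot "$conf")
    if [ -z "$docroot" ]; then
        echo "no *:80 DocumentRoot found in $conf" >&2
        return 1
    fi
    if [ "${webroot%/}" = "${docroot%/}" ]; then
        return 0
    fi
    echo "webroot $webroot does not match DocumentRoot $docroot" >&2
    return 1
}

# Stage a throwaway challenge file where the webroot plugin would put it, so
# http://<name>/.well-known/acme-challenge/<token> can be fetched by hand.
# The content is a made-up stand-in for the key authorization certbot writes.
# Prints the path written.
stage_token() {
    webroot=$1
    token=$2
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    printf '%s.preflight\n' "$token" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
    printf '%s\n' "$dir/$token"
}

# Remove the staged token again once the fetch has been checked.
unstage_token() {
    rm -f "$1/.well-known/acme-challenge/$2"
}
```

Usage on the thread's setup (paths assumed from the posts above): `webroot_matches /home/marc/webroot/girod /etc/apache2/sites-enabled/000-default.conf` returns 1 and prints the mismatch, while `/var/www/html` returns 0. Then `stage_token /var/www/html preflight-test` followed by `curl -sS http://berry314.girod.fi/.well-known/acme-challenge/preflight-test` from a host outside your LAN must return `preflight-test.preflight`; anything else (a 404, a router login page, a Cloudflare error) is the same problem the ACME server will hit. The token is not secret, so fetching it from outside is safe. Note that `sudo apachectl -t -D DUMP_VHOSTS` is still the authoritative source for which file defines the `*:80` host; this parser only reads the file you point it at.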

Thanks!

ddclient-3.9.1> sudo certbot certonly --webroot -w /var/www/html -d berry314.girod.fi
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for berry314.girod.fi
Using the webroot path /var/www/html for all unmatched domains.
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/berry314.girod.fi/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/berry314.girod.fi/privkey.pem
   Your cert will expire on 2022-12-09. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

I assume I must now point to the new key/cert pair in default-ssl.conf...


Yes, and perhaps more. When you choose the webroot method you only get a cert. You must then configure your HTTPS VirtualHost manually. This is a good tool for that:

@mgirod I would avoid setting Stapling and HTTP Strict Transport Security to start


OK, so far just edited and protected, but apache didn't start...

ddclient-3.9.1> sudo egrep -v '^([ 	]*#|$)' /etc/apache2/sites-enabled/default-ssl.conf | grep SSLCert
		SSLCertificateFile    /etc/letsencrypt/live/berry314.girod.fi/chain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/berry314.girod.fi/privkey.pem
		SSLCertificateChainFile /etc/letsencrypt/live/berry314.girod.fi/fullchain.pem
ddclient-3.9.1> sudo ls -l /etc/letsencrypt
total 32
drwxr-xr-x 4 root root     4096 Sep  5 09:03 accounts
drwxr-x--- 3 root www-data 4096 Sep 10 13:14 archive
-rw-r--r-- 1 root root      121 May 26  2018 cli.ini
drwxr-xr-x 2 root root     4096 Sep 10 13:13 csr
drwx------ 2 root root     4096 Sep 10 13:13 keys
drwx------ 3 root root     4096 Sep 10 13:14 live
drwxr-xr-x 2 root root     4096 Sep 10 13:14 renewal
drwxr-xr-x 5 root root     4096 Sep  5 08:54 renewal-hooks
ddclient-3.9.1> sudo ls -l /etc/letsencrypt/live
total 8
drwxr-xr-x 2 root root 4096 Sep 10 13:14 berry314.girod.fi
-rw-r--r-- 1 root root  740 Sep 10 13:14 README
ddclient-3.9.1> sudo ls -l /etc/letsencrypt/live/berry314.girod.fi
total 4
lrwxrwxrwx 1 root root  41 Sep 10 13:14 cert.pem -> ../../archive/berry314.girod.fi/cert1.pem
lrwxrwxrwx 1 root root  42 Sep 10 13:14 chain.pem -> ../../archive/berry314.girod.fi/chain1.pem
lrwxrwxrwx 1 root root  46 Sep 10 13:14 fullchain.pem -> ../../archive/berry314.girod.fi/fullchain1.pem
lrwxrwxrwx 1 root root  44 Sep 10 13:14 privkey.pem -> ../../archive/berry314.girod.fi/privkey1.pem
-rw-r--r-- 1 root root 692 Sep 10 13:14 README
ddclient-3.9.1> sudo ls -l /etc/letsencrypt/archive/
total 4
drwxr-xr-x 2 root www-data 4096 Sep 10 13:14 berry314.girod.fi
ddclient-3.9.1>  sudo tail -6 /var/log/apache2/error.log
[Sat Sep 10 13:42:04.492398 2022] [ssl:emerg] [pid 28869:tid 3069271872] AH02565: Certificate and private key berry314.girod.fi:443:0 from /etc/letsencrypt/live/berry314.girod.fi/chain.pem and /etc/letsencrypt/live/berry314.girod.fi/privkey.pem do not match
AH00016: Configuration Failed
[Sat Sep 10 13:43:59.773006 2022] [ssl:emerg] [pid 28898:tid 3069394752] AH02565: Certificate and private key berry314.girod.fi:443:0 from /etc/letsencrypt/live/berry314.girod.fi/chain.pem and /etc/letsencrypt/live/berry314.girod.fi/privkey.pem do not match
AH00016: Configuration Failed
[Sat Sep 10 13:44:06.936615 2022] [ssl:emerg] [pid 28909:tid 3070156608] AH02565: Certificate and private key berry314.girod.fi:443:0 from /etc/letsencrypt/live/berry314.girod.fi/chain.pem and /etc/letsencrypt/live/berry314.girod.fi/privkey.pem do not match
AH00016: Configuration Failed

OK... Used only fullchain...
It started...

OK. Certs look good. You should review that Mozilla guide again. Your score at SSL Labs is just a B and supports older protocols that probably are not needed (and are not as secure).

The Mozilla Guide also would have shown the proper Apache SSL cert file config

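The AH02565 failure above is Apache comparing the public key in the first certificate of `SSLCertificateFile` against `SSLCertificateKeyFile`; `chain.pem` holds the intermediate, whose key nobody on this Pi has, so that pairing can never match. On Apache 2.4.8 and later the correct mapping is `SSLCertificateFile /etc/letsencrypt/live/<name>/fullchain.pem` plus `SSLCertificateKeyFile /etc/letsencrypt/live/<name>/privkey.pem`, with `SSLCertificateChainFile` left out. As an added example (not part of the thread, and not Apache's or certbot's code), the shell functions below perform the same comparison Apache does, so the mismatch is caught with a plain command before a restart fails. They need the `openssl` CLI; the vhost file path in the usage note is the one from this thread and is an assumption.

```shell
#!/bin/sh
# Check an Apache SSL VirtualHost for the AH02565 "certificate and private key
# do not match" failure before restarting (added example, not from the thread).
# Apache pairs the FIRST certificate in SSLCertificateFile with the key in
# SSLCertificateKeyFile; this script compares the public key from each side.
# Requires the openssl command-line tool.

# SHA-256 fingerprint of the DER-encoded public key in a certificate file.
# openssl x509 reads only the first certificate, exactly like Apache does.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
      | openssl pkey -pubin -outform DER 2>/dev/null \
      | openssl dgst -sha256 | sed 's/^.*= //'
}

# The same fingerprint derived from a private key file.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
      | openssl dgst -sha256 | sed 's/^.*= //'
}

# 0 if the certificate's public key belongs to the private key, else 1.
# An unreadable or non-PEM file yields an empty fingerprint and therefore 1.
cert_key_match() {
    c=$(cert_pubkey_fp "$1")
    k=$(key_pubkey_fp "$2")
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# Print the argument of an Apache directive from a config file, skipping
# comment lines; first occurrence wins, as in a single-vhost file.
apache_directive() {
    awk -v d="$2" '/^[ \t]*#/ { next } $1 == d { print $2; exit }' "$1"
}

# Verify the SSLCertificateFile / SSLCertificateKeyFile pair in a vhost file.
check_vhost_ssl() {
    cert=$(apache_directive "$1" SSLCertificateFile)
    key=$(apache_directive "$1" SSLCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "$1: SSLCertificateFile or SSLCertificateKeyFile missing" >&2
        return 1
    fi
    if cert_key_match "$cert" "$key"; then
        echo "$1: OK, first certificate in $cert matches $key"
        return 0
    fi
    echo "$1: AH02565 ahead, first certificate in $cert does not match $key" >&2
    return 1
}
```

Run it as `sudo sh -c '. ./sslcheck.sh; check_vhost_ssl /etc/apache2/sites-enabled/default-ssl.conf'` (sudo because `privkey.pem` under `/etc/letsencrypt/archive` is root-only, which is how it should stay). With `chain.pem` in `SSLCertificateFile` it reports the mismatch; with `fullchain.pem` it reports OK, because the leaf comes first in that file and the intermediate after it is what Apache sends to clients as the chain. After `certbot renew` the `live/` symlinks move to new archive files, so this check is also a sensible `--deploy-hook` companion before `systemctl reload apache2`.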

OK, thanks again. I applied Mozilla's instructions, and now get an A+ record.

But... This is when I connect from my own Ubuntu laptop over Mozilla VPN.
If I disconnect the VPN, or connect from my phone, or from my work host, I get a Privacy error, redirecting to http and displaying a certificate unknown to me (from mediarouter.home):

MIIEBjCCAu6gAwIBAgIBATANBgkqhkiG9w0BAQsFADBjMQswCQYDVQQGEwJDTjEOMAwGA1UECAwFSHViZWkxDjAMBgNVBAcMBVd1aGFuMRIwEAYDVQQDDAlyb290LmhvbWUxIDAeBgkqhkiG9w0BCQEWEW1vYmlsZUBodWF3ZWkuY29tMB4XDTE2MDIxNTAxMTEyNloXDTI2MDIxMjAxMTEyNlowSDELMAkGA1UEBhMCQ04xDjAMBgNVBAgMBUh1YmVpMQ4wDAYDVQQHDAVXdWhhbjEZMBcGA1UEAwwQbWVkaWFyb3V0ZXIuaG9tZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANNkazWSQSb7hTTo7N13q4ATnk%2FB5prhK73Ne6BwRgpuabiOgpeW91mG0YSAJ%2BCKi49B6Pqy%2BA5pZXTaDtFyyNA2rtEvy44r6zeMMrWpuQWWNxudiVkXUOraW2Vk8qevryMbF%2BgNPXfxA2WFW%2Beczu7TGY%2FeKQbIUcmjtmx93FbCT7U7k%2FVXl9%2Foi88uKsV1g6okPazFasAu4vOIWfpIeG8yKL1ZgP%2FXNJiZboSZV8uSv%2F87e71GjA%2FsA6QWZysgiB2IQ6Nv7C%2BuaYgnH1oQOydZ7JhiIuatCqnm7cpl%2B%2FqnPJtEHOr1NG64Zs1oYQO2EKwe%2FSRAouAaIXQkPS8%2FeI8CAwEAAaOB3zCB3DAdBgNVHQ4EFgQU8X1v59UvmS9f3MW8ushhj3jV6AswHwYDVR0jBBgwFoAUlmqVMc0ybcEj8%2BhQZpPd7hXv0rAwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwVAYDVR0RBE0wS4IQbWVkaWFyb3V0ZXIuaG9tZYIRbWVkaWFyb3V0ZXIxLmhvbWWCEW1lZGlhcm91dGVyMi5ob21lghFtZWRpYXJvdXRlcjMuaG9tZTAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNhdGUwDQYJKoZIhvcNAQELBQADggEBADc7OHefC73fUL6fOpPiJglCSRt1%2Fq923y33JatYdrBqs7f4%2BsqXr%2FxPPofXL4bzgjcNffFCWEvm1D4y5b2HTYVhW3IhwgpctWa1XbnjUOGAfWLdCocy5ulATG5Y2XZLAMmJasygXri4CHWleCl9OCzCpT7c%2B%2BcFGxAL24tgGsQ1kmVqKLoX%2BrEVYOw2eWi1rq%2Bb3WzjqNHw%2FJ3larJ7QAq6qd8tASQGzxB4ljNeVDvW13m7Nu9gU3RSPl%2F4cJbxvWKXi05myZa1s9S15b88%2FwEjpycu2h7jn3XFSaQv8KrUh6i8Vg7Qz9iccAe8Uu3ZzfGSiTr7z6bvorny5a2pct8%3D

How can I fix this, and find out where this certificate comes from?


I see your site fine from my own phone. And an SSL Checker test site sees it fine too.
Link: SSL Checker

I cannot decode that cert as shown. Can you try adding 3 backticks before and after the cert info?

One thing I see is you no longer have port 80 open. You must keep that open for your cert renewal to succeed. You should also have your HTTP (port 80) VirtualHost redirect requests to your HTTPS site.

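The blob pasted earlier is a DER certificate, base64-encoded and then percent-encoded (`%2F`, `%2B`, `%3D` for `/`, `+`, `=`), which is why it cannot be fed to `openssl` as-is. As an added example (not part of the thread), the shell pipeline below reverses both encodings and prints the fields that identify the device presenting it: subject, issuer, validity and the DNS names in the Subject Alternative Name extension. It relies on the `openssl` CLI; it undoes only the three percent-escapes that can occur in a base64 string, which is all a pasted certificate needs. The text in the usage note describing what the thread's certificate contains is taken from the poster's own decoding above, not from running this code.

```shell
#!/bin/sh
# Decode a certificate pasted as URL-encoded base64 DER and show who it is for
# and who issued it (added example, not from the thread). Reads the pasted
# text on stdin; whitespace and line breaks from copy-paste are tolerated.
# Requires the openssl command-line tool.

# Strip whitespace, undo the percent-escapes base64 can contain, then decode
# base64 (-A: single-line input) and let openssl parse the DER certificate.
pasted_cert_text() {
    tr -d ' \n\r\t' \
      | sed 's/%2[Ff]/\//g; s/%2[Bb]/+/g; s/%3[Dd]/=/g' \
      | openssl base64 -d -A \
      | openssl x509 -inform DER -noout -text
}

# Only the lines that answer "whose certificate is this?": subject, issuer,
# validity window and every DNS name from subjectAltName, left-trimmed.
pasted_cert_info() {
    pasted_cert_text \
      | grep -E 'Subject:|Issuer:|Not (Before|After)|DNS:' \
      | sed 's/^[ \t]*//'
}

# Just the subject common name, for scripting (works with both the
# "CN = x" spelling of OpenSSL 1.1+/3 and the older "CN=x" spelling).
pasted_cert_cn() {
    pasted_cert_info \
      | sed -n 's/^Subject:.*[ ,]CN *= *\([^,]*\).*/\1/p'
}
```

Use it as `pbpaste | pasted_cert_info` or `pasted_cert_info < pasted.txt`. For the certificate quoted in this thread, the poster's decoding reports a subject CN of `mediarouter.home`, an issuer CN of `root.home` with a `huawei.com` contact address, and SAN entries `mediarouter.home` through `mediarouter3.home`: those names are the ones a device serves for itself, which tells you the TLS connection from that vantage point is being terminated by the router on the path rather than by the Pi. A connection that lands on the real server shows the Let's Encrypt issuer and the `berry314.girod.fi` name instead, which is what `openssl s_client -connect berry314.girod.fi:443 -servername berry314.girod.fi </dev/null | openssl x509 -noout -subject -issuer` prints when run from a network that reaches the Pi.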

I added the http forwarding back to my router setup.
And I edited the cert in the previous message to show it as code.

What I get is:

Country:     CN
State:       Hubei
Locality:    Wuhan
Common name: mediarouter.home

Issuer:
common name:   root.home
email address: mobile@huawei.com

etc. and the DNS servers are mediarouter{,1,2,3}.home
Who's picking those DNS?
