Certificate configuration for my web server


#1

Please fill out the fields below so we can help you. Note: you must provide your domain name to get help. The domain names of issued certificates are all made public in Certificate Transparency logs (for example, https://crt.sh/?q=example.com). So withholding your domain name here does not keep it secret, but it does make it harder for us to help you.

I can read responses in English:

My domain name is: speedtest.skyvisiongn

I ran this command: host acme-v02.api.letsencrypt.org

It produced this output: ;; connection timed out; no servers could be reached
com

My web server is (include version): apache

The operating system my web server runs on is (include version): ubuntu 18-04

My hosting provider, if applicable, is: hostinger

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no


#2

Continuation of Cetificat wen ubuntu 18-04 lts server speedtest

Apparently the configuration shows that the server 127.0.0.53 handles your DNS:

Are you the administrator of 127.0.0.53?


#3

yes, I have root access


#4

Can this machine resolve other domain names? Is the problem only related to the domain acme-v02.api.letsencrypt.org? Is it up to date (and not several years behind)?


#5

here is the error
root@speedserver:~# host acme-v02.api.letsencrypt.org
;; connection timed out; no servers could be reached


#6

Can you try the following commands:

host -v acme-v02.api.letsencrypt.org
host -v www.google.com

dig  www.google.com
dig @8.8.8.8 www.google.com

dig  acme-v02.api.letsencrypt.org
dig @8.8.8.8 acme-v02.api.letsencrypt.org

#7

root@speedserver:~# host -v acme-v02.api.letsencrypt.org
Trying "acme-v02.api.letsencrypt.org"
;; connection timed out; no servers could be reached

root@speedserver:~# host -v www.google.com
Trying "www.google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32482
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 115 IN A 216.58.209.228

Received 48 bytes from 127.0.0.53#53 in 0 ms
Trying "www.google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5876
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN AAAA

;; ANSWER SECTION:
www.google.com. 131 IN AAAA 2a00:1450:4007:805::2004

Received 60 bytes from 127.0.0.53#53 in 0 ms
Trying "www.google.com"
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57532
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.google.com. IN MX

Received 32 bytes from 127.0.0.53#53 in 82 ms
root@speedserver:~# dig www.google.com

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> www.google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43836
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 107 IN A 216.58.209.228

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Mar 06 15:13:43 GMT 2019
;; MSG SIZE rcvd: 59

root@speedserver:~# dig @8.8.8.8 www.google.com

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42203
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;www.google.com. IN A

;; ANSWER SECTION:
www.google.com. 70 IN A 216.58.209.228

;; Query time: 92 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 06 15:13:51 GMT 2019
;; MSG SIZE rcvd: 59

root@speedserver:~# dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59455
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Wed Mar 06 15:14:00 GMT 2019
;; MSG SIZE rcvd: 57

root@speedserver:~# dig @8.8.8.8 acme-v02.api.letsencrypt.org

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> @8.8.8.8 acme-v02.api.letsencrypt.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22078
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 7138 IN CNAME api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net. 20826 IN CNAME e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net. 19 IN A 23.3.51.4

;; Query time: 90 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Wed Mar 06 15:14:10 GMT 2019
;; MSG SIZE rcvd: 158


#8

why, during the installation, when I type this command and enter my email, does this error come out:
sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): bangoura@skyvision-ms.net
An unexpected error occurred:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 141, in _new_conn
(self.host, self.port), self.timeout, **extra_kw)
File "/usr/lib/python3/dist-packages/urllib3/util/connection.py", line 60, in create_connection
for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
File "/usr/lib/python3.6/socket.py", line 745, in getaddrinfo
for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 601, in urlopen
chunked=chunked)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 346, in _make_request
self._validate_conn(conn)
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 852, in _validate_conn
conn.connect()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 284, in connect
conn = self._new_conn()
File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 150, in _new_conn
self, "Failed to establish a new connection: %s" % e)
urllib3.exceptions.NewConnectionError: <urllib3.connection.VerifiedHTTPSConnection object at 0x7f92e43ac860>: Failed to establish a new connection: [Errno -2] Name or service not known

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/requests/adapters.py", line 440, in send
timeout=timeout
File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 639, in urlopen
_stacktrace=sys.exc_info()[2])
File "/usr/lib/python3/dist-packages/urllib3/util/retry.py", line 388, in increment
raise MaxRetryError(_pool, url, error or ResponseError(cause))
urllib3.exceptions.MaxRetryError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f92e43ac860>: Failed to establish a new connection: [Errno -2] Name or service not known',))

During handling of the above exception, another exception occurred:

requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f92e43ac860>: Failed to establish a new connection: [Errno -2] Name or service not known',))
Please see the logfiles in /var/log/letsencrypt for more details.


#9

It asks for the email to create the user account at Let's Encrypt, but it cannot reach the Let's Encrypt servers to create the account.

It all comes from the DNS error.

Thanks for these commands. Apparently your DNS resolver cannot resolve (obtain the IP corresponding to) acme-v02.api.letsencrypt.org, which is Let's Encrypt's API server. But going through 8.8.8.8 (Google's DNS resolver) it works. So the problem is indeed at that level.
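The diagnosis above (SERVFAIL from the local stub resolver at 127.0.0.53, a normal answer from 8.8.8.8) can be turned into a repeatable check. This is an added example, not code from the thread: `classify_dig` and `diagnose` are my own helpers, and the two sample outputs are constructed from the results posted in #7.

```shell
# Added example, not from the thread. classify_dig reads one saved dig output on
# stdin and prints "<server> <status> <answer-count>"; diagnose compares the
# system resolver's result with a public resolver's, as the helper did in #7/#9.
classify_dig() {
    awk '
        BEGIN { server = "?"; status = "NONE"; answers = 0 }
        /->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/   { sub(/.*ANSWER: /, ""); sub(/,.*/, ""); answers = $0 }
        /^;; SERVER:/  { server = $3; sub(/#.*/, "", server) }
        END { print server, status, answers }
    '
}

# $1: dig output from the system resolver, $2: dig output from a public resolver
diagnose() {
    local_res=$(printf '%s\n' "$1" | classify_dig)
    public_res=$(printf '%s\n' "$2" | classify_dig)
    local_status=${local_res#* };   local_status=${local_status%% *}
    public_status=${public_res#* }; public_status=${public_status%% *}
    public_answers=${public_res##* }
    if [ "$local_status" = NOERROR ]; then
        echo "ok"                        # the system resolver answers: DNS is not the blocker
    elif [ "$public_status" = NOERROR ] && [ "$public_answers" -gt 0 ]; then
        echo "local-resolver-broken"     # the thread's pattern: SERVFAIL locally, answers via 8.8.8.8
    else
        echo "name-or-upstream-problem"  # neither resolver answers, so look beyond the local stub
    fi
}

# Constructed sample outputs, trimmed to the lines classify_dig uses; the values
# mirror the results in #7 ("dig acme-v02..." vs "dig @8.8.8.8 acme-v02...").
LOCAL_DIG=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 59455
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 127.0.0.53#53(127.0.0.53)'
PUBLIC_DIG=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22078
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 8.8.8.8#53(8.8.8.8)'

# On a live server, replace the samples with:
#   LOCAL_DIG=$(dig acme-v02.api.letsencrypt.org); PUBLIC_DIG=$(dig @8.8.8.8 acme-v02.api.letsencrypt.org)
diagnose "$LOCAL_DIG" "$PUBLIC_DIG"   # prints: local-resolver-broken
```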


#10

so what is needed to fix this problem, because I've been working on it for more than a month and I still can't find a solution


#11

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?


1: speedserver.skyvisiongn.com


Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel):
Cert not yet due for renewal

You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
(ref: /etc/letsencrypt/renewal/speedserver.skyvisiongn.com.conf)

What would you like to do?


1: Attempt to reinstall this existing certificate
2: Renew & replace the cert (limit ~5 per 7 days)


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for speedserver.skyvisiongn.com
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-default-le-ssl.conf

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.


1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.


Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Redirecting vhost in /etc/apache2/sites-enabled/000-default.conf to ssl vhost in /etc/apache2/sites-enabled/000-default-le-ssl.conf


Your existing certificate has been successfully renewed, and the new certificate
has been installed.

The new certificate covers the following domains:
https://speedserver.skyvisiongn.com

You should test your configuration at:
https://www.ssllabs.com/ssltest/analyze.html?d=speedserver.skyvisiongn.com


IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/speedserver.skyvisiongn.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/speedserver.skyvisiongn.com/privkey.pem
    Your cert will expire on 2019-06-04. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot again
    with the “certonly” option. To non-interactively renew all of
    your certificates, run “certbot renew”

  • If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

here is my message again


#12

root@speedserver:~# host acme-v02.api.letsencrypt.org
acme-v02.api.letsencrypt.org is an alias for api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net is an alias for e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net has address 23.3.51.4
e14990.dscx.akamaiedge.net has IPv6 address 2a02:26f0:7400:18f::3a8e
e14990.dscx.akamaiedge.net has IPv6 address 2a02:26f0:7400:188::3a8e


#13

So everything works now?


#14

when I type the command, this is what it sends back as a response


#15

You have fixed the DNS problem, since the host command now answers correctly.

Generating the certificate with certbot also worked. It was indeed created, since it appears here: https://crt.sh/?q=speedserver.skyvisiongn.com

But apache still seems to respond with a self-signed certificate instead of this new certificate. Normally the apache configuration for this site must use the certificate files from /etc/letsencrypt/live/speedserver.skyvisiongn.com/ ; can you check?
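The check requested above (does the SSL vhost actually point at the Let's Encrypt files, or still at a self-signed pair?) can be done by scanning the vhost configuration for its certificate directives. This is an added example, not code from the thread: `check_vhost_cert` is my own helper, and both vhost snippets are constructed (the second follows Ubuntu's stock default-ssl.conf, which serves the self-signed "snakeoil" certificate).

```shell
# Added example, not from the thread. check_vhost_cert reads Apache vhost
# configuration on stdin and reports which certificate the SSL vhost uses.
# Paths under /etc/letsencrypt/live/<domain>/ are what certbot deploys; the
# snakeoil paths are Ubuntu's stock self-signed pair from default-ssl.conf.
check_vhost_cert() {
    domain=$1
    awk -v live="/etc/letsencrypt/live/$domain/" '
        { sub(/#.*/, ""); sub(/^[ \t]+/, "") }        # drop comments and indentation
        $1 == "SSLEngine" && tolower($2) == "on" { ssl_on = 1 }
        $1 == "SSLCertificateFile"    { cert = $2 }
        $1 == "SSLCertificateKeyFile" { key  = $2 }
        END {
            if (!ssl_on)                 { print "no-ssl-vhost"; exit }
            if (cert == "" || key == "") { print "ssl-on-but-no-certificate-directives"; exit }
            if (index(cert, live) == 1 && index(key, live) == 1) print "uses-letsencrypt: " cert
            else if (cert ~ /snakeoil/)                          print "uses-default-self-signed: " cert
            else                                                 print "uses-other-certificate: " cert
        }
    '
}

# Constructed configs: what certbot --apache writes (cf. 000-default-le-ssl.conf in #11)
# and Ubuntu's default-ssl.conf, which serves a self-signed certificate.
LE_VHOST='<VirtualHost *:443>
    ServerName speedserver.skyvisiongn.com
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/speedserver.skyvisiongn.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/speedserver.skyvisiongn.com/privkey.pem
</VirtualHost>'
SNAKEOIL_VHOST='<VirtualHost _default_:443>
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>'

# On the server, one file at a time so each SSL vhost gets its own verdict:
#   for f in /etc/apache2/sites-enabled/*.conf; do echo "$f: $(check_vhost_cert speedserver.skyvisiongn.com < "$f")"; done
printf '%s\n' "$LE_VHOST"       | check_vhost_cert speedserver.skyvisiongn.com
printf '%s\n' "$SNAKEOIL_VHOST" | check_vhost_cert speedserver.skyvisiongn.com
```

A vhost that shows "uses-default-self-signed" while the certificate exists under /etc/letsencrypt/live/ is exactly the symptom described above: the certificate was issued, but this vhost was never switched to it.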


#16

Can you show your apache configuration in /etc/apache2/sites-enabled/ ?
Which version of apache are you using?


#17

root@speedtest:~# host acme-v02.api.letsencrypt.org
acme-v02.api.letsencrypt.org is an alias for api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net is an alias for e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net has address 23.3.51.4
e14990.dscx.akamaiedge.net has IPv6 address 2a02:26f0:7400:18f::3a8e
e14990.dscx.akamaiedge.net has IPv6 address 2a02:26f0:7400:188::3a8e
root@speedtest:~# dig acme-v02.api.letsencrypt.org

; <<>> DiG 9.11.3-1ubuntu1.5-Ubuntu <<>> acme-v02.api.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58494
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 5b11e7713cfcdcbeb9aca66b5c8411387c891140706bee0f (good)
;; QUESTION SECTION:
;acme-v02.api.letsencrypt.org. IN A

;; ANSWER SECTION:
acme-v02.api.letsencrypt.org. 4000 IN CNAME api.letsencrypt.org-ng.edgekey.net.
api.letsencrypt.org-ng.edgekey.net. 13167 IN CNAME e14990.dscx.akamaiedge.net.
e14990.dscx.akamaiedge.net. 3 IN A 23.3.51.4

;; AUTHORITY SECTION:
. 69301 IN NS j.root-servers.net.
. 69301 IN NS g.root-servers.net.
. 69301 IN NS d.root-servers.net.
. 69301 IN NS h.root-servers.net.
. 69301 IN NS i.root-servers.net.
. 69301 IN NS c.root-servers.net.
. 69301 IN NS l.root-servers.net.
. 69301 IN NS e.root-servers.net.
. 69301 IN NS b.root-servers.net.
. 69301 IN NS a.root-servers.net.
. 69301 IN NS m.root-servers.net.
. 69301 IN NS k.root-servers.net.
. 69301 IN NS f.root-servers.net.

;; Query time: 0 msec
;; SERVER: 160.119.131.14#53(160.119.131.14)
;; WHEN: Sat Mar 09 19:17:12 GMT 2019
;; MSG SIZE rcvd: 394

root@speedtest:~#
root@speedtest:~# cat /etc/apache2/sites-enabled/
cat: /etc/apache2/sites-enabled/: est un dossier
root@speedtest:~# cat /etc/apache2/sites-enabled/?
cat: ‘/etc/apache2/sites-enabled/?’: Aucun fichier ou dossier de ce type
root@speedtest:~# /etc/apache2/sites-enabled/?
bash: /etc/apache2/sites-enabled/?: Aucun fichier ou dossier de ce type


#18

https://speedtest.skyvisiongn.com/


#19

Everything seems to be working perfectly, congratulations!