Error message running ./letsencrypt-auto


#1

Hello,

My name is Ken but on the internet I go by Spork Schivago. I have a domain but I’m very new to having a website. I get it hosted through GoDaddy. I haven’t really written my website yet but I wanted to get the SSL certificates taken care of first. My domain name is JetBBS.com. GoDaddy gives me access to a mail server that they control, webmail.JetBBS.com. I wanted to try creating a valid SSL certificate for this site. From what I’ve read on the internet, I need to use the manual method with letsencrypt-auto and then use the cPanel at GoDaddy to enter the SSL stuff.

This is the command line I used:

./letsencrypt-auto certonly --manual --test-cert -d www.webmail.JetBBS.com -d webmail.JetBBS.com

Everything was going fine. I got to a message that said:

Please read the Terms of Service at                                   
https://letsencrypt.org/documents/LE-SA-v1.0.1-July-27-2015.pdf. You  
must agree in order to register with the ACME server at               
https://acme-staging.api.letsencrypt.org/directory

I went to the first site, I read the agreement. I went to the second site, even though I don’t think I was supposed to. When I hit Agree back in the letsencrypt-auto window, I got the following error message:

An unexpected error occurred:
UnexpectedUpdate: AuthorizationResource(body=Authorization(status=Status(pending), challenges=(ChallengeBody(chall=HTTP01(token='5\xaf7LGQ-\xfd;isY\xe7g\x11\x84y\x08\xe2\x8c\xbc\xf0\x9fb\n\xdd\xf9_}3\x87\x1c'), status=Status(pending), validated=None, uri=u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025717', error=None), ChallengeBody(chall=TLSSNI01(token='Ocz:\x16\xcd\xfd#\x94\xd5\r\x02i\xe9:\xefl\x95\xaf\xfe\\\xf8\xb9)\x12g\x90;\xfe\xb0;5'), status=Status(pending), validated=None, uri=u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025718', error=None), ChallengeBody(chall=UnrecognizedChallenge(), status=Status(pending), validated=None, uri=u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025719', error=None)), identifier=Identifier(typ=IdentifierType(dns), value=u'www.webmail.jetbbs.com'), expires=datetime.datetime(2016, 1, 25, 3, 8, 42, 126844, tzinfo=<UTC>), combinations=((2,), (1,), (0,))), new_cert_uri='https://acme-staging.api.letsencrypt.org/acme/new-cert', uri='https://acme-staging.api.letsencrypt.org/acme/authz/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU')
Please see the logfiles in /var/log/letsencrypt for more details.

I don’t really know Python very well. I’ve looked at /var/log/letsencrypt/letsencrypt.log but couldn’t really figure out what went wrong or how I go about fixing it…here’s a copy of the log file.

2016-01-18 02:59:58,552:DEBUG:letsencrypt.cli:Root logging level set at 30
2016-01-18 02:59:58,554:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-01-18 02:59:58,555:DEBUG:letsencrypt.cli:letsencrypt version: 0.2.0
2016-01-18 02:59:58,555:DEBUG:letsencrypt.cli:Arguments: ['--manual', '--test-cert', '-d', 'www.webmail.JetBBS.com', '-d', 'webmail.JetBBS.com']
2016-01-18 02:59:58,557:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-01-18 02:59:58,565:DEBUG:letsencrypt.cli:Requested authenticator manual and installer None
2016-01-18 02:59:58,574:DEBUG:letsencrypt.display.ops:Single candidate plugin: * manual
Description: Manually configure an HTTP server
Interfaces: IAuthenticator, IPlugin
Entry point: manual = letsencrypt.plugins.manual:Authenticator
Initialized: <letsencrypt.plugins.manual.Authenticator object at 0x7f0099801e50>
Prep: True
2016-01-18 02:59:58,575:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.manual.Authenticator object at 0x7f0099801e50> and installer None
2016-01-18 03:08:41,567:INFO:letsencrypt.reporter:Reporting to user: Your account credentials have been saved in your Let's Encrypt configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Let's Encrypt so making regular backups of this folder is ideal.
2016-01-18 03:08:41,567:INFO:letsencrypt.reporter:Reporting to user: If you lose your account credentials, you can recover through e-mails sent to Spork@JetBBS.com.
2016-01-18 03:08:41,568:DEBUG:acme.jose.json_util:Omitted empty fields: authorizations=None, certificates=None
2016-01-18 03:08:41,570:DEBUG:letsencrypt.cli:Picked account: <Account(277dca8623c8510d519b25727cff1e7f)>
2016-01-18 03:08:41,841:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0000_key-letsencrypt.pem
2016-01-18 03:08:41,846:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0000_csr-letsencrypt.pem
2016-01-18 03:08:41,847:DEBUG:acme.jose.json_util:Omitted empty fields: challenges=None, expires=None, combinations=None, status=None
2016-01-18 03:08:41,847:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "www.webmail.JetBBS.com"}, "resource": "new-authz"}
2016-01-18 03:08:41,848:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), alg=None, jku=None, x5t=None, typ=None, kid=None, cty=None, jwk=None, x5tS256=None, x5u=None
2016-01-18 03:08:41,852:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), jku=None, nonce=None, x5t=None, typ=None, kid=None, cty=None, x5tS256=None, x5u=None
2016-01-18 03:08:41,853:DEBUG:root:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "vU1knwqKCxQdSF1BjC_wbW9yIpTYY2ofnPAYiDSJjhxUNwkX77g0swo4lQEHgTvJe-9LGq-Ukh8jJMjI9MmshgiZVYMCVDkFqX_MSQKCh-x3OBY_wtrLQ7EKo6F0ufmRLWVpH5SePQ4DQn5WwET70BK3MloO_xEv4HMneWLaI-UvXZID61EGX2MaGeG76F4H_6Vq--dHfu_kvU_ZmaoHVSoOrnYuN8Xzq7jj-9GZn9u-05qFbYqeQ6FPDbWWbR9Ptm4T21MISIulT5eyyCLdqBboo7_iGVXuc3uIxQJF4mLVt9xvy8DMRaxk0nPv-WwtYLomhTcQSsKpZ0MZtTRwrQ"}}, "protected": "eyJub25jZSI6ICItQThGcDhFLUNLRndtangzczAydWI5ZmRsVnptSTFOS3NLNGgza0VuZ0lZIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJ3d3cud2VibWFpbC5KZXRCQlMuY29tIn0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ", "signature": "pWzibZkeIZHZFY1bV3nhbXK_r7UJbuOWlmzMu5MV9EHxWU3rhI-qcGzO5sRcbFAdIFcmZFcqt-zBV-sDukZqW-j0Nr8ewsW3LBi1OIfU0TmhFIgz0AF_lPom5td9a3REq9BTWQsrqPPZzse8OFgcZcdwJthx-57srkd-gLIlo6Jn2odpFcgRWqJX3t8wa_JnOjolvUFVeCXxtOLtSYauVIanVO1_uMHn80JhNMWi6aMzIiSI_F5__NMDVGywkYAApkGYx9-TTxj0-k6Tmn3KI62w8bG78q1ne2D1I6H-So6oyHzCqK16DrD7kSyObsb6E4AUO4u9UeA5nig20nvIhw"}'}
2016-01-18 03:08:41,854:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org
2016-01-18 03:08:42,174:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 794
2016-01-18 03:08:42,176:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '794', 'Expires': 'Mon, 18 Jan 2016 03:08:42 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/authz/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 18 Jan 2016 03:08:42 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'amUhF9FPZKZSbBCuPCaFf3TLRe-HVvMZQ4cZwSRDSHA'}. Content: '{"identifier":{"type":"dns","value":"www.webmail.jetbbs.com"},"status":"pending","expires":"2016-01-25T03:08:42.126844254Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025717","token":"Na83TEdRLf07aXNZ52cRhHkI4oy88J9iCt35X30zhxw"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025718","token":"T2N6OhbN_SOU1Q0Caek672yVr_5c-LkpEmeQO_6wOzU"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025719","token":"l-eOo9KkmNBy3AbSgbTdvxoJM9_uqnnjHBabJhXfqSg"}],"combinations":[[2],[1],[0]]}'
2016-01-18 03:08:42,178:DEBUG:acme.client:Storing nonce: 'je!\x17\xd1Od\xa6Rl\x10\xae<&\x85\x7ft\xcbE\xef\x87V\xf3\x19C\x87\x19\xc1$CHp'
2016-01-18 03:08:42,178:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '794', 'Expires': 'Mon, 18 Jan 2016 03:08:42 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<https://acme-staging.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-staging.api.letsencrypt.org/acme/authz/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 18 Jan 2016 03:08:42 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'amUhF9FPZKZSbBCuPCaFf3TLRe-HVvMZQ4cZwSRDSHA'}): '{"identifier":{"type":"dns","value":"www.webmail.jetbbs.com"},"status":"pending","expires":"2016-01-25T03:08:42.126844254Z","challenges":[{"type":"http-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025717","token":"Na83TEdRLf07aXNZ52cRhHkI4oy88J9iCt35X30zhxw"},{"type":"tls-sni-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025718","token":"T2N6OhbN_SOU1Q0Caek672yVr_5c-LkpEmeQO_6wOzU"},{"type":"dns-01","status":"pending","uri":"https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025719","token":"l-eOo9KkmNBy3AbSgbTdvxoJM9_uqnnjHBabJhXfqSg"}],"combinations":[[2],[1],[0]]}'
2016-01-18 03:08:42,179:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'l-eOo9KkmNBy3AbSgbTdvxoJM9_uqnnjHBabJhXfqSg', u'type': u'dns-01', u'uri': u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025719'}
2016-01-18 03:08:42,183:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1398, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 600, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 404, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 215, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 198, in request_challenges
    return self._authzr_from_response(response, identifier)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 179, in _authzr_from_response
    raise errors.UnexpectedUpdate(authzr)
UnexpectedUpdate: AuthorizationResource(body=Authorization(status=Status(pending), challenges=(ChallengeBody(chall=HTTP01(token='5\xaf7LGQ-\xfd;isY\xe7g\x11\x84y\x08\xe2\x8c\xbc\xf0\x9fb\n\xdd\xf9_}3\x87\x1c'), status=Status(pending), validated=None, uri=u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025717', error=None), ChallengeBody(chall=TLSSNI01(token='Ocz:\x16\xcd\xfd#\x94\xd5\r\x02i\xe9:\xefl\x95\xaf\xfe\\\xf8\xb9)\x12g\x90;\xfe\xb0;5'), status=Status(pending), validated=None, uri=u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025718', error=None), ChallengeBody(chall=UnrecognizedChallenge(), status=Status(pending), validated=None, uri=u'https://acme-staging.api.letsencrypt.org/acme/challenge/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU/1025719', error=None)), identifier=Identifier(typ=IdentifierType(dns), value=u'www.webmail.jetbbs.com'), expires=datetime.datetime(2016, 1, 25, 3, 8, 42, 126844, tzinfo=<UTC>), combinations=((2,), (1,), (0,))), new_cert_uri='https://acme-staging.api.letsencrypt.org/acme/new-cert', uri='https://acme-staging.api.letsencrypt.org/acme/authz/rCQfOU3i7mw9tXucJBiaCNJxcGzn5RRIw1hE0-55KwU')

I was hoping someone here would be able to help me with this. I was reading in one of the manuals that I should be using the --test-cert option until I’m sure everything is good. I wouldn’t think that’d be causing the problem. Does anyone have any idea what I’m doing wrong?

Any help is greatly appreciated. Thank you!
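A triage sketch for a log like the one in this post, added here as an example and not part of the thread or of the letsencrypt client: it pulls the `-d` names from the `Arguments:` line and the identifier from the `UnexpectedUpdate:` line, and reports names that differ only in letter case (the command above used `www.webmail.JetBBS.com`, the error shows `www.webmail.jetbbs.com`). The function names and the sample log are constructed; whether that case difference is what the client rejected is an assumption, not something the thread establishes.

```python
import ast
import re

# Constructed sample in the shape of the letsencrypt 0.2.0 debug log quoted in
# the post (shortened; the hostnames are placeholders, not the poster's).
SAMPLE_LOG = """\
2016-01-18 02:59:58,555:DEBUG:letsencrypt.cli:Arguments: ['--manual', '--test-cert', '-d', 'www.Mail.Example.com', '-d', 'mail.example.com']
2016-01-18 03:08:42,179:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'type': u'dns-01'}
2016-01-18 03:08:42,183:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
    raise errors.UnexpectedUpdate(authzr)
UnexpectedUpdate: AuthorizationResource(body=Authorization(status=Status(pending), identifier=Identifier(typ=IdentifierType(dns), value=u'www.mail.example.com'), combinations=((2,), (1,), (0,))))
"""

ARGS_RE = re.compile(r":letsencrypt\.cli:Arguments: (\[.*\])\s*$")
UNRECOGNIZED_RE = re.compile(r":acme\.challenges:(\S+) was not recognized")
IDENT_RE = re.compile(
    r"identifier=Identifier\(typ=IdentifierType\(dns\), value=u?'([^']+)'\)")


def requested_domains(argv):
    """Collect the values given to -d / --domains / --domain."""
    names = []
    args = iter(argv)
    for arg in args:
        if arg in ("-d", "--domains", "--domain"):
            # One flag may carry several comma-separated names.
            names.extend(n for n in next(args, "").split(",") if n)
    return names


def triage(log_text):
    """Summarise what was requested and what the error line reports."""
    requested, returned, unrecognized = [], [], []
    for line in log_text.splitlines():
        match = ARGS_RE.search(line)
        if match:
            try:
                requested = requested_domains(ast.literal_eval(match.group(1)))
            except (ValueError, SyntaxError):
                pass  # truncated or edited log line; nothing to extract
            continue
        match = UNRECOGNIZED_RE.search(line)
        if match:
            unrecognized.append(match.group(1))
            continue
        if line.startswith("UnexpectedUpdate:"):
            returned.extend(IDENT_RE.findall(line))

    # Names that are the same hostname but not the same string.
    mismatches = [(name, got) for name in requested for got in returned
                  if name != got and name.lower() == got.lower()]
    return {
        "requested": requested,
        "returned": returned,
        "unrecognized_challenges": unrecognized,
        "case_mismatch": mismatches,
        "lowercased": [name.lower() for name in requested],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print("%-24s %s" % (key, value))
```

Pass the text of /var/log/letsencrypt/letsencrypt.log to `triage()` in place of `SAMPLE_LOG` to run it on a real log.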


#2

Hello @Spork_Schivago,

Domain www.webmail.jetbbs.com does not resolve via DNS, so you could never get a cert for it. I don’t know if you really want/need a cert for that domain, but if you really want/need it, the first thing you should do is make this domain resolve to the right IP.

Also, keep in mind that to validate your domain webmail.jetbbs.com you should be able to connect to this site: http://webmail.jetbbs.com/.well-known/acme-challenge/here_some_file. I mean, in the manual method, in the middle of the process, you should be asked to put a challenge file with a specific name and specific content into the directory .well-known/acme-challenge/ on your web server. Once you have uploaded this challenge file to your web server, you should continue the validation process.

Note: the first thing you should check before trying to issue a certificate is that you can create a directory .well-known/acme-challenge/ in the document root of your web server for your domain webmail.jetbbs.com and create a test file in it, for example testing-lets, with whatever content. Once it is created, if you can reach it using the URL http://webmail.jetbbs.com/.well-known/acme-challenge/testing-lets, then you can start the process to issue a cert again.

Cheers,
sahsanu
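The check described in this reply, as an added sketch that is not part of the original post: for each name it confirms the name resolves, then requests the test file from every resolved address with the name in the Host header and compares the content. `preflight`, `resolve` and `fetch` are names made up here; `testing-lets` is the test file name from the reply.

```python
import socket
import sys
import urllib.error
import urllib.request

CHALLENGE_PATH = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # report a 3xx as the status instead of following it


# Ignore proxy environment variables so the request reaches the server itself.
OPENER = urllib.request.build_opener(
    urllib.request.ProxyHandler({}), NoRedirect())


def resolve(name, port=80):
    """Return the sorted addresses a name resolves to ([] if it does not)."""
    try:
        infos = socket.getaddrinfo(name, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def fetch(address, host, path, port=80, timeout=10):
    """GET path from one address with `host` as the Host header.

    Returns (status, body); status is None when the connection fails.
    """
    netloc = "[%s]" % address if ":" in address else address
    req = urllib.request.Request(
        "http://%s:%d%s" % (netloc, port, path), headers={"Host": host})
    try:
        with OPENER.open(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, b""
    except (urllib.error.URLError, OSError):
        return None, b""


def preflight(name, test_file, expected, port=80,
              resolver=resolve, fetcher=fetch):
    """Check one hostname before asking for a certificate for it."""
    name = name.lower().rstrip(".")
    result = {"name": name, "ok": False, "addresses": resolver(name)}
    if not result["addresses"]:
        result["reason"] = "does not resolve"
        return result
    path = CHALLENGE_PATH + test_file
    # Every address must serve the file: a name with several records can be
    # answered by any of them.
    for address in result["addresses"]:
        status, body = fetcher(address, name, path, port)
        if status != 200:
            result["reason"] = "%s answered %s for %s" % (address, status, path)
            return result
        if body.decode("utf-8", "replace").strip() != expected.strip():
            result["reason"] = "%s served different content" % address
            return result
    result["ok"] = True
    result["reason"] = "test file reachable on all addresses"
    return result


if __name__ == "__main__":
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py EXPECTED_CONTENT NAME [NAME ...]")
    for hostname in sys.argv[2:]:
        print(preflight(hostname, "testing-lets", sys.argv[1]))
```

Run it with the content you put in the test file followed by the names you intend to pass with `-d`.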


#3

Dang it all. Thanks, I forgot about the whole .well-known/acme-challenge/some_file thing. This sucks. I can create that file for JetBBS.com, but because I don’t control the webmail stuff, I can’t. Every time I go to https://webmail.JetBBS.com, it says the cert is invalid because it points to iprod.whatever.whatever. GoDaddy said purchasing a wildcard cert would fix this but I didn’t want to pay the cash for one. Was hoping I could use this Let’s Encrypt to fix it.

Thanks for the help.


#4

Just out of curiosity, why do you say this? I’m just really new to having a domain and everything.


#5

It is not usual to have a www subdomain for a 3rd level subdomain like webmail.domain.tld. Of course, it is your domain and you can do whatever you want, and if you like it that way, go ahead; there is nothing wrong with using it.


#6

Thank you Sahsanu. I made a mistake. It’s not www.webmail.JetBBS.com. It’s just webmail.JetBBS.com. I just figured with all websites, you could throw a www in front of it. I was wrong. Thank you!


#7

I’ve upgraded my account to a virtual private server. That means I have root access now so hopefully I can get an SSL cert installed, at least for the mail stuff, and go from there! Thanks for all the help!


#8

You can set a hostname however you like, and having www.example.com be equivalent to example.com is very common. It’s less common, but certainly not unheard-of, to have www.subdomain.example.com equivalent to subdomain.example.com. It isn’t wrong, nor is it particularly “right”–it’s simply a matter of preference.


#9

Thanks Danb35.

I think I like it without the www for the sub-domains. I’m having issues again with my domain. Now that I have root access, I’ve been able to do some looking into getting an SSL cert for webmail.JetBBS.com. It looks like webmail.JetBBS.com isn’t actually a sub-domain. Or at least, I don’t think it is. It looks like it’s some sort of virtual host or something? I was looking at the Apache .conf file and saw some alias stuff under virtual hosts for the webmail stuff. Not really sure how I’m supposed to proceed. I got full control of the server now. It’s CentOS 6. I can create directories wherever but creating a directory and then going to something like webmail.JetBBS.com/my-test/test.html, that doesn’t seem to be possible at this point in time.

I tried running letsencrypt-auto, just by itself, but it failed. It couldn’t install virtualenv or whatever it was, automatically. It looks like I gotta install it manually.


#10

There are some issues with letsencrypt-auto on CentOS 6, and a couple of ways to address them. First, you’ll want to make sure you have the EPEL repository active on your system–I think this will address the virtualenv problem. Second, at least with an earlier version of the script, it worked better with Python 2.7, while CentOS 6 ships with Python 2.6. There are a number of ways to deal with this; I did it using Software Collections, which will let you install 2.7 alongside 2.6, and only use 2.7 when you explicitly call for it.


#11

Thanks Danb35. I’ve used maybe 7 or 8 distros over the years but I’ve never used CentOS. I realized that CentOS 6 came with Python 2.6 and was reading into how to update it to 2.7. Yum didn’t have 2.7 listed. From what I’ve read, the actual OS depends on Python 2.6 and I will need to do what you’re talking about here, install 2.7 alongside 2.6 and only use 2.7 when I explicitly call for it.

Not really sure how to make the EPEL repository active. I’ll have to research that as well. Not sure what Software Collections is but I’ll look into that as well. I started following a tutorial, https://www.digitalocean.com/community/tutorials/how-to-set-up-python-2-7-6-and-3-3-3-on-centos-6-4

It shows me how to install 2.7.6 without breaking CentOS 6. If I’m remembering this correctly though, I want at least 2.7.8 I think or higher. So I’ll probably follow the instructions but try to install 2.7.9 of Python. Thanks for helping!


#12

To enable the EPEL repo, you should be able to do ‘yum install epel-release’. If that doesn’t work, this should:
wget https://dl.fedoraproject.org/pub/epel/epel-release-latest-6.noarch.rpm
sudo rpm -Uvh epel-release-latest-6.noarch.rpm

Edit: for more information about software collections, see https://www.softwarecollections.org/en/.


#13

Sorry for the late reply Danb35. I was following the original tutorial but used the more up-to-date packages (ie, python 2.7.11, setuptools 19.4, etc). I’ve successfully installed Python 2.7 (while leaving Python 2.6 still installed and the default). I’ve successfully installed pip for Python 2.7 and I’ve successfully installed virtualenv using pip.

Now, I just run letsencrypt-auto with no options? Will it automatically create ssl certs for my site, by looking at the Apache’s httpd.conf file? I can post the httpd.conf file, so you can see the webmail stuff I was talking about. It’s a bit confusing. I think they’re using some sort of regex expression but I’m not very good with those.


#14

I think I’m going to have to defer to others at this point, as to whether that should be expected to work. What I did, which worked for me, was to stop apache, then do:
./letsencrypt-auto certonly --standalone --email me@mydomain.com -d first.hostname.tld -d second.hostname.tld

…and once that had created the certificate files, configure Apache to use them, and then restart apache. After you have the first cert configured, renewals shouldn’t require any configuration changes to Apache.


#15

Wow, thanks! So you have GoDaddy’s Virtual Private Servers as well? Or do you use something else? I would be all about trying your example there. Just not sure how I’d configure Apache to use them. I’ve never had SSL before because of how much it costs and everything.

I see there’s a way to generate test-certs by passing a switch to letsencrypt-auto. Does anyone know what the differences between test certs and real certs are? I’d like to try the test ones first, because I read there’s only so many I can generate for a domain before they stop issuing them for me or something. By that, I just mean if I try generating something like 10 certs for webmail.JetBBS.com, I might not be able to generate them. I can only see me doing something like if I keep messing up or something.


#16

No, I’m running my own box with a customized build of CentOS 6.7 (SME Server 9, to be specific; see www.contribs.org for information about it). With the way that works, I tell the configuration database where the cert and key are, and it updates all the relevant config files. Great for me, but it means I can’t help you much with the nuts and bolts of the apache config.

You can find the latest information about rate limiting here: https://community.letsencrypt.org/t/quick-start-guide/1631

Certificates from the test server have two significant differences, compared to certs from the production server:

  • They’re issued by the “happy hacker fake CA”, and
  • They aren’t trusted by browsers

However, the rate limits are very much relaxed on the test server.

#17

Great! I’ll play around with the test-certs until I get this figured out. I’m a little worried here. I believe I found the place in Apache where I need to change the configuration stuff. I’ll copy and paste a snippet here for people to see.

# CPANEL/WHM/WEBMAIL/WEBDISK PROXY SUBDOMAINS

<VirtualHost 104.238.117.105:443 127.0.0.1:443>
    ServerName jetbbs.secureserver.net

    ServerAlias cpanel.* whm.* webmail.* webdisk.* cpcalendars.* cpcontacts.*

    DocumentRoot /usr/local/apache/htdocs
    ServerAdmin info@jetbbs.secureserver.net
    <IfModule mod_suphp.c>
        suPHP_UserGroup nobody nobody
    </IfModule>
    <IfModule mod_security2.c>
        SecRuleEngine Off
    </IfModule>
    RewriteEngine On
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProxyEngine On
        SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/cpanel.pem

    </IfModule>
    RewriteCond %{HTTP_HOST} !^jetbbs.secureserver.net$
    RewriteCond %{HTTP_HOST} ^cpanel.
#...more stuff that I didn't copy.

Even though I’m not 100% sure I’m reading this right, I think I have an idea of what’s going on…Apache checks to see if the user is trying to go to cpanel.JetBBS.com whm.JetBBS.com webmail.JetBBS.com webdisk.JetBBS.com cpcalendars.JetBBS.com or cpcontacts.JetBBS.com

If the user is trying to go there, then use the SSL certificate located in /var/cpanel/ssl/cpanel/cpanel.pem. I wonder if I would do something like:

./letsencrypt-auto certonly --test-cert --standalone --email me@JetBBS.com -d cpanel.JetBBS.com -d whm.JetBBS.com -d webmail.JetBBS.com -d webdisk.JetBBS.com -d cpcalendars.JetBBS.com -d cpcontacts.JetBBS.com

And then copy the files to the /var/cpanel/ssl/cpanel directory and replace the cpanel.pem file with whatever Let’s Encrypt creates…


#18

The only thing that confuses me about the config section you posted is that it’s pointing to the same file for the cert, the key, and the chain. That doesn’t sound right. The exact values you’d use for those fields would depend on which version of Apache you’re running, but if you’re using CentOS 6, you’re probably running Apache 2.2. In that case, SSLCertificateFile would be set to cert.pem and SSLCertificateChainFile would be set to chain.pem.

Your command line looks correct. Again, Apache will have to be stopped before running it this way.


#19

Yes, 2.2 seems to be the version. I run httpd -v, this is the output:

Server version: Apache/2.2.29 (Unix)
Server built:   Oct  7 2014 11:35:25
Cpanel::Easy::Apache v3.26.8 rev9999

I also got confused about the httpd.conf SSL stuff all pointing to the same file, the cpanel.pem file. I’ll back it up before I replace it, in case it breaks something. It’s a weird setup. The httpd.conf file stuff I posted, above it, there’s a line that says don’t change anything below this line, use the include files to modify it. There’s a directory called includes in that conf directory but it doesn’t include anything about SSL stuff. I believe the information is actually getting added by /var/cpanel/templates/apache2/main.default.

Here’s a snippet of that file:

    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProxyEngine On
    [% IF file_test('f', '/var/cpanel/ssl/cpanel/mycpanel.pem') -%]
        SSLCertificateFile /var/cpanel/ssl/cpanel/mycpanel.pem
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/mycpanel.pem
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/mycpanel.pem
    [% ELSIF file_test('f', '/var/cpanel/ssl/cpanel/cpanel.pem') -%]
        SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.pem
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/cpanel.pem
    [% ELSIF file_test('f', '/var/cpanel/ssl/cpanel/cpanel.crt') && file_test('f', '/var/cpanel/ssl/cpanel/cpanel.key') %]
        SSLCertificateFile /var/cpanel/ssl/cpanel/cpanel.crt
        SSLCertificateKeyFile /var/cpanel/ssl/cpanel/cpanel.key
        [% IF file_test('f', '/var/cpanel/ssl/cpanel/cpanel.cab') %]
        SSLCertificateChainFile /var/cpanel/ssl/cpanel/cpanel.cab
        [% END %]
    [% ELSE %]
        # No service SSL installed for cPanel
    [% END %]
    </IfModule>

Maybe that sheds some light on it? I wonder what the file extension for the cert, the key and the chain are. If it’s something like .cab for the chain file, .key for the key file and .crt for the cert file, I think once I put all those three files in the /var/cpanel/ssl/cpanel/ directory, the script will set the values accordingly.

If this is the case, I will back up the .pem file and then make the appropriate changes. From what I was reading, letsencrypt-auto will put the files inside the /etc/letsencrypt directory. Which ones do I need to move from there do you think? I was reading there was some private key that I should put some place where no one can use it but it needs to stay on the server…not sure where I put that.
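An added example, not code from any poster in this thread and not cPanel's or Let's Encrypt's own tooling: the template quoted above accepts one .pem file for the cert, key and chain directives, so this sketch builds such a file from letsencrypt's cert.pem, privkey.pem and chain.pem, backs up the existing file, and keeps the result readable only by its owner. The function names, the backup suffix and the destination path are assumptions, and the thread does not establish whether cPanel later regenerates that file.

```shell
#!/bin/sh
# Added example: combine Let's Encrypt output into a single PEM file.
# LIVE_DIR is expected to look like /etc/letsencrypt/live/<name>/ and hold
# cert.pem, privkey.pem and chain.pem; DEST is chosen by the caller.

# Succeeds if file $1 contains a PEM block whose label matches regex $2.
has_pem_block() {
    grep -Eq -e "^-----BEGIN $2-----\$" "$1"
}

# build_combined_pem LIVE_DIR DEST
build_combined_pem() {
    live_dir=$1
    dest=$2

    # Refuse to continue unless each input holds what its name claims.
    has_pem_block "$live_dir/privkey.pem" '([A-Z]+ )?PRIVATE KEY' || {
        echo "privkey.pem: no private key block" >&2; return 1; }
    has_pem_block "$live_dir/cert.pem" 'CERTIFICATE' || {
        echo "cert.pem: no certificate block" >&2; return 1; }
    has_pem_block "$live_dir/chain.pem" 'CERTIFICATE' || {
        echo "chain.pem: no certificate block" >&2; return 1; }

    # Keep a timestamped copy of the current file for rollback.
    if [ -f "$dest" ]; then
        cp -p "$dest" "$dest.bak.$(date +%Y%m%d%H%M%S)" || return 1
    fi

    # Write under a restrictive umask (the subshell keeps it local), then
    # rename into place so the web server never reads a partial file.
    tmp="$dest.new.$$"
    (
        umask 077
        cat "$live_dir/privkey.pem" "$live_dir/cert.pem" \
            "$live_dir/chain.pem" > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$dest"
}

# Example call (destination taken from the config quoted in the thread):
# build_combined_pem /etc/letsencrypt/live/<name> /var/cpanel/ssl/cpanel/cpanel.pem
```

The leaf certificate comes before the chain so that it is the first certificate in the file, and the private key never exists on disk with permissions wider than 0600.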


#20

I had some stuff to do around the house with my Logic Analyzer but I’m back to working on the site. I ran the let’s encrypt command that I posted, but I added a -d JetBBS.com and a -d www.JetBBS.com as well. I had another question.

Just to make sure I’m clear on this…I create a bunch today. In a month, I create a sub-domain, forums.JetBBS.com. In 90 days will I be able to renew that subdomain at the same time when I renew the certs I’m creating today? Or will I have to wait a month?

I also see the script tries to install Python2.6 using yum. I’ve manually installed 2.7.11. I should probably check to see if there’s a way to tell it what version of Python to use.