I`m trying to sign csr file and use it with Elasticsearch Shield.
Creating the csr file:
cd CONFIG_DIR/shield
keytool -importcert -keystore node01.jks -file letsencrypt_public.pem -alias letsencrypt
keytool -genkey -alias node01 -keystore node01.jks -keyalg RSA -keysize 2048 -validity 712 -ext san=dns:mydomain.com,ip:11.11.11.11
keytool -certreq -alias node01 -keystore node01.jks -file node01.csr -keyalg rsa -ext san=dns:mydomain.com,ip:11.11.11.11
Using letsencrypt official client:
git clone https://github.com/letsencrypt/letsencrypt
cd letsencrypt
./letsencrypt-auto --help
sudo ./letsencrypt-auto auth --csr /etc/elasticsearch/shield/node01.csr
The output:
etc/elasticsearch/shield/node01.csr
Checking for new version...
Requesting root privileges to run letsencrypt...
/home/usera/.local/share/letsencrypt/bin/letsencrypt --no-self-upgrade auth --csr /etc/elasticsearch/shield/node01.csr
No handlers could be found for logger "letsencrypt.crypto_util"
An unexpected error occurred:
The server experienced an internal error :: Error creating new cert
Please see the logfiles in /var/log/letsencrypt for more details.
The error log:
usera@ip-11-11-11-11:~$ sudo cat /var/log/letsencrypt/letsencrypt.log | grep error
raise errors.NoInstallationError
2016-02-21 12:24:30,042:DEBUG:letsencrypt.plugins.disco:Other error: (PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with -- help webroot for examples.
2016-02-21 12:24:34,354:DEBUG:root:Received <Response [500]>. Headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7esrty49olv'}. Content: '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
2016-02-21 12:24:34,354:DEBUG:acme.client:Received response <Response [500]> (headers: {'Content-Length': '88', 'Expires': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sun, 21 Feb 2016 12:24:33 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'ldZn123451Bb5D1234godjteu1VLjZ5o7esrty49olv'}): '{"type":"urn:acme:error:serverInternal","detail":"Error creating new cert","status":500}'
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Error creating new cert
I suppose I will shut down nginx when I got Shield to work, so what is the problem here? Why cant I sign the csr file?