Installed Debian 11: can't get certificate to activate SSL: times out EVERY TIME

With all due respect, I DON'T want to install any more extra stuff, and all I really want is to have SSL working, and in order for me to do this, I would have to understand what they are doing, and it sounds like I am adding and REDOING all of the configs in apache2.conf.

I keep getting errors on:

root@cardinal:~/.acme.sh# ./acme.sh --issue -d www.buddy-baker.org -d buddy-baker.org -w /var/www/bluejay.bbdo/public
[Mon 02 May 2022 02:01:12 PM EDT] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon 02 May 2022 02:01:12 PM EDT] Multi domain='DNS:www.buddy-baker.org,DNS:buddy-baker.org'
[Mon 02 May 2022 02:01:12 PM EDT] Getting domain auth token for each domain
[Mon 02 May 2022 02:01:13 PM EDT] Create new order error. Le_OrderFinalize not found. {
"type": "urn:ietf:params:acme:error:rateLimited",
"detail": "Error creating new order :: too many failed authorizations recently: see Rate Limits - Let's Encrypt",
"status": 429
}
[Mon 02 May 2022 02:01:13 PM EDT] Please add '--debug' or '--log' to check more details.
[Mon 02 May 2022 02:01:13 PM EDT] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub

and

root@cardinal:~/.acme.sh# ./acme.sh --issue -d www.buddy-baker.info -d buddy-baker.info -w /var/www/mallard.dkpi/public
[Mon 02 May 2022 02:05:40 PM EDT] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mon 02 May 2022 02:05:40 PM EDT] Creating domain key
[Mon 02 May 2022 02:05:40 PM EDT] The domain key is here: /root/.acme.sh/www.buddy-baker.info/www.buddy-baker.info.key
[Mon 02 May 2022 02:05:40 PM EDT] Multi domain='DNS:www.buddy-baker.info,DNS:buddy-baker.info'
[Mon 02 May 2022 02:05:40 PM EDT] Getting domain auth token for each domain
[Mon 02 May 2022 02:05:42 PM EDT] Getting webroot for domain='www.buddy-baker.info'
[Mon 02 May 2022 02:05:42 PM EDT] Getting webroot for domain='buddy-baker.info'
[Mon 02 May 2022 02:05:42 PM EDT] Verifying: www.buddy-baker.info
[Mon 02 May 2022 02:05:43 PM EDT] Pending, The CA is processing your order, please just wait. (1/30)
[Mon 02 May 2022 02:05:46 PM EDT] www.buddy-baker.info:Verify error:174.83.81.140: Invalid response from http://www.buddy-baker.info/.well-known/acme-challenge/9q3Bsqh52X5doFXzJO6TSrADoZkHyFxaLoEzPDADftA: 404
[Mon 02 May 2022 02:05:46 PM EDT] Please add '--debug' or '--log' to check more details.
[Mon 02 May 2022 02:05:46 PM EDT] See: How to debug acme.sh · acmesh-official/acme.sh Wiki · GitHub
root@cardinal:~/.acme.sh#

HOW do I get rid of the errors?

Brian

You need maintainability.

This was an entirely avoidable mess. (First of all, why would you use acme.sh? It's powerful, ok, but it's unforgiving as f*ck. Certbot wouldn't have made you scream in pain.)


Yes, I agree: I need maintainability:

HOWEVER: I was using certbot before and then I had to go to acme.sh because someone decided to have certbot install snaps/snapd, and I don't want to add another installer to the mix.

I am not sure why I am getting errors: all I want is to get the certs for the ones I am missing, so I can restore my websites on ports 80 and 443. How do I do that without redefining the entire installation?

Brian

You show the above for your ".com" site but that is not working. If I make an http request your rewrites should redirect to https but it does not. Your Apache server is not doing what you think it is.

curl -I www.buddy-baker.com

HTTP/1.1 200 OK
Date: Mon, 02 May 2022 18:31:03 GMT
Server: Apache/2.4.53 (Debian)
Last-Modified: Wed, 26 Jun 2019 21:29:06 GMT
ETag: "3e0-58c40bc26ac80"
Accept-Ranges: bytes
Content-Length: 992
Vary: Accept-Encoding
Content-Type: text/htm

You have to check each port 80 virtualhost, write down what domain goes to what webroot, and issue the proper commands.

Now, if apache isn't serving those webroots, and it's instead serving only some and we don't know which ones, that's a problem.

If apache won't even start because it's looking for certificates that aren't there, that's another problem.

There are several ways to solve this.

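The procedure 9peppe describes (check each port-80 vhost, note which name maps to which webroot, then issue for that pair) can be made mechanical. The script below is an added example, not code from this thread, from acme.sh or from certbot. It lists the name-to-DocumentRoot mapping of every `*:80` vhost in the config files you pass it, plants a probe file exactly where `-w /var/www/.../public` tells acme.sh to write the challenge, and fetches it over plain HTTP the way the CA does, so a 404 like the one in the log above is found by curl instead of by Let's Encrypt. That matters because the first error in the thread is a rate limit on failed authorizations; until the probe returns 200, issue only against the staging CA (`acme.sh --issue --test`, or `certbot --dry-run`) so failures are free. The hostnames and paths in the built-in demo are invented.

```shell
#!/bin/sh
# Added example, not code from the thread or from acme.sh/certbot: map every
# port-80 Apache vhost to its DocumentRoot, then plant a probe file exactly
# where a webroot authenticator would, so the 404 above can be reproduced with
# curl before spending another failed authorization against the rate limit.
# Hostnames and paths in the demo at the bottom are made up.

# Print "name docroot", one line per ServerName/ServerAlias, for each
# <VirtualHost ...:80> block in the given files. Include directives are not
# followed, so pass the files under sites-enabled/ directly.
list_http_vhosts() {
    awk '
        tolower($0) ~ /^[ \t]*<virtualhost[^>]*:80>/ { inblock = 1; n = 0; root = ""; next }
        inblock && tolower($0) ~ /^[ \t]*<\/virtualhost>/ {
            for (i = 1; i <= n; i++) print names[i], (root == "" ? "(no DocumentRoot)" : root)
            inblock = 0; next
        }
        !inblock { next }
        tolower($1) == "servername"   { names[++n] = $2 }
        tolower($1) == "serveralias"  { for (i = 2; i <= NF; i++) names[++n] = $i }
        tolower($1) == "documentroot" { root = $2; gsub(/"/, "", root) }
    ' "$@"
}

# Create the challenge directory under DOCROOT (what -w / --webroot-path
# points at), drop a token there and print the token name.
plant_probe() {
    dir="$1/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    token="probe-$$-$(date +%s)"
    printf 'ok\n' > "$dir/$token" || return 1
    printf '%s\n' "$token"
}

# Fetch the probe the way the CA does: plain HTTP, by hostname, no TLS.
# Prints the status code; only 200 means the webroot and the vhost agree.
# A 404 (as in the log above), a redirect to https, or another site's page
# means Apache serves that name from somewhere other than the webroot given.
fetch_probe() {
    curl -s -o /dev/null -w '%{http_code}\n' "http://$1/.well-known/acme-challenge/$2"
}

if [ $# -gt 0 ]; then
    list_http_vhosts "$@"   # real use: sh probe-webroot.sh /etc/apache2/sites-enabled/*.conf
else
    # Offline demo on a constructed config; names and paths are invented.
    tmp=$(mktemp -d)
    cat > "$tmp/example.conf" <<'EOF'
<VirtualHost *:80>
    ServerName www.example.test
    ServerAlias example.test
    DocumentRoot /var/www/example/public
</VirtualHost>
<VirtualHost *:443>
    ServerName www.example.test
    DocumentRoot /var/www/example/public
</VirtualHost>
EOF
    list_http_vhosts "$tmp/example.conf"
    token=$(plant_probe "$tmp/webroot")
    echo "planted $tmp/webroot/.well-known/acme-challenge/$token"
    echo "check with: fetch_probe www.example.test $token"
    rm -rf "$tmp"
fi
```

Run it against the real files (`sh probe-webroot.sh /etc/apache2/sites-enabled/*.conf`), then for each name call `plant_probe` on the docroot it printed and `fetch_probe name token` from any outside host. A name that is missing from the list, or that prints a different docroot than the one you pass to `-w`, is the vhost acme.sh cannot satisfy; fix that before retrying `--issue` against production.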


I installed certbot and snaps and snapd:

I now get this when trying to get www.buddy-baker.info running:

root@cardinal:~# certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 19 of /etc/apache2/sites-enabled/buddy-baker.info-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/www.buddy-baker.info/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 19 of /etc/apache2/sites-enabled/buddy-baker.info-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/www.buddy-baker.info/fullchain.pem' does not exist or is empty\n")

This file is RIGHT at:

root@cardinal:/etc/letsencrypt/live/buddy-baker.info# ls -l
total 4
lrwxrwxrwx 1 root root 41 Nov 3 14:02 cert.pem -> ../../archive/buddy-baker.info/cert10.pem
lrwxrwxrwx 1 root root 42 Nov 3 14:02 chain.pem -> ../../archive/buddy-baker.info/chain10.pem
lrwxrwxrwx 1 root root 46 Nov 3 14:02 fullchain.pem -> ../../archive/buddy-baker.info/fullchain10.pem
lrwxrwxrwx 1 root root 44 Nov 3 14:02 privkey.pem -> ../../archive/buddy-baker.info/privkey10.pem
-rw-r--r-- 1 root root 692 Nov 3 14:02 README
root@cardinal:/etc/letsencrypt/live/buddy-baker.info#

What is going on here???

Brian

Is the file actually there, or is it just a symlink hanging in the ether?

And how is it that you have 10 different versions if you just installed certbot?

Please notice the difference between the two paths.

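To answer 9peppe's two questions for every vhost at once (is the file actually there, and does the path in the `*-le-ssl.conf` match the directory certbot created?), here is an added example script. It is not code from the thread or from certbot; the hostnames and paths in its built-in demo are invented. It reads the SSLCertificate* directives out of whatever config files you give it and, following symlinks, reports whether each path resolves to a non-empty file, is a dangling link, is empty, or does not exist. In the error above the config asks for `live/www.buddy-baker.info/` while certbot's directory is `live/buddy-baker.info/`, which this prints as MISSING.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot: resolve every
# certificate path Apache is told to load and say which ones are dangling
# symlinks, empty, or absent, so a mismatch between the path in a
# *-le-ssl.conf and the real /etc/letsencrypt/live/<name>/ directory shows
# up before apache2ctl configtest refuses to start the server.

# For each SSLCertificateFile / SSLCertificateKeyFile / SSLCertificateChainFile
# directive in the given files print one line:
#   OK <directive> <path> -> <resolved file>
#   DANGLING <directive> <path> -> <link target that does not exist>
#   EMPTY <directive> <path>
#   MISSING <directive> <path>
check_cert_paths() {
    grep -hiE '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$@" |
    while read -r directive path _; do
        path=${path%\"}; path=${path#\"}          # Apache allows quoted paths
        if target=$(readlink -f "$path" 2>/dev/null) && [ -s "$target" ]; then
            printf 'OK %s %s -> %s\n' "$directive" "$path" "$target"
        elif [ -L "$path" ]; then
            printf 'DANGLING %s %s -> %s\n' "$directive" "$path" "$(readlink "$path")"
        elif [ -e "$path" ]; then
            printf 'EMPTY %s %s\n' "$directive" "$path"
        else
            printf 'MISSING %s %s\n' "$directive" "$path"
        fi
    done
}

# Confirm the private key belongs to the certificate by comparing the public
# keys openssl derives from each (works for RSA and ECDSA lineages). Returns 2
# when openssl is not installed rather than reporting a false match.
key_matches_cert() {
    command -v openssl >/dev/null 2>&1 || return 2
    pub_from_key=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    pub_from_cert=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$pub_from_key" ] && [ "$pub_from_key" = "$pub_from_cert" ]
}

if [ $# -gt 0 ]; then
    check_cert_paths "$@"   # real use: sh check-cert-paths.sh /etc/apache2/sites-enabled/*.conf
else
    # Offline demo of the situation in the thread: the config points at
    # live/www.example.test/ while certbot only created live/example.test/.
    # Directory layout mirrors certbot's live -> archive symlinks; contents are fake.
    tmp=$(mktemp -d)
    mkdir -p "$tmp/archive/example.test" "$tmp/live/example.test"
    printf 'not a real certificate\n' > "$tmp/archive/example.test/fullchain1.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$tmp/live/example.test/fullchain.pem"
    cat > "$tmp/example-le-ssl.conf" <<EOF
SSLCertificateFile $tmp/live/www.example.test/fullchain.pem
SSLCertificateFile $tmp/live/example.test/fullchain.pem
EOF
    check_cert_paths "$tmp/example-le-ssl.conf"
    rm -rf "$tmp"
fi
```

After `check_cert_paths /etc/apache2/sites-enabled/*.conf` shows only OK lines, `key_matches_cert /etc/letsencrypt/live/<name>/privkey.pem /etc/letsencrypt/live/<name>/fullchain.pem` catches the other way a lineage can be broken (a key from one renewal paired with a certificate from another); only then is `apache2ctl configtest` worth running.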

Update: I deleted any mention of the *-le-ssl.conf files for each domain, then reloaded all of the .conf files for DOT US, DOT COM, DOT ORG and DOT INFO.

Then, as suggested, I installed snaps, snapd, snap core, and finally Certbot: I allowed that to install, then did 'a2enmod' for any mods I was missing like ssl, then I did:

'certbot --apache', and it told me I needed to put the configs into /etc/apache2/sites-available and enable them, so I did an a2ensite [domain], and after that happened I was able to redo the 'certbot --apache', and it appears to be working well. I now show you the output from 'certbot certificates':

root@cardinal:~# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log


Found the following certs:
Certificate Name: buddy-baker.us
Serial Number: 429d03dd4197cbbbcbabcd3e4d4c70d0d0b
Key Type: RSA
Domains: buddy-baker.us buddy-baker.com buddy-baker.info buddy-baker.org www.buddy-baker.com www.buddy-baker.info www.buddy-baker.org www.buddy-baker.us
Expiry Date: 2022-07-31 21:12:18+00:00 (VALID: 88 days)
Certificate Path: /etc/letsencrypt/live/buddy-baker.us/fullchain.pem
Private Key Path: /etc/letsencrypt/live/buddy-baker.us/privkey.pem


root@cardinal:~#

Question is: if you look at the output, I am assuming that I have all of the domains (according to what the info says when you run the 'certbot --apache' command). It picked up ALL 8 (4 with www.mydomain, 4 without) and I just went 1,2,3,4,5,6,7,8 and then it made all my *-le-ssl.conf files based on my 4 domains.

I am assuming now that I have all my certificates? They appear to be working OK now :)

Thank you for all your help on this one: I FINALLY have the server and all that stuff working, and I just have to tinker now :)

Brian


Yes, certs look good at SSL Labs


Hello @baker7!

I am glad you sorted it out.
For automatic renewal of the certificates you need a cron job.

Create the file /etc/cron.d/certbot with this content:

# Manually added by [PaulB] 2022-04-28 to renew yatebts.com SSL cert
# runs at 01:20 on every 5th day-of-month (do not change this)
20 1 */5 * * root certbot renew --post-hook "systemctl restart httpd"

Change the file permissions with:

chmod u=rw,g=r,o=r /etc/cron.d/certbot

Restart the crond service:

systemctl restart crond

or

service crond restart

I hope this helps, as certificates are valid for 3 months and with this automation you can easily renew them.
You do not need to change anything in the Apache configuration files if you configured the symlinks of the certificates in the first place, and from your logs it seems you did.

Thank you!


Welcome @afkpaul

Good tip but I think --deploy-hook is more appropriate. (snip from docs)

--deploy-hook DEPLOY_HOOK
                        Command to be run in a shell once for each
                        successfully issued certificate.

Also, only a reload is needed to refresh apache config. A restart is more disruptive

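Putting the two replies above together (renew from cron, prefer `--deploy-hook` over `--post-hook`, and reload rather than restart), here is an added example of what that hook can look like. It is not code from the thread or from certbot. What certbot does supply, and this script relies on, is the environment it gives deploy hooks: `RENEWED_LINEAGE` (the `live/<name>` directory that was just renewed) and `RENEWED_DOMAINS`. Everything else, the `APACHECTL` and `RELOAD_CMD` knobs and the install path in the cron line, is this script's own and is assumed; the defaults fit Debian, where the unit is `apache2`, not the `httpd` used in the cron example above. The point of the checks is that a reload of a half-written lineage or a broken config is exactly how a renewal turns into the "fullchain.pem does not exist" outage earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from certbot: a deploy hook that
# reloads Apache only if the renewed lineage is complete and the config still
# passes a syntax check. Certbot exports RENEWED_LINEAGE (the live/<name>
# directory) and RENEWED_DOMAINS to deploy hooks. APACHECTL and RELOAD_CMD are
# this script's own overridable knobs; the defaults assume Debian's apache2.
#
# Cron entry that uses it (hook path is hypothetical). An executable dropped in
# /etc/letsencrypt/renewal-hooks/deploy/ is run by "certbot renew" without
# any --deploy-hook flag at all, which is the lower-maintenance option:
#   20 1 */5 * * root certbot renew -q --deploy-hook /usr/local/sbin/reload-apache-hook.sh
APACHECTL=${APACHECTL:-apache2ctl}
RELOAD_CMD=${RELOAD_CMD:-"systemctl reload apache2"}

# Both files the *-le-ssl.conf references must exist and be non-empty.
lineage_complete() {
    [ -s "$1/fullchain.pem" ] && [ -s "$1/privkey.pem" ]
}

# Reload (never restart: a reload finishes in-flight requests and keeps the
# old workers if the new config fails) only when the lineage is complete and
# configtest passes. On any failure leave the running server alone, report on
# stderr and return 1 so certbot logs the hook failure; the previous
# certificate keeps serving until someone looks.
reload_if_valid() {
    lineage=${RENEWED_LINEAGE:-}
    if [ -z "$lineage" ] || ! lineage_complete "$lineage"; then
        printf 'deploy hook: lineage %s incomplete, apache NOT reloaded\n' "${lineage:-?}" >&2
        return 1
    fi
    if ! "$APACHECTL" configtest >/dev/null 2>&1; then
        printf 'deploy hook: configtest failed after renewing %s, apache NOT reloaded\n' "$lineage" >&2
        return 1
    fi
    $RELOAD_CMD || return 1
    printf 'deploy hook: reloaded apache for %s (%s)\n' "$lineage" "${RENEWED_DOMAINS:-?}"
}

# Certbot runs this with RENEWED_LINEAGE set; sourced by hand it only defines
# the functions, so they can be exercised with fake APACHECTL/RELOAD_CMD values.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    reload_if_valid
fi
```

`systemctl reload apache2` is the service-manager spelling of the graceful restart mentioned below (`apache2ctl graceful` sends the same USR1); a `--post-hook` with `systemctl restart` runs even on days when nothing was renewed and drops live connections every time.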

If you want to go full haxxor you can use killall -USR1 httpd

https://httpd.apache.org/docs/2.4/stopping.html#graceful

