Letsencrypt on CentOS7


#1

Hello,

I’m trying to install Letsencrypt on a freshly installed CentOS7 server, but no luck so far.

I issued the following command, inspired by another thread here related to CentOS7:

./letsencrypt-auto certonly -a standalone -d mydomain.com -d www.mydomain.com --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview

which returns

Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted.

I'm running Python v2.7.5 on a server managed by Plesk 12.5.

When I ran the command for the first time, I received "InsecurePlatformWarning: A true SSLContext object is not available. (…)", after which I ran
easy_install https://pypi.python.org/packages/source/p/pyOpenSSL/pyOpenSSL-0.15.1.tar.gz

Would it help to figure out what’s going on if I post a section of the logfile?

I found .pem files but no .crt files in /etc/letsencrypt.


#2

I’m assuming that the domain in question was whitelisted.

Yes, I think any extra info (from the logs) would help, and it's also worth trying with the debug option.


#3

Here’s the logfile:

2015-11-24 20:43:46,222:DEBUG:letsencrypt.cli:Root logging level set at 30
2015-11-24 20:43:46,222:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-24 20:43:46,222:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151123
2015-11-24 20:43:46,222:DEBUG:letsencrypt.cli:Arguments: ['-a', 'standalone', '-d', 'mydomain.com', '-d', 'www.mydomain.com', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--agree-dev-preview']
2015-11-24 20:43:46,223:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-11-24 20:43:46,228:DEBUG:letsencrypt.cli:Requested authenticator standalone and installer None
2015-11-24 20:43:46,361:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x2c4c4d0>
Prep: True
2015-11-24 20:43:46,361:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x2c4c4d0> and installer None
2015-11-24 20:43:46,382:DEBUG:letsencrypt.cli:Picked account: <Account(e0714b8e65f65ea4b1d0109704ecd319)>
2015-11-24 20:43:46,382:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2015-11-24 20:43:46,388:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 20:43:46,954:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 263
2015-11-24 20:43:46,957:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '263', 'Expires': 'Tue, 24 Nov 2015 20:43:46 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 20:43:46 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'hBzjB90_9BQEeEmFivLnzJ0j0dudlcKWFzjUVVuA8wc'}. Content: '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2015-11-24 20:43:46,958:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '263', 'Expires': 'Tue, 24 Nov 2015 20:43:46 GMT', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 20:43:46 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'hBzjB90_9BQEeEmFivLnzJ0j0dudlcKWFzjUVVuA8wc'}): '{"new-authz":"https://acme-v01.api.letsencrypt.org/acme/new-authz","new-cert":"https://acme-v01.api.letsencrypt.org/acme/new-cert","new-reg":"https://acme-v01.api.letsencrypt.org/acme/new-reg","revoke-cert":"https://acme-v01.api.letsencrypt.org/acme/revoke-cert"}'
2015-11-24 20:43:47,444:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0001_key-letsencrypt.pem
2015-11-24 20:43:47,447:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-letsencrypt.pem
2015-11-24 20:43:47,447:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0001_csr-letsencrypt.pem', data='0\x82\x02\xb80\x82\x01\xa0\x02\x000"1 0\x1e\x06\x03U\x04\x03\x0c\x17mydomain.com0\x82\x01"0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03\x82\x01\x0f\x000\x82\x01\n\x02\x82\x01\x01\x00\xc7\x8a\x83qLd<\x9e\x12\xc5*\xfb5\xcc\xf2\xed(h\xc9:O\x9b\x95\xb4\'\xedD\\3\xe3\xd816\x94\x95\xe6\x1c\xcf\xd8\xf1\x18\x1c\xe9^\xa7\xdbq\xd81/E\xeb\x937\x19\xack#\xaeV\x06;Cl4\xfd[\xe2E\x85\xbeq^\ti\'^X\xae\xca\x16\xa88+\r\x9cZ\xf8Zp\xc6\xb5n\xc8\xef\xf8^W\xf5\x01~$\x98\x97\xbc\xd7\xd5\x8eqx|t<\xf4\xa1\xd7\x0eh\xd6JB\x9e\xf88l\xf0\xc3\x98\x93\x1e\xf1\x03X\xde\xf8p!\x97\x01\\\x19/\x9d&\xd6;\x7f\x1b\x0b3\'\xea\x04\xf6!\xb0F\xee\x18\xa7\xdf\xfb\xdd\x02c\x9ePf\x03\xca/{\xb9K\xf3\xe1\xafv\xb06\x9be.\x0f\xf4\x8b\xa7\xef\x9d3\x94x\xd2\xf86\xf9\'\xce\xb8Q\xc5i+\x89Q\xd4\x02\x14\x1e\xa6\xef\xae\x9c\xee\x97\xda\xa5\x05-\x8c\xe9@\x1e\xb5\xce\xfe\x11%\xbc\x17"\x1f)\x0fG\x7f\x8a\xa6\x8f\x9a}b\x99\xaa\x8bZF\xe2\xd4\xd1\xd6\x8d\x04(\x95\x02\x03\x01\x00\x01\xa0R0P\x06\t*\x86H\x86\xf7\r\x01\t\x0e1C0A0?\x06\x03U\x1d\x11\x04806\x82\x17mydomain.com\x82\x1bwww.mydomain.com0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x0b\x05\x00\x03\x82\x01\x01\x00q\xcc0k\xe7\xe9\xa1\x93\xf7vV\x88$\x89\x1e\'Y\xf3\x81\xc0Vz\xc1\xc8R\x95\xa0\xa2\x0e#e\xaa\xc7\xc5!\x8ej\x15\xd5<\xc4\xb0\x8bNiC\xb3\x1d\x99\xaa\x0c\xf1\x90#\xe2\xd7\xfdD \xf7\xb9\xa4\x17=\xffl\xaa\xd26\xf2TG\xa3\xb6\x10s\xce\xbb\xff\xd3\xec\x81\xe6\x01\xe93\xf8\xbc|\x94\xc4\xd4\t9\xf2\x88\xef\xf7\xf2LB#K\xe7\x05\xcf\x159\x83\x02\xd0\xa9\x82\x89^C\xc2\x97\x95\x94\xc2\x05\xac&\xe5\xd3;\xccpt\x87\x97\xc6G\xcc\x1ft\x8c\xb0\x81;\n\xea\xe9\x8b\xce\xa0\xd9\xb3F\x90\x0b\x1d\x05\x0er\x1a\xf0\x0cB\x9b\x0e\xb8\x12\x06\n\x94\xef\'+\xf0\x9a\x8b\xe8H$\x88\r@\x04\xe4\xea*\xddR\x9fMB\xcc\xb3\xf2o-\x92\xcb\xa8\xee@-\x82\x10O\xa4\xa4\x93\xce\x8c\x0e\xcc\xdc\x83\xc0\xd7H\xbe~\x97\xc7\xed\n\x04D\xc6\xda\x0c\x96\xdd\x02\xc1\xf7\x93\xe1\x1e\xa5\x05.\x03AoBb\x17\xeej\x13\xcf\x16\xa5\xf7k\xda"h\xf4\xcc\xda', form='der'), domains: ['mydomain.com', 'www.mydomain.com']
2015-11-24 20:43:47,448:DEBUG:root:Requesting fresh nonce
2015-11-24 20:43:47,448:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2015-11-24 20:43:47,449:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 20:43:47,650:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2015-11-24 20:43:47,652:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '0', 'Pragma': 'no-cache', 'Expires': 'Tue, 24 Nov 2015 20:43:47 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 20:43:47 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'PYXUp6uSFaOimQrY5vwhmPPhSZ62pNTIOq-6UxgsOtk'}. Content: ''
2015-11-24 20:43:47,653:DEBUG:acme.client:Storing nonce: '=\x85\xd4\xa7\xab\x92\x15\xa3\xa2\x99\n\xd8\xe6\xfc!\x98\xf3\xe1I\x9e\xb6\xa4\xd4\xc8:\xaf\xbaS\x18,:\xd9'
2015-11-24 20:43:47,653:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, combinations=None, status=None
2015-11-24 20:43:47,653:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "mydomain.com"}, "resource": "new-authz"}
2015-11-24 20:43:47,655:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, jwk=None, x5u=None, kid=None, alg=None, cty=None, x5tS256=None, jku=None, x5t=None
2015-11-24 20:43:47,657:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), typ=None, x5u=None, kid=None, cty=None, x5tS256=None, jku=None, x5t=None, nonce=None
2015-11-24 20:43:47,658:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "r6FJyUOpMCRrzLRy4R3MO5cmwxdWOwVGgN-h4AIXR7nDcwLCWhkMe4OWXrzK5jyjbjBaAs6Ss0fDhSL8eyzDUSROkXEgk8aJt58djYYmDXkokIrJuYxjztFui7H94WwlgQiWdpgcYKwt53S2Lg9eQdVdkgjw6N2EX40x-0NUFslKxFNZnOnnXS37l8KJZJvUKg2xh97psLlxUJWdjGZ9fYFvcaqW_jQj08INpKP1cEDlXiPqrVwDvd9udPTDQzVsGoxPMyzCEAq88buR12aAOEC__MBGq_BOpn88pgGe3BTsfJPVgQESCIl6PzIi7i7zV5MfVIamDFtc3JMAXsS-tQ"}}, "protected": "eyJub25jZSI6ICJQWVhVcDZ1U0ZhT2ltUXJZNXZ3aG1QUGhTWjYycE5USU9xLTZVeGdzT3RrIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJwc3ljaG90aGVyYXBpZXByYXhpcy5hdCJ9LCAicmVzb3VyY2UiOiAibmV3LWF1dGh6In0", "signature": "MpjsbRRzUN9VwUdkf5RCxa_phak_NMjsWq6ZSjV-AJBpFsNf25sveHfxvBc2CIk7efiN8lqwhFIka_qKPZ3hgvGXI0_WNUrNKHZbiwITkPfsgCpC_PM5b_Y7ODKyazEfd-7lxiw72O7cWVDxgmjyADxFfhOS02d848o2FsyEK95g7iJC4-_mDBI68oS6rTvZ9t25vH67el--WNwrFHOg5vIbe3iF349UHcRkPvtCZA_rZ_b8TQDIr4LWgQC5PiURfmbzTOQTNzNJLAbI0zyfpsveZh8rCyWBf6SUzDKgM2F4fxdYmuxEH0M3C0q2U6sOS3IqDbW30SqCjmCgVO_pWQ"}'}
2015-11-24 20:43:47,659:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2015-11-24 20:43:47,881:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 403 101
2015-11-24 20:43:47,883:DEBUG:root:Received <Response [403]>. Headers: {'Content-Length': '101', 'Expires': 'Tue, 24 Nov 2015 20:43:47 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 20:43:47 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'CPLQUn4OuaAoYoFnZsuBp2hSUjj4f_rbBn3tNWbyMLM'}. Content: '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is not whitelisted"}'
2015-11-24 20:43:47,884:DEBUG:acme.client:Storing nonce: '\x08\xf2\xd0R~\x0e\xb9\xa0(b\x81gf\xcb\x81\xa7hRR8\xf8\x7f\xfa\xdb\x06}\xed5f\xf20\xb3'
2015-11-24 20:43:47,884:DEBUG:acme.client:Received response <Response [403]> (headers: {'Content-Length': '101', 'Expires': 'Tue, 24 Nov 2015 20:43:47 GMT', 'Server': 'nginx', 'Connection': 'close', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 24 Nov 2015 20:43:47 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'CPLQUn4OuaAoYoFnZsuBp2hSUjj4f_rbBn3tNWbyMLM'}): '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is not whitelisted"}'
2015-11-24 20:43:47,885:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 1206, in main
    return args.func(args, config, plugins)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 500, in obtain_cert
    _auth_from_domains(le_client, config, domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/cli.py", line 325, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 283, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 266, in obtain_certificate
    return self._obtain_certificate(domains, csr) + (key, csr)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/client.py", line 224, in _obtain_certificate
    authzr = self.auth_handler.get_authorizations(domains)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
    domain, self.account.regr.new_authzr_uri)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 215, in request_domain_challenges
    typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 195, in request_challenges
    response = self.net.post(new_authzr_uri, new_authz)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 628, in post
    return self._check_response(response, content_type=content_type)
  File "/root/.local/share/letsencrypt/lib/python2.7/site-packages/acme/client.py", line 544, in _check_response
    raise messages.Error.from_json(jobj)
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted

p.s. after restarting the browser, I got the “This connection is untrusted” window when trying to load the Plesk admin interface. Interesting.
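The JWS body that the client logged for its POST to /acme/new-authz, decoded. This is an added example for the thread, not code from the letsencrypt or acme packages. The Replay-Nonce and the "protected" member are copied from the 20:43:47 log entries above; the payload, the JWK modulus and the signature are constructed stand-ins (the real payload and signature from the log are not reproduced). It shows the nonce round trip of ACME v1 (the HEAD request answers 405 with "Allow: POST" but still carries a fresh Replay-Nonce, and the server only accepts a POST whose protected header echoes a nonce it issued) and one check worth running before pasting such a log anywhere: "protected" and "payload" are base64url, so a search/replace of the domain name over the log text never reaches inside them.

```python
"""Decode the JWS body that the letsencrypt client logged for its
POST /acme/new-authz, and check it against the preceding response.

Added example, not code from the thread or from the letsencrypt/acme
project. REPLAY_NONCE and LOGGED_PROTECTED are copied from the 20:43:47
log entries; the payload, JWK modulus and signature are constructed.
"""
import base64
import json


def b64url_decode(s):
    """base64url without padding, as JWS uses it (RFC 7515, section 2)."""
    if isinstance(s, str):
        s = s.encode("ascii")
    return base64.urlsafe_b64decode(s + b"=" * (-len(s) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# From the log: HEAD /acme/new-authz answered 405 (Allow: POST) but still
# carried a fresh Replay-Nonce; that is how the v1 client fetched a nonce.
REPLAY_NONCE = "PYXUp6uSFaOimQrY5vwhmPPhSZ62pNTIOq-6UxgsOtk"

# From the log: the "protected" member of the POST body. ACME v1 put only
# the nonce here; alg and the account JWK went in the unprotected header.
LOGGED_PROTECTED = ("eyJub25jZSI6ICJQWVhVcDZ1U0ZhT2ltUXJZNXZ3aG1QUGhTWjYy"
                    "cE5USU9xLTZVeGdzT3RrIn0")

# Constructed: a payload for the domain the poster says they asked for.
CONSTRUCTED_PAYLOAD = b64url_encode(json.dumps(
    {"identifier": {"type": "dns", "value": "mydomain.com"},
     "resource": "new-authz"}).encode())

# Constructed body in the shape the log shows; modulus and signature elided.
SAMPLE_BODY = json.dumps({
    "header": {"alg": "RS256",
               "jwk": {"e": "AQAB", "kty": "RSA", "n": "ELIDED"}},
    "protected": LOGGED_PROTECTED,
    "payload": CONSTRUCTED_PAYLOAD,
    "signature": "ELIDED",
})


def decode_acme_v1_jws(body_json):
    """Pull the human-readable parts out of a logged ACME v1 JWS body."""
    body = json.loads(body_json)
    protected = json.loads(b64url_decode(body["protected"]))
    payload = json.loads(b64url_decode(body["payload"]))
    return {
        "alg": body["header"]["alg"],
        "nonce": protected["nonce"],
        # The client stores the nonce decoded; these are the bytes it logs
        # as "Storing nonce: '=\x85\xd4..." a few lines earlier.
        "nonce_raw": b64url_decode(protected["nonce"]),
        "resource": payload.get("resource"),
        "identifier": payload.get("identifier"),
        # What the RS256 signature actually covers (RFC 7515, section 5.1):
        # the unprotected "header" member is not signed.
        "signing_input": body["protected"] + "." + body["payload"],
    }


def nonce_matches(decoded, replay_nonce):
    """The server rejects a POST whose protected nonce is not one it issued."""
    return decoded["nonce"] == replay_nonce


def redaction_leaks(body_json, secret):
    """Fields whose *decoded* content still contains `secret`.

    A search/replace over the log text never reaches inside base64url
    members, so run this before pasting such a log anywhere public."""
    body = json.loads(body_json)
    needle = secret.encode()
    return [f for f in ("protected", "payload")
            if needle in b64url_decode(body[f])]


if __name__ == "__main__":
    d = decode_acme_v1_jws(SAMPLE_BODY)
    print("nonce ok:", nonce_matches(d, REPLAY_NONCE))
    print("identifier:", d["identifier"])
    print("'mydomain.com' still present in:",
          redaction_leaks(SAMPLE_BODY, "mydomain.com"))
```

Verifying the signature itself would additionally need the account's public key (the "n" and "e" from the log) and the exact original payload, and is left out here; the point of the exchange above is that the server checked the identifier in the payload against its beta whitelist and answered 403 before any challenge was issued.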


#4

Well, the error says you are not whitelisted. Did you register properly for the beta and get a whitelisting response?


#5

I’m assuming you used the correct domain, and have just done a search / replace in everything you have posted here to show “mydomain.com” ?


#6

Yep, that's what I did.


#7

Hmmm… do I even have to wait for the whitelisting? I read that certificates should be generally available by now.


#8

Before 3 December, you should request whitelisting here: https://docs.google.com/a/letsencrypt.org/forms/d/15Ucm4A20y2rf9gySCTXD6yoLG6Tba7AwYgglV7CKHmM


#9

Very cool - I’ve received my whitelisting email, thanks!

Can anyone give me a few hints on how to get this to work on my Plesk-administrated CentOS7 server?
My hosting directories are located in /var/www/vhosts/[domain]/httpdocs, and I've got a combined certificate for 3 domains, each with and without "www." (=6), although my servers are configured to only use "www.", so I guess installing them for only the "www." versions would be enough.

  1. I take it that I shouldn't use the 'webroot' command but the certonly command in order to generate the certificates?
  2. Can anyone tell me how to activate the certificates on Plesk (or bypass it, that's fine with me ;)) in order to be able to use SSL for those domains?
     The vhost definitions are in /etc/httpd/conf/plesk.conf.d/vhosts/[domain].conf containing sections like

      SSLEngine on
      SSLVerifyClient none
      SSLCertificateFile /usr/local/psa/var/certificates/certyQzwwx7

…would it suffice to adjust the name of the certificate there?


#10
  1. If you are running the tool on the server and know the document root (the httpdocs directory, usually), then webroot should work okay.

  2. It’s been a bit since I used Plesk, but you should be able to go into the customer or website details and add a new certificate. You can paste the contents of the key, certificate, and chain files in the interface. Once done, apply the certificate to the IP the website is on and it should be put in place. Plesk gets really cranky if you change its generated configuration files, so I wouldn’t start making edits there.
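One way to get from the files the client writes to the three fields a Plesk-style "add certificate" form asks for (key, certificate, chain), as an added example that is not Plesk's or letsencrypt's own code. It assumes the client's usual layout under /etc/letsencrypt/live/<domain>/ with privkey.pem, cert.pem, chain.pem and fullchain.pem (leaf followed by intermediates); all of these are PEM armor whatever the extension, which is why the earlier search for .crt files found only .pem ones. The PEM bodies in the sample are constructed stand-ins, not real keys or certificates.

```python
"""Split letsencrypt's PEM output into the pieces a Plesk-style "add
certificate" form wants: private key, leaf certificate, CA chain.

Added example, not code from the thread or from Plesk/letsencrypt. It
assumes the layout /etc/letsencrypt/live/<domain>/ with privkey.pem (key),
cert.pem (leaf), chain.pem (intermediates) and fullchain.pem (leaf followed
by intermediates). The bodies below are constructed, not real DER.
"""
import os
import re
import stat

# One PEM block: label, base64 body, matching END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, armored_block)] in file order, ignoring surrounding noise."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]


def split_for_plesk(privkey_pem, fullchain_pem):
    """Map privkey.pem + fullchain.pem onto the form fields: the first
    CERTIFICATE block in fullchain.pem is the leaf, the rest are the chain."""
    keys = [blk for label, blk in pem_blocks(privkey_pem)
            if label.endswith("PRIVATE KEY")]
    certs = [blk for label, blk in pem_blocks(fullchain_pem)
             if label == "CERTIFICATE"]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key block, found %d"
                         % len(keys))
    if not certs:
        raise ValueError("no CERTIFICATE block in fullchain")
    return {
        "key": keys[0],
        "certificate": certs[0],
        "chain": "\n".join(certs[1:]),   # empty if the leaf came alone
    }


def key_file_is_private(path):
    """True if the key file is not readable by group or others; a key that
    is about to be pasted into a panel should at least start out that way."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


# Constructed sample input (armor only; the bodies are not real keys/certs).
SAMPLE_PRIVKEY = ("-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
                  "-----END PRIVATE KEY-----\n")
SAMPLE_FULLCHAIN = (
    "-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n"
    "-----BEGIN CERTIFICATE-----\nSU5URVJNRURJQVRF\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    parts = split_for_plesk(SAMPLE_PRIVKEY, SAMPLE_FULLCHAIN)
    for field in ("key", "certificate", "chain"):
        print("== %s ==\n%s" % (field, parts[field] or "(empty)"))
```

On a real server the two inputs are the contents of privkey.pem and fullchain.pem from the live/ directory; the three resulting strings go into the panel's key, certificate and CA certificate fields, which avoids touching the generated vhost configuration at all.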


#11

Thanks. Meanwhile I succeeded in https'ing my site; I found the most helpful thread here, if anyone is looking for instructions: A tutorial to start with CentOS 6.5?