No access from outside

#1

Hello everyone,
I am French and I will try to explain my problem.
I put a certificate on my Raspberry that hosts Jeedom.
Wanting to renew it, I got my certificate blocked (5 requests in 1 week).
Since then, I no longer have access to my system from outside via the https address.
Can you help me?
As I do not know what I can provide you as a log, do not hesitate to ask me.
Thanks for your help.

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: momotte.synology.me

I ran this command:

It produced this output:

My web server is (include version):

The operating system my web server runs on is (include version):

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): Yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel):

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): 0.28.0

No more access from outside
#2

Hi @OUARZA

There are some curious things, but your site works.

You have a non-www and a www version ( https://check-your-website.server-daten.de/?q=momotte.synology.me ):

Host                     T     IP-Address   is auth.  ∑ Queries  ∑ Timeout
momotte.synology.me      A     2.3.93.68    yes       1          0
                         AAAA               yes
www.momotte.synology.me  A     2.3.93.68    yes       1          0
                         AAAA               yes

Checking your http + https that works:

Domainname                               IP         Http-Status  redirect                               Sec.    G
http://momotte.synology.me/              2.3.93.68  302          https://momotte.synology.me:5001/      2.727   A
http://www.momotte.synology.me/          2.3.93.68  302          https://www.momotte.synology.me:5001/  0.933   A
https://momotte.synology.me/             2.3.93.68  -14                                                 10.023  T
    Timeout - The operation has timed out
https://www.momotte.synology.me/         2.3.93.68  -14                                                 10.027  T
    Timeout - The operation has timed out
https://momotte.synology.me:5001/                   200                                                 2.183   I
https://www.momotte.synology.me:5001/               200                                                 2.584   N
    Certificate error: RemoteCertificateNameMismatch

Your standard https doesn’t work, there is a timeout.

But your http redirects to https + port 5001. And the non-www version has a new certificate:

CN=momotte.synology.me
    not before: 13.05.2019
    not after:  11.08.2019
    expires in 88 days    momotte.synology.me - 1 entry

So use

https://momotte.synology.me:5001/

#3

Hello,
Thank you for your reply.
You are testing the certificate that is on my Synology NAS.
I have the problem on my Raspberry hosting Jeedom, which is on another port.

#4

Yep, there are 5 identical certificates:

CertSpotter-Id  not before           not after            Domain names                   LE-Duplicate     next LE
910017591       2019-05-13 19:47:40  2019-08-11 19:47:40  momotte.synology.me (1 entry)  duplicate nr. 5  next Letsencrypt certificate: 2019-05-20 19:31:08
910005178       2019-05-13 19:40:21  2019-08-11 19:40:21  momotte.synology.me (1 entry)  duplicate nr. 4
910002719       2019-05-13 19:38:31  2019-08-11 19:38:31  momotte.synology.me (1 entry)  duplicate nr. 3
909997814       2019-05-13 19:34:31  2019-08-11 19:34:31  momotte.synology.me (1 entry)  duplicate nr. 2
909993290       2019-05-13 19:31:08  2019-08-11 19:31:08  momotte.synology.me (1 entry)  duplicate nr. 1

Issuer for all five: CN=Let’s Encrypt Authority X3, O=Let’s Encrypt, C=US

Why don’t you use one of these?

What’s the port?
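
The "duplicate nr." column and the "next Letsencrypt certificate" date above follow from the limit discussed in this thread (5 identical certificates per rolling 7 days). The following Python is an added illustration, not part of the thread or of any Let's Encrypt tool: it models that rolling window over the five notBefore timestamps listed above and computes when the next duplicate would be accepted.

```python
from datetime import datetime, timedelta

# Duplicate-certificate limit as described in the thread:
# at most 5 certificates with the same set of names per rolling 7-day window.
DUPLICATE_LIMIT = 5
WINDOW = timedelta(days=7)
FMT = "%Y-%m-%d %H:%M:%S"

# notBefore timestamps of the five identical certificates from the table above.
ISSUED = [datetime.strptime(t, FMT) for t in (
    "2019-05-13 19:31:08", "2019-05-13 19:34:31", "2019-05-13 19:38:31",
    "2019-05-13 19:40:21", "2019-05-13 19:47:40")]

def in_window(issued, now):
    """Issuances that still count against the limit at time `now`, oldest first."""
    return sorted(t for t in issued if now - WINDOW < t <= now)

def can_issue(issued, now):
    return len(in_window(issued, now)) < DUPLICATE_LIMIT

def next_allowed(issued, now):
    """Earliest time a further duplicate is accepted: `now` if the limit is not
    reached, otherwise when the oldest of the counted issuances ages out."""
    recent = in_window(issued, now)
    if len(recent) < DUPLICATE_LIMIT:
        return now
    return recent[-DUPLICATE_LIMIT] + WINDOW

def status(now_str):
    """Convenience wrapper: (allowed now?, next allowed time as a string)."""
    now = datetime.strptime(now_str, FMT)
    return can_issue(ISSUED, now), next_allowed(ISSUED, now).strftime(FMT)

if __name__ == "__main__":
    print(status("2019-05-16 17:29:38"))   # (False, '2019-05-20 19:31:08')
```

The result for 2019-05-16 matches the "next Letsencrypt certificate" date in the table: the window only frees up once the first of the five (19:31:08 on 13 May) is seven days old.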

#5

How do I use the same one on 2 devices?
Can I communicate the port number without risk of being hacked?

#6

You have two options:

  • create one certificate and copy it, it’s your internal network (or)
  • create one certificate per device and use it. Two devices - that’s not a problem.

But you have created 5 certificates and you don’t use it.

#7

Yes, I am stuck. I exceeded the quota.
When will I be able to create another one?
Can you give me the method to use the same one on my Raspberry?

#8

It doesn’t help if you create the next and don’t know how to install it. You have to fix the installation problem.

#9

When I try to renew it or create a new one, it tells me that I have reached the limit.
Do you want the exact command?

#10

Please answer all the questions of the template.

#11

Your screenshot in your French topic says:

SSL_ERROR_RX_RECORD_TOO_LONG

That’s an http port, not an https port.

As written: There is no certificate creation problem. There is a certificate installation problem. But to fix that you have to share your current configuration.

Or check the documentation of

Raspberry with Jeedom.

I have no idea how Jeedom works.

#12

@OUARZA To sum up:

  • The quota of 5 certificates is over a rolling 7-day window; you just have to wait.
  • RX_RECORD_TOO_LONG is symptomatic of an http response instead of https, during a port redirection.
    Unfortunately I have no further experience with Jeedom. If you describe your configuration in more detail (preferably in English so that others can understand), maybe someone will have an idea.
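
As an added illustration (not from the thread or from any of the tools mentioned in it), the check below sends a minimal TLS ClientHello to a host and port and reports whether the answer is a TLS record or plaintext HTTP; the latter is exactly what a browser reports as SSL_ERROR_RX_RECORD_TOO_LONG when a port forward lands on the HTTP listener. fake_server is a constructed local stand-in so the probe can run offline.

```python
import socket
import threading

def client_hello() -> bytes:
    """Minimal TLS 1.2 ClientHello (constructed here: no SNI, one cipher suite)."""
    body = (b"\x03\x03" + bytes(32)      # client_version TLS 1.2, 32-byte random
            + b"\x00"                    # session_id length 0
            + b"\x00\x02\xc0\x2f"        # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
            + b"\x01\x00"                # one compression method: null
            + b"\x00\x00")               # no extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake

def classify_reply(data: bytes) -> str:
    """Decide what kind of service answered the ClientHello."""
    if not data:
        return "no-reply"
    if data[0] in (0x15, 0x16) and data[1:2] == b"\x03":
        return "tls"              # TLS record header: alert (0x15) or handshake (0x16)
    if data.startswith(b"HTTP/"):
        return "plaintext-http"   # an HTTP listener: browsers show RX_RECORD_TOO_LONG
    return "unknown"

def probe(host: str, port: int, timeout: float = 5.0) -> str:
    """Connect, send the ClientHello and classify the first bytes that come back."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(client_hello())
        try:
            data = s.recv(5)
        except socket.timeout:
            data = b""
    return classify_reply(data)

def fake_server(reply: bytes) -> int:
    """Constructed stand-in for the remote listener: answers one connection on
    127.0.0.1 with `reply` and returns the port, so the probe can run offline."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def serve():
        conn, _ = srv.accept()
        conn.recv(1024)
        conn.sendall(reply)
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Run probe() against your own public hostname and the forwarded port: "plaintext-http" means the forward reaches the HTTP listener rather than the HTTPS one, which is the condition the two posts above describe.
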
#13

Searched, there is a Jeedom forum.

https://www.jeedom.com/forum/index.php

Searching Letsencrypt, there are a lot of answers.

There

https://jeedom.github.io/core/en_US/administration

If you are in HTTPS the port is 443 (default) and in HTTP the port is 80 (default). To use HTTPS from the outside, a letsencrypt plugin is now available on the market.

is something about a letsencrypt plugin, but no link.

#14

Hello,
I will redo my port forwarding and post you all the information.
I will try to continue in English.
In the meantime, I posted a message on the Jeedom forum: https://www.jeedom.com/forum/viewtopic.php?p=730447&sid=a76d4c3d3049ce255cc9a22277fafc11#p730460

#15

There is your error:

ServerName XXXXX.synology.me
#SSLCertificateFile /etc/letsencrypt/live/XXXXX.synology.me/fullchain.pem
#SSLCertificateKeyFile /etc/letsencrypt/live/XXXXX.synology.me/privkey.pem

# is the start of a comment. Remove these.

#16

I had to comment this file out because I no longer even had local access.

#17

Copy the created certificate. Then add there the file path and file name. And remove the #.

You have a completely atypical configuration. So you have to do that manually or with an additional script.

#18

I just removed the #, now I no longer have access to the site locally.

pi@raspberrypi:~ $ cd /etc
pi@raspberrypi:/etc $ sudo chmod a+x ./certbot-auto
pi@raspberrypi:/etc $ ./certbot-auto --apache -d momotte.synology.me
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Error while running apache2ctl configtest.
Action 'configtest' failed.
The Apache error log may have more information.

AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty

The apache plugin is not working; there may be problems with your existing configuration.
The error was: MisconfigurationError("Error while running apache2ctl configtest.\nAction 'configtest' failed.\nThe Apache error log may have more information.\n\nAH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:\nSSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty\n",)

pi@raspberrypi:/etc $ apache2ctl configtest
AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
SSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.

pi@raspberrypi:/etc $ sudo nano /var/log/letsencrypt/letsencrypt.log

    2019-05-16 17:29:37,955:DEBUG:certbot.main:certbot version: 0.34.2
    2019-05-16 17:29:37,959:DEBUG:certbot.main:Arguments: ['--apache', '-d', 'momotte.synology.me']
    2019-05-16 17:29:37,959:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint$
    2019-05-16 17:29:38,042:DEBUG:certbot.log:Root logging level set at 20
    2019-05-16 17:29:38,047:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-05-16 17:29:38,053:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2019-05-16 17:29:38,332:ERROR:certbot.util:Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.


    AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
    SSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty

    2019-05-16 17:29:38,334:DEBUG:certbot.plugins.disco:Misconfigured PluginEntryPoint#apache: Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.

    AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
    SSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 131, in prepare
        self._initialized.prepare()
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py", line 246, in prepare
        self.config_test()
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_apache/configurator.py", line 2201, in config_test
        raise errors.MisconfigurationError(str(err))
    MisconfigurationError: Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.

    AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
    SSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty

    2019-05-16 17:29:38,346:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
    Description: Apache Web Server plugin
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.entrypoint:ENTRYPOINT
    Initialized: <certbot_apache.override_debian.DebianConfigurator object at 0x75a92770>
    Prep: Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.

    AH00526: Syntax error on line 9 of /etc/apache2/sites-enabled/000-default-le-ssl.conf:
    SSLCertificateFile: file '/etc/letsencrypt/live/momotte.synology.me/fullchain.pem' does not exist or is empty

    2019-05-16 17:29:38,353:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

pi@raspberrypi:/etc $ ./certbot-auto certificates
Requesting to rerun ./certbot-auto with root privileges...
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
No certs found.

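
The AH00526 error above (SSLCertificateFile "does not exist or is empty") and the earlier commented-out directives are the two ways this vhost can be broken. As an added illustration, not part of the thread, certbot or Apache, the Python below scans a vhost config for the certificate directives and reports each problem before the config is reloaded; SAMPLE_CONF is a constructed copy of the quoted configuration with XXXXX kept as the placeholder.

```python
import os
import re

# Directive lines as they appear in an Apache vhost, including ones disabled by '#'.
DIRECTIVE_RE = re.compile(r"^(#\s*)?(SSLCertificate(?:Key|Chain)?File)\s+(\S+)")
REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")

def file_present(path: str) -> bool:
    """Default check: the file exists and is not empty (what AH00526 complains about)."""
    return os.path.isfile(path) and os.path.getsize(path) > 0

def check_ssl_directives(conf_text: str, path_ok=file_present):
    """Return a list of (line_no, problem, detail); an empty list means the vhost
    has active certificate and key directives that point at usable files."""
    problems, active = [], set()
    for n, raw in enumerate(conf_text.splitlines(), 1):
        m = DIRECTIVE_RE.match(raw.strip())
        if not m:
            continue
        commented, name, path = m.groups()
        if commented:
            problems.append((n, "commented-out", f"{name} is disabled by a leading '#'"))
            continue
        active.add(name)
        if not path_ok(path):
            problems.append((n, "missing-or-empty", f"{name}: {path} does not exist or is empty"))
    for name in REQUIRED:
        if name not in active:
            problems.append((0, "absent", f"no active {name} directive in this vhost"))
    return problems

# Constructed sample mirroring the configuration quoted in the thread (XXXXX is a placeholder).
SAMPLE_CONF = """\
<VirtualHost *:443>
    ServerName XXXXX.synology.me
    #SSLCertificateFile /etc/letsencrypt/live/XXXXX.synology.me/fullchain.pem
    #SSLCertificateKeyFile /etc/letsencrypt/live/XXXXX.synology.me/privkey.pem
    SSLEngine on
</VirtualHost>
"""

if __name__ == "__main__":
    for line_no, problem, detail in check_ssl_directives(SAMPLE_CONF):
        print(f"line {line_no}: {problem}: {detail}")
```

Removing the '#' only fixes the first finding; the files named in the directives must then actually exist on the Raspberry, which is why a copy from the device where the certificate was issued is still needed.
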
#19

Hello,

I reinstalled my Linux and Jeedom distribution.
I do not have access to my system from the outside.
I ran the command:
pi@raspberrypi:/etc $ sudo ./certbot-auto --apache -d momotte.synology.me

Here is the answer:

=====================================================

Certbot has problem setting up the virtual environment.

We were not able to guess the right solution from your pip
output.

Consult https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
for possible solutions.
You may also find some support at https://certbot.eff.org/support/.

I ran the commands from https://certbot.eff.org/docs/install.html#problems-with-python-virtual-environment
user@webserver:~$ sudo fallocate -l 1G /tmp/swapfile
user@webserver:~$ sudo chmod 600 /tmp/swapfile
user@webserver:~$ sudo mkswap /tmp/swapfile
user@webserver:~$ sudo swapon /tmp/swapfile

but that gives the same error.

Can you help me?

#20

There are a lot of threads with that error message.

Please check