Pritunl : Error getting LetsEncrypt certificate

Hi,
Please can anyone point out what is going wrong with my new Pritunl setup as i am unable to obtain a LetsEncrypt cert. (I am completely new to setting up a VPN server so bare with me.)
im running Ubuntu Server 20.04 and I'm on my 4th / 5th attempt on getting it to work and trying fix'x i have see on forums and normal google search's.

The error i am getting on Pritunl page is : Error getting LetsEncrypt certificate check the logs for more information.

I can see theese entry's in the log file (/var/log/pritunl.log)

[autumn-skies-5353][2021-01-08 12:42:01,349][ERROR] Failed to get LetsEncrypt cert
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/handlers/settings.py", line 938, in settings_put
    acme.update_acme_cert()
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme.py", line 68, in update_acme_cert
    cert = get_acme_cert(settings.app.acme_key, csr)
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme.py", line 43, in get_acme_cert
    set_acme,
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme_tiny.py", line 138, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for itsmrbstech.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'hostname': u'itsmrbstech.com', u'addressUsed': u'x.x.x.x.', u'port': u'80', u'addressesResolved': [u'x.x.x.x.']}, {u'url': u'http://www.itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'hostname': u'www.itsmrbstech.com', u'addressUsed': u'x.x.x.x.', u'port': u'80', u'addressesResolved': [u'x.x.x.x.']}, {u'url': u'https://www.itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'hostname': u'www.itsmrbstech.com', u'addressUsed': u'x.x.x.x.', u'port': u'443', u'addressesResolved': [u'x.x.x.x.']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/9917120903/YwGHAA', u'token': u'JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://www.itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0 [x.x.x.x.]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'itsmrbstech.com'}, u'expires': u'2021-01-15T12:41:56Z'}
  acme_domain = "itsmrbstech.com"

I have reviewed the firewall and port 80 and 443 is open so it can download a certificate as expected.

Has anyone got any idea on how to get around this?

Please show the output of:
apachectl -S

Hi,
Just ran the command and it appears apache2 is not installed. (i assuemed Pritunl uses apache for the web interface, Lesson learnt on assumption there)

I also can not see any evidence of nginx being installed as well. So i clueless on what Pritunl is using to run its web interface on,

i've had a quick look at the docs and i can see this in reference to the web-server.

" The web console server runs on port 443 by default. An additional web server runs on port 80 for LetsEncrypt verification and redirecting HTTP requests to HTTPS. The web console server port can be changed in the Settings inside the web console or by running the command pritunl set app.server_port 443 . To disable the web server on port 80 run the command pritunl set app.redirect_server false this will also prevent the use of LetsEncrypt certificates. The web server that runs during the initial setup for Pritunl also uses port 443 this can be changed by modifying /etc/pritunl.conf ."

Link : https://docs.pritunl.com/docs/configuration-5

in /etc/pritunl.conf is this.
{
"mongodb_uri": "mongodb://localhost:27017/pritunl",
"log_path": "/var/log/pritunl.log",
"static_cache": true,
"temp_path": "/tmp/pritunl_8889645d9ef048a6a8f1a864b984e3c0",
"bind_addr": "0.0.0.0",
"www_path": "/usr/share/pritunl/www",
"local_address_interface": "auto",
"port": 443
}

As per the port reference on that config file i did have to allow Firefox to go ahead continue past the security warning.

From there i get the initial setup screen where it asks for the LetsEncrypt domain. To which is where i get the error message that is on my first post.

And yet Apache answers on ports 80 and 443:

curl -Iki http://itsmrbstech.com/
HTTP/1.1 301 Moved Permanently
Date: Fri, 08 Jan 2021 14:25:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://www.itsmrbstech.com/
Content-Type: text/html; charset=iso-8859-1

curl -Iki https://itsmrbstech.com/
HTTP/1.1 503 Service Unavailable
Date: Fri, 08 Jan 2021 14:27:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: 04c61cda7b52ce4ca3c500ca4a3ef940=c9kk5jd1b85aoil2d8q5k1r6g2; path=/; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Fri, 08 Jan 2021 14:27:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

Try:
find / -name apachectl
or
locate apachectl

Both returned nothing,

However i have just noticed in the log file that the vpn. subdomain is not being picked up.

I did a ping to that sub domain and it is showing the correct ip address, So its not a dns issue going on.

I'll try and redo the initial setup again and see if the sub domain will come back.

Now showing the correct domain, But sadly getting the same error.

Let's begin at the beginning.
And take nothing for granted.

Please show from your server the output is these:
curl -6 ifconfig.co
curl -4 ifconfig.co

Try httpd -S 

1 Like

Hi,

Ran these commands

curl -6 ifconfig.co - nothing
curl -4 ifconfig.co - Spat out my public ip.

httpd -S - Returned :
Command 'httpd' not found, did you mean:

command 'http' from snap http (2.3.0)
command 'xttpd' from deb xtide (2.13.2-1build2)
command 'http' from deb httpie (1.0.3-2)

See 'snap info ' for additional versions.

The installation guides i use is here : https://docs.pritunl.com/docs/installation and followed the start of the config page.

I didn't see what web service was installled when i ran through the steps. (I assumed it was apache)

I may be able to spin up a VM and do a test run and see what gets installed if it is needed.

did that number match this number?:

Name:    itsmrbstech.com
Address: 206.189.16.183

That IP address is pointing to my VPS where I have got a website in progress of being created.

The Pritunl server is on my LAN and the the DNS record get updated by my router. (Now i have got vpn.itsmrbstech.com working on the Pritunl server.)

The IP address on the DNS record gets updated by my router and works a dream. (There is another sub domain that get updated as expected.)

This is prone to failure:

Name:      vpn.itsmrbstech.com
Addresses: 87.115.206.170
           209.93.100.89

[Unless both IPs are being handled by the same device]

The 209.92.1.89 is the current IP. that my ISP is providing me with. (Dynamic IP). I wonder if the 87.115.206.170 IP what the that my ISP last gave me.

The router keeps the DNS addresses up to date with the correct ip. The DNS is handed by the same company that have my cloud VPS's.

Will i need port 443 or 80 forwarded in any way to allow lets encrypt to grab its certificate?
The only things i have forwarded is the port needed for the VPN server.

I am completely lost for ideas now, :frowning:

If port 80 is open, you can run certbot in --standalone mode to obtain a cert with all names that resolve to that IP.
OR
Individual certs - one at a time.