Pritunl : Error getting LetsEncrypt certificate

ItsMrB · January 8, 2021, 1:34pm

Hi,
Please can anyone point out what is going wrong with my new Pritunl setup as i am unable to obtain a LetsEncrypt cert. (I am completely new to setting up a VPN server so bare with me.)
im running Ubuntu Server 20.04 and I'm on my 4th / 5th attempt on getting it to work and trying fix'x i have see on forums and normal google search's.

The error i am getting on Pritunl page is : Error getting LetsEncrypt certificate check the logs for more information.

I can see theese entry's in the log file (/var/log/pritunl.log)

[autumn-skies-5353][2021-01-08 12:42:01,349][ERROR] Failed to get LetsEncrypt cert
Traceback (most recent call last):
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/handlers/settings.py", line 938, in settings_put
    acme.update_acme_cert()
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme.py", line 68, in update_acme_cert
    cert = get_acme_cert(settings.app.acme_key, csr)
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme.py", line 43, in get_acme_cert
    set_acme,
  File "/usr/lib/pritunl/lib/python2.7/site-packages/pritunl/acme_tiny.py", line 138, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for itsmrbstech.com: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'hostname': u'itsmrbstech.com', u'addressUsed': u'x.x.x.x.', u'port': u'80', u'addressesResolved': [u'x.x.x.x.']}, {u'url': u'http://www.itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'hostname': u'www.itsmrbstech.com', u'addressUsed': u'x.x.x.x.', u'port': u'80', u'addressesResolved': [u'x.x.x.x.']}, {u'url': u'https://www.itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'hostname': u'www.itsmrbstech.com', u'addressUsed': u'x.x.x.x.', u'port': u'443', u'addressesResolved': [u'x.x.x.x.']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/9917120903/YwGHAA', u'token': u'JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://www.itsmrbstech.com/.well-known/acme-challenge/JK9iZYDPCgAPaBK3dRQ8O0rXC3B86kQQdrNb5DAHiT0 [x.x.x.x.]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'itsmrbstech.com'}, u'expires': u'2021-01-15T12:41:56Z'}
  acme_domain = "itsmrbstech.com"

I have reviewed the firewall and port 80 and 443 is open so it can download a certificate as expected.

Has anyone got any idea on how to get around this?

rg305 · January 8, 2021, 1:40pm

Please show the output of:
apachectl -S

ItsMrB · January 8, 2021, 2:04pm

Hi,
Just ran the command and it appears apache2 is not installed. (i assuemed Pritunl uses apache for the web interface, Lesson learnt on assumption there)

I also can not see any evidence of nginx being installed as well. So i clueless on what Pritunl is using to run its web interface on,

i've had a quick look at the docs and i can see this in reference to the web-server.

" The web console server runs on port 443 by default. An additional web server runs on port 80 for LetsEncrypt verification and redirecting HTTP requests to HTTPS. The web console server port can be changed in the Settings inside the web console or by running the command pritunl set app.server_port 443 . To disable the web server on port 80 run the command pritunl set app.redirect_server false this will also prevent the use of LetsEncrypt certificates. The web server that runs during the initial setup for Pritunl also uses port 443 this can be changed by modifying /etc/pritunl.conf ."

Link : https://docs.pritunl.com/docs/configuration-5

in /etc/pritunl.conf is this.
{
"mongodb_uri": "mongodb://localhost:27017/pritunl",
"log_path": "/var/log/pritunl.log",
"static_cache": true,
"temp_path": "/tmp/pritunl_8889645d9ef048a6a8f1a864b984e3c0",
"bind_addr": "0.0.0.0",
"www_path": "/usr/share/pritunl/www",
"local_address_interface": "auto",
"port": 443
}

As per the port reference on that config file i did have to allow Firefox to go ahead continue past the security warning.

From there i get the initial setup screen where it asks for the LetsEncrypt domain. To which is where i get the error message that is on my first post.

rg305 · January 8, 2021, 2:27pm

And yet Apache answers on ports 80 and 443:

curl -Iki http://itsmrbstech.com/
HTTP/1.1 301 Moved Permanently
Date: Fri, 08 Jan 2021 14:25:52 GMT
Server: Apache/2.4.41 (Ubuntu)
Location: http://www.itsmrbstech.com/
Content-Type: text/html; charset=iso-8859-1

curl -Iki https://itsmrbstech.com/
HTTP/1.1 503 Service Unavailable
Date: Fri, 08 Jan 2021 14:27:07 GMT
Server: Apache/2.4.41 (Ubuntu)
Set-Cookie: 04c61cda7b52ce4ca3c500ca4a3ef940=c9kk5jd1b85aoil2d8q5k1r6g2; path=/; HttpOnly
Expires: Wed, 17 Aug 2005 00:00:00 GMT
Last-Modified: Fri, 08 Jan 2021 14:27:08 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=utf-8

rg305 · January 8, 2021, 2:28pm

Try:
find / -name apachectl
or
locate apachectl

ItsMrB · January 8, 2021, 3:37pm

Both returned nothing,

However i have just noticed in the log file that the vpn. subdomain is not being picked up.

I did a ping to that sub domain and it is showing the correct ip address, So its not a dns issue going on.

I'll try and redo the initial setup again and see if the sub domain will come back.

ItsMrB · January 8, 2021, 4:28pm

Now showing the correct domain, But sadly getting the same error.

rg305 · January 8, 2021, 4:33pm

Let's begin at the beginning.
And take nothing for granted.

Please show from your server the output is these:
curl -6 ifconfig.co
curl -4 ifconfig.co

Osiris · January 8, 2021, 5:52pm

Try httpd -S

ItsMrB · January 9, 2021, 12:56pm

Hi,

Ran these commands

curl -6 ifconfig.co - nothing
curl -4 ifconfig.co - Spat out my public ip.

httpd -S - Returned :
Command 'httpd' not found, did you mean:

command 'http' from snap http (2.3.0)
command 'xttpd' from deb xtide (2.13.2-1build2)
command 'http' from deb httpie (1.0.3-2)

See 'snap info ' for additional versions.

The installation guides i use is here : https://docs.pritunl.com/docs/installation and followed the start of the config page.

I didn't see what web service was installled when i ran through the steps. (I assumed it was apache)

I may be able to spin up a VM and do a test run and see what gets installed if it is needed.

rg305 · January 9, 2021, 8:30pm

did that number match this number?:

Name:    itsmrbstech.com
Address: 206.189.16.183

ItsMrB · January 11, 2021, 11:47am

That IP address is pointing to my VPS where I have got a website in progress of being created.

The Pritunl server is on my LAN and the the DNS record get updated by my router. (Now i have got vpn.itsmrbstech.com working on the Pritunl server.)

The IP address on the DNS record gets updated by my router and works a dream. (There is another sub domain that get updated as expected.)

rg305 · January 11, 2021, 2:36pm

This is prone to failure:

Name:      vpn.itsmrbstech.com
Addresses: 87.115.206.170
           209.93.100.89

[Unless both IPs are being handled by the same device]

ItsMrB · January 11, 2021, 2:44pm

The 209.92.1.89 is the current IP. that my ISP is providing me with. (Dynamic IP). I wonder if the 87.115.206.170 IP what the that my ISP last gave me.

The router keeps the DNS addresses up to date with the correct ip. The DNS is handed by the same company that have my cloud VPS's.

ItsMrB · January 15, 2021, 12:51pm

Will i need port 443 or 80 forwarded in any way to allow lets encrypt to grab its certificate?
The only things i have forwarded is the port needed for the VPN server.

I am completely lost for ideas now,

rg305 · January 15, 2021, 12:59pm

If port 80 is open, you can run certbot in --standalone mode to obtain a cert with all names that resolve to that IP.
OR
Individual certs - one at a time.

ItsMrB · January 25, 2021, 5:04pm

Just had a look and it appears the Certbot is also not installed.
So i am completely out of idea on how it is running its web interface and how it obtaines a SSlLcertificate.

When i get a spre few mins i will install Pritunl in a test VM and see exectly what it installs.

ItsMrB · February 15, 2021, 7:02pm

Ok,
I have done some testing in a VM and i am getting exactly the same issue. Which is rather interesting.
After looking at the output from the installation, I cannot see any reference to apache or certbot. (or nginx for that matter)

Here is the output

Is there anything else i can review that might help get some insight on getting this to work?

rg305 · February 15, 2021, 7:58pm

There must be another step; from that list the closest thing is "easy-rsa" - but that won't get certs from another CA, it can be used as a CA.

ItsMrB · March 6, 2021, 5:34pm

The output is when i install Pritunl & MongoDB.
So the commmand was : sudo apt-get install pritunl mongodb