Rate limiting and free DNS services


#1

So I tried before with the test CA and successfully obtained a (non-trusted) certificate, but did not attempt to install it. Now I got my beta invite so I figure I know I can get a real cert if I want (or so I thought - see below), but I might as well make the most of it by testing the Apache installer. Also, my “server” (a raspberry pi) already has a self-signed cert, and I was curious how the client would handle that. Here’s how it went.

First I ran:

./letsencrypt-auto --server https://acme-v01.api.letsencrypt.org/directory

and got the following error:

No installers seem to be present and working on your system; fix that or try running letsencrypt with the "certonly" command

Searched the forum and found this is the expected error if you try to run the client against nginx or something else. But I’m using Apache on Debian (or more precisely Raspbian) so that can’t be it. Digging deeper, I tried specifying the --apache option explicitly (and forgoing letsencrypt-auto from here on because it’s a raspberry pi and I have better things to do with my time than wait for pip over and over while testing):

sudo ~/.local/share/letsencrypt/bin/letsencrypt --server https://acme-v01.api.letsencrypt.org/directory --apache

which gives me a more helpful error message:

The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-enabled/default-ssl.conf', u'Syntax error'),)

I’d seen this one before while playing with the test CA: my config syntax is fine, but there’s something in it that the parser doesn’t understand. A line number would have been useful. Anyway, by trial and error I found that the following lines were the culprits, and commented them out:

RewriteRule ^\.well-known/carddav /owncloud/remote.php/carddav/ [L,R=301]
RewriteRule ^\.well-known/caldav /owncloud/remote.php/caldav/ [L,R=301]

Next attempt got as far as trying to request a certificate and failing due to rate limiting. I have a free domain at a dynamic DNS service and the rate limit appears to apply to the parent domain, so I guess there’s nothing I can do about that for now?

Never did find out if the Apache installer works.


#2

Yeah, I’m sorry to say that there’s nothing you can do about it right at this time. We’ve got some more things we need to do before we open up the limits further. It’s a good reminder that the tld+1 certificate limit hurts dynamic DNS services extra bad. I’ll forward this on to some of the team, too.


#3

I had that problem as well. The solution is to put the appropriate quotes in those lines.

Try changing your lines to:
RewriteRule “^.well-known/carddav” “/owncloud/remote.php/carddav/” [L,R=301]
RewriteRule “^.well-known/caldav” “/owncloud/remote.php/caldav/” [L,R=301]


Apache plugin not working
#4

Thanks, I’ll try that next time round.


#5

Tried it again with a new dynamic DNS name, this time from a service that’s on the public suffix list. Everything went fine, apart from another configuration syntax error (an unclosed <IfModule>, no idea how Apache itself didn’t choke on it) - thanks @Svavar_Kjarrval for the advice about the RewriteRule lines - and I now have a valid certificate. The installer correctly replaced the existing SSLCertificateFile and SSLCertificateKeyFile for my old self-signed cert with the newly generated ones, and added the SSLCertificateChainFile further down. It offered to add a redirect but failed due to a conflict with an existing RewriteRule (as I was already redirecting to HTTPS, I guess).

Really the only major problem was, as has been mentioned by others, the lack of clarity in the error messages when something goes wrong. It wasn’t initially clear that the apache plugin had failed at all, then later (in both cases) it wasn’t clear why it had failed.