Hi
To make this clear for me.
This means the letsencrypt/certbots apache module is now dead?
I can't use --apache in the future?
Or is there a way that I can use the apache module with HTTP-01 challenges?
The standalone and the webroot modules both have downsides (the server needs to be stopped, or a customer's .htaccess can break the webroot way).
There is surely a way around this, but the apache module solves many problems for me in a good way.
Hi, I am a little confused here... can anyone please suggest the correct solution for this?
I have following cron being executed on weekly basis:
sudo /opt/letsencrypt/certbot-auto renew --renew-hook "service apache2 reload" >> /var/log/certbot-renew.log && sudo service postfix restart && sudo service dovecot restart
But now it started returning me this error:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator apache, Installer apache
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Attempting to renew cert (somedomain.cz) from /etc/letsencrypt/renewal/somedomain.cz.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA... Skipping.
Additional error displayed is:
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/somedomain.cz/fullchain.pem (failure)
Should I update my cron command somehow, or is it necessary to run some command for each domain on the server separately to resolve this issue?
Thank you very much for any help.
Well... If you wait until the next Certbot release, this might be managed easily, or at least with less effort.
Otherwise, the primary way to change renewal options is, yes, to run the command you used to create each certificate, modified with the new options.
You can try to edit Certbot's configuration files, but they're undocumented and you have to be careful.
Thank you for reply, I have additional question related to:
"...modified with the new options."
"You can try to edit Certbot's configuration file..."
Does any guide exist for this, on how it should be modified or what additional options should be added to my cron call?
The first post in this thread has examples of what Certbot commands to use.
For example, if you used "certbot --apache -d example.com -d www.example.com" before, you might use "certbot --authenticator webroot --installer apache --webroot-path /var/www/example.com/public_html -d example.com -d www.example.com", if that's how your web server is configured.
We can't say anything precise without knowing more about how the web server is configured and what commands were used before.
There isn't a guide for editing the files, no. I don't recommend it, especially in a thread with thousands of views.
Just to say that this worked for me for apache (centos 7 variety):
certbot --authenticator standalone --installer apache -d yourdomain.com -d www.yourdomain.com -d your.domain.com --pre-hook "systemctl stop httpd" --post-hook "systemctl start httpd"
The example above shows a regular domain, a domain with the www, and a sub-domain in the command.
Please replace yourdomain.com with the domain you plan on using.
Thank you community.
Regards,
tech
Hi There,
I am in the process of setting up the Let's Encrypt docker for unraid to be able to access my other dockers remotely.
I am relatively new to setting up the docker and unraid and am learning as I go along.
The question I have is: where do I run these commands? Do I need to add them to a config file somewhere, and if so, which file is it and where would I find it?
Thanks in advance.
For this, update your docker, and there should be a variable called HTTPVAL under advanced, set to false (if it isn't there, create it... Add path, port or variable). Set this variable to true and restart the docker.
This should set the linuxserver.io letsencrypt docker to use http-01 instead of TLS-SNI-01.
Good Luck!
Awesome thanks, very helpful.
Here's what I did for an apache vhost in case someone wonders:
sudo certbot --authenticator webroot --webroot-path /var/www/example.com/public_html --installer apache -d example.com
Thank you very much for your help! Doing the above got rid of the error.
However, I am now getting the following errors:
certbot: error: argument --cert-path: No such file or directory
It then tries to generate a new certificate but gets the following warning:
Failed authorization procedure. .duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://.duckdns.org/.well-known/acme-challenge/3_oQRrYeXN7Wuuz280qP2hErIiQoCgKlo2FSE2Kagmg: Timeout
And is then followed by this error:
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
Any further suggestions on how to resolve this?
I am using a different local port than port 80.
I have already setup port forwarding on my router.
Any help would be much appreciated.
Hi all, as far as I've read the description of the issue, this doesn't seem to be an issue with Google Compute Engine, which we're using, but the TLS-SNI authentication isn't working for them, despite being re-enabled for "major providers". Can someone please advise why this isn't working in GCE and when it could be re-enabled? Thanks so much!
Cleaning up challenges
Unable to clean up challenge directory /home/user/www/mysite/public_html/.well-known/acme-challenge
Failed authorization procedure. mysite (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite/.well-known/acme-challenge/nx9F4NDuyyeD1DnB9dAdJpRx5KBTQWcbrnA-pNGKJt0: "
"<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<meta name="viewport" conte"
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: therevisionist.org.uk
Type: unauthorized
Detail: Invalid response from
http://mysite/.well-known/acme-challenge/nx9F4NDuyyeD1DnB9dAdJpRx5KBTQWcbrnA-pNGKJt0:
"<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"
/>
<meta name="viewport" conte"
The domain in question is currently displaying content from another domain on the server; all permissions seem to be okay?
I'm sorry for this newbie question...
I have about 10 domains and I've simply used the command
certbot --apache
to generate the certificates...
i have also a cron job :
certbot renew
Now I have to migrate from TLS-SNI validation to HTTP-01 (or DNS-01)...
Do I have to cancel the existing certificates?
Or do I have to update certbot to the new version (when it becomes available)... and always run the same command (certbot --apache)?
thanks!
@dragonballz: what is the full certbot command you are using? Also, it's okay to use a different local port, but the external port you're forwarding to the local port must be port 80 in order for http-01 authentication to work.
@barta: Google Compute Engine is a VPS provider that provides unlimited root access to servers to its customers. Many of those customers are running control panel software that is subject to the vulnerability on their GCE instances. So unfortunately, Let's Encrypt cannot safely whitelist all of GCE.
@rbottoni: tls-sni-01 has been re-enabled for existing accounts and domains, so you shouldn't need to switch to http-01 unless you need to get a certificate for a new domain. You definitely want to update to newer Certbot versions as they become available to be able to continue to renew.
If you do switch to webroot authentication as described in the OP, that will get picked up automatically the next time your certbot renew cronjob runs. There is no need to revoke your old certificates.
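Added example (not part of the original thread, and not certbot's or the linuxserver.io image's code): a preflight self-check you can run on the server before the `certbot renew` cron fires, which reproduces the three HTTP-01 outcomes that appear above. It places a token file under the webroot's `.well-known/acme-challenge/`, then fetches it the way the CA would and classifies the result: a plain webroot that serves the file (success), a catch-all `.htaccess`-style rewrite that returns the site's HTML page instead of the token (the "Invalid response ... <!DOCTYPE html>" error), and a port with nothing behind it (what a missing port-80 forward looks like from outside, the "connection ... Timeout" error). The host, ports, token and key authorization string are constructed for the demo; a real key authorization is `token.<account key JWK thumbprint>` issued by the CA, not the placeholder used here.

```python
"""Preflight check for an HTTP-01 challenge path (added example, not certbot code)."""
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_challenge(webroot, token, key_authorization):
    """Write the key authorization where the CA will look for it."""
    directory = os.path.join(webroot, *CHALLENGE_DIR.split("/"))
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="utf-8") as f:
        f.write(key_authorization)
    return path


def fetch(url, timeout=5):
    """GET url, ignoring any proxy settings; return (status, body) or (None, error)."""
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as e:
        return None, str(e)


def check_http01(host, port, token, key_authorization):
    """Validate roughly as the CA does: HTTP 200 and a body equal to the key authorization."""
    status, body = fetch(f"http://{host}:{port}/{CHALLENGE_DIR}/{token}")
    if status is None:
        return False, f"connection failed: {body}"      # missing port forward / nothing listening
    if status != 200:
        return False, f"HTTP {status}"
    if body.strip() != key_authorization:
        return False, f"unexpected body: {body[:40]!r}"  # rewrite rule or wrong vhost answered
    return True, "ok"


class QuietFileHandler(http.server.SimpleHTTPRequestHandler):
    """Serves files from the webroot, like a vhost whose DocumentRoot is the webroot."""
    def log_message(self, *args):
        pass


class RewriteAllHandler(QuietFileHandler):
    """Simulates a front-controller .htaccess rule that rewrites every path to the app."""
    def do_GET(self):
        body = b'<!DOCTYPE html>\n<html>\n<head>\n<meta charset="utf-8" />\n</head></html>\n'
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


def serve(webroot, handler_cls):
    """Start a throwaway server on an ephemeral loopback port; return (server, port)."""
    def factory(*args, **kwargs):
        return handler_cls(*args, directory=webroot, **kwargs)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), factory)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_checks():
    """Run the three scenarios; returns {name: (ok, detail)}."""
    token = "nx9F4NDuyyeD1DnB9dAdJpRx5KBTQWcbrnA-pNGKJt0"          # constructed token
    key_authorization = token + ".CONSTRUCTED_ACCOUNT_KEY_THUMBPRINT"  # placeholder, see lead-in
    results = {}
    with tempfile.TemporaryDirectory() as webroot:
        place_challenge(webroot, token, key_authorization)
        for name, handler in (("plain_webroot", QuietFileHandler),
                              ("catch_all_rewrite", RewriteAllHandler)):
            server, port = serve(webroot, handler)
            results[name] = check_http01("127.0.0.1", port, token, key_authorization)
            server.shutdown()
            server.server_close()
    # A loopback port with nothing behind it stands in for a missing port-80 forward.
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        free_port = s.getsockname()[1]
    results["nothing_listening"] = check_http01("127.0.0.1", free_port, token, key_authorization)
    return results


if __name__ == "__main__":
    for name, (ok, detail) in run_checks().items():
        print(f"{name:18} {'PASS' if ok else 'FAIL'}  {detail}")
```

In production you would point `check_http01` at your public hostname on port 80 from a machine outside your network (the CA validates from outside, so a check from the LAN can pass while the real challenge times out), and run it from the same cron before `certbot renew` so a customer's `.htaccess` change is caught as a failed preflight rather than a failed renewal.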