SSL & Apache : crontab with letsencrypt-auto

lijecreative · December 8, 2015, 9:23am

Hi,

I just set a certificate for one of my website on my server.
Everything is fine so I tried to set a crontab with letsencrypt-auto.
I created the file cli.ini and I called it with: @monthly letsencrypt-auto -c cli.ini && service apache2 reload

I got this error:
The following ‘urn:acme:error:connection’ errors were reported by the server:
Domains: xxx.org
Error: The server could not connect to the client for DV

The content of cli.ini is:
rsa-key-size = 4096
server = https://acme-staging.api.letsencrypt.org/directory
email = my.email@gmail.com
domains = xxx.org
authenticator = webroot
webroot-path = /var/www/

Can you tell me how to fix this?

Regards

lijecreative · December 8, 2015, 9:38am

Tried this instead:
./letsencrypt-auto -c /var/www/xxx.org/web/letsencrypt/cli.ini -d xxx.org -d www.xxx.org certonly

still getting:
Error: The server could not connect to the client for DV

sahsanu · December 8, 2015, 10:42am

Hello @lijecreative,

Several things, in your first post you said that you are executing this command from cron.

In that command you didn'y specify a SUBCOMMAND so it will try to use run by default (Obtain & install a cert in your current webserver), and don't know if that is what you want. Before put such command in cron you should have tested it and know that it could run unattended. Also, which is the user that runs that command?, if it is root should be no problem but if it is another user that user should be able to run sudo commands.

You said that you also tried this command:

Which seems almost ok (there is no need to specify twice the domains, in command line and config file) to me but can't run unnatended, you should use the following switchs to run unnatended renew-by-default, agree-tos and text. Also, you are using staging server that should be used for test, if you want to get real and valid certificates you should use https://acme-v01.api.letsencrypt.org/directory as server.

Here my example config file.

renew-by-default
agree-tos
rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = myuser@mydomain.tld
text
authenticator = webroot
webroot-path = /path/to/your/webroot
domains = mydomain.tld,www.mydomain.tld

And with that file you should run this command to use it with certonly:
./letsencrypt-auto certonly --config /path/to/your/cli.ini

Once you have checked that all is configured as expected try to run previous command and see what the errors are because seems that letsencrypt cannot get the challenge that should be on /var/www/.well-known/acme-challenge/${random_challenge_file}

If you still have problems, use debug and verbose parameters to get more info about the error (also check /var/log/letsencrypt.log):

./letsencrypt-auto certonly --config /path/to/your/cli.ini --debug -vvvvv

If you still have issues you could let us know what is your actual domain so we can test whether we reach it from our side.

Cheers,
sahsanu

lijecreative · December 8, 2015, 12:21pm

Hi,

Thanks for you help

root runs the command.

The cron is supposed to renew the certificates.

That's true, I forgot to mention that I updated the file for my 2nd try.

I updated the file to:

rsa-key-size = 4096
server = https://acme-v01.api.letsencrypt.org/directory
email = email@gmail.com
domains = www.xxx.org
authenticator = webroot
webroot-path = /var/www/
renew-by-default = true
agree-tos = true
text = true

and ran:

./letsencrypt-auto certonly --config /var/www/xxx.org/web/letsencrypt/cli.ini --debug -vvvvv

i'm getting this error:

IMPORTANT NOTES:

The following 'urn:acme:error:unauthorized' errors were reported by
the server:

Domains: www.xxx.org
Error: The client lacks sufficient authorization

and:

FailedChallenges: Failed authorization procedure. www.xxx.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.xxx.org/.well-known/acme-challenge/tkJAPvOvvg_nesgdiOMwzdIsIqUiHwOXqf_U4whoBpc [149.202.55.90]: 404

sahsanu · December 8, 2015, 12:35pm

@lijecreative, I’ve tried to get your challenge file:

curl -i https://www.saystoptospam.org/.well-known/acme-challenge/tkJAPvOvvg_nesgdiOMwzdIsIqUiHwOXqf_U4whoBpc

HTTP/1.1 301 Moved Permanently
Date: Tue, 08 Dec 2015 12:29:11 GMT
Server: Apache
X-Pingback: https://www.saystoptospam.org/xmlrpc.php
Expires: Wed, 11 Jan 1984 05:00:00 GMT
Cache-Control: no-cache, must-revalidate, max-age=0
Pragma: no-cache
Location: https://www.saystoptospam.org
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html; charset=UTF-8

But it is redirected to https://www.saystoptospam.org so Let’s Encrypt can’t retrieve it to validate your domain, you should fix your redirection or avoid redirect if the url contains ./well-known/acme-challenge/.

By the way, checking your domain I can see that you created today a certificate for your domain with www and without it so seems it worked a few hours ago…

I’m leaving now but if you search the community for redirect and alias you will find several examples for a few web servers.

Cheers,
sahsanu

lijecreative · December 8, 2015, 12:38pm

it is redirecting because it’s a 404.

I did it manually a bit earlier, indeed.

lijecreative · December 8, 2015, 12:40pm

See, it was a 404, but now i've added a plugin that redirects 404 to / (301)

I changed the rights on LE folder and now it says:

FailedChallenges: Failed authorization procedure. www.xxx.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 1311 parts

chriswheeler · December 8, 2015, 12:43pm

Sending 301 HTTP responses to not found requests is not a good idea, I’d keep with 404. You can still send content with a 404 status (such as a message for humans), and even a java script or meta redirect.

lijecreative · December 8, 2015, 12:45pm

Fine. I removed the plugin. I’ll deal with it later, when the cron will be ok.

FailedChallenges: Failed authorization procedure. www.xxx.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.xxx.org/.well-known/acme-challenge/qjVPrMj03n70YIpV_abuvv5X3Mgib4WAw79fBnaqMUM [149.202.55.90]: 404

lijecreative · December 8, 2015, 1:43pm

it looks like letsencrypt-auto save the validation in /var/www/.well-know… instead of /var/www/website.tld/web/.well-known…

Why so?

pfg · December 8, 2015, 1:48pm

Hope this answers your question.

lijecreative · December 8, 2015, 1:53pm

The .ini should be able to renew more than one certificat (let’s say 30 in a row).

So what I did is:
ln -s /var/www/.well-known/ .well-known

then in the .ini, I let:
webroot-path = /var/www/

I just have to do so for every websites.
It’s working

chriswheeler · December 8, 2015, 3:03pm

You could also remove the webroot-path from the ini file pass the web-root as a parameter with

-w /var/www/website.tld/web/

serverco · December 8, 2015, 8:11pm

Are you using ISPconfig or some other similar system to manage your virtual hosts ? ( I’m just guessing from your format of /var/www/website.tld/web/ … if so, have a look at https://github.com/sjau/le2ispc which helps set things up for such formats.

lijecreative · December 8, 2015, 10:04pm

That’s correct. I’m using ISP Config.
My cron and configuration file may be a problem for ISPconfig?

serverco · December 8, 2015, 10:08pm

The default letsencrypt-auto -apache doesn’t work correctly for all accounts on an ISPconfig system. On my ISPconfig servers I’ve used the script listed above which works nicely ( and essentially adds the certificates into the ISPconfig GUI) and makes it “automatic” for such systems.

Teh alternative would be doing it with the certonly and -manual flags, then copying the certs into the ISPconfig GUI manually yourself.