Standalone linux installation failing

Hi Let's Encrypt community,

I am trying to add certificates to a work server we use for showcases. The certificates will be used in an Oracle product, so I will have to do a standalone certification (there is no web server on the server anyway).

The IP that I use is a router. What I was hoping to do was to install certificates on a machine on the IP. Currently there are several machines under this IP. I have freed the IP:443.

So my questions are:

  • Is the "Failed to find apache2ctl" message important?

  • Should I redirect the IP:443 to the machine where I try to install the certificate or what would be the correct thing to do here?

I ran this command:
./certbot-auto certonly --standalone-supported-challenges tls-sni-01 --email a@email.com -d A.webpage.com

It produced this output:

urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge

and

Failed to find apache2ctl in PATH: ..

My operating system is (include version):
Linux 3.10

I can login to a root shell on my machine:
Yes

Thanks for the effort,
Regards

I think you need to include "--standalone" on your command line - i.e.

./certbot-auto certonly --standalone --standalone-supported-challenges tls-sni-01 --email a@email.com -d A.webpage.com

I suspect this is because you weren't running in standalone mode, and it was trying to use apache.

Yes.

Okay. Thanks for the input. I will try it and let you know how it goes.

Might take a day since the router config has to be changed.

An alternative may be the DNS-01 challenge, as that doesn't require access through your router (it needs a token placed in your DNS records instead).

Okay. So I changed the run command to:

./certbot-auto certonly --standalone --preferred-challenges tls-sni-01 --email email@email.com -d adress.com

The apache2ctl error disappeared which is good.

This error is still present:

urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for TLS-SNI-01 challenge

As you suggested I probably have to add a token in my DNS record.

As I understood it, providing this token is needed to show that I own the IP, just as creating a folder is done for the webroot installation?

  • Do you know any good articles about DNS records? I could not find any satisfactory ones.
  • What should this token contain?

Regards

Without your domain name and a little testing, it's difficult to determine exactly what's wrong. The TLS-SNI-01 challenge creates a temporary SSL certificate which it displays on your server on port 443. Let's Encrypt then tests to verify it can see this certificate. For some reason it isn't able to do that (possibly because something else is listening on port 443, or the port forwarding isn't correct through your router ...).

The DNS challenge is relatively straightforward if you have an API on your DNS provider (so you can automatically add a TXT record). It can be done manually, but would need to be renewed every couple of months, so a DNS provider with a good API makes life easier. The client you are running (certbot or other) will provide you with the TXT record.

Do you use a public DNS provider for your domain name? If so, which? Or do you manage your DNS yourself?

Thanks for the answer @serverco

Bluehost is the DNS provider and they provide the domain name myDomainName.com to us. I asked the person responsible for the router to open port 443 and forward it to the server where I run the certbot. When I do some checks it looks like the port is closed, but that can be because nothing is listening on that port if I am not mistaken.

I thought, since I am running the certbot on my server and I want to validate my server, I do not need to use some API from my DNS provider. I thought the certbot was sufficient, but please let me know if that is wrong.

Regards

You are correct. The only reason I suggested using the DNS challenge was because your site didn't appear to be connected directly to the internet (from what you said, it's behind a router, and there are several other servers behind the same router), hence it was a suggestion as an alternative approach.

Correct, there should be nothing running until you run certbot.

Now that the router has been opened and port 443 forwarded to your server, are you still getting the same error from certbot?

Yes the same error:

urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to ..

Maybe the port forwarding wasn't done properly, or could it be something else like a firewall?

It could be either, yes.

Personally I'd run something on there to listen on port 443 and test the connection. You don't need a full web server, just something to show you have access.
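The reachability check suggested above, written out as an added example (this is not code from the thread or from certbot): a throwaway TCP listener that answers every connection with a fixed banner, plus a probe that reports whether a connection got through and what kind of failure it hit. The banner bytes, the `free_port()` helper (used only for a local self-test) and the error classification are my assumptions. Run `serve_banner()` on the server on the port certbot will bind (443 here; 80 for the HTTP-01 challenge), then run `probe()` from a host outside the router.

```python
"""Constructed diagnostic: is the port certbot --standalone will use reachable from outside?

serve_banner()  - minimal listener, no TLS and no web server, replies with BANNER
probe()         - client that connects and classifies the outcome
free_port()     - helper for the local self-test: returns a port nothing listens on
"""
import socket
import sys
import threading
from typing import Optional, Tuple

BANNER = b"port-check-ok\n"  # constructed marker; any fixed bytes work


def serve_banner(bind_addr: str = "0.0.0.0", port: int = 443,
                 max_conns: Optional[int] = None) -> Tuple[socket.socket, threading.Thread]:
    """Start a background listener.

    Returns the bound socket (srv.getsockname()[1] gives the real port when port=0)
    and the serving thread. Binding 443 on Linux needs root or CAP_NET_BIND_SERVICE.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(5)

    def loop() -> None:
        served = 0
        while max_conns is None or served < max_conns:
            try:
                conn, _peer = srv.accept()
            except OSError:
                break  # listener closed by the caller
            with conn:
                conn.sendall(BANNER)
            served += 1

    thread = threading.Thread(target=loop, daemon=True)
    thread.start()
    return srv, thread


def probe(host: str, port: int, timeout: float = 3.0) -> dict:
    """Connect to host:port and report what happened.

    connected=False with error "ConnectionRefusedError": the packet arrived but nothing
      listens there (listener not running, or forwarding points at the wrong machine).
    connected=False with error "TimeoutError"/"timeout": no answer at all, which on a
      forwarded port usually means a firewall is dropping the traffic.
    connected=True, banner_ok=False: something answered, but it is not our listener
      (another service already owns the port).
    """
    result = {"host": host, "port": port, "connected": False,
              "banner_ok": False, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["connected"] = True
            data = s.recv(64)
            result["banner_ok"] = data == BANNER
    except OSError as exc:
        result["error"] = type(exc).__name__
    return result


def free_port() -> int:
    """Ask the kernel for an unused port and release it again (self-test helper)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Server side:  python port_check.py listen 443
    # Client side:  python port_check.py probe A.webpage.com 443
    if len(sys.argv) >= 3 and sys.argv[1] == "listen":
        srv, t = serve_banner("0.0.0.0", int(sys.argv[2]))
        print("listening on", srv.getsockname())
        t.join()
    elif len(sys.argv) >= 4 and sys.argv[1] == "probe":
        print(probe(sys.argv[2], int(sys.argv[3])))
    else:
        print("usage: listen <port> | probe <host> <port>")
```

Stop the listener before running certbot, since certbot's standalone mode needs to bind the same port itself; the point of the check is only to tell "forwarding points elsewhere" (refused) apart from "firewall drops it" (timeout) before spending a day on router changes.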

Thanks for the help @serverco

I spun up a temporary Python web server and did some tests. It was the firewall that caused the issues. I managed to download the certificates.

Now I will try to use them in OBIEE12c.

Thanks again for the help,

Regards
