Still unable to get a Certificate

I gave up on the last attempt and started over with a clean server and installed iRedMail.

Installation worked fine.

I go to Lets Debug and get:
All OK!

OK

No issues were found with pegasus.corp.networkingtechnology.org. If you are having problems with creating an SSL certificate, please visit the Let's Encrypt Community forums and post a question there.

I follow the instructions:

Step 5: Installing Let’s Encrypt TLS Certificate

Since the mail server is using a self-signed TLS certificate, both desktop mail client users and webmail client users will see a warning. To fix this, we can obtain and install a free Let’s Encrypt TLS certificate.

Obtaining the Certificate

First, log into your server again via SSH and run the following commands to install Let’s Encrypt (certbot) client on CentOS 8.

sudo dnf install certbot python3-certbot-nginx -y

iRedMail has already configured TLS settings in the default Nginx virtual host, so here I recommend using the webroot plugin, instead of the nginx plugin, to obtain the certificate. Run the following command. Replace the red text with your own email address and hostname.

sudo certbot certonly --webroot --agree-tos --email you@example.com -d mail.your-domain.com -w /var/www/html/

For all my trouble and hard work, once again I get the 'Failed to Authenticate' invalid response

Does NOTHING ever work on these 'How-Tos'?

It uses NGINX and what I know about that could be written on the back of a VERY small postage stamp. I've always used apache, but it doesn't support apache.

Can anyone shed light on what is wrong this time?

Server is Alma 8.6, clean, name pegasus.corp.networkingtechnology.org

What doesn't support Apache? Because Certbot is either webserver agnostic or works nicely with Apache. Maybe you have a different reason for using nginx, but Certbot can't be it.

Not without the full nginx configuration and the exact Certbot output.

2 Likes

iRedMail doesn't support Apache (I did say that).

Where do I find the NGINX config? I have NEVER used or seen it before.

Certbot error:

[root@pegasus ~]# certbot certonly --webroot --agree-tos --email hmartin@networkingtechnology.org -d pegasus.corp.networkingtechnology.org -w /var/www/html/
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Would you be willing, once your first certificate is successfully issued, to
share your email address with the Electronic Frontier Foundation, a founding
partner of the Let's Encrypt project and the non-profit organization that
develops Certbot? We'd like to send you email about our work encrypting the web,
EFF news, campaigns, and ways to support digital freedom.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
(Y)es/(N)o: Y
Account registered.
Requesting a certificate for pegasus.corp.networkingtechnology.org

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: pegasus.corp.networkingtechnology.org
  Type:   unauthorized
  Detail: 79.132.230.61: Invalid response from https://pegasus.corp.networkingtechnology.org/.well-known/acme-challenge/HvbXhnJl_eyGX8jBASYu28OU7z_CvNBZEbFePu7xHiU: 404

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

Hello again Hank. I'm not sure why you talk about nginx. Because Apache is processing requests to your pegasus domain. Example

curl -I -m10 pegasus.corp.networkingtechnology.org/.well-known/acme-challenge/Test123
HTTP/1.1 301 Moved Permanently
Date: Tue, 06 Sep 2022 14:48:20 GMT
Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9
Location: https://pegasus.corp.networkingtechnology.org/.well-known/acme-challenge/Test123

curl -Ik -m10 https://pegasus.corp.networkingtechnology.org/.well-known/acme-challenge/Test123
HTTP/1.1 404 Not Found
Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9
(404 is expected as you don't have or need Test123 file)

You should see this in your Apache access logs at the time in the response header

3 Likes

As far as I can see, you said "it" didn't support Apache, but I have no way to know what "it" is exactly.

2 Likes

Hi Mike,

I'm fast reaching the point of giving up and staying with the old GW7 server or installing Microsoft Exchange. NOTHING ever works as it should on Linux.

This was a CLEAN install and after dnf update I followed these instructions TO THE LETTER because I cut and pasted every command to ensure no typos. THERE SHOULD BE NO APACHE on this server according to the instructions I followed, but there's a /etc/httpd folder and all the files.

What to do? Remove apache or just delete the entire thing and stay with GW7?

So far I haven't found ANYTHING on the internet which actually WORKS when it's to do with Linux.
Do I

Maybe it's as simple as an incorrect IP address in the DNS? Wrong portmap, if applicable? It's kinda weird the internet sees an Apache webserver while there is no Apache installed and/or running on your host. So perhaps the DNS is incorrect. Checking this should be included in the default debugging strategy of such problems.

With regard to Linux: most "howto's" are written by users and can be of very good, good, OK, terrible or even horrendous quality. Simple operations are mostly good to do for novice users, but complex operations often require skill of the user too. This is perhaps indeed often a downside of using open source software.

2 Likes

systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf
Active: inactive (dead)
Docs: man:httpd.service(8)
[root@pegasus ~]# systemctl stop httpd
[root@pegasus ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor pres>
Drop-In: /usr/lib/systemd/system/httpd.service.d
└─php-fpm.conf

I just checked all the DNS entries and OPNsense Port Forwarding and IP addresses + Ports open. NO problems.

Does Alma Linux 8.6 automatically install Apache?

I don't know. That's a better question at the Alma Linux forums or their docs.

Note the status display says Apache is not running on that machine. Which proves that requests to your domain pegasus.corp.networkingtechnology.org with DNS IP 79.132.230.61 are not reaching that machine. See my post #4 which clearly shows Apache responding.

Until you sort out your network and server architecture there is not much we can do.

There are a couple people who volunteer in this forum and also offer paid services. They might be able to sort that out for you. Let me know if you want that referral.

3 Likes
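Added example (not from any post in this thread): a small Python helper that classifies a curl -I probe of the challenge path the way the replies above do, telling a wrong host (a different server's Server header answering for the name, as in post #4 and the systemctl comparison) apart from a webroot mismatch on the right host. The sample response heads are constructed to match the curl output quoted above; the expected-server substring ("nginx" for an iRedMail box) is an assumption you supply.

```python
import re

CHALLENGE_PATH = "/.well-known/acme-challenge/"

# Constructed samples, modelled on the curl -I output quoted in the thread.
HTTP_HEAD = """HTTP/1.1 301 Moved Permanently
Date: Tue, 06 Sep 2022 14:48:20 GMT
Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9
Location: https://pegasus.corp.networkingtechnology.org/.well-known/acme-challenge/Test123
"""
HTTPS_HEAD = """HTTP/1.1 404 Not Found
Server: Apache/2.4.37 (AlmaLinux) OpenSSL/1.1.1k mod_fcgid/2.3.9
"""

def parse_head(head):
    """Return (status_code, {lower-case header name: value}) for one response head."""
    lines = head.strip().splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def diagnose(heads, expected_server):
    """heads: response heads per hop, in the order curl returned them;
    expected_server: substring of the Server header on the host running certbot."""
    for head in heads[:-1]:                      # every hop but the last must redirect
        status, hdrs = parse_head(head)
        if not 300 <= status < 400:
            return "unexpected status %d before the final hop" % status
        if CHALLENGE_PATH not in hdrs.get("location", ""):
            return "redirect-drops-path: Location %r loses %s" % (hdrs.get("location", ""), CHALLENGE_PATH)
    status, hdrs = parse_head(heads[-1])
    server = hdrs.get("server", "unknown server")
    if expected_server.lower() not in server.lower():
        # Another web server answers for the name: DNS or port forwarding sends the CA elsewhere.
        return "wrong-host: %s answered for the name" % server
    if status == 404:
        return "webroot-mismatch: %s serves the name but not the -w directory" % server
    if status == 200:
        return "ok"
    return "unexpected final status %d from %s" % (status, server)
```

Run the two curl -I commands from post #4 against your own name, paste the heads in order, and the verdict tells you whether to look at DNS/port forwarding first or at the -w path.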