Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'

viciexperts · May 5, 2020, 6:17pm

I ran this command: sudo certbot --apache

It produced this output:
Too many flags setting configurators/installers/authenticators ‘webroot’ -> ‘apache’

cat /var/log/letsencrypt/letsencrypt.log
2020-05-04 16:57:35,680:DEBUG:certbot._internal.main:certbot version: 1.0.0
2020-05-04 16:57:35,681:DEBUG:certbot._internal.main:Arguments: [’–apache’]
2020-05-04 16:57:35,681:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-05-04 16:57:35,703:DEBUG:certbot._internal.log:Root logging level set at 20
2020-05-04 16:57:35,704:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log

My web server is (include version):

Server version: Apache/2.4.33 (Linux/SUSE)
Server built: 2019-08-28 06:00:22.000000000 +0000

The operating system my web server runs on is (include version):

NAME=“openSUSE Leap”
VERSION=“15.1”
ID=“opensuse-leap”
ID_LIKE=“suse opensuse”
VERSION_ID=“15.1”
PRETTY_NAME=“openSUSE Leap 15.1”
ANSI_COLOR=“0;32”
CPE_NAME=“cpe:/o:opensuse:leap:15.1”
BUG_REPORT_URL=“https://bugs.opensuse.org”
HOME_URL=“https://www.opensuse.org/”

My hosting provider, if applicable, is: No hosted, I have full access.

I can login to a root shell on my machine: YES

I’m using a control panel to manage my site :NO

The version of my client is: certbot 1.0.0

stevenzhu · May 4, 2020, 9:32pm

Hi,

Looks like this is similar to a very old thread…
Too many flags setting configurators/installers/authenticators ‘webroot’ -> ‘apache’

Before you do anything, backup your Let’s Encrypt folder. (Normally in /etc/letsencrypt)

If you can, try to see if you have a cli.ini set in your system.

There’s an extreme version:

viciexperts · May 4, 2020, 9:55pm

Thanks. Also I dont have yet a FQDN, is mandatory? because my server has public IP address, and I read you can have ssl cert without FQDN.

viciexperts · May 4, 2020, 10:05pm

rsa-key-size = 4096
server = https://acme-staging.api.letsencrypt.org/directory
agree-tos = True
renew-by-default = True
authenticator = webroot
webroot-path = /srv/www/htdocs

I dont have old installs, this is my first time in this server

JuergenAuer · May 4, 2020, 10:07pm

Hi @viciexperts

if you want to create a Letsencrypt certificate, a domain name is required.

There are certificates (see https://1.1.1.1/ ), but Letsencrypt doesn’t allow to create certificates with ip addresses.

stevenzhu · May 4, 2020, 10:10pm

Check that .ini line and remove the authenticator line.

viciexperts · May 5, 2020, 2:10pm

certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter ‘c’ to
cancel): myemail@server.com
An unexpected error occurred:
The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See End of Life Plan for ACMEv1 for details.
Please see the logfiles in /var/log/letsencrypt for more details.

cat /var/log/letsencrypt/letsencrypt.log

2020-05-05 10:07:27,025:DEBUG:certbot._internal.main:certbot version: 1.0.0
2020-05-05 10:07:27,026:DEBUG:certbot._internal.main:Arguments: [’–apache’]
2020-05-05 10:07:27,026:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-05-05 10:07:27,049:DEBUG:certbot._internal.log:Root logging level set at 20
2020-05-05 10:07:27,050:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-05-05 10:07:27,050:DEBUG:certbot._internal.plugins.selection:Requested authenticator apache and installer apache
2020-05-05 10:07:27,213:DEBUG:certbot_apache._internal.configurator:Apache version is 2.4.33
2020-05-05 10:07:28,220:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * apache
Description: Apache Web Server plugin
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: apache = certbot_apache._internal.entrypoint:ENTRYPOINT
Initialized: <certbot_apache._internal.override_suse.OpenSUSEConfigurator object at 0x7f6ccc8e6990>
Prep: True
2020-05-05 10:07:28,221:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot_apache._internal.override_suse.OpenSUSEConfigurator object at 0x7f6ccc8e6990> and installer <certbot_apache._internal.override_suse.OpenSUSEConfigurator object at 0x7f6ccc8e6990>
2020-05-05 10:07:28,221:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator apache, Installer apache
2020-05-05 10:07:40,923:DEBUG:acme.client:Sending GET request to https://acme-staging.api.letsencrypt.org/directory.
2020-05-05 10:07:40,925:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-staging.api.letsencrypt.org:443
2020-05-05 10:07:41,138:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “GET /directory HTTP/1.1” 200 704
2020-05-05 10:07:41,139:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 05 May 2020 14:07:41 GMT
Content-Type: application/json
Content-Length: 704
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0001896nGwKuOhnfzlGTXYm90fm1UfkaI7_QF6YYylXUVE0
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
“key-change”: “https://acme-staging.api.letsencrypt.org/acme/key-change”,
“meta”: {
“caaIdentities”: [
“letsencrypt.org”
],
“terms-of-service”: “https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf”,
“website”: “https://letsencrypt.org/docs/staging-environment/”
},
“new-authz”: “https://acme-staging.api.letsencrypt.org/acme/new-authz”,
“new-cert”: “https://acme-staging.api.letsencrypt.org/acme/new-cert”,
“new-reg”: “https://acme-staging.api.letsencrypt.org/acme/new-reg”,
“revoke-cert”: “https://acme-staging.api.letsencrypt.org/acme/revoke-cert”,
“w2NlDN3OW_M”: “Adding random entries to the directory”
}
2020-05-05 10:07:41,140:DEBUG:acme.client:Requesting fresh nonce
2020-05-05 10:07:41,140:DEBUG:acme.client:Sending HEAD request to https://acme-staging.api.letsencrypt.org/acme/new-reg.
2020-05-05 10:07:41,187:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “HEAD /acme/new-reg HTTP/1.1” 405 0
2020-05-05 10:07:41,188:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Date: Tue, 05 May 2020 14:07:41 GMT
Content-Type: application/problem+json
Content-Length: 91
Connection: keep-alive
Allow: POST
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0002NzJt34j6WIONSuZ1_rdXa5OzYtgS-0apRzS8Rc2F2mc

2020-05-05 10:07:41,188:DEBUG:acme.client:Storing nonce: 0002NzJt34j6WIONSuZ1_rdXa5OzYtgS-0apRzS8Rc2F2mc
2020-05-05 10:07:41,189:DEBUG:acme.client:JWS payload:
{
“contact”: [
“mailto:email@servers.com”
],
“resource”: “new-reg”
}
2020-05-05 10:07:41,227:DEBUG:acme.client:Sending POST request to https://acme-staging.api.letsencrypt.org/acme/new-reg:
{
“protected”: “eyJub25jZSI6ICIwMDAyTnpKdDM0ajZXSU9OU3VaMV9yZFhhNU96WXRnUy0wYXBSelM4UmMyRjJtYyIsICJhbGciOiAiUlMyNTYiLCAiandrIjogeyJlIjogIkFRQUIiLCAia3R5IjogIlJTQSIsICJuIjogIjNJT2xSSjVRLTlyQmxwWEZOeVdOS19lWHJ6WHNFclFCVEU2c0VFVTNkR3Z2VU1BOEp1aUFMMXNUUnE0UUphQVd2a2hoRGdJOEVKSVQyQWNWM1FSb2wzbmVYWUJEZnpQSjZ6TmFpcWdNNjIwbGVYY2dCc1dkbjdIVE42bnd2NWJXZWasdZGxpd2xNY0c1OF80aVJPVUdydlYzUFJHY1A2RklSZTBuZzRZVzNQSWZWdmNEMFNVTExZeTBES2IyTXpfZ1l1WXhyc1VlNGRnQ1BETlNwb19IUVRNa3dsWjdJWjdEVE1ubFc3RE1xemkxZ21ibldaTURyWU81OHJxMDRIYmJKM2o2VjFseW81RGV6RHB0WTVOOG1TOTBwOE51LXQ2el9qWUJPX1FSaEVBNGV2c1JBYnVTTzVGVy1MdlFRM1FxRFFON1RQdW5qaVk1WmlKOVNCTHJnelo1VFpsMFppQ29nWDY0VUhoYUlIX3ZWVUFkR25CSmlIVlFHNUZjQjJxUmVZR0gxZTNSTkxmZW9fNWFrdFRxVkFnaW1ic05RU3VnYkdpSnVuU2szZ05qYzFJRWdvdjEzLWdMOEsybU13WEJCeUI4Vzk3aXpVIn19”,
“payload”: “ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzpvbWFyQHZpY2lleHBlcnRzLmNvbSIKICBdLCAKICAicmVzb3VyY2UiOiAibmV3LXJlZyIKfQ”,
“signature”: “nGY5usfmH_sdXeQhAPEO2y_hJUYfkttPPVQCi-8Ia3snpfI4lDtA_ZysqS579Kyyy1p07DJ3EmvUoUB7zpw8kokj93B_unA34rAiJ8zvYsFoOWfaFZCPj4DgHkAWgnx45GvweF22Ciw84gmAc6yWImLqcwWck1ouI6zsFzUiBZZq3loUBXAlc54x7WCbLDOBTQwTXlmZFZ40HzMmVrWdi4ASZ3-5Vzt-S3iYss33Ms0IfvXDmyohbUMq3hDgZps20p5fsYpBo-Xd6H31kgCvVujY-9RHBDv1Md6lQeywHe0KCXOCrbIm9EIEVAEINC8khSVLugoKoHyjOkqFApUxq1nlewvqEtdzivTNcJMTtvAsEs8VbIgNrUGxzbHXR7-zwZGgITrGeV4zJNWef53TceSx_Df-c0_J3y8NGvmXgAFfU21LW96mKS_WzQ”
}
2020-05-05 10:07:41,293:DEBUG:urllib3.connectionpool:https://acme-staging.api.letsencrypt.org:443 “POST /acme/new-reg HTTP/1.1” 403 280
2020-05-05 10:07:41,294:DEBUG:acme.client:Received response:
HTTP 403
Server: nginx
Date: Tue, 05 May 2020 14:07:41 GMT
Content-Type: application/problem+json
Content-Length: 280
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Replay-Nonce: 0001Jn8zfPOFnKSYu9hKi3xbZPpyo7irl_DJfktlkQ19Kck

{
“type”: “urn:acme:error:unauthorized”,
“detail”: “Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See End of Life Plan for ACMEv1 for details.”,
“status”: 403
}
2020-05-05 10:07:41,295:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
File “/usr/bin/certbot”, line 11, in
load_entry_point(‘certbot==1.0.0’, ‘console_scripts’, ‘certbot’)()
File “/usr/lib/python2.7/site-packages/certbot/main.py”, line 14, in main
return internal_main.main(cli_args)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1350, in main
return config.func(config, plugins)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 1097, in run
le_client = _init_le_client(config, authenticator, installer)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 607, in _init_le_client
acc, acme = _determine_account(config)
File “/usr/lib/python2.7/site-packages/certbot/_internal/main.py”, line 523, in _determine_account
config, account_storage, tos_cb=_tos_cb)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 177, in register
regr = perform_registration(acme, config, tos_cb)
File “/usr/lib/python2.7/site-packages/certbot/_internal/client.py”, line 220, in perform_registration
return acme.new_account_and_tos(newreg, tos_cb)
File “/usr/lib/python2.7/site-packages/acme/client.py”, line 848, in new_account_and_tos
regr = self.client.register(regr)
File “/usr/lib/python2.7/site-packages/acme/client.py”, line 277, in register
response = self._post(self.directory[new_reg], new_reg)
File “/usr/lib/python2.7/site-packages/acme/client.py”, line 95, in _post
return self.net.post(*args, **kwargs)
File “/usr/lib/python2.7/site-packages/acme/client.py”, line 1191, in post
return self._post_once(*args, **kwargs)
File “/usr/lib/python2.7/site-packages/acme/client.py”, line 1205, in _post_once
response = self._check_response(response, content_type=content_type)
File “/usr/lib/python2.7/site-packages/acme/client.py”, line 1061, in _check_response
raise messages.Error.from_json(jobj)
Error: urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See End of Life Plan for ACMEv1 for details.
2020-05-05 10:07:41,298:ERROR:certbot._internal.log:An unexpected error occurred:
2020-05-05 10:07:41,298:ERROR:certbot._internal.log:The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See End of Life Plan for ACMEv1 for details.

JuergenAuer · May 5, 2020, 2:58pm

ACME-v1 is deprecated.

Use acme-v02.api.letsencrypt.org instead.

Read

Osiris · May 5, 2020, 4:22pm

There are more lines in that cli.ini which should be removed.

renew-by-default = True is a recipe to running into rate limts… Should be removed. Also, the server line doesn’t need to be modified, with version 1.0.0 the ACME v2 endpoint is enabled by default, so the server line can be removed in total too. Use the --staging command line option for using the staging environment. Remove the --staging option if all testing is succesful and you want a live certificate.

viciexperts · May 5, 2020, 4:22pm

Thank you, I think that now works because it shows:
Which names would you like to activate HTTPS for?

1: dynportal.company.com
2: vicibox.company.com
3: dynportalcompany.com

I had to edit apache2/vhosts.d/1111-default-ssl.conf and add my FQDN
also, I had to disable the firewall.

and said:

Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/dialer2.callcentre.org/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/dialer2.callcentre.org/privkey.pem
Your cert will expire on 2020-08-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew all of your certificates, run
“certbot renew”

But when I access my server using https still said not valid certicate.
Your connection is not private

NET::ERR_CERT_AUTHORITY_INVALID

I also edited apache2/vhosts.d/1111-default-ssl.conf and changed these lines:
SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/dialer2.callcentre.org/fullchain.pem
#SSLCACertificateFile /etc/apache2/ssl.crt/CA_chain.crt
SSLCertificateKeyFile /etc/letsencrypt/live/dialer2.callcentre.org/privkey.pem

And finally WORKS!
Thank you very much!