Try running letsencrypt with the "certonly" command


#1

I’ve been waiting a long time and know it’s close. So I tried to see if I can install it and did the:

git clone https://github.com/letsencrypt/letsencrypt

Then I did:

./letsencrypt-auto --agree-dev-preview --server \ https

Don’t want to show my URL but I put it after the https. I guess that was wrong.

How would I run the “certonly” command? I guess that’s what it needs to fix this.

Thank you Letsencrypt this will be super when you have the apt-get install working.

-Raymond Day


#2

I think I almost got it. I get this now at the end of the command:

An unexpected error occurred.
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted
Please see the logfiles in /var/log/letsencrypt for more details.
root@ICS32:~/letsencrypt#

Here is that /var/log/letsencrypt log, but I put XXXX.XX for my URL. Don’t want to give it out. Also changed the http to NOLINK because it will not let me post more than 2 links.

It will not let me upload a .log file so I renamed it to .gif

Looks like that did not work so will have to just copy and paste the whole log here:

2015-11-02 22:05:26,012:DEBUG:letsencrypt.cli:Root logging level set at -40
2015-11-02 22:05:26,045:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2015-11-02 22:05:26,078:DEBUG:letsencrypt.cli:letsencrypt version: 0.0.0.dev20151030
2015-11-02 22:05:26,112:DEBUG:letsencrypt.cli:Arguments: ['--agree-dev-preview', '-d', 'XXX.XX', '--server', 'NOLINKs://acme-v01.api.letsencrypt.org/directory', '-vvvvvvv']
2015-11-02 22:05:26,148:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2015-11-02 22:05:26,208:DEBUG:letsencrypt.cli:Requested authenticator None and installer None
2015-11-02 22:05:27,335:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#apache): (‘There has been an error in parsing the file (%s): %s’, u’/etc/apache2/conf-enabled/phpbb3.conf’, u’Syntax error’)
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py”, line 103, in prepare
self._initialized.prepare()
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/configurator.py”, line 153, in prepare
self.check_parsing_errors(“NOLINKd.aug”)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/augeas_configurator.py”, line 64, in check_parsing_errors
raise errors.PluginError(msg)
PluginError: (‘There has been an error in parsing the file (%s): %s’, u’/etc/apache2/conf-enabled/phpbb3.conf’, u’Syntax error’)
2015-11-02 22:05:27,359:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): --webroot-path must be set
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/disco.py”, line 103, in prepare
self._initialized.prepare()
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/webroot.py”, line 50, in prepare
self.option_name(“path”)))
PluginError: --webroot-path must be set
2015-11-02 22:05:27,392:DEBUG:letsencrypt.display.ops:Single candidate plugin: * standalone
Description: Automatically use a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = letsencrypt.plugins.standalone:Authenticator
Initialized: <letsencrypt.plugins.standalone.Authenticator object at 0x7fe0348df210>
Prep: True
2015-11-02 22:05:27,412:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.standalone.Authenticator object at 0x7fe0348df210> and installer None
2015-11-02 22:05:27,482:DEBUG:letsencrypt.cli:Picked account: <Account(19f8c5dfdf782f0c1d5531f42386f79f)>
2015-11-02 22:05:27,501:DEBUG:root:Sending GET request to NOLINKs://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2015-11-02 22:05:27,535:INFO:requests.packages.urllib3.connectionpool:Starting new NOLINKS connection (1): acme-v01.api.letsencrypt.org
2015-11-02 22:05:27,980:DEBUG:requests.packages.urllib3.connectionpool:“GET /directory NOLINK/1.1” 200 263
2015-11-02 22:05:28,042:DEBUG:root:Received <Response [200]>. Headers: {‘Content-Length’: ‘263’, ‘Expires’: ‘Mon, 02 Nov 2015 22:05:06 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Mon, 02 Nov 2015 22:05:06 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Access-Control-Allow-Origin’: ‘’, ‘Replay-Nonce’: ‘66ocA-fVnBOlGA0RO1UZnpwt3ZeQX112aZVGm6lVipM’}. Content: '{“new-authz”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/new-authz”,“new-cert”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/new-cert”,“new-reg”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/new-reg”,“revoke-cert”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/revoke-cert”}'
2015-11-02 22:05:28,097:DEBUG:acme.client:Received response <Response [200]> (headers: {‘Content-Length’: ‘263’, ‘Expires’: ‘Mon, 02 Nov 2015 22:05:06 GMT’, ‘Strict-Transport-Security’: ‘max-age=604800’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Mon, 02 Nov 2015 22:05:06 GMT’, ‘X-Frame-Options’: ‘DENY’, ‘Content-Type’: ‘application/json’, ‘Access-Control-Allow-Origin’: '’, ‘Replay-Nonce’: ‘66ocA-fVnBOlGA0RO1UZnpwt3ZeQX112aZVGm6lVipM’}): ‘{“new-authz”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/new-authz”,“new-cert”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/new-cert”,“new-reg”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/new-reg”,“revoke-cert”:“NOLINKs://acme-v01.api.letsencrypt.org/acme/revoke-cert”}‘
2015-11-02 22:05:28,482:INFO:letsencrypt.crypto_util:Generating key (2048 bits): /etc/letsencrypt/keys/0003_key-letsencrypt.pem
2015-11-02 22:05:28,558:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0003_csr-letsencrypt.pem
2015-11-02 22:05:28,597:DEBUG:letsencrypt.client:CSR: CSR(file=’/etc/letsencrypt/csr/0003_csr-letsencrypt.pem’, REMOVED KEY HERE, domains: [‘XXXX.XX’]
2015-11-02 22:05:28,637:DEBUG:root:Requesting fresh nonce
2015-11-02 22:05:28,671:DEBUG:root:Sending HEAD request to NOLINKs://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2015-11-02 22:05:28,703:INFO:requests.packages.urllib3.connectionpool:Starting new NOLINKS connection (1): acme-v01.api.letsencrypt.org
2015-11-02 22:05:29,212:DEBUG:requests.packages.urllib3.connectionpool:“HEAD /acme/new-authz NOLINK/1.1” 405 0
2015-11-02 22:05:29,277:DEBUG:root:Received <Response [405]>. Headers: {‘Content-Length’: ‘0’, ‘Pragma’: ‘no-cache’, ‘Expires’: ‘Mon, 02 Nov 2015 22:05:07 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘keep-alive’, ‘Allow’: ‘POST’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Mon, 02 Nov 2015 22:05:07 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘cXQCXn48EbbNANsU2EdmpIbP_PI9B5m3y8AhSe9kmZ4’}. Content: ''
2015-11-02 22:05:29,331:DEBUG:acme.client:Storing nonce: 'qt\x02^~<\x11\xb6\xcd\x00\xdb\x14\xd8Gf\xa4\x86\xcf\xfc\xf2=\x07\x99\xb7\xcb\xc0!I\xefd\x99\x9e’
2015-11-02 22:05:29,380:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, status=None, combinations=None
2015-11-02 22:05:29,420:DEBUG:acme.client:Serialized JSON: {“identifier”: {“type”: “dns”, “value”: “XXXX.XX”}, “resource”: “new-authz”}
2015-11-02 22:05:29,480:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2015-11-02 22:05:29,559:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2015-11-02 22:05:29,592:DEBUG:root:Sending POST request to NOLINKs://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {‘data’: ‘{“header”: {“alg”: “RS256”, “jwk”: {“e”: “AQAB”, “kty”: “RSA”, “n”: “REMOVED RSA KEY HERE”}’}
2015-11-02 22:05:29,625:INFO:requests.packages.urllib3.connectionpool:Starting new NOLINKS connection (1): acme-v01.api.letsencrypt.org
2015-11-02 22:05:30,125:DEBUG:requests.packages.urllib3.connectionpool:“POST /acme/new-authz NOLINK/1.1” 403 101
2015-11-02 22:05:30,190:DEBUG:root:Received <Response [403]>. Headers: {‘Content-Length’: ‘101’, ‘Expires’: ‘Mon, 02 Nov 2015 22:05:08 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘close’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Mon, 02 Nov 2015 22:05:08 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘umfGUbO7xpQJQsJjeeNQEfgGu9ccXVRvM7EoNbPsBo0’}. Content: '{“type”:“urn:acme:error:unauthorized”,“detail”:“Error creating new authz :: Name is not whitelisted”}'
2015-11-02 22:05:30,246:DEBUG:acme.client:Storing nonce: '\xbag\xc6Q\xb3\xbb\xc6\x94\tB\xc2cy\xe3P\x11\xf8\x06\xbb\xd7\x1c]To3\xb1(5\xb3\xec\x06\x8d’
2015-11-02 22:05:30,294:DEBUG:acme.client:Received response <Response [403]> (headers: {‘Content-Length’: ‘101’, ‘Expires’: ‘Mon, 02 Nov 2015 22:05:08 GMT’, ‘Server’: ‘nginx’, ‘Connection’: ‘close’, ‘Pragma’: ‘no-cache’, ‘Cache-Control’: ‘max-age=0, no-cache, no-store’, ‘Date’: ‘Mon, 02 Nov 2015 22:05:08 GMT’, ‘Content-Type’: ‘application/problem+json’, ‘Replay-Nonce’: ‘umfGUbO7xpQJQsJjeeNQEfgGu9ccXVRvM7EoNbPsBo0’}): '{“type”:“urn:acme:error:unauthorized”,“detail”:“Error creating new authz :: Name is not whitelisted”}'
2015-11-02 22:05:30,340:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
File “/root/.local/share/letsencrypt/bin/letsencrypt”, line 11, in <module>
sys.exit(main())
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 1131, in main
return args.func(args, config, plugins)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 489, in obtaincert
_auth_from_domains(le_client, config, domains, plugins)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/cli.py”, line 327, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains, plugins)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 229, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 212, in obtain_certificate
return self._obtain_certificate(domains, csr) + (key, csr)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py”, line 170, in _obtain_certificate
authzr = self.auth_handler.get_authorizations(domains)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py”, line 74, in get_authorizations
domain, self.account.regr.new_authzr_uri)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 215, in request_domain_challenges
typ=messages.IDENTIFIER_FQDN, value=domain), new_authz_uri)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 195, in request_challenges
response = self.net.post(new_authzr_uri, new_authz)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 624, in post
return self._check_response(response, content_type=content_type)
File “/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/acme/client.py”, line 542, in _check_response
raise messages.Error.from_json(jobj)
Error: unauthorized :: The client lacks sufficient authorization :: Error creating new authz :: Name is not whitelisted

-Raymond Day


#3

Hi @Ray. To answer your original question, to run the client with the certonly command, simply include certonly on the command line.

As for the error about not being whitelisted, there was a problem with our whitelist that has recently been corrected. I would try running the client again and see if you have the same issue.
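
An added example, not part of the original thread or of the Let's Encrypt client: a short Python triage of a debug log in the format posted above, which separates local plugin errors from the CA's own refusal. The sample log lines are constructed and the names `triage` and `root_cause` are hypothetical.

```python
import json
import re

# Constructed sample in the format of the debug log in this thread
# (straight quotes, as the client writes them).
SAMPLE_LOG = """\
2015-11-02 22:05:27,335:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#apache): ('There has been an error in parsing the file (%s): %s', u'/etc/apache2/conf-enabled/phpbb3.conf', u'Syntax error')
Traceback (most recent call last):
2015-11-02 22:05:27,359:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): --webroot-path must be set
2015-11-02 22:05:29,212:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2015-11-02 22:05:30,125:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 403 101
2015-11-02 22:05:30,190:DEBUG:root:Received <Response [403]>. Headers: {'Content-Type': 'application/problem+json'}. Content: '{"type":"urn:acme:error:unauthorized","detail":"Error creating new authz :: Name is not whitelisted"}'
"""

RECORD = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}:\w+:([\w.]+):(.*)$")
PLUGIN = re.compile(r"Other error:\(PluginEntryPoint#(\w+)\): (.*)")
HTTP = re.compile(r'"(GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})\b')
PROBLEM = re.compile(r'\{"type":"urn:acme:error:[^{}]*\}')

def triage(log_text):
    """Collect plugin errors, HTTP responses >= 400 and ACME problem documents."""
    report = {"plugin_errors": {}, "http_failures": [], "acme_problems": []}
    for line in log_text.splitlines():
        rec = RECORD.match(line)
        if not rec:
            continue  # traceback continuation lines repeat the record above them
        logger, msg = rec.groups()
        m = PLUGIN.search(msg)
        if m and logger == "letsencrypt.plugins.disco":
            report["plugin_errors"][m.group(1)] = m.group(2)
        m = HTTP.search(msg)
        if m and int(m.group(3)) >= 400:
            report["http_failures"].append((m.group(1), m.group(2), int(m.group(3))))
        for doc in PROBLEM.findall(msg):
            problem = json.loads(doc)
            if problem not in report["acme_problems"]:  # each response is logged twice
                report["acme_problems"].append(problem)
    return report

def root_cause(report):
    """Prefer the CA's own verdict over plugins that merely failed to load."""
    if report["acme_problems"]:
        p = report["acme_problems"][0]
        return ("ca", p["type"].rsplit(":", 1)[-1], p["detail"])
    if report["plugin_errors"]:
        name, detail = sorted(report["plugin_errors"].items())[0]
        return ("local", name, detail)
    return ("none", "", "")
```

On a real log, `root_cause(triage(open("/var/log/letsencrypt/letsencrypt.log").read()))` gives the same kind of verdict; the 405 on the nonce `HEAD` is listed under `http_failures` but does not decide the result.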


#4

Looks like it worked. Had to stop Apache and I did this command:

./letsencrypt-auto certonly

It came back with:

IMPORTANT NOTES:

  • Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/XXXX.XX/fullchain.pem. Your cert will
    expire on 2016-01-31. To obtain a new version of the certificate in
    the future, simply run Let’s Encrypt again.

Started Apache and went to my URL with a https and I get:

This webpage is not available

Can still go to http without the s; that still works.

What else needs to be done?

-Raymond Day


#5

Not sure if this has something to do with it but my:

Document Root /media/USBdisk2-3TB/var/www

Is there. I also have a link at /var/www that points to there.

-Raymond Day


#6

Sounds like you got a cert! Congratulations.

The certonly command gets you a certificate but does not automatically install/configure it for you. If you’d like to configure the cert with Apache, you have a couple options:

  1. Run ./letsencrypt-auto again but do not include certonly.
  2. Run ./letsencrypt-auto install --apache --cert-path /etc/letsencrypt/live/XXXX.XX/cert.pem --key-path /etc/letsencrypt/live/XXXX.XX/privkey.pem --chain-path /etc/letsencrypt/live/XXXX.XX/chain.pem
  3. Configure the certificate yourself. There are a number of guides online to help you through that process.

#7

Ran the long one line command and this time got back this:

Please choose whether HTTPS access is required or optional.
Easy    Allow both HTTP and HTTPS access to these sites
Secure  Make all requests redirect to secure HTTPS access

Picked easy and it just went back to the command line fast.

Looked up “Configure the certificate yourself letsencrypt” and have not found anything yet. Still looking.

-Raymond Day


#8

Here is how Webmin shows it. Port 443 seems like it should work. I am on Webmin with my LAN but I have a port forward for the WWW. But it still doesn’t work. Still looking for certificate myself.

-Raymond Day


#9

When I run the:

./letsencrypt-auto install --apache --cert-path /etc/letsencrypt/live/XXXX.XX/cert.pem --key-path /etc/letsencrypt/live/XXXX.XX/privkey.pem --chain-path /etc/letsencrypt/live/XXXX.XX/chain.pem

Do replace the XXXX.XX with my http. It will ask if I want to continue with this text.

No names were found in your configuration files.
You should specify ServerNames in your config files in order to
allow for accurate installation of your certificate.
If you do use the default vhost, you may specify the name manually.

I have been changing the LAN name of ICS32 to my XXXX.XX and restarting apache2 and it doesn’t give any errors. Not sure where I change the ServerNames if that’s what’s wrong.

I thought it was because I did not forward port 443, and then I did and it still gives me the same error.

I thought that would have fixed it. Not sure what is wrong.

-Raymond Day


#10

In Webmin, looks like I fixed it. I got through the ServerName. Webmin shows Server Name under Virtual Server Details and it was on Default. I clicked where I can type and typed my XXXX.XX and got past the “No names were found”.

But now it gives me this error:

IMPORTANT NOTES:

  • The following ‘connection’ errors were reported by the server:

Domains: XXXX.XX
Error: The server could not connect to the client for DV

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain contains
the right IP address. Additionally, please check that your computer
has publicly routable IP address and no firewalls are preventing
the server from communicating with the client.
root@ICS32:~/letsencrypt#

I guess because I have a port forward to my LAN from the WWW. Can this be fixed?

-Raymond Day


#11

I get back this:

Error: The server could not connect to the client for DV

I did port forward 443 to its IP but it still gives this error.

Got GoDaddy to get the domain name; would I have to config it there somehow?

Not sure what else to do.

How would I fix this?

-Raymond Day


#12

That photo of Webmin I have in here, where it shows localhost for Server Name, I now have my URL but it still doesn’t work. But I don’t get the error any more of “No names were found in your configuration files”.

-Raymond Day