0 votes
Found this wiki page Let's Encrypt. Now I receive the error below. What does this mean? I'll check Google this evening to see if I can find some more information.


Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.


PS: I couldn't find a Let's Encrypt sub-forum (is it possible to add one?), so I posted in other system topics.
Wednesday, January 24 2018, 07:13 PM
Responses (19)

    Thursday, February 08 2018, 06:04 PM
    1 vote
    @Graham and Marcel,

    In consultation with the devs I've reworked the HowTo to use the group "ssl-cert" instead of "mail". This has largely come about because of Marcel's desire to use the certificates for Wordpress, which doesn't really fit the "mail" group. It was the original intention of the ssl-cert group, which was never implemented. Any setup with the original instructions will still work, but you may want to update your installation. It means changing the group ownership of /etc/letsencrypt/live and /etc/letsencrypt/archive, running the various usermod commands, then restarting the services.

    @Marcel, If you get Wordpress working, let me know the file you changed, the parameters, with wordpress user (if any) and the service to restart and I'll update the HowTo

    @anyone else: if you have made another app use Let's Encrypt certificates, I'll happily update the HowTo if you give me the same info I've requested from Marcel.

    Sunday, February 04 2018, 03:31 PM
    0 votes
    Nick,

    Thanks for the link to the procedure on how to assign the LetsEncrypt certificate. I followed that and now I am not getting the annoying certificate error when Outlook clients start up.

    This is the link to the article which works for imap/pop/postfix smtp.

    https://www.clearos.com/resources/documentation/clearos/content:en_us:kb_howtos_using_letsencrypt_certificates_for_mail

    As always, thanks for your help it is much appreciated.

    Graham Sivill

    Saturday, February 03 2018, 08:28 PM
    0 votes
    As Graham posted, please add a default website. I'm thinking it will then start working.

    [edit]
    It will also generate your "/etc/httpd/conf.d/flex-80.conf"
    [/edit]
    [edit 2]
    It will also make the findmnt command return something
    [/edit 2]

    Saturday, February 03 2018, 08:21 PM
    0 votes
    Nick Howitt wrote:

    It looks like I am the only one it is working for!

    What is the contents of your /etc/httpd/conf.d/flex-80.conf and the output of "findmnt | grep \]"? I assume the domain for your certificate resolves to your external IP. Does it help if you open incoming port 443?


    I don't have a "/etc/httpd/conf.d/flex-80.conf", but I have a "/etc/httpd/conf.d/app-wordpress.conf"


    Alias /wordpress /var/clearos/wordpress/sites

    <Directory /var/clearos/wordpress/sites>
    Require all granted
    </Directory>


    "findmnt | grep \]" doesn't output anything..

    Port 80 and 443 are open.

    I can access my Plex server via my main domain name. http://domain.com:32400. So I suppose that is set okay.

    Saturday, February 03 2018, 07:19 PM
    0 votes
    To use your new certificate in e-mail programs, see this HowTo. It only covers postfix and cyrus-imapd as I don't use Kopano or Zarafa. If you use either of those and can give me the parameters and file which need changing and the service which needs to be restarted I can update the HowTo, but the approach should be the same for any of them. The only question would be if Zarafa or Kopano did not run as root user or as a user which belonged to the mail group.

    For renewal, a cron job runs every night. Certificates last for 3 months, but certbot (the underlying package) will renew them after 2 months. When they get renewed, app-lets-encrypt will run any configlet in /var/clearos/events/lets_encrypt. By default this just restarts the Web Server and Webconfig, but in the HowTo you drop in a configlet for postfix and cyrus-imapd to get them to restart. Restarting reads the new certificate.

    This works because, in reality, you are not pointing these apps directly to certificates but to symlinks. Certbot maintains the symlinks to always point to the latest certificate.
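    To check the symlink and group-permission arrangement described in this reply (and the ssl-cert group ownership of live/ and archive/ that the reworked HowTo mentions further up), here is an added Python example that is not part of this thread, ClearOS or certbot. It assumes certbot's standard live/ and archive/ layout, takes the service group as a numeric gid, and build_sample_layout() writes a constructed stand-in tree rather than real certificates.

```python
"""Check the live/ -> archive/ symlink layout and group permissions that the
renewal scheme above depends on.  Added example, not ClearOS or certbot code;
service_gid is the numeric gid of the group the daemons read certificates as
("ssl-cert" in the reworked HowTo); build_sample_layout() writes placeholders."""
import os
import stat

PEMS = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def check_live_cert(base, domain, service_gid):
    """Return {name: problem}; an empty dict means the group can use the cert."""
    problems = {}
    live = os.path.join(base, "live", domain)
    archive = os.path.join(base, "archive", domain)
    # The daemon needs x on every directory down to the archive file; certbot
    # creates live/ and archive/ as 0700 root, which is the usual blocker.
    for d in (os.path.dirname(live), live, os.path.dirname(archive), archive):
        st = os.stat(d) if os.path.isdir(d) else None
        if st is None or st.st_gid != service_gid or not st.st_mode & stat.S_IXGRP:
            problems[d] = "service group cannot traverse directory"
    for name in PEMS:
        link = os.path.join(live, name)
        if not os.path.islink(link):
            problems[name] = "not a symlink, so a renewal would not be picked up"
            continue
        target = os.path.realpath(link)
        if not target.startswith(os.path.realpath(archive) + os.sep) or not os.path.isfile(target):
            problems[name] = "symlink is dangling or leaves archive/: " + target
            continue
        st = os.stat(target)
        if st.st_gid != service_gid or not st.st_mode & stat.S_IRGRP:
            problems[name] = "service group cannot read the file"
        elif name == "privkey.pem" and st.st_mode & stat.S_IROTH:
            problems[name] = "private key is world-readable"
    return problems


def build_sample_layout(base, domain):
    """Write a constructed tree in certbot's shape: live/<d>/x.pem -> ../../archive/<d>/x1.pem."""
    live = os.path.join(base, "live", domain)
    archive = os.path.join(base, "archive", domain)
    os.makedirs(live)
    os.makedirs(archive)
    for d in (os.path.dirname(live), live, os.path.dirname(archive), archive):
        os.chmod(d, 0o750)  # group-traversable, as after the group-ownership change above
    for name in PEMS:
        real = os.path.join(archive, name.replace(".pem", "1.pem"))  # certbot numbers archive files
        with open(real, "w") as f:
            f.write("CONSTRUCTED PLACEHOLDER, NOT A CERTIFICATE\n")
        os.chmod(real, 0o640 if name == "privkey.pem" else 0o644)
        os.symlink(os.path.join("..", "..", "archive", domain, os.path.basename(real)), os.path.join(live, name))
```

    Run check_live_cert("/etc/letsencrypt", "your.domain", grp.getgrnam("ssl-cert").gr_gid) on a real box; every key in the returned dict is something a daemon restarted by the configlet would trip over.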

    Saturday, February 03 2018, 05:40 PM
    0 votes
    Nick,

    I finally got it working. The issue was that I hadn't gone into Server >> Web >> Webserver and added a website; once I had added a default website and then went back to Let's Encrypt, it succeeded. So I now have my Let's Encrypt certificate. What I don't know is how I now make that the certificate used by the email system, as the certificate that pops up when opening Outlook clients is not trusted and is the default one created when you first install the system.

    I went into System >> Settings >> Certificate Manager but can't see how I instruct it to use the certificate from Let's Encrypt.

    Also, does ClearOS automatically renew the certificate each time it expires or do you have to do it manually?

    Siv

    Saturday, February 03 2018, 04:15 PM
    0 votes
    It looks like I am the only one it is working for!

    What is the contents of your /etc/httpd/conf.d/flex-80.conf and the output of "findmnt | grep \]"? I assume the domain for your certificate resolves to your external IP. Does it help if you open incoming port 443?

    Saturday, February 03 2018, 03:54 PM
    0 votes
    Thanks Nick!

    I tried to register my main domain, and the error I receive is "Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80."

    I have opened port 80, and I can access the default site from ClearOS via my domain. Of course this is access through http.

    Saturday, February 03 2018, 03:19 PM
    0 votes
    @Shaun, Can you confirm that you have a valid external CNAME record for the subdomain certificate you are trying to add? Beyond that, I'll need to catch up with Peter Baldwin. Python gives notoriously unhelpful error messages and I have minimal python skills.

    @Marcel, what is the issue with Wordpress? Have a look at this HowTo to give you ideas. If you can find the Wordpress options for the certificates in its config file, make the necessary changes and add your configlet to /var/clearos/events/lets_encrypt. The only problem I can see is one of permissions. If Wordpress runs as root it should be OK. There is a group called ssl-certs but I can't work out who belongs to it, if anyone, as that is the obvious group to use.
    • Shaun Ellensohn
      more than a month ago
      Hi Nick

      Yes, I can confirm that I have CNAME records for all subdomains I am trying to add.

    Saturday, February 03 2018, 03:07 PM
    0 votes
    Is it possible to make this work with the Wordpress app?

    The site of a Wordpress install is located at "/var/clearos/wordpress/projectname".

    Saturday, February 03 2018, 02:36 PM
    0 votes
    I seem to be having some problems with the latest version of the app.
    The main domain worked fine, but when I try to add a new one (with or without "Other Domains") I get the following error message:

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Could not choose appropriate plugin: Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
    Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'


    The content of said log is the following:

    2018-02-03 14:30:22,669:DEBUG:certbot.main:certbot version: 0.21.0
    2018-02-03 14:30:22,669:DEBUG:certbot.main:Arguments: ['--apache', '--agree-tos', '-n', '-m', 'me@mydomain', '-d', alternate.domain.com']
    2018-02-03 14:30:22,669:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2018-02-03 14:30:22,685:DEBUG:certbot.log:Root logging level set at 20
    2018-02-03 14:30:22,686:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-02-03 14:30:22,686:INFO:certbot.main:Could not choose appropriate plugin: Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'
    2018-02-03 14:30:22,686:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/certbot", line 9, in <module>
    load_entry_point('certbot==0.21.0', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
    File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1099, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
    File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 161, in choose_configurator_plugins
    req_auth, req_inst = cli_plugin_requests(config)
    File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 239, in cli_plugin_requests
    req_auth = set_configurator(req_auth, "apache")
    File "/usr/lib/python2.7/site-packages/certbot/plugins/selection.py", line 219, in set_configurator
    raise errors.PluginSelectionError(msg.format(repr(previously), repr(now)))
    PluginSelectionError: Too many flags setting configurators/installers/authenticators 'webroot' -> 'apache'


    Any tips on where the problem could be?

    Saturday, February 03 2018, 01:57 PM
    0 votes
    Tests done.

    Test 1
    In my DNS record I created a new CNAME record, test1.example.com and waited for it to propagate through the DNS system.
    Then in the Let's Encrypt app, I added a certificate with a Primary Domain of test1.example.com and off it went and created me a certificate. No website existed for the subdomain.

    Test 2
    In my DNS record I created a new CNAME record, test2.example.com and waited for it to propagate through the DNS system.
    Set up a website in the Webconfig for test2.example.com with the sandboxed layout
    Then in the Let's Encrypt app, I added a certificate with a Primary Domain of test3.example.com and off it went and created me a certificate.

    As they both worked I would conclude that the app works. I did not check with the standard website layout.

    @Graham, I guess I conclude your issue is a particular set up issue but I don't know what.

    Can you check your bind mounts with:
    findmnt | grep \]
    Where is your webroot? I'd expect /var/www/html.

    Saturday, February 03 2018, 01:29 PM
    0 votes
    Hi Alonso,
    Thanks for that. I'm just trying to set up a test to see what is happening. I'm just waiting for my test CNAME record to propagate. It would be nice to get it working from the app as it is supposed to.

    Saturday, February 03 2018, 01:25 PM
    0 votes
    Hello, the simple way is to use THIS challenge from the CLI to get the NEW certificate:
    certbot certonly --webroot -w /var/www/html/ -d domaingoeshere.com

    Adjust to your domain root.
    This will retrieve the certificate, and the Let's Encrypt/webserver apps can handle it from here.

    hope it helps

    Saturday, February 03 2018, 10:50 AM
    0 votes
    Nick,

    I have a default website set up and I also have Roundcube webmail running on that. If I go to my ClearOS server from outside its internal network using http://remote.domain.co.uk I see the screen in the attached image, so I know a web server is running. What is CertBot looking for? A particular file or something that lets it know the domain name you have selected is yours?

    Siv

    Saturday, February 03 2018, 08:41 AM
    0 votes
    Hi Graham,
    A Virtual Host configuration is created when you create a Default Website through the webconfig: Webconfig > Server > Web > Web Server. You'll find it in /etc/httpd/conf.d/flex-80.conf. Be a little cautious when setting it up if you have a running web server; just make sure it still works afterwards. It still keeps your main document root as /var/www/html. You may also want to read this post, but if you follow his guidelines you will probably have to restructure your web site. I don't follow them yet, as I set up my web site before the new layout was created. From memory, the only issue I had with a pre-existing site was with the "bind mounts" not being created from the flexshare to /var/www/html, and I had to configure my certificate through the webconfig as the old settings in /etc/httpd/conf.d/ssl.conf became obsolete, taken over by the ones in /etc/httpd/conf.d/flex-443.conf, set through the webconfig.

    Also note that once you have the default website set up, it is through the same screen that you configure your web server to use your Let's Encrypt certificate.
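    As an added illustration that is not from this thread, ClearOS or certbot, here is a small Python check for the port-80 VirtualHost that certbot's apache authenticator needs before it will answer the HTTP challenge. It scans httpd config text for VirtualHost blocks and their ServerName/ServerAlias entries; the two samples are constructed stand-ins, not the real flex-80.conf or app-wordpress.conf.

```python
"""Look for a VirtualHost on port 80 whose ServerName/ServerAlias covers a domain,
the precondition certbot's apache authenticator reports as "Unable to find a
virtual host listening on port 80".  Added example, not ClearOS or certbot code;
the two config samples are constructed, not the real flex-80.conf or app-wordpress.conf."""
import re

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.I | re.S)
NAME_RE = re.compile(r"^\s*(?:ServerName|ServerAlias)\s+(.+?)\s*$", re.I | re.M)


def port80_vhosts(conf_text):
    """Return [(addresses, names)] for every VirtualHost that listens on port 80."""
    found = []
    for m in VHOST_RE.finditer(conf_text):
        addrs = m.group(1).split()
        # "*:80" or "192.0.2.1:80" qualify; "*" or a bare IPv4 address (no port)
        # binds every Listen port, which on a stock httpd includes 80 (assumed).
        if any(a.rsplit(":", 1)[-1] == "80" or ":" not in a for a in addrs):
            names = [n for line in NAME_RE.findall(m.group(2)) for n in line.split()]
            found.append((addrs, names))
    return found


def has_port80_vhost_for(conf_text, domain):
    """True when a port-80 VirtualHost names `domain` exactly (no wildcard matching)."""
    wanted = domain.lower()
    return any(wanted in [n.lower() for n in names] for _, names in port80_vhosts(conf_text))


# Constructed sample: the shape a default-website vhost takes, plus its :443 twin.
SAMPLE_OK = """
<VirtualHost *:80>
    ServerName example.com
    ServerAlias www.example.com
    DocumentRoot /var/www/html
</VirtualHost>
<VirtualHost *:443>
    ServerName example.com
</VirtualHost>
"""
# Constructed sample: Alias and Directory only, like the WordPress snippet quoted
# in this thread, so there is no VirtualHost at all and certbot's error follows.
SAMPLE_MISSING = """
Alias /wordpress /var/clearos/wordpress/sites
<Directory /var/clearos/wordpress/sites>
    Require all granted
</Directory>
"""
```

    On a live system, feed it the concatenated contents of /etc/httpd/conf.d/*.conf (and httpd.conf) for the domain you are requesting; an empty result from port80_vhosts() is exactly the state certbot complains about.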

    Saturday, February 03 2018, 12:58 AM
    0 votes
    I just tried to run the Certbot 0.21.0 as that is installed and I am getting this error:

    Unable to find a virtual host listening on port 80 which is currently needed for Certbot to prove to the CA that you control your domain. Please add a virtual host for port 80.

    I have port 80 opened and pointing to the ClearOS server but do I need to do something else to get the "Virtual Host" set up (what is a virtual host?)

    Siv

    Thursday, January 25 2018, 06:28 PM
    0 votes
    Hi Nick,

    Thanks for the explanation! I'll wait until Certbot 0.21.0 reaches the EPEL repo.

    Wednesday, January 24 2018, 10:06 PM
    0 votes
    Hi Marcel,
    There is a problem with the underlying app, certbot and the authentication mechanism it uses so Let's Encrypt have had to suspend its operation for new certificate requests (not renewals) for the moment. Certbot 0.21.0 has just been released to fix this issue but this has to get into EPEL testing then EPEL before we get it. Have a look at the WikiSuite bug and follow the links.