Forums

GregMiller
GregMiller
Offline
Resolved
0 votes
I just installed Lets Encrypt and was able to obtain a new cert. When I click on "Return to Summary", all I get is a blank page with "Ooooops: Certificate not found." in the top left. I can no longer the Lets Encrypt tab in the System>Security>Lets Encrypt folder.

Also, when I System>Settings>General Settings I see a Certificate not found error. The original self-signed cert is not even displayed.

If I delete the /etc/letsencrypt folder. I can start over, but I get the same results.

Is there a bug or could I have done something wrong?

I do not have the webserver installed, but I do have proxypass installed.

Greg
Friday, March 08 2019, 01:19 AM
Share this post:
Responses (13)
  • Accepted Answer

    Friday, March 08 2019, 08:29 AM - #Permalink
    Resolved
    0 votes
    If you have deleted the Let's Encrypt folder, then you'll probably have to find every app which used the Let's Encrypt certificate through its webconfig, and reset those apps to use the default certificate. Apps which I know can use Let's Encrypt are the Web Server, Webconfig, ClearGLASS (although that should not matter as it takes a local copy before using it) and, I think, OpenFire. There may be others. I don't know about ProxyPass, and it was released at about the same time as ProxyPass so I don't know how aware they are of each other. You could try grepping for the files using the certificates. Something like:
    grep letsencrypt\/live /etc/* -r
    grep letsencrypt\/live /usr/clearos/* -r

    Alternatively, if you know the name, can you create a new certificate of the same name? You may have to use the underlying certbot app to do that directly.

    Have you also checked that your default certificate (/etc/pki/CA/sys-0-cert.pem) is still there?
    The reply is currently minimized Show
  • Accepted Answer

    GregMiller
    GregMiller
    Offline
    Friday, March 08 2019, 04:39 PM - #Permalink
    Resolved
    0 votes
    The strange part is that deleting the letsencrypt folder removes the missing certificate errors and lets me start over. I have the original backed up. When I try to get a new cert, it seems to work, a bunch of info is displayed and the folder is recreated and certs are added. I restored the backup and no have the "Ooooops: Certificate not found." error on the Lets Encrypt page as well as the missing certificates error on the cert manager page. I ran the grep commands and this is what I get.


    [root@home etc]# grep letsencrypt\/live /etc/* -r
    /etc/letsencrypt/renewal/home.millernet.ca.conf:cert = /etc/letsencrypt/live/home.millernet.ca/cert.pem
    /etc/letsencrypt/renewal/home.millernet.ca.conf:privkey = /etc/letsencrypt/live/home.millernet.ca/privkey.pem
    /etc/letsencrypt/renewal/home.millernet.ca.conf:chain = /etc/letsencrypt/live/home.millernet.ca/chain.pem
    /etc/letsencrypt/renewal/home.millernet.ca.conf:fullchain = /etc/letsencrypt/live/home.millernet.ca/fullchain.pem
    [root@home etc]# grep letsencrypt\/live /usr/clearos/* -r
    /usr/clearos/apps/lets_encrypt/libraries/Lets_Encrypt.php: const PATH_CERTIFICATES = '/etc/letsencrypt/live';
    [root@home etc]#


    Here are the files:
    [root@home etc]# ls -l /etc/letsencrypt/live/
    total 4
    drwxr-xr-x 2 root root 88 Mar 7 15:23 home.millernet.ca
    -rw-r--r-- 1 root root 740 Mar 7 15:23 README
    [root@home etc]# ls -l /etc/letsencrypt/live/home.millernet.ca
    total 4
    lrwxrwxrwx 1 root root 41 Mar 7 15:23 cert.pem -> ../../archive/home.millernet.ca/cert1.pem
    lrwxrwxrwx 1 root root 42 Mar 7 15:23 chain.pem -> ../../archive/home.millernet.ca/chain1.pem
    lrwxrwxrwx 1 root root 46 Mar 7 15:23 fullchain.pem -> ../../archive/home.millernet.ca/fullchain1.pem
    lrwxrwxrwx 1 root root 44 Mar 7 15:23 privkey.pem -> ../../archive/home.millernet.ca/privkey1.pem
    -rw-r--r-- 1 root root 692 Mar 7 15:23 README


    I noticed that the certs have a 1 in the name but the symbolic links do not. Not sure if that could be the issue. I guess it depends on if the apps access the certs via link or directly. Now I have requested certs too many times and have reached the certbot limit. The /etc/pki/CA/sys-0-cert.pem cert is still in place as well.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, March 08 2019, 05:19 PM - #Permalink
    Resolved
    0 votes
    So you have not deployed the certificates anywhere, it seems.

    The symlinks are the magic of certbot. When it renews your certificate next, the certificates will be whatever2.pem, but certbot will change the symlinks to point to the new certificates. That way if you want to use a certificate, your always point to the live certificate and certbot makes sure that is symlinked to the latest one.

    I guess the thing to do now is to turn on webconfig debugging, but I struggle with the output. Can you do:
    touch /etc/clearos/webconfig.debug
    Then trigger the error. Then remove the webconfig.debug file or rename it and go and look at the log in /var/log/webconfig/debug.log.
    The reply is currently minimized Show
  • Accepted Answer

    GregMiller
    GregMiller
    Offline
    Friday, March 08 2019, 06:07 PM - #Permalink
    Resolved
    0 votes
    I think we are getting closer. Here is an excerpt from the log:
    Mar 8 18:03:16 UTC 2019: 0.3345: profile: debug: clearos\apps\lets_encrypt\Lets_Encrypt::get_certificates (288): 
    Mar 8 18:03:16 UTC 2019: 0.3345: profile: debug: clearos\apps\base\Folder::__construct (145):
    Mar 8 18:03:16 UTC 2019: 0.3346: profile: debug: clearos\apps\base\Folder::exists (340):
    Mar 8 18:03:16 UTC 2019: 0.3346: profile: debug: clearos\apps\base\Shell::__construct (105):
    Mar 8 18:03:16 UTC 2019: 0.3347: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls '/etc/letsencrypt/live'
    Mar 8 18:03:16 UTC 2019: 0.3462: profile: debug: clearos\apps\base\Folder::get_listing (375):
    Mar 8 18:03:16 UTC 2019: 0.3463: profile: debug: clearos\apps\base\Folder::exists (340):
    Mar 8 18:03:16 UTC 2019: 0.3463: profile: debug: clearos\apps\base\Shell::__construct (105):
    Mar 8 18:03:16 UTC 2019: 0.3464: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls '/etc/letsencrypt/live'
    Mar 8 18:03:16 UTC 2019: 0.3574: profile: debug: clearos\apps\base\Shell::__construct (105):
    Mar 8 18:03:16 UTC 2019: 0.3575: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls /etc/letsencrypt/live
    Mar 8 18:03:16 UTC 2019: 0.3685: profile: debug: clearos\apps\certificate_manager\SSL::__construct (256):
    Mar 8 18:03:16 UTC 2019: 0.3687: profile: debug: clearos\apps\certificate_manager\SSL::get_certificate_attributes (941):
    Mar 8 18:03:16 UTC 2019: 0.3687: profile: debug: clearos\apps\base\File::__construct (176):
    Mar 8 18:03:16 UTC 2019: 0.3688: profile: debug: clearos\apps\base\File::exists (392):
    Mar 8 18:03:16 UTC 2019: 0.3689: profile: debug: clearos\apps\base\Shell::__construct (105):
    Mar 8 18:03:16 UTC 2019: 0.3690: profile: debug: clearos\apps\base\Shell::execute (132): /bin/ls '/etc/letsencrypt/live/README/cert.pem'
    Mar 8 18:03:16 UTC 2019: 0.3803: exception: info: /usr/clearos/apps/certificate_manager/libraries/SSL.php (952): Certificate not found.
    Mar 8 18:03:16 UTC 2019: 0.3804: exception: info: /usr/clearos/apps/certificate_manager/libraries/SSL.php (952): Certificate not found.


    For some reason it is looking for the cert here -> /etc/letsencrypt/live/README/cert.pem
    The reply is currently minimized Show
  • Accepted Answer

    GregMiller
    GregMiller
    Offline
    Friday, March 08 2019, 06:13 PM - #Permalink
    Resolved
    0 votes
    I just deleted the README file and it seems to be working now.

    Thank you so much for your help. I really appreciate it.

    Greg
    The reply is currently minimized Show
  • Accepted Answer

    Friday, March 08 2019, 08:07 PM - #Permalink
    Resolved
    0 votes
    I wonder where the README came from. What version of certbot are you running? "rpm -q certbot"
    The reply is currently minimized Show
  • Accepted Answer

    GregMiller
    GregMiller
    Offline
    Friday, March 08 2019, 08:18 PM - #Permalink
    Resolved
    0 votes
    It looks like certbot-0.31.0-2.el7.noarch

    It gets created with the letencrypt folder.
    The reply is currently minimized Show
  • Accepted Answer

    Friday, March 08 2019, 10:39 PM - #Permalink
    Resolved
    0 votes
    I'll have to load in 0.31 to check it out. It has not been released to business yet.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, March 09 2019, 11:07 AM - #Permalink
    Resolved
    0 votes
    I have investigated further and it appears to be an issue with certbot-0.31 only and only when creating new certificates. If you do that, the README file appears. I tried a manual renewal and that worked OK but uses different commands from an automatic renewal, so it does not categorically prove that an automatic renewal will be OK. I have filed a bug report on the issue.
    Like
    1
    The reply is currently minimized Show
  • Accepted Answer

    GregMiller
    GregMiller
    Offline
    Saturday, March 09 2019, 03:12 PM - #Permalink
    Resolved
    0 votes
    Thanks again.
    The reply is currently minimized Show
  • Accepted Answer

    Saturday, March 16 2019, 07:35 AM - #Permalink
    Resolved
    0 votes
    Nick Howitt wrote:

    I have investigated further and it appears to be an issue with certbot-0.31 only and only when creating new certificates. If you do that, the README file appears. I tried a manual renewal and that worked OK but uses different commands from an automatic renewal, so it does not categorically prove that an automatic renewal will be OK. I have filed a bug report on the issue.


    Nick, you just saved my day !

    Thanks,
    Bernard
    The reply is currently minimized Show
  • Accepted Answer

    Drew Mol
    Drew Mol
    Offline
    Wednesday, March 20 2019, 06:37 AM - #Permalink
    Resolved
    0 votes
    Due to TLS-SNI-01 vaidation method reaching end-of-life and getting the same message from LE, I updated to 0.31.0-2.el7 from clearos-epel repo, and had the same issue of the above error in webconfig after requesting a new certificate. I removed certbot and installed version 0.30.2-1.el7, which also had this issue. The TSL-SNI-01 method was removed in versions 0.28 and later and the most recent version of certbot in the clearos-epel repo prior to 0.30.2-1 was 0.27.1-1, so I updated back to 0.31.0-2 and added two files to fix the issue:

    I created a global configuration file that will execute a deploy-hook script on all invocations of certbot by using the --deploy-hook parameter.

    Then I made a script that:
    1. removes the README file from the /etc/lencrypt/live directory
    2. removes the README file from /etc/letsencrypt/live/certprimarydomainname.tld directory
    3. removes the renew-hook entry in the certificate's renewal .conf file, which is autmatically added whenever certbot is run with a --deploy-hook parameter specified

    I created a certbot global configuration file in the /etc/letsencrypt directory:
    nano /etc/letsencrypt/cli.ini

    I added the following line and saved the file:
    deploy-hook = /etc/letsencrypt/remove_readme_files.sh

    Then I created the script remove_readme_files.sh in the same directory, this script will be added as the "--deploy-hook" parameter to all invocations of certbot:
    nano /etc/letsencrypt/remove_readme_files.sh

    I added the following lines and saved the file:
    #!/bin/bash#!/bin/bash
    find /etc/letsencrypt/live/ -type f -name "README" -exec rm -f {} \;
    base=$(basename "$RENEWED_LINEAGE")
    sed -i '/renew_hook/d' /etc/letsencrypt/renewal/${base}.conf

    I set the script to be executable:
    chmod +x /etc/letsencrypt/remove_readme_files.sh


    Hope this helps.
    The reply is currently minimized Show
  • Accepted Answer

    Wednesday, March 20 2019, 08:25 AM - #Permalink
    Resolved
    0 votes
    @Drew,
    As a new poster, your first couple of posts are moderated so don't appear immediately. I am deleting your second post.

    Thanks for your post. It is an interesting method and I did not know about the cli.ini. I would have just dropped a file into /var/clearos/events/lets_encrypt, making sure it appeared alphabetically first. This is what the programmed deploy-hook executes. Note you only need to delete /etc/letsencrypt/live/README. The others are OK.

    I have submitted a patch to Wikisuite, as it is their program and am just waiting for it to be accepted. If you wanted to patch manually, you need to edit the get_certificates() function in /usr/clearos/apps/lets_encrypt/libraries/Lets_Encrypt.php and change:
            foreach ($certificate_list as $certificate)

    $certs[$certificate] = $ssl->get_certificate_attributes(self::PATH_CERTIFICATES . '/' . $certificate . '/' . self::FILE_CERT);
    to:
            foreach ($certificate_list as $certificate) {
    $filename = self::PATH_CERTIFICATES . '/' . $certificate . '/' . self::FILE_CERT;
    $file = new File($filename, TRUE);
    if ($file->exists())
    $certs[$certificate] = $ssl->get_certificate_attributes($filename);
    }
    It is essentially what my patch does. My patch also fixes calling certbot with max-log-backups where it was implemented in just one of the three lines where the certbot command was invoked. From your post I could probably have fixed it using the cli.ini.

    [edit]
    Reading your patch again, I am not sure it is a good idea to overwrite renew_hook in the renewal*.conf file. Normally this does things like restart apache to make it use the new certificate. Do you know how this file interacts with the certbot renewal command line where the renew_hook is expressly specified rather than read from this file?
    [/edit]
    The reply is currently minimized Show
Your Reply