Difference between revisions of "2018/05/30"
m (Woozle moved page Woozle/toot.cat/2018/05/30 to 2018/05/30 without leaving a redirect: indended location) |
|||
| Line 1: | Line 1: | ||
| + | {{page/date|nav=[[2018/05/20|prev]] .. [[2018/05/30|today]] .. [[2018/06/22|next]] }} | ||
==Solved== | ==Solved== | ||
There were, I think, two main problems: | There were, I think, two main problems: | ||
| − | * The | + | * The {{l/htyp|Let's Encrypt}} configuration had not been properly set up after the [[2018/04/10|server migration in April]] |
| − | * | + | * {{l/htyp|Nginx}} was correctly configured to respond to IPv6 on port 443 (https), but ''not'' on port 80 (http). |
| − | ** This was the problem that took the most time to identify, as it caused the | + | ** This was the problem that took the most time to identify, as it caused the {{l/htyp|letsencrypt}} command to fail even though the URL appeared to be returning the proper file. |
Confounding factors included: | Confounding factors included: | ||
| − | * [[HSTS]] was turned on (this seems to be part of the SSL cert, ''not'' something in Nginx), so existing browser sessions insisted on self-redirecting from http to https even when I had turned that off in Nginx. '''Workaround''': only attempt access in an anonymous browser window. (Using | + | * [[HSTS]] was turned on (this seems to be part of the SSL cert, ''not'' something in Nginx), so existing browser sessions insisted on self-redirecting from http to https even when I had turned that off in Nginx. '''Workaround''': only attempt access in an anonymous browser window. (Using {{l/htyp|wget}} to do the test also might have worked – and ultimately, it was use of wget from an IPv6-enabled server that provided the final clue.) |
* My home internet (and apparently everyone else's) uses only IPv4, while Let's Encrypt uses IPv6 if it is available – so Let's Encrypt was consistently reporting a problem that we weren't seeing, leading us to think (basically) that we were misunderstanding the messages. | * My home internet (and apparently everyone else's) uses only IPv4, while Let's Encrypt uses IPv6 if it is available – so Let's Encrypt was consistently reporting a problem that we weren't seeing, leading us to think (basically) that we were misunderstanding the messages. | ||
Latest revision as of 18:58, 20 November 2022
Wednesday, May 30, 2018 (#150)
SolvedThere were, I think, two main problems:
Confounding factors included:
Cleanup to do:
Relevant Files
Narration / NotesPhase 1It looks like nginx was set to use a different set of certificate files than the ones Let's Encrypt was set to renew. Tentatively, LE goes through all the .conf files in /etc/letsencrypt/renewal and renews each one. There was only one, and it pointed at files in /etc/letsencrypt/live/tootcat2.hypertwins.net/ I've changed it to point to /etc/letsencrypt/live/toot.cat/ Nginx also looks for 2 cert files in /etc/letsencrypt/live/toot.cat/, so now at least we're matched. When I try to renew with letsencrypt renew, I get: root@tootcat2:/# letsencrypt renew
Processing /etc/letsencrypt/renewal/toot.cat.conf
2018-05-31 00:11:15,708:ERROR:letsencrypt.error_handler:Encountered exception during recovery
2018-05-31 00:11:15,709:ERROR:letsencrypt.error_handler:Missing --webroot-path for domain: toot.cat
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/letsencrypt/error_handler.py", line 74, in call_registered
self.funcs[-1]()
File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 280, in _cleanup_challenges
self.dv_auth.cleanup(dv_c)
File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py", line 139, in cleanup
root_path = self._get_root_path(achall)
File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py", line 108, in _get_root_path
.format(achall.domain))
PluginError: Missing --webroot-path for domain: toot.cat
2018-05-31 00:11:15,711:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: Missing --webroot-path for domain: toot.cat. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/toot.cat/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
root@tootcat2:/#
The key piece of information there seems to be "Missing --webroot-path for domain". What seems to be happening is that Nginx is redirecting from http to https even though the file exists. Phase 2It turned out there was an HSTS policy that was forcing the browser to redirect even though Nginx wasn't, I think? But opening a toot.cat URL in an anonymous window fixed that. However it still wasn't finding the test file, so I changed the webroot on both Nginx and Let'sEncrypt to /var/www/challenges, and then was able to access the test file. ...but Let's Encrypt still returns this: root@tootcat2:/var/www/challenges# letsencrypt renew
Processing /etc/letsencrypt/renewal/toot.cat.conf
2018-05-31 00:49:39,460:ERROR:letsencrypt.error_handler:Encountered exception during recovery
2018-05-31 00:49:39,460:ERROR:letsencrypt.error_handler:Missing --webroot-path for domain: toot.cat
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/letsencrypt/error_handler.py", line 74, in call_registered
self.funcs[-1]()
File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 280, in _cleanup_challenges
self.dv_auth.cleanup(dv_c)
File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py", line 139, in cleanup
root_path = self._get_root_path(achall)
File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py", line 108, in _get_root_path
.format(achall.domain))
PluginError: Missing --webroot-path for domain: toot.cat
2018-05-31 00:49:39,462:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: Missing --webroot-path for domain: toot.cat. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/toot.cat/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
root@tootcat2:/var/www/challenges#
Phase 3root@tootcat2:/var/www/challenges/.well-known# letsencrypt renew Processing /etc/letsencrypt/renewal/toot.cat.conf 2018-05-31 01:30:48,656:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: urn:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new authz :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/toot.cat/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s) root@tootcat2:/var/www/challenges/.well-known# root@tootcat2:/var/www/challenges/.well-known# letsencrypt --staging renew Processing /etc/letsencrypt/renewal/toot.cat.conf 2018-05-31 01:36:59,134:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags. Skipping. All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/toot.cat/fullchain.pem (failure) 1 renew failure(s), 0 parse failure(s) root@tootcat2:/var/www/challenges/.well-known# Phase 4root@tootcat2:/var/www/challenges/.well-known# letsencrypt --dry-run renew Processing /etc/letsencrypt/renewal/toot.cat.conf 2018-05-31 01:42:09,149:WARNING:letsencrypt.client:Registering without email! 2018-05-31 01:42:09,992:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: Missing command line flag or config entry for this setting: Please read the Terms of Service at https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must agree in order to register with the ACME server at https://acme-staging.api.letsencrypt.org/directory (You can set this with the --agree-tos flag). Skipping. ** DRY RUN: simulating 'letsencrypt renew' close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/toot.cat/fullchain.pem (failure) ** DRY RUN: simulating 'letsencrypt renew' close to cert expiry ** (The test certificates above have not been saved.) 1 renew failure(s), 0 parse failure(s) root@tootcat2:/var/www/challenges/.well-known# root@tootcat2:/var/www/challenges/.well-known# letsencrypt --dry-run --agree-tos renew Processing /etc/letsencrypt/renewal/toot.cat.conf 2018-05-31 01:52:59,407:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: Failed authorization procedure. toot.c$ t (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://toot.cat/.well-known/acme-challenge/tZFwZb9H2at2brdJYexpRqTDYOigSbT$ J_6oL3AXwBQ: ''[404 errors]''. Skipping. ** DRY RUN: simulating 'letsencrypt renew' close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/toot.cat/fullchain.pem (failure) ** DRY RUN: simulating 'letsencrypt renew' close to cert expiry ** (The test certificates above have not been saved.) 1 renew failure(s), 0 parse failure(s) [...] root@tootcat2:/var/www/challenges/.well-known# letsencrypt --dry-run --agree-tos --manual renew Processing /etc/letsencrypt/renewal/toot.cat.conf 2018-05-31 01:59:54,703:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/toot.cat.conf produced an unexpected error: Missing command line flag or config entry for this setting: NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running letsencrypt in manual mode on a machine that is not your server, please ensure you're okay with that. Are you OK with your IP being logged? (You can set this with the --manual-public-ip-logging-ok flag). Skipping. ** DRY RUN: simulating 'letsencrypt renew' close to cert expiry ** (The test certificates below have not been saved.) All renewal attempts failed. The following certs could not be renewed: /etc/letsencrypt/live/toot.cat/fullchain.pem (failure) ** DRY RUN: simulating 'letsencrypt renew' close to cert expiry ** (The test certificates above have not been saved.) 1 renew failure(s), 0 parse failure(s) root@tootcat2:/var/www/challenges/.well-known# Phase 5Relevant excerpts from Discord:
|