certbot-auto: Client lacks sufficient authorization - apache

I know this question has been asked several times, but I need some specific help as I've been taking advice from several other threads and nothing has worked to this point.
I'm trying to renew my SSL certificate in Ubuntu 14.04 using certbot-auto renew, and I'm running an Apache2 server and nginx. I'm getting the following output for certbot-auto renew:
root#PostgreSQLServer:/# sudo certbot-auto renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/my-domain.com.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for my-domain.com
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/my-domain.com.conf produced an unexpected error: Failed authorization procedure. my-domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/my-domain.com/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: my-domain.com
Type: unauthorized
Detail: Invalid response from
http://my-domain.com/.well-known/acme-challenge/ailNmgZADpb4QBipKM57sOi9w3PwNkwBwVFiRYs7i40:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
I ensured the .well-known folder exists in /var/www/my-domain.com/public_html and when I navigate to http://my-domain.com/.well-known/ in my browser, I am able to see the contents of that directory. I also added an acme-challenge folder in .well-known and included a test.txt file for testing; I was able to access the directory and the text file in my browser.
I found that the acme-challenge folder was not created when I ran the certbot-auto command so it seems to be a permissions issue. I am running certbot-auto as root, but also gave write permissions to www-data user on the .well-known and acme-challenge folders (root and www-data users are running the apache2 and nginx processes).
Even after granting that write permission, I still get the 404 error detailed above.
I also have an automated cert renewal process running via crontab and I have the output being logged to a local file. In that log file, I see the renewal request seemed to be working correctly until certbot-auto was upgraded from 0.9.3 to 0.10.1. Here's a sample from the log file when the upgrade took place:
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
No renewals were attempted.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
The following certs are not due for renewal yet:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (skipped)
No renewals were attempted.
Upgrading certbot-auto 0.9.3 to 0.10.1...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/offensively-bad.com.conf
-------------------------------------------------------------------------------
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/offensively-bad.com/fullchain.pem (failure)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain: offensively-bad.com
Type: unauthorized
Detail: Invalid response from
http://offensively-bad.com/.well-known/acme-challenge/tkSc8l-r1XVPIF5TosTbEXiYMa8sQnoXEjAEgAwRoqI:
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
You can see that after upgrading, the process began failing with a 404 message.
I've tried all the advice I could find online and am completely stumped, so any help would be much appreciated. Thanks in advance!

My problem was a too-old certbot version on my Raspberry Pi (Raspbian Stretch):
certbot --version
gave
certbot 0.10.2
apt-get install python-certbot-apache -t stretch-backports
did the trick:
certbot 0.21.1
And then just
certbot --apache -d domain.com
Hope this helps!

I had to edit this conf file: /etc/letsencrypt/renewal/offensively-bad.com.conf and modify the line below [[webroot_map]]:
[[webroot_map]]
offensively-bad.com = /path/to/what/certbot/thinks/is/the/correct/webroot/path/initially/specified/by/the/user
In my case, I changed it to
offensively-bad.com = /var/www/offensively-bad.com/public_html/
Thanks to the forum at letsencrypt for helping me out.
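A pre-flight check in the spirit of the answer above, added here as an example (not code from the question, the answers or the certbot project): it reads the [[webroot_map]] of a renewal conf, drops a random token under each webroot's .well-known/acme-challenge/ and fetches it over plain HTTP, which is exactly what the http-01 validator will do. The `fetch` parameter is an assumption of this example so the logic can be exercised without a live server.

```python
#!/usr/bin/env python3
# Added example (not from the question or answers): before "certbot-auto renew",
# confirm each webroot in the renewal conf's [[webroot_map]] really is the
# directory Apache/nginx serves for /.well-known/acme-challenge/. The 404 in
# the question means certbot wrote the token somewhere the web server ignores.
import secrets
import urllib.request
from pathlib import Path

CHALLENGE_DIR = ".well-known/acme-challenge"


def parse_webroot_map(conf_text: str) -> dict:
    """Return {domain: webroot} from the [[webroot_map]] block of a renewal conf."""
    mapping, in_map = {}, False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):  # any section header starts/ends the block
            in_map = line == "[[webroot_map]]"
            continue
        if in_map and "=" in line:
            domain, path = (s.strip() for s in line.split("=", 1))
            mapping[domain] = path
    return mapping


def http_fetch(url: str, timeout: float = 10) -> str:
    """Plain HTTP GET returning the body; http-01 is validated over port 80."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def probe_webroot(domain: str, webroot: str, fetch=http_fetch) -> bool:
    """Drop a random token under <webroot>/.well-known/acme-challenge/ and check
    that http://<domain>/.well-known/acme-challenge/<token> returns it.
    `fetch` is injectable (hypothetical) so the logic runs without a live server."""
    token = secrets.token_urlsafe(32)
    target = Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(token)
    try:
        return fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}").strip() == token
    except Exception:  # 404 (HTTPError), timeout, DNS failure: all mean "not served"
        return False
    finally:
        target.unlink(missing_ok=True)
```

Run parse_webroot_map on the contents of /etc/letsencrypt/renewal/<domain>.conf and call probe_webroot for each entry as root; a False result means the path under [[webroot_map]] is not the document root the vhost serves and should be corrected as in the answer above.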

Related

Filepond in Heroku - what is the valid path for the server attribute?

<file-pond
  :allow-multiple="true"
  :accepted-file-types="['application/pdf']"
  server="/tmp"
/>
This works locally but when it gets deployed on Heroku, it doesn't support /tmp resulting in the following error:
Failed to load resource: the server responded with a status of 503 (Service Unavailable)
I tried to look up Heroku documents on handling file uploads and it "seems" to support the /tmp from the root path of the current domain but it's still giving me an error.

Getting an error when I try to apply my CA certificate to Apache Solr

I've tried to apply my CA certificate to Solr. I've already reached Solr over http and with a self-signed certificate following their own recipe here: enabling ssl
But when I try to apply my CA certificate I get an error: "HTTP ERROR 404 javax.servlet.UnavailableException: Error processing the request. CoreContainer is either not initialized or shutting down."
Full error message that I got in the browser
My solr.in.sh config is:
SOLR_SSL_ENABLED=true
SOLR_SSL_KEY_STORE=/etc/default/mykeystore
SOLR_SSL_KEY_STORE_PASSWORD=********
SOLR_SSL_TRUST_STORE=/etc/default/mykeystore
SOLR_SSL_TRUST_STORE_PASSWORD=********
SOLR_SSL_NEED_CLIENT_AUTH=false
# SOLR_SSL_WANT_CLIENT_AUTH=false
#SOLR_SSL_CLIENT_HOSTNAME_VERIFICATION=true
SOLR_SSL_CHECK_PEER_NAME=false
SOLR_SSL_KEY_STORE_TYPE=JKS
SOLR_SSL_TRUST_STORE_TYPE=JKS
I followed these two links to convert my pem file to a keystore: first: 1, then: 2 (I applied just the fourth step in the second link), then named the file mykeystore.
I tried a lot of solutions, some of them on Stack Overflow, but none of them solved my problem. Any help or idea would be very useful. I'm totally stuck. What can I do/check?

Problem getting complete .pem from ansible letsencrypt / acme_certificate module

I was using Ansible 2.4 and included the letsencrypt module in one of my roles hoping to get a complete `.pem` format file at the end (key, chain, cert). There was no problem generating the key or using the csr to request the new cert, and no problem with the challenge, but when everything was done, I was only getting the certificate back, no chain.
When I tried to use them, Apache would fail to start saying that the key and the cert did not match. I assumed that this was because I didn't include the chain which was missing.
According to the docs here: https://docs.ansible.com/ansible/latest/modules/acme_certificate_module.html the chain|chain_dest and fullchain|fullchain_dest parameters weren't added until Ansible 2.5. So I upgraded to Ansible 2.7 (via git), and I'm still running into the exact same error...
FAILED! => {
    "changed": false,
    "msg": "Unsupported parameters for (letsencrypt) module: chain_dest, fullchain_dest
            Supported parameters include: account_email, account_key, acme_directory, agreement,
            challenge, csr, data, dest, remaining_days"
}
I've tried the aliases and current names for both but nothing is working. Here is my current challenge-response call:
- name: Let the challenge be validated and retrieve the cert and intermediate certificate
  letsencrypt:
    account_key: /etc/ssl/lets_encrypt.key
    account_email: ###########.###
    csr: /etc/ssl/{{ myhost.public_hostname }}.csr
    dest: /etc/ssl/{{ myhost.public_hostname }}.crt
    chain_dest: /etc/ssl/{{ myhost.public_hostname }}.int
    fullchain_dest: /etc/ssl/{{ myhost.public_hostname }}.pem
    challenge: dns-01
    acme_directory: https://acme-v01.api.letsencrypt.org/directory
    remaining_days: 60
    data: "{{ le_com_challenge }}"
  tags: sslcert
The documentation says that this is valid, but the error response does not include chain|chain_dest or fullchain|fullchain_dest as valid parameters.
I would, from the docs, expect that this response should result in the new certificate being created (.crt), the chain being created (.int), and the fullchain to be created (.pem).
Any help would be appreciated.
Should have waited 5 minutes... seems that the newer parameters are only available under the newer module name acme_certificate, even though it says letsencrypt was a valid alias. As soon as I updated this it worked.

Lets Encrypt with Plesk

I am trying to install a Let's Encrypt SSL certificate to a subscription held on a Plesk install.
I am running the following version of Plesk:
Plesk Onyx Version 17.8.11 Update #11
I then navigate to
Subscriptions > Domain > Lets Encrypt
From the setup screen I do not change anything, so
'Include a "www" subdomain for the domain and each selected alias'
and
'Secure webmail on this domain'
remain unchecked. However, when I try to install the cert I get the following error:
Error: Could not issue a Let's Encrypt SSL/TLS certificate for domain.org.
The authorization token is not available at http://example.com/.well-known/acme-challenge/key.
The token file 'C:\Inetpub\vhosts\example.com\httpdocs\\.well-known\acme-challenge\key' is either unreadable or does not have the read permission.
To resolve the issue, correct the permissions on the token file to make it is possible to download it via the above URL.
See the related Knowledge Base article for details.
Details
Invalid response from https://acme-v01.api.letsencrypt.org/acme/authz/umis0L7-OVlu7SrSjMFHBsu-T7Cx0hwFS-WMxHgZgNA.
Details:
Type: urn:acme:error:unauthorized
Status: 403
Detail: Invalid response from http://example.com/.well-known/acme-challenge/key: "<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-sc"
It gives a link to the following KB:
Plesk Suggested KB article
which suggests I check that the DNS resolves, so ipconfig shows me that the domain is pointing to the right IP.
However I don't have the ability for IPv6 and when I go to
domains > example.com > Web Hosting Access
I do not have the ability to select this.
Now from RDP to the server and looking I can see the directory structure is created, i.e.
.well-known > acme-challenge > key file
is created? Can anyone help with what the issue could be here please?
Check if the domain name resolves to IPv6 or not:
dig AAAA google.com #8.8.8.8
Check permissions for token file well-known > acme-challenge > key file
Try to access this file via browser, or create a new test text file inside of the acme-challenge folder and try to access it. There is a possibility that web.config file can cause the issue.

AlfrescoRuntimeException:GetModelsDiff return status is 403 and api/solr/aclchangesets return status:403

I installed Alfresco on Windows 7 with the executable default install. My installation is Alfresco Community version (5.0.d).
I tried to configure the SSL link. I changed the file named generate_keystores.bat located in D:\Alfresco\alf_data\keystore.
It lets me generate my self-signed certificates.
Then I replaced all .keystore and .truststore files with my certificates, and I also imported the certificates into Java's keystore, which is named cacerts.
I configured the Tomcat server to serve my /share only over https.
When I run it everything looks perfect, but I cannot search users and sites with it.
It seems the indexing has broken and the solr.log output ERROR logs:
2015-10-13 21:11:15,007 ERROR
[org.alfresco.solr.tracker.AbstractTracker] Tracking failed
org.alfresco.error.AlfrescoRuntimeException: 09132881
api/solr/aclchangesets return status:403
at org.alfresco.solr.client.SOLRAPIClient.getAclChangeSets(SOLRAPIClient.java:159)
at org.alfresco.solr.tracker.AclTracker.checkRepoAndIndexConsistency(AclTracker.java:347)
at org.alfresco.solr.tracker.AclTracker.trackRepository(AclTracker.java:313)
at org.alfresco.solr.tracker.AclTracker.doTrack(AclTracker.java:104)
at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:153)
at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
2015-10-13 21:11:15,012 ERROR [org.alfresco.solr.tracker.AbstractTracker] Tracking failed
org.alfresco.error.AlfrescoRuntimeException: 09132882 GetModelsDiff return status is 403
at org.alfresco.solr.client.SOLRAPIClient.getModelsDiff(SOLRAPIClient.java:1091)
at org.alfresco.solr.tracker.ModelTracker.trackModelsImpl(ModelTracker.java:249)
at org.alfresco.solr.tracker.ModelTracker.trackModels(ModelTracker.java:207)
at org.alfresco.solr.tracker.ModelTracker.doTrack(ModelTracker.java:167)
at org.alfresco.solr.tracker.AbstractTracker.track(AbstractTracker.java:153)
at org.alfresco.solr.tracker.TrackerJob.execute(TrackerJob.java:47)
at org.quartz.core.JobRunShell.run(JobRunShell.java:216)
at org.quartz.simpl.SimpleThreadPool$WorkerThread.run(SimpleThreadPool.java:563)
Could anybody tell me the reason of this issue?