Forum OpenACS Q&A: letsencrypt - unable to renew

Request notifications

Collapse
Posted by Tyge Cawthon on
letsencrypt certificate expired and I am having problems renewing it. Suggestions would be greatly appreciated. Been trying to trouble shoot this since the certificated expired on Jan 7th 2019.

Ref: Ubuntu 18.x
Openacs 5-9-1
NaviServer/4.99.17 (tar-4.99.17)

Here is what I have done thus far with no success.
All commands executed as root using sudo -s

cd /usr/local/src/modules/letsencrypt
Makefile install

the output file this was:
/usr/local/ns/bin/install-sh -c letsencrypt.tcl /usr/local/ns//pages/

cd /var/www/5-9/packages/acs-subsite/www/admin
cp -rp /usr/local/ns/pages/letsencrypt.tcl .

edit letsencrypt.tcl - added ID, password and made sure flag was set to 1.

chown nsadmin:nsadmin letsencrypt.tcl

copied and rename my .pem file
cd /var/www/5-9/etc

cp /home/letsencrypt/certs/a21.highlandpiping.com/server.pem
/var/www/5-9/etc/certfile.pem

verified chown was correct.

edited /usr/local/ns/config-5-9.tcl

change this line. commented out
# ns_param certificate /home/letsencrypt/certs/a21.highlandpiping.com/server.pem

added this line:
ns_param certificate $serverroot/etc/certfile.pem

verified$serverroot value was /var/www/5-9

saved config-5-9.tcl file.
Stopped nas processes.
Started nas processes.

Had to disable my secured browser.
in the browser type
https://a21.highlandpiping.com/admin/letsencrypt.tcl

I was prompt for my openacs ID and password. Then I was prompt for the letsencrypt.tcl file ID and password.

I received the same error that was reported by Jim Lynch
see error message below.

verified access to letsencrypt servers and their port from my openacs webserver.

Error I received:
can't connect to acme-v01.api.letsencrypt.org port 443: network is unreachable
while executing
"ns_http queue $url"
(procedure ":getAPIurls" line 7)
invoked from within
":getAPIurls $config"
(procedure "getCertificate" line 39)
invoked from within
"$c getCertificate"
("uplevel" body line 756)
invoked from within
"uplevel {
#
# letsencrypt.tcl --
#
# A small Let's Encrypt client for NaviServer implemented in Tcl.
# To use it, set enabled to 1 and drop it..."
(procedure "code::tcl::/web/mu-main//packages/acs-subsite/www/admin/lets..." line 2)
invoked from within
"code::tcl::$__adp_stub"
("uplevel" body line 12)
invoked from within
"uplevel {

if { [file exists $__adp_stub.tcl] } {

# ensure that data source preparation procedure exists and is up-to-date
..."
(procedure "adp_prepare" line 2)
invoked from within
"adp_prepare"
invoked from within
"template::adp_parse $themed_template {}"
(procedure "adp_parse_ad_conn_file" line 14)
invoked from within
"$handler"
("::try" body line 3)
invoked from within
"rp_serve_concrete_file [ad_conn file]"
(procedure "::nsf::procs::rp_serve_abstract_file" line 60)
invoked from within
"rp_serve_abstract_file "$root/$extra_url""
("::try" body line 2)
invoked from within
"ad_try {
rp_serve_abstract_file "$root/$extra_url"
set ::tcl_url2file([ad_conn url]) [ad_conn file]
set ::tcl_url2..."
(procedure "rp_handle_request" line 45)
invoked from within
"rp_handle_request"
("::try" body line 2)

Collapse
Posted by Gustaf Neumann on
Can it be that that the machine has a half-configured IPv6 setup? i.e. the resolver returns for "acme-v01.api.letsencrypt.org" multiple IP addresses (including IPv4 and IPv6 addresses), but the connection through IPv6 does not work (due to e.g firewall rules, etc)?

You can check this from NaviServer:

/usr/local/ns/bin/nsd -c
% ns_addrbyhost -all acme-v01.api.letsencrypt.org
2600:1406:1a:394::3a8e 2600:1406:1a:38a::3a8e 104.86.94.242

% ns_http run https://acme-v01.api.letsencrypt.org
status 200 time 0:244362 headers d1 body {...}
Probably, the "ns_http" request runs into a problem at your site (assuming, the problem you saw was not a temporary outage at letsencrypt).

When this assumptions are correct, try

/usr/local/ns/bin/nsd -c
% set requestHeaders [ns_set create]
% ns_set update $requestHeaders Host acme-v01.api.letsencrypt.org
% ns_http run -headers $requestHeaders -keep_host_header 104.86.94.242
If this returns no error but a result dict, the problem is diagnosed.

How to solve the problem:

  • Disable IPv6 on the machine (in doubt, google for it)
  • Replace in the letsencrypt script "ns_http queue $url" with a snippet as above (this should be just a temporary fix to get things working again)
  • Update NaviServer to the newest version from bitbucket: i have just modified the code base to deal with such half-working setups better. Set in install-ns.sh "version_ns=HEAD"
  • It is possibly also an option to downgrade NaviServer to e.g. 4.99.16 and change /etc/gai.conf to make the resolver to return IPv4 addresses first (4.99.17 started use multiple IP addresses for client requests)
hope this helps. I am currently in transit on San Francisco airport, and i am just replying so many options, since your situation seems urgent.

Collapse
Posted by Iuri Sampaio on
Hello Tyge,

If Gustaf's procedures don't work, you can always be drastic, and stop looking for a needle in the haystack.

1. Back up you source code and DB;
2. Re-install Ubtuntu. p.s. choose 16.4lts this time;
3. Reinstall letscript/certbot, through apt-get, tutorial available at: https://certbot.eff.org/all-instructions.

I've always had problems related with Ubuntu and Letsencrypt renew. If your scenario allow you, you must start a new VM from scratch. You may change to Debian instead.
Then, you may run Gustaf's installation scripts, available at:
https://github.com/gustafn/install-ns

There's another nice tutorial, which you may find at http://project-open.com/en/install-debian-stretch

Best wishes,
I

Collapse
Posted by Tyge Cawthon on
First and more importantly, thank you all for your support.

Good news, my site is back up. The unexplainable news
is, I did received at the proper .pem files, however, the final pem was never created. I looked in the dehydrated script and executed the commands:
cp ${CERTDIR}/${domain}/fullchain.pem ${CERTDIR}/${domain}/server.pem
cat ${CERTDIR}/${domain}/privkey.pem >> ${CERTDIR}/${domain}/server.pem
chmod 770 ${CERTDIR}/${domain}/server.pem
chown letsencrypt:letsencrypt server.pem

I will investigate this further. We learn by our mistakes.
Thanks again.

BTW - I try to document as much as I can so beginners can learn openacs faster and enjoy developing applications using OpenACS.

If anyone is interested here is a link to some of the things I have been documenting. This is a rough draft and needs to be updated.

My focus is demonstrating qforms.

https://a21.highlandpiping.com/beginners-tutorial/

Feedback (good, bad, ugly) is welcome.

Thanks again