Forum OpenACS Q&A: letsencrypt - unable to renew

Posted by Tyge Cawthon on
letsencrypt certificate expired and I am having problems renewing it. Suggestions would be greatly appreciated. Been trying to troubleshoot this since the certificate expired on Jan 7th 2019.

Ref: Ubuntu 18.x
Openacs 5-9-1
NaviServer/4.99.17 (tar-4.99.17)

Here is what I have done thus far with no success.
All commands executed as root using sudo -s

cd /usr/local/src/modules/letsencrypt
Makefile install

The output of this was:
/usr/local/ns/bin/install-sh -c letsencrypt.tcl /usr/local/ns//pages/

cd /var/www/5-9/packages/acs-subsite/www/admin
cp -rp /usr/local/ns/pages/letsencrypt.tcl .

edit letsencrypt.tcl - added ID, password and made sure flag was set to 1.

chown nsadmin:nsadmin letsencrypt.tcl

Copied and renamed my .pem file
cd /var/www/5-9/etc

cp /home/letsencrypt/certs/a21.highlandpiping.com/server.pem /var/www/5-9/etc/certfile.pem

Verified chown was correct.

Edited /usr/local/ns/config-5-9.tcl

Changed this line (commented out):
# ns_param certificate /home/letsencrypt/certs/a21.highlandpiping.com/server.pem

Added this line:
ns_param certificate $serverroot/etc/certfile.pem

Verified $serverroot value was /var/www/5-9

Saved config-5-9.tcl file.
Stopped nas processes.
Started nas processes.

Had to disable my secured browser.
In the browser type
https://a21.highlandpiping.com/admin/letsencrypt.tcl

I was prompted for my openacs ID and password. Then I was prompted for the letsencrypt.tcl file ID and password.

I received the same error that was reported by Jim Lynch; see error message below.

Verified access to letsencrypt servers and their port from my openacs webserver.

Error I received:
can't connect to acme-v01.api.letsencrypt.org port 443: network is unreachable
while executing
"ns_http queue $url"
(procedure ":getAPIurls" line 7)
invoked from within
":getAPIurls $config"
(procedure "getCertificate" line 39)
invoked from within
"$c getCertificate"
("uplevel" body line 756)
invoked from within
"uplevel {
#
# letsencrypt.tcl --
#
# A small Let's Encrypt client for NaviServer implemented in Tcl.
# To use it, set enabled to 1 and drop it..."
(procedure "code::tcl::/web/mu-main//packages/acs-subsite/www/admin/lets..." line 2)
invoked from within
"code::tcl::$__adp_stub"
("uplevel" body line 12)
invoked from within
"uplevel {

if { [file exists $__adp_stub.tcl] } {

# ensure that data source preparation procedure exists and is up-to-date
..."
(procedure "adp_prepare" line 2)
invoked from within
"adp_prepare"
invoked from within
"template::adp_parse $themed_template {}"
(procedure "adp_parse_ad_conn_file" line 14)
invoked from within
"$handler"
("::try" body line 3)
invoked from within
"rp_serve_concrete_file [ad_conn file]"
(procedure "::nsf::procs::rp_serve_abstract_file" line 60)
invoked from within
"rp_serve_abstract_file "$root/$extra_url""
("::try" body line 2)
invoked from within
"ad_try {
rp_serve_abstract_file "$root/$extra_url"
set ::tcl_url2file([ad_conn url]) [ad_conn file]
set ::tcl_url2..."
(procedure "rp_handle_request" line 45)
invoked from within
"rp_handle_request"
("::try" body line 2)

Posted by Gustaf Neumann on
Can it be that the machine has a half-configured IPv6 setup? I.e. the resolver returns multiple IP addresses for "acme-v01.api.letsencrypt.org" (including IPv4 and IPv6 addresses), but the connection through IPv6 does not work (due to e.g. firewall rules, etc.)?

You can check this from NaviServer:

/usr/local/ns/bin/nsd -c
% ns_addrbyhost -all acme-v01.api.letsencrypt.org
2600:1406:1a:394::3a8e 2600:1406:1a:38a::3a8e 104.86.94.242

% ns_http run https://acme-v01.api.letsencrypt.org
status 200 time 0:244362 headers d1 body {...}
Probably, the "ns_http" request runs into a problem at your site (assuming the problem you saw was not a temporary outage at letsencrypt).

When these assumptions are correct, try

/usr/local/ns/bin/nsd -c
% set requestHeaders [ns_set create]
% ns_set update $requestHeaders Host acme-v01.api.letsencrypt.org
% ns_http run -headers $requestHeaders -keep_host_header https://104.86.94.242
If this returns no error but a result dict, the problem is diagnosed.

How to solve the problem:

  • Disable IPv6 on the machine (in doubt, google for it)
  • Replace in the letsencrypt script "ns_http queue $url" with a snippet as above (this should be just a temporary fix to get things working again)
  • Update NaviServer to the newest version from bitbucket: I have just modified the code base to deal with such half-working setups better. Set in install-ns.sh "version_ns=HEAD"
  • It is possibly also an option to downgrade NaviServer to e.g. 4.99.16 and change /etc/gai.conf to make the resolver return IPv4 addresses first (4.99.17 started to use multiple IP addresses for client requests)
Hope this helps. I am currently in transit at San Francisco airport, and I am just replying with so many options since your situation seems urgent.
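A stand-alone version of the check Gustaf describes with ns_addrbyhost and ns_http (an added example, not code from the thread or from NaviServer): it resolves every address for the host, TCP-connects to each one, and reports whether only the IPv6 addresses fail, which is the half-configured IPv6 pattern. The probe function is injectable so the classification can be exercised without network access; the host name and addresses used for the sample run are the ones quoted in the thread.

```python
import socket
from typing import Callable, Dict, List, Tuple

Probe = Callable[[str, int], Tuple[bool, str]]  # returns (ok, error text)


def resolve_all(host: str, port: int = 443) -> List[str]:
    """Every address the resolver returns for host, in resolver order
    (the order a naive client tries them; ns_addrbyhost -all does the same)."""
    addrs: List[str] = []
    for *_rest, sockaddr in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP):
        if sockaddr[0] not in addrs:
            addrs.append(sockaddr[0])
    return addrs


def tcp_probe(addr: str, port: int, timeout: float = 5.0) -> Tuple[bool, str]:
    """Plain TCP connect to one address; no TLS needed to see a routing failure."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True, ""
    except OSError as exc:  # e.g. 'Network is unreachable' when there is no v6 route
        return False, str(exc)


def diagnose(addrs: List[str], port: int = 443, probe: Probe = tcp_probe) -> Dict[str, object]:
    """Probe each address; verdict 'half-configured-ipv6' means every IPv6
    address failed while at least one IPv4 address connected."""
    working: List[str] = []
    broken: Dict[str, str] = {}
    for addr in addrs:
        ok, err = probe(addr, port)
        if ok:
            working.append(addr)
        else:
            broken[addr] = err
    v6_all_broken = any(":" in a for a in addrs) and not any(":" in a for a in working)
    v4_some_ok = any(":" not in a for a in working)
    if not broken:
        verdict = "ok"
    elif v6_all_broken and v4_some_ok:
        verdict = "half-configured-ipv6"
    else:
        verdict = "other-failure"
    # first_reachable is False exactly when a client that only tries the
    # first resolved address (as the old letsencrypt script did) would fail.
    return {"working": working, "broken": broken, "verdict": verdict,
            "first_reachable": bool(addrs) and addrs[0] in working}


if __name__ == "__main__":
    print(diagnose(resolve_all("acme-v01.api.letsencrypt.org")))
```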
Posted by Iuri Sampaio on
Hello Tyge,

If Gustaf's procedures don't work, you can always be drastic, and stop looking for a needle in the haystack.

1. Back up your source code and DB;
2. Re-install Ubuntu. P.S. choose 16.4 LTS this time;
3. Reinstall letscript/certbot, through apt-get, tutorial available at: https://certbot.eff.org/all-instructions.

I've always had problems related to Ubuntu and Letsencrypt renew. If your scenario allows you, you must start a new VM from scratch. You may change to Debian instead.
Then, you may run Gustaf's installation scripts, available at:
https://github.com/gustafn/install-ns

There's another nice tutorial, which you may find at http://project-open.com/en/install-debian-stretch

Best wishes,
I

Posted by Tyge Cawthon on
First and more importantly, thank you all for your support.

Good news, my site is back up. The unexplainable news is, I did receive the proper .pem files; however, the final pem was never created. I looked in the dehydrated script and executed the commands:
cp ${CERTDIR}/${domain}/fullchain.pem ${CERTDIR}/${domain}/server.pem
cat ${CERTDIR}/${domain}/privkey.pem >> ${CERTDIR}/${domain}/server.pem
chmod 770 ${CERTDIR}/${domain}/server.pem
chown letsencrypt:letsencrypt ${CERTDIR}/${domain}/server.pem

I will investigate this further. We learn by our mistakes.
Thanks again.

BTW - I try to document as much as I can so beginners can learn openacs faster and enjoy developing applications using OpenACS.

If anyone is interested here is a link to some of the things I have been documenting. This is a rough draft and needs to be updated.

My focus is demonstrating qforms.

https://a21.highlandpiping.com/beginners-tutorial/

Feedback (good, bad, ugly) is welcome.

Thanks again

Posted by Tyge Cawthon on
FYI - Oct-23-2019.
Background: Openacs using letsencrypt has been working very successfully with certs renewing every 90 days.

The only changes to my environment have been Ubuntu patches. I am not sure what stopped letsencrypt from automatically updating for the month of October.

Letsencrypt auto updates worked for the months of April and July.

Here is my fix.
As user letsencrypt, cd /home/certs/hostname

This is where the pem files are located.
cp ./fullchain.pem server.pem
cat privkey.pem >> server.pem
chown letsencrypt:letsencrypt server.pem

Stopped/started nsd

Everything works. Posted to help others.
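The same server.pem assembly that both of Tyge's posts above do by hand (cp fullchain.pem, cat privkey.pem onto it, chown), written as an added example that is not from the thread or from dehydrated: it refuses to write a file that lacks either the certificate chain or the private key, creates the file with a non-world-readable mode from the start, and renames it into place so nsd never reads a half-written server.pem. The file names follow the thread; the 0o640 mode and the self_check helper with its constructed sample PEM text are assumptions.

```python
import os
import tempfile
from pathlib import Path

CERT_BEGIN = "-----BEGIN CERTIFICATE-----"
KEY_MARKERS = ("-----BEGIN PRIVATE KEY-----",      # PKCS#8, what dehydrated writes
               "-----BEGIN RSA PRIVATE KEY-----",
               "-----BEGIN EC PRIVATE KEY-----")


def build_server_pem(cert_dir: str, mode: int = 0o640) -> Path:
    """Write <cert_dir>/server.pem = fullchain.pem + privkey.pem; return its path."""
    d = Path(cert_dir)
    chain = (d / "fullchain.pem").read_text()
    key = (d / "privkey.pem").read_text()
    if CERT_BEGIN not in chain:
        raise ValueError("fullchain.pem holds no certificate block")
    if not any(m in key for m in KEY_MARKERS):
        raise ValueError("privkey.pem holds no private key block")
    if not chain.endswith("\n"):      # keep the PEM blocks on separate lines
        chain += "\n"
    target, tmp = d / "server.pem", d / "server.pem.tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(chain + key)
    os.chmod(tmp, mode)               # os.open honours umask; force the mode
    os.replace(tmp, target)           # atomic rename: old or new, never partial
    return target


def pem_has_cert_and_key(path: str) -> bool:
    text = Path(path).read_text()
    return CERT_BEGIN in text and any(m in text for m in KEY_MARKERS)


def self_check() -> dict:
    """Run against constructed sample files in a temp dir; returns what happened."""
    d = tempfile.mkdtemp()
    Path(d, "fullchain.pem").write_text("-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n")
    Path(d, "privkey.pem").write_text("-----BEGIN PRIVATE KEY-----\nMIIE\n-----END PRIVATE KEY-----\n")
    out = build_server_pem(d)
    Path(d, "privkey.pem").write_text("not a key\n")   # simulate a broken renewal
    try:
        build_server_pem(d)
        rejected = False
    except ValueError:
        rejected = True
    return {"mode": oct(os.stat(out).st_mode & 0o777), "complete": pem_has_cert_and_key(str(out)),
            "rejected": rejected, "tmp_left": Path(d, "server.pem.tmp").exists()}


if __name__ == "__main__":
    print(self_check())
```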