Let's Encrypt error

flood
letsencrypt

#1

Hello,
I’ve tried to install Flood on my seedbox but Let’s Encrypt install scr**ed up my Apache2.

Here is the detailed journal:

https://pastebin.com/HidPHLGL

There seems to be a problem in /etc/apache2/sites-enabled/default-ssl.conf at line 39, which displays the cert location.

https://pastebin.com/uKMi92vW

Let’s Encrypt is supposed to have created the certs in /root/.acme.sh/krg-23.com but it only contains krg-23.com.conf

Now my QB is down and I can’t figure out how to fix this problem. When running box install letsencrypt (which I did several times), the installer says the following:

bt:~/.acme.sh/krg-23.com# box install letsencrypt
Installing letsencrypt
fatal: destination path ‘acme.sh-master’ already exists and is not an empty directory.
Please enter an administrator email: [email protected]
Please enter a valid domain: krg-23.com
[Wed Sep 6 11:31:13 CEST 2017] It is recommended to install socat first.
[Wed Sep 6 11:31:13 CEST 2017] We use socat for standalone server if you use standalone mode.
[Wed Sep 6 11:31:13 CEST 2017] If you don’t use standalone mode, just ignore this warning.
[Wed Sep 6 11:31:13 CEST 2017] Installing to /root/.acme.sh
[Wed Sep 6 11:31:13 CEST 2017] Installed to /root/.acme.sh/acme.sh
[Wed Sep 6 11:31:14 CEST 2017] Installing alias to ‘/root/.bashrc’
[Wed Sep 6 11:31:14 CEST 2017] OK, Close and reopen your terminal to start using acme.sh
[Wed Sep 6 11:31:14 CEST 2017] Installing cron job
13 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null
[Wed Sep 6 11:31:14 CEST 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Sep 6 11:31:15 CEST 2017] OK
[Wed Sep 6 11:31:15 CEST 2017] Please install socat tools first.
[Wed Sep 6 11:31:15 CEST 2017] _on_before_issue.

And no cert is created.

I’m at a loss here because I’m not at ease with all that is certificate… And I thought box install letsencrypt would do everything smoothly.

Thank you for your help because I don’t know how to revert back to make my QB accessible again :persevere:


#2

Please have a look at “Replace my current domain with a new one”; maybe the solution will fix your problem. If not, let us know and we’ll go more in depth.


#3

Yeah, what’s happened is the acme method of building the certificates now requires socat tools dependencies. I have pushed an update to address this as of this morning.

As @bate has posted, follow the directions as per Lines 40 and 41 to replace the generated certificate with the defaults, then restart apache and issue the box install letsencrypt command once more. Either update from your dashboard after you restore the default snakeoil certificates or run apt -y install socat before running the box command for Let’s Encrypt. If not, it will generate another blank cert.


#4

Thank you @bate and @JMSolo, I’ll give it a try and let you know :slight_smile:


#5

Reverting back is working! Just great, thank you, both of you.

However, after installing socat, I got errors again :face_with_raised_eyebrow:… and no domain.pem files can be found in the .acme.sh domain subfolder, only domain.key. Is it normal?

bt:~/.acme.sh# box install letsencrypt
Installing letsencrypt
fatal: destination path ‘acme.sh-master’ already exists and is not an empty directory.
Please enter an administrator email: [email protected]
Please enter a valid domain: krg-23.com
[Wed Sep 6 13:32:39 CEST 2017] Installing to /root/.acme.sh
[Wed Sep 6 13:32:39 CEST 2017] Installed to /root/.acme.sh/acme.sh
[Wed Sep 6 13:32:39 CEST 2017] Installing alias to ‘/root/.bashrc’
[Wed Sep 6 13:32:39 CEST 2017] OK, Close and reopen your terminal to start using acme.sh
[Wed Sep 6 13:32:39 CEST 2017] Installing cron job
13 0 * * * “/root/.acme.sh”/acme.sh --cron --home “/root/.acme.sh” > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null
30 2 * * 1 ~/acme.sh/acme.sh --cron --home ~/acme.sh > /dev/null
[Wed Sep 6 13:32:39 CEST 2017] Good, bash is found, so change the shebang to use bash as preferred.
[Wed Sep 6 13:32:40 CEST 2017] OK
[Wed Sep 6 13:32:40 CEST 2017] Standalone mode.
[Wed Sep 6 13:32:41 CEST 2017] Registering account
[Wed Sep 6 13:32:46 CEST 2017] Registered
[Wed Sep 6 13:32:48 CEST 2017] Update account tos info success.
[Wed Sep 6 13:32:48 CEST 2017] ACCOUNT_THUMBPRINT=‘5ZgXHDhBJRr_KcQF0t8DBjQpOgEPtTyH5-icCZzt7VU’
[Wed Sep 6 13:32:48 CEST 2017] Creating domain key
[Wed Sep 6 13:32:49 CEST 2017] The domain key is here: /root/.acme.sh/krg-23.com/krg-23.com.key
[Wed Sep 6 13:32:49 CEST 2017] Single domain=‘krg-23.com
[Wed Sep 6 13:32:49 CEST 2017] Getting domain auth token for each domain
[Wed Sep 6 13:32:49 CEST 2017] Getting webroot for domain=‘krg-23.com
[Wed Sep 6 13:32:49 CEST 2017] Getting new-authz for domain=‘krg-23.com
[Wed Sep 6 13:32:53 CEST 2017] The new-authz request is ok.
[Wed Sep 6 13:32:53 CEST 2017] Verifying:krg-23.com
[Wed Sep 6 13:32:53 CEST 2017] Standalone mode server
[Wed Sep 6 13:32:59 CEST 2017] krg-23.com:Verify error:The key authorization file from the server did not match this challenge [Fc1vikPlWa1Ww-CQNE0uWyZyPUbiKXfZE6uXz1mNfpI.5ZgXHDhBJRr_KcQF0t8DBjQpOgEPtTyH5-icCZzt7VU] != [Fc1vikPlWa1Ww-CQNE0uWyZyPUbiKXfZE6uXz1mNfpI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]
[Wed Sep 6 13:32:59 CEST 2017] Please add '--debug' or '--log' to check more details.
[Wed Sep 6 13:32:59 CEST 2017] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh
Job for apache2.service failed because the control process exited with error code. See “systemctl status apache2.service” and “journalctl -xe” for details.
bt:~/.acme.sh#
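
The log in the post above is enough to tell which kind of mismatch the CA saw. The shell functions below are an added example, not part of the thread, the box script or acme.sh; the function names and result words are made up here, and the sample is the two relevant log lines retyped with ASCII quotes.

```shell
#!/bin/sh
# Added example: classify a "did not match this challenge" error from acme.sh.
# Key authorization = "<token>.<thumbprint of the ACME account key>" (RFC 8555, 8.1).

# Constructed sample: the two relevant log lines from the post, with ASCII quotes.
SAMPLE_LOG="[Wed Sep 6 13:32:48 CEST 2017] ACCOUNT_THUMBPRINT='5ZgXHDhBJRr_KcQF0t8DBjQpOgEPtTyH5-icCZzt7VU'
[Wed Sep 6 13:32:59 CEST 2017] krg-23.com:Verify error:The key authorization file from the server did not match this challenge [Fc1vikPlWa1Ww-CQNE0uWyZyPUbiKXfZE6uXz1mNfpI.5ZgXHDhBJRr_KcQF0t8DBjQpOgEPtTyH5-icCZzt7VU] != [Fc1vikPlWa1Ww-CQNE0uWyZyPUbiKXfZE6uXz1mNfpI.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8]"

B64='A-Za-z0-9_-'   # base64url alphabet of tokens and thumbprints

# stdin: log text; stdout: thumbprint of the account used in this run
account_thumbprint() {
  sed -n "s/.*ACCOUNT_THUMBPRINT=[^$B64]*\([$B64]*\).*/\1/p" | tail -n 1
}

# stdin: log text; stdout: the two bracketed key authorizations, space-separated
keyauth_pair() {
  sed -n 's/.*Verify error:.*\[\([^]]*\)] != \[\([^]]*\)].*/\1 \2/p' | tail -n 1
}

# classify_mismatch LOGTEXT: prints one diagnosis line
classify_mismatch() {
  acct=$(printf '%s\n' "$1" | account_thumbprint)
  pair=$(printf '%s\n' "$1" | keyauth_pair)
  [ -n "$pair" ] || { echo "no-verify-error"; return 0; }
  first=${pair% *}
  second=${pair#* }
  if [ "${first%%.*}" != "${second%%.*}" ]; then
    echo "token-mismatch"            # a response to some other challenge was served
    return 0
  fi
  # Same token: report the thumbprint that is not this run's account.
  for thumb in "${first#*.}" "${second#*.}"; do
    [ "$thumb" = "$acct" ] || { echo "foreign-thumbprint $thumb"; return 0; }
  done
  echo "identical"
}

classify_mismatch "$SAMPLE_LOG"
```

A `foreign-thumbprint` result means the response fetched for the domain carried the right token but was built with a different ACME account key than the one this run registered, so whatever answered on port 80 for that name was not this run's standalone server state.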


#6

You will need to rm -rf krg-23.com from the /root/.acme.sh directory first. Then rerun the box install letsencrypt. I would first double check that you’re back to defaults in the default-ssl.conf file, then issue the restart once more.

Certificates on successful generation get moved to /etc/apache2/ssl/certs
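
The recovery steps in posts #3 and #6 come down to three preconditions: socat is installed, no leftover domain directory sits in the acme.sh home, and the Apache SSL config points at certificate files that exist and are not empty. The script below is an added example that checks them, not part of the box script; the function names are hypothetical, and the demo runs against constructed temporary files with the made-up domain example.test.

```shell
#!/bin/sh
# Added example: checks to run before repeating "box install letsencrypt".
# Paths and the domain are passed in; nothing here is part of the box script.

# Print each SSLCertificateFile / SSLCertificateKeyFile target in an Apache
# config that is missing or empty (an empty file is the "blank cert" case).
bad_cert_paths() {   # $1 = Apache config file
  awk 'tolower($1) ~ /^sslcertificate(key)?file$/ { print $2 }' "$1" |
  tr -d '"' |
  while IFS= read -r path; do
    [ -s "$path" ] || printf '%s\n' "$path"
  done
}

# Print one line per problem; print nothing if the re-run can proceed.
# $1 = acme.sh home, $2 = domain, $3 = Apache config, $4 = helper (default socat)
preflight() {
  command -v "${4:-socat}" >/dev/null 2>&1 || echo "missing command: ${4:-socat}"
  [ ! -e "$1/$2" ] || echo "stale directory: $1/$2"
  bad_cert_paths "$3" | sed 's/^/missing or empty: /'
}

# Constructed demo: leftover domain directory, empty cert file, valid key file.
# "sh" stands in for socat so the demo result does not depend on the host.
demo() {
  d=$(mktemp -d)
  mkdir -p "$d/acme/example.test"
  : > "$d/cert.pem"
  echo key > "$d/key.pem"
  printf 'SSLCertificateFile %s\nSSLCertificateKeyFile %s\n' \
    "$d/cert.pem" "$d/key.pem" > "$d/ssl.conf"
  preflight "$d/acme" example.test "$d/ssl.conf" sh | sed "s|$d|TMP|"
  rm -rf "$d"
}

demo
```

On the seedbox from this thread the call would be `preflight /root/.acme.sh krg-23.com /etc/apache2/sites-enabled/default-ssl.conf`, using the paths given in the posts.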


#7

Marvelous! This is just great, thank you.

Now I am wearing green!

Just so you know, it was not that easy.

  1. I’ve followed your steps (removing folder and reverting default-ssl.conf lines back)
  2. box install letsencrypt was still returning cert verification errors
  3. so I’ve changed the domain name from krg-23.com to bt.krg-23.com and it worked!

This might be because of the Standalone Server configuration during the install. But I’m not quite sure of that. This is what gave me the hint to change domain name anyway :slight_smile:

