1 Topic by rinze

  • rinze
  • Member
  • Offline
  • From: Netherlands
  • Registered: 2018-12-16
  • Posts: 21

Topic: LetsEncrypt not able to download certificate files

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release): 0.9.9 MARIADB edition.
- Deployed with iRedMail Easy or the downloadable installer?: downloadable installer
- Linux/BSD distribution name and version: CentOS Linux release 7.6.1810 (Core)
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

Hi,

I'm setting up a new server with iRedMail. I'm at this moment stuck in the steps written here: https://docs.iredmail.org/letsencrypt.html

When requesting a new certificate (with option --dry-run), an error message appears:

Challenge failed for domain mail02.hostingkruidenier.nl
http-01 challenge for mail02.hostingkruidenier.nl
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

   Domain: mail02.hostingkruidenier.nl
   Type:   connection
   Detail: Fetching
   https://<domain>/.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM:
   Connection refused

To check what is going on, I added the --debug-challenges flag:

certbot certonly --webroot -w /var/www/html -d <domain> --dry-run --debug-challenges
A file is created in /var/www/html/.well-known/acme-challenge.
I am able to download that file, however:

curl -k http://<domain>/.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM

gives:

<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx</center>
</body>
</html>

curl -k https://<domain>/.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM
gives the response I need, the content of the file.

When I check the access.log file from Nginx, I can see a 301 is being served for the first request, nothing is logged (so a 200) for the second request.

When I hit enter after the certbot command, I see these 4 entries being added to the access.log file:

52.29.173.72 - - [07/Jul/2019:12:51:39 +0200] "GET /.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
13.58.30.69 - - [07/Jul/2019:12:51:39 +0200] "GET /.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
66.133.109.36 - - [07/Jul/2019:12:51:40 +0200] "GET /.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
34.213.106.112 - - [07/Jul/2019:12:51:40 +0200] "GET /.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM HTTP/1.1" 301 178 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Does that mean that letsencrypt is not following up the 301 to https? Or does letsencrypt require a http instead of a https connection?

In both cases, what can I do to get this working and/or find the cause?

Regards,

Rinze

----

Spider Email Archiver: On-Premises, lightweight email archiving software developed by iRedMail team. Supports Amazon S3 compatible storage and custom branding.

2 Reply by Neutro (edited by Neutro 2019-07-07 22:25:49)

  • Neutro
  • Member
  • Offline
  • Registered: 2014-03-17
  • Posts: 123

Re: LetsEncrypt not able to download certificate files

Hi,

(the -k option with curl command line is useless on a http request as it is used to allow unsecure https requests)

curl -k http://<domain>/.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM

301 Moved Permanently

This is a normal response to a http to https redirect. Curl gives you the first answer from the web server and it stops there. Since iredmail redirects all http to https by default the 301 redirect answer by curl is 100% normal.

When the letsencrypt server accesses your challenge URL, it doesn't use curl like you do. It downloads the file normally. At your level this would translate to using wget instead of curl.

If you use wget instead of curl on your http link (or if you just open the link in your web browser directly):

http://mail02.hostingkruidenier.nl/.wel … 7Un3cuJ2sM 

you'll see immediately what's wrong: on fresh iredmail installation iredmail generates a self-signed SSL certificate, which means when anyone tries to access your server it displays a certificate error because it is self-signed (which is still normal and why you want to replace it with a letsecrypt one).

So to correct the problem you need to disable http to https redirect just for the certbot validation.

For this you need to edit the file /etc/nginx/sites-enabled/00-default.conf and disable/comment the line below (add a # at the beginning of the line):

return 301 https://$host$request_uri;

then restart nginx service and try again.

Once the certbot challenge is successful, remove the comment in nginx config file, restart the service again and finish setting up the letsencrypt certificate as explained in the documentation.

You won't need to do this again after for renewal because the letsencrypt certificate wont make a SSL warning pop up message like the self signed certificate does after a fresh install.

What's strange is that in my memory when i did a letsencrypt install the same way you did on a fresh iredmail server i don't think i ever encountered that problem, yet it is normal to get it with a self signed certificate, and the iredmail doc doesn't talk about it, so maybe there is a special no http to https redirect for letsencrypt setup somewhere by default and for some reason it wasn't taken into account in your case.

Zhang will probably tell us wink

3 Reply by rinze

  • rinze
  • Member
  • Offline
  • From: Netherlands
  • Registered: 2018-12-16
  • Posts: 21

Re: LetsEncrypt not able to download certificate files

Neutro wrote:

Hi,
What's strange is that in my memory when i did a letsencrypt install the same way you did on a fresh iredmail server i don't think i ever encountered that problem, yet it is normal to get it with a self signed certificate, and the iredmail doc doesn't talk about it, so maybe there is a special no http to https redirect for letsencrypt setup somewhere by default and for some reason it wasn't taken into account in your case.

Zhang will probably tell us wink

Well, I've installed some mail servers before as well, but this never occured to me yet.
Oh, by the way, disabling the return line you said, results in a 404 error for the Let's Encrypt URL sad

4 Reply by Neutro

  • Neutro
  • Member
  • Offline
  • Registered: 2014-03-17
  • Posts: 123

Re: LetsEncrypt not able to download certificate files

Well it's strange. I suggest you start over from scratch to see if it works better. Maybe you did a mistake during the installation process you didn't notice.

Otherwise you can use https://zerossl.com/free-ssl/#crt to get a letsencrypt certificate manually which you can then use as an existing certificate as explained here https://docs.iredmail.org/use.a.bought. … icate.html

After this is done you should be able to get a new certificate with certbot as described before.

5 Reply by ZhangHuangbin

  • ZhangHuangbin
  • ZhangHuangbin
  • iRedMail Developers
  • Offline
  • Registered: 2009-05-06
  • Posts: 31,091

Re: LetsEncrypt not able to download certificate files

Default Nginx configure is ok, please do not change it.

rinze wrote:

- The following errors were reported by the server:
   Domain: mail02.hostingkruidenier.nl
   Type:   connection
   Detail: Fetching
   https://<domain>/.well-known/acme-challenge/37R8lh6XO97d8WUPKriV6T3k9X2zDtTQi7Un3cuJ2sM:
   Connection refused

It says "Connection refused", do you have any network firewall that blocks / rejects connection from port 443?