1

Topic: Problem with Letsencrypt

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- Deployed with iRedMail Easy or the downloadable installer? Downloadable
- Linux/BSD distribution name and version: Debian 10
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):  MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? NO
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.

I am getting this error when trying to get the certificate.

$ sudo certbot -v
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: mail.dccathome.com
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 1
Requesting a certificate for mail.dccathome.com
Performing the following challenges:
http-01 challenge for mail.dccathome.com
Waiting for verification...
Challenge failed for domain mail.dccathome.com
http-01 challenge for mail.dccathome.com

Certbot failed to authenticate some domains (authenticator: nginx). The Certificate Authority reported these problems:
  Domain: mail.dccathome.com
  Type:   connection
  Detail: Fetching http://mail.dccathome.com/.well-known/acme-challenge/HBBuo6Ld5Z-92XUazWR-5RB4u7P0JQg-48HSbvQHBOI: Error getting validation data

Hint: The Certificate Authority failed to verify the temporary nginx configuration changes made by Certbot. Ensure the listed domains point to this nginx server and that it is accessible from the internet.

Cleaning up challenges
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

2

Re: Problem with Letsencrypt

I see good dns for mail.dccathome.com, but I can't hit it with HTTP or HTTPS

Two possible errors off the top of my head. I'd start here:

1) blocking ports 80 & 443 either by firewall with lack of proper passthrus or provider blocking.

If you are running firewalld, run:

firewall-cmd --list-all

2) nginx is not running or is in a failed state.

I forget on Debian vs EL 8, but if it is systemctl commands

systemctl status -all

and you want the first two lines to be:

mail.dccathome.com
    State: running
 
or

systemctl status nginx

and that should come back as running.


3

Re: Problem with Letsencrypt

$ firewall-cmd --list-all
bash: firewall-cmd: command not found
dcihon@mx:~
$ systemctl status nginx.service
● nginx.service - A high performance web server and a reverse proxy server
   Loaded: loaded (/lib/systemd/system/nginx.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-10-25 10:04:46 EDT; 8h ago
     Docs: man:nginx(8)
 Main PID: 857 (nginx)
    Tasks: 2 (limit: 4915)
   Memory: 5.4M
   CGroup: /system.slice/nginx.service
           ├─  857 nginx: master process /usr/sbin/nginx -g daemon on; master_process on;
           └─10738 nginx: worker process

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

4 (edited by montanelli 2021-10-31 21:19:01)

Re: Problem with Letsencrypt

The error message from Letsencrypt clearly says:

Fetching http://mail.dccathome.com/.well-known/...  Error getting validation data

I cannot get to http://mail.dccathome.com/mail

I can get to https://mail.dccathome.com/mail

I would start there. Three possibilities that come to mind:

1) you are blocking port 80 (http) via firewall, or not permitting (same thing).

2) You are redirecting all requests to http to go to https.

3) you do not have a virtual server configuration that mail.dccathome.com exists on port 80

I'm going fishing, be back in a couple days.
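
Added example, not part of the thread or of iRedMail: a shell triage that combines an outside-in HTTP probe of the challenge path with the server's own `ss -ltn` output to separate the causes discussed above (port 80 filtered, nothing listening on port 80, redirect to HTTPS). The function names, the token name "reachability-probe" and the sample listener table are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Run probe_http01 from a host outside the server's network;
# collect `ss -ltn` on the mail server itself.

# Succeeds if `ss -ltn` output on stdin shows a non-loopback listener on TCP 80.
has_public_listener_80() {
    awk '$1 == "LISTEN" && $4 ~ /:80$/ && $4 !~ /^(127\.|\[::1\])/ { ok = 1 }
         END { exit !ok }'
}

# diagnose_http01 CURL_EXIT HTTP_CODE REDIRECT_URL   (stdin: `ss -ltn` output)
diagnose_http01() {
    case "$1" in
        0)  ;;
        6)  echo "dns-failure"; return 0 ;;
        7|28)                                  # connect failed or timed out
            if has_public_listener_80; then
                echo "port80-filtered"         # firewall or provider block
            else
                echo "no-port80-listener"      # nginx serves nothing on port 80
            fi
            return 0 ;;
        *)  echo "curl-error-$1"; return 0 ;;
    esac
    case "$2" in
        301|302|307|308)
            case "$3" in
                https://*) echo "redirected-to-https" ;;
                *)         echo "redirected-elsewhere" ;;
            esac ;;
        404) echo "port80-reachable" ;;        # expected for a made-up token
        *)   echo "unexpected-http-$2" ;;
    esac
}

# External probe: prints "CURL_EXIT HTTP_CODE REDIRECT_URL" for host $1.
probe_http01() {
    url="http://$1/.well-known/acme-challenge/reachability-probe"
    rc=0
    out=$(curl -s -o /dev/null --max-time 10 \
          -w '%{http_code} %{redirect_url}' "$url") || rc=$?
    echo "$rc ${out%% *} ${out#* }"
}

# Constructed `ss -ltn` sample: public listener on 443, loopback-only on 80.
SS_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:443        0.0.0.0:*
LISTEN 0      128    127.0.0.1:80       0.0.0.0:*'
```

Feed the three values printed by `probe_http01` to `diagnose_http01` as arguments, with the server's `ss -ltn` output on stdin. A probe run on the mail server itself says nothing about the firewall in front of it.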