A few of you might have noticed that Let’s Encrypt certificate fetching/renewing is broken. This is due to a recent change on Let’s Encrypt’s side. While we fix the issue upstream, a workaround is to run the following command on your server using SSH:
Some of you may have noticed that fetching and renewing Let’s Encrypt certificates is currently broken. This is due to a recent update to Let’s Encrypt’s terms of use. Until we fix the problem directly in YunoHost, you can work around it by running the following command on your server over SSH:
After that command it still says that it cannot update because of the wrong agreement URL. It seems that the update doesn’t get recognized. (?)
(And yes, the update worked - the new "agreement" part is:
"agreement": json.loads(urlopen(CA + "/directory").read().decode('utf8'))['meta']['terms-of-service'], - but this doesn’t lead to the new ToS)
Error registering: 400 { "type": "urn:acme:error:malformed", "detail": "Provided agreement URL [https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL [https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]", "status": 400 }
Certificate installation for squirrel.science failed ! Exception: [Errno 22] Signing the new certificate failed
admin@Xroklaus:~ $ cat /usr/lib/moulinette/yunohost/vendor/acme_tiny/acme_tiny.py
#!/usr/bin/env python
import argparse, subprocess, json, os, sys, base64, binascii, time, hashlib, re, copy, textwrap, logging
try:
    from urllib.request import urlopen # Python 3
except ImportError:
    from urllib2 import urlopen # Python 2
#DEFAULT_CA = "https://acme-staging.api.letsencrypt.org"
DEFAULT_CA = "https://acme-v01.api.letsencrypt.org"
...
    # get the certificate domains and expiration
    log.info("Registering account...")
    code, result = _send_signed_request(CA + "/acme/new-reg", {
        "resource": "new-reg",
        "agreement": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    })
    if code == 201:
        log.info("Registered!")
    elif code == 409:
        log.info("Already registered!")
    else:
        raise ValueError("Error registering: {0} {1}".format(code, result))
...
if __name__ == "__main__": # pragma: no cover
    main(sys.argv[1:])
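The thread’s fix is to stop hard-coding the agreement URL and read it from the CA’s directory document (meta.terms-of-service), and the 400 error above actually tells you which URL the CA currently expects. Here is an added example (not code from acme_tiny or YunoHost) showing both halves offline: building the new-reg payload from a directory document, and extracting the expected URL from the CA’s mismatch error. The directory and error bodies are constructed samples shaped like the ones quoted in this thread; the function names are my own.

```python
import json
import re

# Constructed sample of an ACME v1 directory document (same shape as what
# acme_tiny reads from CA + "/directory"); the values are made up here.
SAMPLE_DIRECTORY = json.dumps({
    "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
    "meta": {"terms-of-service":
             "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"},
})

# Constructed sample of the 400 body quoted earlier in the thread.
SAMPLE_ERROR_BODY = json.dumps({
    "type": "urn:acme:error:malformed",
    "detail": "Provided agreement URL [https://letsencrypt.org/documents/"
              "LE-SA-v1.1.1-August-1-2016.pdf] does not match current agreement URL "
              "[https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf]",
    "status": 400,
})

def current_agreement_url(directory_json):
    """Return meta.terms-of-service from a directory document, or None if absent."""
    try:
        return json.loads(directory_json)["meta"]["terms-of-service"]
    except (ValueError, KeyError, TypeError):
        return None

def new_reg_payload(directory_json, fallback_url):
    """Build the new-reg body; fall back to a known URL if the directory has no meta."""
    url = current_agreement_url(directory_json) or fallback_url
    return {"resource": "new-reg", "agreement": url}

# The CA puts the URL it currently expects inside square brackets in "detail".
_MISMATCH = re.compile(r"does not match current agreement URL \[([^\]]+)\]")

def agreement_from_error(code, body):
    """If registration was rejected for a stale agreement URL, return the URL the CA wants."""
    if code != 400:
        return None
    try:
        err = json.loads(body)
    except ValueError:
        return None
    if err.get("type") != "urn:acme:error:malformed":
        return None
    match = _MISMATCH.search(err.get("detail", ""))
    return match.group(1) if match else None
```

If the directory lookup and the error both name the same URL, the script is fine and the remaining failure is elsewhere (for example the challenge download problem discussed below in the thread).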
It doesn’t work for me. I’m still getting this error:
admin@Xroklaus:~ $ sudo yunohost domain cert-renew --force
Error: Wrote file to /tmp/acme-challenge-public/TH6t-IY0aBep7n4SYY_twgopTqaLyAKb7hsPVm6r6JE, but couldn't download http://duniter-folatt.nohost.me/.well-known/acme-challenge/TH6t-IY0aBep7n4SYY_twgopTqaLyAKb7hsPVm6r6JE
Error: Certificate renewing for duniter-folatt.nohost.me failed !
Error: Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
    _fetch_and_enable_new_certificate(domain, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 567, in _fetch_and_enable_new_certificate
    'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed
Error: [Errno 22] Signing the new certificate failed
It worked for me too! However, before running:
yunohost domain cert-install
I tried to install the certificate through the web admin interface, and it didn’t work.
Thanks a lot!
Yes, sorry, I was not blaming you. That’s actually pretty cool to take the time to explain this. I just thought @folaht will be trying this at some point, so I thought I’d elaborate a bit.
admin@Xroklaus:/tmp $ sudo touch /tmp/acme-challenge-public/toto
admin@Xroklaus:/tmp $ sudo wget http://duniter-folatt.nohost.me/.well-known/acme-challenge/toto
--2017-11-27 18:43:40-- http://duniter-folatt.nohost.me/.well-known/acme-challenge/toto
Resolving duniter-folatt.nohost.me (duniter-folatt.nohost.me)... my.ip.v.4
Connecting to duniter-folatt.nohost.me (duniter-folatt.nohost.me)|my.ip.v.4|:80... connected.
HTTP request sent, awaiting response... 302 Moved Temporarily
Location: https://duniter-folatt.nohost.me/yunohost/admin [following]
--2017-11-27 18:43:40-- https://duniter-folatt.nohost.me/yunohost/admin
Connecting to duniter-folatt.nohost.me (duniter-folatt.nohost.me)|my.ip.v.4|:443... connected.
ERROR: The certificate of ‘duniter-folatt.nohost.me’ is not trusted.
ERROR: The certificate of ‘duniter-folatt.nohost.me’ hasn't got a known issuer.
The certificate's owner does not match hostname ‘duniter-folatt.nohost.me’
Instead of just commenting out a line, I’ve completely uninstalled Duniter.
Uninstalling duniter does not work either.
I still get the same error.
[update]
I think I just figured out what I’m doing wrong.
I have two servers and Let’s Encrypt is fetching them over IPv4.
Looks like I need to set inet6_only = on in /etc/wgetrc for starters.
[update]
Looks like my domain is not registered as ipv6.
admin@Xroklaus:~ $ sudo wget -6 http://duniter-folatt.nohost.me/.well-known/acme-challenge/toto
--2017-11-28 19:20:08-- http://duniter-folatt.nohost.me/.well-known/acme-challenge/toto
Resolving duniter-folatt.nohost.me (duniter-folatt.nohost.me)... failed: Name or service not known.
wget: unable to resolve host address ‘duniter-folatt.nohost.me’