Let's encrypt certificat renew

,

:uk:/:us:

My YunoHost server

Hardware: Old laptop or computer
YunoHost version: 11.1.2.2 (testing)
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | …

Description of my issue

I can’t renew my “let’s encrypt” certificate.
When I launch :

sudo yunohost domain cert-renew mondomain.fr

I get an error :

Wrote file to /tmp/acme-challenge-public/DMCeuEw10tD-jmuh81Sa2XwlqvuZ3q2LBUeT8HuZbUU, but couldn't download http://muc.mondomain.fr/.well-known/acme-challenge/DMCeuEw10tD-jmuh81Sa2XwlqvuZ3q2LBUeT8HuZbUU: Error:
Url: http://muc.mondomain.fr/.well-known/acme-challenge/DMCeuEw10tD-jmuh81Sa2XwlqvuZ3q2LBUeT8HuZbUU
Data: None
Response Code: None
Response: <urlopen error [Errno 111] Connection refused>
Erreur : Certificate renewing for mondomain.fr failed!

https://paste.yunohost.org/raw/axohobaluk

The resolution name of muc.mondomain.fr works fine. It is the same IP address as mondomain.fr.

I don’t even know what the muc subdomain is for.

Any idea what I can try?

Thanks
Cyril

:fr:

Mon serveur YunoHost

Matériel: Vieil ordinateur
Version de YunoHost: 11.1.2.2 (testing)
J’ai accès à mon serveur : En SSH | Par la webadmin | En direct avec un clavier/écran | …

Description du problème

Je ne parviens pas à renouveler mon certificat “let’s encrypt”.
Quand je lance :

sudo yunohost domain cert-renew mondomain.fr

J’ai l’erreur :

Wrote file to /tmp/acme-challenge-public/DMCeuEw10tD-jmuh81Sa2XwlqvuZ3q2LBUeT8HuZbUU, but couldn't download http://muc.mondomain.fr/.well-known/acme-challenge/DMCeuEw10tD-jmuh81Sa2XwlqvuZ3q2LBUeT8HuZbUU: Error:
Url: http://muc.mondomain.fr/.well-known/acme-challenge/DMCeuEw10tD-jmuh81Sa2XwlqvuZ3q2LBUeT8HuZbUU
Data: None
Response Code: None
Response: <urlopen error [Errno 111] Connection refused>
Erreur : Certificate renewing for mondomain.fr failed!

https://paste.yunohost.org/raw/axohobaluk

Le nom de résolution de muc.mondomain.fr fonctionne bien. C’est bien la même adresse IP que mondomain.fr.

Je ne sais même pas à quoi sert le sous-domaine muc.

Une idée de ce que je peux essayer ?

Merci,
Cyril

Est-ce que tu serais derrière un reverse proxy ou un truc du genre

Je ne suis pas sûr…
Comment je peux vérifier ?

Sur le serveur Yunohost, je n’ai pas touché à la configuration nginx par défaut. J’avais activé la configuration automatique du DNS OVH, mais je ne pense pas que ça change la config du serveur web.

Serait-ce ma box orange qui bloque un truc ?
J’ai bien routé les ports.
Mais elle n’intervient pas dans la résolution de nom …

Hi,

Same problem here. No reverse proxy or whatsoever. I’m hosted on a dedicated server, not behind my home router. I’m on the latest testing version

yunohost: 
  repo: testing
  version: 11.1.3
yunohost-admin: 
  repo: testing
  version: 11.1.3
moulinette: 
  repo: testing
  version: 11.1.2
ssowat: 
  repo: testing
  version: 11.1.2.5

like @Cyril from what I understand from his latest posts.

Hopefully, Certificate Manager <certmanager@domain.tld> sent a mail to root, that I’m sharing it here : hastebin .

It looks like the certificate manager generates a file (/tmp/acme-challenge-public/7ZLfLy_PFrrlvaclfS7O56fX_ZDeenp357BVUo8h-aQ) that still exists on my server but that could not be downloaded afterwards through http://muc.domain.tld/.well-known/acme-challenge/7ZLfLy_PFrrlvaclfS7O56fX_ZDeenp357BVUo8h-aQ, leading to the certification failure.

There is no HTTP response code in the logs, but I suspect some 401, because when I try to fetch to HTTP file now, it redirects me to the Yunohost admin panel. As this problem seems to happen after the latest SSOwat update, I guess it’s a matter of permissions ?

can you try to grep -nr muc.yourdomain.tld /etc/nginx ? It should display the position of the line (which may not be there, and would be symptomatic of a manually modified conf file)

Alternatively you can try disabling XMPP for this domain in the webadmin, Domains > yourdomain.tld > Features > disable xmpp

grep -nr muc.mydomain.tld /etc/nginx returns nothing.

Since I don’t use XMPP I’ve deactivated it. The main domain certificate could be renewed without any error.

Thanks @jeremy1 and @Aleks

I disabled XMPP for this domain and was also able to renew my certificate.

Great!

I’m getting an error about metronome.service failing, this seems logical as it is the IM server. But is it supposed to try to start?

Mise à jour du panneau ‘feature’ de configuration du domaine ‘lalinne.fr

Saving the new configuration...
La configuration a été mise à jour pour 'metronome'
La configuration a été mise à jour pour 'nginx'
Job for metronome.service failed because the control process exited with error code.
See "systemctl status metronome.service" and "journalctl -xe" for details.

Échec de l`exécution du script : '/usr/share/yunohost/hooks/conf_regen/12-metronome'

Config updated as expected

I run grep -nr muc.yourdomain.tld /etc/nginx with and without the XMPP service and I get something strange :

With XMPP activated, it returns nothing.

Without XMPP enabled, it returns : /etc/nginx/conf.d/domain.fr.conf:9: server_name domain.fr xmpp-upload.domain.fr muc.domain.fr;

Isn’t it supposed to be the opposite?

Cyril

I fixed the main issue in this commit.

Should be added in the next release :+1:

3 Likes