Let's Encrypt: unable to generate the certificate for the main domain

Hello!

First of all, thanks for the work done on YunoHost, it's really cool :wink:

I have an installation on an Intel NUC, from the YunoHost ISO, which works very well:

  • at home, with a dynamic DNS from No-IP
  • a main domain: tld.ch
  • a second domain: yuno.tld.ch
  • the apps are reachable without any problem with a Let's Encrypt certificate on the subdomain - yuno.tld.ch
  • emails are handled correctly with addresses of the form name@tld.ch

The problem: impossible to generate a Let's Encrypt certificate for the main domain - tld.ch.

My YunoHost server

Hardware: Intel NUC
YunoHost version: 3.6.4.3
I have access to my server: via SSH and via the webadmin
Are you in a particular context? Dynamic DNS, all ports are "green"
Have you made any particular changes to your instance?: no
There are two domains

  • the main one, which has the problem: tld.ch
  • a second one, a subdomain of the main one: yuno.tld.ch, for which Let's Encrypt is fine

Description of the problem

The problem: impossible to generate a Let's Encrypt certificate for the main domain - tld.ch.

In the error message, the site https://tld.ch/yunohost/admin/ responds 403, even though everything works from the web admin…

The command used:

yunohost domain cert-install tld.ch --no-checks --debug

Does anyone know how to obtain a Let's Encrypt certificate?

Error message

args:
  force: false
  no_checks: true
  staging: false
ended_at: 2019-07-25 13:36:53.655027
error: "Certificate installation for tld.ch failed !\nException: La signature du\
  \ nouveau certificat a \xE9chou\xE9"
operation: letsencrypt_cert_install
related_to:
- - domain
  - tld.ch
started_at: 2019-07-25 13:36:47.161787
success: false

============

2019-07-25 15:36:47,166: DEBUG - Nginx configuration file for ACME challenge already exists for domain, skipping.
2019-07-25 15:36:47,167: DEBUG - Making sure tmp folders exists...
2019-07-25 15:36:47,311: DEBUG - Could not get public IPv6 : URL https://ip6.yunohost.org invalide : ce site existe-t-il ?
2019-07-25 15:36:47,312: DEBUG - Prepare key and certificate signing request (CSR) for tld.ch...
2019-07-25 15:36:48,827: DEBUG - Saving to /tmp/acme-challenge-private/tld.ch.csr.
2019-07-25 15:36:48,828: DEBUG - Now using ACME Tiny to sign the certificate...
2019-07-25 15:36:48,828: INFO - Parsing account key...
2019-07-25 15:36:48,843: INFO - Parsing CSR...
2019-07-25 15:36:48,858: INFO - Found domains: tld.ch
2019-07-25 15:36:48,859: INFO - Getting directory...
2019-07-25 15:36:49,097: INFO - Directory found!
2019-07-25 15:36:49,098: INFO - Registering account...
2019-07-25 15:36:49,621: INFO - Already registered!
2019-07-25 15:36:49,622: INFO - Creating new order...
2019-07-25 15:36:50,129: INFO - Order created!
2019-07-25 15:36:50,361: INFO - Verifying tld.ch...
2019-07-25 15:36:53,323: ERROR - Challenge did not pass for tld.ch: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/nMVP0unDrb-suG9D_wuShVLj5i9M3h83U9Kj8tznuIA/18712629583', u'token': u'-ExtHhgDIi7SFQMiS3OOsLaAEvOmaP6kZ2C2RK5D0lo', u'type': u'tls-alpn-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/nMVP0unDrb-suG9D_wuShVLj5i9M3h83U9Kj8tznuIA/18712629584', u'token': u'I_zQWgG5mwH0mWwuLgnORwIUXrT-7WQAGam77Pr3mEM', u'type': u'dns-01'}, {u'status': u'invalid', u'validationRecord': [{u'url': u'http://tld.ch/.well-known/acme-challenge/eCe-RPNTnEDaSQNTBcO1Dy1XfV2Uh3oO43bGYS2t9Nk', u'hostname': u'tld.ch', u'addressUsed': u'178.194.196.121', u'port': u'80', u'addressesResolved': [u'178.194.196.121']}, {u'url': u'https://tld.ch/yunohost/admin', u'hostname': u'tld.ch', u'addressUsed': u'178.194.196.121', u'port': u'443', u'addressesResolved': [u'178.194.196.121']}, {u'url': u'https://tld.ch/yunohost/admin/', u'hostname': u'tld.ch', u'addressUsed': u'178.194.196.121', u'port': u'443', u'addressesResolved': [u'178.194.196.121']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/nMVP0unDrb-suG9D_wuShVLj5i9M3h83U9Kj8tznuIA/18712629585', u'token': u'eCe-RPNTnEDaSQNTBcO1Dy1XfV2Uh3oO43bGYS2t9Nk', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://tld.ch/yunohost/admin/ [178.194.196.121]: "<!DOCTYPE html>\\n<html lang=\\"en\\">\\n<head>\\n    <meta charset=\\"utf-8\\">\\n    <title>YunoHost admin</title>\\n    <meta http-equiv=\\"cache"'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'tld.ch'}, u'expires': u'2019-08-01T13:36:50Z'}
2019-07-25 15:36:53,491: WARNING - Debug information:
 - domain ip from DNS        178.194.196.121
 - domain ip from local DNS  127.0.1.1
 - public ip of the server   178.194.196.121

2019-07-25 15:36:53,653: WARNING - Debug information:
 - domain ip from DNS        178.194.196.121
 - domain ip from local DNS  127.0.1.1
 - public ip of the server   178.194.196.121

2019-07-25 15:36:53,654: ERROR - Certificate installation for tld.ch failed !
Exception: La signature du nouveau certificat a échoué

Try typing: yunohost domain cert-install tld.ch --force --no-checks

Hey, sorry, my french is -100000.

I ran dig +short tld.ch and I get 212.114.33.4. When I visit tld.ch in the browser I get sent to https://www.is-fun.de/domains/. So, I think you have not configured your DNS A record to point to the IP address of your NUC Intel?

This would explain the 403 - Let’s Encrypt knows that you are not controlling this “is-fun.de” domain and / or the certificate is already generated for this “is-fun.de” domain anyway.

Hope it helps!


Hello,
thanks for the suggestion. Unfortunately it changes nothing ;-(

I left the real domain name in, in case that helps.

Thanks,
Marc

args:
  force: true
  no_checks: true
  staging: false
ended_at: 2019-07-26 07:38:21.890712
error: "Certificate installation for sm-ci.ch failed !\nException: La signature du\
  \ nouveau certificat a \xE9chou\xE9"
operation: letsencrypt_cert_install
related_to:
- - domain
  - sm-ci.ch
started_at: 2019-07-26 07:38:15.647246
success: false

============

2019-07-26 09:38:15,651: DEBUG - Nginx configuration file for ACME challenge already exists for domain, skipping.
2019-07-26 09:38:15,652: DEBUG - Making sure tmp folders exists...
2019-07-26 09:38:15,796: DEBUG - Could not get public IPv6 : URL https://ip6.yunohost.org invalide : ce site existe-t-il ?
2019-07-26 09:38:15,797: DEBUG - Prepare key and certificate signing request (CSR) for sm-ci.ch...
2019-07-26 09:38:16,836: DEBUG - Saving to /tmp/acme-challenge-private/sm-ci.ch.csr.
2019-07-26 09:38:16,837: DEBUG - Now using ACME Tiny to sign the certificate...
2019-07-26 09:38:16,838: INFO - Parsing account key...
2019-07-26 09:38:16,854: INFO - Parsing CSR...
2019-07-26 09:38:16,871: INFO - Found domains: sm-ci.ch
2019-07-26 09:38:16,872: INFO - Getting directory...
2019-07-26 09:38:17,118: INFO - Directory found!
2019-07-26 09:38:17,119: INFO - Registering account...
2019-07-26 09:38:17,600: INFO - Already registered!
2019-07-26 09:38:17,602: INFO - Creating new order...
2019-07-26 09:38:18,383: INFO - Order created!
2019-07-26 09:38:18,618: INFO - Verifying sm-ci.ch...
2019-07-26 09:38:21,558: ERROR - Challenge did not pass for sm-ci.ch: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://sm-ci.ch/.well-known/acme-challenge/7ThnNdDg7_-s5kOqEARsxhso4an1itJNpshv7KyCKdg', u'hostname': u'sm-ci.ch', u'addressUsed': u'178.194.196.121', u'port': u'80', u'addressesResolved': [u'178.194.196.121']}, {u'url': u'https://sm-ci.ch/yunohost/admin', u'hostname': u'sm-ci.ch', u'addressUsed': u'178.194.196.121', u'port': u'443', u'addressesResolved': [u'178.194.196.121']}, {u'url': u'https://sm-ci.ch/yunohost/admin/', u'hostname': u'sm-ci.ch', u'addressUsed': u'178.194.196.121', u'port': u'443', u'addressesResolved': [u'178.194.196.121']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/I8PU4tbP1XDKMQu5L1RxtgipaOmaSwuE1eMehPR11A8/18741852580', u'token': u'7ThnNdDg7_-s5kOqEARsxhso4an1itJNpshv7KyCKdg', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://sm-ci.ch/yunohost/admin/ [178.194.196.121]: "<!DOCTYPE html>\\n<html lang=\\"en\\">\\n<head>\\n    <meta charset=\\"utf-8\\">\\n    <title>YunoHost admin</title>\\n    <meta http-equiv=\\"cache"'}, u'type': u'http-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/I8PU4tbP1XDKMQu5L1RxtgipaOmaSwuE1eMehPR11A8/18741852582', u'token': u'BCNPMau3KJ1ZCOurddAI13t1u6g_RY3JXslLiYWFeP8', u'type': u'dns-01'}, {u'status': u'invalid', u'url': u'https://acme-v02.api.letsencrypt.org/acme/challenge/I8PU4tbP1XDKMQu5L1RxtgipaOmaSwuE1eMehPR11A8/18741852583', u'token': u'k9mAC9GaETBlM_ZBLGh1eSa7Xgyhf4iyIRGof4z3im4', u'type': u'tls-alpn-01'}], u'identifier': {u'type': u'dns', u'value': u'sm-ci.ch'}, u'expires': u'2019-08-02T07:38:18Z'}
2019-07-26 09:38:21,732: WARNING - Debug information:
 - domain ip from DNS        178.194.196.121
 - domain ip from local DNS  127.0.1.1
 - public ip of the server   178.194.196.121

2019-07-26 09:38:21,889: WARNING - Debug information:
 - domain ip from DNS        178.194.196.121
 - domain ip from local DNS  127.0.1.1
 - public ip of the server   178.194.196.121

2019-07-26 09:38:21,890: ERROR - Certificate installation for sm-ci.ch failed !
Exception: La signature du nouveau certificat a échoué

Hello,

sorry but “tld.ch” was an obfuscated tld name, not the real one…

BR,
Marc

Shows that:

“Invalid response from https://sm-ci.ch/yunohost/admin/ [178.194.196.121]: "<!DOCTYPE html>\n<html lang=\"en\">\n<head>\n    <meta charset=\"utf-8\">\n    <title>YunoHost admin</title>\n    <meta http-equiv=\"cache"”

It appears that Yunohost is giving a redirect instead of responding to the challenge. I have not used this CLI command before, so I am not sure what is going on :confused:
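The validationRecord quoted above can be read mechanically rather than by eye. Below is an added example (not YunoHost or acme-tiny code) that parses the "Challenge did not pass" log line from the first post and classifies the failure as DNS pointing elsewhere, the web server redirecting the challenge URL, or a bad response on the right path; the embedded LOG_LINE is a trimmed transcription of that log, and the server IP passed in is the "public ip of the server" value it reports.

```python
"""Classify a failed ACME http-01 challenge from a YunoHost cert-install debug log.
Added example, not YunoHost/acme-tiny code; LOG_LINE is a trimmed transcription of
the first post's "Challenge did not pass" line, a Python 2 repr of the authz."""
import ast
from urllib.parse import urlparse

LOG_LINE = (
    "2019-07-25 15:36:53,323: ERROR - Challenge did not pass for tld.ch: "
    "{u'status': u'invalid', u'identifier': {u'type': u'dns', u'value': u'tld.ch'}, "
    "u'challenges': [{u'status': u'invalid', u'type': u'dns-01', "
    "u'token': u'I_zQWgG5mwH0mWwuLgnORwIUXrT-7WQAGam77Pr3mEM'}, "
    "{u'status': u'invalid', u'type': u'http-01', "
    "u'token': u'eCe-RPNTnEDaSQNTBcO1Dy1XfV2Uh3oO43bGYS2t9Nk', u'validationRecord': ["
    "{u'url': u'http://tld.ch/.well-known/acme-challenge/eCe-RPNTnEDaSQNTBcO1Dy1XfV2Uh3oO43bGYS2t9Nk', "
    "u'hostname': u'tld.ch', u'port': u'80', u'addressUsed': u'178.194.196.121'}, "
    "{u'url': u'https://tld.ch/yunohost/admin', u'port': u'443', u'addressUsed': u'178.194.196.121'}, "
    "{u'url': u'https://tld.ch/yunohost/admin/', u'port': u'443', u'addressUsed': u'178.194.196.121'}], "
    "u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized'}}]}"
)
CHALLENGE_DIR = "/.well-known/acme-challenge/"


def parse_authz(log_line):
    """Extract the authorization dict; u'' string literals are valid Python 3 syntax."""
    return ast.literal_eval(log_line[log_line.index("{"):])


def diagnose_http01(authz, server_public_ip):
    """Report why http-01 failed: verdict is 'dns', 'redirect', 'bad-response' or 'ok'."""
    chal = next(c for c in authz["challenges"] if c["type"] == "http-01")
    records = chal.get("validationRecord", [])
    hops = [r["url"] for r in records]
    expected_path = CHALLENGE_DIR + chal["token"]
    # The CA must have reached this machine; any other address means the A record
    # (or the dynamic-DNS update) is wrong, and the web server is not the issue yet.
    foreign = sorted({r["addressUsed"] for r in records} - {server_public_ip})
    # Each record after the first is a redirect the CA followed. The last URL must
    # still be the token path; otherwise the web server rewrote the request (here it
    # was bounced to the admin page, which answered 403).
    final_path = urlparse(hops[-1]).path if hops else expected_path
    err = chal.get("error") or {}
    if foreign:
        verdict = "dns"
    elif final_path != expected_path:
        verdict = "redirect"
    elif err:
        verdict = "bad-response"
    else:
        verdict = "ok"
    return {"verdict": verdict, "foreign_addresses": foreign, "redirect_chain": hops,
            "expected_path": expected_path, "final_path": final_path,
            "ca_status": err.get("status")}


if __name__ == "__main__":
    print(diagnose_http01(parse_authz(LOG_LINE), "178.194.196.121"))
```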
