MIGRATION from one machine to another: How can I migrate the certificates?

My YunoHost server

Hardware: Raspberry Pi 3 at home, migrating to a Rock64
YunoHost version: Up to date
I have access to my server: Through SSH and webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance?: not really, I'm migrating to new hardware

Description of my issue

Hi all,

I've got a question: I was using a Raspberry Pi 3 and I'm now migrating to another machine: a Rock64 with 4 GB of RAM.

For some reason that I don't understand, it seems impossible to generate new certificates for my domain on this machine.
I cannot try it from the webadmin, as it says that it's not set up properly and so cannot be done.
In the command line, I get an error with a timeout…

I won't paste it here, because my question is just about the certificates :slight_smile:
Is it possible to transfer the SSL certificates from one machine to another?
If yes, how could I do that, as I have access to both machines via SSH?

Thanks very much for your kind help,
Charly

Hi Charly,

Here is the location of the certificates on your YunoHost installation: /etc/yunohost/certs. I guess you can transfer them from one server to the other.

Anyway, I'm not sure it will solve your problem. Indeed, SSL certificates have an expiration date. Sooner or later, you will have to generate a new one…

Sincerely :wink:

Yes exactly… your real issue seems to be that you are not able to generate the certificate on your new machine, so please let's solve that issue instead of a temporary workaround…

Let's Encrypt certificates are meant to be easily renewable, so the preferred solution should be to just have a new certificate on the new machine.

Hi,
Thanks for your answers.
Alright, I'll post the details tomorrow morning about what's going wrong with the certificate generation.
Good night!

Hi everyone,

So, here are some more details about my settings:
- YunoHost installed on a ROCK64
- My domain name is redirected to the public IP of my OpenVPN server
- YunoHost is connected to this VPN server (10.8.0.1) and received a static IP address (10.8.0.2).
- The OpenVPN server iptables firewall is set to forward ports 80 and 443 to the YunoHost at 10.8.0.2
- It worked like a charm with the previous machine (and still works if I connect it to the OpenVPN), so I would say it doesn't come from the DNS or the OpenVPN settings (but of course, I could be wrong)

The problem:
YunoHost has been freshly installed on an ARMbian Stretch, on this ROCK64.
I can reach the web interface of the YunoHost when I type its local IP address in the address bar of Firefox.
I cannot reach it with the domain name when the YunoHost is connected to the OpenVPN server: I get a security message (see below).
I cannot reach it with the domain name if I modify /etc/hosts of my personal computer with 192.168.1.103 (local IP of the YunoHost) domain.name.ltd

Firefox displays a security message, and I just don't have the option to add an exception or anything:
Connexion bloquée : problème de sécurité potentiel

Firefox a détecté une menace potentielle de sécurité et a interrompu le chargement de my.domain.fr, car ce site web nécessite une connexion sécurisée.

Que pouvez-vous faire ?

my.domain.fr a recours à une stratégie de sécurité HTTP Strict Transport Security (HSTS), une connexion sécurisée est obligatoire pour y accéder. Vous ne pouvez pas ajouter d’exception pour visiter ce site.

Le problème vient probablement du site web, donc vous ne pouvez pas y remédier.

Si vous naviguez sur un réseau d’entreprise ou si vous utilisez un antivirus, vous pouvez contacter les équipes d’assistance pour obtenir de l’aide. Vous pouvez également signaler le problème aux personnes qui administrent le site web

Quelqu’un pourrait être en train d’essayer d’usurper l’identité du site. Vous ne devriez pas poursuivre.

Les sites web justifient leur identité par des certificats. Firefox ne fait pas confiance à my.domain.fr, car l’émetteur de son certificat est inconnu, le certificat est auto-signé ou le serveur n’envoie pas les certificats intermédiaires corrects.


Code d’erreur : SEC_ERROR_UNKNOWN_ISSUER

And finally, in the web administration page of the YunoHost, I cannot issue the certificate:
Ce domaine ne semble pas prêt pour installer un certificat Let’s Encrypt. Veuillez vérifier votre configuration DNS et l’accessibilité HTTP de votre serveur.

With the command line:

root@box:~# yunohost domain cert-install my.domain.fr
Info: Now attempting install of certificate for domain my.domain.fr!
Traceback (most recent call last):
  File "/usr/bin/yunohost", line 214, in <module>
    timeout=opts.timeout,
  File "/usr/lib/python2.7/dist-packages/moulinette/__init__.py", line 136, in cli
    moulinette.run(args, output_as=output_as, password=password, timeout=timeout)
  File "/usr/lib/python2.7/dist-packages/moulinette/interfaces/cli.py", line 425, in run
    ret = self.actionsmap.process(args, timeout=timeout)
  File "/usr/lib/python2.7/dist-packages/moulinette/actionsmap.py", line 523, in process
    return func(**arguments)
  File "/usr/lib/moulinette/yunohost/domain.py", line 237, in domain_cert_install
    return yunohost.certificate.certificate_install(domain_list, force, no_checks, self_signed, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 145, in certificate_install
    domain_list, force, no_checks, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 297, in _certificate_install_letsencrypt
    _display_debug_information(domain)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 884, in _display_debug_information
    local_dns_ip = _get_local_dns_ip(domain)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 873, in _get_local_dns_ip
    answers = resolver.query(domain, "A")
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 949, in query
    timeout = self._compute_timeout(start)
  File "/usr/lib/python2.7/dist-packages/dns/resolver.py", line 858, in _compute_timeout
    raise Timeout(timeout=duration)
dns.exception.Timeout: The DNS operation timed out after 30.0024559498 seconds

Thanks very much in advance for your kind help :slight_smile:
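The traceback above dies in resolver.query(domain, "A") after a 30 s timeout, meaning the new box's DNS resolver never answered at all. Here is a small diagnostic for that step on its own (an added example, not YunoHost or dnspython code): it sends one A query over UDP to a resolver address you pass in, with a 5 s timeout, and parses the answer. It assumes the resolver is reachable on UDP port 53 and that you pass its address explicitly, for instance the first nameserver from /etc/resolv.conf.

```python
"""Minimal DNS A-record lookup over UDP with a short, explicit timeout. Added
diagnostic example, not YunoHost or dnspython code; see lead-in for assumptions."""
import random
import socket
import struct

def build_query(domain, qid):
    """Standard query: 12-byte header (RD set), QNAME labels, QTYPE=A, QCLASS=IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = domain.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(msg, offset):
    while True:  # return the offset just past a name; a 2-byte pointer ends it
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            return offset + 2
        if length == 0:
            return offset + 1
        offset += 1 + length

def parse_a_records(msg, qid):
    """Return the IPv4 strings of the A records in a response to query id qid."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != qid:
        raise ValueError("response id does not match query id")
    if flags & 0x000F:  # RCODE != 0, e.g. NXDOMAIN or SERVFAIL
        raise ValueError("resolver returned RCODE %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        offset = _skip_name(msg, offset) + 4
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(msg, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:  # A record; CNAME and others are skipped
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs

def resolve_a(domain, nameserver, timeout=5.0):
    """One UDP query to nameserver:53; raises socket.timeout if nothing comes back."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, qid), (nameserver, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data, qid)
```

If the query to the server's configured resolver times out while the same query to another resolver answers, the fault is the new box's DNS configuration (or the VPN not passing UDP/53), not the domain's public records.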

If it can help, this is the message displayed by Firefox when I click on advanced:

https://my.domain.fr/

L’autorité de délivrance du certificat du pair n’est pas reconnue.

HTTP Strict Transport Security : true

HTTP Public Key Pinning : false

Chaîne de certificat :


I just realized that I can reach the YunoHost by typing the public IP address of my domain in the address bar of Firefox (but not with the domain name).

Thanks again!

Hello,
I'm not an expert, I don't know if this will help you, but it looks like a DNS problem.
If it worked before, maybe recheck the internal routes and restore /etc/hosts to its original state.
I'm, however, intrigued that your YunoHost configuration and OpenVPN have 2 different addresses: wouldn't there be redirection problems there?
Have a good day.

Hi and thanks very much for your interest,

Well, that's what I was thinking too, but:
- A ping to my domain name responds with the (correct) public IP of the OpenVPN server
- I can reach the YunoHost with the public IP of the OpenVPN server.

And these settings are working nicely with the Raspberry.

Something must be wrong somewhere :face_with_monocle:

No idea, but one lead: could it be from IPv6?

I'm a bit late here now, but I followed the https://yunohost.org/#/backup documentation. It's possible to do a full system backup and then, if you see the "Restoring during the postinstall" step, you can restore it completely on the new machine. I ran this recently and it worked well. All the certificates were taken with me.

Well, I tried it at the beginning and it didn't work.
But now that you've mentioned it, I think about it and the reason why it failed was the SD card…
I'll try this way.
I'm moving to a different country, so I'll try from there in 1 or 2 months.
I'll let you know!

Thanks !


:vulcan_salute:
