[SOLVED] LE certificate renewal - Error: [Errno 22]

Hello,
I can't renew my LE certificate, even though I haven't changed my DNS zone or anything else… any idea why? oO
Thanks

admin@Yunohost:~$ sudo yunohost domain cert-renew
Error: Certificate renewing for vincentux.fr failed !
Error: Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 380, in certificate_renew
    _check_domain_is_ready_for_ACME(domain)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 826, in _check_domain_is_ready_for_ACME
    'certmanager_domain_not_resolved_locally', domain=domain))
MoulinetteError: [Errno 22] The domain vincentux.fr cannot be resolved from inside your Yunohost server. This might happen if you recently modified your DNS record. If so, please wait a few hours for it to propagate. If the issue persists, consider adding vincentux.fr to /etc/hosts. (If you know what you are doing, use --no-checks to disable those checks.)

Error: [Errno 22] The domain vincentux.fr cannot be resolved from inside your Yunohost server. This might happen if you recently modified your DNS record. If so, please wait a few hours for it to propagate. If the issue persists, consider adding vincentux.fr to /etc/hosts. (If you know what you are doing, use --no-checks to disable those checks.)

and the cert-status command:

admin@Yunohost:~$ sudo yunohost domain cert-status
certificates: 
  duniter-g1.vincentux.fr: 
    CA_type: Let's Encrypt
    summary: About to expire
    validity: 9
  ffsync.vincentux.fr: 
    CA_type: Let's Encrypt
    summary: About to expire
    validity: 3
  gtest.vincentux.fr: 
    CA_type: Let's Encrypt
    summary: CRITICAL
    validity: -64
  searx.vincentux.fr: 
    CA_type: Let's Encrypt
    summary: About to expire
    validity: 3
  social.vincentux.fr: 
    CA_type: Let's Encrypt
    summary: CRITICAL
    validity: -1
  vincentux.fr: 
    CA_type: Let's Encrypt
    summary: About to expire
    validity: 3

Hi,

are you on 2.6.4?

What does python -c "import socket; print socket.gethostbyname('vincentux.fr')" return?

Otherwise, have you tried with --no-checks?

Hi @CaptainSqrt2,

so the command
python -c "import socket; print socket.gethostbyname('vincentux.fr')
returns nothing for me…

and here is the result of the command
sudo yunohost domain cert-renew --no-checks

admin@Yunohost:~$ sudo yunohost domain cert-renew --no-checks
Error: Wrote file to /tmp/acme-challenge-public/XzVOHMVMuyVfY8LZZxSeIVNCOXbNshUVERshJu5iGHw, but couldn't download http://vincentux.fr/.well-known/acme-challenge/XzVOHMVMuyVfY8LZZxSeIVNCOXbNshUVERshJu5iGHw
Error: Certificate renewing for vincentux.fr failed !
Error: Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 382, in certificate_renew
    _fetch_and_enable_new_certificate(domain, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 564, in _fetch_and_enable_new_certificate
    'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed

Erf, that's weird :confused: Didn't you forget the " at the end?

You are on 2.6.4, right?

Oops, indeed I had forgotten it, here is the output:

163.172.180.43

and I am indeed on 2.6.4

Okay,

that's weird then, because it doesn't match the IP the DNS points to… Do you know what this IP could correspond to? A stray line in /etc/hosts maybe? Otherwise you can try searching with grep -nr "163.172.180.43" /etc/

sudo grep -nr "163.172.180.43" /etc/
/etc/dnsmasq.d/social.vincentux.fr:1:address=/social.vincentux.fr/163.172.180.43
/etc/dnsmasq.d/gtest.vincentux.fr:1:address=/gtest.vincentux.fr/163.172.180.43
/etc/dnsmasq.d/searx.vincentux.fr:1:address=/searx.vincentux.fr/163.172.180.43
/etc/dnsmasq.d/duniter-g1.vincentux.fr:1:address=/duniter-g1.vincentux.fr/163.172.180.43
/etc/dnsmasq.d/ffsync.vincentux.fr:1:address=/ffsync.vincentux.fr/163.172.180.43
/etc/dnsmasq.d/vincentux.fr:1:address=/vincentux.fr/163.172.180.43

no idea where this IP comes from

Hm okay,

and if you try to regenerate the dnsmasq conf, does that change anything in /etc/dnsmasq.d/?

yunohost service regen-conf dnsmasq (possibly with --force afterwards)

admin@Yunohost:~$ sudo yunohost service regen-conf dnsmasq
Success! The configuration has been updated for service 'dnsmasq'
dnsmasq: 
  applied: 
    /etc/dnsmasq.d/duniter-g1.vincentux.fr: 
      status: updated
    /etc/dnsmasq.d/ffsync.vincentux.fr: 
      status: updated
    /etc/dnsmasq.d/gtest.vincentux.fr: 
      status: updated
    /etc/dnsmasq.d/searx.vincentux.fr: 
      status: updated
    /etc/dnsmasq.d/social.vincentux.fr: 
      status: updated
    /etc/dnsmasq.d/vincentux.fr: 
      status: updated
    /etc/resolv.dnsmasq.conf: 
      status: updated
  pending: 

that did put the right IP back
I'm re-running
sudo yunohost domain cert-renew

You wouldn't happen to have a dynamic IP (or one likely to change regularly)? I think we haven't really taken this case into account so far in what manages dnsmasq :confused:

Edit: but cool that it worked! :wink:

Almost, I still have an error:
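
Added example, not part of the original thread and not YunoHost code: a Python 3 check for the failure found above, where the per-domain files in /etc/dnsmasq.d/ pin a domain to an IP that is no longer the server's. The function names are chosen here, and the temporary directory with its three files is constructed sample data modelled on the grep output, with 51.15.211.242 (the address in the later debug output) used as the expected IP.

```python
import ipaddress
import tempfile
from pathlib import Path


def parse_address_line(line):
    """Return (domains, ip) for a dnsmasq 'address=/dom[/dom...]/ip' line, else None."""
    line = line.strip()
    if not line.startswith("address=/"):
        return None
    parts = line[len("address="):].split("/")
    domains, target = [d for d in parts[1:-1] if d], parts[-1]
    try:
        return domains, ipaddress.ip_address(target)
    except ValueError:
        return None  # '#', empty target, etc.: not a fixed-IP override


def find_stale_overrides(conf_dir, expected_ip):
    """List (file, line number, domain, ip) entries pinned to another IP."""
    expected = ipaddress.ip_address(expected_ip)
    stale = []
    for path in sorted(Path(conf_dir).iterdir()):
        if not path.is_file():
            continue
        for lineno, line in enumerate(path.read_text().splitlines(), 1):
            parsed = parse_address_line(line)
            if parsed is None:
                continue
            domains, ip = parsed
            # Compare within one address family only (IPv4 with IPv4).
            if ip.version == expected.version and ip != expected:
                stale.extend((path.name, lineno, d, str(ip)) for d in domains)
    return stale


def demo():
    """Constructed sample: two stale files and one current file."""
    with tempfile.TemporaryDirectory() as d:
        Path(d, "vincentux.fr").write_text("address=/vincentux.fr/163.172.180.43\n")
        Path(d, "social.vincentux.fr").write_text("address=/social.vincentux.fr/163.172.180.43\n")
        Path(d, "ffsync.vincentux.fr").write_text("address=/ffsync.vincentux.fr/51.15.211.242\n")
        return find_stale_overrides(d, "51.15.211.242")


if __name__ == "__main__":
    for name, lineno, domain, ip in demo():
        print(f"{name}:{lineno}: {domain} -> {ip} (stale)")
```

On a real server, pass /etc/dnsmasq.d and the current public IP to `find_stale_overrides`; any entry it reports makes the local resolver disagree with public DNS until the dnsmasq configuration is regenerated.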

admin@Yunohost:~$ sudo yunohost domain cert-renew
Success! Successfully renewed Let's Encrypt certificate for domain vincentux.fr!
Error: Certificate renewing for gtest.vincentux.fr failed !
Error: Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 380, in certificate_renew
    _check_domain_is_ready_for_ACME(domain)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 812, in _check_domain_is_ready_for_ACME
    if not _dns_ip_match_public_ip(public_ip, domain):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 836, in _dns_ip_match_public_ip
    'certmanager_error_no_A_record', domain=domain))
MoulinetteError: [Errno 22] No DNS 'A' record found for gtest.vincentux.fr. You need to make your domain name point to your machine to be able to install a Let's Encrypt certificate! (If you know what you are doing, use --no-checks to disable those checks.)

Error: [Errno 22] No DNS 'A' record found for gtest.vincentux.fr. You need to make your domain name point to your machine to be able to install a Let's Encrypt certificate! (If you know what you are doing, use --no-checks to disable those checks.)
Success! Successfully renewed Let's Encrypt certificate for domain searx.vincentux.fr!
Success! Successfully renewed Let's Encrypt certificate for domain ffsync.vincentux.fr!
Success! Successfully renewed Let's Encrypt certificate for domain social.vincentux.fr!
Success! Successfully renewed Let's Encrypt certificate for domain duniter-g1.vincentux.fr!

Never mind, the “gtest” subdomain no longer exists :sweat_smile:

A big THANK YOU to you :clap: :+1:

:tada: :stuck_out_tongue:

Arf, I don't understand, it's starting again…

So I ran this command again

admin@sc-mastodon:~$ sudo yunohost service regen-conf dnsmasq
Success! The configuration has been updated for service 'dnsmasq'
dnsmasq: 
  applied: 
    /etc/resolv.dnsmasq.conf: 
      status: updated
  pending: 

but the following command doesn't work :confused:

admin@sc-mastodon:~$ sudo yunohost domain cert-renew
Success! Successfully renewed Let's Encrypt certificate for domain rss.vincentux.fr!
Error: Wrote file to /tmp/acme-challenge-public/x_qZUhuRNg1W7O7xl-FbXBQcrdjYdA7JvEFrj01o4B4, but couldn't download http://mail.vincentux.fr/.well-known/acme-challenge/x_qZUhuRNg1W7O7xl-FbXBQcrdjYdA7JvEFrj01o4B4
Warning: Debug information:
 - domain ip from DNS        51.15.211.242
 - domain ip from local DNS  51.15.211.242
 - public ip of the server   51.15.211.242

Error: Certificate renewing for mail.vincentux.fr failed !
Error: Traceback (most recent call last):
  File "/usr/lib/moulinette/yunohost/certificate.py", line 381, in certificate_renew
    _fetch_and_enable_new_certificate(domain, staging)
  File "/usr/lib/moulinette/yunohost/certificate.py", line 567, in _fetch_and_enable_new_certificate
    'certmanager_cert_signing_failed'))
MoulinetteError: [Errno 22] Signing the new certificate failed

Error: [Errno 22] Signing the new certificate failed
Success! Successfully renewed Let's Encrypt certificate for domain ffsync.vincentux.fr!

Is there a way to delete the certificate and then reinstall it?

Do you have an application installed at the root of your domain?

Meaning???
https://vincentux.fr/app or https://app.vincentux.fr ???

actually I have both…

Meaning, do you automatically land on an app when you go to “mail.vincentux.fr”? :wink:

What I have in mind is that you may need to apply this patch manually: https://github.com/YunoHost/yunohost/pull/428/files
to /etc/nginx/conf.d/mail.vincentux.fr/000-acmechallenge.conf

on that link I land on the Roundcube app.

I'll try the change,
here is my file /etc/nginx/conf.d/mail.vincentux.fr.d/000-acmechallenge.conf once modified.

location ^~ '/.well-known/acme-challenge'
{
        default_type "text/plain";
        alias /tmp/acme-challenge-public/;
}

So after an nginx reload

sudo systemctl reload nginx.service

the following command finally goes through

admin@sc-mastodon:~$ sudo yunohost domain cert-renew
Success! Successfully renewed Let's Encrypt certificate for domain mail.vincentux.fr!

Once again a big THANK YOU :hugs::star_struck: