Hello and thanks for all the hard work! I’m having trouble setting up Let’s Encrypt certs and I’m not sure at all where to go next. Any nudge in the right direction would be greatly appreciated
My YunoHost server
Hardware: Raspberry Pi 3
YunoHost version: 4.3.6.2
I have access to my server : Through SSH | through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : yes
If yes, please explain:
My connection doesn’t allow NAT, so my yunohost server is connected to another network through VPN. The connection is managed by the “VPN Client” application available in yunohost. The VPN itself is on another raspberry pi which is reachable through a public IP (82.123.aaa.bbb) and redirects the necessary ports to my yunohost setup. I have tried two types of redirections for 80 and 443 ports: either redirecting all the trafic through NAT (with ip-table) or redirecting only requests to specific subdomains through an apache reverse proxy. In both cases I’m able to reach my yunohost server.
Description of my issue
To get help efficiently, please explain what you are trying to achieve, in which context, what you tried and provide detailed error messages and logs if you can.
I’m trying to install Let’s Encrypt SSL certs. I’ve first tried to use the web console but then switched to SSH to know exactly what commands I run. Regardless of which subdomain I try and if redirect all traffic through NAT or just the traffic to the subdomains through the reverse proxy, I get the same behavior:
´´´admin@yuno:~ $ sudo yunohost domain cert install cork.simonpicard.eu --no-checks
Info: Now attempting install of certificate for domain cork.simonpicard.eu!
Info: Parsing account key…
Info: Parsing CSR…
Info: Found domains: cork.simonpicard.eu
Info: Getting directory…
Info: Directory found!
Info: Registering account…´´´
At this point it hangs for a long time. I usually ^C after a few tens of minutes but I once let it run through the night and it ended up failing after almost exactly 8 hours with the following log: https://paste.yunohost.org/raw/inevidegog
I have looked a bit around and my understanding is that an invalid anti-replay nonce happens after the challenge has expired, which is consistent with the command failing after 8 hours. However I don’t know where to look. My understanding is that certbot should take over the nginx server and serve the challenge at domain.tld/.well-known/something so I tried to access this while running this command at as close intervals as my browser’s refresh would allow and saw my regular yunohost interface, I’m not sure how relevant that test is as I’m assuming the process could take a very short time that I couldn’t capture but who knows. Anyway, if anyone has an idea of what I could try or useful resources I’d be very interested!
Thanks for the help Jarod. I have tried this and unfortunately the result was similar to previous attempt. I let it run for 45 minutes before ^C, here is the log:
Yes, I did run a diagnostic that can be found here: hastebin. There are a few errors related to mail and xmpp, whichi I’m not planning to use and which in my understanding shouldn’t interfere with let’s encrypt, and a few DNS errors on some subdomains, but the one I’m working on right now is cork.simonpicard.eu which doesn’t have errors that should be an issue if I understand correctly. Thanks for your help!
I’m not using xmpp since it’s crashing and I never found a solution. But letsencrypt generation required me to add the xmpp hosts line even though I don’t use it
So I’ve set up all the suggested DNS and redirected all the corresponding ports, includig for xmpp and mail, and still no dice. Unfortunately I don’t have more time right now, so I settled for a temporary workaround, if it’s useful to anybody:
-installed certbot
-shutdown nginx with sudo service nginx stop
-get certbot to obtain a certificate and configure it for nginx with sudo certbot --standalone --installer nginx
Following that nginx wasn’t able to restart but rebooting the server fixed it. So far my website is able to use the cert correctly, but:
-it is not recognised in yunohost’s interface so it may be overridden with a self-signed certificate
-since it requires nginx to be shut down renewal will be more complicated to setup
-it’s not working out of the box
So all in all I foresee some level trouble but it will do as a temporary workaround. Thanks again for your help jarod, I might post again if I have more time or if I find a solution.
Note of interest: before using certbot’s standalone server I tried to use the nginx plugin which failed with the following error: nginx: [emerg] “server_names_hash_bucket_size” directive in etc/nginx/conf.d/ssowat.conf:3
This file’s line 3 was the following: server_names_hash_bucket_size 128;
and I wasn’t able to locate any related instructions somewhere else in the conf.d.
Nit sure if it is related to the main issue at all, just thought I’d notice in case it’s useful for somebody.
