Mailinglist Archive: opensuse (621 mails)

Re: [opensuse] certbot error
On Sat, 8 Jun 2019 02:11:24 -0500
"David C. Rankin" <drankinatty@xxxxxxxxxxxxxxxxxx> wrote:

> On 06/07/2019 04:05 PM, Dave Howorth wrote:
>> I just decided to see if I could set up HTTPS on the Apache
>> server(s) on my private LAN. I installed certbot (Leap 15.0) but I
>> got an error when I ran it:
>>
>> # certbot --apache
>> Saving debug log to /var/log/certbot/letsencrypt.log
>> Plugins selected: Authenticator apache, Installer apache
>> Enter email address (used for urgent renewal and security notices)
>> (Enter 'c' to cancel): certbot@xxxxxxxxxxxxxx
>>
>> -------------------------------------------------------------------------------
>> Please read the Terms of Service at
>> https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf.
>> You must agree in order to register with the ACME server at
>> https://acme-v01.api.letsencrypt.org/directory
>> -------------------------------------------------------------------------------
>> (A)gree/(C)ancel: A
>> An unexpected error occurred:
>> The server experienced an internal error :: Unable to update
>> registration Please see the logfiles in /var/log/certbot for more
>> details.
>>
>> The contents of the log are just under 15000 bytes from that
>> session! The error seems to start at:
>
> <snip>
>
> I don't know what the exact error with the spaghetti spew of ....py
> files is, but most likely culprits are generally:
>
> 1) your system isn't reachable over port 80 (required for writing to
> /var/lib/letsencrypt/ during cert creation); or
>
> 2) your firewall is blocking port 80 leading to 1) above.
>
> Certbot is the way to go. I was so happy to get off self-signed
> certs, and it is deadbang easy to do. I had fits with one server due
> to a router config not passing port 80 (which is how I found out
> about this problem). Double check and make sure everything is
> configured as needed:
>
> https://wiki.archlinux.org/index.php/Certbot
>
> I can't believe I didn't do it sooner. You can also set up a service
> or cron job to update the certs when needed. (but make sure you don't
> have 3 failures in 24 hours, or so, or you will be blocked from
> getting (or updating) certs until the next Monday)

Thanks, David, and the others who replied. I certainly hope my system
is not reachable over port 80. I run the router in stealth mode and am
concerned that it is still responding to pings and IDENTs.

I didn't realize my system needed to be visible. My whole purpose was
to be able to use HTTPS on my internal network without any external
connections. I suppose I need to do a lot more reading.
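
An added example, not part of the original thread: a wrapper for the renewal cron job mentioned in the quoted reply that stops retrying once a failure budget is spent. The budget of 3 failures in 24 hours is the figure quoted above, treated here as a configurable assumption; the script path and state file location are hypothetical.

```shell
#!/bin/sh
# Added example: renewal wrapper that refuses to retry after repeated failures.
# MAX_FAILS and WINDOW follow the figure quoted in the thread ("3 failures in
# 24 hours"); they are assumptions, not Let's Encrypt's published limits.
MAX_FAILS=${MAX_FAILS:-3}
WINDOW=${WINDOW:-86400}          # seconds

# recent_failures STATE_FILE NOW
# Prints how many recorded failure timestamps (epoch seconds, one per line)
# fall inside the window ending at NOW.
recent_failures() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk -v now="$2" -v win="$WINDOW" \
        '$1 ~ /^[0-9]+$/ && now - $1 < win { n++ } END { print n + 0 }' "$1"
}

# guarded_renew STATE_FILE NOW CMD [ARGS...]
# Returns 0 if CMD succeeded, 1 if it failed (the failure is recorded),
# 2 if CMD was not run because the failure budget is already used up.
guarded_renew() {
    state=$1; now=$2; shift 2
    if [ "$(recent_failures "$state" "$now")" -ge "$MAX_FAILS" ]; then
        echo "renewal skipped: $MAX_FAILS failures within ${WINDOW}s" >&2
        return 2
    fi
    if "$@"; then
        return 0
    fi
    echo "$now" >> "$state"      # remember when this attempt failed
    return 1
}

# Entry point for cron, e.g. every six hours (hypothetical path):
#   0 */6 * * * /usr/local/sbin/renew-guard.sh --run
if [ "${1:-}" = "--run" ]; then
    guarded_renew /var/lib/renew-guard.failures "$(date +%s)" \
        certbot renew --quiet
fi
```

A return code of 2 means certbot was not contacted at all, so a monitoring job can alert on it and someone can read the certbot log before the next attempt.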

