I just decided to see if I could set up HTTPS on the Apache server(s) on my private LAN. I installed certbot (Leap 15.0) but I got an error when I ran it:

# certbot --apache
Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): certbot@howorth.org.uk

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
An unexpected error occurred:
The server experienced an internal error :: Unable to update registration
Please see the logfiles in /var/log/certbot for more details.

The contents of the log are just under 15000 bytes from that session! The error seems to start at:

2019-06-07 21:57:08,381:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/reg/58775261 HTTP/1.1" 500 107
2019-06-07 21:57:08,382:DEBUG:acme.client:Received response:
HTTP 500
Server: nginx
Content-Type: application/problem+json
Content-Length: 107
Boulder-Requester: 58775261
Replay-Nonce: mEggCvGs9jNQkdzADeFIjybA87yrXSm3jK2rYlucpdM
Expires: Fri, 07 Jun 2019 20:57:08 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Fri, 07 Jun 2019 20:57:08 GMT
Connection: close

{
  "type": "urn:acme:error:serverInternal",
  "detail": "Unable to update registration",
  "status": 500
}
2019-06-07 21:57:08,382:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.24.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1315, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1072, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 637, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 516, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 166, in register
    regr = perform_registration(acme, config, tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 190, in perform_registration
    tos_cb)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 838, in new_account_and_tos
    return self.client.agree_to_tos(regr)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 292, in agree_to_tos
    regr.update(body=regr.body.update(agreement=regr.terms_of_service)))
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 110, in update_registration
    updated_regr = self._send_recv_regr(regr, body=body)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 76, in _send_recv_regr
    response = self._post(regr.uri, body)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 95, in _post
    return self.net.post(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1185, in post
    return self._post_once(*args, **kwargs)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1202, in _post_once
    response = self._check_response(response, content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 1054, in _check_response
    raise messages.Error.from_json(jobj)
Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Unable to update registration
2019-06-07 21:57:08,404:ERROR:certbot.log:An unexpected error occurred:
2019-06-07 21:57:08,405:ERROR:certbot.log:The server experienced an internal error :: Unable to update registration
/var/log/certbot/letsencrypt.log lines 130-185/185 (END)

Does anybody have any idea what it all means?

Yours, Puzzled

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 06/07/2019 04:05 PM, Dave Howorth wrote:
I just decided to see if I could set up HTTPS on the Apache server(s) on my private LAN. I installed certbot (Leap 15.0) but I got an error when I ran it:
# certbot --apache
Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): certbot@howorth.org.uk

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
An unexpected error occurred:
The server experienced an internal error :: Unable to update registration
Please see the logfiles in /var/log/certbot for more details.
The contents of the log are just under 15000 bytes from that session! The error seems to start at:
<snip>

I don't know what the exact error with the spaghetti spew of ....py files is, but most likely culprits are generally:

1) your system isn't reachable over port 80 (required for writing to /var/lib/letsencrypt/ during cert creation); or
2) your firewall is blocking port 80 leading to 1) above.

Certbot is the way to go. I was so happy to get off self-signed certs, and it is deadbang easy to do. I had fits with one server due to a router config not passing port 80 (which is how I found out about this problem). Double check and make sure everything is configured as needed:

https://wiki.archlinux.org/index.php/Certbot

I can't believe I didn't do it sooner. You can also set up a service or cron job to update the certs when needed. (but make sure you don't have 3 failures in 24 hours, or so, or you will be blocked from getting (or updating) certs until the next Monday)

--
David C. Rankin, J.D.,P.E.
On Sat, 8 Jun 2019 02:11:24 -0500 "David C. Rankin" <drankinatty@suddenlinkmail.com> wrote:
On 06/07/2019 04:05 PM, Dave Howorth wrote:
I just decided to see if I could set up HTTPS on the Apache server(s) on my private LAN. I installed certbot (Leap 15.0) but I got an error when I ran it:
# certbot --apache
Saving debug log to /var/log/certbot/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Enter email address (used for urgent renewal and security notices) (Enter 'c' to cancel): certbot@howorth.org.uk

-------------------------------------------------------------------------------
Please read the Terms of Service at
https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf. You must
agree in order to register with the ACME server at
https://acme-v01.api.letsencrypt.org/directory
-------------------------------------------------------------------------------
(A)gree/(C)ancel: A
An unexpected error occurred:
The server experienced an internal error :: Unable to update registration
Please see the logfiles in /var/log/certbot for more details.
The contents of the log are just under 15000 bytes from that session! The error seems to start at:
<snip>
I don't know what the exact error with the spaghetti spew of ....py files is, but most likely culprits are generally:
1) your system isn't reachable over port 80 (required for writing to /var/lib/letsencrypt/ during cert creation); or
2) your firewall is blocking port 80 leading to 1) above.
Certbot is the way to go. I was so happy to get off self-signed certs, and it is deadbang easy to do. I had fits with one server due to a router config not passing port 80 (which is how I found out about this problem). Double check and make sure everything is configured as needed:
https://wiki.archlinux.org/index.php/Certbot
I can't believe I didn't do it sooner. You can also set up a service or cron job to update the certs when needed. (but make sure you don't have 3 failures in 24 hours, or so, or you will be blocked from getting (or updating) certs until the next Monday)
Thanks, David, and the others who replied. I certainly hope my system is not reachable over port 80. I run the router in stealth mode and am concerned that it is still responding to pings and IDENTs.

I didn't realize my system needed to be visible. My whole purpose was to be able to use HTTPS on my internal network without any external connections. I suppose I need to do a lot more reading.
Dave Howorth wrote:
I didn't realize my system needed to be visible. My whole purpose was to be able to use HTTPS on my internal network without any external connections. I suppose I need to do a lot more reading.
If you're really just going to use it internally, the self-signed method might be easier. _might_ - it is very easy with LetsEncrypt too.

LetsEncrypt uses domain-validation when issuing certificates. One method is "http-01", which means you (i.e. certbot) write a string accessible by your webserver, which can then be read externally, i.e. by LetsEncrypt. Another method is dns-01, similar idea but via DNS.

--
Per Jessen, Zürich (19.1°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 06/08/2019 05:22 AM, Dave Howorth wrote:
Thanks, David, and the others who replied. I certainly hope my system is not reachable over port 80. I run the router in stealth mode and am concerned that it is still responding to pings and IDENTs.
I didn't realize my system needed to be visible. My whole purpose was to be able to use HTTPS on my internal network without any external connections. I suppose I need to do a lot more reading.
You only need port 80 up during cert creation (and then once every 3 months thereafter for update). Once the certs are installed, you can disable port 80 again.

I use mod rewrite to force all traffic to 443 (which was another layer of failure I found :)

--
David C. Rankin, J.D.,P.E.
David C. Rankin wrote:
On 06/08/2019 05:22 AM, Dave Howorth wrote:
Thanks, David, and the others who replied. I certainly hope my system is not reachable over port 80. I run the router in stealth mode and am concerned that it is still responding to pings and IDENTs.
I didn't realize my system needed to be visible. My whole purpose was to be able to use HTTPS on my internal network without any external connections. I suppose I need to do a lot more reading.
You only need port 80 up during cert creation (and then once every 3 months thereafter for update). Once the certs are installed, you can disable port 80 again.
I use mod rewrite to force all traffic to 443 (which was another layer of failure I found :)
I always add this condition:

RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge

--
Per Jessen, Zürich (18.4°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
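Two points in this thread are easy to get wrong in practice: what the "string accessible by your webserver" in Per's description of http-01 (and the DNS equivalent for dns-01) actually is, and why the challenge path has to be exempted from an HTTP-to-HTTPS rewrite. The following is an added example written for this thread; it is not certbot, Apache or Let's Encrypt code. It models the ACME challenge values from RFC 8555 section 8 and RFC 7638, and a plain-HTTP router that behaves like a RewriteRule to https:// guarded by the RewriteCond above. SAMPLE_JWK is a constructed placeholder key, and the names ChallengeResponder, key_authorization and dns01_txt_value are this example's own.

```python
"""Model of ACME http-01 / dns-01 challenge values and of the port-80 routing
rule "serve /.well-known/acme-challenge/<token>, redirect everything else".
Added example for this thread; not certbot, Apache or Let's Encrypt code.
SAMPLE_JWK is a constructed placeholder, not a real account key."""
import base64
import hashlib
import json
import re

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"
# ACME tokens are base64url characters only; anything else is rejected, so a
# file-backed responder can never be steered outside the challenge directory.
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]+")

# Constructed placeholder account key (public part as a JWK).  Real RSA keys
# are 2048 bits or more; these short values only serve the example.
SAMPLE_JWK = {"kty": "RSA", "n": "0vx7agoebGcQSuuPiLJXZpt", "e": "AQAB"}


def b64url(data: bytes) -> str:
    """base64url without padding, as ACME uses throughout."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only,
    lexicographically ordered, with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The http-01 string certbot writes: <token>.<account key thumbprint>.
    The CA fetches it over plain HTTP on port 80, which is why the thread
    says port 80 must be reachable while the certificate is issued."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_txt_value(token: str, jwk: dict) -> str:
    """For dns-01 the _acme-challenge TXT record carries
    base64url(SHA-256(key authorization)) instead; no inbound port is needed."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return b64url(digest)


class ChallengeResponder:
    """Models the port-80 virtual host: serve pending challenges, redirect the
    rest.  Equivalent to a RewriteRule to https:// preceded by
    RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge"""

    def __init__(self, host: str, jwk: dict):
        self.host = host
        self.jwk = jwk
        self.pending = {}  # token -> key authorization

    def add_challenge(self, token: str) -> str:
        if not TOKEN_RE.fullmatch(token):
            raise ValueError("token is not base64url")
        ka = key_authorization(token, self.jwk)
        self.pending[token] = ka
        return ka

    def route(self, path: str):
        """Return (status, body or Location) for a request on http://<host>."""
        if path.startswith(CHALLENGE_PREFIX):
            token = path[len(CHALLENGE_PREFIX):]
            if not TOKEN_RE.fullmatch(token) or token not in self.pending:
                return 404, ""
            return 200, self.pending[token]
        # Everything else goes to HTTPS.  Without the exemption above, the
        # challenge URL would be redirected too and validation would fail.
        return 301, f"https://{self.host}{path}"


if __name__ == "__main__":
    token = "constructed-token-not-from-a-real-CA"  # constructed sample value
    responder = ChallengeResponder("www.example.com", SAMPLE_JWK)
    print("http-01 body:", responder.add_challenge(token))
    print("dns-01 TXT  :", dns01_txt_value(token, SAMPLE_JWK))
    print(responder.route(CHALLENGE_PREFIX + token))
    print(responder.route("/index.html"))
```

The routing function is the whole point of the RewriteCond: the CA's validator follows the plain-HTTP URL it was given, so a blanket redirect to 443 sends it to a host whose certificate does not exist yet. The token check also matters for a real file-based responder, which otherwise serves whatever path follows the prefix.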
On 06/08/2019 01:54 PM, Per Jessen wrote:
David C. Rankin wrote:
On 06/08/2019 05:22 AM, Dave Howorth wrote:
Thanks, David, and the others who replied. I certainly hope my system is not reachable over port 80. I run the router in stealth mode and am concerned that it is still responding to pings and IDENTs.
I didn't realize my system needed to be visible. My whole purpose was to be able to use HTTPS on my internal network without any external connections. I suppose I need to do a lot more reading.
You only need port 80 up during cert creation (and then once every 3 months thereafter for update). Once the certs are installed, you can disable port 80 again.
I use mod rewrite to force all traffic to 443 (which was another layer of failure I found :)
I always add this condition:
RewriteCond %{REQUEST_URI} !^/.well-known/acme-challenge
That's a keeper! Thanks.

--
David C. Rankin, J.D.,P.E.
Dave Howorth wrote:
I just decided to see if I could set up HTTPS on the Apache server(s) on my private LAN. I installed certbot (Leap 15.0) but I got an error when I ran it:
# certbot --apache
I am not familiar with that particular mode, is this the initial registration?
The contents of the log are just under 15000 bytes from that session! The error seems to start at:
2019-06-07 21:57:08,381:DEBUG:urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/reg/58775261 HTTP/1.1" 500 107
2019-06-07 21:57:08,382:DEBUG:acme.client:Received response:
HTTP 500
Server: nginx
It looks like the registration code at letsencrypt had a problem.
{ "type": "urn:acme:error:serverInternal", "detail": "Unable to update registration", "status": 500 }
I googled that - certbot Unable to update registration - there were a few hits, but nothing recent.

--
Per Jessen, Zürich (14.9°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.