Error when generating certificate "for some reason could not reach..." #57
I'm assuming you have modified the config file to correct it for your domain. The process of obtaining a certificate works by placing a file in http://example.com/.well-known/acme-challenge/xxxx where example.com is your domain name and xxxx is a "random" string. getssl then checks (using curl) that it can reach the specified file - in your case it can't. If you create the folder .well-known/acme-challenge and a file (say "test") with content "success" in it, can you then reach it in your browser at yourdomain.com/.well-known/acme-challenge/test ?
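The manual check described in the reply above, written out as an added example (this is not getssl's own code): for each name it drops a throwaway token into that name's challenge directory, fetches it back over plain HTTP with the same curl options getssl uses for its own check (`--user-agent`, `--insecure`, `--location`), and removes it again. A FAIL here is the same condition getssl reports as "for some reason could not reach". The names and web-root paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not part of getssl: a by-hand HTTP-01 pre-flight.
# One <fqdn>:<web_root> pair per name, like one ACL entry per name in getssl.cfg.

# A 43-character base64url string, the shape of a real ACME http-01 token.
new_token() {
  head -c 32 /dev/urandom | base64 | tr '+/' '-_' | tr -d '=\n'
}

# The URL the CA's validator (and getssl's curl check) will request.
challenge_url() {   # challenge_url <fqdn> <token>
  printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Write <token> as the content of <dir>/<token>. <dir> must be the
# .well-known/acme-challenge directory under the web root that serves the name;
# the file is made world-readable because the CA fetches it anonymously.
stage_token() {   # stage_token <dir> <token>
  case $1 in
    */.well-known/acme-challenge) ;;
    *) echo "refusing: $1 does not end in /.well-known/acme-challenge" >&2; return 2 ;;
  esac
  mkdir -p "$1" || return 1
  printf '%s' "$2" > "$1/$2" && chmod 644 "$1/$2"
}

# Fetch the token back. Succeeds only on HTTP 200 with a body that is exactly
# the token; a 404, a redirect to a login page, or an index page served in
# place of the file is reported with status code and body.
verify_token() {   # verify_token <fqdn> <token>
  url=$(challenge_url "$1" "$2")
  body=$(mktemp) || return 1
  code=$(curl --silent --show-error --user-agent "getssl/v2.47" --insecure --location \
              --output "$body" --write-out '%{http_code}' "$url") || code=000
  got=$(cat "$body"); rm -f "$body"
  if [ "$code" = "200" ] && [ "$got" = "$2" ]; then
    echo "OK   $url"
  else
    echo "FAIL $url (HTTP $code, body: '$got')" >&2
    return 1
  fi
}

# preflight <fqdn>:<web_root> ...  Returns the number of names that failed.
preflight() {
  failed=0
  for pair in "$@"; do
    fqdn=${pair%%:*}; dir=${pair#*:}/.well-known/acme-challenge
    token=$(new_token)
    if stage_token "$dir" "$token"; then
      verify_token "$fqdn" "$token" || failed=$((failed + 1))
      rm -f "$dir/$token"
    else
      failed=$((failed + 1))
    fi
  done
  return $failed
}

# Usage (assumed names and paths):
#   sh preflight.sh example.com:/var/www/example.com/web www.example.com:/var/www/example.com/web
if [ $# -gt 0 ]; then preflight "$@"; fi
```

`--location` and `--insecure` are kept deliberately: a web server that redirects port 80 to HTTPS with a self-signed or expired certificate still passes getssl's check, and the CA's validator also follows redirects, so the pre-flight should not be stricter than the real check.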
I created the folders and the page is displayed correctly. You are right, the config is modified for my domain, but only changing the example.com to my domain. What other changes are necessary so that the script works smoothly? I didn't quite get the ssh and ftp sections of the config file.
The "ftp / ssh" section of the config file, I assume you mean, is where you define the ACL (the acme challenge location). This should be defined as
where '/var/www/example.com/web/.well-known/acme-challenge' is the location where you placed the test file. It's defined twice, once for the domain and the second time for the www.domain (assuming that those are the two FQDNs you want on the certificate). Not knowing your configuration I don't know if this is just '/var/www/.well-known/acme-challenge' or some other location .... it's whatever it is in your server config.
It worked for me if I made the ACL in the root of my web-folder, like this:
Correct, it should be your web root, followed by .well-known/acme-challenge (I just don't know what the web root location is on a specific setup).
I figured it out quickly, but maybe something like this will clue people in:
of course, then you will have people complaining that they cannot find a folder called /path/to/your/website/folder |
Good point, thanks :) I'll update the wiki, and change the default comments in the config file.
That's much more clear, thank you very much!
This still isn't exactly helpful. Where are you supposed to define the ACL key/value pair?
Does the wiki help - https://github.com/srvrco/getssl/wiki/Config-variables

The ACME Challenge Location for the domain and each SAN. These are included in quotes, so for a main domain and a single SAN it would look like:

```sh
ACL=('/var/www/example.com/web/.well-known/acme-challenge' 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')
```

These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. You can use "ssh:servername:" at the start of any remote server location that you have ssh access to. If a location for a file starts with ftp: or sftp: then the next variables are userid:password:servername:path. sftp requires sshpass and can be used for copying certificates and keys. These are defined in the getssl.cfg file.
Sorry, no. I'm using Google App Engine, and don't have SSH access. I was trying to use Let's Encrypt manually and adding the appropriate challenge files in accordance with this thread: certbot/certbot#1480 I was having an issue because I'm trying to generate the certificate on my Macbook to upload to GAE, and once doing the manual challenge verification, it seemed to be having a problem verifying with Let's Encrypt. I found a thread where you were recommending getssl as a solution to that problem (https://community.letsencrypt.org/t/generate-certificate-on-local-machine/19945). But I now realise that either SSH or FTP is required in order to add the challenge? Is there any way to do it manually?
The DNS challenge would be the best (if you have an API for your DNS, then you can automate it). To complete it manually it would need the script modifying slightly - or there are a couple of alternate clients - https://letsencrypt.org/docs/client-options/ - that can be done via the browser which are completely manual.
I am having a similar problem. I have root access to the server and can ssh to the user accounts using their passwords. In the example configuration file below I have named my main server 'somedomain' and the virtual domain 'anotherdomain'. When I run ./getssl somedomain.net without the virtual domain the certificate is generated for the main domain, but when I add the virtual domain to the file I get 'getssl: for some reason could not reach http://anotherdomain.net/.well-known/acme-challenge/[code]'. I have tried sftp with the userid and password in the script with the same result.

If I manually copy the files from home/www/somedomain/.well-known/acme-challenge/ to /home/www/anotherdomain/.well-known/acme-challenge/ the code will show in the URL - so there are no restrictions there.

Here is an example of my script:

```sh
# Comment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
#AGREEMENT="https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
#Set an email address associated with your account - generally set at account level rather than domain.
***@***.***"
ACCOUNT_KEY_LENGTH=4096
ACCOUNT_KEY="/root/.getssl/account.key"
PRIVATE_KEY_ALG="rsa"
SANS=www.somedomain.net,anotherdomain.com,www.anotherdomain.com'
ACL=('/home/somedomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     'ssh:somedomain.net:/home/somedomain/www/.well-known/acme-challenge'
     '***@***.***:/home/anotherdomain/www/.well-known/acme-challenge')
#Enable use of a single ACL for all checks
USE_SINGLE_ACL="true"
#SKIP_HTTP_TOKEN_CHECK="true"
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/usr/local/ssl/somedomain.crt"
DOMAIN_KEY_LOCATION="/usr/local/ssl/somedomain.key"
CA_CERT_LOCATION="/usr/local/ssl/somedomain_chain.crt"
#DOMAIN_CHAIN_LOCATION="" # this is the domain cert and CA cert
#DOMAIN_KEY_CERT_LOCATION="" # this is the domain_key and domain cert
#DOMAIN_PEM_LOCATION="" # this is the domain_key. domain cert and CA cert
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="systemctl restart apache2"
# The time period within which you want to allow renewal of a certificate
# this prevents hitting some of the rate limits.
RENEW_ALLOW="30"
# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
CHECK_REMOTE="true"
# Use the following 3 variables if you want to validate via DNS
#VALIDATE_VIA_DNS="true"
#DNS_ADD_COMMAND=
#DNS_DEL_COMMAND=
AUTH_DNS_SERVER="nameserver1.somedomain.net nameserver2.somedomain.net"
#DNS_WAIT=10
#DNS_EXTRA_WAIT=60
```
I might be able to help you with this one.
Now is it okay if I confirm a few things with you first?
Your domain name for the certificate, plus all your additional domains in the SAN, must match the ACL.
There must be a one-to-one ratio here. It looks to me like you have your "domain" then 3 more in the SAN, but you have, what, 5 in the ACL?
There is an extra one in the ACL.
You see, GetSSL matches the "common name" domain and each of the SAN entries to the ACL for uploading the verification files. If it can not match them one to one there will be an error, which is expected.
For debug purposes, switch the script to "staging", since with staging you can run it a million times to debug it. Then once it works, move it back to live.
Staging will issue you a non-signed cert, so the entire process can run and even install and restart Apache. Just with a non-signed cert.
I am happy to try and help you with this one if you like.
John
I also just noticed...
You have USE_SINGLE_ACL set, which means the ACL can only contain one ACL entry. :)
So it is trying to use the first one.
John
Thank you for your reply, John. In the end I used certbot with the 'certonly' parameter from the command line and that generated a certificate for all the sites on the server. But I would like to understand where I went wrong with the getssl script. I had used many variations that included both use_single_acl off and on as well as the ACL list including the domain plus additional domains. My (mis?)understanding was that there also had to be an ssh directive for each of the additional sites. So are you saying that the ssh directives are not required if the site directive is listed as, e.g., '/home/somedomain/www/.well-known/acme-challenge'? In other words the ssh directive is an alternative? In retrospect that seems logical.
With the ACL...
From your example you had 4 URLs/domains.
However the ACL had 5 entries in it. So the last one would have never been used, only the first 4, and they would have been matched 1-1, 2-2, 3-3, and 4-4. Then the 5th one dropped.
When you selected SINGLE_ACL it would only use the 1st ACL entry for all 4 domain entries, ignoring the last 4.
Make a little more sense? :)
If you look also, the first 3 have no ssh/sftp information to them. They are simply paths on the current server.
Each of your ACL entries must contain how to connect for each of the matching domain entries. Hence the 4 domains can all be located in 4 different locations. Matched to ACL entries 1-1 or many-to-one.
This is what I >believe< was going on, from what I was seeing.
John
Correct. From the wiki - https://github.com/srvrco/getssl/wiki/Config-variables

The ACME Challenge Location for the domain and each SAN. These are included in quotes, so for a main domain and a single SAN it would look like:

```sh
ACL=('/var/www/example.com/web/.well-known/acme-challenge' 'ssh:server5:/var/www/example.com/web/.well-known/acme-challenge')
```

These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge" where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain. You can use "ssh:servername:" or "ssh:user@servername:" at the start for any remote server location that you have ssh access to. If a location for a file starts with ftp: or sftp: then the next variables are userid:password:servername:path. sftp requires sshpass and can be used for copying certificates and keys. If the tokens need to be copied to more than one location, then separate each location with a semi-colon.
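The rules John spelled out above (one ACL entry per name, matched by position; only `ACL[0]` used when `USE_SINGLE_ACL` is on) and the entry formats from the wiki text, turned into a pre-flight linter as an added example. This is not getssl's own code: getssl sources the cfg with bash, while this reads the file as text, so it only understands the plain `VAR=value` and `ACL=( ... )` forms shown in this thread. The two sample configs it writes are constructed from the one posted earlier (the ssh user in the fifth entry is made up).

```shell
#!/bin/sh
# Added example, not part of getssl: lint a per-domain getssl.cfg.
# Checks: (1) without USE_SINGLE_ACL, one ACL entry per FQDN (domain + each SAN);
# (2) with USE_SINGLE_ACL="true" only ACL[0] is used, so extra entries mean the
# other names' tokens are never placed; (3) each entry is an absolute local path
# or a transport prefix (ssh:, sftp:, ftp:, ftps:, ftpes:, davs:) plus a path,
# ending in /.well-known/acme-challenge. Plain ftp: is warned about because the
# password and token cross the network in cleartext; so is the retired ACMEv1 CA URL.

# Print the (last) value assigned to <VAR> in <file>, without quotes or comment.
cfg_value() {   # cfg_value <file> <VAR>
  sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1 |
    sed "s/[[:space:]]*#.*//; s/^['\"]//; s/['\"]\$//"
}

# One ACL entry per line from the single- or multi-line ACL=( ... ) array;
# commented-out lines (the template's example entries) are skipped.
cfg_acl_entries() {   # cfg_acl_entries <file>
  awk '/^[[:space:]]*#/ { next }
       /^[[:space:]]*ACL=\(/ { inacl = 1 }
       inacl { print }
       inacl && /\)/ { inacl = 0 }' "$1" | grep -o "'[^']*'" | tr -d "'"
}

count_nonempty() { awk 'NF { n++ } END { print n + 0 }'; }

# lint_getssl_cfg <domain> <file>: prints findings, returns the error count.
lint_getssl_cfg() {
  domain=$1 cfg=$2 errors=0
  sans=$(cfg_value "$cfg" SANS)
  single=$(cfg_value "$cfg" USE_SINGLE_ACL)
  entries=$(cfg_acl_entries "$cfg")
  n_names=$(printf '%s\n%s\n' "$domain" "$sans" | tr ',' '\n' | count_nonempty)
  n_acl=$(printf '%s\n' "$entries" | count_nonempty)

  case $(cfg_value "$cfg" CA) in
    *acme-v01.*|*acme-staging.api.*)
      echo "WARN: CA points at the retired ACMEv1 endpoint; use acme-v02 / acme-staging-v02" ;;
  esac

  if [ "$single" = "true" ]; then
    if [ "$n_acl" -ne 1 ]; then
      echo "ERROR: USE_SINGLE_ACL=true but ACL has $n_acl entries; only ACL[0] is used, so list one shared location or set USE_SINGLE_ACL=false with one entry per name"
      errors=$((errors + 1))
    fi
  elif [ "$n_acl" -ne "$n_names" ]; then
    echo "ERROR: $n_names names (domain + SANS) but $n_acl ACL entries; each name needs one entry, in the same order"
    errors=$((errors + 1))
  fi

  i=0
  while IFS= read -r entry; do
    [ -n "$entry" ] || continue
    case $entry in
      */.well-known/acme-challenge) ;;
      *) echo "ERROR: ACL[$i] does not end in /.well-known/acme-challenge: $entry"; errors=$((errors + 1)) ;;
    esac
    case $entry in
      /*) ;;                                  # absolute path on this host
      ssh:*|sftp:*|ftps:*|ftpes:*|davs:*) ;;  # remote, encrypted transports
      ftp:*) echo "WARN: ACL[$i] uses plain ftp: the password and token are sent in cleartext" ;;
      *) echo "ERROR: ACL[$i] is neither an absolute path nor a known transport (a relative path is resolved from getssl's working directory, not the web root): $entry"; errors=$((errors + 1)) ;;
    esac
    i=$((i + 1))
  done <<EOF
$entries
EOF
  return $errors
}

# Constructed config modelled on the one posted in this thread: four names,
# five ACL entries, USE_SINGLE_ACL="true". The ssh user is made up.
write_thread_cfg() {   # write_thread_cfg <file>
  cat > "$1" <<'EOF'
CA="https://acme-v01.api.letsencrypt.org"
SANS=www.somedomain.net,anotherdomain.com,www.anotherdomain.com'
ACL=('/home/somedomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     'ssh:somedomain.net:/home/somedomain/www/.well-known/acme-challenge'
     'ssh:user@anotherdomain.net:/home/anotherdomain/www/.well-known/acme-challenge')
USE_SINGLE_ACL="true"
EOF
}

# The same names with one local entry per name, in order, and USE_SINGLE_ACL off.
write_fixed_cfg() {   # write_fixed_cfg <file>
  cat > "$1" <<'EOF'
CA="https://acme-v02.api.letsencrypt.org"
SANS="www.somedomain.net,anotherdomain.com,www.anotherdomain.com"
ACL=('/home/somedomain/www/.well-known/acme-challenge'
     '/home/somedomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge'
     '/home/anotherdomain/www/.well-known/acme-challenge')
USE_SINGLE_ACL="false"
EOF
}

# Usage: lint_getssl_cfg example.com ~/.getssl/example.com/getssl.cfg
# Running this file with the single argument "demo" lints the thread's config.
if [ "${1:-}" = "demo" ]; then
  tmp=$(mktemp); write_thread_cfg "$tmp"; lint_getssl_cfg somedomain.net "$tmp"; rm -f "$tmp"
fi
```

On the thread's config the linter reports the ACMEv1 warning and one error (five entries with `USE_SINGLE_ACL=true`, so tokens for anotherdomain.net never reach `/home/anotherdomain/www`); the fixed config passes with one local entry per name and no ssh entries at all, which is the point the reply above makes.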
Hey all, sorry a bit late to the convo. For some reason, I'm getting the same "for some reason could not reach..." error as above, and "Please check manually". When I check the url manually, the file is there in the public url in the browser. So... not sure why, if I can hit the url manually, getssl would not be able to from the script.

Copying my ***.com/getssl.cfg file for reference. I verified that the path to the acme-challenge folder is correct on my web server by sshing in using that directory path.

.getssl/example.com/.getssl.cfg

```sh
# vim: filetype=sh
# This file is read second (and per domain if running with the -a option)
# and overwrites any settings from the first file
# Uncomment and modify any variables you need
# see https://github.com/srvrco/getssl/wiki/Config-variables for details
# see https://github.com/srvrco/getssl/wiki/Example-config-files for example configs

# The staging server is best for testing
CA="https://acme-staging-v02.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
#CA="https://acme-v02.api.letsencrypt.org"

# Private key types - can be rsa, prime256v1, secp384r1 or secp521r1
PRIVATE_KEY_ALG="rsa"

# Additional domains - this could be multiple domains / subdomains in a comma separated list
# Note: this is Additional domains - so should not include the primary domain.
SANS="www.example.com"

# Acme Challenge Location. The first line for the domain, the following ones for each additional domain.
# If these start with ssh: then the next variable is assumed to be the hostname and the rest the location.
# An ssh key will be needed to provide you with access to the remote server.
# Optionally, you can specify a different userid for ssh/scp to use on the remote server before the @ sign.
# If left blank, the username on the local server will be used to authenticate against the remote server.
# If these start with ftp:/ftpes:/ftps: then the next variables are ftpuserid:ftppassword:servername:ACL_location
# These should be of the form "/path/to/your/website/folder/.well-known/acme-challenge"
# where "/path/to/your/website/folder/" is the path, on your web server, to the web root for your domain.
# ftp: uses regular ftp; ftpes: ftp over explicit TLS (port 21); ftps: ftp over implicit TLS (port 990).
# ftps/ftpes support FTPS_OPTIONS, e.g. to add "--insecure" to the curl command for hosts with self-signed certificates.
# You can also user WebDAV over HTTPS as transport mechanism. To do so, start with davs: followed by username,
# password, host, port (explicitly needed even if using default port 443) and path on the server.
# Multiple locations can be defined for a file by separating the locations with a semi-colon.
ACL=( 'www/example.com/.well-known/acme-challenge'
      'ssh:[email protected]:/www/example.com/.well-known/acme-challenge')
#     'ftp:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge'
#     'davs:davsuserid:davspassword:{DOMAIN}:443:/web/.well-known/acme-challenge'
#     'ftps:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge'
#     'ftpes:ftpuserid:ftppassword:example.com:/web/.well-known/acme-challenge')

# Specify SSH options, e.g. non standard port in SSH_OPTS
# (Can also use SCP_OPTS and SFTP_OPTS)
# SSH_OPTS=-p 12345

# Set USE_SINGLE_ACL="true" to use a single ACL for all checks
USE_SINGLE_ACL="true"

# Preferred Chain - use an different certificate root from the default
# This uses wildcard matching so requesting "X1" returns the correct certificate - may need to escape characters
# Staging options are: "(STAGING) Doctored Durian Root CA X3" and "(STAGING) Pretend Pear X1"
# Production options are: "ISRG Root X1" and "ISRG Root X2"
#PREFERRED_CHAIN="(STAGING) Pretend Pear X1"

# Uncomment this if you need the full chain file to include the root certificate (Java keystores, Nutanix Prism)
#FULL_CHAIN_INCLUDE_ROOT="true"

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/ssl/example.com.crt" # this is domain cert

# The command needed to reload apache / nginx or whatever you use.
# Several (ssh) commands may be given using a bash array:
# RELOAD_CMD=('ssh:[email protected] reload httpd' 'logger getssl for server5 efficient.')

# Uncomment the following line to prevent non-interactive renewals of certificates
#PREVENT_NON_INTERACTIVE_RENEWAL="true"

# Define the server type. This can be https, ftp, ftpi, imap, imaps, pop3, pop3s, smtp,
# smtps_deprecated, smtps, smtp_submission, xmpp, xmpps, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
SERVER_TYPE="https"
########### eof ###########
```

The error reads:

If I manually visit

Note: If I ssh from my machine, a password is required; but I don't see a place in an ssh chain to include a password; also, I can visit the file on www without a password. I see the file contents there. Any ideas much appreciated!
Hi @TheSethness Can you execute this command on the host where you are running getssl and let me know what output you get:

```sh
curl --user-agent "getssl/v2.47" --insecure --location http://example.com/.well-known/acme-challenge/0nvBSZKKxInd2dEeOfzDn63OoTHVlvY4_dNzi9YKgUg
```
Hi @timkimber, thanks for your reply. Sure. The response from the copied command (with my domain in place of "example.com") is the contents of that acme challenge file. The curl works as expected.
myWebsite.com is a valid domain (although apparently not yours). When posting example domains / URLs you shouldn't use someone else's domain. Using example.com is a good substitute if you won't post your own name.
Hey @githubRover much appreciated! I updated the original comment to reflect example.com. :)
@TheSethness The code looks like this:
As the manual check works, I don't see anything that could not be working. Here's what I think is happening.
There are two solutions
Thanks for this advice, Tim. It seems to have allowed for some progress. I'm getting a new error message now that I'm working on. :) Edit: However, when I attempt to visit the site, the browser still tells me it's not secure. I did make sure that the links from the site are all https. Safari shows a lock on it and that it's valid, but Chrome says not secure. Oy. This is the site.
I'm getting an issue when trying to get an SSL certificate; it says:
I'm not sure where the problem is. Here is the configuration file:
```sh
# Uncomment and modify any variables you need
# The staging server is best for testing
#CA="https://acme-staging.api.letsencrypt.org"
# This server issues full certificates, however has rate limits
CA="https://acme-v01.api.letsencrypt.org"
# Additional domains - this could be multiple domains / subdomains in a comma separated list
SANS=www.example.com
# Location for all your certs, these can either be on the server (so full path name) or using ssh as for
# the A$
DOMAIN_CERT_LOCATION="ssh:server5:/etc/ssl/domain.crt"
DOMAIN_KEY_LOCATION="ssh:server5:/etc/ssl/domain.key"
#CA_CERT_LOCATION="/etc/ssl/chain.crt"
#DOMAIN_CHAIN_LOCATION="" this is the domain cert and CA cert
#DOMAIN_PEM_LOCATION="" this is the domain_key. domain cert and CA cert
# Define the server type. This can either be a webserver, ldaps or a port number which
# will be checked for certificate expiry and also will be checked after
# an update to confirm correct certificate is running (if CHECK_REMOTE) is set to true
#SERVER_TYPE="webserver"
#CHECK_REMOTE="true"
```
Hopefully someone here can help with this issue.