Lets Encrypt error /schlägt fehl

Corin · October 17, 2017, 2:40pm

Hey,

i have a problem. i wanted to get a cert for my domain c-corp.org, but i get an error. I use the domain @ univention and @ bought official domain.

log:
Di 17. Okt 16:36:20 CEST 2017
Refreshing certificate for following domains:
c-corp.org
Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying c-corp.org...
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 198, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 194, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    domain, challenge_status))
ValueError: c-corp.org challenge did not pass: {u'status': u'invalid', u'validationRecord': [{u'addressesResolved': [u'89.31.143.1'], u'url': u'http://c-corp.org/.well-known/acme-challenge/uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA', u'hostname': u'c-corp.org', u'addressesTried': [], u'addressUsed': u'89.31.143.1', u'port': u'80'}], u'keyAuthorization': u'uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA.ujbfj-dWNnEvDBsKSX0W6uH1UG2jowDu9XhM75_ugwo', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/uRucso-yLfMsAU0TT79HsWAVFgewpip6Bz9s4e25Mmc/2230547646', u'token': u'uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA', u'error': {u'status': 403, u'type': u'urn:acme:error:unauthorized', u'detail': u'Invalid response from http://c-corp.org/.well-known/acme-challenge/uKLAtj-ulb5zaGMqUcciB2jwGzmCZh3ZdjM6P8QsFqA: "<html>\n<head>\n<meta name="keywords" content=">">\n<meta name="description" content="Domain registriert bei united-domains.de">\n<m"'}, u'type': u'http-01'}

How may i solve it?

audiolinux · October 19, 2017, 2:30pm

Hi Corin,
I guess there already is a ssl encryption activated for that domain.
cheers
Sebastian

peichert · October 19, 2017, 2:51pm

It seems that the DNS-Entry for domain does not point to your System, so the letsencrypt client could not verify the request.

To solve this, change the corresponding DNS records A/Cname to your UCS Systems IP address and make sure that Port 80 is reachable.

Then you could try again with the certificate request.

Corin · October 20, 2017, 11:12am

The Problem was port 80… Port 80 was not to my univention server. Only port 443 was going to my Univention.

Corin · October 23, 2017, 2:38pm

So habe nun in der Fehlerdiagnose leider einen kritischen Fehler.

Das Zertifikat von Lets Encrypt läuft auf dem Server und 443 und 80 sind auf den Server geroutet.

Das hier ist der Fehler (Kritisch und taucht 2 mal auf)
Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed.crt’ gefunden: /etc/univention/letsencrypt/signed.crt: CN = central.domain.org error 20 at 0 depth lookup:unable to get local issuer certificate

Ungültiges Zertifikat ‘/etc/univention/letsencrypt/signed.crt’ gefunden: /etc/univention/letsencrypt/signed.crt: CN = central.domain.org error 20 at 0 depth lookup:unable to get local issuer certificate

peichert · October 24, 2017, 10:43am

If the Lets Encrypt certificate is requested and works in your browser, everything is fine. You could check it with https://www.ssllabs.com

That means that the signing intermediate certificate is unknown to your system. For more about the chain of trust see https://letsencrypt.org/certificates/

To fix this: Add the intermediate letsencrypt certificate to the trusted certificates on your system

ln -s /etc/univention/letsencrypt/intermediate.pem /usr/local/share/ca-certificates/lets-encrypt.crt
update-ca-certificates

Your server will now accept all certificates issued by “Let’s Encrypt Authority X3”. And the above error is gone.