LetsEncrypt App Install failed

I tried to install the LetsEncrypt app for UCS, but during the installation I get an error like this:

Screenshot: [image not included]

Text:
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 149, in get_crt
    raise ValueError("Challenge did not pass for {0}: {1}".format(domain, authorization))
ValueError: Challenge did not pass for buchklub.at: {u'status': u'invalid', u'challenges': [{u'status': u'invalid', u'validationRecord': [{u'url': u'http://buchklub.at/.well-known/acme-challenge/v3CXr0p0XGFI_XUXKhGGRxBPqZvaFvEaFVnOFTcjBcI', u'hostname': u'buchklub.at', u'addressUsed': u'91.221.100.40', u'port': u'80', u'addressesResolved': [u'91.221.100.40']}, {u'url': u'https://www.buchklub.at/.well-known/acme-challenge/v3CXr0p0XGFI_XUXKhGGRxBPqZvaFvEaFVnOFTcjBcI', u'hostname': u'www.buchklub.at', u'addressUsed': u'91.221.100.40', u'port': u'443', u'addressesResolved': [u'91.221.100.40']}, {u'url': u'https://www.buchklub.at/.well-known/acme-challenge/v3CXr0p0XGFI_XUXKhGGRxBPqZvaFvEaFVnOFTcjBcI/', u'hostname': u'www.buchklub.at', u'addressUsed': u'91.221.100.40', u'port': u'443', u'addressesResolved': [u'91.221.100.40']}], u'url': u'https://acme-v02.api.letsencrypt.org/acme/chall-v3/8987652491/XuygEQ', u'token': u'v3CXr0p0XGFI_XUXKhGGRxBPqZvaFvEaFVnOFTcjBcI', u'error': {u'status': 403, u'type': u'urn:ietf:params:acme:error:unauthorized', u'detail': u'Invalid response from https://www.buchklub.at/.well-known/acme-challenge/v3CXr0p0XGFI_XUXKhGGRxBPqZvaFvEaFVnOFTcjBcI/ [91.221.100.40]: "\n\n\n\n<!--[if IE 7]> <html cla"'}, u'type': u'http-01'}], u'identifier': {u'type': u'dns', u'value': u'buchklub.at'}, u'expires': u'2020-12-08T02:31:51Z'}
Setting letsencrypt/status

Does anyone have a solution or an idea what it could be?
After the installation Apache won't start again and I can't create certs…

I would guess that your domain name and IP don't match the UCS system. The “Challenge did not pass” error means the Let's Encrypt servers were not able to contact your UCS system to validate the address, so certs could not be provided.

For that to work, the domain name that is provided to let’s encrypt needs to resolve to the IP address of your UCS system.
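To make the two conditions in this answer checkable before the app is installed or a renewal is attempted, here is an added example (not code from the Univention Let's Encrypt app or from acme_tiny). It does two things: it classifies each candidate domain (rejects suffixes such as .local that public DNS does not carry, and compares the resolved address against the server's public IP), and it reads an ACME authorization object of the kind shown in the traceback above, listing the redirect chain the CA followed, whether a redirect changed the token path, and whether the server answered with an HTML page instead of the key authorization. The function names, the suffix list and the sample authorization (example.org, documentation addresses, a placeholder token) are my own constructions; the resolver is injectable so the checks also run offline.

```python
"""Pre-flight checks for ACME http-01 and a reader for failed authorizations.

Added example for this thread; not part of the Univention Let's Encrypt app
or acme_tiny. Names, suffix list and sample data are constructed here."""
import socket
from typing import Callable, Dict, List, Optional

# Suffixes a public CA can never validate because they are not in public DNS
# (list chosen for this example; extend to taste).
NON_PUBLIC_SUFFIXES = (".local", ".localhost", ".internal", ".lan", ".home")


def _resolve_a(name: str) -> Optional[str]:
    """Default resolver: first IPv4 address for name, or None if unresolvable."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_domain(domain: str, public_ip: str,
                 resolve: Callable[[str], Optional[str]] = _resolve_a) -> Dict[str, str]:
    """Classify one candidate domain before asking the CA for a certificate.

    Verdicts: 'ok', 'non-public suffix', 'unresolvable', 'ip mismatch (...)'."""
    name = domain.strip().lower().rstrip(".")
    if name.endswith(NON_PUBLIC_SUFFIXES):
        return {"domain": name, "verdict": "non-public suffix"}
    ip = resolve(name)
    if ip is None:
        return {"domain": name, "verdict": "unresolvable"}
    if ip != public_ip:
        return {"domain": name, "verdict": f"ip mismatch ({ip} != {public_ip})"}
    return {"domain": name, "verdict": "ok"}


def explain_authorization(authz: dict) -> List[str]:
    """Turn an ACME authorization object (RFC 8555, section 7.1.4) into findings:
    the redirect chain the CA followed, whether the token path was altered on
    the way, and what kind of body the server finally returned."""
    ident = authz.get("identifier", {}).get("value", "?")
    lines = [f"identifier {ident}: status {authz.get('status')}"]
    for ch in authz.get("challenges", []):
        if ch.get("status") != "invalid":
            continue
        lines.append(f"  {ch.get('type')} challenge invalid")
        records = ch.get("validationRecord", [])
        for i, rec in enumerate(records):
            step = "requested" if i == 0 else "redirected to"
            lines.append(f"    {step} {rec['url']} via {rec['addressUsed']}:{rec['port']}")
        if len(records) > 1:
            # Compare the path below /.well-known/ at the start and end of the chain.
            first_path = records[0]["url"].split("/.well-known/", 1)[-1]
            last_path = records[-1]["url"].split("/.well-known/", 1)[-1]
            if first_path != last_path:
                lines.append("    redirect changed the token path (trailing slash or rewrite); "
                             "the CA no longer fetches the token file it asked for")
        err = ch.get("error") or {}
        if err:
            lines.append(f"    error {err.get('status')} {err.get('type')}")
            detail = err.get("detail", "").lower()
            if "<html" in detail or "<!doctype" in detail:
                lines.append("    server answered with an HTML page instead of the key authorization")
    return lines


# Constructed sample, modelled on the shape of the failure in this thread
# (placeholder names, documentation addresses and token; not the poster's data).
SAMPLE_AUTHZ = {
    "identifier": {"type": "dns", "value": "example.org"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid", "token": "TOKEN",
        "validationRecord": [
            {"url": "http://example.org/.well-known/acme-challenge/TOKEN",
             "hostname": "example.org", "addressUsed": "203.0.113.10", "port": "80"},
            {"url": "https://www.example.org/.well-known/acme-challenge/TOKEN",
             "hostname": "www.example.org", "addressUsed": "203.0.113.10", "port": "443"},
            {"url": "https://www.example.org/.well-known/acme-challenge/TOKEN/",
             "hostname": "www.example.org", "addressUsed": "203.0.113.10", "port": "443"},
        ],
        "error": {"status": 403, "type": "urn:ietf:params:acme:error:unauthorized",
                  "detail": 'Invalid response from https://www.example.org/'
                            '.well-known/acme-challenge/TOKEN/ [203.0.113.10]: '
                            '"\\n\\n<!--[if IE 7]> <html cla"'},
    }],
}

if __name__ == "__main__":
    fake_dns = {"example.org": "203.0.113.10", "www.example.org": "203.0.113.10"}
    for d in ("example.org", "mail.example.local", "mail.example.net"):
        print(check_domain(d, "203.0.113.10", resolve=fake_dns.get))
    print("\n".join(explain_authorization(SAMPLE_AUTHZ)))
```

Run the domain check against the list configured in the app settings with the real resolver (drop the `resolve=` argument) from outside the LAN, since an internal resolver may answer for names the Internet cannot see. When the CA's redirect chain ends on a URL whose path differs from the one requested, the fix is on the web server side (the redirect or rewrite rule for /.well-known/acme-challenge/), not in DNS.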

Thank you for the fast reply!

So you mean that there is a problem with the name-resolution from outside the network?

The problem is that there are three domains.
domain.local
domain.net
domain.at

The server looks like it is in the domain *.local:
univention-ldapsearch -s base -LLL dn
dn: dc=domain,dc=local

But I never provided any domain during the installation!

I am not sure how to prevent this…

The domain is set during install. I don’t think there is any provision to change it after the fact. Luckily you can enter multiple domain names you want to use with the Let’s Encrypt app settings so that will probably be fine depending on what you need the certs for.

The main thing is that the external dns needs to point to your UCS external IP and the let’s encrypt servers need to be able to get to the server on the web port to validate that your dns name matches with your server.

Can you reach your server from outside by calling buchklub.at?

Yes! I can ping and reach the server and its web interface with the domain example.buchklub.at!

Basically, the goal is that Outlook internally (example.buchklub.local) and the web interface of the OX-App-Suite (example.buchklub.at) receive a certificate with which they are considered secure!

I will try again to install LetsEncrypt, but I can remember that errors occur when creating certificates for the *.buchklub.at domain, for example.
I can gladly post here which errors occur…

If I try to install now, I have the problem that “apache2” is not starting again (missing file):

[screenshot image not included]

I think something here is totally wrong… the install is already messed up…

You think the:
Response Code: 405
Response: {
"type": "urn:ietf:params:acme:error:malformed",
"detail": "Method not allowed",
"status": 405

comes from the wrong domain? For both, install and uninstall?

Apache Log (service apache2 restart/status)

root@EXAMPLE:~# service apache2 status
● apache2.service - The Apache HTTP Server
Loaded: loaded (/lib/systemd/system/apache2.service; enabled; vendor preset: enabled)
Active: failed (Result: exit-code) since Fri 2021-01-08 14:35:31 CET; 1min 26s ago
Process: 19669 ExecStop=/usr/sbin/apachectl stop (code=exited, status=1/FAILURE)
Process: 19705 ExecStart=/usr/sbin/apachectl start (code=exited, status=1/FAILURE)
Main PID: 20831 (code=exited, status=0/SUCCESS)
CPU: 175ms

Jän 08 14:35:31 EXAMPLE systemd[1]: Starting The Apache HTTP Server…
Jän 08 14:35:31 EXAMPLE apachectl[19705]: AH00526: Syntax error on line 30 of /etc/apache2/sites-enabled/univention-letsencrypt.conf:
Jän 08 14:35:31 EXAMPLE apachectl[19705]: SSLCertificateFile: file '/etc/univention/letsencrypt/signed_chain.crt' does not exist or is empty
Jän 08 14:35:31 EXAMPLE apachectl[19705]: Action 'start' failed.
Jän 08 14:35:31 EXAMPLE apachectl[19705]: The Apache error log may have more information.
Jän 08 14:35:31 EXAMPLE systemd[1]: apache2.service: Control process exited, code=exited status=1
Jän 08 14:35:31 EXAMPLE systemd[1]: Failed to start The Apache HTTP Server.
Jän 08 14:35:31 EXAMPLE systemd[1]: apache2.service: Unit entered failed state.
Jän 08 14:35:31 EXAMPLE systemd[1]: apache2.service: Failed with result 'exit-code'.

Uninstall / Remove LetsEncrypt again

Going to remove Let’s Encrypt (1.2.2-8)
No hostdn for letsencrypt found. Nothing to remove
Configuring letsencrypt=1.2.2-8
Fre Jän 8 14:37:59 CET 2021
Refreshing certificate for following domains:
buchklub.at buchklub.net
Parsing account key…
Parsing CSR…
Found domains: buchklub.at, buchklub.net
Getting directory…
Directory found!
Registering account…
Already registered!
Creating new order…
Order created!
Traceback (most recent call last):
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 197, in <module>
    main(sys.argv[1:])
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 193, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 125, in get_crt
    authorization, _, _ = _do_request(auth_url, err_msg="Error getting challenges")
  File "/usr/share/univention-letsencrypt/acme_tiny.py", line 45, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting challenges:
Url: https://acme-staging-v02.api.letsencrypt.org/acme/authz-v3/185347218
Data: None
Response Code: 405
Response: {
  "type": "urn:ietf:params:acme:error:malformed",
  "detail": "Method not allowed",
  "status": 405
}
Setting letsencrypt/status
Module: ox-config
Paketlisten werden gelesen…
Abhängigkeitsbaum wird aufgebaut…
Statusinformationen werden eingelesen…
Die folgenden Pakete werden ENTFERNT:
univention-letsencrypt
0 aktualisiert, 0 neu installiert, 1 zu entfernen und 28 nicht aktualisiert.

You need to make sure that the domains that are set up to get certs in Let's Encrypt can actually be looked up via DNS and that they point properly to your server. .local domains won't work, so if one is in your Let's Encrypt settings you should take it out.

Not sure what else it would be.

Using wildcard certificates lets you run into trouble.

To retrieve a certificate from Letsencrypt you will need a DNS entry in the Internet.

So you must register “example.buchklub.at” at Letsencrypt.

I think the problem is more or less that the mail server is in the domain “.buchklub.local”, and so LetsEncrypt tries to install a cert for that domain, but this domain is not reachable from outside.
Just the “.buchklub.at” domain is. But I see no way to get around this problem.
LetsEncrypt will always try to install with the server domain, and so it will more or less never work…

The problem is that the installation already fails because of the local domain the server is in at the moment. And because the install ends with the error (see above), including other domains, including the one reachable from outside the internal network, produces errors or does not work correctly.

If I am right, the mail domain must be a .buchklub.at domain.
This can be changed in the UCS web and domain settings: Domain - Email on the Univention web interface.

Create a snapshot/Backup before experimenting with the settings.

Everything points to that… right.
I will try, but I have to check the combination with Active Directory etc. first!
I think this might be the next problem, because the DCs are only responsible for .buchklub.local.
So the users and primary mail addresses would be out of access…
