kosmos.social cert renewal failed due to auth error #110

New Issue

raucao · 2019-10-26T16:56:29Z

raucao commented

2019-10-26 16:56:29 +00:00

systemd alert email:

certbot.service - Certbot
   Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sat 2019-10-26 08:07:28 UTC; 54ms ago
     Docs: file:///usr/share/doc/python-certbot-doc/html/index.html
           https://letsencrypt.readthedocs.io/en/latest/
  Process: 7615 ExecStart=/usr/bin/certbot -q renew (code=exited, status=1/FAILURE)
 Main PID: 7615 (code=exited, status=1/FAILURE)

Oct 26 08:01:24 andromeda systemd[1]: Starting Certbot...
Oct 26 08:07:28 andromeda certbot[7615]: Attempting to renew cert (kosmos.social) from /etc/letsencrypt/renewal/kosmos.social.conf produced an unexpected error: Failed authorization procedure. kosmos.social (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://kosmos.social/.well-known/acme-challenge/Yx3D1DpgmOdjfXciBhkkn4jdMUNi7l7TisNZ1foobar [2a01:4f8:221:39c1::2]: 404. Skipping.
Oct 26 08:07:28 andromeda certbot[7615]: All renewal attempts failed. The following certs could not be renewed:
Oct 26 08:07:28 andromeda certbot[7615]:   /etc/letsencrypt/live/kosmos.social/fullchain.pem (failure)
Oct 26 08:07:28 andromeda certbot[7615]: 1 renew failure(s), 0 parse failure(s)
Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE
Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Failed with result 'exit-code'.
Oct 26 08:07:28 andromeda systemd[1]: Failed to start Certbot.
Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Triggering OnFailure= dependencies.

systemd alert email: ```text certbot.service - Certbot Loaded: loaded (/lib/systemd/system/certbot.service; static; vendor preset: enabled) Active: failed (Result: exit-code) since Sat 2019-10-26 08:07:28 UTC; 54ms ago Docs: file:///usr/share/doc/python-certbot-doc/html/index.html https://letsencrypt.readthedocs.io/en/latest/ Process: 7615 ExecStart=/usr/bin/certbot -q renew (code=exited, status=1/FAILURE) Main PID: 7615 (code=exited, status=1/FAILURE) Oct 26 08:01:24 andromeda systemd[1]: Starting Certbot... Oct 26 08:07:28 andromeda certbot[7615]: Attempting to renew cert (kosmos.social) from /etc/letsencrypt/renewal/kosmos.social.conf produced an unexpected error: Failed authorization procedure. kosmos.social (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://kosmos.social/.well-known/acme-challenge/Yx3D1DpgmOdjfXciBhkkn4jdMUNi7l7TisNZ1foobar [2a01:4f8:221:39c1::2]: 404. Skipping. Oct 26 08:07:28 andromeda certbot[7615]: All renewal attempts failed. The following certs could not be renewed: Oct 26 08:07:28 andromeda certbot[7615]: /etc/letsencrypt/live/kosmos.social/fullchain.pem (failure) Oct 26 08:07:28 andromeda certbot[7615]: 1 renew failure(s), 0 parse failure(s) Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Main process exited, code=exited, status=1/FAILURE Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Failed with result 'exit-code'. Oct 26 08:07:28 andromeda systemd[1]: Failed to start Certbot. Oct 26 08:07:28 andromeda systemd[1]: certbot.service: Triggering OnFailure= dependencies. ```

raucao commented

2019-10-26 16:57:31 +00:00

Current cert is valid until November 24.

greg self-assigned this 2019-10-28 10:09:34 +00:00

greg commented

2019-10-28 10:09:48 +00:00

I found the issue, it was caused by this addition: 10b6f63

+server {
+  listen 80;
+  server_name <%= @server_name %>;
+  return 301 https://$server_name$request_uri;
+}

The certbot vhost (https://gitea.kosmos.org/kosmos/chef/src/branch/master/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb) takes care of pointing requests to .well-known to the static dir where certbot creates the validation file, as well as redirecting to HTTPS. The added lines make every HTTP request redirect to HTTPS. I'm creating a PR now

I found the issue, it was caused by this addition: 10b6f63 ```diff +server { + listen 80; + server_name <%= @server_name %>; + return 301 https://$server_name$request_uri; +} ``` The certbot vhost (https://gitea.kosmos.org/kosmos/chef/src/branch/master/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb) takes care of pointing requests to .well-known to the static dir where certbot creates the validation file, as well as redirecting to HTTPS. The added lines make every HTTP request redirect to HTTPS. I'm creating a PR now

greg referenced this issue from a commit

2019-10-28 10:20:46 +00:00

Remove the redirection from HTTP to HTTPS from the mastodon vhost This is already done in the certbot vhost (https://gitea.kosmos.org/kosmos/chef/src/branch/master/site-cookbooks/kosmos-nginx/templates/default/nginx_conf_certbot.erb) and it redirects every request to HTTPS, breaking Let's Encrypt validation Fixes #110

greg closed this issue

2019-10-30 11:29:59 +00:00

Sign in to join this conversation.

2 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: kosmos/chef#110