Re: [CentOS] letsencrypt error
In article , Jerry Geis wrote:
> Hi Tony,
>
> Thanks for the suggestion https://github.com/srvrco/getssl was not aware of
> that.
> I got so close... It says it loaded the certificate the files are there - I
> edited /etc/httpd/conf.d/ssl.conf and set the two paths to the right file.
> restarted httpd - all seemed good - but when I go to my site it did not work.
> So I re-ran with -f option and I get:
>
> Registering account
> Verify each domain
> Verifying rsd.layeredsolutionsinc.com
> rsd.layeredsolutionsinc.com is already validated
> Verification completed, obtaining certificate.
> Requesting Finalize Link
> Requesting Order Link
> Requesting certificate
> Full certificate saved in /root/.getssl/XX/fullchain.crt
> Certificate saved in /root/.getssl/XX/rsd.layeredsolutionsinc.com.crt
> /root/.getssl/XX/XX.crt didn't match server
> getssl: XX - rsa certificate obtained but certificate on server is
> different from the new certificate
>
> So close...
> Any thoughts on that are appreciated. I did searching and those issues
> don't seem to relate to my case.

Hi Jerry, you need to explore the configuration files. They are in .getssl/getssl.cfg and .getssl//getssl.cfg

First, in .getssl//getssl.cfg you need to tell it where to copy the certificate and key for the web server. They should match what you have in /etc/httpd/conf.d/ssl.conf

Here are my entries as an example:

# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/your.domain.name.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/your.domain.name.key" # this is domain key
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt" # this is CA cert

Then secondly, in the global config .getssl/getssl.cfg you need to tell it how to restart the web server to pick up the new certs, which it will do before testing whether the new certificate is served correctly:

# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="/usr/sbin/apachectl graceful"

I think these are the only changes I made from the defaults.

Cheers
Tony
--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
___
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
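The check described in the reply above (the getssl copy targets have to match the paths in /etc/httpd/conf.d/ssl.conf), as an added example that is not part of the original thread or of getssl. The function names, the pairing of CA_CERT_LOCATION with SSLCertificateChainFile, and the sample files are assumptions constructed for the illustration.

```bash
#!/usr/bin/env bash
# Added example: compare where getssl copies files with what httpd loads.
# Print the value of KEY="value" from a getssl.cfg (commented lines ignored).
cfg_value() {   # $1 = key, $2 = getssl.cfg
    sed -n "s/^[[:space:]]*$1=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" "$2" | tail -n 1
}
# Print the argument of an Apache directive (commented lines ignored).
httpd_value() { # $1 = directive, $2 = ssl.conf
    awk -v d="$1" '$1 == d { v = $2 } END { print v }' "$2"
}
# Return 0 when every pair agrees, 1 otherwise; prints one line per pair.
check_getssl_paths() {  # $1 = per-domain getssl.cfg, $2 = ssl.conf
    local rc=0 pair key directive want have
    for pair in DOMAIN_CERT_LOCATION:SSLCertificateFile \
                DOMAIN_KEY_LOCATION:SSLCertificateKeyFile \
                CA_CERT_LOCATION:SSLCertificateChainFile; do  # assumed pairing
        key=${pair%%:*}; directive=${pair##*:}
        want=$(cfg_value "$key" "$1")
        have=$(httpd_value "$directive" "$2")
        if [ -n "$want" ] && [ "$want" = "$have" ]; then
            echo "OK       $key -> $directive ($want)"
        else
            echo "MISMATCH $key='${want:-unset}' $directive='${have:-unset}'"
            rc=1
        fi
    done
    return $rc
}
# Constructed sample files (not from the thread) so the check runs offline.
demo_dir=$(mktemp -d)
cat > "$demo_dir/getssl.cfg" <<'EOF'
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/your.domain.name.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/your.domain.name.key" # this is domain key
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt" # this is CA cert
EOF
cat > "$demo_dir/ssl-good.conf" <<'EOF'
SSLCertificateFile /etc/pki/tls/certs/your.domain.name.crt
SSLCertificateKeyFile /etc/pki/tls/private/your.domain.name.key
SSLCertificateChainFile /etc/pki/tls/certs/chain.crt
EOF
# Paths that getssl never writes to: httpd keeps serving the old certificate.
cat > "$demo_dir/ssl-stale.conf" <<'EOF'
SSLCertificateFile /etc/pki/tls/certs/localhost.crt
SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
#SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
EOF
check_getssl_paths "$demo_dir/getssl.cfg" "$demo_dir/ssl-good.conf"
check_getssl_paths "$demo_dir/getssl.cfg" "$demo_dir/ssl-stale.conf" || true
```

On a real host the two arguments would be the per-domain getssl.cfg and /etc/httpd/conf.d/ssl.conf; matching paths rule out only the copy step, and RELOAD_CMD still has to run for httpd to pick up the new files.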
Re: [CentOS] letsencrypt error
Hi Tony,

Thanks for the suggestion https://github.com/srvrco/getssl was not aware of that.
I got so close... It says it loaded the certificate the files are there - I edited /etc/httpd/conf.d/ssl.conf and set the two paths to the right file.
restarted httpd - all seemed good - but when I go to my site it did not work.
So I re-ran with -f option and I get:

Registering account
Verify each domain
Verifying rsd.layeredsolutionsinc.com
rsd.layeredsolutionsinc.com is already validated
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Full certificate saved in /root/.getssl/XX/fullchain.crt
Certificate saved in /root/.getssl/XX/rsd.layeredsolutionsinc.com.crt
/root/.getssl/XX/XX.crt didn't match server
getssl: XX - rsa certificate obtained but certificate on server is different from the new certificate

So close...
Any thoughts on that are appreciated. I did searching and those issues don't seem to relate to my case.

Thanks
Jerry
Re: [CentOS] letsencrypt error
On 2/5/21 10:00 AM, Jerry Geis wrote:
> I thought someone would have run into the same issue as I was migrating to this new way of doing things getting letsencrypt working on apache.

I did run into it, just on nginx. That's why I posted the reply.
Re: [CentOS] letsencrypt error
On Fri, Feb 5, 2021 at 9:44 AM Lamar Owen wrote:

> On 2/5/21 7:49 AM, Jerry Geis wrote:
> > *>>certbot-auto is no longer available.
>
> See https://certbot.eff.org/docs/install.html#id9 "We used to have a
> shell script named certbot-auto to help people install Certbot on UNIX
> operating systems, however, this script is no longer supported. If you
> want to uninstall certbot-auto, you can follow our instructions here."
>
> > ... Skipping bootstrap because certbot-auto is deprecated on this
> > system. Your system is not supported by certbot-auto anymore. Certbot
> > cannot be installed. Please visit https://certbot.eff.org/ to check
> > for other alternatives. My Centos 7 is basically out of the box.
> > Previously with certbot-auto - it worked every time. Any one else run
> > into this and know what the issue is ?
> The issue is fully documented and is simply that the certbot-auto script
> is being discontinued by the certbot team at EFF. Questions about why
> it's being discontinued would need to be taken up with the EFF team on
> their github issue tracker at https://github.com/certbot/certbot/issues
>
> The EFF-recommended way to use certbot has changed. The _new_ way is
> with a snap (as in 'install snapd and download the snap for certbot').
> If you already have it might work, but that's going away; you need to
> use the solution recommended at certbot.eff.org which first instructs
> the user to uninstall any OS package containing certbot. At
> https://certbot.eff.org/docs/install.html there is a warning block:
> "While the Certbot team tries to keep the Certbot packages offered by
> various operating systems working in the most basic sense, due to
> distribution policies and/or the limited resources of distribution
> maintainers, Certbot OS packages often have problems that other
> distribution mechanisms do not. The packages are often old resulting in
> a lack of bug fixes and features and a worse TLS configuration than is
> generated by newer versions of Certbot. They also may not configure
> certificate renewal for you or have all of Certbot’s plugins available.
> For reasons like these, we recommend most users follow the instructions
> at https://certbot.eff.org/instructions and OS packages are only
> documented here as an alternative."
>
> Further, this isn't a CentOS problem; CentOS 7 doesn't ship
> certbot-auto. EPEL7 ships a certbot package, but it doesn't ship
> certbot-auto. The certbot in the EPEL7 package is currently working on
> one of my systems, but it is at this point in time one release out of
> date. (the package currently in EPEL7 is 1.11.0; current is 1.12.0;
> 1.12.0 drops support for python2, so the move from 1.11.0 to 1.12.0
> could be fun).
>
> So, the EFF's recommended instructions for CentOS 7 running nginx are at
> https://certbot.eff.org/lets-encrypt/centosrhel7-nginx (I chose the
> nginx page because I am running some servers with CentOS 7 and nginx;
> there are instructions for CentOS/RHEL 8 as well as for apache).

Hi Lamar - I did find that page... I did follow the instructions.
certbot is removed.

rpm -qa | grep cert
ca-certificates-2020.2.41-70.0.el7_8.noarch

whereis certbot
certbot: /usr/bin/certbot /var/lib/snapd/snap/bin/certbot

ls -l /usr/bin/certbot
lrwxrwxrwx 1 root root 17 Feb 4 13:38 /usr/bin/certbot -> /snap/bin/certbot

The snap link was made.
the snap daemon is running:

ps ax | grep snapd
18721 pts/0    S+     0:00 /bin/grep -d skip snapd
24817 ?        Ssl    0:12 /usr/libexec/snapd/snapd

I thought someone would have run into the same issue as I was migrating to this new way of doing things getting letsencrypt working on apache.

Thanks,
Jerry
Re: [CentOS] letsencrypt error
On 2/5/21 7:49 AM, Jerry Geis wrote:
> *>>certbot-auto is no longer available.

See https://certbot.eff.org/docs/install.html#id9 "We used to have a shell script named certbot-auto to help people install Certbot on UNIX operating systems, however, this script is no longer supported. If you want to uninstall certbot-auto, you can follow our instructions here."

> ... Skipping bootstrap because certbot-auto is deprecated on this
> system. Your system is not supported by certbot-auto anymore. Certbot
> cannot be installed. Please visit https://certbot.eff.org/ to check
> for other alternatives. My Centos 7 is basically out of the box.
> Previously with certbot-auto - it worked every time. Any one else run
> into this and know what the issue is ?

The issue is fully documented and is simply that the certbot-auto script is being discontinued by the certbot team at EFF. Questions about why it's being discontinued would need to be taken up with the EFF team on their github issue tracker at https://github.com/certbot/certbot/issues

The EFF-recommended way to use certbot has changed. The _new_ way is with a snap (as in 'install snapd and download the snap for certbot'). If you already have it might work, but that's going away; you need to use the solution recommended at certbot.eff.org which first instructs the user to uninstall any OS package containing certbot. At https://certbot.eff.org/docs/install.html there is a warning block: "While the Certbot team tries to keep the Certbot packages offered by various operating systems working in the most basic sense, due to distribution policies and/or the limited resources of distribution maintainers, Certbot OS packages often have problems that other distribution mechanisms do not. The packages are often old resulting in a lack of bug fixes and features and a worse TLS configuration than is generated by newer versions of Certbot. They also may not configure certificate renewal for you or have all of Certbot’s plugins available. For reasons like these, we recommend most users follow the instructions at https://certbot.eff.org/instructions and OS packages are only documented here as an alternative."

Further, this isn't a CentOS problem; CentOS 7 doesn't ship certbot-auto. EPEL7 ships a certbot package, but it doesn't ship certbot-auto. The certbot in the EPEL7 package is currently working on one of my systems, but it is at this point in time one release out of date. (the package currently in EPEL7 is 1.11.0; current is 1.12.0; 1.12.0 drops support for python2, so the move from 1.11.0 to 1.12.0 could be fun).

So, the EFF's recommended instructions for CentOS 7 running nginx are at https://certbot.eff.org/lets-encrypt/centosrhel7-nginx (I chose the nginx page because I am running some servers with CentOS 7 and nginx; there are instructions for CentOS/RHEL 8 as well as for apache).
Re: [CentOS] letsencrypt error
In article , Jerry Geis wrote:
> *>>certbot-auto is no longer available.
> *>It's still getting updates
> >https://github.com/certbot/certbot/blob/master/certbot-auto
> >>* Forbidden\n\nForbidden\n
> *>Try opening up your page in the browser to see what's going on. You
> might not setup your nginx/apache properly
> >http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPjXdK61Fwa-w
>
> I went there, downloaded it, and tried to run - and I get this.
>
> Skipping bootstrap because certbot-auto is deprecated on this system.
> Your system is not supported by certbot-auto anymore.
> Certbot cannot be installed.
> Please visit https://certbot.eff.org/ to check for other alternatives.
>
> My Centos 7 is basically out of the box. Previously with certbot-auto - it
> worked every time. Any one else run into this and know what the issue is ?

Try using getssl instead: https://github.com/srvrco/getssl

Cheers
Tony
--
Tony Mountifield
Work: t...@softins.co.uk - http://www.softins.co.uk
Play: t...@mountifield.org - http://tony.mountifield.org
Re: [CentOS] letsencrypt error
*>>certbot-auto is no longer available.
*>It's still getting updates
>https://github.com/certbot/certbot/blob/master/certbot-auto
>>* Forbidden\n\nForbidden\n
Try opening up your page in the browser to see what's going on. You might not setup your nginx/apache properly
>http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPjXdK61Fwa-w

I went there, downloaded it, and tried to run - and I get this.

Skipping bootstrap because certbot-auto is deprecated on this system.
Your system is not supported by certbot-auto anymore.
Certbot cannot be installed.
Please visit https://certbot.eff.org/ to check for other alternatives.

My Centos 7 is basically out of the box. Previously with certbot-auto - it worked every time. Any one else run into this and know what the issue is ?

Thanks
Jerry
Re: [CentOS] letsencrypt error
>certbot-auto is no longer available.

It's still getting updates
https://github.com/certbot/certbot/blob/master/certbot-auto

> Forbidden\n\nForbidden\n

http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPjXdK61Fwa-w
[CentOS] letsencrypt error
Hi all - So I just ran into the changes lately from letsencrypt.
certbot-auto is no longer available.

I added this to httpd.conf
ServerName mydomain

service httpd restart

When I do "certbot -d mydomain" I get this :

Domain: mydomain
Type: unauthorized
Detail: Invalid response from http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPjXdK61Fwa-w [97.107.162.8]: "\n\n403 Forbidden\n\nForbidden\n