Look in here: /etc/letsencrypt
/opt/letsencrypt
Ensure the old certs aren't in used in the Nginx web sites before you delete them.
Be careful to the delete the right ones.
I switched from StartSSL to Letsencrypt today. Setup with Plugin worked like a charm. I created a cron for renewal.
Do I need port 80 for renewal as well?
I usually serve only SSL on Port 443, mapped through Router. Port 80 is used internal only for OMV WebUI.
Do I need port 80 for renewal as well?
Yes.
I run a Nextcloud-Installation with MySQL, Nginx, Fail2Ban and SSL on Port 443. Does opening Port 80 to the same web root bring some security issues with it?
My Nginx is configured to serve only SSL/Port 443, I am a little converned pointing port 80 to that jail as well
I don't see any issue with port 80.
You use reverse proxy.
There's a guide in the forum.
I don't need reverse Proxy.
I set up Nginx with one host (nextcloud) and pointed the letsencrypt-plugin directly to this host/webroot. Since this is the only service I need to be reachable from outside without using VPN, there is no need to use the reverse proxy.
OMV WebGUI is served without certificate and only reachable within LAN.
For security reasons I mapped as few ports as possible (only port 443) through my router to my NAS machine.
I switched WebUI Port and opened port 80 for Letsencrypt. Accessing the domain on port 80 now redirects me to https/port 443.
I did it exactly that way.
WebUI is port 8080, port 80 open for letsencrypt, cron created with slider.
Letsencrypt tries to renew my cert, but gets an error because of .well-known subdirectory in my webroot. .well-known has no subdir or file within. Permissions are root:www-data with drwxr-s---+
2017-07-08 22:36:11,189:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: xxxxxxxxxx
Type: unauthorized
Detail: Invalid response from http://xxxxxxxxxx/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx: "<!DOCTYPE html>
<html class="ng-csp" data-placeholder-focus="false" lang="en" >
<head data-requesttoken="xxxxxxxxxx"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-07-08 22:36:11,190:INFO:certbot.auth_handler:Cleaning up challenges
2017-07-08 22:36:11,190:DEBUG:certbot.plugins.webroot:Removing /srv/dev-disk-by-label-Storage/nextcloud/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx
2017-07-08 22:36:11,192:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /srv/dev-disk-by-label-Storage/nextcloud/.well-known/acme-challenge
2017-07-08 22:36:11,192:WARNING:certbot.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/xxxxxxxxxx.conf produced an unexpected error: Failed authorization procedure. xxxxxxxxxx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxxxxxxxxx/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx: "<!DOCTYPE html>
<html class="ng-csp" data-placeholder-focus="false" lang="en" >
<head data-requesttoken="xxxxxxxxxx". Skipping.
2017-07-08 22:36:11,196:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 413, in handle_renewal_request
main.obtain_cert(lineage_config, plugins, renewal_candidate)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
renewal.renew_cert(config, domains, le_client, lineage)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
self.config.allow_subset_of_names)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
self._respond(resp, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
self._poll_challenges(chall_update, best_effort)
File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. xxxxxxxxxx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxxxxxxxxx/.well-known/acme-challenge/xxxxxxxxxx_oC_xxxxxxxxxx: "<!DOCTYPE html>
<html class="ng-csp" data-placeholder-focus="false" lang="en" >
<head data-requesttoken="xxxxxxxxxx"
2017-07-08 22:36:11,197:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
return config.func(config, plugins)
File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
renewal.handle_renewal_request(config)
File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
len(renew_failures), len(parse_failures)))
Error: 1 renew failure(s), 0 parse failure(s)Seems that because of a lack of authorization no renewal is possible. Strange is the cleanup within .well-known
Pushing the monthly cron renewal manually gives me this
Fehler #0:
exception 'OMV\ExecException' with message 'Failed to execute command 'export PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin; export LANG=C; export SHELL=/bin/sh; sudo --shell --non-interactive --user=root -- omv-letsencrypt 2>&1' with exit code '1': Existing certificate uuid is invalid
Use the Generate Certificate button in the plugin view at least once before using this script.' in /usr/share/openmediavault/engined/rpc/cron.inc:175
Stack trace:
#0 /usr/share/php/openmediavault/rpc/serviceabstract.inc(528): OMVRpcServiceCron->{closure}('/tmp/bgstatuslh...', '/tmp/bgoutputiY...')
#1 /usr/share/openmediavault/engined/rpc/cron.inc(179): OMV\Rpc\ServiceAbstract->execBgProc(Object(Closure))
#2 [internal function]: OMVRpcServiceCron->execute(Array, Array)
#3 /usr/share/php/openmediavault/rpc/serviceabstract.inc(124): call_user_func_array(Array, Array)
#4 /usr/share/php/openmediavault/rpc/rpc.inc(86): OMV\Rpc\ServiceAbstract->callMethod('execute', Array, Array)
#5 /usr/sbin/omv-engined(536): OMV\Rpc\Rpc::call('Cron', 'execute', Array, Array, 1)
#6 {main}Using google, there seems to be a solution through DNS Record. I checked, there is a A record for my domain, http and www. Ports 80 and 443 are opened through router. The web root is used for Nextcloud.
How can i resolve this issue?
Edit: Solved it by editing the nginx v-host config.
Edit 2: My letsencrypt-cert checks for monthly renewal, but the job says no renewal is needed, even 5 days before cert will expire. I receive Email from letsencrypt saying I have to check my cert.
When I push a creation of a new cert manually, a new cert is created, but it does not replace the old one, it will be placed as second cert. (I use my cert with nginx for nextcloud)
How can I resolve this issue?
How can i set it auto renew after 3 months, i'm using Debian 8 & 3.0. Can i use : certbot renew --dry-run
Source here : https://tophostcoupon.com/how-…-encrypt-on-linux-server/
Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!