SOLVED - Letsencrypt - Error when creating the certificate

I have installed Nextcloud successfully and created an SSL certificate via the openmediavault web GUI.
Everything works as it should (access at home and from outside).
Now I would like to create and use a Let's Encrypt certificate.
Creating it (whether via OMV or on the console) produces an error message.
Here are the messages when I try it on the console:

This is where I wanted to paste the error message.
Unfortunately, as a new user I am not allowed to insert more than 4 links.

What do I do now?

Hi,

rewrite the URLs in the error message instead, e.g.
http: // meine . domain . de/index.php/apps/
Or perhaps
http:\meine,domain,de\index.php\apps

root@omv:~# letsencrypt certonly --webroot -w /srv/dev/*** -d mydomain.net --rsa-key-size 4096
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api. letsencrypt. org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain.net
Using the webroot path /srv/dev*** for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mydomain.net (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http:/ /mydomain.net/.well-known/acme-challenge/**********: Connection refused

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mydomain.net
    Type: connection
    Detail: Fetching
    http:/ /mydomain.net/.well-known/acme-challenge/**********:
    Connection refused

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address. Additionally, please check that
    your computer has a publicly routable IP address and that no
    firewalls are preventing the server from communicating with the
    client. If you’re using the webroot plugin, you should also verify
    that you are serving files from the webroot path you provided.

Could it be because it tries to get a connection via http:/ /mydomain.net…?
Because in my nginx file (in /etc/nginx/sites-available/) there is no server { listen 80

Yes, that is exactly the reason :slight_smile:

I do understand that you don't actually want HTTP, but you can force a redirect to HTTPS.

I have defined the following in my nginx site:

server {
    listen 80;
    listen [::]:80;
    server_name my.domain.net;

    server_tokens off;

    # enforce https
    return 301 https://$server_name$request_uri;
}

With that it works.

Thanks for the quick answer.

I have added the following:
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.net;

    server_tokens off;

    # enforce https
    return 301 https://$server_name$request_uri;
}

followed by:

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate ************ and so on

Unfortunately that doesn't work either.
Here is the error message:
root@omv:~# letsencrypt certonly --webroot -w /srv/dev*** -d mydomain.net --rsa-key-size 4096
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt. org
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain. net
Using the webroot path /srv/dev-**** for all unmatched domains.
Waiting for verification…
Cleaning up challenges
Failed authorization procedure. mydomain.net (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ /mydomain.net/.well-known/acme-challenge/**************************************: "

<head data-requesttoken="/**************************************: +"

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: mydomain.net
    Type: unauthorized
    Detail: Invalid response from
    http:/ /mydomain.net/.well-known/acme-challenge/************************************:
    "

    <head data-requesttoken="********************************+"

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

Otherwise I am unfortunately not that familiar with letsencrypt. Now something seems to go wrong during authorization:

The client lacks sufficient authorization :: Invalid response from http:/ /m****.ddns.net/.well-known/acme-challenge/5IJ*******K0: "

<head data-requesttoken="VjG*******2z+"

Is there anything else useful in /var/log/letsencrypt/letsencrypt.log?

I read through the log but couldn't make sense of it.
Is there anything specific I need to look for in the log?

No idea :frowning: I would also just look for anything conspicuous that gives a hint. Best delete the current log, run certbot once more and then post the whole log.

Can I post the whole log?
Or does it contain any security-relevant things?

I think you have already posted the security-relevant things. Those could be removed again.


letsencrypt certonly --webroot -w /srv/dev-disk-by-label-hddcloud/www -d mydomain.net --rsa-key-size 4096

Do the two switches -w and --webroot perhaps do the same thing and both specify the webroot? If so, could you try leaving one of them out?

What else you could try:

  • run it with the --nginx switch
  • run it in interactive mode (--manual)

Are you running the command as the root user?

Yes, I run it as root.
What I noticed:
The times in the log are 1 hour behind.

But the server time is correct? If not, your server's time would need to be synced again.

Yes, it is correct (according to OMV).

And here is timedatectl:

timedatectl
Local time: Die 2018-01-16 17:32:17 CET
Universal time: Die 2018-01-16 16:32:17 UTC
RTC time: Die 2018-01-16 16:32:16
Time zone: Europe/Vienna (CET, +0100)
NTP enabled: no
NTP synchronized: no
RTC in local TZ: no
DST active: no
Last DST change: DST ended at
Son 2017-10-29 02:59:59 CEST
Son 2017-10-29 02:00:00 CET
Next DST change: DST begins (the clock jumps one hour forward) at
Son 2018-03-25 01:59:59 CET
Son 2018-03-25 03:00:00 CEST

I solved it!
The following code snippet was missing in nginx:

location ^~ /.well-known/acme-challenge/ { }

I put it below .well-known/carddav.
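The failure modes this thread walked through, as an added Python self-check (not code from the thread, from certbot or from Nextcloud): `classify` maps what a validator sees at http://<domain>/.well-known/acme-challenge/<token> to one of the cases above (connection refused because nothing listens on port 80, a redirect to HTTPS, Nextcloud's HTML page with `data-requesttoken` instead of the token file, or the expected key authorization), and `probe` runs that check live. Function names, the sample responses and the `acme-selfcheck` user agent are constructed here; domain and token are placeholders you supply.

```python
"""Self-check for http-01 webroot validation: classify what
http://<domain>/.well-known/acme-challenge/<token> actually returns."""
import re
import urllib.error
import urllib.request
from typing import Optional

# The webroot plugin writes "<token>.<account-key-thumbprint>" (base64url,
# no HTML and no whitespace around it) into the token file; that is all the CA expects.
KEYAUTH_RE = re.compile(r"^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\s*$")


def classify(token: str, status: Optional[int], headers: dict, body: str) -> str:
    """Map one observed response to a diagnosis. status=None means the TCP
    connection was refused (first error in the thread: no 'listen 80' block)."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status is None:
        return "connection-refused: nothing listens on port 80, add a server { listen 80; } block"
    if status in (301, 302, 307, 308):
        target = hdrs.get("location", "")
        return f"redirect -> {target}: the CA follows it, so the HTTPS vhost must serve the token too"
    if body.lstrip().startswith("<!DOCTYPE html") or "data-requesttoken" in body:
        return "html-page: request fell through to Nextcloud's index.php instead of the token file"
    if status != 200:
        return f"http-{status}: token file not served from the path given to -w"
    if KEYAUTH_RE.match(body) and body.startswith(token + "."):
        return "ok: key authorization served, http-01 should validate"
    return "unexpected-body: a file is served but it is not <token>.<thumbprint>"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 301/302 itself instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the redirect status


def probe(domain: str, token: str, timeout: float = 5.0) -> str:
    """Live check; run it from outside your LAN so NAT and firewall problems show up."""
    url = f"http://{domain}/.well-known/acme-challenge/{token}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-selfcheck"})
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(req, timeout=timeout) as resp:
            return classify(token, resp.status, dict(resp.headers), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:  # also raised for the unfollowed redirect
        return classify(token, err.code, dict(err.headers), err.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return classify(token, None, {}, "")


if __name__ == "__main__":
    # Constructed sample: the 403 plus Nextcloud HTML body that the thread's log showed.
    nextcloud_page = '<!DOCTYPE html>\n<html class="ng-csp" lang="en">\n\t<head data-requesttoken="xxx">'
    print(classify("tok", 403, {"Content-Type": "text/html"}, nextcloud_page))
```

Certbot's log names the token it wrote; once `location ^~ /.well-known/acme-challenge/ { }` is in the server block that finally handles the request, `probe` should report `ok`.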