SSL-Zertifikat für KH wird nach Installation nicht erstellt [GELÖST]

[jacboy]

Hi,


folgende Ausgangslage:

Ubuntu 18.04 LTS (KVM-virtualisiert)
KeyHelp 20.2 installiert

SSL-Zertifikate -> Serverdienste absichern -> Let's Encrypt.

Hat nur leider nicht geklappt:

Code: Select all

[23-Oct-2020 00:05:38] INFO  --> starting ssl certification maintenance
[23-Oct-2020 00:05:38] INFO  --> checking (normal) SSL/TLS certificates
[23-Oct-2020 00:05:38] INFO  --> check certificate "[ID 1]"
[23-Oct-2020 00:05:38] INFO  --> certificate name is "default"
[23-Oct-2020 00:05:38] INFO  --> certificate is valid until 2030-10-20 23:57:37 (3649 days left)
[23-Oct-2020 00:05:38] INFO  --> checking lets encrypt certificates
[23-Oct-2020 00:05:38] INFO  --> remove unused accounts / certificates
[23-Oct-2020 00:05:38] INFO  --> deleteDirectory(): perform rm -rf /etc/ssl/keyhelp/letsencrypt/keyhelp/
[23-Oct-2020 00:05:38] INFO  --> finished
====
[23-Oct-2020 00:10:40] INFO  --> starting ssl certification maintenance
[23-Oct-2020 00:10:40] INFO  --> checking (normal) SSL/TLS certificates
[23-Oct-2020 00:10:40] INFO  --> check certificate "[ID 1]"
[23-Oct-2020 00:10:40] INFO  --> certificate name is "default"
[23-Oct-2020 00:10:40] INFO  --> certificate is valid until 2030-10-20 23:57:37 (3649 days left)
[23-Oct-2020 00:10:40] INFO  --> checking lets encrypt certificates
[23-Oct-2020 00:10:40] INFO  --> remove unused accounts / certificates
[23-Oct-2020 00:10:40] INFO  --> check domain "web1.jacboy.com'
[23-Oct-2020 00:10:40] INFO  --> certificate file does not exist
[23-Oct-2020 00:10:40] INFO  --> renew cert
[23-Oct-2020 00:10:40] INFO  --> Using certificate authority: "https://acme-v02.api.letsencrypt.org/" (LIVE).
[23-Oct-2020 00:10:40] INFO  --> Getting endpoint URLs.
[23-Oct-2020 00:10:40] INFO  --> Account "keyhelp" already registered. Continue.
[23-Oct-2020 00:10:40] INFO  --> Requesting Key ID.
[23-Oct-2020 00:10:40] INFO  --> Sending signed request to "https://acme-v02.api.letsencrypt.org/acme/new-acct".
[23-Oct-2020 00:10:42] INFO  --> Start certificate generation.
[23-Oct-2020 00:10:42] INFO  --> Token stored at: /home/keyhelp/www/.well-known/acme-challenge/local-check-5f920362805953.70710041
[23-Oct-2020 00:10:42] INFO  --> Local resolving checks of domains successfully completed.
[23-Oct-2020 00:10:42] INFO  --> Requesting challenges for domain "web1.jacboy.com".
[23-Oct-2020 00:10:42] INFO  --> Sending signed request to "https://acme-v02.api.letsencrypt.org/acme/new-order".
[23-Oct-2020 00:10:44] INFO  --> Start authorization process for "web1.jacboy.com".
[23-Oct-2020 00:10:44] INFO  --> Deploy challenge.
[23-Oct-2020 00:10:44] INFO  --> Token stored at: /home/keyhelp/www/.well-known/acme-challenge/HdmobIhFcOoCpPvWzv3Ub1sw9V5g13SaGPQqz2twvpc
[23-Oct-2020 00:10:44] INFO  --> Notify CA that the challenge is ready.
[23-Oct-2020 00:10:44] INFO  --> Sending signed request to "https://acme-v02.api.letsencrypt.org/acme/chall-v3/8075644486/wNOH7w".
[23-Oct-2020 00:10:46] INFO  --> Waiting for verification...
[23-Oct-2020 00:10:49] INFO  --> Waiting for verification...
[23-Oct-2020 00:10:52] INFO  --> Waiting for verification...
[23-Oct-2020 00:10:55] INFO  --> Waiting for verification...
[23-Oct-2020 00:10:57] INFO  --> Waiting for verification...
[23-Oct-2020 00:11:00] INFO  --> Waiting for verification...
[23-Oct-2020 00:11:03] INFO  --> Waiting for verification...
[23-Oct-2020 00:11:06] INFO  --> Waiting for verification...
[23-Oct-2020 00:11:09] ERROR --> a Let's Encrypt error occurred: Verification ended with an error. Response: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Fetching https:\/\/web1.jacboy.com\/.well-known\/acme-challenge\/HdmobIhFcOoCpPvWzv3Ub1sw9V5g13SaGPQqz2twvpc: Timeout during connect (likely firewall problem)","status":400},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/8075644486\/wNOH7w","token":"HdmobIhFcOoCpPvWzv3Ub1sw9V5g13SaGPQqz2twvpc","validationRecord":[{"url":"http:\/\/web1.jacboy.com\/.well-known\/acme-challenge\/HdmobIhFcOoCpPvWzv3Ub1sw9V5g13SaGPQqz2twvpc","hostname":"web1.jacboy.com","port":"80","addressesResolved":["2.59.133.3","2a0d:5941:1:db::ed23"],"addressUsed":"2a0d:5941:1:db::ed23"},{"url":"http:\/\/web1.jacboy.com\/.well-known\/acme-challenge\/HdmobIhFcOoCpPvWzv3Ub1sw9V5g13SaGPQqz2twvpc","hostname":"web1.jacboy.com","port":"80","addressesResolved":["2.59.133.3","2a0d:5941:1:db::ed23"],"addressUsed":"2.59.133.3"},{"url":"https:\/\/web1.jacboy.com\/.well-known\/acme-challenge\/HdmobIhFcOoCpPvWzv3Ub1sw9V5g13SaGPQqz2twvpc","hostname":"web1.jacboy.com","port":"443","addressesResolved":["2.59.133.3","2a0d:5941:1:db::ed23"],"addressUsed":"2a0d:5941:1:db::ed23"}]}
[23-Oct-2020 00:11:09] INFO  --> send notification to admin "keyadmin" (user@example.com)
[23-Oct-2020 00:11:09] INFO  --> finished

(E-Mail Adresse zensiert, Hostname web1.jacboy.com ist korrekt). Der FQDN löst korrekt auf den Server auf, sowohl IPv4 als auch IPv6. Für letzteres stimmt der rDNS noch nicht, das fixt mein Provider im Laufe des Tages und sollte auch nur für Mail relevant sein, nicht für so ein Zertifikat.

Im KH dann den SSL Zertifikate-Wartungsjob noch mal laufen lassen, leider noch immer nicht glücklich geworden. Unter https://web1.jacboy.com/.well-known/acm ... PQqz2twvpc wird mir auch der Token korrekt zurück gegeben - ich weiß aktuell leider nicht mehr weiter.



LG
Jay

[v3ng]

Sind die DNS Records frisch?
Je nach Provider kann das einige Stunden dauern, gerade Let's Encrypt scheint das einige Stunden noch zu cachen.

[jacboy]

Die sind 24+ Stunden alt.

[jacboy]

Hat sich erledigt, die IPv6 war nicht aktiviert, darüber wollte LE aber verifizieren. Danke trotzdem.

[Martin]

Hallo,

wenn ein AAAA Record für eine Domain existiert so muss die Domain auch über die IPv6 korrekt erreichbar sein. Let's Encrypt verifiziert diesen Eintrag dann ebenfalls.

[jacboy]

Ja genau. Die Adresse war auch lokal im Interface hinterlegt, nur von Seiten des Providers nicht. DIe haben beim Konfigurieren ausversehen das falsche Netz angewählt. Kein Ding, passiert den besten