Hi all - So I just ran into the recent changes from letsencrypt. certbot-auto is no longer available.
I added this to httpd.conf:
<VirtualHost *:80>
ServerName mydomain
</VirtualHost>
service httpd restart
When I do "certbot -d mydomain" I get this:
Domain: mydomain
Type: unauthorized
Detail: Invalid response from http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPj... [97.107.162.8]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>403 Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"
What did I miss? Thanks
Jerry
> certbot-auto is no longer available.
It's still getting updates: https://github.com/certbot/certbot/blob/master/certbot-auto
> Forbidden</title>\n</head><body>\n<h1>Forbidden</h1>\n<p"
Try opening up your page in the browser to see what's going on. You might not have set up your nginx/apache properly: http://mydomain/.well-known/acme-challenge/i_fU1bFrQZzgfVI2FtWo8Ov0ITjplCcPj...
I went there, downloaded it, and tried to run - and I get this.
Skipping bootstrap because certbot-auto is deprecated on this system. Your system is not supported by certbot-auto anymore. Certbot cannot be installed. Please visit https://certbot.eff.org/ to check for other alternatives.
My CentOS 7 is basically out of the box. Previously with certbot-auto it worked every time. Anyone else run into this and know what the issue is?
Thanks
Jerry
In article CABr8-B4Oq-5=xd6P8KpufFZf41NSAxS1nbke5orzxvcs+Bd1Aw@mail.gmail.com, Jerry Geis jerry.geis@gmail.com wrote:
Try using getssl instead: https://github.com/srvrco/getssl
Cheers Tony
On 2/5/21 7:49 AM, Jerry Geis wrote:
> certbot-auto is no longer available.
See https://certbot.eff.org/docs/install.html#id9 "We used to have a shell script named certbot-auto to help people install Certbot on UNIX operating systems, however, this script is no longer supported. If you want to uninstall certbot-auto, you can follow our instructions here."
> ... Skipping bootstrap because certbot-auto is deprecated on this system. Your system is not supported by certbot-auto anymore. Certbot cannot be installed. Please visit https://certbot.eff.org/ to check for other alternatives. My Centos 7 is basically out of the box. Previously with certbot-auto - it worked every time. Any one else run into this and know what the issue is ?
The issue is fully documented and is simply that the certbot-auto script is being discontinued by the certbot team at EFF. Questions about why it's being discontinued would need to be taken up with the EFF team on their github issue tracker at https://github.com/certbot/certbot/issues
The EFF-recommended way to use certbot has changed. The _new_ way is with a snap (as in 'install snapd and download the snap for certbot'). If you already have it, it might work, but that's going away; you need to use the solution recommended at certbot.eff.org, which first instructs the user to uninstall any OS package containing certbot. At https://certbot.eff.org/docs/install.html there is a warning block: "While the Certbot team tries to keep the Certbot packages offered by various operating systems working in the most basic sense, due to distribution policies and/or the limited resources of distribution maintainers, Certbot OS packages often have problems that other distribution mechanisms do not. The packages are often old resulting in a lack of bug fixes and features and a worse TLS configuration than is generated by newer versions of Certbot. They also may not configure certificate renewal for you or have all of Certbot’s plugins available. For reasons like these, we recommend most users follow the instructions at https://certbot.eff.org/instructions and OS packages are only documented here as an alternative."
Further, this isn't a CentOS problem; CentOS 7 doesn't ship certbot-auto. EPEL7 ships a certbot package, but it doesn't ship certbot-auto. The certbot in the EPEL7 package is currently working on one of my systems, but it is at this point in time one release out of date. (the package currently in EPEL7 is 1.11.0; current is 1.12.0; 1.12.0 drops support for python2, so the move from 1.11.0 to 1.12.0 could be fun).
So, the EFF's recommended instructions for CentOS 7 running nginx are at https://certbot.eff.org/lets-encrypt/centosrhel7-nginx (I chose the nginx page because I am running some servers with CentOS 7 and nginx; there are instructions for CentOS/RHEL 8 as well as for apache).
On Fri, Feb 5, 2021 at 9:44 AM Lamar Owen lowen@pari.edu wrote:
Hi Lamar - I did find that page... I did follow the instructions.
certbot is removed.
rpm -qa | grep cert
ca-certificates-2020.2.41-70.0.el7_8.noarch
whereis certbot
certbot: /usr/bin/certbot /var/lib/snapd/snap/bin/certbot
ls -l /usr/bin/certbot
lrwxrwxrwx 1 root root 17 Feb 4 13:38 /usr/bin/certbot -> /snap/bin/certbot
The snap link was made. The snap daemon is running:
ps ax | grep snapd
18721 pts/0 S+ 0:00 /bin/grep -d skip snapd
24817 ? Ssl 0:12 /usr/libexec/snapd/snapd
I thought someone would have run into the same issue as I was migrating to this new way of doing things, getting letsencrypt working on apache. Thanks,
Jerry
Hi Tony,
Thanks for the suggestion, https://github.com/srvrco/getssl - was not aware of that. I got so close... It says it loaded the certificate, the files are there - I edited /etc/httpd/conf.d/ssl.conf and set the two paths to the right file, restarted httpd - all seemed good - but when I go to my site it did not work. So I re-ran with the -f option and I get:
Registering account
Verify each domain
Verifying rsd.layeredsolutionsinc.com
rsd.layeredsolutionsinc.com is already validated
Verification completed, obtaining certificate.
Requesting Finalize Link
Requesting Order Link
Requesting certificate
Full certificate saved in /root/.getssl/XX/fullchain.crt
Certificate saved in /root/.getssl/XX/rsd.layeredsolutionsinc.com.crt
/root/.getssl/XX/XX.crt didn't match server
getssl: XX - rsa certificate obtained but certificate on server is different from the new certificate
So close... Any thoughts on that are appreciated. I did some searching and those issues don't seem to relate to my case.
Thanks
Jerry
In article CABr8-B4dhv7CMrWVoj2UYAi1MOZkpR8FFUfHqLwH4ZTtAXxBoA@mail.gmail.com, Jerry Geis jerry.geis@gmail.com wrote:
Hi Jerry, you need to explore the configuration files. They are in .getssl/getssl.cfg and .getssl/<domain>/getssl.cfg
First, in .getssl/<domain>/getssl.cfg you need to tell it where to copy the certificate and key for the web server. They should match what you have in /etc/httpd/conf.d/ssl.conf Here are my entries as an example:
----
# Location for all your certs, these can either be on the server (full path name)
# or using ssh /sftp as for the ACL
DOMAIN_CERT_LOCATION="/etc/pki/tls/certs/your.domain.name.crt" # this is domain cert
DOMAIN_KEY_LOCATION="/etc/pki/tls/private/your.domain.name.key" # this is domain key
CA_CERT_LOCATION="/etc/pki/tls/certs/chain.crt" # this is CA cert
----
Then secondly, in the global config .getssl/getssl.cfg you need to tell it how to restart the web server to pick up the new certs, which it will do before testing whether the new certificate is served correctly:
----
# The command needed to reload apache / nginx or whatever you use
RELOAD_CMD="/usr/sbin/apachectl graceful"
----
I think these are the only changes I made from the defaults.
Cheers Tony
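The "certificate on server is different from the new certificate" result in Jerry's getssl run is a fingerprint mismatch between the leaf in fullchain.crt and the leaf the web server presents after RELOAD_CMD; the script below reproduces that check so the two fingerprints can be compared by eye. It is an added example, not getssl's own code; the PEM blobs embedded in it are constructed placeholders rather than real X.509 certificates, and the fullchain path and hostname arguments are assumptions.

```python
"""Compare the leaf certificate getssl saved (fullchain.crt) with the one the
web server actually serves. Added example, not getssl's own code; the PEM
blobs below are constructed placeholders, not real X.509 certificates."""
import base64
import hashlib
import re
import ssl
import sys

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def pem_certs(text):
    """DER bytes of each certificate in PEM text, in file order
    (fullchain.crt: leaf first, then the intermediates)."""
    return [base64.b64decode("".join(m.split())) for m in PEM_RE.findall(text)]

def fingerprint(der):
    """SHA-256 fingerprint in the colon-separated form openssl prints."""
    hexdigest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(hexdigest[i:i + 2] for i in range(0, len(hexdigest), 2))

def leaf_fingerprint(pem_text):
    """Fingerprint of the first (leaf) certificate in pem_text."""
    certs = pem_certs(pem_text)
    if not certs:
        raise ValueError("no CERTIFICATE block in input")
    return fingerprint(certs[0])

def certs_match(local_chain_pem, served_pem):
    """True when the server presents the same leaf certificate getssl saved."""
    return leaf_fingerprint(local_chain_pem) == leaf_fingerprint(served_pem)

def served_cert(host, port=443):
    """PEM of the leaf the live server presents (needs network access)."""
    return ssl.get_server_certificate((host, port))

# Constructed sample data: payloads are short ASCII strings, not real certs.
SAMPLE_CHAIN = ("-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQtbGVhZg==\n-----END CERTIFICATE-----\n"
                "-----BEGIN CERTIFICATE-----\nb2xkLWNlcnQ=\n-----END CERTIFICATE-----\n")
SAMPLE_SERVED = "-----BEGIN CERTIFICATE-----\nb2xkLWNlcnQ=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":  # usage: script.py /root/.getssl/<domain>/fullchain.crt <domain>
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            local, served = f.read(), served_cert(sys.argv[2])
    else:
        local, served = SAMPLE_CHAIN, SAMPLE_SERVED
    print("saved :", leaf_fingerprint(local))
    print("served:", leaf_fingerprint(served))
    print("MATCH" if certs_match(local, served) else "MISMATCH: server still serves a different cert")
```

Run without arguments it works offline on the constructed sample (a mismatch, like Jerry's case); with a fullchain path and hostname it fetches the live leaf over TLS and compares.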