[Freeipa-users] Let's Encrypt Install: Made a bit of install progress, next error

Joseph Flynn jjflynn22 at gmail.com
Wed Dec 7 16:26:08 UTC 2016


Man, I feel silly.  I thought I had that set earlier by using the network
setup during the install.  Maybe different distributions handle that
differently.  I have it corrected via your suggestion, Martin. Thank you!!

To the next stage...  Seems like partial success. Is there another step
needed to install the cert that appears to have been created in my home
directory?

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at
   /home/jjflynn22/0001_chain.pem. Your cert will expire on
   2017-03-07. To obtain a new or tweaked version of this certificate
   in the future, simply run certbot again. To non-interactively renew
   *all* of your certificates, run "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

certutil:  unable to open "/root/ipa-le/0000_cert.pem" for reading (-5950,
2).








On Wed, Dec 7, 2016 at 10:56 AM, Martin Basti <mbasti at redhat.com> wrote:

> Please make sure you use `hostnamectl set-hostname FQDN` to set all
> hostnames on system (static, tentative, current ....)
> Martin
>
> On 07.12.2016 16:52, Joseph Flynn wrote:
>
> Damn, I thought I already fixed that but didn't.  Hold while I rerun...
> I bet that was it.
>
> On Wed, Dec 7, 2016 at 10:50 AM, Martin Basti <mbasti at redhat.com> wrote:
>
>> What does `hostname` command return?
>>
>> On 07.12.2016 16:37, Joseph Flynn wrote:
>>
>> Sorry, I wasn't clear in my earlier subject line.  This is related to the
>> Let's Encrypt installation.
>>
>> I tried to pull some more relevant items from the log below.  I don't
>> actually see all of the elements of my FQDN (ipa-a.kkgpitt.org) only
>> references to the host (ipa-a) in the log, but am not sure what a good log
>> should include.
>>
>> Thanks for any assistance,
>> Joe
>>
>>
>> On Tue, Dec 6, 2016 at 4:15 PM, Joseph Flynn <jjflynn22 at gmail.com> wrote:
>>
>>> Volunteers,
>>>
>>> I moved over to a Fedora VM which was way more difficult than it should
>>> be.  All kinds of problems with Guest Additions and I ended up having to
>>> run server mode with no GUI.  Now I run an Ubuntu VM from which I ssh into
>>> my Fedora VM.  Anyway...
>>>
>>> The install made it a further step than before.  I get a quick blue
>>> screen pop up at the end then an error saying:
>>>
>>> An unexpected error occurred:
>>>> The request message was malformed :: DNS name does not have enough
>>>> labels
>>>> Please see the logfiles in /var/log/letsencrypt for more details.
>>>>
>>>
>>> When I run the cert checker util I get this
>>> https://www.sslshopper.com/ssl-checker.html#hostname=ipa-a.kkgpitt.org
>>>
>>> Full log below.
>>>
>>> Any suggestions?  Is it not pulling my proper hostname?
>>>
>>> Thanks,
>>> Joe
>>>
>>>
>>>
>>>
>>>
>>> [jjflynn22 at ipa-a ~]$ cat /etc/hosts
>>> 192.168.1.211 ipa-a.kkgpitt.org ipa-a
>>> 127.0.0.1   localhost localhost.localdomain localhost4
>>> localhost4.localdomain4
>>> ::1         localhost localhost.localdomain localhost6
>>> localhost6.localdomain6
>>>
>>>
>>>
>>>
>>> [jjflynn22 at ipa-a ~]$ sudo cat /var/log/letsencrypt/letsencrypt.log
>>> [sudo] password for jjflynn22:
>>> 2016-12-06 20:57:43,982:DEBUG:certbot.main:Root logging level set at 20
>>> 2016-12-06 20:57:43,983:INFO:certbot.main:Saving debug log to
>>> /var/log/letsencrypt/letsencrypt.log
>>> 2016-12-06 20:57:43,991:DEBUG:certbot.main:certbot version: 0.9.3
>>> 2016-12-06 20:57:43,991:DEBUG:certbot.main:Arguments: ['--standalone',
>>> '--csr', '/root/ipa-le/httpd-csr.der', '--email', 'xxxxx at gmail.com',
>>> '--agree-tos']
>>> 2016-12-06 20:57:43,992:DEBUG:certbot.main:Discovered plugins:
>>> PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#nu
>>> ll,PluginEntryPoint#manual,PluginEntryPoint#standalone)
>>> 2016-12-06 20:57:43,995:DEBUG:certbot.plugins.selection:Requested
>>> authenticator standalone and installer None
>>> 2016-12-06 20:57:44,019:DEBUG:certbot.plugins.selection:Single
>>> candidate plugin: * standalone
>>> Description: Spin up a temporary webserver
>>> Interfaces: IAuthenticator, IPlugin
>>> Entry point: standalone = certbot.plugins.standalone:Authenticator
>>> Initialized: <certbot.plugins.standalone.Authenticator object at
>>> 0x7fc3dc6fccd0>
>>> Prep: True
>>> 2016-12-06 20:57:44,019:DEBUG:certbot.plugins.selection:Selected
>>> authenticator <certbot.plugins.standalone.Authenticator object at
>>> 0x7fc3dc6fccd0> and installer None
>>> 2016-12-06 20:57:44,115:DEBUG:certbot.main:Picked account:
>>> <Account(7446b15565eb5a2fc5850f3ad97dc6dc)>
>>> 2016-12-06 20:57:44,116:DEBUG:root:Sending GET request to
>>> https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
>>> 2016-12-06 20:57:44,119:INFO:requests.packages.urllib3.connectionpool:Starting
>>> new HTTPS connection (1): acme-v01.api.letsencrypt.org
>>> 2016-12-06 20:57:44,500:DEBUG:requests.packages.urllib3.connectionpool:"GET
>>> /directory HTTP/1.1" 200 280
>>> 2016-12-06 20:57:44,506:DEBUG:root:Received <Response [200]>. Headers:
>>> {'Content-Length': '280', 'Expires': 'Tue, 06 Dec 2016 20:57:46 GMT',
>>> 'Boulder-Request-Id': 'mqxztXHk-k5DDBqftS_2vmB0sWVWVjS1twToXbIOdL0',
>>> 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx',
>>> 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control':
>>> 'max-age=0, no-cache, no-store', 'Date': 'Tue, 06 Dec 2016 20:57:46 GMT',
>>> 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json',
>>> 'Replay-Nonce': 'sz4mf6DlGO-Iw1q8bOlAlisD3CKZlCZUA9JzmN3dcDk'}.
>>> Content: '{\n  "new-authz": "https://acme-v01.api.letsencr
>>> ypt.org/acme/new-authz",\n  "new-cert": "https://acme-v01.api.letsencr
>>> ypt.org/acme/new-cert",\n  "new-reg": "https://acme-v01.api.letsencr
>>> ypt.org/acme/new-reg",\n  "revoke-cert": "https://acme-v01.api.letsencr
>>> ypt.org/acme/revoke-cert"\n}'
>>> 2016-12-06 20:57:44,506:DEBUG:acme.client:Received response <Response
>>> [200]> (headers: {'Content-Length': '280', 'Expires': 'Tue, 06 Dec 2016
>>> 20:57:46 GMT', 'Boulder-Request-Id': 'mqxztXHk-k5DDBqftS_2vmB0sWVWVjS1twToXbIOdL0',
>>> 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx',
>>> 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control':
>>> 'max-age=0, no-cache, no-store', 'Date': 'Tue, 06 Dec 2016 20:57:46 GMT',
>>> 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json',
>>> 'Replay-Nonce': 'sz4mf6DlGO-Iw1q8bOlAlisD3CKZlCZUA9JzmN3dcDk'}): '{\n
>>> "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n
>>> "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n
>>> "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n
>>> "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert
>>> "\n}'
>>> 2016-12-06 20:57:44,506:DEBUG:certbot.client:CSR:
>>> CSR(file='/root/ipa-le/httpd-csr.der', data='...', form='der'),
>>> domains: [u'ipa-a']
>>> 2016-12-06 20:57:44,507:DEBUG:root:Requesting fresh nonce
>>> 2016-12-06 20:57:44,507:DEBUG:root:Sending HEAD request to
>>> https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs:
>>> {}
>>> 2016-12-06 20:57:44,608:DEBUG:requests.packages.urllib3.connectionpool:"HEAD
>>> /acme/new-authz HTTP/1.1" 405 0
>>> 2016-12-06 20:57:44,609:DEBUG:root:Received <Response [405]>. Headers:
>>> {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id':
>>> 'c2cMPhHqlO5kTv8xJ5dfIs4NCD2KMqn8X-IxPzutDAI', 'Expires': 'Tue, 06 Dec
>>> 2016 20:57:46 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow':
>>> 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Tue, 06
>>> Dec 2016 20:57:46 GMT', 'Content-Type': 'application/problem+json',
>>> 'Replay-Nonce': '3fq9edUYLFJwQKDU-oaLVpQdUglFemQpGNbwZ-AtmfI'}.
>>> Content: ''
>>> 2016-12-06 20:57:44,609:DEBUG:acme.client:Storing nonce:
>>> '\xdd\xfa\xbdy\xd5\x18,Rp@\xa0\xd4\xfa\x86\x8bV\x94\x1dR\tEz
>>> d)\x18\xd6\xf0g\xe0-\x99\xf2'
>>> 2016-12-06 20:57:44,610:DEBUG:acme.jose.json_util:Omitted empty fields:
>>> combinations=None, challenges=None, expires=None, status=None
>>> 2016-12-06 20:57:44,610:DEBUG:acme.client:Serialized JSON:
>>> {"identifier": {"type": "dns", "value": "ipa-a"}, "resource":
>>> "new-authz"}
>>> 2016-12-06 20:57:44,610:DEBUG:acme.jose.json_util:Omitted empty fields:
>>> kid=None, x5c=(), crit=(), jwk=None, typ=None, jku=None, cty=None,
>>> x5tS256=None, x5u=None, alg=None, x5t=None
>>> 2016-12-06 20:57:44,612:DEBUG:acme.jose.json_util:Omitted empty fields:
>>> kid=None, x5c=(), crit=(), typ=None, jku=None, cty=None, x5tS256=None,
>>> x5u=None, x5t=None, nonce=None
>>> 2016-12-06 20:57:44,612:DEBUG:root:Sending POST request to
>>> https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs:
>>> {'data': '...'}
>>> 2016-12-06 20:57:44,728:DEBUG:requests.packages.urllib3.connectionpool:"POST
>>> /acme/new-authz HTTP/1.1" 400 109
>>> 2016-12-06 20:57:44,730:DEBUG:root:Received <Response [400]>. Headers:
>>> {'Content-Length': '109', 'Boulder-Request-Id':
>>> 'z34CxBq8_BBQbE6zM00YjU8c08FeXh24WHyCG1xAYJE', 'Expires': 'Tue, 06 Dec
>>> 2016 20:57:46 GMT', 'Server': 'nginx', 'Connection': 'close',
>>> 'Cache-Control': 'max-age=0, no-cache, no-store', 'Pragma': 'no-cache',
>>> 'Boulder-Requester': '6994631', 'Date': 'Tue, 06 Dec 2016 20:57:46 GMT',
>>> 'Content-Type': 'application/problem+json', 'Replay-Nonce':
>>> 'YoSNpLT1RJSN5tUVEWujrxjZ4LxoU-jKncsn1aN9HFI'}. Content: '{\n  "type":
>>> "urn:acme:error:malformed",\n  "detail": "DNS name does not have enough
>>> labels",\n  "status": 400\n}'
>>> 2016-12-06 20:57:44,730:DEBUG:acme.client:Storing nonce:
>>> "b\x84\x8d\xa4\xb4\xf5D\x94\x8d\xe6\xd5\x15\x11k\xa3\xaf\x18
>>> \xd9\xe0\xbchS\xe8\xca\x9d\xcb'\xd5\xa3}\x1cR"
>>> 2016-12-06 20:57:44,730:DEBUG:acme.client:Received response <Response
>>> [400]> (headers: {'Content-Length': '109', 'Boulder-Request-Id':
>>> 'z34CxBq8_BBQbE6zM00YjU8c08FeXh24WHyCG1xAYJE', 'Expires': 'Tue, 06 Dec
>>> 2016 20:57:46 GMT', 'Server': 'nginx', 'Connection': 'close',
>>> 'Cache-Control': 'max-age=0, no-cache, no-store', 'Pragma': 'no-cache',
>>> 'Boulder-Requester': '6994631', 'Date': 'Tue, 06 Dec 2016 20:57:46 GMT',
>>> 'Content-Type': 'application/problem+json', 'Replay-Nonce':
>>> 'YoSNpLT1RJSN5tUVEWujrxjZ4LxoU-jKncsn1aN9HFI'}): '{\n  "type":
>>> "urn:acme:error:malformed",\n  "detail": "DNS name does not have enough
>>> labels",\n  "status": 400\n}'
>>> 2016-12-06 20:57:44,735:DEBUG:certbot.main:Exiting abnormally:
>>> Traceback (most recent call last):
>>>   File "/usr/bin/letsencrypt", line 9, in <module>
>>>     load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
>>>   File "/usr/lib/python2.7/site-packages/certbot/main.py", line 776, in
>>> main
>>>     return config.func(config, plugins)
>>>   File "/usr/lib/python2.7/site-packages/certbot/main.py", line 566, in
>>> obtain_cert
>>>     _csr_obtain_cert(config, le_client)
>>>   File "/usr/lib/python2.7/site-packages/certbot/main.py", line 535, in
>>> _csr_obtain_cert
>>>     certr, chain = le_client.obtain_certificate_from_csr(config.domains,
>>> csr, typ)
>>>   File "/usr/lib/python2.7/site-packages/certbot/client.py", line 229,
>>> in obtain_certificate_from_csr
>>>     authzr = self.auth_handler.get_authorizations(domains)
>>>   File "/usr/lib/python2.7/site-packages/certbot/auth_handler.py", line
>>> 68, in get_authorizations
>>>     domain, self.account.regr.new_authzr_uri)
>>>   File "/usr/lib/python2.7/site-packages/acme/client.py", line 210, in
>>> request_domain_challenges
>>>     typ=messages.IDENTIFIER_FQDN, value=domain), new_authzr_uri)
>>>   File "/usr/lib/python2.7/site-packages/acme/client.py", line 190, in
>>> request_challenges
>>>     new_authz)
>>>   File "/usr/lib/python2.7/site-packages/acme/client.py", line 649, in
>>> post
>>>     return self._check_response(response, content_type=content_type)
>>>   File "/usr/lib/python2.7/site-packages/acme/client.py", line 565, in
>>> _check_response
>>>     raise messages.Error.from_json(jobj)
>>> Error: urn:acme:error:malformed :: The request message was malformed ::
>>> DNS name does not have enough labels
>>>
>>>
>>>
>>>
>>>
>>
>>
>>
>>
>
>
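The rejection in the quoted log comes from the short hostname `ipa-a` reaching the CA as the DNS identifier. As an added example (not part of the original thread and not certbot code), this Python check pulls the requested identifiers out of a certbot debug log and flags names the CA would refuse for having too few labels. It assumes each `Serialized JSON:` record sits on one line in the real log file (the archive wraps them); the function names and the sample lines are constructed for illustration.

```python
import json
import re

# Constructed sample modelled on the log lines quoted in this thread; the
# second request (FQDN) and its timestamp are invented for contrast.
SAMPLE_LOG = """\
2016-12-06 20:57:44,610:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "ipa-a"}, "resource": "new-authz"}
2016-12-06 20:57:44,728:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 400 109
2016-12-07 16:01:02,110:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "ipa-a.kkgpitt.org"}, "resource": "new-authz"}
"""

MARKER = "Serialized JSON:"
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

def name_problems(name):
    """Return the reasons a DNS identifier would be refused (empty if none)."""
    name = name.rstrip(".")
    labels = name.split(".")
    problems = []
    if len(labels) < 2:
        problems.append("not enough labels (short hostname, not an FQDN)")
    if len(name) > 253:
        problems.append("name longer than 253 characters")
    for label in labels:
        if len(label) > 63:
            problems.append("label longer than 63 characters: %r" % label)
        elif not LDH_LABEL.match(label):
            problems.append("label empty or not letters/digits/hyphen: %r" % label)
    return problems

def requested_identifiers(log_text):
    """Collect DNS identifiers from serialized ACME requests, in log order."""
    names, decoder = [], json.JSONDecoder()
    for line in log_text.splitlines():
        _, found, rest = line.partition(MARKER)
        if not found:
            continue
        try:
            body, _ = decoder.raw_decode(rest.lstrip())
        except ValueError:
            continue  # wrapped or truncated record: skip rather than guess
        ident = body.get("identifier") if isinstance(body, dict) else None
        if isinstance(ident, dict) and ident.get("type") == "dns":
            names.append(ident.get("value", ""))
    return names

def audit(log_text):
    """Map each problematic identifier found in the log to its problems."""
    found = ((n, name_problems(n)) for n in requested_identifiers(log_text))
    return {n: p for n, p in found if p}
```

Running `name_problems` on the output of `hostname` before generating the CSR catches the same condition without a round trip to the CA.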