(Solved) Dehydrated problem

Status
Not open for further replies.

Andyd358

New install and trying to set up Let's Encrypt, but getting this:


root@voip:/usr/src/fusionpbx-install.sh/debian/resources# ./letsencrypt.sh
Domain Name: *.voip.xxxxxxxx.co.uk
Email Address: andrew@sxxxxxxx.co.uk
fatal: destination path 'dehydrated' already exists and is not an empty directory.
fatal: destination path 'dns-01-manual' already exists and is not an empty directory.
# INFO: Using main config file /etc/dehydrated/config
+ Account already registered!
# INFO: Using main config file /etc/dehydrated/config
Unknown hook "this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script"
Unknown hook "startup_hook"
Processing *.voip.xxxxxx.co.uk
Unknown hook "this_hookscript_is_broken__dehydrated_is_working_fine__please_ignore_unknown_hooks_in_your_script"
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till Jul 11 10:55:48 2021 GMT (Longer than 30 days). Skipping renew!

nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

It's showing the cert for localhost at present. What should I do to fix this?
 

Adrian Fretwell

Do you know why the paths would already exist if it is a new install? Did you have an existing install of dehydrated?
 

Andyd358

I had already tried it once, which said it had succeeded, but the cert is still showing as localhost. So I tried it again as if I was renewing it, and that's the error I got.
 

Adrian Fretwell

To renew a certificate, or just check if renewal is required, you would normally run dehydrated with the -c (--cron) switch. On the subject of cron, did you set up any regular renewal checks?

Try running dehydrated with -c and see if any more errors are thrown. If they are, then we need to start looking at the configuration files and hook scripts that the install has set up. It should not be too difficult to resolve.
 

Andyd358

Keep getting this:

+ Responding to challenge for voip.xxxxxx-it.co.uk authorization...
Unknown hook "invalid_challenge"
+ Cleaning challenge tokens...

Now you can remove the following from the zone definition of voip.xxxxxxx-it.co.uk:
_acme-challenge.voip.xxxxxxx-it.co.uk. IN TXT "pOyTo6p_AHbvF_nsS7V3rKtNynbzOTIGwJR_GZ6KjM4"

The DNS entry is correct
 

Adrian Fretwell

Do you have a configuration file at /etc/dehydrated/config ?

If so, what hook scripts does it specify? What do the hook scripts look like? What version of dehydrated are you running? How are you updating your DNS zone files?
 

Andyd358

Config file looks like this

########################################################
# This is the main config file for dehydrated #
# #
# This file is looked for in the following locations: #
# $SCRIPTDIR/config (next to this script) #
# /usr/local/etc/dehydrated/config #
# /etc/dehydrated/config #
# ${PWD}/config (in current working-directory) #
# #
# Default values of this config are in comments #
########################################################

# Which user should dehydrated run as? This will be implicitly enforced when running as root
#DEHYDRATED_USER=

# Which group should dehydrated run as? This will be implicitly enforced when running as root
#DEHYDRATED_GROUP=

# Resolve names to addresses of IP version only. (curl)
# supported values: 4, 6
# default: <unset>
#IP_VERSION=

# URL to certificate authority or internal preset
# Presets: letsencrypt, letsencrypt-test, zerossl, buypass, buypass-test
# default: letsencrypt
#CA="letsencrypt"

# Path to old certificate authority
# Set this value to your old CA value when upgrading from ACMEv1 to ACMEv2 under a different endpoint.
# If dehydrated detects an account-key for the old CA it will automatically reuse that key
# instead of registering a new one.
# default: https://acme-v01.api.letsencrypt.org/directory
#OLDCA="https://acme-v01.api.letsencrypt.org/directory"

# Which challenge should be used? Currently http-01, dns-01 and tls-alpn-01 are supported
#CHALLENGETYPE="http-01"

# Path to a directory containing additional config files, allowing to override
# the defaults found in the main configuration file. Additional config files
# in this directory needs to be named with a '.sh' ending.
# default: <unset>
#CONFIG_D=

# Directory for per-domain configuration files.
# If not set, per-domain configurations are sourced from each certificates output directory.
# default: <unset>
#DOMAINS_D=

# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
#BASEDIR=$SCRIPTDIR

# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
#DOMAINS_TXT="${BASEDIR}/domains.txt"

# Output directory for generated certificates
#CERTDIR="${BASEDIR}/certs"

# Output directory for alpn verification certificates
#ALPNCERTDIR="${BASEDIR}/alpn-certs"

# Directory for account keys and registration information
#ACCOUNTDIR="${BASEDIR}/accounts"

# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
WELLKNOWN="/var/www/dehydrated"

# Default keysize for private keys (default: 4096)
#KEYSIZE="4096"

# Path to openssl config file (default: <unset> - tries to figure out system default)
#OPENSSL_CNF=

# Path to OpenSSL binary (default: "openssl")
#OPENSSL="openssl"

# Extra options passed to the curl binary (default: <unset>)
#CURL_OPTS=

# Program or function called in certain situations
#
# After generating the challenge-response, or after failed challenge (in this case altname is empty)
# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
#
# After successfully signing certificate
# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
#
# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
# default: <unset>
#HOOK=

# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
#HOOK_CHAIN="no"

# Minimum days before expiration to automatically renew certificate (default: 30)
#RENEW_DAYS="30"

# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
#PRIVATE_KEY_RENEW="yes"

# Create an extra private key for rollover (default: no)
#PRIVATE_KEY_ROLLOVER="no"

# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
#KEY_ALGO=secp384r1

# E-mail to use during the registration (default: <unset>)
CONTACT_EMAIL="andrewdunn@xxxxxxxco.uk"

# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
#LOCKFILE="${BASEDIR}/lock"

# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
#OCSP_MUST_STAPLE="no"

# Fetch OCSP responses (default: no)
#OCSP_FETCH="no"

# OCSP refresh interval (default: 5 days)
#OCSP_DAYS=5

# Issuer chain cache directory (default: $BASEDIR/chains)
#CHAINCACHE="${BASEDIR}/chains"

# Automatic cleanup (default: no)
#AUTO_CLEANUP="no"

# ACME API version (default: auto)
#API=auto

# Preferred issuer chain (default: <unset> -> uses default chain)
#PREFERRED_CHAIN=
 

Andyd358

I'm updating the DNS through the control panel for the domain, then testing it via MXToolbox to see if it's updated.
 

Adrian Fretwell

Your hook script is identical to your config file; did you post the wrong file?

If you are manually updating your DNS, then I assume the hook script is not doing the work, that could be why you are getting an error.
 

Andyd358

Sorry, didn't have my glasses on lol

Hook script:
#!/usr/bin/env bash

# based on https://github.com/lukas2511/dehydrated/wiki/example-dns-01-nsupdate-script

set -e
set -u
set -o pipefail

# $1 is the hook name dehydrated is calling. For the two challenge hooks,
# $2 is the domain, $3 the token file name and $4 the token value.
case "$1" in
    "deploy_challenge")
        echo ""
        echo "Add the following to the zone definition of ${2}:"
        echo "_acme-challenge.${2}. IN TXT \"${4}\""
        echo ""
        echo -n "Press enter to continue..."
        read tmp
        echo ""
    ;;
    "clean_challenge")
        echo ""
        echo "Now you can remove the following from the zone definition of ${2}:"
        echo "_acme-challenge.${2}. IN TXT \"${4}\""
        echo ""
        echo -n "Press enter to continue..."
        read tmp
        echo ""
    ;;
    "sync_cert")
        # do nothing for now
    ;;
    "deploy_cert")
        # do nothing for now
    ;;
    "unchanged_cert")
        # do nothing for now
    ;;
    "exit_hook")
        # $2 is the error message, if any
        echo "${2:-}"
    ;;
    *)
        # any hook name not listed above ends up here
        echo "Unknown hook \"${1}\""
    ;;
esac

exit 0
 

Adrian Fretwell

OK, I think your hook script may be short of a few functions. The hook script is called with a parameter ($1), this represents the action dehydrated wants the hook script to perform. Because you are manually updating your DNS, it is probably OK for you to just add empty placeholders for the missing functions.

Every time you see "Unknown hook" it means the script was called with a parameter that it did not understand. In your case, initially "startup_hook" and latterly "invalid_challenge". You could add these to the case statement in your script:

Code:
case "$1" in
   "deploy_challenge")
       echo ""
       echo "Add the following to the zone definition of ${2}:"
       echo "_acme-challenge.${2}. IN TXT \"${4}\""
       echo ""
       echo -n "Press enter to continue..."
       read tmp
       echo ""
   ;;
   "clean_challenge")
       echo ""
       echo "Now you can remove the following from the zone definition of ${2}:"
       echo "_acme-challenge.${2}. IN TXT \"${4}\""
       echo ""
       echo -n "Press enter to continue..."
       read tmp
       echo ""
   ;;
   "sync_cert")
       # do nothing for now
   ;;
   "deploy_cert")
       # do nothing for now
   ;;
   "unchanged_cert")
       # do nothing for now
   ;;
   "exit_hook")
       echo "${2:-}"
   ;;
   "startup_hook")
       # do nothing for now
   ;;
   "invalid_challenge")
       # do nothing for now
   ;;
   *)
       echo "Unknown hook \"${1}\""
   ;;
esac

I would pay close attention to the invalid_challenge call; it may be an indication that something is wrong when it checks your DNS zone file for the _acme-challenge record.
 

Bifur

How long are you waiting after adding the TXT record? I run into challenge errors if I don't give it a good 5 minutes before pressing enter for it to check. I just set up a new install and of course I didn't wait long enough, so I had to redo it and wait about 5-10 minutes before proceeding.
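As an added example, not part of this thread and not the hook shipped by the FusionPBX installer, here is a manual dns-01 hook that takes Adrian's point (handle every hook name dehydrated calls, and exit 0 quietly on the ones you don't care about) and Bifur's point (the TXT record has to be visible before you press enter) together: deploy_challenge polls the zone's own authoritative name servers until all of them serve the token, so there is no guessing about propagation time. Hook names and argument positions follow dehydrated's own docs/examples/hook.sh; the `dig` dependency (Debian package dnsutils), the polling limits and the default HOOK_CHAIN="no" are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the hook shipped by the FusionPBX installer.
# Manual dns-01 hook for dehydrated: handles every hook name current
# dehydrated releases call (names and argument order as in dehydrated's
# docs/examples/hook.sh) and, in deploy_challenge, polls the zone's own
# authoritative name servers until they serve the TXT record, instead of
# guessing how long propagation takes. Assumes `dig` is installed
# (Debian package dnsutils) and HOOK_CHAIN is left at its default "no".
set -eu

# The name the CA looks up for DOMAIN. dehydrated passes wildcard names with
# the leading "*." already removed; strip it again in case a caller does not.
challenge_name() {
  printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Succeeds when one line of DIG_OUTPUT (dig +short TXT format, one
# "quoted string" per line) is exactly "TOKEN". Pure text check, no network,
# so the rest of the script can be exercised without DNS.
txt_present() {
  printf '%s\n' "$2" | grep -qxF "\"$1\""
}

# Authoritative name servers for the zone containing NAME: ask for NS records
# of NAME, then of each parent, until one answers. One hostname per line.
zone_nameservers() {
  local name="$1" ns
  while [ -n "$name" ]; do
    ns="$(dig +short NS "$name" 2>/dev/null || true)"
    if [ -n "$ns" ]; then printf '%s\n' "$ns"; return 0; fi
    case "$name" in *.*) name="${name#*.}" ;; *) name="" ;; esac
  done
  return 1
}

# Query every authoritative server directly (bypassing resolver caches, which
# is what a web lookup tool shows you) every INTERVAL seconds, up to TRIES
# times, until all of them return TOKEN for NAME.
wait_for_txt() {
  local name="$1" token="$2" tries="${3:-60}" interval="${4:-10}"
  local ns server i=0 missing
  ns="$(zone_nameservers "$name")" || { echo "no NS found for $name" >&2; return 1; }
  while [ "$i" -lt "$tries" ]; do
    i=$((i + 1)); missing=0
    for server in $ns; do
      txt_present "$token" "$(dig +short @"$server" TXT "$name" 2>/dev/null || true)" || missing=1
    done
    [ "$missing" -eq 0 ] && return 0
    sleep "$interval"
  done
  echo "TXT $name not served by all of: $(printf '%s' "$ns" | tr '\n' ' ') after $((tries * interval))s" >&2
  return 1
}

hook() {
  local name
  case "$1" in
    deploy_challenge)   # $2 domain, $3 token file name (unused for DNS), $4 token value
      name="$(challenge_name "$2")"
      echo "Add to the zone of ${2}:   ${name}. IN TXT \"${4}\""
      printf '%s' "Press enter once it is saved; the hook then waits until it is served..."
      read -r _
      wait_for_txt "$name" "$4"
      ;;
    clean_challenge)    # same arguments as deploy_challenge
      echo "You can now remove $(challenge_name "$2"). IN TXT \"${4}\""
      ;;
    invalid_challenge)  # $2 domain, $3 the CA's error response (why its lookup failed)
      echo "Validation of ${2} failed: ${3}" >&2
      ;;
    request_failure)    # $2 HTTP status, $3 reason, $4 request type, $5 headers
      echo "ACME request failed: HTTP ${2} ${3} (${4})" >&2
      ;;
    deploy_cert|sync_cert|unchanged_cert|deploy_ocsp|generate_csr|startup_hook|exit_hook)
      ;;                # nothing to do when DNS is edited by hand
    *)
      ;;                # dehydrated probes with a made-up name; unknown hooks must exit 0 quietly
  esac
}

# Only act when dehydrated calls us with a hook name.
if [ -n "${1:-}" ]; then hook "$@"; fi
```

The same check can be run by hand before pressing enter: `dig +short NS <zone>` to list the authoritative servers, then `dig +short @<server> TXT _acme-challenge.<domain>` against each one. That is what the CA sees; a web lookup tool or your local resolver may still be answering from cache, in either direction.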
 

Andyd358

I've been waiting around 20 minutes, and tried again last night; actually left it overnight until this morning and got the same error.
 

Andyd358

Some slight progress, but still got an error in the end:


nginx: [emerg] BIO_new_file("/etc/dehydrated/certs/oip.XXXXXX-it.co.uk/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/dehydrated/certs/oip.XXXXXXXX-it.co.uk/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

It should be for voip.XXXXX.co.uk, not oip.XXXXX.co.uk. I must have had a typo on a previous attempt. Any idea how I would remove any reference to oip.XXXXX.co.uk?

cheers
 

Bifur

I'm not at my server to see but if I remember correctly I have to edit the virtual sites file (I believe somewhere under /etc/nginx/) and change the domain name from pbx.wasthis.com to pbx.isthis.com. Can confirm this evening if you can't get it.
 

Andyd358

Thanks, you pointed me in the right direction. It seems under /etc/nginx/sites-available/ I looked at the FusionPBX file, and within this were the typos; I altered that and reran ./letsencrypt.sh and it worked fine this time.

Thank you both, Bifur and Adrian, for your help.
 

Bifur

Glad you got it working!
 

magic.coast.user

How do you get it to auto-renew? I ran "dehydrated -c", which renewed the certificates for nginx, but didn't restart nginx or replace the certs and links in /etc/freeswitch/tls.

Without those files updated, wss and tls connections fail.

Is there a cron job that can renew the letsencrypt certificates AND update the FreeSWITCH certificate files?

I manually re-ran the original letsencrypt.sh script and that worked. Should I modify that script with a hard coded domain name and run that every day?
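As an added example, not part of this thread and not the FusionPBX installer's letsencrypt.sh, this is the shape of answer to the question above: let cron run plain `dehydrated -c`, and put the FreeSWITCH file handling and the service reloads in the hook's deploy_cert stage, which dehydrated only calls when a certificate was actually re-issued. Everything FreeSWITCH-specific here is an assumption, labelled in the header: that mod_sofia reads one wss.pem holding chain plus private key from /etc/freeswitch/tls with agent.pem, cafile.pem and dtls-srtp.pem linked to it, that FreeSWITCH runs as www-data, and that a sofia profile restart is how it picks up new TLS material. Compare each against `ls -l /etc/freeswitch/tls` and the original letsencrypt.sh on your box before using it. The nginx side needs only a reload, because the nginx error earlier in the thread shows it reading /etc/dehydrated/certs/<domain>/fullchain.pem directly.

```shell
#!/usr/bin/env bash
# Added example, not the FusionPBX installer's letsencrypt.sh.
# dehydrated hook whose deploy_cert stage installs the renewed certificate for
# FreeSWITCH and reloads nginx, so a plain "dehydrated -c" from cron keeps
# both services current. Assumptions (check each against your own install):
#  - FreeSWITCH reads one wss.pem holding chain + private key from
#    /etc/freeswitch/tls, with agent.pem, cafile.pem and dtls-srtp.pem
#    linked to it; mirror whatever `ls -l /etc/freeswitch/tls` shows.
#  - FreeSWITCH runs as www-data and only re-reads TLS files when the
#    sofia profile is restarted via fs_cli.
#  - nginx already points at /etc/dehydrated/certs/<domain>/fullchain.pem
#    (as the nginx error in this thread shows), so it only needs a reload.
set -eu

FS_TLS_DIR="${FS_TLS_DIR:-/etc/freeswitch/tls}"
FS_USER="${FS_USER:-www-data}"
FS_PROFILES="${FS_PROFILES:-internal external}"

# Build wss.pem from dehydrated's fullchain + private key and repoint the
# other names at it. The file is written next to its final location and
# renamed, so FreeSWITCH never opens a half-written key; 0600 because the
# private key is inside.
install_freeswitch_cert() {
  local keyfile="$1" fullchain="$2" tlsdir="$3" owner="${4:-}" tmp name
  tmp="$(mktemp "$tlsdir/.wss.pem.XXXXXX")"
  cat "$fullchain" "$keyfile" > "$tmp"
  chmod 0600 "$tmp"
  if [ -n "$owner" ]; then chown "$owner" "$tmp"; fi
  mv -f "$tmp" "$tlsdir/wss.pem"
  for name in agent.pem cafile.pem dtls-srtp.pem; do
    ln -sfn wss.pem "$tlsdir/$name"
  done
}

# nginx reloads in place. FreeSWITCH: restart the sofia profiles that
# terminate TLS/WSS (assumption noted above; this does drop calls on those
# profiles, which is why deploy_cert, not every cron run, triggers it).
reload_services() {
  local p
  systemctl reload nginx
  for p in $FS_PROFILES; do
    fs_cli -x "sofia profile $p restart"
  done
}

hook() {
  case "$1" in
    deploy_cert)   # $2 domain, $3 privkey, $4 cert, $5 fullchain, $6 chain, $7 timestamp
      install_freeswitch_cert "$3" "$5" "$FS_TLS_DIR" "$FS_USER"
      reload_services
      ;;
    *) ;;          # all other hooks, including dehydrated's made-up probe name: exit 0 quietly
  esac
}

# Driven from cron (assumed paths). "-c" only re-issues once RENEW_DAYS is
# reached, so deploy_cert and the restart above run at most once per renewal.
# The config shown in this thread has HOOK commented out, so either set it
# there or pass it on the command line:
#   17 3 * * *  root  /usr/bin/dehydrated -c --hook /etc/dehydrated/fusionpbx-hook.sh

if [ -n "${1:-}" ]; then hook "$@"; fi
```

Two things worth checking after the first cron-driven renewal: `ls -l /etc/freeswitch/tls` should show a fresh wss.pem with mode 0600 owned by the FreeSWITCH user, and `openssl x509 -in /etc/freeswitch/tls/wss.pem -noout -dates` should show the new expiry. If the wildcard name was requested, the domain directory under /etc/dehydrated/certs is the name without the leading "*.", so the paths dehydrated hands to the hook already match what nginx is configured with.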
 