1

Topic: Having issues trying to get a Let's Encrypt Certificate with certbot

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Ubuntu 16.04 LTS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? No
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Right so, I'm trying to get an ssl certificate for the mail server on my domain and whenever I tried running:

sudo certbot --nginx

I get:
An unexpected error occurred:
SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

So after much brain racking and reading the first section on this website (https://www.digitalocean.com/community/ … untu-16-04) I had edited the nginx 00-default.conf file in /etc/nginx/sites-available/ adding the line:

server_name mydomain.domain;

I then ran certbot --nginx again and got what seemed like success until I tried to load the webmail page, only to be greeted with a too many redirects error.
I'm not 100% sure what's going on but can assume that certbot is messing with nginx's config files. I would run this manually but I'm (if you can't already tell) a little out of my depth, so any help and guidance that you can offer is much appreciated.

Cheers,
Fraser


2

Re: Having issues trying to get a Let's Encrypt Certificate with certbot

Running certbot with option '--nginx' will modify your Nginx config file. You need to check the files under /etc/nginx/, revert the changes, then update /etc/nginx/templates/ssl.tmpl to use your letsencrypt cert and restart the Nginx service.

3

Re: Having issues trying to get a Let's Encrypt Certificate with certbot

ZhangHuangbin wrote:

Running certbot with option '--nginx' will modify your Nginx config file. You need to check the files under /etc/nginx/, revert the changes, then update /etc/nginx/templates/ssl.tmpl to use your letsencrypt cert and restart the Nginx service.

Thanks for your reply!
Just in case you didn't believe me, I really am a bit of a novice. What am I putting into the ssl.tmpl file to use the cert?

4

Re: Having issues trying to get a Let's Encrypt Certificate with certbot

Also, let's scratch that. I'm completely stuck on:
An unexpected error occurred:
SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

Whenever I run certbot, not very helpful. I can ping the domain and get a reply from the external IP, so I'm not sure what's going on. Here's the log for reference:
2017-08-01 03:54:07,954:DEBUG:certbot.main:certbot version: 0.14.2
2017-08-01 03:54:07,955:DEBUG:certbot.main:Arguments: ['--nginx']
2017-08-01 03:54:07,955:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2017-08-01 03:54:07,980:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2017-08-01 03:54:07,980:DEBUG:certbot.cli:Default Detector is Namespace(account=<certbot.cli._Default object at 0x7f67c3407fd0>, agree_dev_preview=None, allow_subset_of_names=<certbot.cli._Default object at 0x7f67c340d310>, apache=<certbot.cli._Default object at 0x7f67c33a44d0>, authenticator='nginx', break_my_certs=<certbot.cli._Default object at 0x7f67c3401d90>, cert_path=<certbot.cli._Default object at 0x7f67c3420990>, certname=<certbot.cli._Default object at 0x7f67c341b750>, chain_path=<certbot.cli._Default object at 0x7f67c3420c90>, checkpoints=<certbot.cli._Default object at 0x7f67c3420490>, config_dir=<certbot.cli._Default object at 0x7f67c3420d90>, config_file=None, configurator=<certbot.cli._Default object at 0x7f67c33a41d0>, csr=<certbot.cli._Default object at 0x7f67c3420290>, debug=<certbot.cli._Default object at 0x7f67c3407590>, debug_challenges=<certbot.cli._Default object at 0x7f67c3407410>, dialog=None, domains=<certbot.cli._Default object at 0x7f67c341b650>, dry_run=<certbot.cli._Default object at 0x7f67c341b850>, duplicate=<certbot.cli._Default object at 0x7f67c3407e90>, eff_email=<certbot.cli._Default object at 0x7f67c341bc50>, email=<certbot.cli._Default object at 0x7f67c341bb50>, expand=<certbot.cli._Default object at 0x7f67c340da10>, force_interactive=<certbot.cli._Default object at 0x7f67c341b550>, fullchain_path=<certbot.cli._Default object at 0x7f67c3420b90>, func=<function run at 0x7f67c37371b8>, hsts=<certbot.cli._Default object at 0x7f67c3401b50>, http01_port=<certbot.cli._Default object at 0x7f67c3401f10>, ifaces=<certbot.cli._Default object at 0x7f67c3420790>, init=<certbot.cli._Default object at 0x7f67c3420590>, installer='nginx', key_path=<certbot.cli._Default object at 0x7f67c3420a90>, logs_dir=<certbot.cli._Default object at 0x7f67c3420f90>, manual=<certbot.cli._Default object at 0x7f67c33a47d0>, manual_auth_hook=<certbot.cli._Default object at 0x7f67c33a4a10>, manual_cleanup_hook=<certbot.cli._Default object at 0x7f67c33a4b50>, 
manual_public_ip_logging_ok=<certbot.cli._Default object at 0x7f67c33a4c50>, must_staple=<certbot.cli._Default object at 0x7f67c3401450>, nginx=True, nginx_ctl=<certbot.cli._Default object at 0x7f67c33a4e90>, nginx_server_root=<certbot.cli._Default object at 0x7f67c33a49d0>, no_bootstrap=<certbot.cli._Default object at 0x7f67c3407a10>, no_self_upgrade=<certbot.cli._Default object at 0x7f67c3407b90>, no_verify_ssl=<certbot.cli._Default object at 0x7f67c3407290>, noninteractive_mode=<certbot.cli._Default object at 0x7f67c341b450>, num=<certbot.cli._Default object at 0x7f67c3420090>, os_packages_only=<certbot.cli._Default object at 0x7f67c3407d10>, post_hook=<certbot.cli._Default object at 0x7f67c341b510>, pre_hook=<certbot.cli._Default object at 0x7f67c341b710>, pref_challs=<certbot.cli._Default object at 0x7f67c341b910>, prepare=<certbot.cli._Default object at 0x7f67c3420690>, quiet=<certbot.cli._Default object at 0x7f67c3407890>, reason=<certbot.cli._Default object at 0x7f67c3420390>, redirect=<certbot.cli._Default object at 0x7f67c34016d0>, register_unsafely_without_email=<certbot.cli._Default object at 0x7f67c341b950>, reinstall=<certbot.cli._Default object at 0x7f67c340dcd0>, renew_by_default=<certbot.cli._Default object at 0x7f67c340d6d0>, renew_hook=<certbot.cli._Default object at 0x7f67c341b310>, renew_with_new_domains=<certbot.cli._Default object at 0x7f67c340d4d0>, rsa_key_size=<certbot.cli._Default object at 0x7f67c3401210>, server=<certbot.cli._Default object at 0x7f67c33a40d0>, staging=<certbot.cli._Default object at 0x7f67c3407710>, standalone=<certbot.cli._Default object at 0x7f67c33a46d0>, standalone_supported_challenges=<certbot.cli._Default object at 0x7f67c33a4f90>, staple=<certbot.cli._Default object at 0x7f67c33eedd0>, strict_permissions=<certbot.cli._Default object at 0x7f67c341bb10>, text_mode=<certbot.cli._Default object at 0x7f67c341b350>, tls_sni_01_port=<certbot.cli._Default object at 0x7f67c34070d0>, tos=<certbot.cli._Default object at 
0x7f67c340d1d0>, uir=<certbot.cli._Default object at 0x7f67c33ee990>, update_registration=<certbot.cli._Default object at 0x7f67c341ba50>, user_agent=<certbot.cli._Default object at 0x7f67c3420190>, validate_hooks=<certbot.cli._Default object at 0x7f67c341b110>, verb='run', verbose_count=<certbot.cli._Default object at 0x7f67c341b250>, webroot=<certbot.cli._Default object at 0x7f67c33a48d0>, webroot_map=<certbot.cli._Default object at 0x7f67c33aa1d0>, webroot_path=<certbot.cli._Default object at 0x7f67c33a4d90>, work_dir=<certbot.cli._Default object at 0x7f67c3420e90>)
2017-08-01 03:54:08,000:DEBUG:certbot.log:Root logging level set at 20
2017-08-01 03:54:08,001:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-08-01 03:54:08,002:DEBUG:certbot.plugins.selection:Requested authenticator nginx and installer nginx
2017-08-01 03:54:08,536:DEBUG:certbot.plugins.selection:Single candidate plugin: * nginx
Description: Nginx Web Server plugin - Alpha
Interfaces: IAuthenticator, IInstaller, IPlugin
Entry point: nginx = certbot_nginx.configurator:NginxConfigurator
Initialized: <certbot_nginx.configurator.NginxConfigurator object at 0x7f67c33a4f10>
Prep: True
2017-08-01 03:54:08,538:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_nginx.configurator.NginxConfigurator object at 0x7f67c33a4f10> and installer <certbot_nginx.configurator.NginxConfigurator object at 0x7f67c33a4f10>
2017-08-01 03:54:20,054:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-08-01 03:54:20,065:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-08-01 03:54:20,383:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.14.2', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 742, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 589, in run
    le_client = _init_le_client(config, authenticator, installer)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 382, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 367, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 158, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 44, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 71, in __init__
    self.net.get(directory).json())
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 646, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/dist-packages/acme/client.py", line 619, in _send_request
    response = self.session.request(method, url, *args, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 488, in request
    resp = self.send(prep, **send_kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 609, in send
    r = adapter.send(request, **kwargs)
  File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 497, in send
    raise SSLError(e, request=request)
SSLError: ("bad handshake: SysCallError(104, 'ECONNRESET')",)

5

Re: Having issues trying to get a Let's Encrypt Certificate with certbot

How about getting the cert without modifying Nginx?

certbot certonly --webroot -d ... -w ...
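
Added example, not part of the thread and not iRedMail's or certbot's own code: a shell sketch of the steps the replies describe (find what `--nginx` changed, get the cert with `certonly --webroot`, point ssl.tmpl at it). The function names, `mail.example.com` and `/var/www/html` are placeholders; it assumes ssl.tmpl holds `ssl_certificate` and `ssl_certificate_key` directives and that certbot tags the lines it writes with `# managed by Certbot`.

```shell
#!/bin/sh
# List lines certbot's nginx installer added, so they can be reviewed and
# reverted by hand (relies on the "# managed by Certbot" marker comment).
certbot_edits() {
    grep -rn 'managed by Certbot' "${1:-/etc/nginx}"
}

# Point the ssl_certificate / ssl_certificate_key directives of an Nginx
# snippet at a Let's Encrypt lineage.
# Usage: use_le_cert FILE DOMAIN [LIVE_DIR]
use_le_cert() {
    tmpl=$1 domain=$2 live=${3:-/etc/letsencrypt/live}
    cert="$live/$domain/fullchain.pem"   # leaf cert plus intermediates
    key="$live/$domain/privkey.pem"
    # Refuse to edit when the lineage is missing: a wrong path would stop
    # nginx from starting and take webmail down with it.
    [ -r "$cert" ] && [ -r "$key" ] || {
        echo "missing $cert or $key" >&2
        return 1
    }
    # Keep a backup, then rewrite only the two directives in place.
    cp -p "$tmpl" "$tmpl.bak" || return 1
    sed -E \
        -e "s|^([[:space:]]*ssl_certificate)[[:space:]]+[^;]*;|\1 $cert;|" \
        -e "s|^([[:space:]]*ssl_certificate_key)[[:space:]]+[^;]*;|\1 $key;|" \
        "$tmpl.bak" > "$tmpl"
}

# Typical sequence, run as root (domain and webroot are placeholders):
#   certbot_edits /etc/nginx
#   certbot certonly --webroot -w /var/www/html -d mail.example.com
#   use_le_cert /etc/nginx/templates/ssl.tmpl mail.example.com
#   nginx -t && service nginx restart
```

Running `nginx -t` before the restart catches a bad path or leftover certbot directive while the old configuration is still serving.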