Letsencrypt installation issues

Rony
Posts: 45
Joined: Fri Jan 27, 2017 3:50 pm
Location: Canada-Montreal
ZCS/ZD Version: Zimbra 9.0.0_GA_4174

Letsencrypt installation issues

Post by Rony »

Hi,

The first time I installed Letsencrypt using the method posted by Jorge (https://wiki.zimbra.com/wiki/Installing ... bra_Server) it went fine.
Then I was not able to renew it on time after expiration because I got busy with urgent matters, and for unknown reasons I could not install a new one either.
After trying many methods I ended up with 502 errors; I could only access the Admin Panel page and had no choice but to reinstall a new server and then restore my data.
So now, with a new installation, I cannot use the same method; it gives me:
Challenge failed for domain mail.domain.ca
http-01 challenge for mail.domain.ca
Cleaning up challenges
Some challenges have failed.
If I start the proxy, it gives me
Problem binding to port 80: Could not bind to IPV4 or IPV6.
despite port 80 being open.
I have tried changing access to Both, Redirect, HTTP, and HTTPS; all have failed.
I have lost days on this and cannot work out what is preventing the certificate from being issued.
Thank you
comradeTJH
Posts: 16
Joined: Tue Jul 04, 2017 12:39 pm

Re: Letsencrypt installation issues

Post by comradeTJH »

Could something else running on the same machine be using port 80?

try:


netstat -tunl | grep 80
to check if some process is using port 80
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt installation issues

Post by JDunphy »

Rony wrote: Challenge failed for domain mail.domain.ca
http-01 challenge for mail.domain.ca
Cleaning up challenges
Some challenges have failed.
If I start the proxy then it gives me
Problem binding to port 80: Could not bind to IPV4 or IPV6.
Not being able to bind means that nginx (i.e. the proxy) can't listen on that port, which indicates something else has it open and is listening... Given you mention trying to validate with http-01, could that still be lying around? Here is one method to find out who has that port in listen mode. Do this as root.


% su -
# netstat -npl | grep 80
tcp        0      0 10.10.10.10:80            0.0.0.0:*                   LISTEN      14848/nginx         
tcp        0      0 127.0.0.1:80                0.0.0.0:*                   LISTEN      9540/httpd          
tcp        0      0 :::80                       :::*                        LISTEN      14848/nginx    
So in the example above... nginx with pid 14848 has a socket in LISTEN mode and bound to ip address 10.10.10.10 for port 80.
The method you chose requires that either zimbra or the letsencrypt tool is running on port 80... I don't use that method myself, but I do use letsencrypt for my certs and they work well. The ACME protocol which all the tools use for verification has changed and some previous methods are deprecated, TLS-SNI-01 for example. https://community.nethserver.org/t/lets ... port/11755

HTH

Jim
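An added example, not code from the thread: it does what the netstat pipeline above does, but with an exact port match, so the 8080 and 7780 sockets that a plain `grep 80` also reports do not get mistaken for a port-80 listener. It parses the text format of `netstat -tnlp` rather than running it, so it can be tried on the constructed sample below without root; with root, pipe the real output in (`sudo netstat -tnlp | python3 port80.py`). Everything in it (the sample lines, the `Socket` type, the function names) is mine, not netstat's.

```python
"""Who has TCP port 80 in LISTEN mode? Exact-port parse of netstat -tnlp output.

Added example, not from the thread. Pipe real output in, or run on the
constructed sample below.
"""
import sys
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Socket:
    proto: str            # tcp, tcp6, udp, udp6
    addr: str             # local address part, e.g. "10.10.10.10" or "::"
    port: int
    state: str            # "LISTEN" for tcp listeners, "" for udp
    pid: Optional[int]    # None when netstat printed "-" (not run as root)
    program: str


# Constructed sample: the three port-80 lines from the post above, plus the
# lines a plain `grep 80` also matches (8080, 7780, and a UDP socket on 80).
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 10.10.10.10:80          0.0.0.0:*               LISTEN      14848/nginx
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      9540/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      14848/nginx
tcp        0      0 127.0.0.1:8080          0.0.0.0:*               LISTEN      -
tcp6       0      0 :::7780                 :::*                    LISTEN      23456/java
udp        0      0 0.0.0.0:80              0.0.0.0:*                           4242/snmpd
"""


def parse_netstat(text: str) -> List[Socket]:
    """Parse `netstat -tunlp`-style lines; header and non-socket lines are skipped."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0] not in ("tcp", "tcp6", "udp", "udp6"):
            continue
        # rpartition, not split(":"): an IPv6 local address like ":::80" has colons of its own
        addr, _, port = f[3].rpartition(":")
        if not port.isdigit():
            continue
        if f[0].startswith("tcp"):
            state = f[5] if len(f) > 5 else ""
            pidprog = f[6] if len(f) > 6 else "-"
        else:                                   # udp lines have no State column
            state = ""
            pidprog = f[5] if len(f) > 5 else "-"
        pid_s, _, program = pidprog.partition("/")
        out.append(Socket(f[0], addr, int(port), state,
                          int(pid_s) if pid_s.isdigit() else None, program or "?"))
    return out


def tcp_listeners_on(text: str, port: int) -> List[Socket]:
    """Exact-port match in LISTEN state: the sockets that actually block a bind on `port`."""
    return [s for s in parse_netstat(text)
            if s.proto.startswith("tcp") and s.state == "LISTEN" and s.port == port]


def naive_grep(text: str, needle: str) -> List[str]:
    """What `netstat ... | grep 80` does: substring match, so 8080 and 7780 count too."""
    return [ln for ln in text.splitlines() if needle in ln]


if __name__ == "__main__":
    data = SAMPLE_NETSTAT if sys.stdin.isatty() else sys.stdin.read()
    hits = tcp_listeners_on(data, 80)
    print(f"grep '80' matches {len(naive_grep(data, '80'))} lines; "
          f"exact TCP port-80 listeners: {len(hits)}")
    for s in hits:
        who = f"pid {s.pid} ({s.program})" if s.pid else "owner unknown (run as root to see PID/Program)"
        print(f"  {s.proto:<5} {s.addr}:{s.port}  {who}")
```

If `ss` is available, `ss -ltnp 'sport = :80'` applies the same exact-port filter in one command; the parser above is for the netstat output the thread is already using, and it deliberately treats a `-` in the PID column as "unknown", which is what you get when the command is not run as root.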
Rony
Posts: 45
Joined: Fri Jan 27, 2017 3:50 pm
Location: Canada-Montreal
ZCS/ZD Version: Zimbra 9.0.0_GA_4174

Re: Letsencrypt installation issues

Post by Rony »

Hi Jim,

Thank you for taking the time to help.
There is nothing else running on port 80; to avoid issues I just limited the server to the latest edition of Zimbra OSE 8.8.11.

netstat -tunl | grep 80
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN
tcp6 0 0 :::7780 :::* LISTEN

and:
zmprov gs `zmhostname` | grep 'zimbraMail.*Port'

zimbraMailPort: 8080
zimbraMailProxyPort: 80
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
comradeTJH
Posts: 16
Joined: Tue Jul 04, 2017 12:39 pm

Re: Letsencrypt installation issues

Post by comradeTJH »

Try stopping all zimbra services before you do the letsencrypt challenge request.

As zimbra user: zmcontrol stop
Rony
Posts: 45
Joined: Fri Jan 27, 2017 3:50 pm
Location: Canada-Montreal
ZCS/ZD Version: Zimbra 9.0.0_GA_4174

Re: Letsencrypt installation issues

Post by Rony »

I did stop the proxy and mail services. As I said, I followed the instructions posted by Jorge, and everything worked on my first server but failed on the new one.
Am I missing something obvious which many know but is not necessarily posted within instructions?
Thank you
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt installation issues

Post by JDunphy »

I misunderstood your original question and thought you couldn't get nginx back up and running after the letsencrypt validation failed. The validation method you chose pulls a known string, but there are some limitations on redirection, for example, if there is anything odd with your environment.
https://letsencrypt.org/docs/challenge-types/ ... Here is a summary of the validation method you are trying where certbot is your ACME client.

"This is the most common challenge type today. Let’s Encrypt gives a token to your ACME client, and your ACME client puts a file on your web server at http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>. That file contains the token, plus a thumbprint of your account key. Once your ACME client tells Let’s Encrypt that the file is ready, Let’s Encrypt tries retrieving it (potentially multiple times from multiple vantage points). If our validation checks get the right responses from your web server, the validation is considered successful and you can go on to issue your certificate. If the validation checks fail, you’ll have to try again with a new certificate."

Some of the drawbacks with that method.

"Cons:

It doesn’t work if your ISP blocks port 80 (this is rare, but some residential ISPs do this).
Let’s Encrypt doesn’t let you use this challenge to issue wildcard certificates.
If you have multiple web servers, you have to make sure the file is available on all of them."

Does your letsencrypt validation method have any additional logs that could indicate some clues? You should see the request come in for your acme-challenge for example. I have limited ability to help here as I use the DNS method myself for validation and a different ACME client that is fully contained in a bash script.
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt installation issues

Post by JDunphy »

Any ACME client will work here so one can switch back and forth depending on ease of use from time to time.

If you are in a rush and instead of debugging this, maxxer has created a really simple zimbra certbot bash script that handles all the steps you perform from the wiki article and is menu driven. It uses the same ACME validation method you are attempting for your domains.

see: https://github.com/YetOpen/certbot-zimbra
Rony
Posts: 45
Joined: Fri Jan 27, 2017 3:50 pm
Location: Canada-Montreal
ZCS/ZD Version: Zimbra 9.0.0_GA_4174

Re: Letsencrypt installation issues

Post by Rony »

Thank you Jim,
I will dig more into this.

For sure my ISP is not blocking port 80, as my previous installation worked fine before I omitted to renew the certificate prior to its expiration date.
I tried maxxer's method when I wanted to reinstall it, but it gave the same error messages as the manual one.
In fact it all depends on the communication with the web server, and there is something puzzling me; probably the answer has already been debated.
But if we stop nginx, then how can the web server be reached by http or even https, since there is no other web server running in the background to serve the page at
http://<YOUR_DOMAIN>/.well-known/acme-challenge/<TOKEN>
Even if the token was successfully created, automatically or manually, it cannot be read unless some web server is running in the background.
Is that a stupid question?
Anyway I will read more and try to understand this process, as despite having run my mail server well since 2017, I only started trying to install a Letsencrypt certificate 4 months ago and need to upgrade my knowledge.
JDunphy
Outstanding Member
Posts: 899
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: Letsencrypt installation issues

Post by JDunphy »

The ACME client is the webserver for this validation with the wiki method. It will be listening on port 80. The wiki has you shutdown the proxy so the client can bind to port 80. You can verify this yourself by getting two terminals going and running the verification and watching the netstat in the other terminal... use the options I gave you so you can match the port to the process id and name.

BTW, maxxer's method is slightly different from your wiki method because he uses Zimbra's nginx as the web server, but they both use the same validation method based on http-01.
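An added example that is not code from the thread, certbot, or the wiki article, covering both the http-01 description quoted from the Let's Encrypt docs earlier and the point just made that the ACME client is itself the web server during validation. It computes the key authorization that goes into the challenge file (the token plus the RFC 7638 thumbprint of the account key, joined as RFC 8555 section 8.1 specifies), runs a minimal standalone responder the way a standalone client would on port 80, plays the CA's side by fetching the URL and comparing the body, and reproduces the "Problem binding to port" condition by trying to bind a port another listener already holds. `ACCOUNT_JWK` is a constructed placeholder, not a real account key, and the responder is bound to a free loopback port rather than 80 so it runs without root and without stopping the proxy.

```python
"""http-01 in miniature: key authorization, a standalone challenge responder,
the CA's fetch, and the bind failure you get when port 80 is already taken.

Added example, not code from the thread, certbot or the wiki article.
"""
import base64
import hashlib
import json
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from typing import Optional
from urllib.request import ProxyHandler, build_opener

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed sample account key (public part). A real RSA "n" is a 2048-bit
# modulus; the thumbprint computation is identical.
ACCOUNT_JWK = {"kty": "RSA", "n": "constructed-not-a-real-modulus", "e": "AQAB"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, keys sorted, no whitespace.
    Extra members such as "alg" or "kid" do not affect the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the challenge file body is token '.' base64url(thumbprint)."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeResponder(BaseHTTPRequestHandler):
    """The web server a standalone ACME client runs during validation (on port 80 for real)."""
    challenges: dict = {}          # token -> key authorization, filled by the client

    def do_GET(self):
        body = self.challenges.get(self.path[len(CHALLENGE_PREFIX):]) \
            if self.path.startswith(CHALLENGE_PREFIX) else None
        if body is None:
            self.send_response(404)
            self.end_headers()
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def ca_validate(url: str, expected: str) -> bool:
    """The CA's side: GET the URL and compare the body with the key authorization it
    computed itself. 404, connection refused or a wrong body all mean a failed challenge.
    ProxyHandler({}) makes sure an http_proxy environment variable is not used."""
    try:
        with build_opener(ProxyHandler({})).open(url, timeout=5) as resp:
            return resp.status == 200 and resp.read().decode("utf-8", "replace").rstrip() == expected
    except OSError:
        return False


def run_standalone_check(token: str, account_jwk: dict, published_token: Optional[str] = None) -> bool:
    """Bind the responder (port 0 = any free port; a real client binds 80, which is why the
    proxy must be stopped first), publish the token, let the "CA" validate, then tear down."""
    published = token if published_token is None else published_token
    ChallengeResponder.challenges = {published: key_authorization(published, account_jwk)}
    srv = HTTPServer(("127.0.0.1", 0), ChallengeResponder)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        url = f"http://127.0.0.1:{srv.server_address[1]}{CHALLENGE_PREFIX}{token}"
        return ca_validate(url, key_authorization(token, account_jwk))
    finally:
        srv.shutdown()          # the equivalent of certbot's "Cleaning up challenges"
        srv.server_close()


def try_bind(port: int, host: str = "127.0.0.1") -> str:
    """Reproduce the 'Problem binding to port' condition: a plain socket cannot bind an
    address:port that another socket already has in LISTEN state."""
    s = socket.socket()
    try:
        s.bind((host, port))
        return "free"
    except OSError as e:
        return f"Problem binding to port {port}: {e.strerror or e}"
    finally:
        s.close()


def demo_port_conflict() -> str:
    """Hold a port with one listener, then try to bind it a second time."""
    srv = HTTPServer(("127.0.0.1", 0), ChallengeResponder)
    try:
        return try_bind(srv.server_address[1])
    finally:
        srv.server_close()


if __name__ == "__main__":
    print("key authorization:", key_authorization("tok123", ACCOUNT_JWK))
    print("validation with matching token:", run_standalone_check("tok123", ACCOUNT_JWK))
    print("validation when the wrong token is published:",
          run_standalone_check("tok123", ACCOUNT_JWK, published_token="other"))
    print(demo_port_conflict())
```

The two failure modes this reproduces are the ones in the thread: `ca_validate` returning False is the local analogue of "Challenge failed for domain", and `demo_port_conflict` shows that a second listener on an address:port that is already in LISTEN state fails at bind time, which is exactly what the "Problem binding to port 80" message reports when the proxy and the standalone client both want port 80.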