(outdated) Tutorial for using free SSL/TLS certificates provided by "letsencrypt"


#21

Question: how do I create the crontab with root?

sudo crontab -e, or should I just write crontab -e in the terminal?
And how do I know if it works?


#22
sudo -i
crontab -e

You can save output to log file, so you can check if it’s working.

30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log

#23

I want to install Let’s Encrypt on Ubuntu. I did the same as in this post but not successfully :frowning:. I’m using the Free Tier at Amazon EC2, OS Ubuntu 16.4.


#24

i would use https://github.com/Neilpang/acme.sh


#25

Have been looking for this for a while. Thanks very much!


#26

The community manual actually contains instructions on how to use acme.sh


#27

Hello !

I’m sorry to bother you, but I’m trying to get the Let’s Encrypt certificate for more than one month now… and it doesn’t work and I don’t understand why…

I searched a lot on Google and tried many things found on some forums, but I’m getting this error again and again:

[quote]Failed authorization procedure. mydomain.fr (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.fr/.well-known/acme-challenge/xW5e-ssGxezDEPUIE2UJZRoLU08n_1sOzad6jTLc4N0 [2001:1600:4:1::b]: 404

IMPORTANT NOTES:[/quote]

Here is my seafile.conf on nginx:

[quote]server {
    listen 80;
    listen [::]:80;
    server_name mydomain.fr;
    rewrite ^ https://$http_host$request_uri? permanent; # force redirect ht$

    # Enables or disables emitting nginx version on error pages and in the "Ser$
    server_tokens off;

    location /.well-known/acme-challenge {
        default_type "text/plain";
        allow all;
        root /home/pi/certbot-webroot;
    }
}

server {
    listen 443;
    listen [::]:443;
    ssl on;
    ssl_certificate /etc/nginx/ssl/nginx.crt;
    ssl_certificate_key /etc/nginx/ssl/nginx.key;
    error_page 497 https://$host:$server_port$request_uri;

    location / {
        fastcgi_pass 127.0.0.1:8000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_ADDR $server_addr;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param HTTPS on;
        fastcgi_param HTTP_SCHEME https;
        fastcgi_param REMOTE_ADDR $remote_addr;

        access_log /var/log/nginx/seahub.access.log;
        error_log /var/log/nginx/seahub.error.log;
    }
    location /seafhttp {
        rewrite ^/seafhttp(.*)$ $1 break;
        proxy_pass http://127.0.0.1:8082;
        client_max_body_size 0;
    }
    location /media {
        root /home/pi/seafile/seafile-server-latest/seahub;
    }
    location /.well-known/acme-challenge {
        default_type "text/plain";
        allow all;
        root /home/pi/certbot-webroot;
    }
}[/quote]

I tried a lot of different nginx configurations… but still get this error… what am I doing wrong?
Seafile is working normally if I go to the address, and the port forwarding on my internet connection seems to be good (80, 443 and the Seafile port are going to my Raspberry).

I think I’m not understanding some easy things in the nginx configuration of the .well-known directory?

Thanks in advance for your help :slight_smile:, and sorry for my poor English… I’m from France :confused:
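A pre-flight check for exactly this situation, added here as an example (it is not code from the thread, from Seafile or from certbot). It writes a random probe file into the webroot's .well-known/acme-challenge directory, resolves the domain's A and AAAA records, and fetches the probe over every address separately, without following redirects. That separates the three things that all show up as "404" or "unauthorized" from the CA: a server-level rewrite answering before the acme-challenge location, an address (often the IPv6 one, which Let's Encrypt uses when an AAAA record exists) that belongs to a different machine, and a webroot that simply is not the one nginx serves. The domain, webroot and the 203.0.113.x / 2001:db8:: addresses are placeholders; the fetch function is injectable so the logic can be exercised offline.

```python
"""ACME http-01 webroot pre-flight check (added example, not from the thread)."""
import http.client
import os
import secrets
import socket
import sys
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

CHALLENGE_DIR = ".well-known/acme-challenge"


@dataclass
class Fetched:
    status: int
    body: str
    location: Optional[str]  # Location header when the server redirected


@dataclass
class Result:
    address: str
    ok: bool
    detail: str


def write_probe(webroot: str) -> Tuple[str, str]:
    """Create a random probe file under <webroot>/.well-known/acme-challenge; returns (token, body)."""
    token = secrets.token_urlsafe(32)
    body = "probe-" + secrets.token_hex(8)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    with open(os.path.join(directory, token), "w", encoding="ascii") as fh:
        fh.write(body)
    return token, body


def resolve(host: str) -> List[str]:
    """All A and AAAA addresses for host, deduplicated, order preserved."""
    seen: Dict[str, None] = {}
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            infos = socket.getaddrinfo(host, 80, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no records of this family
        for info in infos:
            seen.setdefault(info[4][0], None)
    return list(seen)


def fetch_via(address: str, host: str, path: str, timeout: float = 10.0) -> Fetched:
    """Plain-HTTP GET of path against one literal address, sending Host: host.
    Redirects are not followed, so a 301 from a server-level rewrite stays visible."""
    literal = f"[{address}]" if ":" in address else address  # http.client needs brackets for IPv6
    conn = http.client.HTTPConnection(literal, 80, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return Fetched(resp.status, resp.read().decode("utf-8", "replace"), resp.getheader("Location"))
    finally:
        conn.close()


def evaluate(address: str, expected_body: str, fetched: Fetched) -> Result:
    """Classify one response the way someone debugging a failed http-01 would."""
    if fetched.status in (301, 302, 303, 307, 308):
        return Result(address, False, f"redirected to {fetched.location!r}: a server-level "
                      "rewrite/return fires before the acme-challenge location can serve the file")
    if fetched.status != 200:
        return Result(address, False, f"HTTP {fetched.status}: this address does not serve the "
                      "webroot (wrong vhost, or the DNS record points at another machine)")
    if fetched.body.strip() != expected_body:
        return Result(address, False, "HTTP 200 but the body is not the probe: a different host answered")
    return Result(address, True, "ok")


def run_checks(host: str, token: str, expected_body: str, addresses: List[str], fetch=fetch_via) -> List[Result]:
    """Fetch the probe over every address and judge each one independently."""
    path = f"/{CHALLENGE_DIR}/{token}"
    results: List[Result] = []
    for address in addresses:
        try:
            fetched = fetch(address, host, path)
        except OSError as exc:  # refused, timed out, unreachable
            results.append(Result(address, False, f"connection failed: {exc}"))
            continue
        results.append(evaluate(address, expected_body, fetched))
    return results


def main(argv: List[str]) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} <domain> <webroot>", file=sys.stderr)
        return 2
    host, webroot = argv[1], argv[2]
    token, body = write_probe(webroot)
    results = run_checks(host, token, body, resolve(host))
    for r in results:
        print(f"{'PASS' if r.ok else 'FAIL'} {r.address:40} {r.detail}")
    return 0 if results and all(r.ok for r in results) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it on the Pi as `python3 acme_preflight.py mydomain.fr /home/pi/certbot-webroot` (file name assumed) before invoking certbot; every line must be PASS. A FAIL on only the IPv6 address means the CA's validation request, which prefers IPv6, never reaches this machine, and a "redirected" FAIL on port 80 means the `rewrite … permanent` at server level is answering before the `location /.well-known/acme-challenge` block gets a chance.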


[SOLVED] Error 404 while trying to set up HTTPS with Let's Encrypt certificates
#28

I had the same problem a couple of weeks ago. The manual has older instructions and it no longer works. Back last January, there was a security issue that came up with ACME authentication to grab a certificate, and the error you are getting is the error I got. The ACME client could not answer the challenge. The reason is due to that security issue, and now the ACME clients have been updated to new versions, but that isn’t detailed in the Seafile manual.


#29

In my case, I was trying to use Certbot on Debian. However, it would not answer the challenge from Let’s Encrypt. I had to manually download certbot-auto, copy it to an appropriate location, run it, and then it grabbed my certificate. I also had to change it in NGinx and also my init.d files. Then, I had to change it for the automatic updates to the certificate, not to mention, tweak some settings in NGinx.

I just noticed you are trying to use Certbot. So, I need some details so that I can come up with a solution for you. What version and flavor of Linux are you using? What version of NGinx are you using? I can help you resolve this. :slight_smile:


#30

Wow… I was far from expecting that! Thanks a lot for your answer! :slight_smile:

I’m using Raspbian 4.9.59-v7+ and NGinx is 1.10.3.
Certbot-auto is downloaded in /home/pi/certbot-auto.
My seafile.conf is described above :slight_smile:

I hope we can resolve this! Because it got me mad :dizzy_face: :smile:
Don’t hesitate if you need to know the content of some files… and I’ll try to answer as fast as I can :slight_smile:

Thanks again


#31

Can you tell me the procedure you used to do your configuration? certbot-auto handled everything for me. All I had to do after getting the certificate was setup a few things in NGinx. So, I started with my standard NGinx file. Then, I downloaded certbot-auto using wget. Then, I opened port 80 on my router since I’m using an alternate external port for Seafile. Then I ran certbot-auto. After it gave me the success message, it downloaded the files for me and automatically edited my NGinx file with the proper things. Then, I went in and added the remaining stuff for Seafile. One section to ignore is the dhparams part in the manual. Certbot does that for you.

Once I did all that, it worked like a charm.

I’m on Debian, so I didn’t need to use webroot. You shouldn’t have to either. Let me do some research on your OS and see if it’s similar to how I had to do it on Debian.


#32

Ok… Your version of Raspbian is Debian Stretch based, which means you should be able to use the same method I did. First thing you need to do is change your Nginx config file back to the way it was prior to trying this and also your Seafile configuration. Get rid of all the SSL and https stuff and verify that Seafile is working.

Once you have that done, let me know and we can step through this.


#33

Thanks for your answer.

So, if I understand, I need to edit my seafile.conf to go back to my previous config, which was:

server {
listen 8080;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
error_page 497  https://$host:$server_port$request_uri;

location / {
    fastcgi_pass    127.0.0.1:8000 ;
    fastcgi_param   SCRIPT_FILENAME     $document_root$fastcgi_script_name;
    fastcgi_param   PATH_INFO           $fastcgi_script_name;

    fastcgi_param   SERVER_PROTOCOL $server_protocol;
    fastcgi_param   QUERY_STRING        $query_string;
    fastcgi_param   REQUEST_METHOD      $request_method;
    fastcgi_param   CONTENT_TYPE        $content_type;
    fastcgi_param   CONTENT_LENGTH      $content_length;
    fastcgi_param   SERVER_ADDR         $server_addr;
    fastcgi_param   SERVER_PORT         $server_port;
    fastcgi_param   SERVER_NAME         $server_name;
    fastcgi_param   HTTPS   on;
    fastcgi_param HTTP_SCHEME https;
    fastcgi_param   REMOTE_ADDR         $remote_addr;

    access_log      /var/log/nginx/seahub.access.log;
    error_log       /var/log/nginx/seahub.error.log;
}
location /seafhttp {
    rewrite ^/seafhttp(.*)$ $1 break;
    proxy_pass http://127.0.0.1:8082;
    client_max_body_size 0;
}
location /media {
    root /home/pi/seafile/seafile-server-latest/seahub;
}
}

And then, I run certbot-auto --nginx?
Because the tutorial I followed for the Seafile installation made me delete the default nginx config file in /sites-available, so I don’t know what the default nginx config file looks like.
Sorry if I’m asking some beginner questions…


#34

Ok… So, if that was your original config, were you already set up for https? It looks like you already had a key and certificate. So, that leads me to ask you why you are trying to do another one?

You don’t have to delete the default config file. I still have mine, and it’s the one that monitors port 80. You’ll need your Nginx config to be listening on port 80 in order to pull this off. We can configure that, no problem.


#35

Yes, I already have https, but with a self-signed certificate… and I would like to get something more “clean and secure”… :smile:

The self-signed certificate leads to some security errors in the browser and some mobile apps (like Keepass2Android)…


#36

I also noticed that you are still using Fastcgi… What version of Seafile are you on? Fastcgi is deprecated now.


#37

6.2.5 for Raspbian.

I think the tutorial I followed was a little bit old… :confused:


#38

Ok… It’s really not a big deal and shouldn’t affect us, but keep in mind that since fastcgi is no longer used by Seafile, at some point in the future, they’ll probably remove the usage of it from the code, and you’ll be stuck with a non-working server until you change it. I just wanted you to be aware of it…

Ok, so, we can try this like it sits with your current SSL in place to see if it works. Since you deleted your default config file and you also are using an alternate port, we need to set up a listening port in your NGinx file.

Here is a sample of my listen port, with my server name changed, of course. You’ll need to change it to yours… Note that it’s different than most configs. Since I now have port 80 open to the world for certbot use, I have it return a 408 error rather than the default NGinx welcome page. :slight_smile:

server {
listen 80;

server_name localhost;

 server_name  your.domain.com;
 return 408;

 server_tokens off;

So, go ahead and add that listen port to your config file, restart NGinx, and then try to hit it from the web… such as http://your.domain.com. If you get ERR_EMPTY_RESPONSE in Chrome, or THE CONNECTION WAS RESET in Firefox, then it worked.


#39

Oh, and don’t forget the } at the end of it.


#40

It should look like this when you finish.

server {
listen 80;
server_name your.domain.com;
return 408;

server_tokens off;
}

server {
listen 8080;
ssl on;
ssl_certificate /etc/nginx/ssl/nginx.crt;
ssl_certificate_key /etc/nginx/ssl/nginx.key;
error_page 497 https://$host:$server_port$request_uri;

location / {
blah blah blah
}
}