Bncert-tool issue

Keywords: WordPress - AWS - Technical issue - Secure Connections (SSL/HTTPS)
Description:
bncert-tool issue:
Issue: “the public IP address for this machine could not be detected. A public IP address will be required for Let’s Encrypt to verify that your domains point to this machine. Do you want to proceed anyways? [y/N]:”

What I’ve done:

  • Checked community-related postings with no resolution. Many similar topics, which did help, but nothing I found solved my issue.
  • Ran dig +short on the domain and public IP and both resolved. I also checked several DNS lookup sites and all resolve to the correct public IP.
  • Disassociated and re-associated my EIP in AWS

Where I think problem might be: /etc/hosts reads:

# The following lines are desirable for IPv6 capable hosts

::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
127.0.0.1 [ip-private IP of my AMI] # bitnami-hosts-patch

  • The last line is pointing to my internal IP on AWS. So I tried changing it after reading a previous post. Changed to my public IP and my domain name. Both efforts produce an error when running bncert-tool: “sudo: unable to resolve host ip-[private AWS AMI IP]”
  • I sort of feel this is where the issue lies but not sure how to resolve as prior efforts failed.

Any direction is much appreciated.

Hi @wreckittr,

We have a Support Tool that will gather relevant information for us to analyze your configuration and logs. Could you please execute it on the machine where the stack is running by following the steps described in the guide below?

How to Run the Bitnami Support Tool

Please note that you need to paste the code ID that is shown at the end.

Regards,
Michiel

Thanks a lot Michiel, really appreciate the outreach.

I ran the tool but did receive the following error:
The support bundle file was successfully created, but the automatic upload to Bitnami servers failed. You will need to upload it to your Bitnami Support ticket manually. Please locate the following file in your file browser or in your terminal: /tmp/bitnami-wordpress-info-20200204-171325-24621.zip Exercise caution when uploading the resulting support bundle to public sites as it contains detailed diagnostic information.

I went ahead and scpd the zip file to my local system. Is there another avenue of submission I can use?

Thanks again.

Hi @wreckittr

I just sent you a private message with the information about how to share the .zip file.

Thanks

Thanks much Vikram, really appreciate the support! The upload option in both the private message, and here, pitches a denial statement saying, “New users cannot upload files.” Can the team assist in my authorization privileges?

Thanks again.

Hi @wreckittr,

I increased your trust level. Can you try to upload the file again?

Thanks a lot @gongomgra! Trust increase worked and zip uploaded to the private thread.

Your support is solid, thanks!

Hi @wreckittr,

I have been checking your bnsupport bundle, but I think you explained your issue properly on the first post. Can you check our guide on setting a public static IP address to your instance at https://docs.bitnami.com/aws/faq/configuration/configure-static-address/? If your server doesn’t have a public IP address it can’t be accessed from the Let’s Encrypt servers to generate your SSL certificate.

Hope it helps

Thanks @gongomgra, but I have associated, disassociated, and re-associated my EIP a couple times. This was in my initial post. I’ve also restarted and stopped and started the Bitnami instance a few times. The /etc/hosts file still reads the same:
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts
127.0.0.1 [ip-private IP of my AMI] # bitnami-hosts-patch

I’m assuming this /etc/hosts config is accurate as I also stood up a new Bitnami instance and that /etc/hosts file read the same, just a different internal IP.

Any thoughts on how this /etc/hosts file should read? In another community blog they refer to the public domain, but the bncert-tool wants to look for the internal IP if I change the file.

Thanks.

Also of note, I tried the alternative method of manually generating a Let’s Encrypt certificate for the domain and received the following errors:

2020/02/06 14:23:56 No key found for account [myxxxxemail]@gmail.com. Generating a P384 key.
2020/02/06 14:23:56 Saved key to /opt/bitnami/letsencrypt/accounts/acme-v02.api.letsencrypt.org/ [myxxxxemail]@gmail.com/keys/ [myxxxxemail]@gmail.com.key
2020/02/06 14:24:26 Could not create client: get directory at ‘https://acme-v02.api.letsencrypt.org/directory’: Get https://acme-v02.api.letsencrypt.org/directory: dial tcp x.x.x.x:443: i/o timeout

Any thoughts on this?

Hi @wreckittr,

It looks like there is an issue with your AWS instance. We highly recommend that you check it with the AWS support team, as they can give you better support on their product than we can. Your instance needs to have a public IP address and your domain name has to point to that public IP address so Let’s Encrypt servers can validate your request.

https://aws.amazon.com/premiumsupport/

I think you don’t need to modify the /etc/hosts file, but configure your instance with a public IP address that is accessible from everywhere.

Thanks but as I said in my original post:
What I’ve done:

  • Checked community-related postings with no resolution. Many similar topics, which did help, but nothing I found solved my issue.
  • Ran dig +short on the domain and public IP and both resolved. I also checked several DNS lookup sites and all resolve to the correct public IP.
  • Disassociated and re-associated my EIP in AWS

So that proves I have a public IP.

I’ll close this thread out as it appears we keep going in circles.

Thanks for the effort and looking at the configuration.

Hi @wreckittr,

I think I misunderstood your issue, sorry. I would like to get more information about your server so we can try to help you. Did you launch it from the AWS Marketplace website or using our Launchpad? If you used the Marketplace, please check our guide below on how to get started with the Bitnami application in the AWS Marketplace, just in case you missed any step when you launched your server.

https://docs.bitnami.com/aws/get-started-marketplace/

Apart from that, can you run the following commands in your current server? These are the same commands that the bncert-tool runs internally to get your public IP address and validate the IP address resolution.

curl -vLi "http://myip.bitnami.com"
sudo getent hosts YOUR_DOMAIN

Also, can you launch a fresh new instance and try again to install a Let’s Encrypt certificate without doing any modification in the instance? Please run the bnsupport in the new instance too and the commands above.

Hey @gongomgra, I figured out the root issue. My AWS NACL was blocking bncert-tool from running. I opened the NACL and security group up to be safe, but narrowed it down to the NACL later on. Once both were wide open the tool ran perfectly!

I verified this was the issue by then locking my SGs and NACLs back down and running your curl -vLi "http://myip.bitnami.com". Now I just need to identify what port curl is actually using. It appears it can use one of 22 different ports, and while I tested each of those 22 separately, it still wants a broader range. Does the Bitnami team have any thoughts on what should be opened on the NACLs and SGs?

Thanks again. Super excited to have this site locked down and running!

Hi @wreckittr,

I’m glad you found your issue! To be able to access your WordPress server and website, you only need to open ports 22 (SSH, for management) and ports 80 and 443 (Apache default ports). They should be opened by default on your current server security group, but for the NACL service you will need to open them by yourself. You will also need to open any other port that fits your use case.

When you run the command below, the port used is 80.

curl -vLi "http://myip.bitnami.com"

Also, for more specific information on the NACL service, we recommend that you check the AWS documentation and ask the AWS support team.
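As an added example (not Bitnami's or AWS's code, and not posted in this thread), the following Python model of Network ACL rule evaluation shows why a locked-down NACL still blocks the curl probe even when ports 22, 80 and 443 are allowed: NACLs are stateless, so the reply to the instance's outbound connection must also be allowed inbound on the ephemeral source port it returns to (the "broader range" mentioned above). The rule numbers, port ranges and ephemeral ports are constructed.

```python
# Added example (not Bitnami's or AWS's code): a minimal model of AWS Network ACL
# evaluation to show why `curl http://myip.bitnami.com` (the probe bncert-tool runs)
# fails when only a handful of inbound ports are allowed. NACLs are stateless: the
# instance's outbound connection to port 80 needs an OUTBOUND allow for port 80 AND
# an INBOUND allow for the ephemeral source port that the server's reply comes back to.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int       # evaluated in ascending order; the first matching rule wins
    direction: str    # "inbound" or "outbound"
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

def nacl_allows(rules, direction, port):
    """First matching rule (lowest number) decides; no match hits the implicit deny-all."""
    candidates = sorted((r for r in rules if r.direction == direction), key=lambda r: r.number)
    for r in candidates:
        if r.port_from <= port <= r.port_to:
            return r.action == "allow"
    return False

def outbound_tcp_ok(rules, dst_port, ephemeral_port):
    """A client connection works only if the SYN can leave and the SYN-ACK can come back in."""
    return nacl_allows(rules, "outbound", dst_port) and nacl_allows(rules, "inbound", ephemeral_port)

def probe(rules, dst_port=80, ephemeral_ports=(32768, 45123, 60999)):
    """Simulate the HTTP probe with a few constructed Linux-style ephemeral source ports."""
    return {p: outbound_tcp_ok(rules, dst_port, p) for p in ephemeral_ports}

def return_ports_blocked(rules, low=32768, high=60999):
    """Count ephemeral ports (Linux default range) that have no inbound allow rule."""
    return sum(1 for p in range(low, high + 1) if not nacl_allows(rules, "inbound", p))

# Constructed rule sets: the "locked down" NACL only admits 22/80/443 inbound.
LOCKED_DOWN = [
    Rule(100, "inbound", 22, 22, "allow"),
    Rule(110, "inbound", 80, 80, "allow"),
    Rule(120, "inbound", 443, 443, "allow"),
    Rule(100, "outbound", 80, 80, "allow"),
    Rule(110, "outbound", 443, 443, "allow"),
]
# The same NACL plus the inbound ephemeral-port rule that lets replies to outbound connections in.
WITH_EPHEMERAL = LOCKED_DOWN + [Rule(130, "inbound", 1024, 65535, "allow")]
```

Security groups are stateful and track the return traffic themselves, which is why the same probe works once only the security group is restricted.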
