Site down after running Bitnami HTTPS Configuration Tool

Hi @mubiesam,

Sorry for the wrong information; I was not aware of that. Our HTTPS configuration tool uses HTTP or TLS verification, and those methods don’t support wildcards:

https://letsencrypt.org/es/docs/challenge-types/

Yes, if you want to use our tool, you will need to run the tool every time you want to add a new domain.

You were probably using certbot and the DNS verification before. You can follow our alternative approach to configure the SSL domains:

https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

However, the commands we have in the documentation use the TLS challenge; you will need to use the DNS challenge when running the commands and configure the DNS verification on your DNS provider’s site.

Note: if you don’t want to use the Bitnami HTTPS configuration tool anymore, you will need to remove the renew command from the cron file:

sudo crontab -l

Let us know if you have any questions

Hi @jota

The alternative approach you suggested, https://docs.bitnami.com/aws/how-to/generate-install-lets-encrypt-ssl/#alternative-approach
Does it support wildcards? It seems it also needs all the domains entered, “as many times as the number of domains you want to specify.”

We are using RPA for adding new sites, so it’s important to avoid too many additional procedures, such as running the HTTPS configuration tool for every new site. (It would be nice if you mentioned that wildcards are not supported by this tool.)

If we don’t want to use this tool anymore, will removing only the renew command (sudo crontab -l) be enough to go back to the original status? Or should we remove all of this tool’s related folders and files?

Thanks

Hi @jota

Got “no crontab for root” after running “sudo crontab -l”. Can you tell me where the crontab is located?

Thanks

Hi @jota
In the Troubleshooting section for this tool, there is
Manually Revoking An Existing Certificate
If we don’t want to use this tool anymore, do we need to change these 2 lines?
SSLCertificateFile "/opt/bitnami/apache2/conf/server.crt"
SSLCertificateKeyFile "/opt/bitnami/apache2/conf/server.key"

An early response would be highly appreciated.

Hi @mubiesam,

The alternative approach uses the lego tool. It’s a client written in Go that allows you to generate Let’s Encrypt certificates. It does support other challenge types, like the DNS one, which allows you to use wildcards:

https://github.com/go-acme/lego
https://letsencrypt.org/es/docs/challenge-types/

I mentioned that our guide uses the TLS challenge, so you will need to use the DNS one when running the lego tool.

Well, our tool takes care of creating the SSL certificates, configuring the web server and configuring the renewal process. I told you to remove the line in the cron job so it doesn’t perform the renewal (because you will use a different tool to generate the new certificates and configure the renewal process, so you will avoid problems when removing the existing cron job), but the certificates will be kept in the instance. Please note that they are just files that contain the information about your domain.

OK, can you check the bitnami user’s crontab?

sudo crontab -l -u bitnami

If you revoke the certificates and use the dummy ones we include, you will run into the security issues that you got before. I’d keep the certificates while you generate the new ones using the wildcards. This way, you will be able to access your current domains using HTTPS. Once you have the new certificates with the wildcard, you can change Apache’s configuration to start using them.

Happy to help!


Hi @jota
Sorry to bother you so much, but I do need your help to get through this complication.

This is what I did…

sudo crontab -l -u bitnami

0 0 1 * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="mubiesam@gmail.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=johocen.com renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew

sudo /opt/bitnami/letsencrypt/lego --dns --email="mubiesam@gmail.com" --domains="johocen.com" --domains="*.johocen.com" --path="/opt/bitnami/letsencrypt" run
2019/09/13 03:49:39 You have to pass an account (email address) to the program using --email or -m

Not sure what to do here. Is it because I changed --tls to --dns?
There is no instruction in the Alternative Approach for using DNS instead of TLS.

Thanks

Hi @mubiesam,

First of all, remember to remove the lego line in the crontab when we finish creating the new certificates. You can simply edit the file by running this command:

sudo crontab -e -u bitnami

Note: we were using the -l option previously to list the lines but the -e option allows you to edit the file.

You are missing some parameters when running the lego command. You will need to set the provider and supply the required information:

Credentials for DNS providers must be passed through environment variables.

To display the documentation for a DNS providers:

  $ lego dnshelp -c code

All DNS codes:
  acme-dns, alidns, auroradns, azure, bindman, bluecat, cloudflare, cloudns, cloudxns, conoha, designate, digitalocean, dnsimple, dnsmadeeasy, dnspod, dode, dreamhost, duckdns, dyn, easydns, exec, exoscale, fastdns, gandi, gandiv5, gcloud, glesys, godaddy, hostingde, httpreq, iij, inwx, joker, lightsail, linode, linodev4, manual, mydnsjp, namecheap, namedotcom, namesilo, netcup, nifcloud, ns1, oraclecloud, otc, ovh, pdns, rackspace, rfc2136, route53, sakuracloud, selectel, stackpath, transip, vegadns, versio, vscale, vultr, zoneee

More information: https://go-acme.github.io/lego/dns

You can either review the lego documentation, ask in its forum to learn more about that, follow the approach of this other user who followed the Lightsail documentation (please note that you are using Google), or use the same method you used in the past to generate the certificates.

I hope it helps

Hi @jota

Thank you for the explanation, but sorry for my poor English and limited technical background; I’m still not quite sure after studying all the documents. Please correct me if there is anything wrong in the steps I’m going to do:

  1. Obtain a certificate using the DNS challenge

    sudo /opt/bitnami/ctlscript.sh stop
    NAMESILO_API_KEY=xxxxxxxxxxx
    sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run
    Is the Additional Configuration necessary, as stated in https://go-acme.github.io/lego/dns/namesilo/ ?

  2. Configure The Web Server To Use The Let’s Encrypt Certificate For Apache:

    sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
    sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.key /opt/bitnami/apache2/conf/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.crt /opt/bitnami/apache2/conf/server.crt
    sudo chown root:root /opt/bitnami/apache2/conf/server*
    sudo chmod 600 /opt/bitnami/apache2/conf/server*
    sudo /opt/bitnami/ctlscript.sh start

  3. Test The Configuration

  4. Renew The Let’s Encrypt Certificate

    sudo /opt/bitnami/ctlscript.sh stop
    sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
    sudo /opt/bitnami/ctlscript.sh start

  5. Create a script

    sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
    Save the following content into script

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache
  6. Make the script executable:

    chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
    sudo crontab -e -u bitnami

  7. Add the following line to the crontab file and save it:

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

But where is the crontab file located?

Thanks

Hi @jota
I tried

NAMESILO_API_KEY=xxxxxxxxxxx \
sudo /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run 

But got

namesilo: some credentials information are missing: NAMESILO_API_KEY

Your help is highly appreciated.

Hi @mubiesam,

Try this command

sudo NAMESILO_API_KEY=xxxxxxxxxxx /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run

And ensure you don’t need to set the API key when renewing the certificate.

Thanks
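For the procedure in the post above (obtain the certificate with DNS-01, then renew it from cron) and the point about where the variable goes relative to sudo in the reply just above, here is an added example that is not code from the thread, from the Bitnami documentation or from lego. It is a POSIX sh renewal wrapper that reads the NameSilo API key from a file only its owner can read, so the key never appears on the lego command line, in the crontab or in `ps` output; it passes lego's `--days` threshold so a monthly cron only reissues when the certificate is close to expiry; and it reloads Apache gracefully with the same httpd command the bncert-autorenew cron line on this page uses, since the DNS-01 challenge does not need the web server stopped. The credentials file path, the `--renew` flag, the email placeholder and the function names are assumptions; binary paths and domains follow the thread. The two `key_*_env` functions use `env -i` in place of sudo to show why `NAMESILO_API_KEY=... sudo lego ...` left the key unset: like sudo's default environment reset, `env -i` discards variables set before it and keeps only those given after it.

```shell
#!/bin/sh
# Added example, not from the thread, Bitnami or lego: cron-safe lego renewal
# wrapper for the DNS-01 challenge with the NameSilo provider.
# Assumptions: the credentials file location, the --renew flag, the email
# placeholder and the function names. Binary paths and domains follow the thread.
set -euf   # -f: no globbing, so "*.johocen.com" stays a literal argument

LEGO_BIN="${LEGO_BIN:-/opt/bitnami/letsencrypt/lego}"
LEGO_PATH="${LEGO_PATH:-/opt/bitnami/letsencrypt}"
HTTPD="${HTTPD:-/opt/bitnami/apache2/bin/httpd}"
HTTPD_CONF="${HTTPD_CONF:-/opt/bitnami/apache2/conf/httpd.conf}"
CRED_FILE="${CRED_FILE:-/opt/bitnami/letsencrypt/namesilo.env}"  # assumed; holds NAMESILO_API_KEY=...
EMAIL="${LEGO_EMAIL:-admin@example.com}"                           # placeholder
DOMAINS="johocen.com *.johocen.com"

# Octal permission bits of a file (GNU stat, with BSD stat as a fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# Export NAMESILO_API_KEY (and, if present, NAMESILO_PROPAGATION_TIMEOUT) from
# CRED_FILE. Refuses any file that is group- or world-readable, so the key
# never has to appear on the command line, in the crontab or in `ps` output.
load_credentials() {
    f="$1"
    [ -f "$f" ] || { echo "credentials file $f is missing" >&2; return 1; }
    mode=$(file_mode "$f")
    case "$mode" in
        600|400) ;;
        *) echo "refusing $f: mode $mode, expected 600 (owner-only)" >&2; return 1 ;;
    esac
    set -a; . "$f"; set +a
    [ -n "${NAMESILO_API_KEY:-}" ] || { echo "NAMESILO_API_KEY not set in $f" >&2; return 1; }
}

# Print the lego arguments, one per line, for "run" or "renew". For "renew",
# --days=30 (lego's default) reissues only when fewer than 30 days remain, so
# a monthly cron does not request a fresh certificate every time it fires.
lego_args() {
    action="$1"
    printf '%s\n' "--dns=namesilo" "--email=$EMAIL" "--path=$LEGO_PATH"
    for d in $DOMAINS; do printf '%s\n' "--domains=$d"; done
    printf '%s\n' "$action"
    if [ "$action" = renew ]; then printf '%s\n' "--days=30"; fi
}

# Why `NAMESILO_API_KEY=... sudo lego ...` failed in the thread: sudo builds a
# fresh environment for the command, so a variable set *before* sudo is dropped.
# `env -i` also starts the child with an empty environment, which shows the
# same behaviour without needing sudo. The first prints "unset", the second "secret".
key_before_env() { NAMESILO_API_KEY=secret env -i /bin/sh -c 'echo "${NAMESILO_API_KEY:-unset}"'; }
key_after_env()  { env -i NAMESILO_API_KEY=secret /bin/sh -c 'echo "${NAMESILO_API_KEY:-unset}"'; }

# Renew with DNS-01 (no need to stop Apache: the challenge uses neither port 80
# nor 443), then reload Apache gracefully so it picks up the new files.
renew_certificate() {
    load_credentials "$CRED_FILE"
    # shellcheck disable=SC2046  # word splitting is intended; globbing is off
    "$LEGO_BIN" $(lego_args renew)
    "$HTTPD" -f "$HTTPD_CONF" -k graceful
}

# Run from cron as:  0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh --renew
# Without --renew the script only defines the functions above.
if [ "${1:-}" = "--renew" ]; then renew_certificate; fi
```

Create the credentials file once with `umask 077` (for example `umask 077; printf 'NAMESILO_API_KEY=...\n' > /opt/bitnami/letsencrypt/namesilo.env`) and keep the crontab line free of secrets; the wrapper refuses to run if the file is later loosened to 644, which is the failure that would otherwise silently expose the key to every local user.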

Hi @jota

Do you mean I am supposed to set the API key when renewing the certificate? Or where can I find the instructions to make sure?

I think you will need to set the API Key value when running the renew command. You can try to renew the certificate once you finish creating it, this command will allow you to run the renewal process

sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90

If it doesn’t return any error, you are good to go.

Hi @jota

Got a “time out” error. Do I need to set the Additional Configuration for NAMESILO_PROPAGATION_TIMEOUT?

2019/09/16 10:31:02 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/16 10:31:03 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/255366779
2019/09/16 10:31:03 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/366085102
2019/09/16 10:31:03 [INFO] [johocen.com] acme: authorization already valid; skipping challenge
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: use dns-01 solver
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Preparing to solve DNS-01
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Trying to solve DNS-01
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Checking DNS record propagation using [169.254.169.254:53]
2019/09/16 10:31:03 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/09/16 10:31:04 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:06 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:08 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:10 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:12 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:14 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:16 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:18 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:20 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:22 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:24 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:26 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:28 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:30 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:32 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:34 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:36 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:38 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:40 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:42 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:45 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:47 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:49 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:51 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:53 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:55 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:57 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:59 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:01 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:03 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:05 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/16 10:32:06 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[*.johocen.com] time limit exceeded: last error: NS ns1.dnsowl.com. did not return the expected TXT record [fqdn: _acme-challenge.johocen.com., value: Bp1IZfoGqWIzZwFFBOQhXlkCfqTLunZPwG2t5TrkZEg]: 13DobYBLHfgdWXBwwyiw4sRlOqktG3kQ-xxxxxxxxxx

Hi @mubiesam,

It seems that the DNS configuration is not properly set and Let’s Encrypt can’t validate your domain, did you follow the instructions here?

https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

As I mentioned above, the lego support team will probably be able to provide you with more information about how to proceed:

https://github.com/go-acme/lego

In case you want to use any other method to generate the SSL certificate, please use the one you are more familiar with and once you have the certificates, we will help you to configure the SSL certificates in the Bitnami solution.

Thanks

Hi @jota

It seems that “acme: authorization already valid; skipping challenge”
But “Wait for propagation” got “time limit exceeded”

I had asked for help both on lego support and namesilo, but in case you have any new thought, please let me know.

Thanks for your help.

Hi @jota

Sorry to bother you again, but it’s really driving me crazy since I used the Bitnami HTTPS configuration tool. Please help me find a way out.

I had asked for help on lego support for “time limit exceeded”, got answer “you can change the timeout by defining the env var NAMESILO_PROPAGATION_TIMEOUT”

So I tried with

sudo NAMESILO_API_KEY=xxxxxxxxxxxxxxxxxxxxx NAMESILO_PROPAGATION_TIMEOUT=15m /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run

But got
acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)

I checked NameSilo: there are 5 _acme-challenge TXT records (4 _acme-challenge + 1 _acme-challenge.www). I had added 2 manually before using the Bitnami HTTPS configuration tool, so the other 3 should have been created by the Bitnami tool.

Should I delete all 5 existing records and run the lego command again? Or how can I identify which ones should be kept?

Thanks

2019/09/17 09:31:59 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/17 09:32:00 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/380243879
2019/09/17 09:32:00 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/380243881
2019/09/17 09:32:00 [INFO] [*.johocen.com] acme: use dns-01 solver
2019/09/17 09:32:00 [INFO] [johocen.com] acme: Could not find solver for: tls-alpn-01
2019/09/17 09:32:00 [INFO] [johocen.com] acme: Could not find solver for: http-01
2019/09/17 09:32:00 [INFO] [johocen.com] acme: use dns-01 solver
2019/09/17 09:32:00 [INFO] [*.johocen.com] acme: Preparing to solve DNS-01
2019/09/17 09:32:01 [INFO] [johocen.com] acme: Preparing to solve DNS-01
2019/09/17 09:32:02 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/17 09:32:03 [INFO] [johocen.com] acme: Cleaning DNS-01 challenge
2019/09/17 09:32:04 Could not obtain certificates: acme: Error -> One or more domains had a problem:
[*.johocen.com] [*.johocen.com] acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)
[johocen.com] [johocen.com] acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)

Hi @mubiesam,

We have not tried that process yet and think that there is something wrong with the DNS configuration or the lego tool. As I mentioned before, I think the lego developers or your DNS company’s support team will probably be able to provide more information about the errors you are getting.

At the beginning of the thread, you mentioned that you didn’t have problems when adding wildcards before, did you try that other process? Did you follow a different approach?

Thanks

Hi @jota

To be honest, you are the only one who has responded to my questions, and always the earliest; I appreciate it very much.

I’m still waiting for lego support and NameSilo, but I do need your help to find a quicker solution.

The way I created SSL certificates on Let’s Encrypt was “Manually Verify Domain (DNS)”:
https://www.sslforfree.com/create?domains=johocen.com+www.johocen.com
I don’t need to use wildcards, yet every new subdomain added will automatically get SSL.
But it’s painful to do it manually every 90 days.

That would be my last resort to go back to, but if there is no other choice, I will still need to do so.
Please also tell me whether I need to revoke anything created by the Bitnami HTTPS configuration tool.

Thanks

Hi @mubiesam,

Your site is already secure so you have some time before worrying about the SSL certificate renewal process.

If you used a Certificate Authority to sign the certificates before, you didn’t need to configure the DNS settings or use any tool to generate them. You simply needed to copy the files to the server and start to use them. With Let’s Encrypt, the server needs to validate that your domain is really yours so that’s why they provide different validation processes.

The renewal process should have been configured in the instance when you used the Bitnami HTTPS configuration tool so this shouldn’t be a problem for now. As you can see, the cron output shows the command to renew it.

I wouldn’t remove anything for now. As I mentioned before, I’d finish generating the domain with the DNS validation (so you can use wildcards) and then we will help you to substitute the certificates and the renewal process to use them from that time on.

Hi @jota

Thanks for your reply, it calms me down a lot.

But we do need the wildcards for the new sites that are created automatically, since our project is counting on this, so we do have time pressure before the certificate renewal process.

Anyway, will wait for your further notice.

Thanks again!