Site down after running Bitnami HTTPS Configuration Tool

Hi @jota

Got “no crontab for root” after running “sudo crontab -l”. Can you tell me where the crontab is located?

Thanks

Hi @jota
In the Troubleshooting section for this tool, there is “Manually Revoking An Existing Certificate”.
If we don’t want to use this tool anymore, do we need to change these two lines?
SSLCertificateFile “/opt/bitnami/apache2/conf/server.crt”
SSLCertificateKeyFile “/opt/bitnami/apache2/conf/server.key”

An early response would be highly appreciated.

Hi @mubiesam,

The alternative approach uses the lego tool. It’s a client written in Go that allows you to generate Let’s Encrypt certificates. It also supports other challenge types, like the DNS one, which allows you to use wildcards.

https://github.com/go-acme/lego
https://letsencrypt.org/es/docs/challenge-types/

I mentioned that our guide uses the TLS challenge, so you will need to use the DNS one when running the lego tool.

Well, our tool takes care of creating the SSL certificates, configuring the web server and configuring the renewal process. I told you to remove the line in the cron job so that the renewal is not performed (because you will use a different tool to generate the new certificates and configure the renewal process, so you will avoid problems when removing the existing cron job), but the certificates will be kept in the instance. Please note that they are just files that contain the information about your domain.

Ok, can you check the bitnami’s crontab?

sudo crontab -l -u bitnami

If you revoke the certificates and use the dummy ones we include, you will run into the security issues that you got before. I’d keep the certificates while you generate the new ones using the wildcards. This way, you will be able to access your current domains using HTTPS. Once you have the new certificates with the wildcard, you can change the Apache’s configuration to start using them.

Happy to help!


Was my answer helpful? Click on :heart:

Hi @jota
Sorry to bother you so much, but I do need your help to get through this complication.

This is what I did…

sudo crontab -l -u bitnami

0 0 1 * * sudo /opt/bitnami/letsencrypt/lego --path /opt/bitnami/letsencrypt --email="mubiesam@gmail.com" --http --http-timeout 30 --http.webroot /opt/bitnami/apps/letsencrypt --domains=johocen.com renew && sudo /opt/bitnami/apache2/bin/httpd -f /opt/bitnami/apache2/conf/httpd.conf -k graceful # bncert-autorenew

sudo /opt/bitnami/letsencrypt/lego --dns --email="mubiesam@gmail.com" --domains="johocen.com" --domains="*.johocen.com" --path="/opt/bitnami/letsencrypt" run
2019/09/13 03:49:39 You have to pass an account (email address) to the program using --email or -m

Not sure what to do here. Is it because I changed --tls to --dns?
There is no instruction in the Alternative Approach section for using DNS instead of TLS.

Thanks

Hi @mubiesam,

First of all, remember to remove the lego line in the crontab when we finish creating the new certificates. You can simply edit the file by running this command:

sudo crontab -e -u bitnami

Note: we were using the -l option previously to list the lines but the -e option allows you to edit the file.

You are missing some parameters when running the lego command. You will need to set the provider and provide the required information:

Credentials for DNS providers must be passed through environment variables.

To display the documentation for a DNS provider:

  $ lego dnshelp -c code

All DNS codes:
  acme-dns, alidns, auroradns, azure, bindman, bluecat, cloudflare, cloudns, cloudxns, conoha, designate, digitalocean, dnsimple, dnsmadeeasy, dnspod, dode, dreamhost, duckdns, dyn, easydns, exec, exoscale, fastdns, gandi, gandiv5, gcloud, glesys, godaddy, hostingde, httpreq, iij, inwx, joker, lightsail, linode, linodev4, manual, mydnsjp, namecheap, namedotcom, namesilo, netcup, nifcloud, ns1, oraclecloud, otc, ovh, pdns, rackspace, rfc2136, route53, sakuracloud, selectel, stackpath, transip, vegadns, versio, vscale, vultr, zoneee

More information: https://go-acme.github.io/lego/dns

You can either review the lego documentation, ask in its forum to learn more about that, follow the approach of this other user who followed the Lightsail documentation (please note that you are using Google), or use the same method you used in the past to generate the certificates.

I hope it helps

Hi @jota

Thank you for the explanation, but sorry for my poor English and lack of technical background; I’m still not quite sure after studying all the documents. Please correct me if anything is wrong in the steps I’m going to do:

  1. Obtain a certificate using the DNS challenge

    sudo /opt/bitnami/ctlscript.sh stop
    NAMESILO_API_KEY=xxxxxxxxxxxa84330febba8a83208921177bffe733
    sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run
    Is the Additional Configuration necessary, as stated in https://go-acme.github.io/lego/dns/namesilo/ ?

  2. Configure The Web Server To Use The Let’s Encrypt Certificate For Apache:

    sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
    sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
    sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.key /opt/bitnami/apache2/conf/server.key
    sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.crt /opt/bitnami/apache2/conf/server.crt
    sudo chown root:root /opt/bitnami/apache2/conf/server*
    sudo chmod 600 /opt/bitnami/apache2/conf/server*
    sudo /opt/bitnami/ctlscript.sh start

  3. Test The Configuration

  4. Renew The Let’s Encrypt Certificate

    sudo /opt/bitnami/ctlscript.sh stop
    sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
    sudo /opt/bitnami/ctlscript.sh start

  5. Create a script

    sudo nano /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
    Save the following content into the script:

#!/bin/bash

sudo /opt/bitnami/ctlscript.sh stop apache
sudo /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

  6. Make the script executable:

    chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
    sudo crontab -e -u bitnami

  7. Add the following lines to the crontab file and save it:

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

But where is the crontab file located?

Thanks

Hi @jota
I tried

NAMESILO_API_KEY=xxxxxxxxxxx \
sudo /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run 

But got

namesilo: some credentials information are missing: NAMESILO_API_KEY

Your help is highly appreciated.

Hi @mubiesam,

Try this command

sudo NAMESILO_API_KEY=xxxxxxxxxxx /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run

And ensure you don’t need to set the API key when renewing the certificate.

Thanks

Hi @jota

Do you mean I should set the API key when renewing the certificate? Or where can I find the instructions to make sure?

I think you will need to set the API Key value when running the renew command. You can try to renew the certificate once you finish creating it; this command will allow you to run the renewal process:

sudo NAMESILO_API_KEY=xxxxxxxxxxx /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90

If it doesn’t return any error, you are good to go.
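As an added example for this thread (it is not the Bitnami guide's script and not part of lego), here is a renewal script that answers the open question above: the renew command needs the same NAMESILO_* variables as the run command, because lego has to create the _acme-challenge TXT record again on every renewal. Instead of putting the API key in the crontab, where it would show up in crontab -l, or on a sudo command line, where it would show up in ps, the script reads it from a root-owned, mode 600 file and exports it after re-executing itself as root, which also sidesteps the sudo env_reset problem seen earlier in the thread. The file name /opt/bitnami/letsencrypt/namesilo.env, the --days 30 threshold and the propagation defaults are assumptions modelled on this thread.

```bash
#!/bin/bash
# Added example for this thread, not the Bitnami guide's script and not part
# of lego. Renews the wildcard certificate with the NameSilo DNS-01 provider.
# Assumptions: lego lives under /opt/bitnami/letsencrypt, the API key is kept
# in /opt/bitnami/letsencrypt/namesilo.env (root-owned, mode 600, one
# NAME=VALUE per line) and Apache is the Bitnami one. Usage:
#   sudo /opt/bitnami/letsencrypt/scripts/renew-certificate.sh renew
set -euo pipefail

LEGO=${LEGO:-/opt/bitnami/letsencrypt/lego}
LEGO_PATH=${LEGO_PATH:-/opt/bitnami/letsencrypt}
CRED_FILE=${CRED_FILE:-/opt/bitnami/letsencrypt/namesilo.env}
HTTPD=${HTTPD:-/opt/bitnami/apache2/bin/httpd}
HTTPD_CONF=${HTTPD_CONF:-/opt/bitnami/apache2/conf/httpd.conf}
EMAIL=${EMAIL:-mubiesam@gmail.com}
DOMAINS=${DOMAINS:-"johocen.com *.johocen.com"}

# The API key can edit the whole zone, not just _acme-challenge, so refuse a
# credentials file that is not owned by us or is readable by anyone else.
check_cred_perms() {
  local f=$1 mode owner
  [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
  set -- $(stat -c '%a %u' "$f" 2>/dev/null || stat -f '%Lp %u' "$f")
  mode=$1 owner=$2
  [ "$owner" = "$(id -u)" ] || { echo "$f is not owned by uid $(id -u)" >&2; return 1; }
  case "$mode" in
    600|400) return 0 ;;
    *) echo "refusing $f with mode $mode (want 600)" >&2; return 1 ;;
  esac
}

# Export NAMESILO_* settings from the file without sourcing it as shell code.
load_creds() {
  local f=$1 line
  check_cred_perms "$f" || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      NAMESILO_*=*) export "$line" ;;
      ''|'#'*) ;;
      *) echo "ignoring unexpected line in $f: ${line%%=*}" >&2 ;;
    esac
  done < "$f"
}

# lego argv for the renewal; --days 30 means "renew only if fewer than 30 days
# are left", so a monthly cron entry renews each 90-day certificate once.
build_renew_args() {
  local d
  RENEW_ARGS=(--dns namesilo --email="$EMAIL" --path="$LEGO_PATH")
  set -f                      # no globbing: "*.johocen.com" must stay literal
  for d in $DOMAINS; do RENEW_ARGS+=(--domains="$d"); done
  set +f
  RENEW_ARGS+=(renew --days 30)
}

renew() {
  # Re-exec under sudo so the key is read and exported here, as root, and is
  # never part of a command line (sudo VAR=x cmd would show it in ps).
  [ "$(id -u)" -eq 0 ] || exec sudo "$0" renew
  load_creds "$CRED_FILE"
  : "${NAMESILO_API_KEY:?NAMESILO_API_KEY not found in $CRED_FILE}"
  # The values that made issuance succeed later in this thread; namesilo.env
  # can override them.
  export NAMESILO_PROPAGATION_TIMEOUT="${NAMESILO_PROPAGATION_TIMEOUT:-3600}"
  export NAMESILO_POLLING_INTERVAL="${NAMESILO_POLLING_INTERVAL:-120}"
  export NAMESILO_TTL="${NAMESILO_TTL:-3600}"
  build_renew_args
  "$LEGO" "${RENEW_ARGS[@]}"
  # DNS-01 never touches ports 80/443, so Apache stays up during the renewal;
  # a graceful restart makes it read the renewed files.
  "$HTTPD" -f "$HTTPD_CONF" -k graceful
}

case "${1:-}" in
  renew) renew ;;
esac
```

Install it with a crontab entry such as 0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh renew (in root's crontab via sudo crontab -e, or in the bitnami user's crontab, since the script calls sudo itself), and remove the bncert-autorenew line so the two renewals do not race for the same files. Because the credentials file is parsed line by line rather than sourced, a stray command in it cannot be executed as root.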

Hi @jota

Got a “time out” error. Do I need to set the Additional Configuration for NAMESILO_PROPAGATION_TIMEOUT?

2019/09/16 10:31:02 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/16 10:31:03 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/255366779
2019/09/16 10:31:03 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/366085102
2019/09/16 10:31:03 [INFO] [johocen.com] acme: authorization already valid; skipping challenge
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: use dns-01 solver
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Preparing to solve DNS-01
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Trying to solve DNS-01
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Checking DNS record propagation using [169.254.169.254:53]
2019/09/16 10:31:03 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/09/16 10:31:04 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:06 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:08 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:10 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:12 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:14 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:16 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:18 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:20 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:22 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:24 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:26 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:28 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:30 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:32 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:34 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:36 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:38 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:40 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:42 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:45 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:47 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:49 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:51 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:53 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:55 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:57 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:59 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:01 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:03 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:05 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/16 10:32:06 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[*.johocen.com] time limit exceeded: last error: NS ns1.dnsowl.com. did not return the expected TXT record [fqdn: _acme-challenge.johocen.com., value: Bp1IZfoGqWIzZwFFBOQhXlkCfqTLunZPwG2t5TrkZEg]: 13DobYBLHfgdWXBwwyiw4sRlOqktG3kQ-xxxxxxxxxx

Hi @mubiesam,

It seems that the DNS configuration is not properly set and Let’s Encrypt can’t validate your domain. Did you follow the instructions here?

https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

As I mentioned above, the lego support team will probably provide you with more information about how to proceed:

https://github.com/go-acme/lego

In case you want to use any other method to generate the SSL certificate, please use the one you are more familiar with and once you have the certificates, we will help you to configure the SSL certificates in the Bitnami solution.

Thanks

Hi @jota

It seems that I get “acme: authorization already valid; skipping challenge”, but “Wait for propagation” ends with “time limit exceeded”.

I had asked for help both on lego support and namesilo, but in case you have any new thought, please let me know.

Thanks for your help.

Hi @jota

Sorry to bother you again, but it’s really driving me crazy since I used the Bitnami HTTPS configuration tool; please help me find a way out.

I had asked for help on lego support for “time limit exceeded”, got answer “you can change the timeout by defining the env var NAMESILO_PROPAGATION_TIMEOUT”

So I tried with

sudo NAMESILO_API_KEY=xxxxxxxxxxxxxxxxxxxxx NAMESILO_PROPAGATION_TIMEOUT=15m /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run

But got
acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)

I checked NAMESILO: there are 5 _acme-challenge TXT records (4 _acme-challenge + 1 _acme-challenge.www). I had added 2 manually before using the Bitnami HTTPS configuration tool, so the other 3 should have been created by the Bitnami tool.

Should I delete all 5 existing and run the lego command again? or how can I identify which should be kept?

Thanks

2019/09/17 09:31:59 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/17 09:32:00 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/380243879
2019/09/17 09:32:00 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/380243881
2019/09/17 09:32:00 [INFO] [*.johocen.com] acme: use dns-01 solver
2019/09/17 09:32:00 [INFO] [johocen.com] acme: Could not find solver for: tls-alpn-01
2019/09/17 09:32:00 [INFO] [johocen.com] acme: Could not find solver for: http-01
2019/09/17 09:32:00 [INFO] [johocen.com] acme: use dns-01 solver
2019/09/17 09:32:00 [INFO] [*.johocen.com] acme: Preparing to solve DNS-01
2019/09/17 09:32:01 [INFO] [johocen.com] acme: Preparing to solve DNS-01
2019/09/17 09:32:02 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/17 09:32:03 [INFO] [johocen.com] acme: Cleaning DNS-01 challenge
2019/09/17 09:32:04 Could not obtain certificates: acme: Error -> One or more domains had a problem:
[*.johocen.com] [*.johocen.com] acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)
[johocen.com] [johocen.com] acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)

Hi @mubiesam,

We have not tried that process yet and think that there is something wrong with the DNS configuration or the lego tool. As I mentioned before, I think the lego developers or your DNS company’s support team will probably provide more information about the errors you are getting.

At the beginning of the thread, you mentioned that you didn’t have problems when adding wildcards before, did you try that other process? Did you follow a different approach?

Thanks

Hi @jota

To be honest, you are always the first to respond to my questions, and I appreciate it very much.

I’m still waiting for lego support and Namesilo, but I do need your help to find a solution sooner.

The way I created the SSL certificate on Let’s Encrypt before was “Manually Verify Domain (DNS)”:
https://www.sslforfree.com/create?domains=johocen.com+www.johocen.com
I don’t need to use wildcards, yet every new subdomain added automatically gets SSL.
But it’s painful to do it manually every 90 days.

Going back to that will be my last resort, but if there is no other choice, I will still need to do so.
Please also tell me whether I need to revoke anything created by the Bitnami HTTPS configuration tool.

Thanks

Hi @mubiesam,

Your site is already secure so you have some time before worrying about the SSL certificate renewal process.

If you used a Certificate Authority to sign the certificates before, you didn’t need to configure the DNS settings or use any tool to generate them. You simply needed to copy the files to the server and start to use them. With Let’s Encrypt, the server needs to validate that your domain is really yours so that’s why they provide different validation processes.

The renewal process should have been configured in the instance when you used the Bitnami HTTPS configuration tool so this shouldn’t be a problem for now. As you can see, the cron output shows the command to renew it.

I wouldn’t remove anything for now. As I mentioned before, I’d finish generating the domain with the DNS validation (so you can use wildcards) and then we will help you to substitute the certificates and the renewal process to use them from that time on.

Hi @jota

Thanks for your reply, it calms me down a lot.

But we do need the wildcards for the new sites that are created automatically; since our project is counting on this, we are under time pressure even before the certificate renewal process.

Anyway, will wait for your further notice.

Thanks again!

Hi @jota

FYR, got reply from Namesilo…

This is what we got back from our IT:
Can the user get us the full log? This is not an issue of Namesilo. It's a feature of Letsencrypt that is not implemented via our API. The customer can use the HTTP method to get certs.

I sent them the full log and reminded them that our use case does need wildcards, so the DNS challenge is the only choice.

But from their reply, do you think they did not implement the DNS challenge? In that case, what would be our best approach?

Thanks

Hi @jota

Finally, it seems to be working after adding the Additional Configuration…

NAMESILO_PROPAGATION_TIMEOUT=3600 NAMESILO_POLLING_INTERVAL=120 NAMESILO_TTL=3600

although with a nonce error retry: acme: error: 400

2019/09/21 08:34:27 [INFO] [johocen.com] The server validated our request
2019/09/21 08:34:27 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/21 08:34:28 [INFO] [johocen.com] acme: Cleaning DNS-01 challenge
2019/09/21 08:34:29 [INFO] [johocen.com, *.johocen.com] acme: Validations succeeded; requesting certificates
2019/09/21 08:34:31 [INFO] [johocen.com] Server responded with a certificate.

But I forgot to

sudo /opt/bitnami/ctlscript.sh stop

So, should I now do “Configure The Web Server To Use The Let’s Encrypt Certificate For Apache” with these…

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.crt /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*        
sudo /opt/bitnami/ctlscript.sh start

And then “Renew The Let’s Encrypt Certificate”, but with the Additional Configuration or not? (Also in the script?)
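As an added example for the swap step asked about above (it is not the Bitnami guide's procedure and not part of lego), here is a script that checks the files lego wrote before Apache is pointed at them: that the private key really belongs to the certificate, that the certificate carries both johocen.com and *.johocen.com as DNS SANs, and that it is not about to expire. Only then does it move the old server.crt/server.key/server.csr aside with a timestamp, link in the new pair, syntax-check the Apache configuration and reload gracefully. Stopping Apache is not needed here: DNS-01 validation never touches ports 80 or 443, and a graceful restart is enough for the new files to take effect. The paths are the ones used in this thread and are assumptions for any other install.

```bash
#!/bin/bash
# Added example for this thread (not the Bitnami guide's steps): check the
# files lego wrote before pointing Apache at them, then swap with backups.
# Assumed paths are the ones used in this thread. Usage:
#   sudo ./install-wildcard-cert.sh install
set -euo pipefail

CERT_DIR=${CERT_DIR:-/opt/bitnami/letsencrypt/certificates}
APACHE_CONF=${APACHE_CONF:-/opt/bitnami/apache2/conf}
HTTPD=${HTTPD:-/opt/bitnami/apache2/bin/httpd}
NAME=${NAME:-johocen.com}

# 0 when the private key's public half equals the certificate's public key.
key_matches_cert() {
  local cert=$1 key=$2 a b
  a=$(openssl x509 -in "$cert" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl pkey -in "$key" -pubout -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# 0 when the first certificate in the file lists $2 as a DNS SAN. A wildcard
# covers one label only: "*.johocen.com" does not cover "a.b.johocen.com".
cert_has_san() {
  local cert=$1 want=$2
  openssl x509 -in "$cert" -noout -text \
    | grep -A1 'Subject Alternative Name' | grep -F "DNS:$want" >/dev/null
}

# 0 when the certificate stays valid for at least $2 seconds (default 30 days).
cert_not_expiring() {
  local cert=$1 secs=${2:-2592000}
  openssl x509 -in "$cert" -noout -checkend "$secs" >/dev/null
}

install_cert() {
  local cert=$CERT_DIR/$NAME.crt key=$CERT_DIR/$NAME.key ts f p
  [ "$(id -u)" -eq 0 ] || { echo "run as root (sudo)" >&2; return 1; }
  key_matches_cert "$cert" "$key" || { echo "key does not match cert" >&2; return 1; }
  cert_has_san "$cert" "$NAME" || { echo "cert lacks DNS:$NAME" >&2; return 1; }
  cert_has_san "$cert" "*.$NAME" || { echo "cert lacks DNS:*.$NAME" >&2; return 1; }
  cert_not_expiring "$cert" || { echo "cert expires within 30 days" >&2; return 1; }
  ts=$(date +%Y%m%d%H%M%S)
  for f in server.crt server.key server.csr; do
    # keep every previous file; a failed swap is undone by moving it back
    p=$APACHE_CONF/$f
    if [ -L "$p" ] || [ -e "$p" ]; then mv "$p" "$p.$ts.old"; fi
  done
  ln -sf "$cert" "$APACHE_CONF/server.crt"
  ln -sf "$key" "$APACHE_CONF/server.key"
  chown root:root "$cert" "$key"
  chmod 600 "$cert" "$key"
  # syntax-check first, so a bad pair fails here and not at the reload
  "$HTTPD" -f "$APACHE_CONF/httpd.conf" -t
  "$HTTPD" -f "$APACHE_CONF/httpd.conf" -k graceful
}

case "${1:-}" in
  install) install_cert ;;
esac
```

If the configuration test fails, the script exits before the reload and the previous files are still present with the .old suffix, so the site keeps serving the old certificate until the pair is fixed or moved back. The three check functions are also useful on their own against the lego output directory after every renewal.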