Site down after running Bitnami HTTPS Configuration Tool

Hi @jota

Got error “time out”, do I need to set Additional Configuration for NAMESILO_PROPAGATION_TIMEOUT?

2019/09/16 10:31:02 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/16 10:31:03 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/255366779
2019/09/16 10:31:03 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/366085102
2019/09/16 10:31:03 [INFO] [johocen.com] acme: authorization already valid; skipping challenge
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: use dns-01 solver
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Preparing to solve DNS-01
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Trying to solve DNS-01
2019/09/16 10:31:03 [INFO] [*.johocen.com] acme: Checking DNS record propagation using [169.254.169.254:53]
2019/09/16 10:31:03 [INFO] Wait for propagation [timeout: 1m0s, interval: 2s]
2019/09/16 10:31:04 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:06 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:08 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:10 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:12 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:14 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:16 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:18 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:20 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:22 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:24 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:26 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:28 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:30 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:32 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:34 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:36 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:38 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:40 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:42 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:45 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:47 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:49 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:51 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:53 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:55 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:57 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:31:59 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:01 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:03 [INFO] [*.johocen.com] acme: Waiting for DNS record propagation.
2019/09/16 10:32:05 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/16 10:32:06 Could not obtain certificates:
acme: Error -> One or more domains had a problem:
[*.johocen.com] time limit exceeded: last error: NS ns1.dnsowl.com. did not return the expected TXT record [fqdn: _acme-challenge.johocen.com., value: Bp1IZfoGqWIzZwFFBOQhXlkC
fqTLunZPwG2t5TrkZEg]: 13DobYBLHfgdWXBwwyiw4sRlOqktG3kQ-xxxxxxxxxx
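
What the log above is waiting for, as an added illustration that is not part of the original post and not lego's or Bitnami's code: for each authorization lego computes a TXT value from the challenge token and the ACME account key thumbprint, publishes it at `_acme-challenge.<domain>`, then polls the zone's authoritative nameserver until the value is visible or the propagation timeout (here 1m0s at a 2s interval) expires. The token, thumbprint and resolver below are constructed so the example runs offline; the fake clock and sleep only exist to make the wait loop testable. It also shows why `johocen.com` and `*.johocen.com` end up with two TXT records at the same name: RFC 8555 strips the `*.` label before prepending `_acme-challenge`.

```python
"""DNS-01 record computation and a lego-style propagation wait (added example)."""
import base64
import hashlib
import time
from typing import Callable, Dict, List, Set


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 8555 requires for challenge material."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def challenge_fqdn(domain: str) -> str:
    """Name that carries the TXT record (RFC 8555 section 8.4).

    A wildcard identifier is validated at the same name as its base domain, so
    '*.johocen.com' and 'johocen.com' both map to _acme-challenge.johocen.com.
    and two TXT values legitimately coexist there while one order is validated.
    """
    if domain.startswith("*."):
        domain = domain[2:]
    return "_acme-challenge." + domain.rstrip(".") + "."


def txt_value(token: str, account_thumbprint: str) -> str:
    """TXT value = base64url(SHA-256(token + '.' + thumbprint))."""
    key_authorization = (token + "." + account_thumbprint).encode("ascii")
    return b64url(hashlib.sha256(key_authorization).digest())


def plan_records(domains: List[str], tokens: Dict[str, str],
                 thumbprint: str) -> Dict[str, Set[str]]:
    """Group the TXT values an order needs by the name they must be published at."""
    plan: Dict[str, Set[str]] = {}
    for d in domains:
        plan.setdefault(challenge_fqdn(d), set()).add(txt_value(tokens[d], thumbprint))
    return plan


# A resolver answers the TXT values the authoritative NS currently serves for a name.
Resolver = Callable[[str], Set[str]]


def wait_for_propagation(fqdn: str, expected: str, resolve: Resolver,
                         timeout: float, interval: float,
                         clock=time.monotonic, sleep=time.sleep) -> bool:
    """Poll `resolve` until `expected` is served or `timeout` seconds elapse.

    Querying the zone's authoritative NS (as lego does) rather than a caching
    resolver matters: a cached negative answer would hide a fresh record for the
    whole TTL. Returns True on success, False on 'time limit exceeded'.
    """
    deadline = clock() + timeout
    while True:
        if expected in resolve(fqdn):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


if __name__ == "__main__":
    # Constructed tokens and thumbprint; real ones come from the CA and account key.
    tokens = {"johocen.com": "token-for-apex", "*.johocen.com": "token-for-wildcard"}
    for name, values in plan_records(list(tokens), tokens, "constructed-thumbprint").items():
        for v in sorted(values):
            print(f'{name} IN TXT "{v}"')
```

The two printed records share one owner name, which is the situation in which a DNS API that rejects "duplicate" records, or leftover `_acme-challenge` entries from earlier attempts, gets in the way of issuance; lego's `Cleaning DNS-01 challenge` step is what removes its own records afterwards.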

Hi @mubiesam,

It seems that the DNS configuration is not properly set and Let’s Encrypt can’t validate your domain. Did you follow the instructions here?

https://letsencrypt.org/docs/challenge-types/#dns-01-challenge

As I mentioned above, the lego support team will probably provide you with more information about how to proceed

https://github.com/go-acme/lego

In case you want to use any other method to generate the SSL certificate, please use the one you are more familiar with and once you have the certificates, we will help you to configure the SSL certificates in the Bitnami solution.

Thanks

Hi @jota

It seems that “acme: authorization already valid; skipping challenge”
But “Wait for propagation” got “time limit exceeded”

I had asked for help both on lego support and namesilo, but in case you have any new thought, please let me know.

Thanks for your help.

Hi @jota

Sorry to bother you again, but it’s really driving me crazy since I used Bitnami HTTP configuration tool, please help me to get a way out.

I had asked for help on lego support for “time limit exceeded”, got answer “you can change the timeout by defining the env var NAMESILO_PROPAGATION_TIMEOUT”

So I tried with

sudo NAMESILO_API_KEY=xxxxxxxxxxxxxxxxxxxxx NAMESILO_PROPAGATION_TIMEOUT=15m /opt/bitnami/letsencrypt/lego --dns="namesilo" --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" run

But got
acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)

I checked NameSilo; there are 5 _acme-challenge TXT records (4 _acme-challenge + 1 _acme-challenge.www). I had added 2 manually before using the Bitnami HTTP configuration tool, so the other 3 should have been created by the Bitnami tool.

Should I delete all 5 existing and run the lego command again? or how can I identify which should be kept?

Thanks

2019/09/17 09:31:59 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/17 09:32:00 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/380243879
2019/09/17 09:32:00 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/380243881
2019/09/17 09:32:00 [INFO] [*.johocen.com] acme: use dns-01 solver
2019/09/17 09:32:00 [INFO] [johocen.com] acme: Could not find solver for: tls-alpn-01
2019/09/17 09:32:00 [INFO] [johocen.com] acme: Could not find solver for: http-01
2019/09/17 09:32:00 [INFO] [johocen.com] acme: use dns-01 solver
2019/09/17 09:32:00 [INFO] [*.johocen.com] acme: Preparing to solve DNS-01
2019/09/17 09:32:01 [INFO] [johocen.com] acme: Preparing to solve DNS-01
2019/09/17 09:32:02 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/17 09:32:03 [INFO] [johocen.com] acme: Cleaning DNS-01 challenge
2019/09/17 09:32:04 Could not obtain certificates: acme: Error -> One or more domains had a problem:
[*.johocen.com] [*.johocen.com] acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)
[johocen.com] [johocen.com] acme: error presenting token: namesilo: failed to add record code: 280, details: could not add resource record to domain since it already exists (duplicate)

Hi @mubiesam,

We have not tried that process yet and think that there is something wrong with the DNS configuration or the lego tool. As I mentioned before, I think the lego developers or your DNS company’s support team will probably provide more information about the errors you are getting.

At the beginning of the thread, you mentioned that you didn’t have problems when adding wildcards before, did you try that other process? Did you follow a different approach?

Thanks

Hi @jota

To be honest, you are the only one who responded to my questions the earliest every time; I appreciate it very much.

I’m still waiting for lego support and NameSilo, but I do need your help to find an earlier solution.

The way I created the SSL certificate on Let’s Encrypt was Manually Verify Domain (DNS)
https://www.sslforfree.com/create?domains=johocen.com+www.johocen.com
I don’t need to use wildcards, yet every new subdomain added will automatically get SSL.
But it’s painful to do it manually every 90 days.

That will be my last step to go back, but if no other choice, still need to do so.
Please also tell me whether I need to revoke anything that was created by the Bitnami HTTP configuration tool.

Thanks

Hi @mubiesam,

Your site is already secure so you have some time before worrying about the SSL certificate renewal process.

If you used a Certificate Authority to sign the certificates before, you didn’t need to configure the DNS settings or use any tool to generate them. You simply needed to copy the files to the server and start to use them. With Let’s Encrypt, the server needs to validate that your domain is really yours so that’s why they provide different validation processes.

The renewal process should have been configured in the instance when you used the Bitnami HTTPS configuration tool so this shouldn’t be a problem for now. As you can see, the cron output shows the command to renew it.

I wouldn’t remove anything for now. As I mentioned before, I’d finish generating the domain with the DNS validation (so you can use wildcards) and then we will help you to substitute the certificates and the renewal process to use them from that time on.

Hi @jota

Thanks for your reply, it calms me down a lot.

But we do need the wildcards for the new sites that are created automatically. Since our project is counting on this, we do have time pressure before the certificate renewal process.

Anyway, will wait for your further notice.

Thanks again!

Hi @jota

FYR, got reply from Namesilo…

this is what we got back from our IT:
Can the user get us the full log? This is not an issue of NameSilo. It’s not an implemented feature of Let’s Encrypt via our API. The customer can use the HTTP method to get certs.

I had sent them the full log and reminded them that our use case does need wildcards, so the DNS challenge is the only choice.

But from their reply, do you think they did not implement the DNS challenge? In that case, what will be our best approach?

Thanks

Hi @jota

Finally, it seems to be working after adding the Additional Configuration…

NAMESILO_PROPAGATION_TIMEOUT=3600 NAMESILO_POLLING_INTERVAL=120 NAMESILO_TTL=3600

although with a nonce error retry: acme: error: 400

2019/09/21 08:34:27 [INFO] [johocen.com] The server validated our request
2019/09/21 08:34:27 [INFO] [*.johocen.com] acme: Cleaning DNS-01 challenge
2019/09/21 08:34:28 [INFO] [johocen.com] acme: Cleaning DNS-01 challenge
2019/09/21 08:34:29 [INFO] [johocen.com, *.johocen.com] acme: Validations succeeded; requesting certificates
2019/09/21 08:34:31 [INFO] [johocen.com] Server responded with a certificate.

But I forgot to

sudo /opt/bitnami/ctlscript.sh stop

So, should I now Configure The Web Server To Use The Let’s Encrypt Certificate For Apache, with these…

sudo /opt/bitnami/ctlscript.sh stop
sudo mv /opt/bitnami/apache2/conf/server.crt /opt/bitnami/apache2/conf/server.crt.old
sudo mv /opt/bitnami/apache2/conf/server.key /opt/bitnami/apache2/conf/server.key.old
sudo mv /opt/bitnami/apache2/conf/server.csr /opt/bitnami/apache2/conf/server.csr.old
sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.key /opt/bitnami/apache2/conf/server.key
sudo ln -sf /opt/bitnami/letsencrypt/certificates/johocen.com.crt /opt/bitnami/apache2/conf/server.crt
sudo chown root:root /opt/bitnami/apache2/conf/server*
sudo chmod 600 /opt/bitnami/apache2/conf/server*
sudo /opt/bitnami/ctlscript.sh start

And then Renew The Let’s Encrypt Certificate, but with Additional Configuration or not? (also in the script?)

Hi @jota

English is not my mother language, so please help me to confirm my understanding is correct or not, so I can proceed to get the wildcards working before renewal process.

  1. “finish generating the domain with the DNS validation” this is what we did yesterday, got the certificate, right?
  2. “substitute the certificates” this is to “Configure The Web Server To Use The Let’s Encrypt Certificate For Apache”, right?
  3. “renewal process” as you said “The renewal process should have been configured in the instance when you used the Bitnami HTTPS configuration tool”, so we should wait for your help to make sure whether the Additional Configuration is necessary or not?

Thanks

Hi @jota

I did step 2, “substitute the certificates”, and the wildcards are working as expected.

So the last step is the “renewal process”, which is not urgent now, but I do need your help to make sure whether the Additional Configuration needs to be added to the script or not.

Thanks

Perfect @mubiesam, I’m glad to see that you managed to get it working :slight_smile:

So let’s try to create a script now to renew the certificates. You can create this file wherever you want in the instance and add this content

#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo NAMESILO_PROPAGATION_TIMEOUT=3600 NAMESILO_POLLING_INTERVAL=120 NAMESILO_TTL=3600 OTHER_ENVIRONMENT_VARIABLES_HERE /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

Note: add all the environment variables you used when creating the certificates in the renew command (OTHER_ENVIRONMENT_VARIABLES_HERE)

Edit its permissions

sudo chmod +x your_file

and run it

sudo your_file

It shouldn’t return any error message and the expiration date of the certificates should have changed. Can you confirm this?

If everything looks fine, just edit the crontab file, remove the lego line and add your script (0 0 1 * * sudo your_file)

sudo crontab -e -u bitnami

Happy to help!


Was my answer helpful? Click on :heart:

1 Like

Hi @jota

I created the script, edited the permissions, and ran the renew file successfully.

2019/09/25 01:02:21 [INFO] [johocen.com] acme: Trying renewal with 2070 hours remaining
2019/09/25 01:02:21 [INFO] [johocen.com, *.johocen.com] acme: Obtaining bundled SAN certificate
2019/09/25 01:02:22 [INFO] [*.johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/438120057
2019/09/25 01:02:22 [INFO] [johocen.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/438120059
2019/09/25 01:02:22 [INFO] [*.johocen.com] acme: authorization already valid; skipping challenge
2019/09/25 01:02:22 [INFO] [johocen.com] acme: authorization already valid; skipping challenge
2019/09/25 01:02:22 [INFO] [johocen.com, *.johocen.com] acme: Validations succeeded; requesting certificates
2019/09/25 01:02:23 [INFO] [johocen.com] Server responded with a certificate.

But when I ran it the first time without NAMESILO_API_KEY, it responded
2019/09/25 00:59:50 namesilo: some credentials information are missing: NAMESILO_API_KEY
Then I added NAMESILO_API_KEY and ran again, and it was finally successful.
So my question is, do I need to add NAMESILO_API_KEY to the script? Or has the renew script file been set up to renew forever, needing to authenticate only this time and not in the future?

Besides, for the last step, sudo crontab -e -u bitnami, should I add the following with 2> /dev/null at the end, as instructed on this page, and what is that for?
https://docs.bitnami.com/general/how-to/generate-install-lets-encrypt-ssl/#alternative-approach

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

Thanks

If you needed to add the NAMESILO_API_KEY this time, you will need to add it forever. Lego needs to authenticate with your DNS provider every time it renews the certificate.

Yes, you should. It’s a good approach.

1 Like

Hi @jota

I received an email “Let’s Encrypt certificate expiration notice”, which said my certificates “will expire in 19 days (on 14 Dec 19 22:43 +0000)”.

But I had run the renew file successfully on Sep. 25, as in my post #35. Is it because Let’s Encrypt sends reminders ahead of time, before our renew process runs on Dec. 25 for the 90-day period?

Meanwhile, there is a gap between Dec. 14 to Dec. 25, should I manually run the process again before Dec. 19?

Thanks

Hi @mubiesam,

Can you run the renew command and ensure the certificates are renewed properly? If that’s the case, can you share the output of the cron configuration?

sudo crontab -l
crontab -l

Thanks

Hi @jota

Something is wrong with my file; when I run
sudo renew-certificate.sh
I get sudo: renew-certificate.sh: command not found
But the file is under /opt/bitnami/letsencrypt/scripts/renew-certificate.sh with permission 755

#!/bin/bash
sudo /opt/bitnami/ctlscript.sh stop apache
sudo NAMESILO_API_KEY=xxxxxxxxxxxxxxxxx NAMESILO_PROPAGATION_TIMEOUT=3600 NAMESILO_POLLING_INTERVAL=120 NAMESILO_TTL=3600 /opt/bitnami/letsencrypt/lego --dns namesilo --domains="johocen.com" --domains="*.johocen.com" --email="mubiesam@gmail.com" --path="/opt/bitnami/letsencrypt" renew --days 90
sudo /opt/bitnami/ctlscript.sh start apache

While trying to figure out what was wrong, I tried

chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

but got

chmod: changing permissions of '/opt/bitnami/letsencrypt/scripts/renew-certificate.sh': Operation not permitted

I will try to switch off my computer, and do it again tomorrow since it is late here, please leave your comment, I will check first thing in the morning (around 8 hours later).

Thanks

Hi @mubiesam,

You need to use the whole path when running the command. So if you have renew-certificate.sh in the crontab file, you will need to include the whole path as our documentation mentions

https://docs.bitnami.com/google/how-to/generate-install-lets-encrypt-ssl/#step-5-renew-the-let-s-encrypt-certificate

0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

You can check that it works manually by running the following commands

sudo chmod +x /opt/bitnami/letsencrypt/scripts/renew-certificate.sh
sudo /opt/bitnami/letsencrypt/scripts/renew-certificate.sh

Was the certificate renewed?

1 Like
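
A cron-safe version of the renewal step discussed in the two replies above, written here as an added example (it is not Bitnami's or lego's code). The script posted earlier keeps `NAMESILO_API_KEY` inline in a file with mode 755, which every local account on the instance can read, and the suggested cron line discards stderr with `2> /dev/null`, so a failed renewal leaves no trace until the expiration notice arrives. This wrapper reads the NameSilo settings from a root-owned mode 0600 file and refuses to run otherwise, hands them to lego through the environment rather than on the command line (arguments are visible to all users via `ps` and `/proc/*/cmdline`), appends lego's output to a log file, and restarts Apache even when renewal fails. The env-file and log-file paths, the e-mail address and the `--days` value are assumptions; the lego flags are the ones used in this thread.

```python
"""Cron wrapper around `lego ... renew` for the Bitnami layout used in this thread (added example)."""
import os
import stat
import subprocess
from typing import Dict, List

LEGO = "/opt/bitnami/letsencrypt/lego"
CTLSCRIPT = "/opt/bitnami/ctlscript.sh"
CERT_PATH = "/opt/bitnami/letsencrypt"
ENV_FILE = "/opt/bitnami/letsencrypt/namesilo.env"   # assumed location; root:root, mode 0600
LOG_FILE = "/opt/bitnami/letsencrypt/renew.log"      # assumed location
REQUIRED = ("NAMESILO_API_KEY",)                     # lego refuses to run without it
# Propagation settings that worked in this thread; overridable from the env file.
DEFAULTS = {"NAMESILO_PROPAGATION_TIMEOUT": "3600",
            "NAMESILO_POLLING_INTERVAL": "120",
            "NAMESILO_TTL": "3600"}


def parse_env_file(text: str) -> Dict[str, str]:
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    env: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed line in env file: {raw!r}")
        env[key.strip()] = value.strip().strip('"')
    return env


def check_secret_mode(mode: int, uid: int) -> bool:
    """A secrets file must be a regular file owned by root with no group/other bits set."""
    return stat.S_ISREG(mode) and uid == 0 and (mode & 0o077) == 0


def load_secrets(path: str) -> Dict[str, str]:
    """Read the env file, enforcing ownership/mode before touching its contents."""
    st = os.stat(path)
    if not check_secret_mode(st.st_mode, st.st_uid):
        raise PermissionError(f"{path} must be a root-owned regular file with mode 0600")
    with open(path, encoding="ascii") as fh:
        env = parse_env_file(fh.read())
    missing = [k for k in REQUIRED if k not in env]
    if missing:
        raise KeyError("missing in env file: " + ", ".join(missing))
    return env


def lego_renew_argv(domains: List[str], email: str, days: int) -> List[str]:
    """Command line for lego; the API key never appears here, only in the environment."""
    argv = [LEGO, "--dns", "namesilo"]
    for d in domains:
        argv += ["--domains", d]
    argv += ["--email", email, "--path", CERT_PATH, "renew", "--days", str(days)]
    return argv


def run_renewal(domains: List[str], email: str, days: int = 30) -> int:
    """Stop Apache, run lego renew with secrets in the environment, restart Apache, return lego's exit code."""
    env = dict(os.environ)
    env.update(DEFAULTS)
    env.update(load_secrets(ENV_FILE))
    subprocess.run([CTLSCRIPT, "stop", "apache"], check=False)
    try:
        with open(LOG_FILE, "ab") as log:
            proc = subprocess.run(lego_renew_argv(domains, email, days), env=env,
                                  stdout=log, stderr=subprocess.STDOUT, check=False)
    finally:
        # Apache only reads server.crt/server.key at startup, so the restart is what
        # makes a renewed certificate live; it must happen even if lego failed.
        subprocess.run([CTLSCRIPT, "start", "apache"], check=False)
    return proc.returncode


if __name__ == "__main__":
    raise SystemExit(run_renewal(["johocen.com", "*.johocen.com"], "admin@example.com"))
```

Install it as a root-owned script and call it from root's crontab without redirecting stderr, so cron mails (or logs) a non-zero exit. `--days 30` renews only when fewer than 30 days remain; the thread's `--days 90` re-issues on every run, which works but spends Let's Encrypt's duplicate-certificate rate limit for no benefit.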

Hi @jota ,

Sorry for late response, I was away for some days.

sudo crontab -u bitnami -l

# Edit this file to introduce tasks to be run by cron.
# 
# Each task to run has to be defined through a single line
# indicating with different fields when the task will be run
# and what command to run for the task
# 
# To define the time you can provide concrete values for
# minute (m), hour (h), day of month (dom), month (mon),
# and day of week (dow) or use '*' in these fields (for 'any').
# 
# Notice that tasks will be started based on the cron's system
# daemon's notion of time and timezones.
# 
# Output of the crontab jobs (including errors) is sent through
# email to the user the crontab file belongs to (unless redirected).
# 
# For example, you can run a backup of all your user accounts
# at 5 a.m every week with:
# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
# 
# For more information see the manual pages of crontab(5) and cron(8)
# 
# m h  dom mon dow   command
0 0 1 * * /opt/bitnami/letsencrypt/scripts/renew-certificate.sh 2> /dev/null

The crontab above seems to be correct.

Running the above 2 commands also got
[johocen.com, *.johocen.com] acme: Validations succeeded; requesting certificates
[johocen.com] Server responded with a certificate.

Anything else I should pay attention?

Thanks