
fix jitsi.linux.it certificate
Closed, Resolved · Public · 2 Points

Description

Processing /etc/letsencrypt/renewal/login.servizi.linux.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Could not choose appropriate plugin: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',)
Attempting to renew cert (login.servizi.linux.it) from /etc/letsencrypt/renewal/login.servizi.linux.it.conf produced an unexpected error: The manual plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('An authentication script must be provided with --manual-auth-hook when using the manual plugin non-interactively.',). Skipping.

Event Timeline

valerio.bozzolan triaged this task as Unbreak Now! priority. Sep 30 2020, 20:08
valerio.bozzolan created this task.

Tried with:

$ letsencrypt certonly -d jitsi.linux.it --webroot --webroot-path=/usr/share/jitsi-meet
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Cert is due for renewal, auto-renewing...
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for jitsi.linux.it
Using the webroot path /usr/share/jitsi-meet for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. jitsi.linux.it (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jitsi.linux.it/.well-known/acme-challenge/gPU54x5O0vYh3yMYnPtr9C4Oam_c_befr1pgq72lYeI [2a01:4f8:1c0c:738f::1]: "<style type=\"text/css\">h1, h2, h3, p { max-width: 600px; }</style><h1>Sandstorm doesn't recognize this host name</h1><h2>If you "

Note the:

Sandstorm doesn't recognize this host name

But the webroot path works:

$ echo asd > /usr/share/jitsi-meet/.well-known/acme-challenge/gPU54x5O0vYh3yMYnPtr9C4Oam_c_befr1pgq72lYeI
$ wget -O - --quiet --no-check-certificate https://jitsi.linux.it/.well-known/acme-challenge/gPU54x5O0vYh3yMYnPtr9C4Oam_c_befr1pgq72lYeI
asd

Gotcha: it seems our jitsi.linux.it nginx virtualhost is not served via IPv6 connections, and it seems Let's Encrypt visits us from IPv6.

valerio.bozzolan closed this task as Resolved. Edited Oct 1 2020, 10:44
valerio.bozzolan edited projects, added Servizi Linux; removed Italian Linux Society.

Updated from:

/etc/nginx/sites-enabled/jitsi.linux.it.conf
    listen 80;
...
    listen 443 ssl;

To:

/etc/nginx/sites-enabled/jitsi.linux.it.conf
    listen [::]:80;
...
    listen [::]:443 ssl;

But then the IPv4 was not working. Updated to:

/etc/nginx/sites-enabled/jitsi.linux.it.conf
    listen      80;
    listen [::]:80;
...
    listen      443 ssl;
    listen [::]:443 ssl;

Now it works both in IPv4 and IPv6.

Then, renewed successfully with:

letsencrypt certonly -d jitsi.linux.it --webroot --webroot-path=/usr/share/jitsi-meet

NOTE: The prosody.service listening on internal port 5280 and serving /http-bind is showing some warnings:

$ journalctl -u prosody
ott 01 10:32:20 VPS systemd[1]: Started LSB: Prosody XMPP Server.
ott 01 10:32:20 VPS prosody[31378]: certmanager: SSL/TLS: Failed to load '/etc/prosody/certs/auth.jitsi.linux.it.key': Check that the path is correct, and the file exists. (for auth.jitsi.linux.it)
ott 01 10:32:20 VPS prosody[31378]: auth.jitsi.linux.it:tls: Unable to initialize TLS: error loading private key (No such file or directory)
ott 01 10:32:20 VPS prosody[31378]: certmanager: SSL/TLS: Failed to load '/etc/prosody/certs/auth.jitsi.linux.it.key': Previous error (see logs), or other system error. (for auth.jitsi.linux.it)
ott 01 10:32:20 VPS prosody[31378]: auth.jitsi.linux.it:tls: Unable to initialize TLS: error loading private key (system lib)
ott 01 10:32:20 VPS prosody[31378]: certmanager: SSL/TLS: Failed to load '/etc/prosody/certs/auth.jitsi.linux.it.key': Check that the path is correct, and the file exists. (for internal.auth.jitsi.linux.it)
ott 01 10:32:20 VPS prosody[31378]: internal.auth.jitsi.linux.it:tls: Unable to initialize TLS: error loading private key (No such file or directory)
ott 01 10:32:20 VPS prosody[31378]: certmanager: SSL/TLS: Failed to load '/etc/prosody/certs/auth.jitsi.linux.it.key': Previous error (see logs), or other system error. (for internal.auth.jitsi.linux.it)
ott 01 10:32:20 VPS prosody[31378]: internal.auth.jitsi.linux.it:tls: Unable to initialize TLS: error loading private key (system lib)

Tested Jitsi on:

https://jitsi.linux.it/

And it works. Mark as resolved.
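A pre-flight lint for the root cause found in this task, added here as an example and not part of the task or of the linux.it configuration: it checks an nginx server block for both an IPv4 and an IPv6 `listen` directive on ports 80 and 443, so a vhost that only answers the http-01 challenge over one address family is caught before a renewal fails. The sample configs are constructed to mirror the three versions posted above.

```bash
#!/bin/sh
# Added example, not from the original task. When a host has an AAAA record,
# the ACME validator may arrive over IPv6; an nginx vhost listening only on
# IPv4 then lets the default site answer the challenge (here: Sandstorm).

# check_dual_stack FILE PORT
# Returns 0 when FILE has an IPv4 and an IPv6 "listen" directive for PORT,
# otherwise prints what is missing on stderr and returns 1.
check_dual_stack() {
    file=$1; port=$2; missing=""
    # IPv6 form:  listen [::]:80;   (optionally followed by ssl, http2, ...)
    grep -Eq "^[[:space:]]*listen[[:space:]]+\[::\]:${port}([[:space:]]|;)" "$file" \
        || missing="$missing ipv6"
    # IPv4 forms: listen 80;  listen 0.0.0.0:80;  listen 203.0.113.5:80;
    grep -Eq "^[[:space:]]*listen[[:space:]]+([0-9.]+:)?${port}([[:space:]]|;)" "$file" \
        || missing="$missing ipv4"
    if [ -n "$missing" ]; then
        echo "$file: port $port is missing:$missing" >&2
        return 1
    fi
    return 0
}

# lint_conf FILE: check both 80 (http-01 challenge) and 443; non-zero if any fails.
lint_conf() {
    rc=0
    for p in 80 443; do
        check_dual_stack "$1" "$p" || rc=1
    done
    return $rc
}

# Constructed sample configs: IPv4-only (original), IPv6-only (first fix),
# dual-stack (final fix). Written to a temp dir so the script runs offline.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'server {\n    listen 80;\n    listen 443 ssl;\n}\n' > "$tmp/v4only.conf"
printf 'server {\n    listen [::]:80;\n    listen [::]:443 ssl;\n}\n' > "$tmp/v6only.conf"
printf 'server {\n    listen      80;\n    listen [::]:80;\n    listen      443 ssl;\n    listen [::]:443 ssl;\n}\n' > "$tmp/dual.conf"

for f in "$tmp"/v4only.conf "$tmp"/v6only.conf "$tmp"/dual.conf; do
    if lint_conf "$f"; then echo "$f: OK (dual-stack)"; else echo "$f: FAIL"; fi
done
```

Only the dual-stack file passes; the two single-family files report the missing address family for each port, which is the condition that made the http-01 challenge in this task fail.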

valerio.bozzolan set the point value for this task to 2. Oct 6 2020, 16:44