ansible-letsencrypt
RPi Buster?
Hi there, will this work on Buster? The docs on Galaxy say Jessie only.
Hi,
I have not tested it on Buster, I would say give it a whirl and see how it goes.
I'm currently working on a more robust role to handle certs but I still do actively run this role as is on a number of older hosts.
It executed 11 Tasks successfully, on the 12th it fails, here is the fail.
Does the same exact configuration work on jessie?
That almost looks like there's either a misconfiguration of things with your nginx setup, your DNS hasn't updated yet, or you have a firewall blocking connections to your server. With no other context I'm leaning towards 1 of the last 2.
Okay, let me check the suggestions minus trying on Jessie. Thank you so far!
Hi Nick, I think I am further now, still stuck at step 11, TASK [nickjj.letsencrypt : Show SSL certificate generation output], as I opened access to the server the certs must be written to, but now I am getting:

```
Parsing account key...
Parsing CSR...
Found domains: mydomain.com
Getting directory...
Directory found!
Registering account...
Registered!
Creating new order...
Order created!
Verifying gothrivecoach.com...
Traceback (most recent call last):
  File "/usr/local/bin/acme_tiny", line 201, in <module>
    main(sys.argv[1:])
  File "/usr/local/bin/acme_tiny", line 197, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/bin/acme_tiny", line 146, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /usr/share/nginx/challenges/.well-known/acme-challenge/SOREbZvMCLeFaaIXEpQHiXUZG7xfIh1uhZajBc6uRWY, but couldn't download http://mydomain.com/.well-known/acme-challenge/SOREbZvMCLeFaaIXEpQHiXUZG7xfIh1uhZajBc6uRWY: 'ascii' codec can't encode character u'\u2192' in position 3812: ordinal not in range(128)
```

See the last part: `'ascii' codec can't encode character u'\u2192' in position 3812: ordinal not in range(128)`. Here is a Stack Overflow issue & solution about the same, maybe?
UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 20: ordinal not in range(128)
Do you have any idea in which direction I should be looking?
Are you using Python 3.x or 2.x?
You might want to try updating acme-tiny script to the latest release at: https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py
You can try dropping that in as a replacement for my version and see if that fixes it. You would replace this file: https://github.com/nickjj/ansible-letsencrypt/blob/master/files/usr/local/bin/acme_tiny
Nick, Python 2.7.16, dropped the acme_tiny.py in, but still the same message. Do you have other ideas on where I can have a look? Check the output in the file below.
What domain names are you trying to get certs for? Are there any weird characters in it by mistake?
No, stock-standard .com domain name. And here is my nginx conf file:

```nginx
server {
    listen 80;
    server_name mydomain.com www.mydomain.com;
    # every plain-http request is redirected, including /.well-known/acme-challenge/
    return 301 https://mydomain.com$request_uri;
}

server {
    listen 443 ssl default_server;
    server_name mydomain.com;
    client_max_body_size 50M;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    ssl on;   # deprecated directive; "listen 443 ssl" above already enables TLS
    ssl_certificate /usr/local/acme-tiny/mydomain.com.crt;
    # no leading slash: nginx resolves this path relative to its prefix directory
    ssl_certificate_key etc/nginx/ssl/mydomain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;   # TLSv1 and TLSv1.1 are deprecated protocol versions
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_timeout 5m;
}
```
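An added example, not from the thread or the role: in the config above the port-80 server redirects every request, including the http-01 challenge path, so acme_tiny's own check of http://mydomain.com/.well-known/acme-challenge/<token> is likely bounced to https, where `location /` proxies to the app on port 2368 and the file written under /usr/share/nginx/challenges is never served. The UnicodeEncodeError is raised while Python 2 formats that underlying download error (which contains the non-ASCII U+2192 character), so it hides the real failure. The port-80 block below serves the challenge directory from the traceback before redirecting everything else; the domain and challenge path are the ones quoted in the thread, and the `try_files`/`root` layout is an assumption about this setup.

```nginx
server {
    listen 80;
    server_name mydomain.com www.mydomain.com;

    # Serve ACME http-01 challenge files from the directory acme_tiny writes to.
    # URL /.well-known/acme-challenge/<token> maps to
    # /usr/share/nginx/challenges/.well-known/acme-challenge/<token>
    # (path taken from the traceback in this thread).
    location ^~ /.well-known/acme-challenge/ {
        root /usr/share/nginx/challenges;
        default_type text/plain;
        try_files $uri =404;   # never fall through to the redirect below
    }

    # Everything else still goes to https.
    location / {
        return 301 https://mydomain.com$request_uri;
    }
}
```

Check it with `nginx -t`, then create a test file in the challenge directory and request it with `curl -i http://mydomain.com/.well-known/acme-challenge/<testfile>`; a 301 instead of a 200 means the redirect is still winning.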
Is there any chance you can try the same set up on Debian 9 that isn't on a RPi, or at least Buster on something like DigitalOcean (or any other cloud provider)?
I just pushed v0.3.2 to the Galaxy. Let me know if this changes anything on your end.
I just had some certificates fail to renew from acme-tiny blowing up, but I didn't get the same error as you. In the end, I updated this role to use the latest version of acme-tiny (as of Jan 29th 2020) and updated the tasks in this role to use --directory-url instead of --ca.
In my inventory, I also changed the URLs to reference the new directory based v2 API. The README file has both the staging and live URLs.
Once I did the above, the role ran successfully -- at least on an older Debian Jessie box. I tested it on both the staging and live URLs.
Thank you, I am on a business trip in Canada, will try again sometime.
On Wed, 29 Jan 2020 at 17:33, Nick Janetakis [email protected] wrote: