Converting to SSL Fails

  • cardigansam
    replied
    You got it. Here is a step-by-step to ensure I'm not missing something:

    Removed all docker containers.
    Code:
    <user>@EspoCRM:~$ sudo docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    Cleaned /var/www except for backups.
    Code:
    <user>@EspoCRM:~$ sudo ls /var/www/
    espocrm-backup html
    Port 80 unattached.
    Code:
    <user>@EspoCRM:~$ sudo lsof -n -i
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    dhclient 675 root 7u IPv4 29161 0t0 UDP *:bootpc
    sshd 47280 root 3u IPv4 900997 0t0 TCP *:ssh (LISTEN)
    sshd 47280 root 4u IPv6 900999 0t0 TCP *:ssh (LISTEN)
    sshd 2178904 root 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
    sshd 2178910 <user> 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
    Newest install.sh
    Code:
    <user>@EspoCRM:~$ wget https://github.com/espocrm/espocrm-installer/releases/latest/download/install.sh
    --2024-05-13 08:10:24-- https://github.com/espocrm/espocrm-installer/releases/latest/download/install.sh
    Resolving github.com (github.com)... 140.82.112.3
    Connecting to github.com (github.com)|140.82.112.3|:443... connected.
    HTTP request sent, awaiting response... 302 Found
    Location: https://github.com/espocrm/espocrm-installer/releases/download/2.4.0/install.sh [following]
    --2024-05-13 08:10:25-- https://github.com/espocrm/espocrm-installer/releases/download/2.4.0/install.sh
    Reusing existing connection to github.com:443.
    HTTP request sent, awaiting response... 302 Found
    Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/372446601/fa7b0c45-b59a-475d-976e-ce7b239b3277?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240513%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240513T131025Z&X-Amz-Expires=300&X-Amz-Signature=9edf7ee07bca996cd5e8208c0a990e64d5106db4a6e37a92214ba9a1b352c7d9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=372446601&response-content-disposition=attachment%3B%20filename%3Dinstall.sh&response-content-type=application%2Foctet-stream [following]
    --2024-05-13 08:10:25-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/372446601/fa7b0c45-b59a-475d-976e-ce7b239b3277?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240513%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240513T131025Z&X-Amz-Expires=300&X-Amz-Signature=9edf7ee07bca996cd5e8208c0a990e64d5106db4a6e37a92214ba9a1b352c7d9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=372446601&response-content-disposition=attachment%3B%20filename%3Dinstall.sh&response-content-type=application%2Foctet-stream
    Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
    Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 25543 (25K) [application/octet-stream]
    Saving to: ‘install.sh’
    
    install.sh 100%[====================================================================================>] 24.94K --.-KB/s in 0.01s
    
    2024-05-13 08:10:26 (2.14 MB/s) - ‘install.sh’ saved [25543/25543]

    Install the instance via script:
    Code:
    <user>@EspoCRM:~$ sudo bash install.sh --ssl --letsencrypt --domain=material.<domain>.com --email=<user>@<domain>.com
    This script will install EspoCRM with all the needed prerequisites (including Docker, Nginx, PHP, MariaDB).
    Do you want to continue the installation? [y/n] y
    
    Summary information:
    Domain: material.<domain>.com
    Mode: Let's Encrypt certificate
    Email for the Let's Encrypt certificate: <user>@<domain>.com
    
    Do you want to continue? [y/n] y
    Hit:1 https://download.docker.com/linux/debian bookworm InRelease
    Hit:2 http://deb.debian.org/debian bookworm InRelease
    Get:3 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
    Get:4 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
    Get:5 http://security.debian.org/debian-security bookworm-security/main Sources [95.9 kB]
    Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [156 kB]
    Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [92.9 kB]
    Fetched 448 kB in 5s (84.2 kB/s)
    Reading package lists... Done
    08b363f55773b5216a6cf0452eadafdd47985042cf27101cad79789bb9019b46
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Account registered.
    Requesting a certificate for material.<domain>.com
    
    Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
    Domain: material.<domain>.com
    Type: unauthorized
    Detail: During secondary validation: 69.55.45.147: Invalid response from http://material.<domain>.com/.well-known/acme-challenge/s2qBpf19nqc8kyBi1-9LlkYz8pxpzW62yI3m00ZBbhU: 403
    
    Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
    
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    HTTP is now bound to a docker container.
    Code:
    <user>@EspoCRM:~$ sudo lsof -n -i
    COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
    dhclient 675 root 7u IPv4 29161 0t0 UDP *:bootpc
    sshd 47280 root 3u IPv4 900997 0t0 TCP *:ssh (LISTEN)
    sshd 47280 root 4u IPv6 900999 0t0 TCP *:ssh (LISTEN)
    sshd 2178904 root 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
    sshd 2178910 <user> 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
    docker-pr 2180077 root 4u IPv4 40569157 0t0 TCP *:http (LISTEN)
    docker-pr 2180084 root 4u IPv6 40560404 0t0 TCP *:http (LISTEN)
    Only the nginx temp container is running.
    Code:
    <user>@EspoCRM:~$ sudo docker ps
    CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
    08b363f55773 nginx "/docker-entrypoint.…" 3 minutes ago Up 3 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp espocrm-nginx-tmp
    It is running on port 80, as if I access the domain from a web browser, I get a 404 Not Found (nginx/1.25.5). (Attempting to access the generated credential file also gets me a 404 Not Found, nginx/1.25.5.)
    Last edited by cardigansam; 05-13-2024, 01:36 PM.
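    The failure above is the CA fetching http://material.<domain>.com/.well-known/acme-challenge/<token> and getting a 403 from the temporary nginx container. The following shell script is an added example for this thread, not part of the EspoCRM installer: it checks that port 80 is free before the installer is run, and then reproduces the CA's fetch against a running web server so the 403/404 can be diagnosed locally before Certbot is invoked. The webroot path and domain are operator-supplied assumptions (the installer's actual --webroot-path is not shown in the thread), and the token and body are constructed by the script.

```shell
#!/bin/sh
# Pre-flight check for a Let's Encrypt HTTP-01 (webroot) challenge.
# Added example, not the EspoCRM installer's code. Assumptions: the web
# server on port 80 is expected to serve files from WEBROOT, and DOMAIN
# resolves to this host from the internet.

# Exit 0 if a TCP socket is in LISTEN state (st == 0A) on port $1, reading
# /proc/net/tcp and /proc/net/tcp6 directly so no lsof or ss is needed (Linux).
port_in_use() {
    hex=$(printf '%04X' "$1")
    awk -v p=":$hex" '$2 ~ (p "$") && $4 == "0A" { found = 1 } END { exit !found }' \
        /proc/net/tcp /proc/net/tcp6 2>/dev/null
}

# The URL the CA fetches for DOMAIN and TOKEN.
challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s' "$1" "$2"
}

# Map an HTTP status plus whether the body matched to the likely cause.
# Status 000 is what curl -w '%{http_code}' reports when it could not connect.
diagnose() {
    status=$1; matched=$2
    case "$status" in
        000) echo "no answer from the server: nothing listening on the port or a firewall in the way" ;;
        200) if [ "$matched" = yes ]; then
                 echo "ok: challenge file served correctly"
             else
                 echo "200 with wrong body: another server or vhost answers for this name"
             fi ;;
        403) echo "403: the server refuses the challenge path; it is not serving the webroot certbot writes to" ;;
        404) echo "404: challenge path unknown; the webroot behind port 80 differs from --webroot-path" ;;
        *)   echo "unexpected status $status" ;;
    esac
}

# Write a throw-away token under WEBROOT, fetch it the way the CA would,
# clean up, and print the diagnosis. Run this while the web server is up.
# Usage: probe_challenge /path/to/webroot material.example.com
probe_challenge() {
    webroot=$1; domain=$2
    token=$(head -c 18 /dev/urandom | base64 | tr '/+' '_-' | tr -d '=\n')
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir"
    printf 'selfcheck-%s' "$token" > "$dir/$token"
    body=$(mktemp)
    status=$(curl -s --max-time 10 -o "$body" -w '%{http_code}' \
        "$(challenge_url "$domain" "$token")" 2>/dev/null) || true
    matched=no
    [ "$(cat "$body")" = "selfcheck-$token" ] && matched=yes
    rm -f "$body" "$dir/$token"
    diagnose "${status:-000}" "$matched"
}

# Before running install.sh: refuse to continue if port 80 is already bound
# (in this thread, a leftover espocrm-nginx-tmp container holds it).
preflight_port80() {
    if port_in_use 80; then
        echo "port 80 is already bound; stop whatever holds it (e.g. a leftover container) before installing"
        return 1
    fi
    echo "port 80 is free"
}
```

    Run preflight_port80 before the installer, and probe_challenge against the webroot the installer passes to Certbot while its nginx is listening; a 403 or 404 from the probe means the container on port 80 is not serving that directory, which is exactly what Certbot's hint about --webroot-path is pointing at.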
  • lazovic
    replied
    Hi cardigansam,

    Please make sure that you have open and free port 80 during the installation. This is required to initialize the certbot. In any case, try the following:
    1. Stop all Docker containers related to EspoCRM and remove them, also delete files related to EspoCRM. If your server only hosts EspoCRM (installed by script), you can use the following commands to stop and remove all Docker containers from the system:
      Code:
      docker stop $(docker ps -a -q)
      docker rm $(docker ps -a -q)
    2. Free port 80 and open it in case it is closed.
    3. Install EspoCRM again using the script.
    Please let me know the result.
  • cardigansam
    replied
    I apologize for missing on this for so long. I'm still struggling with this issue.

    I have tried clean installation of espo, clean install all the way down to reloading debian, and just converting. I tried to convert to lets-encrypt again after updating the install script a few moments ago and the output is (user and domain changed for anonymity, the http version of the site is accessible from the open internet):

    Code:
    <user>@EspoCRM:~$ sudo bash install.sh --ssl --letsencrypt --domain=material.<domain>.com --email=<user>@<domain>.com
    This script will install EspoCRM with all the needed prerequisites (including Docker, Nginx, PHP, MariaDB).
    Do you want to continue the installation? [y/n] y
    
    The installed EspoCRM instance is found.
    
    Summary information:
      Domain: material.<domain>.com
      Mode: Let's Encrypt certificate
      Email for the Let's Encrypt certificate: <user>@<domain>.com
    
    Do you want to continue? [y/n] y
    
    Starting the reinstallation process...
    Creating a backup...
    Backup is created: /home/<user>/espocrm-backup/2024-05-10_120021
    
    [+] Running 6/6
     ✔ Container espocrm-daemon         Removed                                                                                                    10.3s
     ✔ Container espocrm-nginx          Removed                                                                                                     0.9s
     ✔ Container espocrm-websocket      Removed                                                                                                    10.3s
     ✔ Container espocrm                Removed                                                                                                     0.3s
     ✔ Container espocrm-db             Removed                                                                                                     0.5s
     ✔ Network espocrm_espocrm-network  Removed                                                                                                     0.4s
    Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
    Hit:2 http://deb.debian.org/debian bookworm InRelease
    Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
    Hit:4 https://download.docker.com/linux/debian bookworm InRelease
    Reading package lists... Done
    e49d2a97c737b3d5d9a6fc6771dd626cff88fef2f9eaf1aac679232d9d7794b3
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Account registered.
    Requesting a certificate for material.<domain>.com
    
    Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
      Domain: material.<domain>.com
      Type:   unauthorized
      Detail: During secondary validation: 69.55.45.147: Invalid response from http://material.<domain>.com/.well-known/acme-challenge/fmSjZu8T14K7dU4OH4xU5kzdQXsVV4nXLrRNt9TfUAk: 403
    
    Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
    
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
    
    <user>@EspoCRM:~$ sudo /var/www/espocrm/command.sh cert-generate
    341fc1b19c556bfab7adf73641f7ce336e049ebb3ade6c9b6bdd8d0ecabf83d9
    docker: Error response from daemon: driver failed programming external connectivity on endpoint espocrm-nginx (a1b6d46c8eac9bf0c9fcf045c0a760aba3c7624d182abc1f5a809282eeb000f1): Bind for 0.0.0.0:80 failed: port is already allocated.
    
    <user>@EspoCRM:~$ sudo /var/www/espocrm/command.sh stop
    
    <user>@EspoCRM:~$ sudo docker container ls
    CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                               NAMES
    e49d2a97c737   nginx     "/docker-entrypoint.…"   3 minutes ago   Up 3 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   espocrm-nginx-tmp
    You can see the script terminates and leaves the nginx-tmp container running, which has to be killed.

    The letsencrypt log doesn't note an issue:
    Code:
    2024-05-10 00:19:48,724:DEBUG:certbot._internal.main:certbot version: 2.1.0
    2024-05-10 00:19:48,725:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
    2024-05-10 00:19:48,725:DEBUG:certbot._internal.main:Arguments: ['-q', '--no-random-sleep-on-renew']
    2024-05-10 00:19:48,725:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2024-05-10 00:19:48,729:DEBUG:certbot._internal.log:Root logging level set at 40
    2024-05-10 00:19:48,729:DEBUG:certbot._internal.display.obj:Notifying user:
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2024-05-10 00:19:48,729:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
    2024-05-10 00:19:48,730:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2024-05-10 00:19:48,730:DEBUG:certbot._internal.renewal:no renewal failures
    Last edited by cardigansam; 05-10-2024, 05:28 PM.
  • lazovic
    replied
    Hi cardigansam,

    Unfortunately, I can't reproduce this issue. Please tell me, are you running the installation script on a clean server? Do any errors occur in the instance, does it even start? I would be grateful for more details.
  • cardigansam
    started a topic Converting to SSL Fails

    Converting to SSL Fails

    When I set up a clean ESPOCRM instance, it runs fine in HTTP (install.sh) mode using the install script. When I try to convert to SSL, either letsencrypt (install.sh --ssl --letsencrypt) fails to verify the files on the domain, or when using my own generated keys (install.sh --ssl --owncertificate), it runs until I stop the nginx server and replace the keys and restart with them in place. It's not even listening for TLS connections.

    I'm not sure what I'm missing.

    Run "clean":
    Code:
    sudo lsof -n -i
    COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
    dhclient     675     root    7u  IPv4   29161      0t0  UDP *:bootpc
    sshd       47280     root    3u  IPv4  900997      0t0  TCP *:ssh (LISTEN)
    sshd       47280     root    4u  IPv6  900999      0t0  TCP *:ssh (LISTEN)
    sshd      391205     root    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    sshd      391211     user    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    docker-pr 443267     root    4u  IPv4 7909958      0t0  TCP *:http-alt (LISTEN)
    docker-pr 443273     root    4u  IPv6 7908300      0t0  TCP *:http-alt (LISTEN)
    docker-pr 443601     root    4u  IPv4 7917672      0t0  TCP *:http (LISTEN)
    docker-pr 443606     root    4u  IPv6 7916730      0t0  TCP *:http (LISTEN)

    First run after converting to SSL:
    Code:
    COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
    dhclient     675     root    7u  IPv4   29161      0t0  UDP *:bootpc
    sshd       47280     root    3u  IPv4  900997      0t0  TCP *:ssh (LISTEN)
    sshd       47280     root    4u  IPv6  900999      0t0  TCP *:ssh (LISTEN)
    sshd      391205     root    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    sshd      391211     user    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    docker-pr 445134     root    4u  IPv4 7922474      0t0  TCP *:http-alt (LISTEN)
    docker-pr 445143     root    4u  IPv6 7920273      0t0  TCP *:http-alt (LISTEN)
    docker-pr 445638     root    4u  IPv4 7917429      0t0  TCP *:https (LISTEN)
    docker-pr 445645     root    4u  IPv6 7918785      0t0  TCP *:https (LISTEN)
    docker-pr 445660     root    4u  IPv4 7908940      0t0  TCP *:http (LISTEN)
    docker-pr 445668     root    4u  IPv6 7922526      0t0  TCP *:http (LISTEN)
    After restarting with new ssl keys in place:
    Code:
    COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
    dhclient     675     root    7u  IPv4   29161      0t0  UDP *:bootpc
    sshd       47280     root    3u  IPv4  900997      0t0  TCP *:ssh (LISTEN)
    sshd       47280     root    4u  IPv6  900999      0t0  TCP *:ssh (LISTEN)
    sshd      391205     root    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    sshd      391211     user    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    docker-pr 446504     root    4u  IPv4 7928879      0t0  TCP *:http-alt (LISTEN)
    docker-pr 446510     root    4u  IPv6 7925035      0t0  TCP *:http-alt (LISTEN)