Converting to SSL Fails

  • cardigansam
    Junior Member
    • Oct 2022
    • 5

    Converting to SSL Fails

    When I set up a clean ESPOCRM instance, it runs fine in HTTP (install.sh) mode using the install script. When I try to convert to SSL, either letsencrypt (install.sh --ssl --letsencrypt) fails to verify the files on the domain or, when using my own generated keys (install.sh --ssl --owncertificate), it runs until I stop the nginx server and replace the keys and restart with them in place. It's not even listening for TLS connections.

    I'm not sure what I'm missing.

    Run "clean":
    Code:
    sudo lsof -n -i
    COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
    dhclient     675     root    7u  IPv4   29161      0t0  UDP *:bootpc
    sshd       47280     root    3u  IPv4  900997      0t0  TCP *:ssh (LISTEN)
    sshd       47280     root    4u  IPv6  900999      0t0  TCP *:ssh (LISTEN)
    sshd      391205     root    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    sshd      391211     user    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    docker-pr 443267     root    4u  IPv4 7909958      0t0  TCP *:http-alt (LISTEN)
    docker-pr 443273     root    4u  IPv6 7908300      0t0  TCP *:http-alt (LISTEN)
    docker-pr 443601     root    4u  IPv4 7917672      0t0  TCP *:http (LISTEN)
    docker-pr 443606     root    4u  IPv6 7916730      0t0  TCP *:http (LISTEN)


    First run after converting to SSL:
    Code:
    COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
    dhclient     675     root    7u  IPv4   29161      0t0  UDP *:bootpc
    sshd       47280     root    3u  IPv4  900997      0t0  TCP *:ssh (LISTEN)
    sshd       47280     root    4u  IPv6  900999      0t0  TCP *:ssh (LISTEN)
    sshd      391205     root    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    sshd      391211     user    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    docker-pr 445134     root    4u  IPv4 7922474      0t0  TCP *:http-alt (LISTEN)
    docker-pr 445143     root    4u  IPv6 7920273      0t0  TCP *:http-alt (LISTEN)
    docker-pr 445638     root    4u  IPv4 7917429      0t0  TCP *:https (LISTEN)
    docker-pr 445645     root    4u  IPv6 7918785      0t0  TCP *:https (LISTEN)
    docker-pr 445660     root    4u  IPv4 7908940      0t0  TCP *:http (LISTEN)
    docker-pr 445668     root    4u  IPv6 7922526      0t0  TCP *:http (LISTEN)
    After restarting with new ssl keys in place:
    Code:
    COMMAND      PID     USER   FD   TYPE  DEVICE SIZE/OFF NODE NAME
    dhclient     675     root    7u  IPv4   29161      0t0  UDP *:bootpc
    sshd       47280     root    3u  IPv4  900997      0t0  TCP *:ssh (LISTEN)
    sshd       47280     root    4u  IPv6  900999      0t0  TCP *:ssh (LISTEN)
    sshd      391205     root    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    sshd      391211     user    4u  IPv4 7654111      0t0  TCP 192.168.22.213:ssh->192.168.22.168:56015 (ESTABLISHED)
    docker-pr 446504     root    4u  IPv4 7928879      0t0  TCP *:http-alt (LISTEN)
    docker-pr 446510     root    4u  IPv6 7925035      0t0  TCP *:http-alt (LISTEN)
  • lazovic
    Super Moderator
    • Jan 2022
    • 810

    #2
    Hi cardigansam,

    Unfortunately, I can't reproduce this issue. Please tell me, are you running the installation script on a clean server? Do any errors occur in the instance, does it even start? I would be grateful for more details.


    • cardigansam
      Junior Member
      • Oct 2022
      • 5

      #3
      I apologize for missing on this for so long. I'm still struggling with this issue.

      I have tried a clean installation of Espo, a clean install all the way down to reloading Debian, and just converting. I tried to convert to Let's Encrypt again after updating the install script a few moments ago and the output is (user and domain changed for anonymity; the HTTP version of the site is accessible from the open internet):

      Code:
      <user>@EspoCRM:~$ sudo bash install.sh --ssl --letsencrypt --domain=material.<domain>.com --email=<user>@<domain>.com
      This script will install EspoCRM with all the needed prerequisites (including Docker, Nginx, PHP, MariaDB).
      Do you want to continue the installation? [y/n] y
      
      The installed EspoCRM instance is found.
      
      Summary information:
        Domain: material.<domain>.com
        Mode: Let's Encrypt certificate
        Email for the Let's Encrypt certificate: <user>@<domain>.com
      
      Do you want to continue? [y/n] y
      
      Starting the reinstallation process...
      Creating a backup...
      Backup is created: /home/<user>/espocrm-backup/2024-05-10_120021
      
      [+] Running 6/6
       ✔ Container espocrm-daemon         Removed                                                                                                    10.3s
       ✔ Container espocrm-nginx          Removed                                                                                                     0.9s
       ✔ Container espocrm-websocket      Removed                                                                                                    10.3s
       ✔ Container espocrm                Removed                                                                                                     0.3s
       ✔ Container espocrm-db             Removed                                                                                                     0.5s
       ✔ Network espocrm_espocrm-network  Removed                                                                                                     0.4s
      Hit:1 http://security.debian.org/debian-security bookworm-security InRelease
      Hit:2 http://deb.debian.org/debian bookworm InRelease
      Hit:3 http://deb.debian.org/debian bookworm-updates InRelease
      Hit:4 https://download.docker.com/linux/debian bookworm InRelease
      Reading package lists... Done
      e49d2a97c737b3d5d9a6fc6771dd626cff88fef2f9eaf1aac679232d9d7794b3
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Account registered.
      Requesting a certificate for material.<domain>.com
      
      Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
        Domain: material.<domain>.com
        Type:   unauthorized
        Detail: During secondary validation: 69.55.45.147: Invalid response from http://material.<domain>.com/.well-known/acme-challenge/fmSjZu8T14K7dU4OH4xU5kzdQXsVV4nXLrRNt9TfUAk: 403
      
      Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
      
      Some challenges have failed.
      Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
      
      <user>@EspoCRM:~$ sudo /var/www/espocrm/command.sh cert-generate
      341fc1b19c556bfab7adf73641f7ce336e049ebb3ade6c9b6bdd8d0ecabf83d9
      docker: Error response from daemon: driver failed programming external connectivity on endpoint espocrm-nginx (a1b6d46c8eac9bf0c9fcf045c0a760aba3c7624d182abc1f5a809282eeb000f1): Bind for 0.0.0.0:80 failed: port is already allocated.
      
      <user>@EspoCRM:~$ sudo /var/www/espocrm/command.sh stop
      
      <user>@EspoCRM:~$ sudo docker container ls
      CONTAINER ID   IMAGE     COMMAND                  CREATED         STATUS         PORTS                               NAMES
      e49d2a97c737   nginx     "/docker-entrypoint.…"   3 minutes ago   Up 3 minutes   0.0.0.0:80->80/tcp, :::80->80/tcp   espocrm-nginx-tmp
      You can see that the script terminates and leaves the nginx-tmp container running, which has to be killed.

      The Let's Encrypt log doesn't note an issue:
      Code:
      2024-05-10 00:19:48,724:DEBUG:certbot._internal.main:certbot version: 2.1.0
      2024-05-10 00:19:48,725:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
      2024-05-10 00:19:48,725:DEBUG:certbot._internal.main:Arguments: ['-q', '--no-random-sleep-on-renew']
      2024-05-10 00:19:48,725:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
      2024-05-10 00:19:48,729:DEBUG:certbot._internal.log:Root logging level set at 40
      2024-05-10 00:19:48,729:DEBUG:certbot._internal.display.obj:Notifying user:
      - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      2024-05-10 00:19:48,729:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
      2024-05-10 00:19:48,730:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
      2024-05-10 00:19:48,730:DEBUG:certbot._internal.renewal:no renewal failures
      Last edited by cardigansam; 05-10-2024, 05:28 PM.


      • lazovic
        Super Moderator
        • Jan 2022
        • 810

        #4
        Hi cardigansam,

        Please make sure that you have open and free port 80 during the installation. This is required to initialize the certbot. In any case, try the following:
        1. Stop all Docker containers related to EspoCRM and remove them, and also delete the files related to EspoCRM. If your server only hosts EspoCRM (installed by the script), you can use the following commands to stop and remove all Docker containers from the system:
          Code:
          	docker stop $(docker ps -a -q)
          	docker rm $(docker ps -a -q)
        2. Free port 80 and open it in case it is closed.
        3. Install EspoCRM again using the script.
        Please let me know the result.


        • cardigansam
          Junior Member
          • Oct 2022
          • 5

          #5
          You got it. Here is a step-by-step to ensure I'm not missing something:

          Removed all docker containers.
          Code:
          <user>@EspoCRM:~$ sudo docker ps
          CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
          Cleaned /var/www except for backups.
          Code:
          <user>@EspoCRM:~$ sudo ls /var/www/
          espocrm-backup html
          Port 80 unattached.
          Code:
          <user>@EspoCRM:~$ sudo lsof -n -i
          COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
          dhclient 675 root 7u IPv4 29161 0t0 UDP *:bootpc
          sshd 47280 root 3u IPv4 900997 0t0 TCP *:ssh (LISTEN)
          sshd 47280 root 4u IPv6 900999 0t0 TCP *:ssh (LISTEN)
          sshd 2178904 root 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
          sshd 2178910 <user> 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
          Newest install.sh
          Code:
          <user>@EspoCRM:~$ wget https://github.com/espocrm/espocrm-installer/releases/latest/download/install.sh
          --2024-05-13 08:10:24-- https://github.com/espocrm/espocrm-installer/releases/latest/download/install.sh
          Resolving github.com (github.com)... 140.82.112.3
          Connecting to github.com (github.com)|140.82.112.3|:443... connected.
          HTTP request sent, awaiting response... 302 Found
          Location: https://github.com/espocrm/espocrm-installer/releases/download/2.4.0/install.sh [following]
          --2024-05-13 08:10:25-- https://github.com/espocrm/espocrm-installer/releases/download/2.4.0/install.sh
          Reusing existing connection to github.com:443.
          HTTP request sent, awaiting response... 302 Found
          Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/372446601/fa7b0c45-b59a-475d-976e-ce7b239b3277?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240513%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240513T131025Z&X-Amz-Expires=300&X-Amz-Signature=9edf7ee07bca996cd5e8208c0a990e64d5106db4a6e37a92214ba9a1b352c7d9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=372446601&response-content-disposition=attachment%3B%20filename%3Dinstall.sh&response-content-type=application%2Foctet-stream [following]
          --2024-05-13 08:10:25-- https://objects.githubusercontent.com/github-production-release-asset-2e65be/372446601/fa7b0c45-b59a-475d-976e-ce7b239b3277?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAVCODYLSA53PQK4ZA%2F20240513%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240513T131025Z&X-Amz-Expires=300&X-Amz-Signature=9edf7ee07bca996cd5e8208c0a990e64d5106db4a6e37a92214ba9a1b352c7d9&X-Amz-SignedHeaders=host&actor_id=0&key_id=0&repo_id=372446601&response-content-disposition=attachment%3B%20filename%3Dinstall.sh&response-content-type=application%2Foctet-stream
          Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.109.133, 185.199.110.133, 185.199.111.133, ...
          Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.109.133|:443... connected.
          HTTP request sent, awaiting response... 200 OK
          Length: 25543 (25K) [application/octet-stream]
          Saving to: ‘install.sh’
          
          install.sh 100%[====================================================================================>] 24.94K --.-KB/s in 0.01s
          
          2024-05-13 08:10:26 (2.14 MB/s) - ‘install.sh’ saved [25543/25543]



          Install the instance via script:
          Code:
          <user>@EspoCRM:~$ sudo bash install.sh --ssl --letsencrypt --domain=material.<domain>.com --email=<user>@<domain>.com
          This script will install EspoCRM with all the needed prerequisites (including Docker, Nginx, PHP, MariaDB).
          Do you want to continue the installation? [y/n] y
          
          Summary information:
          Domain: material.<domain>.com
          Mode: Let's Encrypt certificate
          Email for the Let's Encrypt certificate: <user>@<domain>.com
          
          Do you want to continue? [y/n] y
          Hit:1 https://download.docker.com/linux/debian bookworm InRelease
          Hit:2 http://deb.debian.org/debian bookworm InRelease
          Get:3 http://security.debian.org/debian-security bookworm-security InRelease [48.0 kB]
          Get:4 http://deb.debian.org/debian bookworm-updates InRelease [55.4 kB]
          Get:5 http://security.debian.org/debian-security bookworm-security/main Sources [95.9 kB]
          Get:6 http://security.debian.org/debian-security bookworm-security/main amd64 Packages [156 kB]
          Get:7 http://security.debian.org/debian-security bookworm-security/main Translation-en [92.9 kB]
          Fetched 448 kB in 5s (84.2 kB/s)
          Reading package lists... Done
          08b363f55773b5216a6cf0452eadafdd47985042cf27101cad79789bb9019b46
          Saving debug log to /var/log/letsencrypt/letsencrypt.log
          Account registered.
          Requesting a certificate for material.<domain>.com
          
          Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
          Domain: material.<domain>.com
          Type: unauthorized
          Detail: During secondary validation: 69.55.45.147: Invalid response from http://material.<domain>.com/.well-known/acme-challenge/s2qBpf19nqc8kyBi1-9LlkYz8pxpzW62yI3m00ZBbhU: 403
          
          Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
          
          Some challenges have failed.
          Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.


          HTTP is now bound to a docker container.
          Code:
          <user>@EspoCRM:~$ sudo lsof -n -i
          COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
          dhclient 675 root 7u IPv4 29161 0t0 UDP *:bootpc
          sshd 47280 root 3u IPv4 900997 0t0 TCP *:ssh (LISTEN)
          sshd 47280 root 4u IPv6 900999 0t0 TCP *:ssh (LISTEN)
          sshd 2178904 root 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
          sshd 2178910 <user> 4u IPv4 40572299 0t0 TCP 192.168.22.213:ssh->192.168.22.168:60003 (ESTABLISHED)
          docker-pr 2180077 root 4u IPv4 40569157 0t0 TCP *:http (LISTEN)
          docker-pr 2180084 root 4u IPv6 40560404 0t0 TCP *:http (LISTEN)
          Only the nginx temp container is running.
          Code:
          <user>@EspoCRM:~$ sudo docker ps
          CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
          08b363f55773 nginx "/docker-entrypoint.…" 3 minutes ago Up 3 minutes 0.0.0.0:80->80/tcp, :::80->80/tcp espocrm-nginx-tmp
          It is running on port 80: if I access the domain from a web browser, I get a 404 Not Found from nginx/1.25.5. (Attempting to access the generated credential file also gets me 404 Not Found from nginx/1.25.5.)
          Last edited by cardigansam; 05-13-2024, 01:36 PM.

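A pre-flight check for the HTTP-01 webroot validation, as an added example that is not part of the thread or of the EspoCRM installer. It reproduces the two things lazovic asks for in #4 (nothing on the host bound to port 80, no leftover container such as espocrm-nginx-tmp publishing it) and the fetch the CA performed in #5: a probe file is written where `certbot --webroot` would write its token and then requested through the public name, so a 403 or 404 shows up locally before certbot is run. The webroot default `/var/www/espocrm/public` is an assumption (the path the installer's temporary nginx actually serves is not stated in the thread), and `ss`, `docker` and `curl` are assumed to be present on the host.

```shell
#!/usr/bin/env bash
# Pre-flight check for certbot's HTTP-01 webroot validation.
# Added example for this thread, not part of the EspoCRM installer.
# Assumptions (hypothetical): the temporary nginx serves /.well-known/acme-challenge/
# from WEBROOT on port 80, and ss, docker and curl are installed on the host.
set -u

# Print host processes listening on TCP port 80 (input: `ss -ltnH` on stdin).
# Anything printed here must be gone before the installer starts its nginx.
port80_listeners() {
  awk '$4 ~ /:80$/ { print $4 }'
}

# Print containers that publish host port 80
# (input: `docker ps --format '{{.Names}}\t{{.Ports}}'` on stdin).
# A leftover espocrm-nginx-tmp from a failed run shows up here and causes
# "Bind for 0.0.0.0:80 failed: port is already allocated" on the next attempt.
containers_on_port80() {
  awk -F'\t' '$2 ~ /:80->/ { print $1 }'
}

# Create a probe file where certbot --webroot would create its challenge file.
# Prints the on-disk path so the caller can remove it afterwards.
write_probe() {
  local dir="$1/.well-known/acme-challenge"
  mkdir -p "$dir"
  printf '%s' "$2" > "$dir/$2"
  printf '%s\n' "$dir/$2"
}

# Map the HTTP status of the probe fetch to its usual cause.
classify_challenge_status() {
  case "$1" in
    200) echo "ok: the CA can fetch a token the same way" ;;
    403) echo "forbidden: a server answers on :80 but refuses the challenge directory (wrong root, or nginx cannot read it)" ;;
    404) echo "not-found: nginx answers on :80 but does not serve .well-known/acme-challenge from WEBROOT" ;;
    000) echo "unreachable: nothing answered on port 80 at that name (DNS, firewall or NAT)" ;;
    *)   echo "unexpected: HTTP $1" ;;
  esac
}

# Run all checks against a public name. The fetch goes through the public DNS
# name, not 127.0.0.1, because the CA validates from outside (the certbot output
# in this thread names the validating address under "secondary validation").
preflight() {
  local domain="$1" webroot="${2:-/var/www/espocrm/public}"   # webroot is an assumption
  echo "== host listeners on :80"
  ss -ltnH | port80_listeners
  echo "== containers publishing :80"
  docker ps --format '{{.Names}}\t{{.Ports}}' | containers_on_port80
  local token path url status
  token="probe-$(date +%s)"
  path=$(write_probe "$webroot" "$token")
  url="http://$domain/.well-known/acme-challenge/$token"
  status=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$url" || true)
  status=${status:-000}
  echo "GET $url -> $status"
  classify_challenge_status "$status"
  rm -f "$path"
}

# usage: sh preflight.sh material.example.com [/path/to/webroot]
[ "$#" -eq 0 ] || preflight "$@"
```

The webroot argument must be the directory the nginx container serves for `/.well-known/acme-challenge/`; with the installer, that means reading the nginx config it generates rather than trusting the default above. A 200 here is necessary but not sufficient, since Let's Encrypt fetches the token from several vantage points, so a firewall or NAT rule that admits your own source address but not arbitrary Internet sources will still fail the challenge.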