unable to authorize letsencrypt

Adrian Tritschler

Feb 26, 2018, 5:45:49 PM
to Camlistore
I've been running a reasonably up-to-date camlistore on my home ubuntu box for a few years, periodically breaking and fixing it as bugs come and go.  I'd been running it on port 443, via dynamic dns registered to $HOMEPC.dyndns.org

A few weeks ago the current version stopped working for me and I've not been able to get it going again.

2018/02/27 09:35:26 Starting camlistored version 2018-02-26-1c69fb09da; Go go1.10 (linux/amd64)
2018/02/27 09:35:26 TLS enabled, with Let's Encrypt for $HOMEPC.dyndns.org
2018/02/27 09:35:26 Starting to listen on https://localhost:443
2018/02/27 09:35:27 Starting index integrity check.
2018/02/27 09:35:27 Index integrity check done.
  :
2018/02/27 09:35:27 ui: serving Closure from embedded resources
2018/02/27 09:35:27 Available on https://$HOMEPC.dyndns.org:443/ui/

When I try to access it from a browser, the browser reports "Try running Network Diagnostics. ERR_SSL_PROTOCOL_ERROR"

While camlistored reports:

2018/02/27 09:36:12 http: TLS handshake error from XX.XX.XX.XX:61361: acme/autocert: unable to authorize "$HOMEPC.dyndns.org"; tried ["tls-sni-02" "tls-sni-01" "http-01"]

Any suggestions?
  Adrian

(Values of $HOMEPC available on request)

Mathieu Lonjaret

Feb 26, 2018, 5:54:38 PM
to camli...@googlegroups.com
Let's Encrypt now uses the http-01 challenge, so camlistored (for now) has to listen on port 80 too for Let's Encrypt to work. Since you're not getting any error message about that, I suppose this part at least is working. But are packets to port 80 getting to your camlistored instance? Do you have a frontend or a router where you need to open that maybe?



--
You received this message because you are subscribed to the Google Groups "Camlistore" group.
To unsubscribe from this group and stop receiving emails from it, send an email to camlistore+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Adrian Tritschler

Feb 26, 2018, 6:04:07 PM
to Camlistore


On Tuesday, 27 February 2018 09:54:38 UTC+11, mpl wrote:
Let's Encrypt now uses the http-01 challenge, so camlistored (for now) has to listen on port 80 too for Let's Encrypt to work. Since you're not getting any error message about that, I suppose this part at least is working. But are packets to port 80 getting to your camlistored instance? Do you have a frontend or a router where you need to open that maybe?

That sounds like it, it's behind an ADSL NAT home router and has only been set up to route 443 to the ubuntu box. I think 80 is black-holed, I'll check it out when I get home and can access the router. Do I have to update the "listen" entry in server-config.json as well? Currently it says:

    "listen": ":443",

  Adrian
 

Mathieu Lonjaret

Feb 26, 2018, 6:07:57 PM
to camli...@googlegroups.com
Nope, the "listen" one is still about your Perkeep instance per se. The port 80 is specifically for the Let's Encrypt challenge, and it's hard-coded for now:
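
Added example, not part of the thread and not Perkeep or camlistored code: a Go program that parses the autocert error line quoted in the first post and reports which inbound ports still need forwarding through the NAT router. The function names are hypothetical, the challenge-to-port table comes from the ACME challenge definitions rather than from the thread, and the offered-challenge list assumes, as the reply states, that Let's Encrypt now uses http-01.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// sampleLine is the camlistored log line quoted in the thread.
const sampleLine = `2018/02/27 09:36:12 http: TLS handshake error from XX.XX.XX.XX:61361: acme/autocert: unable to authorize "$HOMEPC.dyndns.org"; tried ["tls-sni-02" "tls-sni-01" "http-01"]`

// challengePort: port the CA connects to per challenge type (ACME definitions, not the thread).
var challengePort = map[string]int{"tls-sni-01": 443, "tls-sni-02": 443, "http-01": 80}
var authzErr = regexp.MustCompile(`acme/autocert: unable to authorize "([^"]+)"; tried \[([^\]]*)\]`)

// ParseAuthzFailure returns the host and the set of challenges autocert tried.
func ParseAuthzFailure(line string) (host string, tried map[string]bool, ok bool) {
	m := authzErr.FindStringSubmatch(line)
	if m == nil {
		return "", nil, false
	}
	tried = map[string]bool{}
	for _, c := range strings.Fields(m[2]) {
		tried[strings.Trim(c, `"`)] = true
	}
	return m[1], tried, true
}

// MissingPorts lists ports needed by challenges that were tried and are still offered by the CA, but are not forwarded.
func MissingPorts(tried map[string]bool, offered []string, forwarded map[int]bool) []int {
	need := map[int]bool{}
	for _, c := range offered {
		if p, known := challengePort[c]; known && tried[c] && !forwarded[p] {
			need[p] = true
		}
	}
	out := []int{}
	for p := range need {
		out = append(out, p)
	}
	sort.Ints(out)
	return out
}

func main() {
	host, tried, _ := ParseAuthzFailure(sampleLine)
	fmt.Println(host, "still needs inbound ports:", MissingPorts(tried, []string{"http-01"}, map[int]bool{443: true}))
}
```

With only 443 forwarded, as described in the thread, the result is port 80; once 80 is forwarded as well the list is empty.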

