Let's Encrypt STILL not working?

Posted: Fri May 03, 2019 9:24 pm
by viraladmin
Since the day 24 was released, Let's Encrypt has been failing. I have checked nearly every post on this forum about the topic.

On this post viewtopic.php?t=18593 users were asked to hand over root access of the server to get it fixed.

On this post viewtopic.php?f=11&t=18597 users are explaining that reinstalling may fix for some, but not for everyone - one person even expressing the problem on fresh installs.

On this post viewtopic.php?t=18347 we can see imperio said it was understood a fix is needed immediately and that it cannot wait until a Sept. release.

Reports have been made from people using CentOS, Ubuntu 14.04 and Ubuntu 16.04. Reports have been made that it affects setting up Let's Encrypt on new domains as well as on renewal of old domains.

Here we are 3 months after imperio said he understood a fix was needed immediately - still with no fix.

I have tried reinstalling - doesn't solve anything.
I have tried using command line - same errors.
I have tried using web interface - same errors.
I have applied the fix changing $rdomain to $domain variable.

The errors I see are always either "Error: Let's Encrypt new auth status 400" or "Error: Let's Encrypt validation status".

I get that things are free and we get what we pay for... but at the same time, as one by one sites start failing without the ability to use Let's Encrypt, what are we supposed to do? One would think if a full release can come out in Sept. that equally a bug fix could come out in a LOT shorter time than 3+ months.

I am at a complete loss as to what to do on a MAJOR bug (let's face it, not having SSL is now a MAJOR issue with browsers and user trust) so well reported, with no actual fixes.

I have NO idea how to manually install certbot and set it all up using "manual mode" which it seems to me is currently the only viable solution.

Has anyone come up with any sort of fix I have not yet found?

Re: Let's Encrypt STILL not working? [ubuntu apache+nginx temp fix]

Posted: Sun May 05, 2019 6:57 pm
by viraladmin
This ended up being my workaround solution:

This solution is specifically for Ubuntu running nginx + apache.

First I manually installed certbot from Let's Encrypt:

Code:

sudo apt-get update
sudo apt-get install software-properties-common
sudo add-apt-repository universe
sudo add-apt-repository ppa:certbot/certbot
sudo apt-get update
sudo apt-get install certbot python-certbot-nginx

Next I issued:

Code:

sudo certbot --nginx certonly -d "mydomain.com"

Next I opened

Code:

/etc/letsencrypt/live/mydomain.com/cert.pem

I copied the entire contents of the file and pasted it to the SSL Certificate field in the vestacp admin >> WEB >> edit domain >> advanced >> ssl (leaving Let's Encrypt unchecked)

Next I opened

Code:

/etc/letsencrypt/live/mydomain.com/privkey.pem

I copied the entire contents of the file and pasted it to the SSL Key field in the vestacp admin >> WEB >> edit domain >> advanced >> ssl (leaving Let's Encrypt unchecked)

Then I opened

Code:

/etc/letsencrypt/live/mydomain.com/chain.pem

I copied the entire contents of the file and pasted it to the SSL Certificate Authority / Intermediate (optional) field in the vestacp admin >> WEB >> edit domain >> advanced >> ssl (leaving Let's Encrypt unchecked). I also added at the top of that field an extra

Code:

-----END CERTIFICATE-----
<blank space>

So the SSL Certificate Authority / Intermediate (optional) field looks something like:

Code:

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
THE KEY
-----END CERTIFICATE-----

I saved the vestacp page.

SSL immediately started working.

Finally I opened:

Code:

/usr/local/vesta/data/users/username/web.conf

I found the domain in question and changed the

Code:

LETSENCRYPT='no'

to

Code:

LETSENCRYPT='yes'

*** NOTES ***

When following these instructions note that "mydomain.com" is actually the domain of the site you are creating a certificate for. Also note that "username" in the final steps is the actual name of the user account whose domain the name is under.

It's a BAND-AID fix. It works, but I make no promises to whether auto-renew will work.
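
A check that can be run on the certbot files before they are pasted into the panel, given here as an added example that is not part of the original post: it confirms that privkey.pem belongs to cert.pem, that the certificate covers the domain, and that it is not about to expire. It assumes the openssl command-line tool is installed; the function names and the 30-day threshold are choices made for this example.

```shell
#!/bin/sh
# Added example: sanity checks on certbot output before pasting it into a panel.
# File names (cert.pem, privkey.pem) follow the paths in the post; the function
# names and the 30-day threshold are assumptions made for this example.

# 0 if the private key's public half equals the certificate's public key.
key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    # An unreadable file yields an empty string, which must never count as a match.
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if the certificate is valid for host name $2 (SAN, or CN when no SAN exists).
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# 0 if the certificate will still be valid $2 days from now (default 30).
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( ${2:-30} * 86400 ))" >/dev/null 2>&1
}

# Run all checks against a certbot "live" directory.
# Returns 0 = OK, 1 = do not install, 2 = installable but renewal is due.
preflight() {
    dir=$1; domain=$2
    key_matches_cert "$dir/cert.pem" "$dir/privkey.pem" ||
        { echo "FAIL: privkey.pem does not belong to cert.pem"; return 1; }
    cert_covers_host "$dir/cert.pem" "$domain" ||
        { echo "FAIL: cert.pem does not cover $domain"; return 1; }
    valid_for_days "$dir/cert.pem" 30 ||
        { echo "WARN: expires within 30 days; renew and paste the new files"; return 2; }
    echo "OK"
}

# Usage: sh preflight.sh /etc/letsencrypt/live/mydomain.com mydomain.com
if [ "$#" -ge 2 ]; then
    preflight "$1" "$2"
fi
```

The text pasted into the panel is a copy, so it does not change when certbot later renews the files under /etc/letsencrypt; running the expiry check on a schedule gives early notice that the copy needs refreshing.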