Problem with Let's Encrypt

I have installed Passbolt correctly and it works, but now I am trying to use Let's Encrypt certificates and I can't.
I use:

dpkg-reconfigure passbolt-ce-server

Then I choose to reconfigure the nginx server. When I fill in the domain name and email I get this error:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator nginx, Installer nginx
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for passbolt.krack360.com
Waiting for verification...
Challenge failed for domain passbolt.krack360.com
http-01 challenge for passbolt.krack360.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: passbolt.krack360.com
   Type:   dns
   Detail: DNS problem: SERVFAIL looking up A for
   passbolt.krack360.com - the domain's nameservers may be
   malfunctioning; no valid AAAA records found for
   passbolt.krack360.com

I don't know the origin of this error. My DNS servers are in the cloud, at OVH, and I have an A record in DNS.

root@passbolt:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:xx:xx:xx brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.0.199/24 brd 192.168.0.255 scope global dynamic noprefixroute ens160
       valid_lft 602783sec preferred_lft 602783sec
    inet6 fe80::57fd:233c:dfcc:603/64 scope link noprefixroute 
       valid_lft forever preferred_lft forever

root@passbolt:~# nslookup passbolt.krack360.com
Server:		192.168.0.111
Address:	192.168.0.111#53

Non-authoritative answer:
Name:	passbolt.krack360.com
Address: 192.168.0.199

This is what the Let's Encrypt log has:

2022-04-25 08:58:58,012:INFO:certbot.auth_handler:Waiting for verification...
2022-04-25 08:58:58,013:DEBUG:acme.client:JWS payload:
b'{\n  "resource": "challenge",\n  "type": "http-01"\n}'
2022-04-25 08:58:58,016:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/5ztutw:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDgzNjMyODgwIiwgIm5vbmNlIjogIjAxMDFmRzZFZXRTUWJjd0xlSkoyZkNuU3lhUHhqVGRJblM0bXVlWnhfVzlmZ2ZNIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My8xMDE4NzE3MjI4MDcvNXp0dXR3In0",
  "signature": "Bz1kK7GU-fE6j2Vg6i96G89TySf577APqPATkZbLL4s-63jeLcbG_GbhvsIzwi8ExblME2orF5nZRRlc90FmyrFd4tMHrtCtJx4O0d7zpFd-NgsyzMuf5JkGQwcVAM1ymEsXDpo4_wlWiYYY8XNSzQwBKVJNtECilveNbGYmE1BS8S_0P6SpmXsMG3siOevnVauU99dgIsih_kPRivjwN4xVoOR3xwPM0lR4OSqlH2xzuY5OJdCjrMmv76J8tCciEH6xTkSQ_mgG9XaJXxmXwjJmWzXhhQbXWt4JZos7iiPUe_KdyK-ofEe4qJtY4ApDxnhetuOXhaDODRXhcVhqMg",
  "payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2022-04-25 08:58:58,226:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/101871722807/5ztutw HTTP/1.1" 200 187
2022-04-25 08:58:58,227:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 25 Apr 2022 06:58:58 GMT
Content-Type: application/json
Content-Length: 187
Connection: keep-alive
Boulder-Requester: 483632880
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/101871722807>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/5ztutw
Replay-Nonce: 0101bRIk5-WyAgcEg9mPZqiLXCqyq7bYHjBPBDJwtKGYuFM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "type": "http-01",
  "status": "pending",
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/5ztutw",
  "token": "53uK1Bg9IcrprSUCEFCPRwJy4kUN9StFBsByO7hlnmk"
}
2022-04-25 08:58:58,227:DEBUG:acme.client:Storing nonce: 0101bRIk5-WyAgcEg9mPZqiLXCqyq7bYHjBPBDJwtKGYuFM
2022-04-25 08:58:59,229:DEBUG:acme.client:JWS payload:
b''
2022-04-25 08:58:59,231:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/101871722807:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDgzNjMyODgwIiwgIm5vbmNlIjogIjAxMDFiUklrNS1XeUFnY0VnOW1QWnFpTFhDcXlxN2JZSGpCUEJESnd0S0dZdUZNIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMDE4NzE3MjI4MDcifQ",
  "signature": "Hqdxy2bVGktoIcKn6z6YwO_sa1MnfDT9dPmASnP4QAfXvqVDo-yPkGgxOGK80RUkXxqP89D7F_1NGzX2nZh_7Nie1KR-_NeR39WifIuBD_Qs_h6GCM6829emJxrlYxNrYFqVDySieMvRLZQfehIw2umDgrx04prNf6j1aYiSKiw3WRQ_qhbGmGNxIbmIewlHdyQA81XrnqoW-6M_2lcpKiJheeyJGSIYJt21jg0zyD5gc7mI9wWtLbGRqNIds2KSLbtRdtr9zG8BMg7a3mtvC6tWhE8mlQJoeV3juShEC5w6kzusi60OSGUMKFYW9AivEFYt4S5adu-kxO_2pR-yBA",
  "payload": ""
}
2022-04-25 08:58:59,415:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/101871722807 HTTP/1.1" 200 805
2022-04-25 08:58:59,416:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 25 Apr 2022 06:58:59 GMT
Content-Type: application/json
Content-Length: 805
Connection: keep-alive
Boulder-Requester: 483632880
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01022YRkRLuzNcBae0waLrAlz577R9X1_PU0cUWrIcr_Oo8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "passbolt.krack360.com"
  },
  "status": "pending",
  "expires": "2022-05-02T06:58:56Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/5ztutw",
      "token": "53uK1Bg9IcrprSUCEFCPRwJy4kUN9StFBsByO7hlnmk"
    },
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/7SkFaw",
      "token": "53uK1Bg9IcrprSUCEFCPRwJy4kUN9StFBsByO7hlnmk"
    },
    {
      "type": "tls-alpn-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/pbKMyQ",
      "token": "53uK1Bg9IcrprSUCEFCPRwJy4kUN9StFBsByO7hlnmk"
    }
  ]
}
2022-04-25 08:58:59,416:DEBUG:acme.client:Storing nonce: 01022YRkRLuzNcBae0waLrAlz577R9X1_PU0cUWrIcr_Oo8
2022-04-25 08:59:02,420:DEBUG:acme.client:JWS payload:
b''
2022-04-25 08:59:02,423:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/101871722807:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvNDgzNjMyODgwIiwgIm5vbmNlIjogIjAxMDIyWVJrUkx1ek5jQmFlMHdhTHJBbHo1NzdSOVgxX1BVMGNVV3JJY3JfT284IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My8xMDE4NzE3MjI4MDcifQ",
  "signature": "Ob10Pq7L0yq_nTosa-y0dklZyR-gkPF2EJ1fZpv3WfAbjuRY8E6LqNNXpkDdfee-GoYlbpawqyPRdSO5ikJHYlNIhckpd4tMQcpzkTgn5X9hQrgEZs5uRtHhRJ2om8Tz1J0uVdF036hIY17WPgPr69M6Yju6DgvjkeIgRDWlhf6IazQBfo32Z-6r9JtJEhazCtTOnShIeIww6u84Uq7EGRZLY6ub8d8h7wu0lvd3CYd5bBDn5g2AKXxUnN6GUoeNFp9pXF4INJM5ibt3SoAkjgW8hXwsl_UcGNmlsN2CgsjyOrS-fefWZm0MKGLNl4lWUo12RpwcyguzgDUCBQGtbQ",
  "payload": ""
}
2022-04-25 08:59:02,623:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/101871722807 HTTP/1.1" 200 703
2022-04-25 08:59:02,624:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Mon, 25 Apr 2022 06:59:02 GMT
Content-Type: application/json
Content-Length: 703
Connection: keep-alive
Boulder-Requester: 483632880
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102fovSAqLmz4Kiq3csvUoHPOVAKCblfstGGcUq8KDBfJw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "passbolt.krack360.com"
  },
  "status": "invalid",
  "expires": "2022-05-02T06:58:56Z",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:dns",
        "detail": "DNS problem: SERVFAIL looking up A for passbolt.krack360.com - the domain's nameservers may be malfunctioning; no valid AAAA records found for passbolt.krack360.com",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/101871722807/5ztutw",
      "token": "53uK1Bg9IcrprSUCEFCPRwJy4kUN9StFBsByO7hlnmk",
      "validated": "2022-04-25T06:58:58Z"
    }
  ]
}
2022-04-25 08:59:02,624:DEBUG:acme.client:Storing nonce: 0102fovSAqLmz4Kiq3csvUoHPOVAKCblfstGGcUq8KDBfJw
2022-04-25 08:59:02,624:WARNING:certbot.auth_handler:Challenge failed for domain passbolt.krack360.com
2022-04-25 08:59:02,625:INFO:certbot.auth_handler:http-01 challenge for passbolt.krack360.com
2022-04-25 08:59:02,625:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

Domain: passbolt.krack360.com
Type:   dns
Detail: DNS problem: SERVFAIL looking up A for passbolt.krack360.com - the domain's nameservers may be malfunctioning; no valid AAAA records found for passbolt.krack360.com
2022-04-25 08:59:02,639:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2022-04-25 08:59:02,639:DEBUG:certbot.error_handler:Calling registered functions
2022-04-25 08:59:02,639:INFO:certbot.auth_handler:Cleaning up challenges
2022-04-25 08:59:04,034:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1132, in run
    new_lineage = _get_and_save_cert(le_client, config, domains,
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

I am using an Ubuntu 20.04 machine and Passbolt version 3.5.0.
I would be so grateful if someone could help me.

Hi @adrianfl55, do you need to add the domain to the /etc/hosts file?

192.168.0.199 passbolt.krack360.com

Hi @adrianfl55

Your domain name passbolt.krack360.com is not well configured, as the Let's Encrypt log output shows.

Your server has the IP address 192.168.0.199, which is a private IP address from the class C range. That means it will work on a private network but cannot be routed from the Internet.

More information is on Wikipedia.

You must use a public IP address to be able to use Let’s Encrypt.

Best,

OK, thank you for the reply. I will try it with a public IP.

I tried it, but it didn't work. Even so, my boss has told me that putting the public IP address is a bit dangerous. Are there any other options?

It is possible to use Let's Encrypt without a public IP address, just not the HTTP challenge feature which Passbolt implements.

You said you have an A record in the DNS settings. The domain is not publicly resolvable for me so do you have a firewall implemented?

Yes, they have a firewall. But it is a public domain; I can resolve passbolt.krack360.com from my home.

The firewall is probably whitelisting your home IP?

The HTTP challenge requires the Let's Encrypt servers to access your server to check the certs and replace them as needed.

If you are not able to use the HTTP challenge feature because the firewall must stay closed, you could see if your domain provider has an API and use an ACME-based script like acme.sh (https://github.com/acmesh-official/acme.sh), a pure Unix shell script implementing the ACME client protocol, which has an API feature.

ref: ACME Client Implementations - Let's Encrypt (https://letsencrypt.org/docs/client-options/)
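The two replies above name three different reasons an http-01 validation fails: the CA's resolver gets SERVFAIL from the zone's authoritative nameservers, the A record points at a private address that is not routable from the Internet, or the record is public but TCP/80 is filtered. The following pre-flight is an added example (not code from the thread, from Passbolt or from certbot) that runs offline against constructed inputs and classifies a hostname into exactly those cases; the function and type names are mine, and the resolver answers and interface lists are made up to mirror the `ip a` and `nslookup` output posted earlier.

```python
"""Offline pre-flight for an ACME http-01 challenge (added example, not project code).

Inputs are constructed: what a public recursive resolver returned for the name,
the addresses bound on this host (from `ip a`), and optionally whether TCP/80 is
reachable from outside. Nothing is queried over the network.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class DnsAnswer:
    """Result of an A/AAAA lookup as seen by a public resolver (constructed input)."""
    rcode: str                                   # "NOERROR", "SERVFAIL", "NXDOMAIN", ...
    addresses: List[str] = field(default_factory=list)


def is_reachable_from_internet(ip: str) -> bool:
    """True only for globally routable unicast: rejects RFC 1918, loopback,
    link-local, CGNAT (100.64/10), documentation ranges and multicast."""
    addr = ipaddress.ip_address(ip)
    return addr.is_global and not addr.is_multicast


def http01_preflight(hostname: str, answer: DnsAnswer, local_addresses: List[str],
                     port80_open_from_outside: Optional[bool] = None) -> List[str]:
    """Return a list of blockers; an empty list means http-01 can plausibly succeed.

    port80_open_from_outside=None means "not checked" and raises no finding.
    """
    findings: List[str] = []
    if answer.rcode != "NOERROR":
        # This is what the thread's certbot log shows: the CA never got an A record,
        # so the failure is in the zone (authoritative NS / DNSSEC), not on the host.
        findings.append(
            f"{hostname}: resolver returned {answer.rcode}; the CA will report "
            f"'DNS problem: {answer.rcode} looking up A'. Check the zone's "
            f"authoritative nameservers (dig +trace, dig @ns SOA) before anything else")
        return findings
    if not answer.addresses:
        findings.append(f"{hostname}: NOERROR but no A/AAAA record published")
        return findings
    for ip in answer.addresses:
        if not is_reachable_from_internet(ip):
            findings.append(
                f"{hostname} -> {ip} is not globally routable; Let's Encrypt cannot "
                f"connect to it, so http-01 and tls-alpn-01 cannot work. Use dns-01")
        elif ip not in local_addresses:
            findings.append(
                f"{hostname} -> {ip} is public but not bound on this host; make sure "
                f"NAT/port-forwarding delivers TCP/80 for {ip} to this machine")
        elif port80_open_from_outside is False:
            findings.append(
                f"{hostname} -> {ip}: TCP/80 is filtered from the Internet. Validation "
                f"comes from several Let's Encrypt vantage points, so allow-listing one "
                f"source IP is not an option; open 80 or switch to dns-01")
    return findings


if __name__ == "__main__":
    # Constructed inputs mirroring the thread: Let's Encrypt saw SERVFAIL,
    # the LAN resolver (192.168.0.111) answered with the private address.
    host = "passbolt.krack360.com"
    local = ["127.0.0.1", "192.168.0.199", "::1", "fe80::57fd:233c:dfcc:603"]
    for ans in (DnsAnswer("SERVFAIL"), DnsAnswer("NOERROR", ["192.168.0.199"])):
        for line in http01_preflight(host, ans, local) or [f"{host}: no blocker found"]:
            print(line)
```

Feed it the answer from a resolver outside the LAN (for example `dig +short A passbolt.krack360.com @1.1.1.1`), not from 192.168.0.111: the LAN resolver returning 192.168.0.199 while the CA gets SERVFAIL is exactly the split-horizon situation the thread is in, and only the public view matters for http-01.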

Oh, thank you. I'll try this option and hopefully it works.

I have a problem with part 9. It gives me an error with the command from the page:

root@passbolt:~/.acme.sh/passbolt.krack360.com# acme.sh --issue -d passbolt.krack360.com --dns
[Wed 27 Apr 2022 12:20:36 CEST] It seems that you are using dns manual mode. Read this link first: https://github.com/acmesh-official/acme.sh/wiki/dns-manual-mode

And following that link:

root@passbolt:~/.acme.sh/passbolt.krack360.com# acme.sh --issue -d passbolt.krack360.com --dns \ --yes-I-know-dns-manual-mode-enough-go-ahead-please
[Wed 27 Apr 2022 12:20:54 CEST] Using CA: https://acme.zerossl.com/v2/DV90
[Wed 27 Apr 2022 12:20:54 CEST] Single domain='passbolt.krack360.com'
[Wed 27 Apr 2022 12:20:55 CEST] Getting domain auth token for each domain
[Wed 27 Apr 2022 12:21:31 CEST] Getting webroot for domain='passbolt.krack360.com'
[Wed 27 Apr 2022 12:21:31 CEST] Verifying: passbolt.krack360.com
mkdir: unrecognized option '--yes-I-know-dns-manual-mode-enough-go-ahead-please/.well-known/acme-challenge'
Try 'mkdir --help' for more information.
/root/.acme.sh/acme.sh: line 4860: --yes-I-know-dns-manual-mode-enough-go-ahead-please/.well-known/acme-challenge/yqYfX8snICJf4hxPZz1KGhDT0cV_PJnH-XytOqIKjVg: No such file or directory
[Wed 27 Apr 2022 12:21:31 CEST] passbolt.krack360.com:Can not write token to file : --yes-I-know-dns-manual-mode-enough-go-ahead-please/.well-known/acme-challenge/yqYfX8snICJf4hxPZz1KGhDT0cV_PJnH-XytOqIKjVg
rm: unrecognized option '--yes-I-know-dns-manual-mode-enough-go-ahead-please/.well-known'
Try 'rm --help' for more information.
[Wed 27 Apr 2022 12:21:31 CEST] Please add '--debug' or '--log' to check more details.
[Wed 27 Apr 2022 12:21:31 CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh

Any idea what could be failing?

Thank you very much

It seems your domain provider does not have an API so you need to use manual? That’s a bummer.

For manual, the error shown is expecting a folder path that is missing. Add in the folder path so it can find it, then retry.

OK. I'll try it, but I am using manual mode because we have Passbolt on a test machine and my boss told me to use manual instead of the API.

If manual works and the API is an option, then a working manual test is a good report back to the boss to show the API option will work OK. It will do what you are doing manually. The domain provider will allow the creation of an API key and secret which the acme.sh script will use to handle the TXT for you. Hope it works!

Thank you so much, but I don't understand which folder I have to create.

Try a one-liner without the backslash.

acme.sh --issue -d passbolt.krack360.com --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

Oh, thank you. That was the problem, but now it shows me only one TXT record to add in DNS instead of two as in the tutorial. Is it a problem?

I think the example with two is for a domain without a subdomain, so it's suggesting www. Seeing just one in your case is right.
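The reason there is exactly one TXT record per name is that ACME issues one challenge per identifier in the order, and the value acme.sh prints is derived from the challenge token and your ACME account key, not from the domain. The block below is an added example (not acme.sh's or Passbolt's code) that carries out the derivation from RFC 8555 (key authorization, http-01 body, dns-01 TXT value) and RFC 7638 (JWK thumbprint). The token is the one visible in the certbot log earlier in this thread; the RSA JWK is a constructed placeholder with a bogus modulus, used only so the code runs offline, and the function names are mine.

```python
"""Derivation of ACME challenge responses (added example, not acme.sh/Passbolt code).

RFC 8555 §8.1: keyAuthorization = token || '.' || base64url(JWK_Thumbprint(accountKey))
RFC 8555 §8.3: http-01 serves the key authorization at /.well-known/acme-challenge/<token>
RFC 8555 §8.4: dns-01 publishes base64url(SHA-256(keyAuthorization)) as a TXT record
RFC 7638:      thumbprint = SHA-256 over the required JWK members, lexicographically ordered, no whitespace
"""
import base64
import hashlib
import json

# Token taken from the certbot log earlier in the thread (one token per authorization).
TOKEN = "53uK1Bg9IcrprSUCEFCPRwJy4kUN9StFBsByO7hlnmk"

# Constructed placeholder account key: NOT a real RSA modulus, just a base64url string,
# so the example runs without an ACME account. Extra members (alg, kid) are ignored
# by the thumbprint on purpose, as RFC 7638 requires.
SAMPLE_JWK = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86z",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "https://acme-v02.api.letsencrypt.org/acme/acct/000000000",
}


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding ACME uses everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_sha256(data: bytes) -> str:
    return b64url(hashlib.sha256(data).digest())


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: only the required members, sorted keys, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True,
                           separators=(",", ":"))
    return b64url_sha256(canonical.encode("utf-8"))


def key_authorization(token: str, jwk: dict) -> str:
    """Binds the CA's token to this ACME account's public key (RFC 8555 §8.1)."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def http01_response(token: str, jwk: dict) -> tuple:
    """(URL path, body) the CA fetches over plain HTTP on port 80."""
    return (f"/.well-known/acme-challenge/{token}", key_authorization(token, jwk))


def dns01_txt_record(domain: str, token: str, jwk: dict) -> tuple:
    """(owner name, TXT value) to publish; the CA queries the authoritative NS for it."""
    value = b64url_sha256(key_authorization(token, jwk).encode("ascii"))
    return (f"_acme-challenge.{domain}", value)


if __name__ == "__main__":
    name, value = dns01_txt_record("passbolt.krack360.com", TOKEN, SAMPLE_JWK)
    print(f'{name}. IN TXT "{value}"')
    path, body = http01_response(TOKEN, SAMPLE_JWK)
    print(f"http://passbolt.krack360.com{path} -> {body}")
```

Two practical consequences follow from the derivation. The value changes on every issuance because the token does, so a TXT left over from an earlier attempt or another client never validates; delete stale ones so the CA does not pick the wrong record. And because the CA asks the zone's authoritative servers, check the record there rather than through your LAN resolver (for example `dig +short TXT _acme-challenge.passbolt.krack360.com @<one of the OVH nameservers>`) before running the second manual-mode step from the wiki linked above, `acme.sh --renew -d passbolt.krack360.com --yes-I-know-dns-manual-mode-enough-go-ahead-please`.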

OK. Thank you, I will continue with the tutorial.

Now I have the certificates:

[Wed 27 Apr 2022 14:24:46 CEST] Your cert is in: /root/.acme.sh/passbolt.krack360.com/passbolt.krack360.com.cer
[Wed 27 Apr 2022 14:24:46 CEST] Your cert key is in: /root/.acme.sh/passbolt.krack360.com/passbolt.krack360.com.key
[Wed 27 Apr 2022 14:24:46 CEST] The intermediate CA cert is in: /root/.acme.sh/passbolt.krack360.com/ca.cer
[Wed 27 Apr 2022 14:24:46 CEST] And the full chain certs is there: /root/.acme.sh/passbolt.krack360.com/fullchain.cer

Do I have to put them in the nginx site (nginx-passbolt.conf) and add listen 443?

#
#  Passbolt.conf - Nginx configuration file to run the Passbolt software.
#

server {


  listen [::]:80;
  listen 80;

  # Managed by Passbolt
  # server_name

  client_body_buffer_size     100K;
  client_header_buffer_size   1K;
  client_max_body_size        5M;

  client_body_timeout   10;
  client_header_timeout 10;
  keepalive_timeout     5 5;
  send_timeout          10;

  root /usr/share/php/passbolt/webroot;
  index index.php;
  error_log /var/log/nginx/passbolt-error.log info;
  access_log /var/log/nginx/passbolt-access.log;
  # Managed by Passbolt
  # include __PASSBOLT_SSL__

  location / {
    try_files $uri $uri/ /index.php?$args;
  }

  location ~ \.php$ {
    try_files                $uri =404;
    include                  fastcgi_params;
    fastcgi_pass             unix:/run/php/__PHP_VERSION__-fpm.sock;
    fastcgi_index            index.php;
    fastcgi_intercept_errors on;
    fastcgi_split_path_info  ^(.+\.php)(.+)$;
    fastcgi_param            SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param            SERVER_NAME $http_host;
    fastcgi_param PHP_VALUE  "upload_max_filesize=5M \n post_max_size=5M";
  }

}

Hi,

Even though your certificates are issued by Let's Encrypt, you got them with another tool, so you have to follow the manual procedure: Passbolt Help | Manual HTTPS configuration on Debian and Ubuntu with user-provided certificates

Basically, it is just a dpkg-reconfigure passbolt-ce-server, then answer the questions.

Warning: you must use the fullchain certificate, /root/.acme.sh/passbolt.krack360.com/fullchain.cer, which contains your certificate plus the intermediate. A correct SSL configuration is mandatory to use the mobile app.

The key is /root/.acme.sh/passbolt.krack360.com/passbolt.krack360.com.key.

Cheers,