ST12.0.2FP1 Let's encrypt issue

Hi,

I'm experiencing (again) troubles with Let's Encrypt keys.

I installed a single node Sametime 12.0.2FP1 server with Docker on a Debian 12 server.
Mongo is a Single-Node Cluster (it is a test installation).

After the installation is done (leaving all the configuration files as they are) the server goes up and seems to be running correctly.

[
except for the continuous production of identical log lines:

sametimepremium1202fp1-jibri-web-1 | 2024/10/15 06:32:28 [emerg] 1659#1659: open() "/config/nginx/nginx.conf" failed (2: No such file or directory)

]

Of course the web browser complains about the lack of an SSL key.

Then I edit the .env file and uncomment and fill in the following lines:

# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=1

# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=<my.hostname.org>

# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=<me@hostname.org>

# Use the staging server (for avoiding rate limits while testing)
LETSENCRYPT_USE_STAGING=1

Now the web server is inaccessible (Notes clients still connect to Sametime) and the log periodically reports the sequence

nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Run pre hook:'if [[ -d /run/service/nginx ]]; then s6-svc -d /run/service/nginx; fi'
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Standalone mode.
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Only RSA or EC key is supported. keyfile=/config/acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.key
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Please add '--debug' or '--log' to check more details.
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
nginx_1 | [Tue Oct 15 12:41:35 CEST 2024] Run post hook:'if [[ -d /run/service/nginx ]]; then s6-svc -u /run/service/nginx; fi'
nginx_1 | Failed to obtain a certificate from the Let's Encrypt CA.

What am I missing?

thanks
tommaso

This is an issue we discovered after shipping FP1 - due to a change in the certificate format that was supported by the process.

You can work around it by letting the FP1 server start up (and fail) and then manually update the account.key file format from the host:

find sametime-config/web/acme.sh/ca -name account.key -exec sed -i 's/\(RSA PRIVATE\|PRIVATE\)/RSA PRIVATE/g' {} \;

It should be just a one-time thing. BTW: you might have to run it via sudo. The sed script will only change "PRIVATE" to "RSA PRIVATE" and will leave "RSA PRIVATE" alone.

This is addressed in 12.0.2 FP2.
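A longer way to do the same repair, added here as an example (it is not code from this thread or from HCL): instead of rewriting only the PEM header, re-encode the key with openssl so that the body matches the "BEGIN RSA PRIVATE KEY" label, and verify the result parses before it replaces the file. It assumes openssl 1.1 or 3 on the host and that account.key is an unencrypted RSA key; the default directory, the .bak suffix and the function names are my choices.

```shell
# Added example, not from the thread or from HCL: re-encode an acme.sh account.key
# from PKCS#8 ("BEGIN PRIVATE KEY") to PKCS#1 ("BEGIN RSA PRIVATE KEY") with
# openssl, instead of editing only the PEM header. Assumptions: openssl 1.1 or 3
# on the host, unencrypted RSA account keys, GNU or BusyBox find/sed/grep.

# Classify a PEM private key by its header: pkcs1 | pkcs8 | ec | unknown
pem_key_format() {
  if grep -q -- '-----BEGIN RSA PRIVATE KEY-----' "$1"; then echo pkcs1
  elif grep -q -- '-----BEGIN EC PRIVATE KEY-----' "$1"; then echo ec
  elif grep -q -- '-----BEGIN PRIVATE KEY-----' "$1"; then echo pkcs8
  else echo unknown
  fi
}

# Rewrite a PKCS#8 RSA key as PKCS#1 in place (backup kept in <key>.bak).
# Exit status 0 when the file is PKCS#1 afterwards, 1 when it was left alone.
convert_account_key() {
  key=$1
  case "$(pem_key_format "$key")" in
    pkcs1) return 0 ;;                      # already the format acme.sh greps for
    pkcs8) ;;
    *) echo "$key: not a PKCS#8 RSA key, leaving it alone" >&2; return 1 ;;
  esac
  tmp="$key.tmp.$$"
  ( umask 077 && : > "$tmp" ) || return 1   # create the temp file 0600 before openssl writes it
  # OpenSSL 3 writes PKCS#8 unless given -traditional; OpenSSL 1.1 writes
  # PKCS#1 by default and rejects the flag, hence the fallback.
  if ! openssl rsa -in "$key" -traditional -out "$tmp" 2>/dev/null; then
    openssl rsa -in "$key" -out "$tmp" 2>/dev/null || { rm -f "$tmp"; return 1; }
  fi
  # Refuse to install anything that does not parse or is still not PKCS#1.
  if ! openssl rsa -in "$tmp" -check -noout >/dev/null 2>&1 ||
     [ "$(pem_key_format "$tmp")" != pkcs1 ]; then
    rm -f "$tmp"; return 1
  fi
  cp -p "$key" "$key.bak"
  # Write through the existing file so owner and mode (what the container
  # expects) are preserved, instead of mv-ing in a root-owned file.
  cat "$tmp" > "$key" && rm -f "$tmp"
}

# Apply to every account.key under the Sametime config dir, the same scope
# as the find/sed one-liner.
fix_all_account_keys() {
  find "${1:-sametime-config/web/acme.sh/ca}" -name account.key | while IFS= read -r k; do
    if convert_account_key "$k"; then echo "ok   $k"; else echo "skip $k"; fi
  done
}

# Usage: sudo sh fix-account-key.sh --run [config-dir]
if [ "${1-}" = "--run" ]; then fix_all_account_keys "${2-}"; fi
```

The `-traditional` attempt with a fallback is what makes this work on both OpenSSL generations: OpenSSL 3 would otherwise write PKCS#8 back out and nothing would change. The parse check before the copy is the part the sed one-liner cannot give you.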

Hi Anthony,

thanks for your quick answer

steps ahead but not enough

the file account.key is now correct, but the log returns a different message:

nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] Installing to /config/acme.sh
nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] Installed to /config/acme.sh/acme.sh
nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] No profile is found, you will need to go into /config/acme.sh to use acme.sh
nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] Installing cron job
nginx_1 | 47 0 * * * "/config/acme.sh"/acme.sh --cron --home "/config/acme.sh" > /dev/null
nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] Good, bash is found, so change the shebang to use bash as preferred.
nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] OK
nginx_1 | /run/s6-rc:s6-rc-init:Bjbdgl/servicedirs/s6rc-oneshot-runner
nginx_1 | [Tue Oct 15 14:51:22 CEST 2024] Using ACME_DIRECTORY: https://acme-staging-v02.api.letsencrypt.org/directory
nginx_1 | [Tue Oct 15 14:51:23 CEST 2024] Using CA: https://acme-staging-v02.api.letsencrypt.org/directory
nginx_1 | [Tue Oct 15 14:51:23 CEST 2024] Run pre hook:'if [[ -d /run/service/nginx ]]; then s6-svc -d /run/service/nginx; fi'
nginx_1 | [Tue Oct 15 14:51:23 CEST 2024] Standalone mode.
nginx_1 | [Tue Oct 15 14:51:23 CEST 2024] Single domain='<my.host.org>'
nginx_1 | [Tue Oct 15 14:51:23 CEST 2024] Getting domain auth token for each domain
nginx_1 | [Tue Oct 15 14:51:25 CEST 2024] Getting webroot for domain='<my.host.org>'
nginx_1 | [Tue Oct 15 14:51:25 CEST 2024] Verifying: <my.host.org>
nginx_1 | [Tue Oct 15 14:51:25 CEST 2024] Standalone mode server
community_1 | stconvomap 2024-10-15 12:51:25.944 INFO 0 --- 41 : MongoMemberManager - Membership cleanup : Number of records deleted: 0
nginx_1 | [Tue Oct 15 14:51:29 CEST 2024] <my.host.org>:Verify error:<my.ip.add.ress>: Fetching http://<my.host.org>/.well-known/acme-challenge/bPXrxkXk8mLxr87S-mSKofGUx-GknbiLjrQziY6hoQ0: Connection refused
nginx_1 | [Tue Oct 15 14:51:29 CEST 2024] Please add '--debug' or '--log' to check more details.
nginx_1 | [Tue Oct 15 14:51:29 CEST 2024] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
nginx_1 | [Tue Oct 15 14:51:29 CEST 2024] Run post hook:'if [[ -d /run/service/nginx ]]; then s6-svc -u /run/service/nginx; fi'
nginx_1 | Failed to obtain a certificate from the Let's Encrypt CA.
nginx_1 | Exiting.

thanks

t

addendum (maybe can be useful)

now the dir
sametime-config/web/acme.sh/<my.host.org>.it

has four files

<my.host.org>.conf <my.host.org>.csr <my.host.org>.csr.conf <my.host.org>.key

and the file
<my.host.org>.key

starts with
-----BEGIN PRIVATE KEY-----

and not with
-----BEGIN RSA PRIVATE KEY-----

[
and also dir sametime-config/web/acme.sh/ca/acme-staging-v02.api.letsencrypt.org

has more files than account.key:
account.json account.key account.key.cp ca.conf
]

t

Port 80 is blocked -

nginx_1 | [Tue Oct 15 14:51:29 CEST 2024] <my.host.org>:Verify error:<my.ip.add.ress>: Fetching http://<my.host.org>/.well-known/acme-challenge/bPXrxkXk8mLxr87S-mSKofGUx-GknbiLjrQziY6hoQ0: Connection refused

so the validation fails -


almost

the port was open, but the default in the .env file is

# Exposed HTTP port.
HTTP_PORT=8000

so Let's Encrypt could never complete the challenge.

I moved HTTP_PORT to 80 and I got the keys.

My browsers are still complaining, I think because it is a staging key.

Now I'm trying to get a production key and I think Sametime can go.

It may take some time and I'll wait.

If needed, I will be back here.

Thanks

Tommaso
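A check that would have caught the HTTP_PORT problem before the first request to the CA, added as an example (it is not part of this thread or of the Sametime install scripts); it also covers step 3 of the recipe further down. It assumes the .env variable names quoted in this thread and, for the optional live check, that getent and curl exist on the host; the function names, messages and exit-code convention are mine.

```shell
# Added example, not from the thread or from the Sametime install scripts:
# pre-flight check of the .env values the Let's Encrypt HTTP-01 challenge
# depends on, so the port problem shows up before the CA is contacted.
# Assumptions: the variable names quoted in this thread; for the optional
# live check, getent and curl on the host. Function names and messages are mine.

# Print the last value of KEY in a .env file (comments ignored, quotes stripped).
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | tr -d '"\r' | sed 's/[[:space:]]*$//'
}

# Static checks. Prints one line per finding and returns the number of
# blocking problems, so 0 means the configuration can be tried against the CA.
preflight_env() {
  file=$1; problems=0
  enable=$(env_get "$file" ENABLE_LETSENCRYPT)
  domain=$(env_get "$file" LETSENCRYPT_DOMAIN)
  email=$(env_get "$file" LETSENCRYPT_EMAIL)
  staging=$(env_get "$file" LETSENCRYPT_USE_STAGING)
  port=$(env_get "$file" HTTP_PORT)

  if [ "$enable" != 1 ]; then
    echo "INFO  ENABLE_LETSENCRYPT is not 1, nothing to check"
    return 0
  fi
  # The CA fetches http://<domain>/.well-known/acme-challenge/... on port 80.
  # The nginx container answers on its own port 80 (acme.sh standalone mode),
  # but the host publishes it as HTTP_PORT, which ships as 8000 in this thread.
  if [ "${port:-8000}" != 80 ]; then
    echo "FAIL  HTTP_PORT=${port:-8000}: the challenge arrives on port 80, set HTTP_PORT=80"
    problems=$((problems + 1))
  fi
  case "$domain" in
    ""|*"<"*|*">"*|localhost|*.local|*.internal)
      echo "FAIL  LETSENCRYPT_DOMAIN='$domain' is empty, a placeholder or not a public name"
      problems=$((problems + 1)) ;;
  esac
  case "$email" in
    ""|*"<"*|*">"*)
      echo "FAIL  LETSENCRYPT_EMAIL is empty or still a placeholder"
      problems=$((problems + 1)) ;;
    *@*) ;;
    *)
      echo "FAIL  LETSENCRYPT_EMAIL='$email' is not an e-mail address"
      problems=$((problems + 1)) ;;
  esac
  if [ "$staging" = 1 ]; then
    echo "WARN  LETSENCRYPT_USE_STAGING=1: the certificate will come from the staging CA and browsers will not trust it"
  fi
  return $problems
}

# Optional live check, best run from outside the host's firewall: does the name
# resolve, and does anything answer on port 80? Any HTTP status is fine here;
# what the thread hit was "Connection refused", which curl reports as 000.
preflight_live() {
  domain=$1
  if command -v getent >/dev/null 2>&1; then
    addr=$(getent ahostsv4 "$domain" | awk 'NR==1{print $1}')
    [ -n "$addr" ] || { echo "FAIL  $domain does not resolve"; return 1; }
  fi
  command -v curl >/dev/null 2>&1 || { echo "INFO  curl not found, skipping port check"; return 0; }
  code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 10 \
         "http://$domain/.well-known/acme-challenge/preflight") || code=000
  if [ "$code" = 000 ]; then
    echo "FAIL  http://$domain:80 refused or timed out${addr:+ (resolved to $addr)}"
    return 1
  fi
  echo "OK    http://$domain:80 answers (HTTP $code)"
}

# Usage: sh le-preflight.sh /path/to/.env
if [ $# -gt 0 ]; then
  if preflight_env "$1"; then preflight_live "$(env_get "$1" LETSENCRYPT_DOMAIN)"; else exit 1; fi
fi
```

Run it against the shipped .env before the first `docker-compose up` with ENABLE_LETSENCRYPT=1: the static part fails on HTTP_PORT=8000 and on any angle-bracket placeholders, and the live part reproduces the CA's first step (resolve the name, open port 80) without spending a request against the rate limits.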

Hi Anthony,

at least I managed to have Sametime 12.0.2FP1 working.

I followed these steps

1)
execute
sametimedir$ sudo ./install.sh

2)
execute
sametimedir$ sudo docker-compose down

3)
change in .env:

from
# Exposed HTTP port.
HTTP_PORT=8000

to

# Exposed HTTP port.
HTTP_PORT=80

and

# Enable Let's Encrypt certificate generation
ENABLE_LETSENCRYPT=1

# Domain for which to generate the certificate
LETSENCRYPT_DOMAIN=<my.host.org>

# E-Mail for receiving important account notifications (mandatory)
LETSENCRYPT_EMAIL=<me@host.org>

leaving commented

# Use the staging server (for avoiding rate limits while testing)
#LETSENCRYPT_USE_STAGING=1

4)
execute
sametimedir$ sudo docker-compose up -d [this creates the dir sametime-config/web/acme.sh/ca]

5)
quickly execute [don't want too many requests, if any, to LE]
sametimedir$ sudo docker-compose down

6)
execute fix
sametimedir$ sudo find sametime-config/web/acme.sh/ca -name account.key -exec sed -i 's/\(RSA PRIVATE\|PRIVATE\)/RSA PRIVATE/g' {} \;

7)
finally execute
sametimedir$ sudo docker-compose up -d

and Sametime is up

thanks

tommaso