https://bugs.contribs.org/show_bug.cgi?id=10300

--- Comment #28 from Stefan Schulz <[email protected]> ---
I'd like to share some more information.

I created two subdomains under a registered domain: one called
servername.registereddomain.de, the other called mail.registereddomain.de. I
added/changed the CNAME of those two subdomains to point to a DynDNS account.

I changed my server domain from *.local to the registered domain *.de.

I installed the letsencrypt contrib and configured only the hosts with

1. db hosts setprop servername.registereddomain.de letsencryptSSLcert enabled
2. db hosts setprop mail.registereddomain.de letsencryptSSLcert enabled
3. config setprop letsencrypt email [email protected]
4. config setprop letsencrypt ACCEPT_TERMS yes
5. config setprop letsencrypt status test
6. signal-event console-save
7. in the domains.txt there are only servername.registereddomain.de and
mail.registereddomain.de

(I don't know/understand whether this is correct. But the only thing I want is
to send emails from a host with a Let's Encrypt trusted cert. Nothing more.)

Now running dehydrated -c brings up:

# dehydrated -c
# INFO: Using main config file /etc/dehydrated/config
+ Generating account key...
+ Registering account key with ACME server...
Processing saturn.ivbonline.de with alternative names: mail.ivbonline.de
 + Signing domains...
 + Creating new directory /etc/dehydrated/certs/saturn.ivbonline.de ...
 + Generating private key...
 + Generating signing request...
 + Requesting challenge for saturn.ivbonline.de...
 + Requesting challenge for mail.ivbonline.de...
 + Responding to challenge for saturn.ivbonline.de...
 + Challenge is valid!
 + Responding to challenge for mail.ivbonline.de...
 + Challenge is valid!
 + Requesting certificate...
 + Checking certificate...
 + Done!
 + Creating fullchain.pem...
  + ERROR: An error occurred while sending get-request to
http://cert.stg-int-x1.letsencrypt.org/ (Status 400)

Details:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN"
"http://www.w3.org/TR/html4/strict.dtd">
<html><head>
<meta type="copyright" content="Copyright (C) 1996-2016 The Squid Software
Foundation and contributors">
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title>ERROR: The requested URL could not be retrieved</title>
<style type="text/css"><!-- 
 /*
 * Copyright (C) 1996-2016 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/*
 Stylesheet for Squid Error pages
 Adapted from design by Free CSS Templates
 http://www.freecsstemplates.org
 Released for free under a Creative Commons Attribution 2.5 License
*/

/* Page basics */
* {
        font-family: verdana, sans-serif;
}

html body {
        margin: 0;
        padding: 0;
        background: #efefef;
        font-size: 12px;
        color: #1e1e1e;
}

/* Page displayed title area */
#titles {
        margin-left: 15px;
        padding: 10px;
        padding-left: 100px;
        background: url('/squid-internal-static/icons/SN.png') no-repeat left;
}

/* initial title */
#titles h1 {
        color: #000000;
}
#titles h2 {
        color: #000000;
}

/* special event: FTP success page titles */
#titles ftpsuccess {
        background-color:#00ff00;
        width:100%;
}

/* Page displayed body content area */
#content {
        padding: 10px;
        background: #ffffff;
}

/* General text */
p {
}

/* error brief description */
#error p {
}

/* some data which may have caused the problem */
#data {
}

/* the error message received from the system or other software */
#sysmsg {
}

pre {
    font-family:sans-serif;
}

/* special event: FTP / Gopher directory listing */
#dirmsg {
    font-family: courier;
    color: black;
    font-size: 10pt;
}
#dirlisting {
    margin-left: 2%;
    margin-right: 2%;
}
#dirlisting tr.entry td.icon,td.filename,td.size,td.date {
    border-bottom: groove;
}
#dirlisting td.size {
    width: 50px;
    text-align: right;
    padding-right: 5px;
}

/* horizontal lines */
hr {
        margin: 0;
}

/* page displayed footer area */
#footer {
        font-size: 9px;
        padding-left: 10px;
}


body
:lang(fa) { direction: rtl; font-size: 100%; font-family: Tahoma, Roya,
sans-serif; float: right; }
:lang(he) { direction: rtl; }
 --></style>
</head><body id=ERR_INVALID_URL>
<div id="titles">
<h1>ERROR</h1>
<h2>The requested URL could not be retrieved</h2>
</div>
<hr>

<div id="content">
<p>The following error was encountered while trying to retrieve the URL: <a
href="/">/</a></p>

<blockquote id="error">
<p><b>Invalid URL</b></p>
</blockquote>

<p>Some aspect of the requested URL is incorrect.</p>

<p>Some possible problems are:</p>
<ul>
<li><p>Missing or incorrect access protocol (should be <q>http://</q> or
similar)</p></li>
<li><p>Missing hostname</p></li>
<li><p>Illegal double-escape in the URL-Path</p></li>
<li><p>Illegal character in hostname; underscores are not allowed.</p></li>
</ul>

<p>Your cache administrator is <a
href="mailto:[email protected]?subject=CacheErrorInfo%20-%20ERR_INVALID_URL&amp;body=CacheHost%3A%20localhost%0D%0AErrPage%3A%20ERR_INVALID_URL%0D%0AErr%3A%20%5Bnone%5D%0D%0ATimeStamp%3A%20Tue,%2016%20May%202017%2023%3A54%3A51%20GMT%0D%0A%0D%0AClientIP%3A%20192.168.42.10%0D%0A%0D%0AHTTP%20Request%3A%0D%0A%0D%0A%0D%0A">[email protected]</a>.</p>
<br>
</div>

<hr>
<div id="footer">
<p>Generated Tue, 16 May 2017 23:54:51 GMT by localhost (squid/3.5.23)</p>
<!-- ERR_INVALID_URL -->
</div>
</body></html>

This is a message from Squid. As I stated, the server is behind an OPNsense
firewall with Squid enabled. DNS for the SME is the OPNsense. Proxies on the SME
are turned off. The server is unrestricted in the firewall's proxy. I tried
whitelisting all Let's Encrypt domains; it didn't help.

The logs on the firewall are saying:

1494978688.346 0 192.168.42.10  TAG_NONE/400 3909 GET / - HIER_NONE/- text/html

For comparison, the log entry from fetching the contrib says:

1494978085.681 0 192.168.42.10  TCP_HIT/200 26302 GET
http://mirror.canada.pialasse.com/releases/9/smecontribs/i386/RPMS/dehydrated-0.4.0.20170205.git1163864-1.el6.sme.noarch.rpm
- HIER_NONE/- application/octet-stream

I am able to reach from outside

https://servername.registereddomain.de/.well-known/acme-challenge/

Index of /.well-known/acme-challenge

Icon  Name                    Last modified      Size  Description
[DIR] Parent Directory                             -

It seems to me that the status 400 error is the problem. dig brings up:

# dig http://cert.stg-int-x1.letsencrypt.org

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.62.rc1.el6_9.2 <<>>
http://cert.stg-int-x1.letsencrypt.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 26051
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;http://cert.stg-int-x1.letsencrypt.org.        IN A

;; Query time: 14 msec
;; SERVER: 192.168.42.10#53(192.168.42.10)
;; WHEN: Wed May 17 02:29:02 2017
;; MSG SIZE  rcvd: 56

I'm sorry, all this is beyond my knowledge or abilities. If I can help further,
let me know.

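The two Squid log lines and the failed dig in the comment above suggest two checks worth scripting when a dehydrated run fails behind a proxy. The following is an added example, not code from the bug report, from dehydrated or from the SME letsencrypt contrib. It parses Squid native access.log lines (the three sample lines are constructed here, modelled on the format of the two quoted in the comment, with example hostnames) and reports requests Squid refused or that reached it without an absolute URL, and it reduces a URL to the bare hostname that dig expects, because `dig http://cert.stg-int-x1.letsencrypt.org` queries the literal name "http://cert.stg-int-x1.letsencrypt.org." and gets NXDOMAIN regardless of whether the host resolves.

```shell
#!/bin/sh
# Added example (not part of the bug report, dehydrated or the SME contrib):
# triage Squid native access.log lines like the two quoted in the comment.
# Squid's native log format is, field by field:
#   time elapsed client result_code/status bytes method URL ident hierarchy/peer type

# Constructed sample lines (hostnames are examples), modelled on the entries
# quoted in the comment: a cached RPM download, the failed "GET /" and a
# normal forwarded request.
SAMPLE_LOG='1494978085.681 0 192.168.42.10 TCP_HIT/200 26302 GET http://mirror.example.net/dehydrated.rpm - HIER_NONE/- application/octet-stream
1494978688.346 0 192.168.42.10 TAG_NONE/400 3909 GET / - HIER_NONE/- text/html
1494978700.000 120 192.168.42.10 TCP_MISS/200 1532 GET http://acme-staging.example.org/directory - HIER_DIRECT/198.51.100.7 application/json'

# Print "status method url" for every request that Squid answered with a
# 4xx/5xx, or whose URL is not absolute (scheme://host/...). A bare "GET /"
# with HIER_NONE means Squid never knew which origin to contact, which is
# exactly the pattern in the comment's failing line.
squid_failed_requests() {
    printf '%s\n' "$1" | awk '{
        split($4, rc, "/"); status = rc[2] + 0
        if (status >= 400 || $7 !~ /^[a-z]+:\/\//) print status, $6, $7
    }'
}

# Reduce a URL (or an already bare hostname) to the hostname dig needs:
# drop an optional scheme, then everything from the first "/", ":" or "?".
host_from_url() {
    printf '%s\n' "$1" | sed -E 's#^[a-zA-Z][a-zA-Z0-9+.-]*://##; s#[/:?].*$##'
}

# Stand-alone run: list the suspicious request(s) and the name to dig.
squid_failed_requests "$SAMPLE_LOG"
host_from_url 'http://cert.stg-int-x1.letsencrypt.org/'
```

Against a live firewall you would feed the real log, e.g. `squid_failed_requests "$(tail -n 200 /var/log/squid/access.log)"` (the path is Squid's usual default and is assumed here), and then query the host rather than the URL: `dig "$(host_from_url 'http://cert.stg-int-x1.letsencrypt.org/')"`.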