Gandi / letsencrypt-gandi

Gandi plugin for Let's Encrypt
https://www.gandi.net/
Apache License 2.0
91 stars 20 forks

Workaround to the Permission denied (publickey,password) problem #28

Open duub opened 7 years ago

duub commented 7 years ago

Hello, I've read the issues #6 #23 but I still have the same problem doing it the official way.

If I use sudo I get this message; if I don't use it, then I get an error for not having writing permissions in some folders.

I discovered that there are different parameters to define the folders where to write those files, so the command I'm using now is this one:

    $ certbot certonly --domains VHOST \
        --authenticator letsencrypt-gandi:gandi-shs \
        --letsencrypt-gandi:gandi-shs-name SHS-NAME \
        --letsencrypt-gandi:gandi-shs-vhost VHOST \
        --letsencrypt-gandi:gandi-shs-api-key APIKEY \
        --installer letsencrypt-gandi:gandi-shs \
        --logs-dir ./certbot/log --config-dir ./certbot/config --work-dir ./certbot/work

I think it can help other people to know this workaround to the official guide.

ghost commented 7 years ago

Hello! I did update the SHS.py file, and I tried your code @duub, but I get the same results:

    sftp ['sftp', '-o', 'UserKnownHostsFile=/Users/Stan/.ssh/known_hosts', 
    Connected to sftp.dc2.gpaas.net.

    Permission denied (publickey,password).
    Connection closed
    Cleaning up challenges
    Permission denied (publickey,password).
    Connection closed
    Permission denied (publickey,password).
    Connection closed
    Couldn't place file in domain: .../htdocs//.well-known/acme-challenge

Does anyone have an idea how to solve this?

Thanks :)

duub commented 7 years ago

Have you checked all the requirements and limitations?

- You must have a "M"-sized (or greater) Simple Hosting instance to enable SSL
- You must add the certificate's domain name to your instance's VHOSTS
- You need to have SSH Key authentication setup on the Simple Hosting instance
- Your SSH Key must be added to your local ssh-agent (use ssh-add /path/to/key to add it)
- The RSA key for certificates to be used with Simple Hosting can only be of 2048 bits.

Limitations

- Currently, only PHP and Ruby instances will work without modification of your code (in most cases). Simply follow the instructions and the plugin will take care of obtaining and installing the certificates for you.
- Python and Node.js instance users must add a special route to their application prior to using the plugin (examples provided below)

paulstone commented 7 years ago

Hi,

Are you on Mac? I find that on the latest OS version (10.12/Sierra) I need to re-load my public key from Keychain for ssh to use after each reboot of my machine.

Type the following to see if your key is available:

    ssh-add -L

(that's 'L' for list)

If it isn't available, you'll just see 'The agent has no identities'. To load/make available your key, you can type:

    ssh-add -K

to add your public key from the keychain. I guess the 'K' means keychain?

If you do ssh-add -L again, you should see your key returned.

After that, your normal certbot/Gandi scripts should work (assuming you meet the requirements/limitations that @duub mentioned).

Hope that helps. Paul

ghost commented 7 years ago

Thanks to you two!

I noticed the server size I have is "S"...

It might be the cause of all my troubles.

matt1 commented 7 years ago

In case it is any help to anyone else, I was trying this on a Raspberry Pi. I could sftp in fine as the default pi user, but the script was prompting for the password. This worked, but I needed to enter the password many times. I added a '-v' flag to the sftp processes in the shs.py script and saw that it was using root's SSH keys, not the current user's keys.

The resolution was to generate an SSH keypair as root (not as pi or any other user! change into root with sudo su, then generate a keypair and add it to the Gandi control panel), then it worked fine.
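
The two failure modes above (Paul's "agent has no identities" and matt1's "sudo means root's keys, not yours") can be checked before running certbot at all. The following POSIX sh pre-flight is an added example, not code from the letsencrypt-gandi plugin or from anyone in this thread. It assumes what matt1 observed: the plugin shells out to sftp, so sftp reads the effective user's ~/.ssh and the agent behind SSH_AUTH_SOCK, and under sudo that effective user is root. It also relies on sudo's default env_reset dropping SSH_AUTH_SOCK, which is why `sudo --preserve-env=SSH_AUTH_SOCK` or duub's non-root --config-dir/--work-dir/--logs-dir workaround is suggested in the output.

```shell
#!/bin/sh
# Pre-flight check for the letsencrypt-gandi SHS workflow (added example, not
# part of the plugin). Pure functions take their inputs as arguments so they
# can be exercised without a live agent; `sh preflight.sh --run` checks the
# current shell for real.

# Which user's ~/.ssh will sftp read?  $1 = effective user (id -un),
# $2 = SUDO_USER (empty when not running under sudo).
key_owner() {
    if [ "$1" = root ] && [ -n "$2" ]; then
        printf 'root\n'          # sudo: root's keys are used, not the invoking user's
    else
        printf '%s\n' "$1"
    fi
}

# Interpret `ssh-add -L` output read from stdin: prints "none" when the agent
# reports no identities (or is unreachable), otherwise the number of public
# key lines it returned.
count_agent_identities() {
    n=0
    while IFS= read -r line; do
        case "$line" in
            "The agent has no identities."*|"Could not open a connection"*)
                printf 'none\n'; return 0 ;;
            ssh-*|ecdsa-*|sk-*)   # public key lines begin with the key type
                n=$((n + 1)) ;;
        esac
    done
    printf '%s\n' "$n"
}

# Verdict for a given environment.  Prints "ok: ..." and returns 0, or a
# "reason: hint" line and returns 1.
# $1 = effective user, $2 = SUDO_USER, $3 = SSH_AUTH_SOCK, $4 = `ssh-add -L` output
preflight() {
    owner=$(key_owner "$1" "$2")
    if [ -z "$3" ]; then
        printf 'no-agent: SSH_AUTH_SOCK is unset for %s; use sudo --preserve-env=SSH_AUTH_SOCK, or run certbot unprivileged with --config-dir/--work-dir/--logs-dir\n' "$owner"
        return 1
    fi
    ids=$(printf '%s\n' "$4" | count_agent_identities)
    if [ "$ids" = none ] || [ "$ids" = 0 ]; then
        printf 'no-identities: run ssh-add /path/to/key (ssh-add -K on macOS) as %s\n' "$owner"
        return 1
    fi
    printf 'ok: identities=%s owner=%s\n' "$ids" "$owner"
}

# Live check of the current shell (only when invoked with --run).
if [ "${1:-}" = --run ]; then
    out=$(ssh-add -L 2>&1 || true)
    preflight "$(id -un)" "${SUDO_USER:-}" "${SSH_AUTH_SOCK:-}" "$out"
fi
```

Run it as the user that will launch certbot (including via sudo, e.g. `sudo sh preflight.sh --run`) so the verdict reflects the keys sftp will actually see rather than the ones in your login shell.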

jcharlet commented 7 years ago

Hi all, thanks guys for your feedback. In my case, I forgot to add my public SSH key to the Gandi admin interface.