neurobin / lcget

Wrapper script for letsencrypt

having problem with login to some remote servers #1

Closed miklasz closed 8 years ago

miklasz commented 8 years ago

Basically I use lcget in the same way for 2 different domains.

For domain1.com (GoDaddy hosting) I use the command:

sudo lcget certonly --manual -d domain1.com -d www.domain1.com -m my@email.com -jp /usr/bin/jssh

It asks me for the sudo password, then it asks me for the password for the remote host. I type the password and all works fine, I get a new cert.

However, with domain2 I have a problem:

sudo lcget certonly --manual -d domain2.com -d www.domain2.com -m my@email.com -jp /usr/bin/jssh

It asks me for the sudo password, then asks for the remote host password, so I type the password BUT this time I can actually see the password I type, whereas I couldn't see anything I typed with domain1.com.

So now when I type the password and hit enter nothing happens... I get timed out after some time.

any idea ?

I can log in to the remote server, no problem, but when I use lcget it's not working.

And I would understand if this happened for all domains, but it's only with one :(

any idea ?

neurobin commented 8 years ago

Seems like it asks for a password where it shouldn't. Please give me the exact prompt that is asking for the password, and also the version number of ssh:

ssh -V

And for the prompt, simply run lcget and go until you have that problem, and post the output of the screen here.

miklasz commented 8 years ago

Oooook, a few hours later.... aaaand I found the reason...

I was setting up public key access for my user@mydomain, and when using sudo lcget I had to set up separate public key access for root, as I use sudo.

So basically I've added the key to authorized_keys in the .ssh/ folder (for root) and copied the config key from user to root.

And now ssh works fine, but now I have a different error :D

I didn't research it yet as I have to go to work early in the morning; looks like a file permission issue maybe.



Make sure your web server displays the following content at http://miklaszewski.com/.well-known/acme-challenge/ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE before continuing:

ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE.PNWFtoo9O4yjI0Ug5BEJCzyIGleOgyKpi-TL7MkxGnk

If you don't have HTTP server configured, you can run the following command on the target server (as root):

mkdir -p /tmp/letsencrypt/public_html/.well-known/acme-challenge
cd /tmp/letsencrypt/public_html
printf "%s" ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE.PNWFtoo9O4yjI0Ug5BEJCzyIGleOgyKpi-TL7MkxGnk > .well-known/acme-challenge/ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE
# run only once per server:
$(command -v python2 || command -v python2.7 || command -v python2.6) -c \
"import BaseHTTPServer, SimpleHTTPServer; \
s = BaseHTTPServer.HTTPServer(('', 80), SimpleHTTPServer.SimpleHTTPRequestHandler); \
s.serve_forever()"
Press ENTER to continue

Protocol: http://
Domain: miklaszewski.com
Dir: .well-known/acme-challenge/ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE
Content: ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE.PNWFtoo9O4yjI0Ug5BEJCzyIGleOgyKpi-TL7MkxGnk

Trying to complete challenge for miklaszewski.com

stdin: is not a tty
Completing challenge...
Created dir .well-known/acme-challenge/ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE
cd to dir .well-known/acme-challenge/ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE
Created index.html
Challenge completed on /home9/miklaszewski/public_html/.well-known/acme-challenge

Done for miklaszewski.com

2016-05-27 00:05:53,591:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed. Failed authorization procedure. miklaszewski.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://miklaszewski.com/.well-known/acme-challenge/ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE: "<!DOCTYPE html> <html class="" xmlns="https://www.w3.org/1999/xhtml" lang="en-US" prefix="og: http://ogp.me/ns# fb: http://ogp.m"

IMPORTANT NOTES:

neurobin commented 8 years ago

I just noticed: why are you running lcget with sudo in the first place? Running lcget with sudo doesn't give you anything special, it's just a burden (it opens a subshell)...

You could probably do it another way if you really want sudo (I don't see why you would, though):

sudo su 
lcget ...

The best way is to run lcget without sudo, and when the official letsencrypt asks for sudo access, give it the access; it's clean and secure.

miklasz commented 8 years ago

I did have some permission issue, that is why I use sudo; if I go without it, it gives me some errors. I did install letsencrypt, lcget and jssh with sudo, so maybe that's why. I do have some other programs I use and I have to use sudo with them, so I guess I did it with sudo as I am used to using it all the time.

I have a small problem, I get this:

2016-05-27 17:42:51,147:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.
`Failed authorization procedure. miklaszewski.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://miklaszewski.com/.well-known/acme-challenge/5SpNf9FZf5SJPl7fEzOghK2di1Sp-Cfj7Xd3P8dbgdE: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", www.miklaszewski.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.miklaszewski.com/.well-known/acme-challenge/k6AmzWwTZ9oli_704l0Gkk7Dqs8MVrWEhG_7FeV_YS4: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"`

But when I go to http://miklaszewski.com/.well-known/acme-challenge/5SpNf9FZf5SJPl7fEzOghK2di1Sp-Cfj7Xd3P8dbgdE I can see the file, no problem there...

same with

http://www.miklaszewski.com/.well-known/acme-challenge/k6AmzWwTZ9oli_704l0Gkk7Dqs8MVrWEhG_7FeV_YS4

Full log in the link below:

https://bartron.org.uk/index.php/s/VTdzSWPxjIa3ByL

miklasz commented 8 years ago

Ok, I think I know where the problem is.

Can you please help me modify the script?

Basically lcget created folders, for example:

http://www.miklaszewski.com/.well-known/acme-challenge/02CUfhjnMXxV2Z-QHie_2WJQdF5x16788VDPJe3cxk4

and when you paste this link it will give you an error; however, if I add "/" at the end of the folder name

http://www.miklaszewski.com/.well-known/acme-challenge/02CUfhjnMXxV2Z-QHie_2WJQdF5x16788VDPJe3cxk4/

it works fine.

Is there a way to modify the script, or should I contact my ISP?

Many thanks

Bartosz

neurobin commented 8 years ago

The above link is actually fine. The slash at the end is handled by your server and it's working well too. Even if you paste it without / it will be automatically handled nicely.

The problem is:

Your server is redirecting all http traffic to https, thus letsencrypt isn't able to get it in pure http. This is actually quite new; previously, when I wrote the script, it didn't matter if I had such redirects in my server, letsencrypt would actually handle it somehow. But it rejects https as a whole now. I don't know if it's a bug or a new documented security exception, as I haven't gone through their documentation lately...

Solution 1:

One thing you can do is remove the redirection temporarily. You are probably using an .htaccess file (if apache) to redirect http to https. Just put a hash before those two (or whatever) lines and change them back when you are done.

Solution 2:

Another way is to use a dedicated subdomain whose sole purpose will be to complete the acme challenge. In this case you will have to use letsacme. Don't go through its documentation, it scares people (it's pretty huge and technically difficult). Instead follow this tutorial. This method will require you to set the redirects just once, while the above method will require you to change/revert redirects every time you do it.

Possible solution 3:

And if you do want to modify the script and test whether what you thought is actually the problem, then you can change the method a little:

  1. Create a file instead of a directory with the token
  2. Put the auth_key in the file instead of an index.html

This is actually what I wanted to implement for an update, but I didn't get the motivation to do so, as I had actually found a better solution with acme-tiny and made another client, letsacme, from it...

If you do want to change the code this way, I will appreciate it if you fork my repo and do a pull request after testing the code...

This is how:

This is the function that generates the code to be run on the remote server:

proc get_ssh_command_for_http_challenge {dom cdir cont} {
    if {$dom == ""} {
        puts "E: Couldn't parse domain. Abort."
        exit 1
    }
    if {$cdir == ""} {
        puts "E: Couldn't parse directory name. Abort."
        exit 1
    }
    if {$cont == ""} {
        puts "E: Couldn't parse content. Abort."
        exit 1
    }

    set comms "echo 'Completing challenge...'
    if mkdir -p '$cdir'; then
        echo 'Created dir $cdir'
        if cd '$cdir';then
            echo 'cd to dir $cdir'
            if echo -n '$cont' >index.html;then
                echo 'Created index.html'
                printf 'Challenge completed on '
                dirname \`pwd\`
            else
                echo 'E: Failed to write file. Abort.'
            fi
        else
            echo 'E: cd to $cdir failed. Abort.'
        fi
    else
        echo 'E: Could not create directory. Abort.'
        exit 1
    fi"

    return "$comms"
}

You will need to change this part only:

    set comms "echo 'Completing challenge...'
    if mkdir -p '$cdir'; then
        echo 'Created dir $cdir'
        if cd '$cdir';then
            echo 'cd to dir $cdir'
            if echo -n '$cont' >index.html;then
                echo 'Created index.html'
                printf 'Challenge completed on '
                dirname \`pwd\`
            else
                echo 'E: Failed to write file. Abort.'
            fi
        else
            echo 'E: cd to $cdir failed. Abort.'
        fi
    else
        echo 'E: Could not create directory. Abort.'
        exit 1
    fi"

to:

    set comms "echo 'Completing challenge...'
    if printf '%s' '$cont' > '$cdir'; then
         echo 'Challenge completed for $dom '
    else
         echo 'E: Failed to complete challenge for $dom. Abort.'
         exit 1
    fi"

It's pretty fast and simple actually, but I don't have the time to test this piece of code. If you do, that would be great...

Regards, Jahid
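The file-based http-01 layout that solution 3 describes (a file named after the token, containing the key authorization), as an added POSIX sh example that is not lcget's own code. It adds the check a practitioner would want before interpolating the token into a remote command: the token must be plain base64url, so a value containing "/" or ".." never becomes part of the path. The sample token and key authorization are taken from the log earlier in this thread; the webroot is a temporary directory.

```shell
# Added example (not part of lcget): write and verify an http-01 challenge file.
# write_http01_challenge WEBROOT TOKEN KEYAUTH writes
#   WEBROOT/.well-known/acme-challenge/TOKEN  containing KEYAUTH (no newline).
write_http01_challenge() {
    webroot=$1 token=$2 keyauth=$3
    # ACME tokens are base64url; anything else is refused so that a crafted
    # token can never turn into a path like ../../somewhere on the server.
    case $token in
        ''|*[!A-Za-z0-9_-]*)
            echo "E: token '$token' is not base64url; refusing to write." >&2
            return 1 ;;
    esac
    dir="$webroot/.well-known/acme-challenge"
    mkdir -p "$dir" || return 1
    # printf, not 'echo -n': echo's handling of -n and escapes is not portable.
    printf '%s' "$keyauth" > "$dir/$token" || return 1
    chmod 644 "$dir/$token"
    echo "Challenge file written to $dir/$token"
}

# Read the file back exactly as a validator fetching
# http://DOMAIN/.well-known/acme-challenge/TOKEN would, and compare byte for byte.
verify_http01_challenge() {
    webroot=$1 token=$2 keyauth=$3
    f="$webroot/.well-known/acme-challenge/$token"
    [ -f "$f" ] || { echo "E: $f is missing" >&2; return 1; }
    [ "$(cat "$f")" = "$keyauth" ] || { echo "E: content mismatch in $f" >&2; return 1; }
    echo "OK: $f holds the expected key authorization"
}

# Demo run with the token/key authorization seen in the thread's log (webroot is
# a throwaway temp dir rather than the real public_html).
DEMO_ROOT=$(mktemp -d)
DEMO_TOKEN='ITbHn07JxztKTdhn8srk1vUAf7NOO_gqcA1DluXQEqE'
DEMO_KEYAUTH="$DEMO_TOKEN.PNWFtoo9O4yjI0Ug5BEJCzyIGleOgyKpi-TL7MkxGnk"
write_http01_challenge "$DEMO_ROOT" "$DEMO_TOKEN" "$DEMO_KEYAUTH"
verify_http01_challenge "$DEMO_ROOT" "$DEMO_TOKEN" "$DEMO_KEYAUTH"
rm -rf "$DEMO_ROOT"
```

The verify step only checks the local file; whether the web server actually serves it over plain http (and not behind an https redirect or a rule that blocks dot-directories) is what the self-verify warning in the logs above is reporting.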

miklasz commented 8 years ago

I thought I did it before with https…

Ok, so I will give it a go and get back in some time, as this weekend is sooo busy for me :D

Thx so much for the hints :D


neurobin commented 8 years ago

@miklasz Added code segments (in the previous post) on how you can modify the source to get what you wanted...

neurobin commented 8 years ago

@miklasz
I have updated the tool and done some testing too. You don't need to apply the patch anymore. It now uses a file-based method, i.e. it creates a file with the token as its name and puts the auth key inside this file, instead of a separate directory and index.html. This method is actually the general convention employed by other clients as well.

miklasz commented 8 years ago

Ok, so I downloaded the new version 0.0.3 with wget, then changed the mode and copied it to /usr/bin. When I run the command I have an error:

bartron@ssl:~/lcget$ sudo lcget certonly --manual -d miklaszewski.com -d www.miklaszewski.com -m bartosz@miklaszewski.com -jp /usr/bin/jssh

/usr/bin/lcget: 6: /usr/bin/lcget: Syntax error: newline unexpected

miklasz commented 8 years ago

Ok, I copied the code from the website and pasted it into nano as lcget, and it works fine. I now have other errors on the website itself, but it's configuration; I am moving the domain now, so it might be related. Will let you know when I finish moving.

Thx for the update :)

miklasz commented 8 years ago

:WARNING:letsencrypt.plugins.manual:Self-verify of challenge failed.

Failed authorization procedure. www.miklaszewski.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.miklaszewski.com/.well-known/acme-challenge/dj0yPfndSxuAt1fPTQP0pZQkt-EEXpfDPmNO6UsT8iQ: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">

But when I go to the web address it works: http://www.miklaszewski.com/.well-known/acme-challenge/dj0yPfndSxuAt1fPTQP0pZQkt-EEXpfDPmNO6UsT8iQ

I had the error a few times, but when I turn off the cache it works fine every time.

Could this be related?

I did try in lynx and I have the same problem until I clear the cache.

miklasz commented 8 years ago

Ok, it turns out it was something deeper at the hosting side :D It's working perfectly :) Many thanks

neurobin commented 8 years ago

Just an FYI:

/usr/bin/lcget: 6: /usr/bin/lcget: Syntax error: newline unexpected

Seems like you used a wrong URL to download the file. Try this:

wget https://raw.githubusercontent.com/neurobin/lcget/release/lcget

miklasz commented 8 years ago

Just to let you know, the reason I had 403 errors was that my ISP uses some kind of protection/security, and when you use a .file (hidden file or folder) it locks it out automatically. But they added me to a white list and it's working like a charm :D

And yes, I used right click, copy link and paste in the terminal, but I managed to copy straight from GitHub and paste into the file :)

Really good script !!!

All the best :)

Now I need to find a way to automatically copy the certs to a remote location :)

Thx

Bartosz