nickjj / ansible-letsencrypt

Install and auto-renew SSL certificates with Let's Encrypt and Ansible.
MIT License
29 stars, 9 forks

RPi Buster? #7

Open IoTPlay opened 4 years ago

IoTPlay commented 4 years ago

Hi there, will this work on Buster? The docs on Galaxy say Jessie only.

nickjj commented 4 years ago

Hi,

I have not tested it on Buster, I would say give it a whirl and see how it goes.

I'm currently working on a more robust role to handle certs but I still do actively run this role as is on a number of older hosts.

IoTPlay commented 4 years ago

It executed 11 tasks successfully; on the 12th it fails. Here is the failure:

nickjj commented 4 years ago

Does the same exact configuration work on jessie?

That almost looks like there's either a misconfiguration of your nginx set up, your DNS hasn't updated yet, or you have a firewall blocking connections to your server. With no other context I'm leaning towards 1 of the last 2.

IoTPlay commented 4 years ago

Okay, let me check the suggestions, minus trying on Jessie. Thank you so far!

IoTPlay commented 4 years ago

Hi Nick, I think I am further now, but still stuck at step 11, TASK [nickjj.letsencrypt : Show SSL certificate generation output]. I opened access to the server the certs must be written to, but now I am getting:

Parsing account key...
Parsing CSR...
Found domains: mydomain.com
Getting directory...
Directory found!
Registering account...
Registered!
Creating new order...
Order created!
Verifying gothrivecoach.com...
Traceback (most recent call last):
  File "/usr/local/bin/acme_tiny", line 201, in <module>
    main(sys.argv[1:])
  File "/usr/local/bin/acme_tiny", line 197, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact)
  File "/usr/local/bin/acme_tiny", line 146, in get_crt
    raise ValueError("Wrote file to {0}, but couldn't download {1}: {2}".format(wellknown_path, wellknown_url, e))
ValueError: Wrote file to /usr/share/nginx/challenges/.well-known/acme-challenge/SOREbZvMCLeFaaIXEpQHiXUZG7xfIh1uhZajBc6uRWY, but couldn't download http://mydomain.com/.well-known/acme-challenge/SOREbZvMCLeFaaIXEpQHiXUZG7xfIh1uhZajBc6uRWY: 'ascii' codec can't encode character u'\u2192' in position 3812: ordinal not in range(128)

See the last part: 'ascii' codec can't encode character u'\u2192' in position 3812: ordinal not in range(128). Here is a Stack Overflow issue & solution about the same, maybe? UnicodeEncodeError: 'ascii' codec can't encode character u'\xa0' in position 20: ordinal not in range(128)

Do you have any idea in which direction I should be looking?

nickjj commented 4 years ago

Are you using Python 3.x or 2.x?

You might want to try updating acme-tiny script to the latest release at: https://github.com/diafygi/acme-tiny/blob/master/acme_tiny.py

You can try dropping that in as a replacement for my version and see if that fixes it. You would replace this file: https://github.com/nickjj/ansible-letsencrypt/blob/master/files/usr/local/bin/acme_tiny

IoTPlay commented 4 years ago

Nick, Python 2.7.16. I dropped the acme_tiny.py in, but still the same message. Do you have other ideas on where I can have a look? Check the output in the file below.

error.txt

nickjj commented 4 years ago

What domain names are you trying to get certs for? Are there any weird characters in it by mistake?

IoTPlay commented 4 years ago

No, a stock-standard .com domain name. And here is my nginx conf file:

server {
    listen 80;
    server_name mydomain.com www.mydomain.com;
    return 301 https://mydomain.com$request_uri;
}
server {
    listen 443 ssl default_server;
    server_name mydomain.com;

    client_max_body_size 50M;

    location / {
        proxy_pass http://localhost:2368;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_buffering off;
    }

    ssl on;
    ssl_certificate /usr/local/acme-tiny/mydomain.com.crt;
    ssl_certificate_key etc/nginx/ssl/mydomain.com.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
    ssl_session_timeout 5m;
}

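The traceback earlier in the thread and the nginx config above point at the same check: acme-tiny writes a token under the challenge directory and then tries to download it over plain HTTP before it asks the CA to validate. Two things are visible from the page alone: the port-80 server block returns 301 to HTTPS for every path and neither block maps /.well-known/acme-challenge/ to /usr/share/nginx/challenges, and the character that crashed Python 2, u'\u2192', is a right arrow, which a base64url challenge token cannot contain, so whatever came back was not the token file. The script below is an added example, not code from the nickjj.letsencrypt role or from acme-tiny; it repeats acme-tiny's own pre-flight fetch in Python 3, refuses to follow redirects so a redirect is reported rather than silently turned into the HTTPS page, and decodes the body as UTF-8 with replacement so a non-ASCII body becomes a readable report instead of an encode error. The domain, token and directory values in the usage comment are placeholders (the directory mirrors the path in the thread's traceback).

```python
"""Pre-flight check for the HTTP-01 challenge path, modelled on acme-tiny's own self-test.

Added example; not part of the nickjj.letsencrypt role or of acme-tiny.
"""
import os
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Optional

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Hand 3xx responses back to the caller instead of following Location."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


@dataclass
class ChallengeResult:
    ok: bool
    reason: str


def diagnose(status: int, location: Optional[str], body: bytes,
             expected: str) -> ChallengeResult:
    """Classify one HTTP response to a challenge URL (pure function, no I/O)."""
    # errors="replace" is what keeps a non-ASCII body (e.g. an arrow in an HTML
    # page) from turning the diagnostic itself into a Unicode error
    text = body.decode("utf-8", errors="replace").strip()
    if 300 <= status < 400:
        return ChallengeResult(False, f"redirected to {location!r}: the port-80 server block "
                               f"must serve {CHALLENGE_PREFIX} before redirecting to HTTPS")
    if status != 200:
        return ChallengeResult(False, f"HTTP {status}: {CHALLENGE_PREFIX} is not mapped "
                               "to the challenge directory")
    if text == expected:
        return ChallengeResult(True, "challenge token served correctly")
    return ChallengeResult(False, f"HTTP 200 but wrong body (starts with {text[:40]!r}): "
                           "something other than the challenge file answered, e.g. a proxied app")


def check_challenge(domain: str, acme_dir: str, token: str = "acme-preflight-token",
                    timeout: float = 10.0) -> ChallengeResult:
    """Write a token file into acme_dir (the --acme-dir given to acme-tiny), fetch it
    over HTTP without following redirects, classify the answer, and clean up."""
    os.makedirs(acme_dir, exist_ok=True)
    path = os.path.join(acme_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return diagnose(resp.status, resp.headers.get("Location"), resp.read(), token)
    except urllib.error.HTTPError as err:  # 3xx (not followed) as well as 4xx/5xx
        return diagnose(err.code, err.headers.get("Location"), err.read(), token)
    except (urllib.error.URLError, OSError) as err:
        return ChallengeResult(False, f"could not fetch {url}: {err} "
                               "(DNS not propagated yet, or a firewall in the way?)")
    finally:
        os.remove(path)


if __name__ == "__main__":
    import sys
    # Usage (placeholder values): python preflight.py mydomain.com \
    #     /usr/share/nginx/challenges/.well-known/acme-challenge
    result = check_challenge(sys.argv[1], sys.argv[2])
    print("OK" if result.ok else "FAIL", result.reason)
    sys.exit(0 if result.ok else 1)
```

Run it on the host that will serve the challenge, with the same --acme-dir the role passes to acme-tiny; a "redirected" result means the port-80 block needs a location for /.well-known/acme-challenge/ that serves the challenge directory ahead of the blanket return 301, and a "wrong body" result means another location (here the proxied application on port 2368) is answering that path.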
nickjj commented 4 years ago

Is there any chance you can try the same set up on Debian 9 that isn't on a RPi, or at least Buster on something like DigitalOcean (or any other cloud provider)?

nickjj commented 4 years ago

I just pushed v0.3.2 to the Galaxy. Let me know if this changes anything on your end.

I just had some certificates fail to renew from acme-tiny blowing up, but I didn't get the same error as you. In the end, I updated this role to use the latest version of acme-tiny (as of Jan 29th 2020) and updated the tasks in this role to use --directory-url instead of --ca.

In my inventory, I also changed the URLs to reference the new directory-based v2 API. The README file has both the staging and live URLs.

Once I did the above, the role ran successfully -- at least on an older Debian Jessie box. I tested it on both the staging and live URLs.

IoTPlay commented 4 years ago

Thank you, I am on business travel in Canada; I will try again sometime.

On Wed, 29 Jan 2020 at 17:33, Nick Janetakis notifications@github.com wrote:
