w2c / letsencrypt-esxi

Let's Encrypt for VMware ESXi with easy installation using pre-built VIB or offline bundle. Auto-renewal of certificates.
GNU General Public License v3.0

Issue with installing on esxi 8 #11

Closed kylejericson closed 1 year ago

kylejericson commented 1 year ago

I could just be dumb but I can't get this installed.

[screenshot: 2023-01-18_10-04-47]

kylejericson commented 1 year ago

I tried via ssh and got the same issue.

kylejericson commented 1 year ago

I guess this is installed by default on esxi 8 but it still seems to fail.

[screenshot: 2023-01-18_10-18-23]

Churro commented 1 year ago

Can you please check /var/log/syslog without grep? Most likely there are error messages around these time frames that will provide insights into why cert retrieval didn't work.

kylejericson commented 1 year ago

That is a lot of logs; what should I look for?

[screenshot: 2023-01-18_11-08-10]

kylejericson commented 1 year ago

I can get this far. I wonder why, when it does a verify, it looks at 127.0.0.1.

Churro commented 1 year ago

It's fine that it lists 127.0.0.1 but based on the output, which is unfortunately truncated in the screenshot, the acme_tiny.py script has thrown an exception. The lines immediately afterwards would be interesting...

kylejericson commented 1 year ago

Is there a way I can DM you the full log?

Churro commented 1 year ago

The issue is that the host is not Internet-reachable on port 80. After retrieving the certificate it will be served on port 443 but before obtaining that, Let's Encrypt performs the HTTP challenge on port 80. Also see here:

> The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.

Hence, please unblock port 80 in your firewall and try again.

Churro commented 1 year ago

Hmm, there may be a redirect happening to port 443 when Let's Encrypt requests the files, which would also need to be unblocked.

Churro commented 1 year ago

No, the WAN side would need to be 443 to 443 as well because this is the standard port Let's Encrypt expects.

kylejericson commented 1 year ago

Ah, so my rule on 443 is breaking this.

kylejericson commented 1 year ago

Sorry, new error:

```
[root@vmhost:/usr/lib/vmware/hostd/docroot] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for vmhost.mydomainname.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: vmhost.mydomainname.com
Getting directory...
Traceback (most recent call last):
  File "./acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "./acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "./acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "./acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 97] Address family not supported by protocol>
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[1060587]: Terminating watchdog process with PID 1060209
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[1060672]: args ('')
sfcbd-init[1060672]: Getting Exclusive access, please wait...
sfcbd-init[1060672]: Exclusive access granted.
sfcbd-init[1060683]: args ('ssl_reset')
sfcbd-init[1060683]: Getting Exclusive access, please wait...
sfcbd-init[1060683]: Exclusive access granted.
sfcbd-init[1060683]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 1060794
vvold is not running.
```

Churro commented 1 year ago

No clue, to be honest. I assume it's not a persistent error because in one of your previous screenshots https://github.com/w2c/letsencrypt-esxi/issues/11#issuecomment-1387669535, the connection to Let's Encrypt already worked. With the most recent error, obviously even the initial request fails.

You may either try to restart individual services like vpxa or try your luck with a reboot of the entire machine.

kylejericson commented 1 year ago

Ok, yeah, getting this every time now.

```
[root@vmhost:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for vmhost.mydomain.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: vmhost.mydomain.com
Getting directory...
Traceback (most recent call last):
  File "./acme_tiny.py", line 199, in <module>
    main(sys.argv[1:])
  File "./acme_tiny.py", line 195, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca, disable_check=args.disable_check, directory_url=args.directory_url, contact=args.contact, check_port=args.check_port)
  File "./acme_tiny.py", line 105, in get_crt
    directory, _, _ = _do_request(directory_url, err_msg="Error getting directory")
  File "./acme_tiny.py", line 46, in _do_request
    raise ValueError("{0}:\nUrl: {1}\nData: {2}\nResponse Code: {3}\nResponse: {4}".format(err_msg, url, data, code, resp_data))
ValueError: Error getting directory:
Url: https://acme-v02.api.letsencrypt.org/directory
Data: None
Response Code: None
Response: <urlopen error [Errno 97] Address family not supported by protocol>
Certificate will not expire
Warning: No cert obtained from Let's Encrypt. Keeping the existing one as it is still valid.
usage: clusterAgent [-h] ACTION
clusterAgent: error: the following arguments are required: ACTION
usage: esxio-commd [-h] ACTION
esxio-commd: error: the following arguments are required: ACTION
logger: Invalid PID 'Usage: fsvmsockrelay '
logger: Invalid PID '{start|stop|status|restart} [--vmci VMCI_ID]'
usage: gpuManager [-h] ACTION
gpuManager: error: the following arguments are required: ACTION
hostd signalled.
watchdog-lsud[1052675]: Terminating watchdog process with PID 1052148
lsud stopped
lsud started
VMware HTTP reverse proxy signalled.
sfcbd-init[1052758]: args ('')
sfcbd-init[1052758]: Getting Exclusive access, please wait...
sfcbd-init[1052758]: Exclusive access granted.
sfcbd-init[1052769]: args ('ssl_reset')
sfcbd-init[1052769]: Getting Exclusive access, please wait...
sfcbd-init[1052769]: Exclusive access granted.
sfcbd-init[1052769]: sfcbd is not running.
logger: Invalid PID 'Usage: vdfsd '
logger: Invalid PID '{start|stop|status|restart|'
vpxa signalled.
vsanperfsvc is not running.
/etc/init.d/vvold ssl_reset, PID 1052880
vvold is not running.
```

kylejericson commented 1 year ago

I've rebooted, uninstalled this and reinstalled.

Churro commented 1 year ago

I'm pretty sure it's a networking-related issue and nothing specific to this project or VIB. My best guess would be that your recent firewall changes have blocked ESXi from reaching external hosts on port 443. This thought is based on the previous screenshot that showed that connections to Let's Encrypt worked. As only you are familiar with your environment and how it is set up, I doubt I can provide you with any further helpful advice.
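
A pre-flight check for the two failure modes this thread walks through: the outbound request to the ACME directory that failed with `[Errno 97]`, and the inbound HTTP-01 challenge that Let's Encrypt can only answer on port 80. This is an added example, not code from letsencrypt-esxi or acme_tiny; the `host` and `token` arguments and the diagnosis tags are assumptions.

```python
import errno
import socket
import urllib.error
import urllib.request

# Directory URL exactly as it appears in the failing log line above.
DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"


def classify_error(exc):
    """Turn the exception urllib raises into an operator-facing tag.
    URLError carries the underlying OSError in .reason; plain OSErrors
    (e.g. a read timeout) arrive directly."""
    reason = getattr(exc, "reason", exc)
    if isinstance(reason, socket.gaierror):
        return "dns-failure"                       # name did not resolve
    if isinstance(reason, (TimeoutError, socket.timeout)):
        return "timeout"                           # typically filtered upstream
    if isinstance(reason, OSError):
        if reason.errno == errno.EAFNOSUPPORT:     # [Errno 97] in this thread
            return "no-usable-address-family"
        if reason.errno == errno.ECONNREFUSED:
            return "connection-refused"
        if reason.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH):
            return "network-unreachable"
    return "unknown"


def _fetch(url, timeout):
    """GET url and return (ok, detail); shared by both checks."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status == 200, "HTTP %d" % resp.status
    except urllib.error.HTTPError as exc:
        return False, "HTTP %d" % exc.code         # e.g. 404: path not served
    except (urllib.error.URLError, OSError) as exc:
        return False, classify_error(exc)


def check_directory(url=DIRECTORY_URL, timeout=10):
    """Outbound check: reach the ACME directory over 443 like acme_tiny does."""
    return _fetch(url, timeout)


def check_http01(host, token, timeout=10):
    """Inbound check: the challenge file must answer on port 80, the only port
    HTTP-01 uses. Run from outside the LAN to see what Let's Encrypt sees.
    'host' and 'token' are assumed values supplied by the operator."""
    return _fetch("http://%s:80/.well-known/acme-challenge/%s" % (host, token), timeout)
```

urlopen follows redirects, so a port-80 to 443 redirect like the one discussed above shows up as a failure on 443 when that is what the firewall blocks.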

kylejericson commented 1 year ago

Ok, thanks.

kylejericson commented 1 year ago

Just an update: I got this working!!

[screenshot: 2023-01-18_17-16-23]

Churro commented 1 year ago

Cool, glad to hear that 👍