Closed kylejericson closed 1 year ago
I tried via ssh and same issue
I guess this is installed by default on esxi 8 but it still seems to fail.
Can you please check /var/log/syslog without grep?
Most likely there are error messages around these time frames that will provide insights into why cert retrieval didn't work.
That is a lot logs what should I look for?
I can get this far. I wonder why when it does a verify it looks at 127.0.0.1
It's fine that it lists 127.0.0.1 but based on the output, which is unfortunately truncated in the screenshot, the acme_tiny.py
script has thrown an exception. The lines immediately afterwards would be interesting...
Is there a way I can DM you the full log?
The issue is that the host is not Internet-reachable on port 80. After retrieving the certificate it will be served on port 443 but before obtaining that, Let's Encrypt performs the HTTP challenge on port 80. Also see here:
The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
Hence, please unblock port 80 in your firewall and try again
Hmm, there may be a redirect happening to port 443 when Let's Encrypt requests the files, which would also need to be unblocked.
No, the WAN side would need to be 443 to 443 as well because this is the standard port Let's Encrypt expects.
ah so my rule on 443 is breaking this.
Sorry new error
[root@vmhost:/usr/lib/vmware/hostd/docroot] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for vmhost.mydomainname.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: vmhost.mydomainname.com
Getting directory...
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in
No clue, to be honest. I assume it's not a persistent error because in one of your previous screenshots https://github.com/w2c/letsencrypt-esxi/issues/11#issuecomment-1387669535, the connection to Let's Encrypt already worked. With the most recent error, obviously even the initial request fails.
You may either try to restart individual services like vpxa, or try your luck with a reboot of the entire machine.
Ok yeah getting this every time now.
[root@vmhost:~] /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
Existing cert for vmhost.mydomain.com not issued by Let's Encrypt. Requesting a new one!
Serving HTTP on 0.0.0.0 port 8120 (http://0.0.0.0:8120/) ...
Parsing account key...
Parsing CSR...
Found domains: vmhost.mydomain.com
Getting directory...
Traceback (most recent call last):
File "./acme_tiny.py", line 199, in
I've rebooted and uninstalled this and reinstalled.
I'm pretty sure it's a networking-related issue and nothing specific to this project or VIB. My best guess would be that your recent firewall changes have blocked ESXi from reaching external hosts on port 443. This thought is based on the previous screenshot that showed that connections to Let's Encrypt worked. As only you are familiar with your environment and how it is set up, I doubt I can provide you with any further helpful advice.
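As an added diagnostic example (not part of this thread and not the letsencrypt-esxi project's own code), the Python script below checks the two conditions the thread turned on: whether the host can reach the Let's Encrypt ACME directory outbound on TCP 443 (the step that dies at "Getting directory..."), and whether the HTTP-01 challenge path answers on plain port 80 without being redirected to 443. The production directory URL https://acme-v02.api.letsencrypt.org/directory is the real one; the hostname and token are placeholders, and `serve_token_locally` is a hypothetical stand-in for the project's helper that the log shows listening on port 8120, so the probe can be exercised against a local responder (including the broken redirect-to-https case) without Internet access.

```python
#!/usr/bin/env python3
"""Pre-flight checks for an HTTP-01 ACME renewal behind a firewall (added example).

Issuance needs two things this thread tripped over:
  1. the host can reach the ACME directory outbound on TCP 443
     (otherwise the client dies at "Getting directory..."), and
  2. http://<fqdn>/.well-known/acme-challenge/<token> answers on port 80 and is
     not redirected to 443, because HTTP-01 is only performed on port 80.
"""
import socket
import sys
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

ACME_DIRECTORY_URL = "https://acme-v02.api.letsencrypt.org/directory"  # real LE production URL
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def tcp_reachable(host, port, timeout=5.0):
    """True if a TCP connection to host:port opens within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects so a 301/302 to https surfaces instead of being hidden."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_http01(hostname, token, port=80, timeout=5.0):
    """Fetch the challenge URL the way a CA validator would (no redirects followed).

    Returns a dict with the HTTP status, the Location header if the server
    redirected (None otherwise), whether the body equals the token, and any
    connection error text.
    """
    url = "http://%s:%d%s%s" % (hostname, port, CHALLENGE_PREFIX, token)
    result = {"url": url, "status": None, "redirected_to": None, "body_matches": False, "error": None}
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            result["status"] = resp.status
            result["body_matches"] = resp.read().decode("utf-8", "replace").strip() == token
    except urllib.error.HTTPError as e:  # a 3xx lands here because we refuse to follow it
        result["status"] = e.code
        result["redirected_to"] = e.headers.get("Location")
    except (urllib.error.URLError, OSError) as e:
        result["error"] = str(e)
    return result


def diagnose(hostname, token, challenge_port=80, acme_url=ACME_DIRECTORY_URL):
    """Run both checks and return a list of (check, ok, detail) tuples."""
    parts = urlsplit(acme_url)
    acme_port = parts.port or 443
    out_ok = tcp_reachable(parts.hostname, acme_port)
    findings = [("outbound %s:%d" % (parts.hostname, acme_port), out_ok,
                 "ok" if out_ok else "blocked; 'Getting directory...' will fail")]
    r = probe_http01(hostname, token, port=challenge_port)
    if r["redirected_to"]:
        findings.append(("inbound http-01", False,
                         "redirected to %s; HTTP-01 must be answered on port 80" % r["redirected_to"]))
    elif r["error"]:
        findings.append(("inbound http-01", False, "unreachable: %s (port 80 not forwarded?)" % r["error"]))
    else:
        ok = r["status"] == 200 and r["body_matches"]
        findings.append(("inbound http-01", ok, "status %s, token %s"
                         % (r["status"], "matched" if r["body_matches"] else "mismatch")))
    return findings


def serve_token_locally(token, port=0, redirect_to_https=False):
    """Hypothetical stand-in for the project's port-8120 helper, bound to 127.0.0.1.

    Answers the challenge path with the token, or with a 301 to https when
    redirect_to_https is set (the broken case from the thread). Returns
    (server, bound_port); call server.shutdown() and server.server_close() when done.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            if redirect_to_https:
                self.send_response(301)
                self.send_header("Location", "https://%s%s" % (self.headers.get("Host", ""), self.path))
                self.end_headers()
            elif self.path == CHALLENGE_PREFIX + token:
                body = token.encode()
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
            else:
                self.send_error(404)

        def log_message(self, *args):  # keep the responder quiet
            pass

    server = HTTPServer(("127.0.0.1", port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # usage: acme_preflight.py <fqdn> <token>   (placeholder script name)
    for name, ok, detail in diagnose(sys.argv[1], sys.argv[2]):
        print("%-45s %s  %s" % (name, "OK  " if ok else "FAIL", detail))
```

Run it from a machine outside the firewall while the renewal helper is listening, passing the host's public FQDN and the token currently being served; an "outbound" failure points at egress filtering on 443 (the second error in this thread), a "redirected to https://..." finding points at a 443 rule or reverse proxy intercepting port 80 (the first one).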
ok thanks
Just an update I got this working!!
Cool, glad to hear that 👍
I could just be dumb but I can't get this installed.