What is the LetsEncrypt challenge method?

Hi Friends!

I’m struggling with a fresh install using latest Trellis on a fresh Ubuntu 16 LTS. I have ultra paranoid nerds running the data centre. The LetsEncrypt challenge is failing. I’d like to just run the commands myself on the server to track down the error. I’ve manually installed a LetsEncrypt using Certbot and that has worked just fine. So I’m assuming the Trellis gods have set up the LetsEncrypt challenge using a different method.

Does anyone have any insight or can advise me of the challenge method or even just point me at the right lines of code in the repo to look at?

BTW I’ve already tried fullyint’s suggestions here and here.

It’s here that my server is failing: “Test Acme Challenge file”

Here is the error after running

ansible-playbook server.yml -e env=production

(Note the A record is set to the server’s IP)

Could not access the challenge file for the hosts/domains:
yf.splendidperch.co. Let's Encrypt requires every domain/host be publicly
accessible. Make sure that a valid DNS record exists for yf.splendidperch.co
and that they point to this server's IP. If you don't want these domains in
your SSL certificate, then remove them from `site_hosts`. See
https://roots.io/trellis/docs/ssl for more details.

failed: [yf.splendidperch.co] (item=yf.splendidperch.co) => {"failed": true, "item": "yf.splendidperch.co"}

And then after running

ansible-playbook server.yml -e env=production --tags wordpress

nginx: [emerg] BIO_new_file("/etc/nginx/ssl/letsencrypt/yf.splendidperch.co-04685df-bundled.cert") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/yf.splendidperch.co-04685df-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed
fatal: [yf.splendidperch.co]: FAILED! => {"changed": true, "cmd": ["nginx", "-t"], "delta": "0:00:00.026666", "end": "2017-08-25 02:27:10.214012", "failed": true, "rc": 1, "start": "2017-08-25 02:27:10.187346", "stderr": "nginx: [emerg] BIO_new_file(\"/etc/nginx/ssl/letsencrypt/yf.splendidperch.co-04685df-bundled.cert\") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/yf.splendidperch.co-04685df-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)\nnginx: configuration file /etc/nginx/nginx.conf test failed", "stderr_lines": ["nginx: [emerg] BIO_new_file(\"/etc/nginx/ssl/letsencrypt/yf.splendidperch.co-04685df-bundled.cert\") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/letsencrypt/yf.splendidperch.co-04685df-bundled.cert','r') error:2006D080:BIO routines:BIO_new_file:no such file)", "nginx: configuration file /etc/nginx/nginx.conf test failed"], "stdout": "", "stdout_lines": []}

Cheers, beers and koala beers y’all
Ian

You aren’t giving us much information to go on. Logs/output of the failure?

The task you mentioned is literally just creating an empty file:

- name: Create test Acme Challenge file
  shell: touch {{ acme_tiny_challenges_directory }}/ping.txt
  args:
    creates: "{{ acme_tiny_challenges_directory }}/ping.txt"
    warn: false

I’d expect other things with LE to go wrong, but not this.


Updated first post! Thanks for a prompt reply.

You’re right, it’s this one that’s failing:

Test Acme Challenges

With error

failed: [yf.splendidperch.co] (item=yf.splendidperch.co) => {"changed": false, "failed": true, "failed_hosts": ["yf.splendidperch.co"], "item": "yf.splendidperch.co", "rc": 1}

But to clarify, I’d like to log in and manually run these commands but am not sure which challenge method is being used, or what I should look for.

This is the module that the task is using: https://github.com/roots/trellis/blob/4459ab5b9eb7f7cd235debb62eab23ba18820b72/roles/letsencrypt/library/test_challenges.py

It’s really just doing an HTTP request to http://yf.splendidperch.co/.well-known/acme-challenge/ping.txt.

Trellis is testing this first because if your own server can’t access that challenge file, then LE won’t be able to either.

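The pre-flight check described in the reply above, as an added example that is not Trellis’s own test_challenges.py: it fetches the ping.txt challenge file over plain HTTP for each host and reports which hosts fail and why, using only the standard library. The host names and the fake fetcher used in the test are constructed; the HTTP client can be swapped out so the logic can be run without network access.

```python
"""Replicate the Trellis-style Acme challenge pre-flight check (added example).

For every host it requests http://<host>/.well-known/acme-challenge/ping.txt,
exactly the URL Let's Encrypt would hit for an http-01 validation, and records
a reason string for each host that is not reachable with HTTP 200.
"""
import sys
import urllib.error
import urllib.request

# Path Trellis creates and tests before requesting a certificate.
CHALLENGE_PATH = "/.well-known/acme-challenge/ping.txt"


def default_fetch(url, timeout=10):
    """Plain-HTTP GET. Returns (status, body); status is None when no
    response was received at all (DNS failure, firewall drop, timeout)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(256)
    except urllib.error.HTTPError as exc:  # got a response, but not 2xx
        return exc.code, b""
    except OSError as exc:  # URLError, socket errors and timeouts
        return None, str(exc).encode()


def check_challenge_hosts(hosts, fetch=default_fetch):
    """Map each host to None (reachable) or a short failure reason.

    `fetch` is injectable so the check can be exercised offline."""
    results = {}
    for host in hosts:
        status, body = fetch(f"http://{host}{CHALLENGE_PATH}")
        if status is None:
            results[host] = f"request failed: {body.decode(errors='replace')}"
        elif status != 200:
            results[host] = f"HTTP {status}"
        else:
            results[host] = None
    return results


def failed_hosts(results):
    """Sorted list of hosts that would make the Trellis task fail."""
    return sorted(h for h, reason in results.items() if reason is not None)


if __name__ == "__main__":
    # Usage: python check_challenges.py host1 [host2 ...]
    outcome = check_challenge_hosts(sys.argv[1:])
    for host, reason in outcome.items():
        print(f"{host}: {'ok' if reason is None else reason}")
    sys.exit(1 if failed_hosts(outcome) else 0)
```

Run it on the server itself (not only from your laptop), since that is where the Trellis task runs and where the thread's egress filtering blocked the request.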

Ok thanks that helps. I notice I can’t ping when I’m logged into the server. I can’t do this:

ping yf.splendidperch.co

or

curl http://yf.splendidperch.co/.well-known/acme-challenge/ping.txt

Yet I can from my local machine.

You could look into whether your internal networking/routing isn’t enabling requests to yf.splendidperch.co to resolve correctly, when initiated from within the network.

In the meantime, given that the .well-known/acme-challenge/ping.txt is publicly accessible, you could try this:

If the playbook completes without failure (your browser will still show a warning because it’s just a test cert), remove the staging letsencrypt_ca definition and run the playbook again to get a real cert.

I think the steps above will spare you having to manually step through the process. But really, all the steps are viewable in the letsencrypt role code, particularly in the certificates.yml file.

If you’re using Trellis anyway, I’d not bother with the cert you acquired via Certbot, just letting Trellis do its thing instead. In a pinch, you could get a copy of your Certbot cert and key onto your local machine and use them as provider: manual.

Thanks @swalkinshaw and @fullyint!

Ok I’ve now enabled the ICMP protocol, which means this command is possible:

python -c 'import requests; print(requests.get("https://acme-v01.api.letsencrypt.org/directory").text)'

I think the IT boffins have been a bit paranoid. I never have issues with AWS or DO servers.

I will try the staging CA instructions above.

Thanks a bunch!

Thanks for your suggestions everyone. Turned out there is some ultra paranoid firewall restricting the http request that the LetsEncrypt domain validation / authorisation uses. We just purchased an expensive SSL and did a manual install instead.