Registering letsencrypt certificates via the web interface does not work on clean installs #635

Open
curtishall opened this issue Dec 8, 2023 · 2 comments
@curtishall
Member

certbot is installed in /root/.local/bin/certbot but the scripts are calling 'certbot'.

Command line of how I resolved this:

root@v3demo:~/.local/bin# ./certbot certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ --dns-subdomain-provider-credentials /tmp/dns-subdomain-credentials.ini -m [email protected] --authenticator dns-subdomain-provider -d demo.bluecherry.app
Saving debug log to /tmp/letsencrypt.log
Requesting a certificate for demo.bluecherry.app
Unsafe permissions on credentials configuration file: /tmp/dns-subdomain-credentials.ini
Waiting 10 seconds for DNS changes to propagate

Successfully received certificate.
Certificate is saved at: /usr/share/bluecherry/nginx-includes/letsencrypt/live/demo.bluecherry.app/fullchain.pem
Key is saved at: /usr/share/bluecherry/nginx-includes/letsencrypt/live/demo.bluecherry.app/privkey.pem
This certificate expires on 2024-03-07.
These files will be updated when the certificate renews.

NEXT STEPS:

  • The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

If you like Certbot, please consider supporting our work by:


@andrey-utkin
Contributor

I haven't reproduced the issue yet, but speculatively, it might be because we don't seem to enforce the presence of admin's email. We could add such a check, or at least do some shell quoting to avoid messing up the arguments order:

--- a/scripts/update_subdomain_certs.sh
+++ b/scripts/update_subdomain_certs.sh
@@ -54,7 +54,7 @@ echo "Generating certs..."
 certbot certonly --non-interactive --agree-tos --work-dir=/tmp --logs-dir=/tmp \
     --config-dir=/usr/share/bluecherry/nginx-includes/letsencrypt/ \
     --dns-subdomain-provider-credentials $credentials \
-    -m $email --authenticator dns-subdomain-provider \
+    -m "$email" --authenticator dns-subdomain-provider \
     -d $subdomain.bluecherry.app -v

 rm $credentials
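
Review bot: `$credentials` and `$subdomain` are still unquoted on the `--dns-subdomain-provider-credentials $credentials` and `-d $subdomain.bluecherry.app -v` lines, and again in the trailing `rm $credentials`, so the word-splitting risk removed for `-m` remains for those arguments; quote them the same way. With `"$email"` an empty value no longer drops out of the argument list but is passed to `-m` as an empty string, so the script should still check that `$email` is non-empty before this call and exit with a clear message if it is not.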

andrey-utkin added a commit to andrey-utkin/bluecherry-apps that referenced this issue Dec 19, 2023
See bluecherrydvr#635

Give pip-installed one a priority as it's more likely to be up to date,
which is useful long-term as LetsEncrypt matters sometimes change on
short notice.
@andrey-utkin
Contributor

Draft fix is in #638

andrey-utkin added a commit to andrey-utkin/bluecherry-apps that referenced this issue Jan 4, 2024
See bluecherrydvr#635

Give pip-installed one a priority as it's more likely to be up to date,
which is useful long-term as LetsEncrypt matters sometimes change on
short notice.
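
The two problems discussed in this thread (certbot living in /root/.local/bin while the script calls plain `certbot`, and an unchecked admin e-mail) can be guarded against as in the following added example, which is not code from the bluecherry-apps repository or from #638. The function names and the conservative e-mail character set are assumptions; /root/.local/bin is the location reported in the issue, and the last helper addresses the "Unsafe permissions on credentials configuration file" warning in the output above.

```shell
#!/bin/sh
# Added example, not the project's script. Function names are hypothetical.

# resolve_certbot [DIR...]: print the first executable certbot found in the
# given directories (checked in order), else whatever is on PATH.
# Returns non-zero when no certbot can be found at all.
resolve_certbot() {
    for dir in "$@"; do
        if [ -x "$dir/certbot" ]; then
            printf '%s\n' "$dir/certbot"
            return 0
        fi
    done
    # Fallback: the distribution package, if any, found through PATH.
    command -v certbot
}

# valid_email ADDR: accept only a non-empty address made of a conservative
# character set (an assumption of this example) that contains an "@".
# An empty or space-containing value must never reach "-m".
valid_email() {
    case "$1" in
        ""|*[!A-Za-z0-9@._+-]*) return 1 ;;
        *@*) return 0 ;;
        *) return 1 ;;
    esac
}

# private_credentials_file: create an empty credentials file readable only by
# its owner and print its path; the caller writes the secrets into it.
private_credentials_file() {
    ( umask 077 && mktemp "${TMPDIR:-/tmp}/dns-subdomain-credentials.XXXXXX" )
}

# Stand-alone run: report which certbot would be used, preferring the
# pip-installed one as the commit message above describes.
certbot_bin=$(resolve_certbot /root/.local/bin 2>/dev/null) || certbot_bin=""
echo "certbot resolved to: ${certbot_bin:-<not found>}"
```

A calling script would run `"$certbot_bin" certonly ...` with every variable quoted, and stop early when `resolve_certbot` or `valid_email` fails.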