Not sure if it’s related to the Firewall threads, I’m having a problem getting SSL certificates from LetsEncrypt. I can access the site fine. I’m not seeing the /srv/*/public/htdocs/.well-known/acme-challenge/ directory being created while it’s fetching the new certificate.
When running sudo sympl-ssl --verbose vps2-test.domain.tld
* Examining certificates for vps2-test.domain.tld
No valid certificate sets found.
Fetching a new certificate from LetsEncrypt.
!! Failed: execution expired
I don’t think this is related to the firewall issue, but instead it’s something you sometimes see on IPv6-only connections, as the old Ruby libraries which sympl-ssl uses don’t understand the situation.
There’s a helper wrapper script which should fix this (it adds an entry to /etc/hosts for the LE API), but it sounds like it may be misbehaving.
sympl-ip -a | grep -c '\.'
sudo ip route | grep -c default.*[0-9]\.
The wrapper script is looking for an IPv4 address on the server, and only updating /etc/hosts when it finds one. If you have another IPv4 address on the server, even if it’s not being used, it may wrongly think you’re not IPv6 only.
If that’s the case you probably won’t have a default route set, so checking for that should be a good alternative.
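A minimal illustration of the check described above, written as an added example and not Sympl’s own wrapper script: it treats the host as IPv6-only when no IPv4 default route exists (rather than when no IPv4 address exists at all, which a stray unused address would defeat), and adds or removes a marked hosts-file entry for the Let’s Encrypt API. The route text, the hosts-file path and the IPv6 address 2001:db8::1 are constructed inputs so it runs offline; the real address would have to be resolved first.

```shell
#!/bin/sh
# Added example (not Sympl's wrapper). Detect an IPv6-only host by the
# absence of an IPv4 default route, as suggested above, instead of by the
# absence of any IPv4 address on the machine.

LE_API_HOST="acme-v02.api.letsencrypt.org"   # Let's Encrypt ACME v2 endpoint
HOSTS_MARK="# sympl-ssl-ipv6-workaround"     # marker so only our entry is removed

# $1: text of `ip -4 route` output. Succeeds if an IPv4 default route is present.
has_ipv4_default_route() {
  printf '%s\n' "$1" | grep -Eq '^default via [0-9]+(\.[0-9]+){3}( |$)'
}

# Succeeds when the host should be treated as IPv6-only.
is_ipv6_only() { ! has_ipv4_default_route "$1"; }

# $1: hosts file, $2: IPv6 address of the LE API. Adds the marked entry once.
apply_workaround() {
  grep -qF "$HOSTS_MARK" "$1" && return 0
  printf '%s %s %s\n' "$2" "$LE_API_HOST" "$HOSTS_MARK" >> "$1"
}

# $1: hosts file. Removes only lines carrying our marker (other entries untouched).
remove_workaround() {
  sed "/$HOSTS_MARK/d" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample route tables (not captured from a real host).
ROUTES_V6ONLY="169.254.0.0/16 dev eth0 scope link metric 1000"
ROUTES_DUAL="default via 192.0.2.1 dev eth0
192.0.2.0/24 dev eth0 proto kernel scope link src 192.0.2.10"

# Stand-alone demonstration against the constructed samples.
if is_ipv6_only "$ROUTES_V6ONLY"; then echo "sample 1: IPv6-only, workaround needed"; fi
if is_ipv6_only "$ROUTES_DUAL"; then echo "sample 2: IPv6-only"; else echo "sample 2: IPv4 default route present"; fi
```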
1
sympl@vps2:/var/log$ sudo ip route | grep -c default.*[0-9]\.
[sudo] password for sympl:
1
sympl@vps2:/var/log$
The /etc/hosts file has the following IPv4 IPs, which I didn’t intentionally add, and if I remember right were there as part of the default install of the RPi OS:
This has solved the issue and I’m now getting Applying IPv6 only workaround... at the start and Removed IPv6 only workaround at the end of running sudo sympl-ssl --verbose.
I’ve also had an issue with the following error: !! Failed: Error creating new registration :: email domain name does not end in a IANA suffix showing. The hostname command returns a .me.uk address which should be an IANA suffix.
So there are 2 options: the first is to manually specify the email in the config /srv/[domain]/config/ssl/letsencrypt/email, or, as I have now done, switch the order of the items in /etc/hosts so that the hostname domain that I’m using with the FQDN IANA suffix is first, which means that the above Socket.getaddrinfo uses the domain that I’m expecting. This second method also prevents issues for any future domains that are added.
The other thing that I’ve noticed is the www.* version of domains are checked even when there’s no DNS pointing to them. Should these be turned off in this scenario? Under Symbiosis with Bytemark the www. domain was automatically created and uploaded to the DNS even if you didn’t want it.
That’s coming from Let’s Encrypt, rather than being generated by sympl-ssl - it defaults to root@ the ‘default domain’, i.e. the same domain which should be the result of hostname -a, but can end up getting confused in some situations - if that happens, add the relevant email address to config/ssl/letsencrypt/email and that will be used instead for the domain.
This will change when sympl-ssl is upgraded (including trying to retrieve certs for non-existent domains), as it’s getting a full refresh to use up-to-date functionality, so it won’t be a problem for too long.
I suspect the way I had set up the hostname of the machine was the underlying cause, as changing the order of the domains listed in /etc/hosts fixed the issue. The ruby code for determining the hostname seems to run twice looking for different info, which I won’t know enough about to fully understand.
Good to hear that it’s being revamped in the future.