Easyengine and Letsencrypt setup

I had this exact same problem. I had a working server. Then I did ee site update xyz.com --letsencrypt and it worked perfectly. Then I deleted that VPS completely, and set up another VPS with EE, and the same website configuration (wordpress). When I set up the site on the new server with ee site create xyz.com --wp --php7 --wpfc --letsencrypt everything worked except letsencrypt threw

Unable to setup, Let’s Encrypt Please make sure that your site is pointed to same server on which you are running Let’s Encrypt Client to allow it to verify the site automatically.

As root I also did the git clone https://github.com/letsencrypt/letsencrypt, and cd into /letsencrypt and did the ./letsencrypt-auto certonly… which threw this after about 100 lines of output to the terminal

```
…
Downloading certbot_apache-0.8.1-py2-none-any.whl (103kB)
Requirement already satisfied (use --upgrade to upgrade): setuptools>=1.0 in /root/.local/share/letsencrypt/lib/python2.7/site-packages (from cryptography==1.2.3->-r /tmp/tmp.MlvVK5hM4g/letsencrypt-auto-requirements.txt (line 35))
THESE PACKAGES DO NOT MATCH THE HASHES FROM THE REQUIREMENTS FILE. If you have updated the package versions, please update the hashes. Otherwise, examine the package contents carefully; someone may have tampered with them.
…
```

Rerunning it gives the same output.

My DNS records appear to be set up properly… it worked on the first server just fine.

The final lines of the output said You are using pip version 8.0.3, however version 8.1.2 is available. You should consider upgrading via the ‘pip install --upgrade pip’ command.

I tried the pip install at the root command line and bash threw “pip: command not found”. So not sure what this pip is.

Ideas?

What do you get with the command below, just after a failed site update domain.com --le?

tail -50 /var/log/ee/ee.log

Please don’t just copy and paste the logs here if you can’t use Markdown to properly format them (please make it easier for us, who are trying to help you); instead, use http://pastebin.com/ (you paste your log there, publish it, and then add the public link to your response, and we’ll be able to see your logs as they are meant to be viewed).

I’m a bit embarrassed… I did NOT delete the original VPS that I installed the certificates on !! It is still running and so therefore when I tried to install the ssl certs on the second machine with the same domain name… I’m pretty sure it’s supposed to fail… wouldn’t want two machines with the same valid certs. haha … thanks for the rapid response. I’m loving the EE software… super useful! consider this thread solved.

What about setting Pause on CloudFlare??

That would not solve the

```
Please make sure that your site is pointed to
same server on which you are running Let's Encrypt Client
 to allow it to verify the site automatically.
```

I just put pause on the domain in CloudFlare, and I continue to have the problem :/

Do you have DNS entries for domain.com and www.domain.com? Let’s Encrypt requires both to point to the same place in order to work fine.


Thank you, yes I did!

Normally I always add an A register with @ and www @

But I have no success with any of my domains :confused:

Was about to ask the same thing as portofacil about ensuring both @ and www are Apex records and not CNAME, however below is a step-by-step process which may prove useful:

Rather than using the simple “Pause” option in CloudFlare, navigate to the DNS tab, and toggle the cloud icon to gray instead of orange for the two A records @ and www so they don’t resolve through the reverse proxy.

CloudFlare uses anycast so it shouldn’t take very long to propagate (usually < 30 seconds), however you should use a lookup tool such as http://nwtools.com to do a DNS records check on your domain. Once you see the actual IP of the origin server showing up, and not those of CloudFlare, only then are you good to go for setting up Let’s Encrypt.

Assuming you’ve set up LE via the ee site update mydomain.com --letsencrypt command, ensure you can access your website and it uses HTTPS correctly, and also ensure that you can login to the WordPress admin.

Head back to CloudFlare and first thing to do is go to the Crypto tab, enable HTTPS using the Full (Strict) option. Also ensure you turn off Automatic HTTPS Rewrites as nginx handles this. I’ve found disabling the Always On feature helps too in some very fringe cases although it’s always off for me as I personally prefer a blank page to CF’s glaring error page anyway. I also usually have no need for the Authenticated Origin Pulls, Opportunistic Encryption, TLS 1.3 BETA options for most websites I create but YMMV.

Finally, head to the DNS records tab and toggle the orange cloud for your @ and www records back to the on position. Then go back to http://nwtools.com and verify that your domain is using CloudFlare’s IPs, and recheck your website in the browser to make sure it works the same now that it’s being served by CloudFlare with the LE SSL passthrough.

Hope it helps!

Excellent @paramdeo, thank you very much for your help!

When I try updating a WordPress site with letsencrypt, it gives me the following error

```
#ee site update hhwp.tk --letsencrypt
Unable to setup, Let’s Encrypt
Please make sure that your site is pointed to
same server on which you are running Let’s Encrypt Client
 to allow it to verify the site automatically.
```

ee logs have following logs

```
Command Error:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 2363, in <module>
    main()
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 719, in main
    symlink=options.symlink)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 988, in create_environment
    download=download,
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 918, in install_wheel
    call_subprocess(cmd, show_stdout=False, extra_env=env, stdin=SCRIPT)
  File "/usr/lib/python3/dist-packages/virtualenv.py", line 812, in call_subprocess
    % (cmd_desc, proc.returncode))
OSError: Command /root/.local/share/letsencrypt/bin/python2.7 - setuptools pkg_resources pip wheel failed with error code 1
```

Has someone come across such an issue? A solution would be much appreciated. I am using easyengine on an AWS EC2 instance with Ubuntu 16.04.2 LTS.

Found the solution here,

https://github.com/certbot/certbot/issues/2883

I am updating a WordPress site with letsencrypt

Please make sure that your site is pointed to same server on which you are running Let’s Encrypt Client to allow it to verify the site automatically.

and I ran tail -50 /var/log/ee/ee.log

```
Command Error: Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
ReadTimeout: HTTPSConnectionPool(host='acme-v01.api.letsencrypt.org', port=443): Read timed out. (read timeout=45)
Please see the logfiles in /var/log/letsencrypt for more details.
```

It's OK now. Thanks.

I AM GETTING THE SAME ERROR

FOLLOW THE LINK BELOW FOR ERROR LOG

https://pastebin.com/PhUXNS5m


fixed and working thanks

Just adding for reference in case anyone else gets this problem…

I just came across a similar issue bamajr referred to above with a missing PTR record. This was a linode VPS, and linode don’t create any PTR record by default - you have to manually add it.

This alone did not fix the issue though.

Linode's DNS manager can helpfully auto-create A records for IPV6. These were not being handled by the server at all. Simplest solution was to remove them, allow the changes to propagate and finally LetsEncrypt worked.

Short version - if dnscheck.pingdom.com reports ANY problem with your DNS, that is most likely what is preventing the letsencrypt certificate from being installed. The best I could get from the certbot logs was that it was getting a 404 error trying to access the verification URLs for the site - it wasn’t at all clear what the real problem was.

Exactly the same issue for me. bamajr made me think what else could be wrong with the domain records. Well it was an AAAA Record probably from a previous setup and after deleting it the job was done!

I got it solved!

Solution to the error is to create records for both the domain/subdomain you’re trying to verify as well as with www. in front of it. So if I were trying to get a certificate in EasyEngine with Let’s Encrypt for hello.example.com, I’d create records for both hello.example.com as well as www.hello.example.com pointing to my origin.

This will allow Let’s Encrypt to verify your site when EasyEngine makes the request, allowing it to get and install your certificate.

Ref: https://www.requark.com/easyengine-unable-setup-lets-encrypt-solution/

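Editor's added example (not part of any post, and not EasyEngine or certbot code): a pre-flight check for the causes reported in this thread, namely a name still pointing at another server or at the CloudFlare proxy, a missing www record, and a leftover AAAA record. The names `preflight`, `resolve`, `SAMPLE_ORIGIN` and `SAMPLE_ZONE` are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress
import socket
import sys

# Constructed sample data (documentation address ranges), not from the thread.
SAMPLE_ORIGIN = ["203.0.113.10"]
SAMPLE_ZONE = {
    "example.com": {"203.0.113.10", "2001:db8::1"},   # leftover AAAA record
    "www.example.com": {"198.51.100.7"},               # old server or proxy
}


def resolve(name):
    """A and AAAA addresses for name, as this host's own resolver sees them
    (/etc/hosts and local caches included, so confirm with an outside lookup)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def preflight(domain, origin_ips, lookup=resolve):
    """Return (name, problem) pairs that would send validation elsewhere."""
    origin = {ipaddress.ip_address(ip) for ip in origin_ips}
    problems = []
    for name in (domain, "www." + domain):  # the certificate covers both names
        addrs = {ipaddress.ip_address(a) for a in lookup(name)}
        if not addrs:
            problems.append((name, "no A/AAAA record"))
            continue
        for addr in sorted(addrs - origin, key=str):
            kind = "AAAA" if addr.version == 6 else "A"
            problems.append((name, f"{kind} record {addr} is not this server"))
    return problems


if __name__ == "__main__":
    # Usage: python3 preflight.py domain.com <this server's public IPs...>
    if len(sys.argv) > 2:
        found = preflight(sys.argv[1], sys.argv[2:])
    else:
        found = preflight("example.com", SAMPLE_ORIGIN,
                          lambda n: SAMPLE_ZONE.get(n, set()))
    for name, problem in found:
        print(f"{name}: {problem}")
    sys.exit(1 if found else 0)
```

An empty result means both names resolve only to the addresses given as this server's; any listed record should be corrected and allowed to propagate before requesting the certificate.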

I was using Route53 and my subdomain was not pointing to my server. After pointing the main site and www, all is well now.

add DNS records

Type / hostname / value / TTL

A / * / your-ip-number / 3600

OK