Failed to get the certificates

[dpadron]

Log for Container letsencrypt_1

End of life plan for ACMEv1 Any solution to use ACMEv2?

STARTING LETSENCRYPT ENTRYPOINT ---------------------

Wed Nov 13 15:03:38 UTC 2019

Trying to get PRODUCTION certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred

The client lacks sufficient authorization :: Account creation on ACMEv1 is disabled.
Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555.
See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.

Please see the logfiles in /var/log/letsencrypt for more details.
Failed to get the certificates !

Specifications

• GeoNode version: 2.10.1
• Installation method (manual, GeoNode Docker, SPCGeoNode Docker): Docker
• Platform: Ubuntu 18.04
• Additional details:

[t-book]

ACMEv1 has reached EOL in November. I think we need to update the certbot.

[t-book]

hi @dpadron could you kindly test to replace https://github.com/GeoNode/geonode/blob/master/scripts/spcgeonode/letsencrypt/docker-entrypoint.sh

with this updated version https://gist.github.com/t-book/339c58c889025a08696f2166628c046c

don't forget to rebuild your containers and let me know if it works.

[dpadron]

Hi t-book, I performed the test and the following error is generated:

STARTING LETSENCRYPT ENTRYPOINT ---------------------
Sun Nov 17 09:38:02 UTC 2019
Trying to get PRODUCTION certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:
KeyError: 'Directory field not found'
Please see the logfiles in /var/log/letsencrypt for more details.
Failed to get the certificates !
Waiting 30s to avoid hitting Letsencrypt rate limits before it's even possible to react
$\n\n\n

[dpadron]

Solved
Updated FROM alpine: 3.8

in /docker/letsencrypt/Dockerfile

Thanks t-book for the help

[t-book]

great! this is what I actually just planned to try :))

the reason is the acme2 protocol has been added in certbot 22+ the current alpine image has certbot below:

/ # certbot --version
certbot 0.14.0

As I currently do not use spc can you do me a favour and test alpine 3.8 image with the original entrypoint? the question is if the newer certbot already respects acme2 without the --server option.

[t-book]

@dpadron okay tested it. it looks we need the --server for acme2

[dpadron]

Hi t-book,
I tried it in geonode-project -master
Mode: Docker
S.O. Ubuntu 18.04

Directory: /docker/letsencrypt/
Edit: docker-entrypoint.sh and Dockerfile

Everything worked correctly

I'm going to do tests in SPC and I tell you

I attach content files Dockerfile and docker-entrypoint.sh

#####Dockerfile

FROM alpine:3.8

# 1-2. Install system dependencies
RUN apk add --no-cache certbot py-pip && pip install pyopenssl==16.0.0 # Need to downgrade PyOpenSSL to 16.0.0 to avoid conflicts and solve the cryptography error : https://github.com/plesk/letsencrypt-plesk/issues/117

# Installing scripts
ADD docker-entrypoint.sh /docker-entrypoint.sh
RUN chmod +x /docker-entrypoint.sh

# Installing cronjobs
ADD crontab /crontab
RUN /usr/bin/crontab /crontab && \
    rm /crontab

# Setup the entrypoint
ENTRYPOINT ["./docker-entrypoint.sh"]

# We run cron in foreground to update the certificates
CMD /usr/sbin/crond -f

docker-entrypoint.sh

#!/bin/sh

# Exit script in case of error
set -e

echo $"\n\n\n"
echo "-----------------------------------------------------"
echo "STARTING LETSENCRYPT ENTRYPOINT ---------------------"
date

# We make the config dir
mkdir -p "/geonode-certificates/$LETSENCRYPT_MODE"

# Do not exit script in case of error
set +e

# We run the command
if [ "$LETSENCRYPT_MODE" == "staging" ]; then
    printf "\nTrying to get STAGING certificate\n"
    certbot --config-dir "/geonode-certificates/$LETSENCRYPT_MODE" certonly certonly --webroot -w "/geonode-certificates" -d "$HTTPS_HOST" -m "$ADMIN_EMAIL" --agree-tos --non-interactive --staging --server https://acme-v02.api.letsencrypt.org/directory
elif [ "$LETSENCRYPT_MODE" == "production" ]; then
    printf "\nTrying to get PRODUCTION certificate\n"
    certbot --config-dir "/geonode-certificates/$LETSENCRYPT_MODE" certonly --webroot -w "/geonode-certificates" -d "$HTTPS_HOST" -m "$ADMIN_EMAIL" --agree-tos --non-interactive --server https://acme-v02.api.letsencrypt.org/directory
else
    printf "\nNot trying to get certificate (simulating failure, because LETSENCRYPT_MODE variable was neither staging nor production\n"
    /bin/false
fi

# If the certbot comand failed, we will create a placeholder certificate
if [ ! $? -eq 0 ]; then
    # Exit script in case of error
    set -e

    printf "\nFailed to get the certificates !\n"

    printf "\nWaiting 30s to avoid hitting Letsencrypt rate limits before it's even possible to react\n"
    sleep 30

    exit 1
fi

printf "\nCertificate have been created/renewed successfully\n"

echo "-----------------------------------------------------"
echo "FINISHED LETSENCRYPT ENTRYPOINT ---------------------"
echo "-----------------------------------------------------"

# Run the CMD 
exec "$@"

[7scorp]

Has this solution been merged into the main geonode docker install? If not, where do I find the updated file t-book mentioned?