
Letsencrypt issues #10

daveteu opened this issue Apr 4, 2022 · 31 comments

Comments

@daveteu

daveteu commented Apr 4, 2022

Looks like the following issue only occurs when using this repo. When I switch to the original repo, the problem goes away.

I've searched online for several posts on similar errors but did not get any answers to solving this.

certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:

Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 155, in perform
    self._verify_ip_logging_ok()
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 182, in _verify_ip_logging_ok
    if display.yesno(msg, cli_flag=cli_flag, force_interactive=True):
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 542, in yesno
    self._interaction_fail(message, cli_flag)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
KeyError: KeyAuthorizationAnnotatedChallenge(challb=ChallengeBody(chall=DNS01(token=b'{5\xcd\x02\xe9>\xbfo\xa9\xc5\x08L@\xaa\x9b\x94\xe69\xa8\xf1\xca\xe9\xf1\xc7\x10V\xad\xeaEm\x81\xfd'), uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/94252303960/DUrdfA', _url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/94252303960/DUrdfA', status=Status(pending), validated=None, error=None), domain='autoconfig.example.com', account_key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0x7fc9e5e0bf28>)>))

Update: this also fails on a new box

Okay. I'm about to set up [email protected] for you. This account will also
have access to the box's control panel.
password:
 (again):
mail user added
updated DNS: justmailbox.net
web updated


-----------------------------------------------
Mail-in-a-Box uses Let's Encrypt to provision free SSL/TLS certificates
to enable HTTPS connections to your box. We're automatically
agreeing you to their subscriber agreement. See https://letsencrypt.org.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Registering without email!
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connection.py", line 175, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/local/lib/python3.6/dist-packages/urllib3/util/connection.py", line 72, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.6/socket.py", line 745, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Temporary failure in name resolution

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py", line 710, in urlopen
    chunked=chunked,
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py", line 386, in _make_request
    self._validate_conn(conn)
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connectionpool.py", line 1040, in _validate_conn
    conn.connect()
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connection.py", line 358, in connect
    self.sock = conn = self._new_conn()
  File "/usr/local/lib/python3.6/dist-packages/urllib3/connection.py", line 187, in _new_conn
    self, "Failed to establish a new connection: %s" % e
urllib3.exceptions.NewConnectionError: <urllib3.connection.HTTPSConnection object at 0x7efe1ede5470>: Failed to establish a new connection: [Errno -3] Temporary failure in name resolution

@sorokaalex

sorokaalex commented Oct 14, 2022

Hi, I have the same issue trying to provision TLS (SSL) certificates using the mailinabox-extra repo.

In the meantime, I was able to solve the issue by installing the original mail-in-a-box repo with the official command (curl -s https://mailinabox.email/setup.sh | sudo bash), provisioning SSL, and installing mailinabox-extra again.

In my case, it is crucial to have quota in place, and this is why I'm doing it.

I'm afraid that installing the official repo and the extra repo back again will break my server in the near future.

@jrsupplee Is there any chance to solve the SSL issue with the mailinabox-extra repo?

@jrsupplee
Owner

I am traveling at the moment. I will take a look as soon as I can

@sorokaalex

> I am traveling at the moment. I will take a look as soon as I can

Thank you for your reply.

@sorokaalex

@jrsupplee Did you have a chance to take a look at this issue? Thank you.

@jrsupplee
Owner

SSL renewal works fine for me.

You did not provide the commands you executed that caused the problem. I need those to understand what caused your problem.

@jrsupplee
Owner

I just tried provisioning a new domain and it worked.

@jrsupplee
Owner

From the mailinabox folder try executing:

./management/ssl_certificates.py autoconfig.<domain>

@sorokaalex

sorokaalex commented Nov 23, 2022

> SSL renewal works fine for me.
>
> You did not provide the commands you executed that caused the problem. I need those to understand what caused your problem.

I just tried provisioning a new certificate for a new domain under the web interface, and when I click the Provision button, the same error message as in the original post appears.

[image]

@sorokaalex

> From the mailinabox folder try executing:
>
> ./management/ssl_certificates.py autoconfig.<domain>

I just added a new domain to my server and tried to execute the above command. The error message follows below.

Provisioning TLS certificates for autoconfig.plasluz.com.br.
error: autoconfig.plasluz.com.br:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Performing the following challenges:
dns-01 challenge for autoconfig.plasluz.com.br
Cleaning up challenges
Encountered exception during recovery:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 75, in handle_authorizations
    resp = self._solve_challenges(aauthzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 139, in _solve_challenges
    resp = self.auth.perform(all_achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 155, in perform
    self._verify_ip_logging_ok()
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 182, in _verify_ip_logging_ok
    if display.yesno(msg, cli_flag=cli_flag, force_interactive=True):
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 542, in yesno
    self._interaction_fail(message, cli_flag)
  File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(You can set this with the --manual-public-ip-logging-ok flag)

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/error_handler.py", line 108, in _call_registered
    self.funcs[-1]()
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 323, in _cleanup_challenges
    self.auth.cleanup(achalls)
  File "/usr/lib/python3/dist-packages/certbot/plugins/manual.py", line 242, in cleanup
    env = self.env.pop(achall)
KeyError: KeyAuthorizationAnnotatedChallenge(challb=ChallengeBody(chall=DNS01(token=b'\xd6\xf9z\x96\xbd\x07\x8e\xbd-+\x14\xd3n\xb7\xc5Q X\x8b\xa7{\x07\x85\xe0i$J9y\x0f\x95m'), uri='https://acme-v02.api.letsencrypt.org/acme/chall-v3/179630947117/tNnHWA', _url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/179630947117/tNnHWA', status=Status(pending), validated=None, error=None), domain='autoconfig.plasluz.com.br', account_key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPrivateKey object at 0xff84b9897160>)>))
Missing command line flag or config entry for this setting:
NOTE: The IP of this machine will be publicly logged as having requested this certificate. If you're running certbot in manual mode on a machine that is not your server, please ensure you're okay with that.

Are you OK with your IP being logged?

(You can set this with the --manual-public-ip-logging-ok flag)

@jrsupplee
Owner

What version of Ubuntu are you running?

@sorokaalex

Now my MiaB server is running the mailinabox-extra version. If I install the official version and try provisioning from the web interface, it works fine without issues.

@sorokaalex

sorokaalex commented Nov 23, 2022

> What version of Ubuntu are you running?

Ubuntu 18.04.6 LTS / v0.57a-extra-0.14-beta.

@sorokaalex

@jrsupplee I still have no luck trying to solve it. I asked another friend who has a MiaB server to install your extra repo and try provisioning a certificate for a new domain, and he got exactly the same error as I'm getting.

@jrsupplee
Owner

Try adding the following line to /etc/letsencrypt/cli.ini:

manual-public-ip-logging-ok = true

@sorokaalex

> manual-public-ip-logging-ok = true

Added, rebooted the server and tried to provision.

[image]

@jrsupplee
Owner

> From the mailinabox folder try executing:
>
> ./management/ssl_certificates.py autoconfig.<domain>

I need the output from this again. Is it the same?

@jrsupplee
Owner

Also, what version of certbot are you running?

certbot --version

@sorokaalex

sorokaalex commented Nov 25, 2022

> ./management/ssl_certificates.py autoconfig.

Output follows:

[image]

The DNS record is in place:

[image]

@jrsupplee
Owner

The problem with certbot crashing is solved.

Now it looks like you have a problem with your DNS configuration.

Can you ping your box from another computer? If the name of your box is mail.plasluz.com.br then DNS does not resolve properly (I cannot ping it).

@sorokaalex

> The problem with certbot crashing is solved.
>
> Now it looks like you have a problem with your DNS configuration.
>
> Can you ping your box from another computer. If the name of your box is mail.plasluz.com.br then DNS does not resolve properly (I cannot ping it).

My MiaB box name is mail.cloudmediabrasil.com.br; plasluz.com.br is a new domain I added to my box and am trying to provision a certificate for.

@sorokaalex

ping autoconfig.plasluz.com.br goes to the MiaB box as well

[image]

@jrsupplee
Owner

$ dig -t ANY plasluz.com.br

; <<>> DiG 9.10.6 <<>> -t ANY plasluz.com.br
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31807
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;plasluz.com.br.			IN	ANY

;; ANSWER SECTION:
plasluz.com.br.		3600	IN	SOA	b.sec.dns.br. hostmaster.registro.br. 2022327039 86400 900 604800 900
plasluz.com.br.		3600	IN	DNSKEY	257 3 13 gfk/tOOW9nHQCBWPxhuTGGwRq4xow4qA4svu1yS5HYk9Y7Lzs/kl1gxA 7OtdQySdHMnWFh6RMCl5IjfFzLxh3Q==
plasluz.com.br.		900	IN	NSEC	_dmarc.plasluz.com.br. NS SOA MX TXT RRSIG NSEC DNSKEY
plasluz.com.br.		3600	IN	RRSIG	DNSKEY 13 3 3600 20230102164057 20221123154057 25512 plasluz.com.br. FnzPXpjSjmEVHXPhmTGpfISB7jMkwxD7rdSiEI+VktFcEzak8okKYE5k AmTb6Bo65pW118iw5M90jYcCCbsPSA==
plasluz.com.br.		900	IN	RRSIG	NSEC 13 3 900 20230102164057 20221123154057 25512 plasluz.com.br. WKMKSJYhGMWBo4/a2EhQqxSwwZqfrSq1CQoTR6Xgpo1JtdjqIbyEHRiG Or4ThsNL8Jj2e6/kk/BTRqAqHvURew==
plasluz.com.br.		3600	IN	RRSIG	TXT 13 3 3600 20230102164057 20221123154057 25512 plasluz.com.br. K4IIrH8fCsWjQ6Xpt+DYnlNmB22p40b+RzFPHnq+SZw5qCZCSxemSmo2 WX+kJOPyNLJcBXAnDuQCzXlq2J8GxA==
plasluz.com.br.		3600	IN	RRSIG	MX 13 3 3600 20230102164057 20221123154057 25512 plasluz.com.br. coXILZPtxNpZqWOxumSd6hk+YgtOnvyIONWAxwipPiMEeZGCHdNbjIbo F0b45myVihf9QESJy3KVXgxr4Y5A3g==
plasluz.com.br.		3600	IN	RRSIG	SOA 13 3 3600 20230102164057 20221123154057 25512 plasluz.com.br. YuRH8yYg+BSqEMfTdRcXBcfN6Oyv2SEWV1pjvJ47izdzc9VbwbT9fbUY iX2YQ58R89qdc++eM3W6DjARDXG9mQ==
plasluz.com.br.		3600	IN	RRSIG	NS 13 3 3600 20230102164057 20221123154057 25512 plasluz.com.br. SOuwhjoLdmI9kTcz+sYtRN0uPcmBShx22RzxvVACe0cciX5Ry5abkw8m 4prsGJ/NJ6FDNeQXiP6IfnXnpPzIAA==
plasluz.com.br.		3600	IN	TXT	"v=spf1 mx -all"
plasluz.com.br.		3600	IN	MX	10 mail.cloudmediabrasil.com.br.
plasluz.com.br.		3600	IN	NS	b.sec.dns.br.
plasluz.com.br.		3600	IN	NS	c.sec.dns.br.

;; Query time: 489 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Nov 25 14:15:24 EET 2022
;; MSG SIZE  rcvd: 988

There are no A or MX records!

@sorokaalex


> There are no A or MX records!

The A record will be added pointing to another IP address for the web page host, and the MX record was added as well: plasluz.com.br. 3600 IN MX 10 mail.cloudmediabrasil.com.br.

@sorokaalex

I have added A and MX DNS records for autoconfig.plasluz.com.br as well.

[image]

@jrsupplee
Owner

There is an MX (I missed that) but the NS records do not point to your mail server (mail.cloudmediabrasil.com.br). The certbot authorization scripts require that DNS is handled by the mail server. That means you will need to configure DNS manually on your DNS server and the auto provisioning of certificates will fail. You will need to customize the DNS provisioning scripts in the tools folder (dns-auth.sh and dns-cleanup.sh) to work with your DNS server.
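A pre-flight check for the condition described above, added here as an example and not code from mailinabox-extra or Mail-in-a-Box: it parses the ANSWER SECTION of the dig output quoted earlier in this thread and reports whether the zone's NS records delegate to the box, which the DNS-01 hooks (dns-auth.sh / dns-cleanup.sh) need in order to publish the challenge record. The sample input is the thread's own records (DNSSEC lines dropped), and the function names are this example's assumptions.

```python
import re
from typing import Dict, List, NamedTuple


class Record(NamedTuple):
    name: str    # owner name, lower-case, no trailing dot
    rtype: str   # record type, e.g. "NS", "MX"
    rdata: str   # remainder of the line


# Constructed sample input: the non-DNSSEC answer lines from the dig output
# quoted in this thread (RRSIG/NSEC/DNSKEY lines dropped; they do not matter here).
SAMPLE_DIG_ANSWER = """\
;; ANSWER SECTION:
plasluz.com.br.\t\t3600\tIN\tSOA\tb.sec.dns.br. hostmaster.registro.br. 2022327039 86400 900 604800 900
plasluz.com.br.\t\t3600\tIN\tTXT\t"v=spf1 mx -all"
plasluz.com.br.\t\t3600\tIN\tMX\t10 mail.cloudmediabrasil.com.br.
plasluz.com.br.\t\t3600\tIN\tNS\tb.sec.dns.br.
plasluz.com.br.\t\t3600\tIN\tNS\tc.sec.dns.br.
"""

# owner  TTL  IN  TYPE  RDATA  (dig separates the fields with tabs)
ANSWER_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(.+)$")


def parse_dig_answers(text: str) -> List[Record]:
    """Turn the answer lines of dig output into Record tuples; ';' comment lines are skipped."""
    out = []
    for line in text.splitlines():
        stripped = line.strip()
        m = ANSWER_LINE.match(stripped)
        if m and not stripped.startswith(";"):
            out.append(Record(m.group(1).rstrip(".").lower(), m.group(2).upper(), m.group(3).strip()))
    return out


def dns01_readiness(dig_text: str, zone: str, box_hostname: str) -> Dict[str, object]:
    """Decide whether the box can answer a DNS-01 challenge for names in `zone`.

    The hooks write the _acme-challenge TXT record into the box's own nameserver, so
    they only work when the zone's NS records delegate to the box. Any other delegation
    means the hooks must be adapted to the external DNS provider (or HTTP-based
    provisioning used instead).
    """
    zone, box = zone.rstrip(".").lower(), box_hostname.rstrip(".").lower()
    recs = parse_dig_answers(dig_text)
    ns = sorted(r.rdata.rstrip(".").lower() for r in recs if r.name == zone and r.rtype == "NS")
    # MX rdata is "<preference> <host>"; keep only the host
    mx = sorted(r.rdata.split()[-1].rstrip(".").lower() for r in recs if r.name == zone and r.rtype == "MX")
    authoritative = box in ns
    if not ns:
        verdict = f"no NS records for {zone} in the answer; check the query"
    elif authoritative:
        verdict = f"{zone} is delegated to {box}; the DNS-01 hooks can publish the challenge"
    else:
        verdict = f"{zone} is delegated to {', '.join(ns)}, not to {box}; DNS-01 via the box will fail"
        if box in mx:
            verdict += " even though mail for the zone is routed to the box"
    return {"ns": ns, "mx": mx, "box_is_authoritative": authoritative, "verdict": verdict}


if __name__ == "__main__":
    print(dns01_readiness(SAMPLE_DIG_ANSWER, "plasluz.com.br", "mail.cloudmediabrasil.com.br")["verdict"])
```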

@jrsupplee
Owner

Also you could use my mailinabox GitHub repository which supports quotas and uses the standard Mail-in-a-box authentication for provisioning certificates.

@jrsupplee
Owner

> I have been added A and MX DNS records for autoconfig.plasluz.com.br as well
>
> [image]

But you added these on b.sec.dns.br. Not on your mail server. Correct?

@sorokaalex

> Also you could use my mailinabox GitHub repository which supports quotas and uses the standard Mail-in-a-box authentication for provisioning certificates.

I'll give it a try, since the official repo is working fine.

@sorokaalex

> I have been added A and MX DNS records for autoconfig.plasluz.com.br as well
> [image]
>
> But you added these on b.sec.dns.br. Not on your mail server. Correct?

Yes, correct, under my DNS server manager and not under the MiaB server.

@jrsupplee
Owner

> Also you could use my mailinabox GitHub repository which supports quotas and uses the standard Mail-in-a-box authentication for provisioning certificates.
>
> I'll do a try on it since on official repo is working fine

The extra repository uses DNS challenge authentication because the normal authentication does not allow for wildcards (*) in domain names. That is not an issue for you since you define your DNS elsewhere.

@sorokaalex

> Also you could use my mailinabox GitHub repository which supports quotas and uses the standard Mail-in-a-box authentication for provisioning certificates.
>
> I'll do a try on it since on official repo is working fine
>
> The extra repository uses DNS challenge authentication because the normal authentication does not allow for wildcards (*) in domain names. That is not an issue for you since you define your DNS elsewhere.

Got it.

I tried your https://github.com/jrsupplee/mailinabox.git and it works like a charm.

Thank you very much, my friend, for all your time and patience in giving me this great support.

[image]
