3

I'm trying to get a let's encrypt certificate for my domain with Ansible. I have been reading this tutorial which is a bit outdated and the Ansible documentation.

My playbook is a mix of what I have found in the tutorial mentioned and the documentation.

--- - name: "Create required directories in /etc/letsencrypt" file: path: "/etc/letsencrypt/{{ item }}" state: directory owner: root group: root mode: u=rwx,g=x,o=x with_items: - account - certs - csrs - keys - name: Generate let's encrypt account key openssl_privatekey: path: "/etc/letsencrypt/account/account.key" - name: Generate let's encrypt private key with the default values (4096 bits, RSA) openssl_privatekey: path: "/etc/letsencrypt/keys/domain.me.key" - name: Generate an OpenSSL Certificate Signing Request community.crypto.openssl_csr: path: "/etc/letsencrypt/csrs/domain.me.csr" privatekey_path: "/etc/letsencrypt/keys/domain.me.key" common_name: www.domain.me # Create challenge - name: Create a challenge for domain.me using an account key file. acme_certificate: acme_directory: "https://acme-v02.api.letsencrypt.org/directory" acme_version: 2 account_key_src: "/etc/letsencrypt/account/account.key" account_email: "[email protected]" terms_agreed: yes challenge: "http-01" src: "/etc/letsencrypt/csrs/domain.me.csr" dest: "/etc/letsencrypt/certs/domain.me.crt" fullchain_dest: "/etc/letsencrypt/certs/domain.me-fullchain.crt" register: acme_challenge_domain_me - name: "Create .well-known/acme-challenge directory" file: path: "project/dir/path/.well-known/acme-challenge" state: directory owner: root group: root mode: u=rwx,g=rx,o=rx - name: "Implement http-01 challenge files" copy: content: "{{ acme_challenge_domain_me['challenge_data'][item]['http-01']['resource_value'] }}" dest: "project/dir/path/{{ acme_challenge_domain_me['challenge_data'][item]['http-01']['resource'] }}" with_items: - "domain.me" - "www.domain.me" when: acme_challenge_domain_me is changed and domain_name|string in acme_challenge_domain_me['challenge_data'] - name: Let the challenge be validated and retrieve the cert and intermediate certificate acme_certificate: acme_directory: "https://acme-v02.api.letsencrypt.org/directory" acme_version: 2 account_key_src: "/etc/letsencrypt/account/account.key" account_email: "[email protected]" challenge: "http-01" src: "/etc/letsencrypt/csrs/domain.me.csr" cert: "/etc/letsencrypt/certs/domain.me.crt" fullchain: "/etc/letsencrypt/certs/domain.me-fullchain.crt" chain: "{/etc/letsencrypt/certs/domain.me-intermediate.crt" remaining_days: "60" data: "{{ acme_challenge_domain_me }}" when: acme_challenge_domain_me is changed

When I run the playbook, I'm getting this error:

fatal: [web_server]: FAILED! =>

{ "changed": false, "msg": "Failed to validate challenge for dns:www.domain.me: Status is \"invalid\". Challenge http-01: Error urn:ietf:params:acme:error:connection: \"xxx.xxx.x.ip: Fetching http://www.domain.me/.well-known/acme-challenge/NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k: Connection refused\".", "other": { "authorization": { "challenges": [ { "error": { "detail": "xxx.xxx.x.ip: Fetching http://www.domain.me/.well-known/acme-challenge/NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k: Connection refused", "status": 400, "type": "urn:ietf:params:acme:error:connection" }, "status": "invalid", "token": "NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k", "type": "http-01", "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/103702154687/UdA36w", "validated": "2022-04-30T16:01:32Z", "validationRecord": [ { "addressUsed": "xxx.xxx.x.ip", "addressesResolved": ["xxx.xxx.x.ip"], "hostname": "www.domain.me", "port": "80", "url": "http://www.domain.me/.well-known/acme-challenge/NRkTQSpAVbWtjFNq206YES55lEoHHinHUn9cjR7vm7k" } ] } ], "expires": "2022-05-07T15:57:28Z", "identifier": { "type": "dns", "value": "www.domain.me" }, "status": "invalid", "uri": "https://acme-v02.api.letsencrypt.org/acme/authz-v3/103702154687"}, "identifier": "dns:www.domain.me" } }

Command UFW status gives:

To Action From -- ------ ---- OpenSSH ALLOW Anywhere 80 ALLOW Anywhere 5432/tcp ALLOW Anywhere 443/tcp ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) 80 (v6) ALLOW Anywhere (v6) 5432/tcp (v6) ALLOW Anywhere (v6) 443/tcp (v6) ALLOW Anywhere (v6)

The nginx configuration is :

upstream project { server unix:///tmp/project.sock; } server { listen 443 ssl; server_name www.domain.me; ssl_certificate /etc/letsencrypt/certs/domain.me.crt; ssl_certificate_key /etc/letsencrypt/keys/domain.me.key; listen 80; server_name domain.me www.domain.me; charset utf-8; client_max_body_size 4M; return 302 https://$server_name$request_uri; # Serving static files directly from Nginx without passing through uwsgi location /app/static/ { alias /home/admin/project/app/static/; } location / { # kill cache add_header Last-Modified $date_gmt; add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; if_modified_since off; expires off; etag off; uwsgi_pass project; include /home/admin/project/uwsgi_params; } #location /404 { # uwsgi_pass project; # include /home/admin/project/uwsgi_params; #} }

Could you help me understand where the problem is coming from and how to solve it?

I'm not sure if my mistakes are coming from the playbook, Nginx settings, or somewhere else, so apologize if the question isn't perfectly targeted. It's my first time doing this, so please include details and explanations to help me understand.

Thank you.

Improve this question
2
  • You are redirecting every singlle call on http to its https counterpart. A bit of a shortcut here but in a common default setup this basically can't work as let's encrypts needs access over unencrypted http to get the challenge files. Moreover, I don't see any configuration in nginx to allow acessing /.well-known/acme-challenge/* files (unless you already tested this works from you app folder....). In a typical let's encrypt setup, you allow accessing the /.well-known path (and all its subdirs) over http and redirect the rest to https. Commented Jun 4, 2022 at 7:36
  • @Zeitounator yes, I was missing the /.well-known/acme-challenge/ and there were a couple of mistakes in my task. Commented Jun 14, 2022 at 21:12

1 Answer 1

Reset to default
1

There were a couple mistakes in my tasks, but this one works:

--- # Create the directories required by letsencrypt to store keys and certificates. - name: "Create required directories in /etc/letsencrypt" become: yes file: path: "/etc/letsencrypt/{{ item }}" state: directory owner: root group: root mode: u=rwx,g=x,o=x with_items: - account - certs - csrs - keys # https://docs.ansible.com/ansible/2.9/modules/acme_certificate_module.html#acme-certificate-module - name: Generate let's encrypt account key become: yes openssl_privatekey: path: "{{ letsencrypt_account_key }}" # https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_privatekey_module.html#openssl-privatekey-module - name: Generate let's encrypt private key with the default values (4096 bits, RSA) become: yes openssl_privatekey: path: "{{letsencrypt_keys_dir}}/{{ domain_name }}.key" # https://docs.ansible.com/ansible/latest/collections/community/crypto/openssl_csr_module.html#openssl-csr-module - name: Generate an OpenSSL Certificate Signing Request become: yes community.crypto.openssl_csr: path: "{{letsencrypt_csrs_dir}}/{{ domain_name }}.csr" privatekey_path: "{{letsencrypt_keys_dir}}/{{ domain_name }}.key" common_name: "{{domain_name}}" # Create letsencrypt challenge. - name: Create a challenge for {{domain_name}} using a account key file. become: yes community.crypto.acme_certificate: acme_directory: "{{acme_directory}}" acme_version: "{{acme_version}}" account_email: "{{acme_email}}" terms_agreed: yes account_key_src: "{{letsencrypt_account_key}}" csr: "{{letsencrypt_csrs_dir}}/{{domain_name}}.csr" dest: "{{letsencrypt_certs_dir}}/{{domain_name}}.crt" remaining_days: "{{remaining_days}}" register: acme_challenge # Create the directory to hold the validation token. - name: "Create .well-known/acme-challenge directory" become: yes file: path: "{{project_path}}/.well-known/acme-challenge" state: directory owner: root group: root mode: u=rwx,g=rx,o=rx # Copy the necessary files for the http-01 challenge. - name: "Implement http-01 challenge files" become: yes copy: dest: "{{project_path}}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}" content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}" with_items: - "{{ domain_name }}" when: acme_challenge is changed and domain_name|string in acme_challenge['challenge_data'] # Execute letsencrypt challenge. - name: Let the challenge be validated and retrieve the cert and intermediate certificate become: yes community.crypto.acme_certificate: account_key_src: "{{letsencrypt_account_key}}" csr: "{{letsencrypt_csrs_dir}}/{{domain_name}}.csr" cert: "{{letsencrypt_certs_dir}}/{{domain_name}}.crt" acme_directory: "{{acme_directory}}" acme_version: "{{acme_version}}" account_email: "{{acme_email}}" challenge: "{{acme_challenge_type}}" fullchain: "{{letsencrypt_certs_dir}}/{{domain_name}}-fullchain.crt" chain: "{{letsencrypt_certs_dir}}/{{domain_name}}-intermediate.crt" remaining_days: "{{remaining_days}}" data: "{{ acme_challenge }}" when: acme_challenge is changed

The corresponding Nginx config file is:

upstream {{project_name}} { server unix:{{socket_location}}; } server { listen 80; location /.well-known/acme-challenge/ { root {{project_path}}; } server_name {{domain_name}} www.{{domain_name}} {{web_server_ip}}; return 301 https://{{domain_name}}$request_uri; } server { listen 443 ssl; ssl_certificate /etc/letsencrypt/certs/{{domain_name}}-fullchain.crt; ssl_certificate_key /etc/letsencrypt/keys/{{domain_name}}.key; charset utf-8; client_max_body_size 4M; # Serving static files directly from Nginx without passing through uwsgi location /app/static/ { alias {{project_path}}/app/static/; } location /.well-known/acme-challenge/ { root {{project_path}}; } location / { # kill cache add_header Last-Modified $date_gmt; add_header Cache-Control 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0'; if_modified_since off; expires off; etag off; uwsgi_pass {{project_name}}; include {{project_path}}/uwsgi_params; } }
Improve this answer

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.