TLS Certificate Auto-Renewal

Hi all,

I’ve got an issue with my box that seems similar to those mentioned here and here; however, none of those threads have solutions other than wiping the VM and starting over, which seems a little drastic to me.

From what I can tell, it seems like mailinabox just checks daily on the TLS certificate, sees that it’s invalid, and then tries to obtain a new one. However, since it’s happening every day, and the rate limit was broken at some point in the past (not sure when/why that would’ve happened), it continually fails because it’s always requesting more than is allowed per week.

My thought is that if I can just stop mailinabox from attempting to automatically get a new certificate for a week, then the limit will be cleared and I can turn the auto-retrieval back on; it’ll grab a new certificate successfully, and all will run smoothly. So my question would just be: how can I do this? Obviously I can just turn my box off for a week, but I’d rather not, since I use that as my main email now.

Any ideas/suggestions/pointers? I’d really like to get this fixed, even if it’s not completely breaking my system.

Thanks in advance!

EDIT: Just for reference, here’s the error message:

Something unexpected went wrong: Error creating new cert :: Too many certificates already issued for exact set of domains: [mydomain]

Hi guys,

I have the following error on the Let’s Encrypt auto renew on the certificates:
1st: I got the error “Something went wrong, sorry.” in the web admin after clicking provisioning.
2nd: after I looked in the log I saw the following:
"Jan 6 13:03:18 eml Exception on /ssl/provision [POST]#012Traceback (most recent call last):#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1817, in wsgi_app#012 response = self.full_dispatch_request()#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1477, in full_dispatch_request#012 rv = self.handle_user_exception(e)#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1381, in handle_user_exception#012 reraise(exc_type, exc_value, tb)#012 File "/usr/lib/python3/dist-packages/flask/_compat.py", line 33, in reraise#012 raise value#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1475, in full_dispatch_request#012 rv = self.dispatch_request()#012 File "/usr/lib/python3/dist-packages/flask/app.py", line 1461, in dispatch_request#012 return self.view_functionsrule.endpoint#012 File "/usr/local/bin/mailinabox-daemon", line 55, in newview#012 return viewfunc(*args, **kwargs)#012 File "/usr/local/bin/mailinabox-daemon", line 384, in ssl_provision_certs#012 jsonable=True)#012 File "/root/mailinabox/management/ssl_certificates.py", line 272, in provision_certificates#012 import acme.messages#012 File "/usr/local/lib/python3.4/dist-packages/acme/messages.py", line 4, in <module>#012 from acme import challenges#012 File "/usr/local/lib/python3.4/dist-packages/acme/challenges.py", line 9, in <module>#012 import OpenSSL#012ImportError: No module named 'OpenSSL'"

@JoshData, is there a solution here? I am running the latest version of MIAB and also tried the “sudo mailinabox” command, but without success in solving the renewal issue.

Thanks,
Sebastian

Hi guys,

Does somebody have a solution for this SSL renewal?
I also tried to do it manually via the following command: ./management/ssl_certificates.py --force
and got an error here too; see the results:
Traceback (most recent call last): File "./management/ssl_certificates.py", line 807, in <module> provision_certificates_cmdline() File "./management/ssl_certificates.py", line 450, in provision_certificates_cmdline status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger, force_domains=force_domains, show_extended_problems=show_extended_problems) File "./management/ssl_certificates.py", line 337, in provision_certificates logger=my_logger) File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 64, in issue_certificate agree_to_tos_url, validation_method, acme_server, logger) File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 112, in validate_domain_ownership acme_server=acme_server) File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 317, in create_client client = acme.client.Client(acme_server, key) File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 69, in __init__ self.net.get(directory).json()) File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 641, in get self._send_request('GET', url, **kwargs), content_type=content_type) File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 614, in _send_request response = self.session.request(method, url, *args, **kwargs) File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 488, in request resp = self.send(prep, **send_kwargs) File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 609, in send r = adapter.send(request, **kwargs) File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 423, in send timeout=timeout File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen chunked=chunked) File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 350, in _make_request self._validate_conn(conn) File 
"/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn conn.connect() File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connection.py", line 311, in connect cert_reqs=resolve_cert_reqs(self.cert_reqs), File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/util/ssl_.py", line 267, in create_urllib3_context context.set_ciphers(ciphers or DEFAULT_CIPHERS) File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 385, in set_ciphers self._ctx.set_cipher_list(ciphers) TypeError: must be str, not bytes
I hope somebody can help me here, thanks in advance.
BR,
Sebastian

exactly same issue here… no fix yet… following it in another thread

Facing the same problem here.

Could I get the link to that thread, too?

Exactly same issue here!

I solved this issue by removing the system installed version of pyopenssl and making sure that the pip install version was up-to-date.

These two commands:

$ sudo apt-get remove python3-openssl
$ sudo pip3 install --upgrade pyopenssl

Good luck!

Thx, but this didn’t do the trick here…
After your possible solution I get the following:
./management/ssl_certificates.py --force Traceback (most recent call last): File "./management/ssl_certificates.py", line 807, in <module> provision_certificates_cmdline() File "./management/ssl_certificates.py", line 450, in provision_certificates_cmdline status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger, force_domains=force_domains, show_extended_problems=show_extended_problems) File "./management/ssl_certificates.py", line 272, in provision_certificates import acme.messages File "/usr/local/lib/python3.4/dist-packages/acme/messages.py", line 4, in <module> from acme import challenges File "/usr/local/lib/python3.4/dist-packages/acme/challenges.py", line 9, in <module> import OpenSSL ImportError: No module named 'OpenSSL'
But I have the latest version of OpenSSL running… or did I miss something here?

Cheers, Sebastian

Sounds like you’re getting further than me…
All I get is
File "./ssl_certificates.py", line 207
<<<<<<< HEAD
^

Jep, same for me, reinstalled python3-openssl and then we get this again:

root@box:~/mailinabox# ./management/ssl_certificates.py Traceback (most recent call last): File "./management/ssl_certificates.py", line 807, in <module> provision_certificates_cmdline() File "./management/ssl_certificates.py", line 450, in provision_certificates_cmdline status = provision_certificates(env, agree_to_tos_url=agree_to_tos_url, logger=my_logger, force_domains=force_domains, show_extended_problems=show_extended_problems) File "./management/ssl_certificates.py", line 337, in provision_certificates logger=my_logger) File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 64, in issue_certificate agree_to_tos_url, validation_method, acme_server, logger) File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 112, in validate_domain_ownership acme_server=acme_server) File "/usr/local/lib/python3.4/dist-packages/free_tls_certificates/client.py", line 317, in create_client client = acme.client.Client(acme_server, key) File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 69, in __init__ self.net.get(directory).json()) File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 641, in get self._send_request('GET', url, **kwargs), content_type=content_type) File "/usr/local/lib/python3.4/dist-packages/acme/client.py", line 614, in _send_request response = self.session.request(method, url, *args, **kwargs) File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 488, in request resp = self.send(prep, **send_kwargs) File "/usr/local/lib/python3.4/dist-packages/requests/sessions.py", line 609, in send r = adapter.send(request, **kwargs) File "/usr/local/lib/python3.4/dist-packages/requests/adapters.py", line 423, in send timeout=timeout File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 594, in urlopen chunked=chunked) File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 350, in 
_make_request self._validate_conn(conn) File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connectionpool.py", line 835, in _validate_conn conn.connect() File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/connection.py", line 311, in connect cert_reqs=resolve_cert_reqs(self.cert_reqs), File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/util/ssl_.py", line 267, in create_urllib3_context context.set_ciphers(ciphers or DEFAULT_CIPHERS) File "/usr/local/lib/python3.4/dist-packages/requests/packages/urllib3/contrib/pyopenssl.py", line 385, in set_ciphers self._ctx.set_cipher_list(ciphers) TypeError: must be str, not bytes


I had the same problem with the TypeError; see https://github.com/mail-in-a-box/mailinabox/issues/1020.
pip3 uninstall pyOpenSSL
pip3 install pyOpenSSL

These two steps worked for me, but some others also had to run the line below:
sudo pip3 install pyOpenSSL --upgrade

Try these steps, reboot, and then try running
./management/ssl_certificates.py again.

Other approaches and steps are available from the link above; solutions are about two thirds of the way down.
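The apt-remove/pip-reinstall fixes above and the earlier "I have the latest OpenSSL" confusion both come down to which pyOpenSSL package Python actually imports. The script below is an added diagnostic, not Mail-in-a-Box code: it lists every OpenSSL package on the interpreter's path in import order (the first one wins, the rest are shadowed), labels each as apt- or pip-owned by its directory, and probes whether the active one accepts a bytes cipher string, which is the call that raised the TypeError in the tracebacks above. The directory conventions are assumptions for Debian/Ubuntu; the `isdir` parameter is injectable only so the logic can be tested offline.

```python
import os
import sys

APT_DIR = "/usr/lib/python3/dist-packages"   # assumed: where apt's python3-openssl installs
PIP_PREFIX = "/usr/local/lib/"               # assumed: where pip3 installs (.../pythonX.Y/dist-packages)


def classify_origin(path):
    """Say which installer owns an OpenSSL package directory."""
    if path is None:
        return "missing"
    if os.path.normpath(path).startswith(APT_DIR + os.sep):
        return "apt"
    if os.path.normpath(path).startswith(PIP_PREFIX):
        return "pip"
    return "other"


def find_all_copies(search_path, isdir=os.path.isdir):
    """Every OpenSSL package on the path, in import order: the first entry is
    what 'import OpenSSL' loads, the rest are shadowed."""
    return [os.path.join(d, "OpenSSL") for d in search_path
            if isdir(os.path.join(d, "OpenSSL"))]


def cipher_list_accepts_bytes():
    """urllib3's pyopenssl shim hands set_cipher_list a bytes string; the
    'must be str, not bytes' TypeError means the loaded build rejects that.
    Returns None when no OpenSSL module can be imported at all."""
    try:
        from OpenSSL import SSL
    except ImportError:
        return None
    try:
        SSL.Context(SSL.SSLv23_METHOD).set_cipher_list(b"DEFAULT")
        return True
    except TypeError:
        return False


def diagnose(search_path=None, isdir=os.path.isdir):
    """Summarise what 'import OpenSSL' will actually load on this interpreter."""
    copies = find_all_copies(sys.path if search_path is None else search_path, isdir)
    active = copies[0] if copies else None
    return {"active": active, "origin": classify_origin(active),
            "shadowed": copies[1:], "accepts_bytes_ciphers": cipher_list_accepts_bytes()}


if __name__ == "__main__":
    for key, value in diagnose().items():
        print(f"{key}: {value}")
```

Run it with the same interpreter mailinabox uses (`python3`); "missing" reproduces the ImportError case, and a shadowed apt copy is what the `apt-get remove python3-openssl` step clears.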


@tramtrist looks like you have a git conflict.

If I were in your shoes, I’d do something like:
cd /root/mailinabox && git fetch && git reset --hard HEAD^ && git checkout tags/v0.21b

That should get you up to the latest mailinabox version. Be sure to make a backup before you do that, and afterwards run the new version migration.

It appears we have three separate issues going on in this thread:

  1. Hitting the rate limit for letsencrypt
  2. Outdated python openssl packages
  3. A git conflict in the ssl_certificates.py file.

I think the outdated SSL Python packages issue seems to be solved,
and @tramtrist should fix the git conflict, which should solve their problem.

As for @gabeotisbenson:
Do you have a large number of subdomains, i.e. more than 20? That’s the only way I could see that you’d hit the rate limit that quickly. In that case, we may need to change how we register certs to add subdomains into a single cert.

See the documentation here: https://letsencrypt.org/docs/rate-limits/
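The rate-limit problem in this thread is a daily job that keeps requesting a certificate for the same exact domain set after the limit has already been hit. The guard below is an added illustration, not Mail-in-a-Box code: it keeps a local ledger of issuance times per exact identifier set, refuses a new request once Let's Encrypt's duplicate-certificate limit (5 per exact set per rolling 7-day window) would be exceeded, and on seeing the "Too many certificates already issued" error quoted above backs off for a full week, which is what the original poster wanted to do by hand. Timestamps are POSIX seconds; the ledger is a plain dict that a caller would persist to disk.

```python
import re
import time

# Let's Encrypt's duplicate-certificate limit: 5 per exact identifier set in
# any rolling 7-day window (https://letsencrypt.org/docs/rate-limits/).
DUPLICATE_CERT_LIMIT = 5
WINDOW_SECONDS = 7 * 86400
# The error text quoted in this thread, used to recognise a rate-limit failure.
RATE_LIMIT_RE = re.compile(r"Too many certificates already issued for exact set of domains")


def domain_key(domains):
    """The limit applies to the exact identifier set, regardless of order or case."""
    return tuple(sorted(d.lower().rstrip(".") for d in domains))


def _recent(ledger, key, now):
    """Drop ledger entries older than the window and return the survivors."""
    ledger[key] = [t for t in ledger.get(key, []) if now - t < WINDOW_SECONDS]
    return ledger[key]


def may_request(ledger, domains, now=None):
    """True if one more issuance for this exact set stays under the limit."""
    now = time.time() if now is None else now
    return len(_recent(ledger, domain_key(domains), now)) < DUPLICATE_CERT_LIMIT


def seconds_until_allowed(ledger, domains, now=None):
    """0 if allowed now, else seconds until the oldest entry leaves the window."""
    now = time.time() if now is None else now
    recent = _recent(ledger, domain_key(domains), now)
    if len(recent) < DUPLICATE_CERT_LIMIT:
        return 0
    return min(recent) + WINDOW_SECONDS - now


def record_issuance(ledger, domains, now=None):
    """Call after a successful issuance so the next run counts it."""
    now = time.time() if now is None else now
    _recent(ledger, domain_key(domains), now).append(now)


def record_failure(ledger, domains, error_text, now=None):
    """On a duplicate-limit error, assume the window is full and back off a whole
    week, since the CA's own issuance timestamps are not known locally.
    Returns True when the error was a rate-limit error."""
    if not RATE_LIMIT_RE.search(error_text):
        return False
    now = time.time() if now is None else now
    ledger[domain_key(domains)] = [now] * DUPLICATE_CERT_LIMIT
    return True
```

A daily renewal job would call `may_request` before contacting the CA and skip the attempt (logging `seconds_until_allowed`) instead of failing every day.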

@cromulus You’re the man! This fixed my issue! The git repo and then reinstalling pyopenssl worked.

Wow, it turned out I had two conflicts, both a git conflict and a pyOpenSSL problem!

Thanks @NatCC and @cromulus! It is all working smoothly again :smiley:

Phew, I had two days to go on my certificates :smirk:

Something seems to definitely be weird/buggy with Mail-in-a-Box’s usage of LetsEncrypt, though. I have a single domain, and have upgraded/used MIAB like normal, but started getting these “too many cert” errors.

Also have a totally separate MIAB instance (for a different domain) running on a different IP, and getting the same error there.

@cromulus I’ve only got two subdomains, one of which is the “box” subdomain for mailinabox. I’m not sure how it happened either. I’m unable to try the things mentioned in this thread, but will report back once I have!

Thanks, this worked for me! :grinning:

@cromulus Thanks! The upgrade part with pip3 worked for me.
The certs were renewed, excellent.

Thanks again and greetz,
Sebastian