TLS Certificate Provisioning Failure

Maintenance
1

My AWS EC2 Ubuntu 22.04 box is generating the following errors when trying to renew the certificate for the mail hosting domain: office.sucofa.com All other certificates e.g. autoconfig.sucofa.com are renewing without problem. The following message is generated:
Traceback (most recent call last):
File “/root/mailinabox/management/ssl_certificates.py”, line 683, in
provision_certificates_cmdline()
File “/root/mailinabox/management/ssl_certificates.py”, line 395, in provision_certificates_cmdline
status = provision_certificates(env, limit_domains=domains)
File “/root/mailinabox/management/ssl_certificates.py”, line 371, in provision_certificates
ret.extend(post_install_func(env))
File “/root/mailinabox/management/ssl_certificates.py”, line 481, in post_install_func
if cert and os.readlink(system_ssl_certificate) != cert[‘certificate’]:
OSError: [Errno 22] Invalid argument: ‘/home/user-data/ssl/ssl_certificate.pem’

Before restoring the server when I moved to v60, I deleted /home/user-data/ssl/.
DNS hosting is with Cloudflare. The website for this domain (sucofa.com and www.sucofa.com) are on another machine.

Any ideas would be appreciated.

Thanks,
Dana

2

Hi @dfowlkes

Please show the output of sudo ls /home/user-data/

3

sudo ls -la /home/user-data/
total 60
drwxr-xr-x 10 user-data user-data 4096 Nov 14 19:03 .
drwxr-xr-x 4 root root 4096 Oct 20 10:52 …
-rw-r–r-- 1 user-data user-data 220 Apr 5 2018 .bash_logout
-rw-r–r-- 1 user-data user-data 3771 Apr 5 2018 .bashrc
-rw-r–r-- 1 user-data user-data 807 Apr 5 2018 .profile
drwxr-xr-x 4 root root 4096 Oct 20 16:04 backup
drwxr-xr-x 3 root root 4096 Dec 26 2020 dns
drwxrwxr-x 8 root www-data 4096 Nov 14 22:35 mail
-rw-r–r-- 1 user-data user-data 3 Dec 10 2021 mailinabox.version
drwxrwx— 9 www-data www-data 4096 Nov 15 15:37 owncloud
drwxr-xr-x 8 root root 4096 Nov 1 00:06 owncloud-backup
-rw-r–r-- 1 root root 15 Jan 2 2021 settings.yaml
drwx–x— 3 ubuntu ubuntu 4096 Nov 14 18:14 ssl
drwxr-xr-x 3 root root 4096 Oct 16 03:02 ssl_old
drwxr-xr-x 3 user-data root 4096 Dec 26 2020 www

4

chown root:root /home/user-data/ssl/
chmod 755 /home/user-data/ssl/

should fix you up. You need to run these as root.

5

Thanks again for you help!
I tried these and have the same result. As root user, I even tried chown -R root:root /home/user-data/ssl/ which made all the contents of the directory root:root (some files were ubuntu:ubuntu).
Something seems wrong with Letsencrypt. The directory /etc/letsencrypt/live is empty. Perhaps Letsencrypt is setup differently in MIAB compared to an Apache website? I would normally expect to see the domain and sub-domains that have issued certificates there.
If I run ‘sudo certbot certificates’ the response is “No certificates found”. Strange?

Any other suggestions would be appreciated.

6

Yes it is set up differently.

Rerun sudo mailinabox which should reinstall LE. But first, delete the contents of the /home/user-data/ssl/ directory … at the point you are at the directory should be empty, so I am not sure what contents you are referring to when you mention that the ownership of the files is root:root.

7

Hi,
The directory was not empty. I deleted its contents and re-ran ‘sudo mailinabox’.
Now when I try to provision the certificates I get:

office.sucofa.com, mta-sts.office.sucofa.com, autoconfig.sucofa.com, autodiscover.sucofa.com, mta-sts.sucofa.com, mta-sts.mta-sts.sucofa.com

Log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags. Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.Processing: letsencrypt_log.txt…

Is there a convenient way for me to upload the letsencrypt log file for you to see?

8

I think I have it sorted out now. My instance of Ubuntu had Certbot installed. I have purged that and deleted the ssl directory and re-ran Mailinbox. The certificates have provisioned correctly now.

Hopefully this is a one off situation.

Thanks for your help.

9

It should be. Glad that you have it sorted now.

10

This topic was automatically closed 40 days after the last reply. New replies are no longer allowed.