
[Solved] Let's Encrypt dehydrated lighttpd 1.4.53

Added by Shrike 10 months ago

Hello.
I am trying to use/install the Let's Encrypt bootstrap using the TLS-ALPN-01 verification challenge and dehydrated (with lighttpd 1.4.53),
as posted on the wiki: /wiki/HowToSimpleSSL

but I'm running into a problem.

All goes well until I run the command below:
./dehydrated -d www.mydomain.org -t tls-alpn-01 --out /etc/lighttpd/certs --alpn /etc/lighttpd/dehydrated/tls-alpn-01 -c -x

The return result gives this error:
=================

#
# !! WARNING !! No main config file found, using default config!
#
Processing www.mydomain.org
 + Checking domain name(s) of existing cert... unchanged.
 + Checking expire date of existing cert...
 + Valid till Feb 17 18:06:27 2020 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
 + Signing domains...
 + Generating private key...
 + Generating signing request...
 + Requesting new certificate order from CA...
 + Received 1 authorizations URLs from the CA
 + Handling authorization for www.mydomain.org
 + Generating ALPN certificate and key for www.mydomain.org...
 + 1 pending challenge(s)
 + Deploying challenge tokens...
 + Responding to challenge for www.mydomain.org authorization...
 + Cleaning challenge tokens...
 + Challenge validation has failed :(
ERROR: Challenge is invalid! (returned: invalid) (result: {
  "type": "tls-alpn-01",
  "status": "invalid",
  "error": {
    "type": "urn:ietf:params:acme:error:tls",
    "detail": "remote error: tls: no application protocol",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/challenge/r0SezKHKl6X1NnpTwsrQTNR0u_gvS6oBNKVc-Ku-Vi8/12715433690",
  "token": "Zu_8OUV2N_hJ3hcv6ABktsdNNh74GHquiPOmr4ZBR94",
  "validationRecord": [
    {
      "hostname": "www.mydomain.org",
      "port": "443",
      "addressesResolved": [
        "xx.xx.xx.xx" 
      ],
      "addressUsed": "xx.xx.xx.xx" 
    }
  ]
})
===================
Domain and IP redacted.

I'm using OpenSSL 1.1.1a.
Any help appreciated.

Best regards, Shrike


Replies (22)

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

Any help appreciated.

Step 1: consider providing basic information such as your lighttpd.conf and any messages from the lighttpd error log.
Step 2: I wrote HowToSimpleSSL after running exactly those steps, so you should verify in detail that you have followed the steps as written.

"detail": "remote error: tls: no application protocol",

Do you have lighttpd set up to serve TLS on port 443?

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

I have posted my lighttpd.conf here
http://www.shrike.tk/pub/lighttpd.conf

"Do you have lighttpd set up to serve TLS on port 443?"
Yeah, um, I have it configured as instructed on the wiki.

It does work as https as unauthorized.

When I (re)start lighttpd the error log only reports:
"2019-02-18 00:49:18: (server.c.2059) server stopped by UID = 0 PID = 4433
2019-02-18 00:49:20: (server.c.1464) server started (lighttpd/1.4.53)"

but that is with the self-signed keys, as instructed in the step just before on the wiki page.

If I can provide more info, let me know.

Best regards, Shrike.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

Are there any other dependencies I should meet?
I have lighttpd -v:
lighttpd/1.4.53 (ssl) - a light and fast webserver

OpenSSL 1.1.1a
GnuTLS 3.5.19

I'm running LFS (Linux From Scratch) 8.3
with openssl and lighttpd updated to the newest versions.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

Oh, forgot...
I have these modules enabled:

/etc/lighttpd/modules.conf

server.modules = (
  "mod_access",
  "mod_alias",
#  "mod_auth",
#  "mod_evasive",
  "mod_redirect",
  "mod_rewrite",
  "mod_openssl",
#  "mod_setenv",
#  "mod_usertrack",
)

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

/etc/lighttpd/modules.conf
server.modules = (
"mod_access",
"mod_alias",
"mod_redirect",
"mod_rewrite",
"mod_openssl",
)

=======
The hash tags got translated into numbers.
I re-posted this without those lines.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

Are you behind a NAT or other firewall that would prevent Let's Encrypt from reaching your site after a DNS lookup of the site?

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

I traced the iptables log... nothing gets blocked,
and everything gets DMZ-ed to the server.

I even tried it with iptables turned off (allow everything).

But when iptables is on, the DNS port is open to/from the server.

I have this feeling it's something "small" but it just eludes me...

I have triple-checked everything and started from scratch 3 times.
It's just the last step.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

Would you verify that the directories exist?
/etc/lighttpd/dehydrated/tls-alpn-01/
/etc/lighttpd/certs/www.shrike.tk/

Try running ldd on the lighttpd binary and on mod_openssl.so and ensure that they are linked against openssl libs, not GnuTLS.

You probably want to test with the Let's Encrypt staging environment https://letsencrypt.org/docs/staging-environment/ with dehydrated so that you don't get blocked by the main server for too many tries.

Try strace on lighttpd during a run of dehydrated and see if lighttpd attempts to read anything from /etc/lighttpd/dehydrated/tls-alpn-01/.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

/etc/lighttpd/dehydrated/tls-alpn-01/
exists as empty directory
/etc/lighttpd/certs/www.shrike.tk/
exists and holds the pem files.

I'll post back when I have more info.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

strace log and ldd output in the link below
http://www.shrike.tk/pub/debug.txt
No linkage to GnuTLS.

----

openat(AT_FDCWD, "/etc/lighttpd/dehydrated/tls-alpn-01/www.shrike.tk.crt.pem", O_RDONLY) = -1 EACCES (Permission denied)

----
That's a bit troubling.

I have given the directory full access to lighttpd (user www)
and chmod it to 776 (even tried 777).

I'm running the dehydrated command as root,
so there 'should' be no Permission denied.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

openat(AT_FDCWD, "/etc/lighttpd/dehydrated/tls-alpn-01/www.shrike.tk.crt.pem", O_RDONLY) = -1 EACCES (Permission denied)
---
That's a bit troubling.

Yes, that would be why lighttpd is unable to serve the certificate to pass the challenge.

You should run dehydrated as the same user under which lighttpd is running. It does not have to run privileged as root. If lighttpd drops privileges to a user other than root, lighttpd will need to be able to read the cert files as this other user. Make sure that dehydrated is writing files with permissions that can be read by the user that lighttpd is running as.
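The point gstrauss makes here (the cert files must be readable by the user lighttpd drops privileges to, not just by root) can be checked before restarting the server. The script below is an added example, not code from the thread or from lighttpd/dehydrated. It judges readability from mode bits and ownership only (it ignores POSIX ACLs and the fact that root bypasses these checks), assumes GNU coreutils `stat -c` as found on Linux, and takes the lighttpd user name `www` and the directory layout from the thread; the `--run` flag and the `DOMAIN` variable are this script's own conventions.

```sh
#!/bin/sh
# Added example (not from the thread): does the lighttpd worker user have read
# access to the files dehydrated wrote?  Walks the whole path because an
# unsearchable ancestor directory produces the same EACCES as an unreadable file.
# Assumes GNU coreutils `stat -c` (Linux). Ignores ACLs and root's DAC override.

# perm_digit_for FILE USER -> the octal rwx digit that applies to USER
# (owner digit if USER owns FILE, group digit if USER is in FILE's group, else other).
perm_digit_for() {
    info=$(stat -c '%a %u %g' "$1") || return 2
    uid=$(id -u "$2") || return 2
    gids=$(id -G "$2") || return 2
    set -- $info
    mode=$(printf '%03d' "$1"); owner_uid=$2; owner_gid=$3
    mode=${mode#"${mode%???}"}        # drop setuid/setgid/sticky digit, keep rwx digits
    if [ "$owner_uid" = "$uid" ]; then
        printf '%s\n' "${mode%??}"                    # owner digit
    elif printf '%s\n' $gids | grep -qx -- "$owner_gid"; then
        rest=${mode#?}; printf '%s\n' "${rest%?}"     # group digit
    else
        printf '%s\n' "${mode#??}"                    # other digit
    fi
}

# has_bit DIGIT BIT -> exit 0 if octal DIGIT includes BIT (4=read, 2=write, 1=execute)
has_bit() { [ $(( $1 & $2 )) -ne 0 ]; }

# readable_by USER FILE / searchable_by USER DIR
readable_by()   { d=$(perm_digit_for "$2" "$1") && has_bit "$d" 4; }
searchable_by() { d=$(perm_digit_for "$2" "$1") && has_bit "$d" 1; }

# check_path USER PATH -> prints "ok: ..." (exit 0) or "denied: ..." (exit 1)
check_path() {
    user=$1; path=$2
    readable_by "$user" "$path" || { echo "denied: $path is not readable by $user"; return 1; }
    dir=$(dirname "$path")
    while [ "$dir" != / ] && [ "$dir" != . ]; do
        searchable_by "$user" "$dir" || { echo "denied: $dir is not searchable by $user"; return 1; }
        dir=$(dirname "$dir")
    done
    echo "ok: $path is readable by $user"
}

# Usage: sh check_perms.sh --run   (run as root after dehydrated has written its files)
# DOMAIN is a placeholder; set it to the host you issued the cert for.
if [ "${1:-}" = "--run" ]; then
    DOMAIN=${DOMAIN:-www.mydomain.org}
    status=0
    for f in /etc/lighttpd/dehydrated/tls-alpn-01/*.pem /etc/lighttpd/certs/"$DOMAIN"/*.pem; do
        [ -e "$f" ] || continue
        check_path www "$f" || status=1
    done
    exit $status
fi
```

Run it while dehydrated is mid-challenge (the `*.crt.pem` in the ALPN directory only exists for a few seconds) or against the `certs/` output afterwards; a `denied:` line names the exact path component that will show up as `EACCES` in strace.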

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

Success. Well, almost.

I found the problem:
the user "www" for lighttpd did not have a login shell, i.e. /bin/bash.

Now using the non-staging CA,
I get a successful dehydrated response.

==========
Processing www.shrike.tk
+ Checking domain name(s) of existing cert... unchanged.
+ Checking expire date of existing cert...
+ Valid till May 19 19:06:36 2019 GMT Certificate will not expire
(Longer than 30 days). Ignoring because renew was forced!
+ Signing domains...
+ Generating private key...
+ Generating signing request...
+ Requesting new certificate order from CA...
+ Received 1 authorizations URLs from the CA
+ Handling authorization for www.shrike.tk
+ Generating ALPN certificate and key for www.shrike.tk...
+ 1 pending challenge(s)
+ Deploying challenge tokens...
+ Responding to challenge for www.shrike.tk authorization...
+ Challenge is valid!
+ Cleaning challenge tokens...
+ Requesting certificate...
+ Checking certificate...
+ Done!
+ Creating fullchain.pem...
+ Done!
=============
And I see newly created symlinks to the pem files,
i.e. cert.pem -> cert-1550520703.pem
etc. etc.

However, after I restart lighttpd
I get a "Secure Connection Failed" when I go to https://www.shrike.tk

lighttpd error log shows:
2019-02-18 21:22:17: (mod_openssl.c.1645) SSL: renegotiation initiated by client, killing connection
2019-02-18 21:22:17: (mod_openssl.c.1645) SSL: renegotiation initiated by client, killing connection

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

openssl s_client -connect www.shrike.tk:443
connects to your site, but is immediately disconnected.

See #2912 and the patch in commit 7a7f4f98
Are you sure you're using lighttpd 1.4.53? The above patch was in lighttpd 1.4.51.
If you're using lighttpd 1.4.53, check your cipher list (comment it out and test).

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

Yes, lighttpd -V
replies:

lighttpd/1.4.53 (ssl) - a light and fast webserver

Event Handlers:

        + select (generic)
        + poll (Unix)
        + epoll (Linux)
        - /dev/poll (Solaris)
        - eventports (Solaris)
        - kqueue (FreeBSD)
        - libev (generic)

Network handler:

        + linux-sendfile
        - freebsd-sendfile
        - darwin-sendfile
        - solaris-sendfilev
        + writev
        + write
        - mmap support

Features:

        - IPv6 support
        + zlib support
        + bzip2 support
        + crypt support
        + SSL support
        + PCRE support
        - MySQL support
        - PgSQL support
        - DBI support
        - Kerberos support
        - LDAP support
        - PAM support
        - memcached support
        - FAM support
        - LUA support
        - xml support
        - SQLite support
        - GDBM support

All occurrences of cipher are commented out in the lighttpd.conf,
and cipher is not used in any of the conf.d/ files.

And I restarted lighttpd (and rebooted the whole machine).

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

Note...
with the self-signed keys
I could add the security exception in Firefox,
so mod_openssl does work with the self-signed,
but not with the signed one from Let's Encrypt.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

I have a Let's Encrypt cert on a test site of mine, and the config works with lighttpd 1.4.53.

server.document-root = "/home/xxxxx/web/www.example.com/"

server.bind = "0.0.0.0"
server.port = 8080

mimetype.assign = (".txt" => "text/plain")

server.modules += ("mod_openssl")
server.modules += ("mod_setenv")
setenv.add-response-header = (
    "Strict-Transport-Security" => "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options" => "DENY",
    "X-Content-Type-Options" => "nosniff"
)

$SERVER["socket"] == "0.0.0.0:8443" {
    ssl.engine = "enable"
    ssl.privkey= "/home/xxxxx/web/certs/www.example.com/privkey.pem"
    ssl.pemfile= "/home/xxxxx/web/certs/www.example.com/cert.pem"
    ssl.ca-file= "/home/xxxxx/web/certs/www.example.com/chain.pem"
    ssl.acme-tls-1 = "/home/xxxxx/web/acme-tls-1"
    #ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    #ssl.openssl.ssl-conf-cmd = ("Protocol" => "-ALL, TLSv1.2, TLSv1.3")
}

This test system is running Fedora Linux 29. You mentioned that you're running Linux From Scratch. That's fine, but would you consider testing on another system? There is something amiss that I can connect to www.shrike.tk port 443, negotiate and get your cert, but then your server disconnects before I can make an HTTP request. Have you tested using the openssl s_client command I provided further above, and looked at the result in the lighttpd error log?

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

I'm willing to try that...
I still have a Fedora 27 dual boot that I used as a staging system to compile from scratch.

I did try the openssl s_client. After I ran that command nothing showed/happened in the console for a minute, then I pressed Ctrl-C.

What does this mod do?
server.modules += ("mod_setenv")
Do I need it?

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

As a side note,
I'm willing to try everything.
When this turns out to be successful I'm going to write an article about the pitfalls for an LFS user.
And I will try to have the BLFS team include Lighty as an option to install besides Apache.

I have been using Lighty myself for years, just not the SSL/HTTPS.

And certbot does not work for LFS users.
certbot just exits with a message "sorry unknown OS and/or Web server".
certbot is too automated and reliant on distros/Apache.

I'm kind of a Lighty fan. :-)

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

I did try the openssl s_client. After I ran that command nothing showed/happened in the console for a minute, then I pressed Ctrl-C.

It handles the encryption and gives you a prompt. Try typing a request. e.g.

GET /index.html HTTP/1.0


(include a second "Enter" at the end of the request)

The mod_setenv stuff is recommended, and comes from https://cipherli.st/ , but is not required.

If openssl s_client works for you connecting from localhost, then try from a remote system.
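Two checks from this thread lend themselves to a script: the validator's view of the TLS-ALPN-01 responder (the original error, "remote error: tls: no application protocol", means the server did not select the acme-tls/1 ALPN protocol that the Let's Encrypt validator offers along with SNI), and the scripted version of the `openssl s_client` request gstrauss describes just above. The script below is an added example, not code from the thread or from lighttpd, dehydrated or Let's Encrypt. It assumes the output format of OpenSSL 1.1.x `s_client` (the `ALPN protocol:` / `No ALPN negotiated` lines) and keeps the parsers separate from the network calls so they can be exercised offline on constructed output; the host argument is a placeholder.

```sh
#!/bin/sh
# Added example (not from the thread): probe a TLS endpoint the way the
# TLS-ALPN-01 validator does (SNI + ALPN "acme-tls/1"), and send a scripted
# HTTP request over TLS to see whether the server answers or just hangs up.
# Assumes OpenSSL 1.1.x s_client output. Parsing is separated from I/O.

# parse_alpn OUTPUT -> the ALPN protocol the server selected, or "none"
parse_alpn() {
    printf '%s\n' "$1" | awk '
        /^ALPN protocol: /    { sub(/^ALPN protocol: /, ""); print; found = 1; exit }
        /^No ALPN negotiated/ { print "none"; found = 1; exit }
        END                   { if (!found) print "none" }'
}

# alpn_probe HOST PORT -> "acme-tls/1" only while a TLS-ALPN-01 responder is
# active for HOST; anything else is what the CA saw as "no application protocol".
alpn_probe() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -alpn acme-tls/1 \
            </dev/null 2>/dev/null)
    parse_alpn "$out"
}

# classify_http OUTPUT -> "status <code>" from the response line,
# or "closed-without-response" when the server disconnected first
classify_http() {
    printf '%s\n' "$1" | awk '
        /^HTTP\/[0-9.]+ [0-9][0-9][0-9]/ { print "status " $2; found = 1; exit }
        END                              { if (!found) print "closed-without-response" }'
}

# http_probe HOST PORT -> classification of the reply to "GET / HTTP/1.0"
# (the request typed by hand in the thread, here piped in; HTTP/1.0 makes the
# server close the connection after the response so s_client returns)
http_probe() {
    out=$(printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" \
          | openssl s_client -connect "$1:$2" -servername "$1" -quiet 2>/dev/null)
    classify_http "$out"
}

# Usage: sh tls_probe.sh www.example.org [443]   (host is a placeholder)
if [ "$#" -ge 1 ]; then
    host=$1; port=${2:-443}
    echo "ALPN selected for acme-tls/1 : $(alpn_probe "$host" "$port")"
    echo "HTTP probe                   : $(http_probe "$host" "$port")"
fi
```

Run the ALPN probe from a machine outside the NAT while dehydrated is waiting on the challenge; run the HTTP probe both from localhost and remotely, as gstrauss suggests, and compare with the lighttpd error log. A `closed-without-response` result with a successful handshake is the symptom described later in this thread.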

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

Nothing happens when I enter "GET /index.html HTTP/1.0".

Ohh, but I entered the command from the same machine...
I'm working from a Windows SSH connection into my server (PuTTY).

I'll try upgrading to F29 tomorrow and set everything up from there.
Will take a while, day job and such.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by gstrauss 10 months ago

Just to be clear, when running openssl s_client ..., at the point where it "hangs", that is where it is waiting for you to type the request and press Enter twice.

Before you update to F29, you might copy the certs over to your F27. If you compile lighttpd there, you can try running with the Let's Encrypt certs.

RE: Let's Encrypt dehydrated lighttpd 1.4.53 - Added by Shrike 10 months ago

[Solved]

I compiled a new kernel 4.20.10 with the crypto options listed below.
Then I recompiled lighttpd 1.4.53.

Now it works.
I'm not sure which kernel options are the ones necessary.
A lot of the options were already on, but I turned on some more.

Thank you kindly, good Sir, for your support, time, effort and patience.

Best regards, Shrike

----------------------------------
These are the kernel crypto options I currently have enabled.

  *** Crypto core or helper ***
  -*-   RSA algorithm
  -*-   Cryptographic algorithm manager
  [*]   Disable run-time self tests
  -*-   GF(2^128) multiplication functions
  -*-   Null algorithms
  <M>   Parallel crypto engine
  {M}   Software async crypto daemon
  <*>   Authenc support

  *** Authenticated Encryption with Associated Data ***
  {*}   CCM support
  {*}   GCM/GMAC support
  -*-   Sequence Number IV Generator
  <*>   Encrypted Chain IV Generator
  *** Block modes ***
  <*>   CBC support
  <*>   CFB support
  -*-   CTR support
  <*>   CTS support
  -*-   ECB support
  <*>   LRW support
  <*>   OFB support
  <*>   PCBC support
  <*>   XTS support
  <*>   Key wrapping support
  *** Hash modes ***
  {*}   CMAC support
  -*-   HMAC support
  <*>   XCBC support
  <*>   VMAC support
  *** Digest ***
  -*-   CRC32c CRC algorithm
  <*>   CRC32c INTEL hardware acceleration
  <*>   CRC32 CRC algorithm
  <*>   CRC32 PCLMULQDQ hardware acceleration
  <*>   CRCT10DIF algorithm
  -*-   GHASH digest algorithm
  -*-   Poly1305 authenticator algorithm
  <*>   Poly1305 authenticator algorithm (x86_64/SSE2/AVX2)

  <*>   Pseudo Random Number Generation for Cryptographic modules
  -*-   NIST SP800-90A DRBG  --->
  -*-   Jitterentropy Non-Deterministic Random Number Generator
  <*>   User-space interface for hash algorithms
  <*>   User-space interface for symmetric key cipher algorithms
  <*>   User-space interface for random number generator algorithms
  <*>   User-space interface for AEAD cipher algorithms

  -*- Provide system-wide ring of trusted keys
  ()    Additional X.509 keys for default system keyring
  [*]   Reserve area for inserting a certificate without recompiling
  (4096)  Number of bytes to reserve for the extra certificate
  [*]   Provide a keyring to which extra trustable keys may be added
  [*] Provide system-wide ring of blacklisted keys
  ()    Hashes to be preloaded into the system blacklist keyring
