Posted to dev@ofbiz.apache.org by Jacques Le Roux <ja...@les7arts.com> on 2017/08/04 14:29:17 UTC

[FYI] Let's encrypt certificate renewal failed

Hi,

Today I noticed our Let's Encrypt certificate renewal failed. So I asked for help on Infra HipChat. It's a known issue and actually easy to fix.

For history and possibly future need, here is the discussion I had with Chris Thistlethwaite:

[4:14 PM] Jacques Le Roux: Hi, we have an issue with Let's Encrypt certificate (3 months, right?) renewal for OFBiz demos:
https://demo-trunk.ofbiz.apache.org
I remember we had that already, but did not find a request in my closed infra requests.
So I guess I asked for a solution here and did not note it
[4:15 PM] Chris Thistlethwaite: most likely in here :)
[4:16 PM] Jacques Le Roux: yep, but too late for history I guess
[4:16 PM] Jacques Le Roux: BTW we are Puppetized if that helps :)
[4:19 PM] Chris Thistlethwaite: @jleroux fixed!
[4:19 PM] Jacques Le Roux: Great stuff @christ :) What was it?
[4:20 PM] Chris Thistlethwaite: we have a bit of an issue with letsencrypt renewals as the renewal process tries to use port 443, which httpd is bound to, thus it fails. Workaround is to stop httpd, run the renewal, start httpd back up
[4:21 PM] Jacques Le Roux: I should be able to do that myself on our VM, right?
[4:21 PM] Jacques Le Roux: Mmm not sure about "run the renewal"...
[4:21 PM] Chris Thistlethwaite: you have sudo on that right? if so then yeah
[4:22 PM] Chris Thistlethwaite: check the cron job for root
[4:22 PM] Jacques Le Roux: Yes sudo I have
[4:22 PM] Jacques Le Roux: OK I note that, thanks !
[4:22 PM] Chris Thistlethwaite: np, hope we have that fixed before it needs renewed again
[4:22 PM] Jacques Le Roux: yep, let's see ;)

FWIW (I did not try myself)

Jacques
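
The workaround from the chat above (stop httpd, run the renewal, start httpd back up), as an added example that is not part of the original thread. The service and renewal commands are assumptions (the real ones are in root's cron job on the host), as are the function names; httpd is started again even when the renewal fails, and nothing is stopped while the certificate is not yet close to expiry.

```shell
#!/bin/sh
# Added example, not from the thread. The three commands are assumptions:
# override them to match the host's service name and ACME client.
STOP_CMD=${STOP_CMD:-"systemctl stop httpd"}        # assumption
RENEW_CMD=${RENEW_CMD:-"certbot renew --quiet"}     # assumption
START_CMD=${START_CMD:-"systemctl start httpd"}     # assumption

# Return 0 when the certificate file $1 expires within $2 days.
# An unreadable or missing file also counts as "due".
cert_expires_within() {
    cert=$1; days=$2
    [ -r "$cert" ] || return 0
    if openssl x509 -checkend $(( $days * 86400 )) -noout -in "$cert" >/dev/null 2>&1; then
        return 1    # still valid beyond the window
    fi
    return 0
}

# Free port 443, renew, and start httpd again however the renewal went.
# Return codes: 0 renewed
#               1 renewal failed, httpd is running again
#               2 httpd could not be stopped, renewal not attempted
#               3 httpd did NOT come back up (site is down)
renew_with_httpd_stopped() {
    if ! sh -c "$STOP_CMD"; then
        echo "renew: could not stop httpd, renewal skipped" >&2
        return 2
    fi
    renew_rc=0
    sh -c "$RENEW_CMD" || renew_rc=1
    if ! sh -c "$START_CMD"; then
        echo "renew: CRITICAL, httpd did not start again" >&2
        return 3
    fi
    [ "$renew_rc" -eq 0 ] || echo "renew: renewal failed, old certificate still served" >&2
    return "$renew_rc"
}

# Cron entry point: only take httpd down when the certificate is due.
# $1 = path to the live certificate, $2 = renewal window in days.
renew_if_due() {
    if cert_expires_within "$1" "$2"; then
        renew_with_httpd_stopped
    else
        return 0
    fi
}
```

From cron, source the file and call `renew_if_due <certificate path> 30`; a non-zero status makes cron mail the message, and status 3 is the one that needs immediate attention.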


Re: [FYI] Let's encrypt certificate renewal failed

Posted by Jacques Le Roux <ja...@les7arts.com>.
Yes thanks Pierre,

Actually Chris did it then (On Fri, Aug 4, 2017 at 4:29 PM). Maybe we will need to ask again in 3 months. It's the 2nd time I do that. I simply ask for help in HipChat Infra room.

Jacques




Re: [FYI] Let's encrypt certificate renewal failed

Posted by Pierre Smits <pi...@gmail.com>.
Hey Jacques,

It seems to be correct again for:

   - https://demo-trunk.ofbiz.apache.org
   - https://demo-stable.ofbiz.apache.org
   - https://demo-old.ofbiz.apache.org


The expiration date is now: Nov 2nd, 2017

Best regards,

Pierre Smits

ORRTIZ.COM <http://www.orrtiz.com>
OFBiz based solutions & services

OEM - the independent OFBiz Extensions Marketplace
http://oem.ofbizci.net/oci-2/


Re: [FYI] Let's encrypt certificate renewal failed

Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Richard, All,

As you may have seen, I have actually rather sent an email to infra (subject: "Let's encrypt certificate renewal failed")

Let's see...

Jacques




Re: [FYI] Let's encrypt certificate renewal failed

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Richard,

I'll speak about it with the ASF infra team

Jacques




Re: [FYI] Let's encrypt certificate renewal failed

Posted by Richard Siddall <ri...@elirion.net>.
Jacques,

Sorry, that was the README.md on the GetSSL project, 
https://github.com/srvrco/getssl/blob/master/README.md, which is what 
GitHub displays when you go to https://github.com/srvrco/getssl.

There are tons of Let's Encrypt clients out there.  The infra team may 
not have looked at many.  The original client works well enough for many 
people.  It works well with Apache httpd, but I think it's harder to use 
with Tomcat.

I have not looked for a Java client that can be integrated into OFBiz.

	Richard.



Re: [FYI] Let's encrypt certificate renewal failed

Posted by Jacques Le Roux <ja...@les7arts.com>.
Thanks Richard,

That's interesting. Which README are you speaking about? I guess the infra team is aware, but maybe we could push in this direction...

Jacques




Re: [FYI] Let's encrypt certificate renewal failed

Posted by Richard Siddall <ri...@elirion.net>.
I have been using GetSSL (https://github.com/srvrco/getssl) instead of 
the old Let's Encrypt ACME client.  It's fairly easy to extend with 
shell scripts to get challenge files in the correct place.  I have not 
used DNS challenges.

I just noticed that the README says "If you use puppet, there is a 
GetSSL Puppet module by dthielking."

	Richard
