LetsEncrypt

duckpinchris
Posts: 27
Joined: Sun Aug 24, 2014 7:32 am

LetsEncrypt

Post by duckpinchris »

I've been waiting weeks for Asustor customer service but have not heard back. I keep getting errors when trying to create a new cert that has all my subdomains on it, as my email keeps saying it cannot trust the server, even though it still works. So I tried to create a new cert, but it keeps failing, and after the 4th try it says I can't create any more right now, I guess for trying and it failing. How can I get this to work so I can use the certs on the NAS so my email server will be trusted?
ea_gbg
Posts: 1
Joined: Mon Apr 18, 2022 6:54 pm

Re: LetsEncrypt

Post by ea_gbg »

I also have problems with both creating and renewing certificates with Let's Encrypt. It has been working fine before.
wingstyle
Posts: 53
Joined: Sun Mar 28, 2021 3:49 am

Re: LetsEncrypt

Post by wingstyle »

I'm having the same issue. I got an error, then I remembered I changed my Web Server ports per Asustor's recommendation for the Deadbolt ransomware issue. I then changed them back to 80 and 443. Still couldn't get a new cert. Tried a couple more times and now I get the error "the number of certificates issued by Let's Encrypt for your domain name has reached its limit. (Ref. 5019)". Not sure what to do from here. I now notice that Web Center overview has a note in red: "Note: Web Center needs Web server and PHP extensions that are found at App Central." at the bottom of the page. I went to App Central and don't see the extensions. Probably because I don't know what I am looking for. I have Apache HTTP Server and PHP 7.3 installed. I also see in the Web Center log page that Web Center shows "web server restart failed"

Can anyone point me in the right direction on what I need to do?

samtzu is saying we are lazy admins. I am not lazy, just not a networking expert like he obviously is :) Maybe he can give some helpful advice rather than belittling those of us that are not as accomplished as him at networks.
Nazar78
Posts: 2003
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: LetsEncrypt

Post by Nazar78 »

"the number of certificates issued by Let's Encrypt for your domain name has reached its limit. (Ref. 5019)"
This limitation is imposed by Let's Encrypt. https://letsencrypt.org/docs/rate-limits/ Nothing we can do except wait for a week or so. IIRC there's also a limit on what the top-level domain can have. E.g. there could be thousands of users using my-asustor-id.myasustor.com, but the limit for myasustor.com is only 500.

This will not be an issue if you're using your own personal domain. For myself, my personal domain is using the wildcard cert with SAN.

I also don't use the Asustor's provided Let's Encrypt app because it still doesn't support wildcard, ECC certificates and DNS TXT records. So instead I'm using acme.sh installed manually in chroot. You can also install acme.sh or certbot in LXC, Docker container, VM or entware. Note this requires some basic shell knowledge. You can Google more about acme.sh (preferred) or certbot.

My advice is to look for other DDNS providers with the least common names then maybe append your myasustor.com DDNS as the SAN. You can start with freedns.afraid.org.

As for Apache's connectivity, you can use another port if 80/443 are already being used on the NAS. But ensure your router is forwarding port 443 back to the NAS on whichever port Apache is set to listen on.
AS5304T - 16GB DDR4 - ADM-OS modded on 2GB RAM
Internal:
- 4x10TB Toshiba RAID10 Ext4-Journal=Off
External 5 Bay USB3:
- 4x2TB Seagate modded RAID0 Btrfs-Compression
- 480GB Intel SSD for modded dm-cache (initramfs auto update patch) and Apps

When posting, consider checking the box "Notify me when a reply is posted" to get faster response
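Nazar78's point about wildcard certificates and DNS TXT records is that the DNS-01 challenge never touches port 80/443 at all: the client publishes one TXT record and the CA looks it up. The Python below is an added example written for this thread (not code from Asustor's Let's Encrypt app, acme.sh or certbot) showing how an ACME client derives that record from the challenge token and the account key, per RFC 8555 §8.4 and RFC 7638. The account key, token and zone contents are constructed stand-ins: the EC coordinates are not a real curve point, and the "zone" dict replaces the DNS lookup the CA would do.

```python
"""DNS-01 challenge value for a (wildcard) name, as an ACME client computes it.
Added example for this thread; not Asustor's app or acme.sh code.
The account key, token and zone below are constructed."""
import base64
import hashlib
import json

# Members that RFC 7638 hashes for each key type (lexicographic order).
REQUIRED_JWK_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}

# Constructed ACME account key (public half). The coordinates are stand-ins in
# the right shape, not a real point; the thumbprint computation does not care.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
    "alg": "ES256",  # optional member: must NOT influence the thumbprint
}
TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"  # constructed challenge token


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required members only, sorted keys, no whitespace."""
    members = REQUIRED_JWK_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token || "." || thumbprint(account key), RFC 8555 §8.1."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_record(identifier: str, token: str, jwk: dict) -> tuple:
    """Owner name and TXT value to publish (RFC 8555 §8.4). A wildcard is
    validated at its base name, so *.example.com and example.com both use
    _acme-challenge.example.com (with their own tokens in a real order)."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return "_acme-challenge." + base, b64url(digest)


def txt_record_published(zone: dict, owner: str, expected: str) -> bool:
    """Stand-in for the CA's DNS lookup: true if any TXT at `owner` matches.
    Other TXT records at the same owner (SPF etc.) are allowed to coexist."""
    return expected in zone.get(owner, [])


OWNER, VALUE = dns01_record("*.example.com", TOKEN, ACCOUNT_JWK)

# Constructed zone contents, as if copied from the DNS provider's panel.
ZONE = {
    OWNER: ["v=spf1 -all", VALUE],          # unrelated TXT plus the challenge
    "_acme-challenge.nas.example.com": [],  # nothing published for this name
}

if __name__ == "__main__":
    print(OWNER, VALUE)
    print("published:", txt_record_published(ZONE, OWNER, VALUE))
```

The value is what you must see when you query the `_acme-challenge` name from outside (e.g. `dig TXT _acme-challenge.example.com`) before telling the CA to validate; DNS-01 with a new TXT record each time is also why a DDNS provider needs an API or update URL for TXT records, which is the gap Nazar78 describes in the stock app.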
wingstyle
Posts: 53
Joined: Sun Mar 28, 2021 3:49 am

Re: LetsEncrypt

Post by wingstyle »

Thanks Nazar78. Your information is quite clear and will be helpful once I read and learn more about the items you list/recommend. I will look into my own domain or utilizing freedns.afraid.org.

I do have one question. does me getting the domain name reaching its limit error indicate I have everything set up correctly to request an update to my certificate, and Let's Encrypt is letting me know my (myasustor.com) domain has reached its limit?
Nazar78
Posts: 2003
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: LetsEncrypt

Post by Nazar78 »

I do have one question. does me getting the domain name reaching its limit error indicate I have everything set up correctly to request an update to my certificate, and Let's Encrypt is letting me know my (myasustor.com) domain has reached its limit?
No prob and yes you're right about this error.
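Before retrying after a "Ref. 5019" error it is worth knowing which Let's Encrypt limit you actually hit, because the wait is different: in 2022 the published limits were 50 certificates per registered domain per week (renewals, i.e. certificates with exactly the same set of names, exempt), 5 duplicate certificates per week, and 5 failed validations per account, per hostname, per hour. The first two are visible in Certificate Transparency logs; the third is not, since nothing was issued. The Python below is an added example written for this thread (not Asustor code) that counts recent issuances from CT rows. The rows are constructed in the shape of crt.sh's JSON output (https://crt.sh/?q=%25.example.com&output=json, fields serial_number, name_value, not_before); the "registered domain" is approximated as the last two labels, which is an assumption that real code should replace with a Public Suffix List lookup.

```python
"""Count recent Let's Encrypt issuances for a registered domain from CT rows,
so a "Ref. 5019" error can be matched to the per-domain or duplicate limit.
Added example for this thread, not Asustor code. Rows are constructed in the
shape of crt.sh JSON output; limits are those Let's Encrypt published in 2022."""
from datetime import datetime, timedelta

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 50   # counts new name sets only
DUPLICATE_CERTS_PER_WEEK = 5                # same exact set of names
WINDOW = timedelta(days=7)

NOW = datetime(2022, 5, 21, 12, 0, 0)       # constructed "current time"

# Constructed CT rows: an old multi-SAN cert, five rapid re-issues of one
# name (what repeated "create certificate" clicks look like), a different
# name, and a cert for an unrelated domain. Serial 01 appears twice because
# crt.sh lists the precertificate and the leaf as separate rows.
SAMPLE_CT_ROWS = [
    {"serial_number": "00", "name_value": "nas.example.com\nmail.example.com", "not_before": "2022-04-01T00:00:00"},
    {"serial_number": "01", "name_value": "nas.example.com", "not_before": "2022-05-20T08:00:00"},
    {"serial_number": "01", "name_value": "nas.example.com", "not_before": "2022-05-20T08:00:00"},
    {"serial_number": "02", "name_value": "nas.example.com", "not_before": "2022-05-20T08:10:00"},
    {"serial_number": "03", "name_value": "nas.example.com", "not_before": "2022-05-20T08:20:00"},
    {"serial_number": "04", "name_value": "nas.example.com", "not_before": "2022-05-20T08:30:00"},
    {"serial_number": "05", "name_value": "nas.example.com", "not_before": "2022-05-20T08:40:00"},
    {"serial_number": "06", "name_value": "mail.example.com", "not_before": "2022-05-19T09:00:00"},
    {"serial_number": "07", "name_value": "www.other-example.net", "not_before": "2022-05-20T10:00:00"},
]


def registered_domain(name: str) -> str:
    """Registrable domain, approximated as the last two labels. Assumption: no
    multi-label public suffix; real code should consult the Public Suffix List."""
    labels = name.lower().lstrip("*.").split(".")
    return ".".join(labels[-2:])


def unique_certs(rows: list) -> list:
    """Collapse rows to one (not_before, frozenset(names)) per serial, oldest first."""
    by_serial = {}
    for row in rows:
        names = frozenset(n.strip().lower() for n in row["name_value"].split("\n") if n.strip())
        by_serial.setdefault(row["serial_number"],
                             (datetime.fromisoformat(row["not_before"]), names))
    return sorted(by_serial.values(), key=lambda cert: cert[0])


def issuance_report(rows: list, requested_names: list, now: datetime) -> dict:
    """Apply the two CT-visible limits to the names you are about to request."""
    wanted = frozenset(n.lower() for n in requested_names)
    domain = registered_domain(next(iter(wanted)))
    seen_sets = set()
    new_sets, duplicates = [], []
    for issued, names in unique_certs(rows):
        if not any(registered_domain(n) == domain for n in names):
            continue
        in_window = now - WINDOW < issued <= now
        if names not in seen_sets:          # first cert ever with this exact name set
            seen_sets.add(names)
            if in_window:
                new_sets.append(issued)
        if in_window and names == wanted:   # duplicate of what we want to issue
            duplicates.append(issued)
    report = {
        "registered_domain": domain,
        "new_name_sets_last_7_days": len(new_sets),
        "duplicates_last_7_days": len(duplicates),
        "domain_limit_hit": len(new_sets) >= CERTS_PER_REGISTERED_DOMAIN_PER_WEEK,
        "duplicate_limit_hit": len(duplicates) >= DUPLICATE_CERTS_PER_WEEK,
    }
    if report["domain_limit_hit"]:
        report["domain_slot_frees_at"] = (new_sets[0] + WINDOW).isoformat()
    if report["duplicate_limit_hit"]:
        report["duplicate_slot_frees_at"] = (duplicates[0] + WINDOW).isoformat()
    return report


if __name__ == "__main__":
    for key, value in issuance_report(SAMPLE_CT_ROWS, ["nas.example.com"], NOW).items():
        print(f"{key}: {value}")
```

On the constructed rows the report says the duplicate limit is what blocks another nas.example.com certificate and gives the time the oldest of the five drops out of the window; the per-domain limit is nowhere near hit. That matches Nazar78's advice in practice: changing the name set (adding a SAN, or moving to a name under a different registered domain such as one from freedns.afraid.org) sidesteps the duplicate limit, while only waiting clears it for the same set of names. Also run the check against the staging environment's limits in mind: staging has much higher limits, so test the setup there and issue from production once.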
wingstyle
Posts: 53
Joined: Sun Mar 28, 2021 3:49 am

Re: LetsEncrypt

Post by wingstyle »

Nazar78, Thanks for your help. I used freedns.afraid.org to get a new domain/subdomain and then used that to get a new Lets Encrypt certificate. I am now able to use a reverse proxy to connect with photoprism externally using https. All is good again.
Nazar78
Posts: 2003
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: LetsEncrypt

Post by Nazar78 »

wingstyle wrote:Nazar78, Thanks for your help. I used freedns.afraid.org to get a new domain/subdomain and then used that to get a new Lets Encrypt certificate. I am now able to use a reverse proxy to connect with photoprism externally using https. All is good again.
No problem, don't forget to add the cron to auto-update your DDNS if required. You can just use the built-in crontab: SSH into the NAS and run: crontab -e, then edit using vi, and add this to update every 5 mins: */5 * * * * curl -k https://[the update link]...
wingstyle
Posts: 53
Joined: Sun Mar 28, 2021 3:49 am

Re: LetsEncrypt

Post by wingstyle »

Hi Nazar78,
I have been looking at adding to my cron to keep my subdomain updated. I did some research and figured out what cron and vi are, and I am ready to make the addition to my cron.

I tried running your suggestion (*/5 * * * * curl -k https://[the update link]) from my console and get an error: Address "my ip" has not changed. I did find the quick cron examples on freedns.afraid.org. They show curl, wget and fetch examples and say they should all work and can be tested by running them manually in the console. Curl (curl https://[the update link]) gets the same error as yours. Fetch (fetch -o - https://[the update link]) gets a "fetch: not found" error. Wget (wget --no-check-certificate -O - https://[the update link]) gets (IP and port removed):

--2022-05-21 08:31:40--  https://[the update link]
Resolving freedns.afraid.org (freedns.afraid.org)... "an ip address, not mine"
Connecting to freedns.afraid.org (freedns.afraid.org)|"same ip as above line"|:"port, not mine"... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
Saving to: 'STDOUT'

-                    [<=>                ]       0  --.-KB/s
ERROR: Address "my ip" has not changed.
-                    [ <=>               ]      46  --.-KB/s    in 0s

2022-05-21 08:31:40 (4.62 MB/s) - written to stdout [46]

Both end with the error that my ip has not changed. Does this mean that they both tried to update, but since it has not expired yet, I get the error?

They suggest 4,9,14,19,24,29,34,39,44,49,54,59 * * * * sleep 31 ; wget --no-check-certificate -O - https://[update link] c. I understand the string of numbers at the beginning does the same as your */5 (every five minutes) and the "sleep 31" pauses for 31 (seconds, I assume, since there is no s, m, h, or d). What is " >> /tmp/freedns_"my subdomain:_com.log 2>&1 &" for? They say sleep may or may not be required.

EDIT: I figured out that the address ip has not changed error is because my ip has not changed, so it is working correctly. I still don't know why your suggestion results in only the one line ip not change error and the Freedns.afraid suggestion has a lot of information before the error. Can you answer this? Also, do you know if I have to do anything to keep my freedns.afraid subdomain active, or does it stay active as long as it is being used and the host domain doesn't expire? I can't find anywhere that tells me this.
Last edited by wingstyle on Sun May 22, 2022 2:49 am, edited 1 time in total.
Nazar78
Posts: 2003
Joined: Wed Jul 17, 2019 10:21 pm
Location: Singapore

Re: LetsEncrypt

Post by Nazar78 »

Yes, that error result means the IP is already set to your ISP's, so no changes are required. You can test by changing your DDNS to a dummy IP, i.e. 127.0.0.1, on freedns.afraid.org, then run the update to see it change. Note that due to DNS propagation, it could take up to several hours for your actual DNS to be updated on all the name servers.

My crontab is dead simple, every 5 mins:

Code:

    */5 * * * * curl "http://freedns.afraid.org/dynamic/update.php?RllWcks0R-FAKE-OjEyNTExNjQw"

Edited: "What is " >> /tmp/freedns_"my subdomain:_com.log 2>&1 &" for?"
Off the top of my head:
>> in a shell means redirect-append the STDOUT to somewhere other than the STDOUT (standard output), i.e. a tty (typewriter); in this case, redirect-append it to a file, /tmp/freedns_my subdomain:_com.log. >> means redirect and append, > means redirect and overwrite.
2>&1 means redirect STDERR (&2 = standard error) to STDOUT (&1 = standard output), that is, redirect all error output to standard output so it can all be printed somewhere, i.e. a file.
& means fork and run in the background. To bring an active background process to the foreground, run: fg; to put the active process in the background, press CTRL+Z, then run: bg. You can see all current background processes by running: jobs, or kill a specific job from that list with: kill %1.

Commonly you will see commands such as "foobar>/dev/null 2>&1", which means redirect STDERR to STDOUT and then to null, which means we don't want any output from the process. Some native cron jobs with postfix installed will send the output to the account's email, so we redirect it to /dev/null to avoid piling up the inbox, which is not the case with our stripped-down Linux NAS.