
Re: [Taler] Problems with certificates chain using standalone deployment


From: Christian Grothoff
Subject: Re: [Taler] Problems with certificates chain using standalone deployment
Date: Tue, 5 Jun 2018 15:36:19 +0200
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.7.0

Dear Eduardo,

The reason is simple: you are asking Let's Encrypt to generate a TLS
certificate for 'taler.net', which is not a domain name you control.

So you must get your own DNS name and change the configuration file(s)
to use that DNS name, or disable the TLS part of the setup and go with
HTTP instead of HTTPS.

Happy hacking!

Christian
p.s.: I guess it would make sense for our code to make it _easier_ to
change the domain name from 'taler.net' to another TLD, so anyone who
wants to send a patch to that effect would be welcome.

On 06/05/2018 01:48 PM, Gonzalez Real, Eduardo wrote:
> Dear developers of GNU Taler,
>  
> I am trying to deploy your system following the Standalone deployment
> [1] in a Debian 9 “Stretch” from Oracle VM VirtualBox and I need your
> support with some issues I am facing.
>  
> At this moment, I am setting up the nginx server using your
> configuration files [2] but there are some problems with the generation
> of the certificates chain. Concretely, certbot is returning unauthorized
> for most of the domains when running your renew-certs.sh [3]. I am
> wondering if I should need any kind of authorized dev email; I have
> tried with the --register-unsafely-without-email flag and also working
> from a real machine (just in case the problems are related to the
> Virtual Machine).
>  
> Here are some logs from nginx:
> [emerg] 9908#9908:
> BIO_new_file("/etc/letsencrypt/live/taler.net/fullchain.pem") failed
> (SSL: error:02001002:system library:fopen:No such file or
> directory:fopen('/etc/letsencrypt/live/taler.net/fullchain.pem','r')
> error:2006D080:BIO routines:BIO_new_file:no such file)
> 
> Here is a piece of the certbot logs with the unauthorized issue:
> Domain: api.taler.net
> Type:   unauthorized
> Detail: Invalid response from
> http://api.taler.net/.well-known/acme-challenge/iw8WZEboMyngkhXNVvjJsZKkII4wTYHX-f_WzZtcDo4:
> "<html>
> <head><title>404 Not Found</title></head>
> <body bgcolor="white">
> <center><h1>404 Not Found</h1></center>
> <hr><center>"
> To fix these errors, please make sure that your domain name was
> entered correctly and the DNS A record(s) for that domain
> contain(s) the right IP address.
>  
> Any idea why this might be happening?
> If you need more specific information about technical stuff please do
> not hesitate.
>  
> Many thanks in advance.
>  
> [1] https://docs.taler.net/onboarding/html/onboarding.html#Standalone-deployment
> [2] https://git.taler.net/deployment.git/tree/etc/nginx
> [3] https://git.taler.net/deployment.git/tree/taler.net/renew-certs.sh
>  
> Best regards
> ---------------------------------
> Eduardo González Real
> Research & Innovation
> Business & Platform Solutions
> Atos Iberia
> T + 34 922 53 38 88
> address@hidden
> www.es.atos.net <http://www.es.atos.net/>
>  
>  
> This e-mail and the documents attached are confidential and intended
> solely for the addressee; it may also be privileged. If you receive this
> e-mail in error, please notify the sender immediately and destroy it. As
> its integrity cannot be secured on the Internet, the Atos group
> liability cannot be triggered for the message content. Although the
> sender endeavors to maintain a computer virus-free network, the sender
> does not warrant that this transmission is virus-free and will not be
> liable for any damages resulting from any virus transmitted.
> 
> This message and the attached files may contain confidential
> information intended solely for the person(s) mentioned above and may
> be protected by professional secrecy. If you receive this e-mail in
> error, please inform the sender immediately and destroy the message. As
> the integrity of this message cannot be assured over the network, Atos
> is not responsible for its content. Its content does not constitute any
> commitment for the Atos group, unless ratified in writing by both
> parties. Although it makes every effort to keep its network free of
> viruses, the sender cannot guarantee anything in this regard and will
> not be liable for any damages that may result from a virus transmission.

Attachment: signature.asc
Description: OpenPGP digital signature
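
An added example, not part of the original messages or of the Taler deployment scripts: a pre-flight check that takes the names certbot reported as unauthorized and tests whether their DNS records point at the machine requesting the certificate. The function names, the example.org names and all IP addresses are assumptions made up for illustration; the check is deliberately conservative and requires every address record to point at this host.

```python
import ipaddress
import re
import socket

def unauthorized_domains(report):
    """Names whose challenge the CA rejected, from certbot's 'Domain:/Type:' report."""
    return re.findall(r"^Domain:\s*(\S+)\s*\nType:\s*unauthorized", report, re.M)

def resolve(name):
    """Addresses the system resolver returns for name (empty set if none)."""
    try:
        infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(i[4][0].split("%")[0]) for i in infos}

def preflight(names, my_addresses, resolver=resolve):
    """Classify names before requesting a certificate for them.
    ok        : every address record points at this host
    elsewhere : at least one record points at another machine, so the CA may
                fetch the challenge file from a server that does not have it
    no-dns    : the name does not resolve
    """
    mine = {ipaddress.ip_address(a) for a in my_addresses}
    verdict = {}
    for name in names:
        found = resolver(name)
        verdict[name] = "no-dns" if not found else "ok" if found <= mine else "elsewhere"
    return verdict

# Constructed sample: report in the shape quoted above (token replaced by a
# placeholder) and a fake DNS table using documentation address ranges.
REPORT = """Domain: api.taler.net
Type:   unauthorized
Detail: Invalid response from
http://api.taler.net/.well-known/acme-challenge/TOKEN:
"""
FAKE_DNS = {"api.taler.net": {"198.51.100.7"}, "pay.example.org": {"192.0.2.10"}}

def fake_resolver(name):
    return {ipaddress.ip_address(a) for a in FAKE_DNS.get(name, ())}

def demo():
    names = unauthorized_domains(REPORT) + ["pay.example.org", "bank.example.org"]
    return preflight(names, ["192.0.2.10"], fake_resolver)

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:20} {status}")
```

Calling preflight() without the resolver argument uses the system resolver, so it can be run against the real list of names before invoking certbot.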

