Problems creating let's encrypt cert on Mac OS: invalid header value - lets-encrypt

Three months ago I could create Let's Encrypt certs on Mac successfully by following the instructions in this tutorial.
Now that I have tried to do exactly the same, Let's Encrypt has updated itself and shows me the following error:
Macbook$ pwd
/Applications/certbot
Macbook$ ./certbot-auto certonly --standalone -d domain1.com -d domain2.com -d domain3.com -d domain4.com
Requesting root privileges to run certbot...
/Users/Me/.local/share/letsencrypt/bin/letsencrypt certonly --standalone -d domain1.com -d domain2.com -d domain3.com -d domain4.com
Password:
An unexpected error occurred:
ValueError: Invalid header value 'CertbotACMEClient/0.8.0 (darwin 10.10.5\n) Authenticator/standalone Installer/None'
Please see the logfiles in /var/log/letsencrypt for more details.
I removed the letsencrypt folder and this time tried installing via git clone https://github.com/certbot/certbot, but I still get the same error :(
I don't know if this is the same issue reported at GitHub, and I don't know either whether it has been solved or not.
I just tried again by downloading the clone one more time, but it still doesn't work. :(
Does anybody know how to fix this??? Or is there another, simpler way out there to get the certs (for example, online)?
I have found this one, but it still looks complicated.

I had this problem too, and this pull request (that has been merged to master) seems to have fixed it:
https://github.com/certbot/certbot/pull/3118
Note that after updating your git checkout to this code, you may still see the issue if a cached version of certbot is used or if certbot-auto updates itself and overwrites the fix from the source code.
Note the recommendation in this comment to remove cached files and run with --no-self-upgrade:
$ rm -fr ~/.local/share/letsencrypt
$ ./certbot-auto --no-self-upgrade --debug certonly ...
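The ValueError in the question is raised by Python's http.client, which refuses any header value containing a bare CR or LF (the same guard that blocks HTTP header injection); here the OS version string Certbot placed in its User-Agent ended with a newline. The following is an added example, not code from the question or from Certbot, showing that check and a sanitizer that strips line breaks before the value is used; the User-Agent format is copied from the error text, the OS string is a constructed input, and the sanitizer is this example's own, not what the linked pull request does.

```python
import http.client
import re

# Same pattern http.client uses to reject a header value: a CR or LF that does
# not start a folded continuation line (i.e. is not followed by whitespace).
_ILLEGAL_HEADER_CHARS = re.compile(r"\n(?![ \t])|\r(?![ \t\n])")

# Constructed input: the trailing-newline OS version string seen in the
# question's error message, e.g. unstripped output of a version command.
RAW_OS_STRING = "darwin 10.10.5\n"


def header_value_is_valid(value: str) -> bool:
    """True if http.client would accept this value in a header."""
    return _ILLEGAL_HEADER_CHARS.search(value) is None


def sanitize_header_value(value: str) -> str:
    """Collapse CR/LF runs to one space and trim, so the value stays on one line."""
    return re.sub(r"[\r\n]+", " ", value).strip()


def build_user_agent(os_string: str, version: str = "0.8.0") -> str:
    """Assemble the User-Agent in the shape shown by the question's error
    message, after sanitizing the OS string (format assumed from that text)."""
    return (f"CertbotACMEClient/{version} ({sanitize_header_value(os_string)}) "
            "Authenticator/standalone Installer/None")


def http_client_accepts(value: str) -> bool:
    """Feed the value to http.client without touching the network:
    putrequest/putheader only buffer the request, and putheader validates."""
    conn = http.client.HTTPConnection("localhost")  # never connected
    conn.putrequest("GET", "/")
    try:
        conn.putheader("User-Agent", value)
        return True
    except ValueError:  # "Invalid header value ..."
        return False
    finally:
        conn.close()


if __name__ == "__main__":
    bad = f"CertbotACMEClient/0.8.0 ({RAW_OS_STRING}) Authenticator/standalone Installer/None"
    print("raw value accepted: ", http_client_accepts(bad))                             # False
    print("sanitized accepted:", http_client_accepts(build_user_agent(RAW_OS_STRING)))  # True
```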

Related

Can't pip install private Github repo with bash script

It's been a while since I asked this question. To simplify, I just want a lifecycle configuration in AWS SageMaker which can successfully install a private GitHub repo.
I'm trying to install a private github repo with a bash script. The script does the following:
makes sure there's an ssh agent active
adds the ssh key from a persistent portion of memory
attempts to install the github repo
This is all happening in a SageMaker AWS EC2 instance via a lifecycle configuration. The implementation looks something like this:
HOME=/home/ec2-user/
ENVPIP=$HOME/anaconda3/envs/tensorflow2_p36/bin/pip
eval "$(ssh-agent -s)"
ssh-add ${HOME}SageMaker/Setup/id_rsa
yes | $ENVPIP install git+ssh://git@github.com/...
Running this, I get the following error:
ERROR: Command errored out with exit status 128: git clone -q 'ssh://****@github.com/...' /tmp/pip-req-build-ysacff_l Check the logs for full command output.
Here's all the pertinent output from cloudwatch:
Agent pid 5146
Identity added: /home/ec2-user/SageMaker/Setup/id_rsa (/home/ec2user/SageMaker/Setup/id_rsa)
2020-09-07T17:11:00.605-04:00
Collecting git+ssh://****@github.com/********1/*****-*****Library
Cloning ssh://****@github.com/********1/*****-*****Library to /tmp/pip-req-build-ysacff_l
2020-09-07T17:11:00.605-04:00
ERROR: Command errored out with exit status 128: git clone -q 'ssh://****@github.com/********1/*****-*****Library' /tmp/pip-req-build-ysacff_l Check the logs for full command output.
Looking into it, this seems like an issue with the cloning protocol, but I couldn't find anything pertinent to ssh.
P.S.
Running the same few lines in the terminal works.
I sanity checked the URL to the repo and went right to it, so I don't think it's a problem with anything after the ...
Updates:
Tried updating git with yum install git. Apparently my version is up to date, so doing this resulted in the same error.
I commented out the pip install so that the EC2 instance would start up successfully, then ran curl http://www.google.com, which resulted in a bunch of HTML. So it appears that, at least after the EC2 instance boots, outbound traffic is allowed.
Running curl http://www.google.com within the bash script (lifecycle configuration, with the problematic code commented out) results in the same HTML output, and the instance started up perfectly. This leads me to believe that there is, indeed, outbound traffic allowed on instance startup.
A lot of people have viewed this question, and no one has answered it. I'm not married to the specific way I'm trying to install the repo, so if there are any working alternatives I'll gladly take them.
Is it possible that I'm encountering a race condition with some other system? This is happening close to when the instance starts. Is there any way to check that all dependent systems are running?
While doing some other stuff in the console I got the same error. I reinitialized the ssh agent, added the key, and it worked. I wonder if it's a race condition between eval "$(ssh-agent -s)" and yes | $ENVPIP install git+ssh://git@github.com/...?

Puppet certificate store

I got a Puppet Enterprise Master Server 2018.1.3 which should get the code with Code Manager from a git repository via HTTPS, where the server certificate of the git server is signed by a third-party CA.
After getting everything, AFAIK, correctly configured, I get the following:
> puppet-code deploy --dry-run
Dry-run deploying all environments.
Errors while collecting a list of environments to deploy (exit code: 1).
ERROR -> Unable to determine current branches for Git source 'puppet'
(/etc/puppetlabs/code-staging/environments)
Original exception:
The SSL certificate is invalid
Executing r10k directly produces a similar error, which makes sense, since I have not installed the third-party CA certificate anywhere yet.
So I thought, r10k most likely runs JRuby which runs Java (I do not have any idea about Ruby), so I will install the certificate in the JVM:
keytool -import -file gitCA.cer -alias gitCA -keystore /opt/puppetlabs/server/apps/java/lib/jvm/java/jre/lib/security/cacerts -storepass changeit
But I am still getting the same error, also after a system restart, so OK, it means r10k does not use JRuby but Ruby, so I will also install the certificate in the OS: put the certificate under /etc/pki/trust/anchors and call update-ca-certificates (on SLES12). After that, I can access the git repo URL with wget without getting any certificate error, so the certificate is installed in the OS correctly, but still, even after a system restart, I am getting the same error with r10k.
After a lot of googling for certificate stores and Ruby I found out that
export SSL_CERT_FILE=<path_to_cert>
fixes the direct call of r10k:
> r10k deploy display --fetch ---
:sources:
- :name: :puppet
:basedir: "/etc/puppetlabs/code/environments"
:remote: https://xxx@git.xxx/git/puppet
:environments:
- develop
- master
- production
- puppet_test
But puppet-code is still not working, with the same error message. Then I thought, obviously I am root right now and puppet-code is executed by user pe-puppet, so I put the export command in the /etc/profile.local file, so it is available to all users.
Still not working, even after a system restart and deleting /opt/puppetlabs/server/data/puppetserver/r10k/ that was created with user root while directly calling r10k.
First question: why does r10k work, but puppet-code not?
Second question: where is the correct place for that certificate?
Many thanks
Michael
UPDATE: 27.AUG.2018
I tried this:
sudo -H -u pe-puppet bash -c '/opt/puppetlabs/puppet/bin/r10k deploy display --fetch'
which did not work, despite my setting the SSL_CERT_FILE variable in the /etc/profile.local file.
But I got it working by setting the variable in the /etc/environment file.
But puppet-code is still not working. Why?
For those looking for a solution to this problem, check out this post on the Puppet Support Base.
Simply put you have two options:
Use a Git source instead of an HTTPS source to refer to your repository in your Puppetfile. This option requires adding SSH keys to your Puppet master and your repository.
Add a certificate authority (CA) cert for the repository to the list of trusted CAs in /opt/puppetlabs/puppet/ssl/cert.pem.
Option one: Use a Git source instead of an HTTPS source
To deploy code from your repository using a Git source, configure a private SSH key on your Puppet master and a public SSH key on your repository:
In your Puppetfile, change references to your Git repository from an HTTPS source to a Git source:
For example, change:
mod 'site_data', :git: 'https://example.com/user/site_data.git',
to:
mod 'site_data', :git: 'ssh://user@example.com:22/user/site_data.git',
Configure your SSH keys. Configure the private key using our documentation on how to Declare module or data content with SSH private key authentication for PE 2018.1.
Note: Use the version selector to choose the right version of our documentation for your deployment.
The details of configuring your public key depend on how your Git repository is configured. Talk to your Git repository administrator.
Option two: Add a trusted CA cert
If you are unable to specify a Git source, add your repository to the list of CAs trusted by Code Manager by adding a CA cert to the file /opt/puppetlabs/puppet/ssl/cert.pem.
Transfer the cert (ca.pem) file to your CA node.
On the CA node, add the cert to the list of CAs trusted by Code Manager: cat ca.pem >> /opt/puppetlabs/puppet/ssl/cert.pem
Agent runs won't revert changes made to cert.pem because the file isn't managed by PE, but upgrades to PE will overwrite the file. After you upgrade PE, you must add the CA cert to cert.pem again.
So, I got it working, but I am not happy with the solution.
I turned on debug logging in /etc/puppetlabs/puppetserver/logback.xml, confirming that puppet-code is indeed calling r10k:
2018-08-27T14:54:24.149+02:00 DEBUG [qtp462609859-78] [p.c.core] Invoking shell:
/opt/puppetlabs/bin/r10k deploy --config /opt/puppetlabs/server/data/code-manager/r10k.yaml --verbose warn display --format=json --fetch
2018-08-27T14:54:24.913+02:00 ERROR [qtp462609859-78] [p.c.app] Errors while collecting a list of environments to deploy (exit code: 1).
ERROR -> Unable to determine current branches for Git source 'puppet' (/etc/puppetlabs/code-staging/environments)
Original exception:
The SSL certificate is invalid
So I did it the very quick and dirty way:
cd /opt/puppetlabs/puppet/bin/
mv r10k r10k-bin
touch r10k
chmod +x r10k
vi r10k
and
#!/bin/bash
# wrapper: point Ruby's OpenSSL at the CA bundle, then run the real r10k with all original arguments
export SSL_CERT_FILE=<new_cert_path>
exec /opt/puppetlabs/puppet/bin/r10k-bin "$@"
Now it is working:
puppet:~ # puppet-code deploy --dry-run
Dry-run deploying all environments.
Found 5 environments.
But I am not happy with it; any better idea?

How to install Certbot (Let's Encrypt) without interaction?

I am writing a bash script which bootstraps the whole project infrastructure on a freshly installed server, and I want to configure SSL installation with Let's Encrypt Certbot. After I execute the line:
certbot --nginx -d $( get_server_name ) -d www.$( get_server_name ).com
I get prompted with a few questions. Can certbot be run without any interaction while passing some of the params as arguments or something?
You can run certbot 'silently' by adding the following options:
--non-interactive --agree-tos -m webmaster@example.com
The full list of config options is available here:
https://certbot.eff.org/docs/using.html
There are several inline flags and "subcommands" (their nickname) provided by Certbot that can help to automate the process of generating free SSL certificates using Bash or shell scripts.
The most relevant flag as mentioned by @match is:
--noninteractive ...or alternatively... --non-interactive
However in reality this flag is not very helpful, because it doesn't do very much. If there are critical flags missing from your script, for example, the certificate will still fail to generate. Frankly, I think it would be better for Certbot to cancel the above flag, because it's rather misleading.
Here are the minimum flags required:
--agree-tos
--register-unsafely-without-email ...or... -m username@example.com
-d example.com and/or -d www.example.com
You also must specify what type of Let's Encrypt installer plugin (environment) you want, for example you can choose from "standalone" or "manual" etc... for most cases, like a WordPress web server, you should choose "webroot" so that Certbot can easily verify ownership via the public root (make sure access to /.well-known* is not blocked):
--webroot -w /var/www/html/
Here is the complete command we use in SlickStack to install SSL certs:
## install Certbot SSL certificate ##
certbot certonly --noninteractive --agree-tos --cert-name slickstack -d ${SITE_TLD} -d www.${SITE_TLD} -d staging.${SITE_TLD} -d dev.${SITE_TLD} --register-unsafely-without-email --webroot -w /var/www/html/
In our case we hardcode the --cert-name to be slickstack because only one website is installed on each VPS server, so it makes other server admin tasks (and scripts) easier to manage. However, if you are installing several domains and SSL certs on the same server, you could change the subcommand --cert-name to be named after each TLD domain instead, etc. This affects the SSL directory names, thus helping to keep your files/folders nice and tidy.

parse deploy fail with authentication error when all the keys are set properly

I'm trying to deploy an app that I already deployed to in the past but started getting
Unable to authenticate app.
Please make sure your applicationId and masterKey in "config/global.json" is correct
I got both masterKey and applicationId set in the file. I tried adding jsKey just to be sure. I also tried regenerating the master key and deploy but I still get the same error.
Weird thing is that when I execute parse releases I get the list. So if this is an authentication error, how could this request pass?
Anyways, I'm stuck and I would appreciate any help.
I had the same problem and solved it by updating parse:
$ sudo parse update
but the binary was unzipped, see below:
$ file /usr/local/bin/parse
/usr/local/bin/parse: gzip compressed data, was "parse-osx-2.1.2", from Unix, last modified: Mon Jun 29 18:48:09 2015
so I copied it under a new file name, unzipped it and finally replaced the original:
$ cp /usr/local/bin/parse ~/tmp/parse.gz
$ cd ~/tmp
$ gunzip parse.gz
$ sudo cp parse /usr/local/bin/parse
There is a parse.com ticket on this issue already but it is currently still an issue for me.
https://developers.facebook.com/bugs/1606090639641473/?search_id

Can't clone my heroku project

I'm not sure what's wrong with my heroku account, but I'm no longer able to clone my heroku project.
NOTE : Please do not close this question considering as duplicate question of this
as I have described below that I tried all solutions mentioned in the answers to that question
! Your key with fingerprint XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX is not authorized to access genqr
Whenever I do
git clone git@heroku.com:genqr.git
I have done everything humanly possible.
1. I have deleted all my Heroku keys and added a new key
using
heroku keys:remove
and
heroku keys:add /home/vire2egi/.ssh/setup.pub
Still, the same problem when cloning the project happens.
2. I also added heroku key to ssh-add
ssh-add /home/vire2egi/.ssh/setup
3. Also added key to keychain
eval `keychain --eval setup`
All the above commands result in success but still I can't clone the repo
4. I also did
heroku keys:remove
heroku auth:logout
heroku auth:login ## Authenticated myself and then added the key: still no success
Still no success
5. I also defined a config for heroku, something like
Host heroku.com
Hostname heroku.com
User viren2egi
IdentityFile /home/vire2egi/.ssh/setup
Still no success.
6. Out of frustration I created a brand new key.
ssh-keygen -t rsa
And repeated all the above set for that key too, but still I get the same problem.
I also cleaned my known_hosts every time I ran any one of the above commands, just to make sure it does not pick from it.
Note :
Whenever I tried heroku:keys, it always presented me with the correct information of the key that I have added
Can anyone help me?
When you do a git operation it uses any ssh keys you have loaded locally in some order (I believe the order in which they were loaded). It may be that you have an old key still loaded and when you do a git operation it tries that key first and fails and does not go on to the next key if there's a failure.
So... try unloading all your ssh-keys with ssh-add -D, then loading the most recent key you created and added to heroku:
$ ssh-add -D
$ ssh-add /home/vire2egi/.ssh/setup
$ git clone git@heroku.com:genqr.git
???
I had the same problem. The steps described in http://rakshasingh.weebly.com/1/post/2013/04/accessing-multiple-heroku-accounts-from-one-machine.html helped me well. Last part about cloning from existing heroku app is important.
