RAS 19 - Lets encrypt - anyone get it working? How?

Discussion in 'Parallels Remote Application Server' started by IainA2, Sep 5, 2022.


Poll: Did you get Let's Encrypt working in RAS 19?

  1. Yes (0 vote(s), 0.0%)
  2. No (0 vote(s), 0.0%)
  1. IainA2 (Bit poster, 3 messages)
    My acme logs show the below (sanitised) error. Port 80 is open externally and redirects to https (currently self signed) as it should. All DNS resolutions are working and correct in the log - it seems like the /.well-known/acme-challenge/<token> route is not responding on the server. Same occurs if "Only allow Let's Encrypt verification" is selected in secure gateway config, but redirect returns 404.
    Version 19.0.2 (build 23329) on Server 2019

    Error in log:
    Action on cerificate with id: 2 failed with error 'The http challenge failed. { "identifier": { "type": "dns", "value": "correct.domain.name" }, "status": "invalid", "expires": "2022-09-13T00:24:08Z", "challenges": [ { "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "correct.IP.ADDR: Fetching http://correct.domain.name/.well-known/acme-challenge/<token goes here>: Timeout during connect (likely firewall problem)", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/<token goes here>/<token goes here>", "token": "<token goes here>", "validationRecord": [ { "url": "http://jiwar2.ids-g.net/.well-known/acme-challenge/<token goes here>", "hostname": "correct.host.name", "port": "80", "addressesResolved": [ "correct.IP.ADDR" ], "addressUsed": "correct.IP.ADDR" } ], "validated": "2022-09-06T00:26:08Z" } ] }'
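    Before retrying a failed http-01 challenge it helps to fetch the exact URL the CA's validator fetches and see which failure class you are in: no connection at all (a firewall, which is what the thread eventually traced it to), a 404 (the gateway answers but the ACME route is not wired), or a redirect (acceptable only if it goes to HTTPS and the HTTPS side then serves the token). The script below is an added example written for this thread, not code from Parallels RAS or its documentation; the host, token and thumbprint values are constructed, and it starts a tiny local HTTP server that mimics the behaviours described above so the checks run offline. Point `probe(challenge_url(host, token))` at a real gateway to use it for a pre-flight check.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request
from urllib.parse import urlparse

ACME_PATH = "/.well-known/acme-challenge/"


def challenge_url(host, token):
    """Build the URL the CA's validator fetches: always plain HTTP on port 80."""
    return f"http://{host}{ACME_PATH}{token}"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects; we want the first hop exactly as the validator sees it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url, timeout=5.0):
    """Fetch one URL. Returns (status, location_header, body); status is None when no
    HTTP response arrived at all (connect timeout, refused, DNS failure)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, None, resp.read().decode(errors="replace")
    except urllib.error.HTTPError as err:  # 3xx/4xx/5xx still mean "reachable"
        return err.code, err.headers.get("Location"), err.read().decode(errors="replace")
    except (urllib.error.URLError, socket.timeout, OSError) as err:
        return None, None, str(err)


def classify(status, location, body, token):
    """Map a probe result onto the outcomes discussed in the thread."""
    if status is None:
        return "unreachable"  # what Let's Encrypt logs as "Timeout during connect"
    if status in (301, 302, 307, 308):
        # LE follows redirects, so http->https is fine if the HTTPS side serves the
        # token; a redirect anywhere else will fail validation.
        if location and urlparse(location).scheme == "https":
            return "redirect-https"
        return "redirect-other"
    if status == 404:
        return "not-found"  # gateway is up, ACME route is not wired
    if status == 200:
        # A valid key authorization is "<token>.<account-key-thumbprint>".
        return "ok" if body.strip().startswith(token + ".") else "wrong-body"
    return f"http-{status}"


class _DemoHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a gateway: serves one token, 404s other tokens,
    redirects everything else to HTTPS."""
    token = "constructed-token-value"  # constructed, not a real challenge token

    def _reply(self, code, body=b"", **headers):
        self.send_response(code)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        if self.path == ACME_PATH + self.token:
            self._reply(200, f"{self.token}.constructed-thumbprint".encode())
        elif self.path.startswith(ACME_PATH):
            self._reply(404)
        else:
            self._reply(301, Location="https://localhost" + self.path)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo():
    """Probe the local stand-in plus a closed port; returns {case: outcome}."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _DemoHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    host = f"127.0.0.1:{srv.server_port}"
    tok = _DemoHandler.token
    with socket.socket() as s:  # grab a port nobody listens on
        s.bind(("127.0.0.1", 0))
        dead_port = s.getsockname()[1]
    results = {
        "good": classify(*probe(challenge_url(host, tok)), tok),
        "missing": classify(*probe(challenge_url(host, "no-such-token")), "no-such-token"),
        "redirect": classify(*probe(f"http://{host}/"), tok),
        "closed": classify(*probe(challenge_url(f"127.0.0.1:{dead_port}", tok), timeout=2), tok),
    }
    srv.shutdown()
    srv.server_close()
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:9s} -> {outcome}")
```

    Run it from the outside world (not from the RAS host itself) so that the same firewall path the CA uses is exercised; an "ok" from inside the LAN with "unreachable" from outside is exactly the firewall case this thread ended on.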
     
  2. StefanB6 (Bit poster, 4 messages)
    Did you make any progress here?

    I think the LE support is not very well thought through and not well documented.
    I didn't see the "Only allow Let's Encrypt verification" option so far, which is exactly what I was discussing with support without any helpful reply.
    Unfortunately this does not seem to make sense with HALB appliance SSL offloading, which always redirects to port 80.
     
  3. IainA2 (Bit poster, 3 messages)
    I did get this working in the end. Something odd with the firewall: I disabled the rules (blocked access) while I did other things, and when I re-enabled them to demonstrate to support, it started working. That said, rather than a port 80 challenge, I would prefer additional challenge options, such as a DNS token.
     
