Daniel Rodriguez's picture

Hello, how are you? I greet you from Honduras, CA. I have a problem that has broken my head and I need help, please. I installed my own Moodle server and I have it under a public IP, but when I redirect it to the domain I always get "the connection is not private". I have enabled SSL certificates but it does not work. Please help me; thank you very much in advance.

Jeremy Davis's picture

Assuming that you are using our Moodle server, then all our servers ship with "self signed" certificates. These certificates are legitimate certificates, however, because they are self signed, anyone can create them and anyone can pretend to be anyone else. So to stop that, browsers show a warning for self signed certs. To avoid the warning requires certificates that have been signed by a registered (and approved) Certificate Authority.

If you already have the domain set up so that it points to the public IP of your Moodle server, then all you should need to do is use Confconsole (via Advanced menu) to get a free Let's Encrypt certificate (Let's Encrypt is a registered/approved CA)! Once you have that set up (and assuming that it works successfully) be sure to enable the auto updates!

Daniel Rodriguez's picture

Yes, I am using the TurnKey Moodle server, but I have tried in various ways, up to this blog "https://github.com/turnkeylinux/confconsole/releases/tag/v1.1.2", but it has not worked for me.

Jeremy Davis's picture

If not, then that's what I recommend (that's the latest release). The v16.0 appliance ships with Confconsole v2.0.x (i.e. much newer than v1.1.x) so it should "just work" - no workarounds required...

If you are using v16.0 and it didn't work, then my guess is that there is something else going wrong. If you've installed Confconsole v1.1.2 in v16.0, then it might be easiest and best to just trash this server and start again.

With v16.0 running, if it still fails, please share the contents of the Confconsole log file. Also posting your domain will be useful, so I can double check that your DNS is set up properly.

Daniel Rodriguez's picture

Where can I install Confconsole v2.0.x, or does it come by default? If so, what should I do to install the certificate? Thank you very much.

Jeremy Davis's picture

You can double check like this:

apt policy confconsole

It should return something like this:

confconsole:
  Installed: 2.0.1+9+g86f73bd
  Candidate: 2.0.1+9+g86f73bd
  Version table:
 *** 2.0.1+9+g86f73bd 999
        999 http://archive.turnkeylinux.org/debian buster/main amd64 Packages
        100 /var/lib/dpkg/status

If you look at the "Installed" line, my output shows that I have "2.0.1+9+g86f73bd". You can also see that the "Candidate" is the exact same version. If your "Candidate" is a different version to what is "Installed" then you can update like this:

apt install confconsole

Although I'm pretty sure that there weren't any changes to Let's Encrypt, so I doubt it will make any difference (but it also won't hurt).

Also out of interest, you can double check the TurnKey version like this:

turnkey-version

For v16.0 Moodle, it should return this:

turnkey-mysql-16.0-buster-amd64

Daniel Rodriguez's picture

I don't get this "999 http://archive.turnkeylinux.org/debian buster / main amd64 Packages"

Jeremy Davis's picture

Perhaps post the full output? Then I might be able to work out what is going on.

Regardless, if you have v2.0.1 or higher, you should be fine.

Jeremy Davis's picture

Please share the contents of the log file: /var/log/confconsole/letsencrypt.log

That should explain why it failed. Also as I said earlier, if you share the domain name with me, I can double check your DNS settings.

Daniel Rodriguez's picture

Yes, of course. My domain is jaguarsbschool.ipvisionhn.com username and the IP where I have it redirected is 181.115.34.26

Jeremy Davis's picture

Until I see your log I can't be sure, but my guess is that perhaps Let's Encrypt isn't following the redirect? I see that the 'A' record points to a different IP and it's a 301 redirect that points it to your current IP.

The other problem that may have occurred is that perhaps your IP has been blacklisted? If you keep retrying and it keeps failing, at some point Let's Encrypt will blacklist your IP and refuse to give you a certificate. I forget how long it takes for that blacklisting to time out.

Anyway, until I see your log, I'm really just guessing...

Daniel Rodriguez's picture

How do I identify if I am blacklisted? And if so, what alternative do I have?

Jeremy Davis's picture

I don't recall the exact message, but it will be something like "too many failures" or similar.

If that happens, you just need to wait until the blacklist is removed. IIRC it's an hour (i.e. wait an hour and try again)...

Actually, I found the Let's Encrypt - Rate Limits doc page. It says that there is a "Failed Validation limit of 5 failures per account, per hostname, per hour". My reading suggests that if you hit the limit, you are blocked for one week! So it might pay to wait an hour before you retry to make sure you don't hit that limit!

Daniel Rodriguez's picture

This is the error you have in letsencrypt.log:

root@moodle .../log/confconsole# tail -f letsencrypt.log
    "detail": "DNS problem: NXDOMAIN looking up A for jaguarsbschoo.ipvisionhn.com - check that a DNS record exists for this domain",
    "status": 400
  },
  "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/5738395781/ARmsmQ",
  "token": "eqxDmGc_Z0DlcRHa5JXgmoRzh94XvyWpAk5CqocXvDI"
})
[2020-07-08 04:08:37] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2020-07-08 04:08:37] dehydrated-wrapper: WARNING: Python is still listening on port 80
[2020-07-08 04:08:37] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
[2020-07-08 04:08:38] dehydrated-wrapper: WARNING: Check today's previous log entries for details of error.

Jeremy Davis's picture

DNS problem: NXDOMAIN looking up A for jaguarsbschoo.ipvisionhn.com - check that a DNS record exists for this domain

Update it to jaguarsbschool.ipvisionhn.com (note the missing 'l' above).
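The diagnosis above can be automated before retrying, which matters given the failed-validation rate limit mentioned earlier in the thread. The following is an added example, not part of the original posts or of Confconsole: it pulls NXDOMAIN hostnames out of a dehydrated-wrapper log and compares them with the intended domain. The function names, the 0.9 similarity threshold and the sample log (constructed from the excerpt above) are assumptions.

```python
import difflib
import re

# Constructed sample modelled on the log excerpt in this thread (not a real capture).
SAMPLE_LOG = '''\
    "detail": "DNS problem: NXDOMAIN looking up A for jaguarsbschoo.ipvisionhn.com - check that a DNS record exists for this domain",
    "status": 400
[2020-07-08 04:08:37] dehydrated-wrapper: FATAL: dehydrated exited with a non-zero exit code.
[2020-07-08 04:08:37] dehydrated-wrapper: WARNING: Something went wrong, restoring original cert, key and combined files.
'''

# The ACME error body carries a "detail" string; the hostname sits inside it.
DETAIL_RE = re.compile(r'"detail":\s*"(?P<detail>[^"]*)"')
NXDOMAIN_RE = re.compile(r'NXDOMAIN looking up (?:A|AAAA) for (?P<host>[A-Za-z0-9.-]+)')


def acme_dns_failures(log_text):
    """Return the hostnames the ACME server reported as NXDOMAIN, in log order."""
    hosts = []
    for m in DETAIL_RE.finditer(log_text):
        hit = NXDOMAIN_RE.search(m.group("detail"))
        if hit:
            hosts.append(hit.group("host").rstrip(".").lower())
    return hosts


def diagnose(log_text, intended_domain):
    """Classify each failed hostname against the domain the operator meant to use."""
    intended = intended_domain.rstrip(".").lower()
    findings = []
    for host in acme_dns_failures(log_text):
        if host == intended:
            verdict = "dns-record-missing"   # name is right, the DNS record is not there
        elif difflib.SequenceMatcher(None, host, intended).ratio() >= 0.9:
            verdict = "likely-typo"          # near miss of the intended name
        else:
            verdict = "different-domain"
        findings.append((host, verdict))
    return findings


if __name__ == "__main__":
    for host, verdict in diagnose(SAMPLE_LOG, "jaguarsbschool.ipvisionhn.com"):
        print(f"{host}: {verdict}")
```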

Daniel Rodriguez's picture

Jeremy, I already installed the certificate, but the browser continues to tell me that the address is not private. Do you think you could review it? The certificate is already working, but it still tells me that the connection is not private. Thanks for your support.

Jeremy Davis's picture

Great that you have the certificate.

The issue that you're hitting now is that your domain is redirecting to an IP address, but you can't get a certificate for an IP address, only a domain name. So essentially the certificate that your site is providing doesn't match what is in the address bar.

Ideally you'd be best off changing your DNS so your domain name just points directly to your server's actual IP address (instead of being redirected).

Otherwise you'll need to change the rewrite. AFAIK, it should be possible to redirect but keep the domain in the address bar. It's not something I've done before, and exactly how you do that will depend on how you have the current redirect set up (and what web server it is), but I'm almost certain that it's possible and it should make the certificate work properly (the domain will match the certificate).

Note that regardless of which way you go, you'll probably need to clear the cache and cookies from your browser. You need to do that to clear out the 301 redirect.
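The mismatch described in this last reply, as an added example that is not part of the original thread: the browser validates the certificate against the host of the final URL after redirects, so a certificate issued for the domain fails once the address bar holds the IP. The redirect URLs and SAN list below are constructed from the details in the thread, and the matcher is a simplified sketch of name checking, not a full implementation.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed from the thread: the domain 301-redirects to the server's IP.
REDIRECTS = {"http://jaguarsbschool.ipvisionhn.com/": "https://181.115.34.26/"}
CERT_DNS_SANS = ["jaguarsbschool.ipvisionhn.com"]  # names on the issued certificate (assumed)


def final_host(start_url, redirects):
    """Follow a recorded redirect map (URL -> Location) and return the last URL's host."""
    url, seen = start_url, set()
    while url in redirects and url not in seen:  # 'seen' guards against redirect loops
        seen.add(url)
        url = redirects[url]
    return urlsplit(url).hostname


def cert_covers(host, dns_sans, ip_sans=()):
    """Simplified check: an IP literal needs an IP SAN, a name needs a DNS SAN."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # DNS names on the certificate never satisfy an IP in the address bar.
        return any(ipaddress.ip_address(s) == ip for s in ip_sans)
    host = host.rstrip(".").lower()
    for san in (s.lower() for s in dns_sans):
        if san == host:
            return True
        # A wildcard covers exactly one left-most label.
        if san.startswith("*.") and "." in host and host.split(".", 1)[1] == san[2:]:
            return True
    return False


if __name__ == "__main__":
    host = final_host("http://jaguarsbschool.ipvisionhn.com/", REDIRECTS)
    print(host, "covered" if cert_covers(host, CERT_DNS_SANS) else "NOT covered by certificate")
```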
