[SOLVED] TLS handshake error: acme: Could not find solver for: http-01; acme: Could not find solver for: dns-01


#1

Hi, everyone.
At the moment I use Mattermost over the HTTPS protocol. The SSL certificate was generated by Let’s Encrypt. The problem is that the TLS authorization is running with an error:

2018/01/24 12:33:17 [INFO] acme: Registering account for
2018/01/24 12:33:19 [INFO][chat. acme: Obtaining bundled SAN certificate
2018/01/24 12:33:20 [INFO][chat. AuthURL: https://acme-v01.api.letsencrypt.org/acme/authz/fxBNbsVJa6IVSZjMkMZiDSAgxxZyc8DxgISmu7UVdMQ
2018/01/24 12:33:20 [INFO][chat. acme: Could not find solver for: dns-01
2018/01/24 12:33:20 [INFO][chat. acme: Could not find solver for: http-01
2018/01/24 12:33:20 http: TLS handshake error from 80.154.65.20:60867: map[:[
acme: Could not determine solvers]
2018/01/24 12:33:20 http: TLS handshake error from 80.154.65.20:34496: map[:[
acme: Could not determine solvers]
2018/01/24 12:33:20 http: TLS handshake error from 80.154.65.20:53884: map[:[
acme: Could not determine solvers]
2018/01/24 12:33:20 http: TLS handshake error from 80.154.65.20:34653: map[
:[chat.mountain-software.eu] acme: Could not determine solvers]

The developers from Let’s Encrypt say that the problem is in the Let’s Encrypt integration for Mattermost:

jsha (Boulder engineer), 13h:
Based on the log output, I’m guessing that Mattermost is written in Go (because the log output matches Go’s style). From that I’m further guessing that it may use the Go autocert package. If so, that package recently incorporated some changes to switch to the HTTP-01 challenge. So, try updating your Mattermost install. If that doesn’t work, notify the Mattermost developers that they need to update their Let’s Encrypt integration, and if that happens to be autocert, there’s an update ready to be incorporated into their project.

Can I find a special Mattermost update for this issue?


#2

Thread at the Let’s Encrypt community: https://community.letsencrypt.org/t/tls-handshake-error-map-acme-could-not-determine-solvers-could-not-find-solver-for-dns-01-could-not-find-solver-for-http-01/51177

I am also having this issue. I’ve tried to add the token from the AuthURL to my DNS records, but it doesn’t seem to work:


#3

@electronix001 @carstenhag

Thanks for your feedback,

Let’s Encrypt certificates are broken on Mattermost servers. We’re working on a fix https://mattermost.atlassian.net/browse/ABC-198

A workaround is to terminate SSL at the proxy, or set up let’s encrypt manually directly on the Mattermost server.

Here is the forum post relating to this issue.


#4

I have just upgraded to 4.6.1 and NOW I have letsencrypt issues:
Jan 31 20:16:11 www.xxx.de platform[18962]: 2018/01/31 20:16:11 http: TLS handshake error from 109.90.178.19:53377: acme/autocert: unable to authorize “chat.xxx.de”; tried [“tls-sni-02” “tls-sni-01”]

Jan 31 20:16:11 www.xxx.de platform[18962]: 2018/01/31 20:16:11 http: TLS handshake error from 109.90.178.19:53379: acme/autocert: missing certificate

Update:
I got the certs via certbot manually and edited the config accordingly and it now works again…


#5

I was just wondering, am I the only one seeing the letsencrypt problem with 4.6.1 (which would mean I should start troubleshooting) or is it a general problem?


#6

Just perhaps, it started “being broken” because it wanted to renew the certs, and the renewal process started because the service/program started up after the update?


#7

It couldn’t renew the certificates after the update, so I removed the letsencrypt cache. Now it still cannot get new certificates, although this worked without problems with 4.5. I tried again now but I still get:

Feb 09 22:23:21 www.xxx.de platform[8876]: 2018/02/09 22:23:21 http: TLS handshake error from 109.90.178.19:59064: acme/autocert: unable to authorize “chat.xxx.de”; tried [“tls-sni-02” “tls-sni-01”]
Feb 09 22:23:24 www.xxx.de platform[8876]: 2018/02/09 22:23:24 http: TLS handshake error from 109.90.178.19:59082: acme/autocert: missing certificate
Feb 09 22:23:27 www.xxx.de platform[8876]: 2018/02/09 22:23:27 http: TLS handshake error from 109.90.178.19:59089: acme/autocert: missing certificate
Feb 09 22:23:30 www.xxx.de platform[8876]: 2018/02/09 22:23:30 http: TLS handshake error from 109.90.178.19:59098: acme/autocert: missing certificate
Feb 09 22:23:34 www.xxx.de platform[8876]: 2018/02/09 22:23:34 http: TLS handshake error from 109.90.178.19:59105: acme/autocert: missing certificate
Feb 09 22:23:37 www.xxx.de platform[8876]: 2018/02/09 22:23:37 http: TLS handshake error from 109.90.178.19:59113: acme/autocert: missing certificate
Feb 09 22:23:40 www.xxx.de platform[8876]: 2018/02/09 22:23:40 http: TLS handshake error from 109.90.178.19:59121: acme/autocert: missing certificate
Feb 09 22:23:50 www.xxx.de platform[8876]: 2018/02/09 22:23:50 http: TLS handshake error from 109.90.178.19:59147: acme/autocert: missing certificate


#8

Hi @Twilek,

This issue should be fixed when v4.7 is released on February 16th.

Here is the ticket to track…


#9

Hmmm I updated to 4.7.0 RC 1 and the problem persists.


#10

Hi @Twilek,

Have you tried the manual workaround mentioned in this post?


#11

Well yes that works for me at the moment, but I still want to use the automatic certificate update that Mattermost offers. Otherwise I will have to renew the certificates manually from now on.


#12

Of course @Twilek :slight_smile:

I’ll check with the team whether the Let’s Encrypt fix was in 4.7 RC1… RC3 has been cut if you’d like to try reproducing?


#13

Just installed the RC3 and the "acme/autocert: unable to authorize “chat.xxx.de”; tried [“tls-sni-02” “tls-sni-01” “http-01”]" persists. Mattermost generates a letsencrypt.cache dir and an acme_account.key, but that’s it.

My Mattermost installation has its own IP and is not proxied.


#14

@Twilek The tls-sni 1 and 2 challenge types have been disabled by Let’s Encrypt. The only one that will work and that the Go autocert library supports is http-01.
So you should check a few things:

  • Do you have ports 80 and 443 open on your Mattermost server?
  • Is the Mattermost configuration option Forward80To443 enabled? I think it might actually be required for http-01 to work.
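
The distinction drawn in post #14, applied to the log lines quoted in this thread, as an added example that is not part of any post and is not Mattermost or autocert code. The labels it returns and the sample host and addresses are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// "unable to authorize <host>; tried [<types>]", as logged in posts #4, #7 and #13.
var triedRe = regexp.MustCompile(`acme/autocert: unable to authorize .*?; tried \[([^\]]*)\]`)
// Challenge type names such as tls-sni-01 or http-01, whatever quotes surround them.
var typeRe = regexp.MustCompile(`[a-z]+(?:-[a-z]+)*-[0-9]{2}`)

// Classify labels one log line and returns the challenge types it lists.
// The labels are this example's own, not Mattermost or autocert identifiers.
func Classify(line string) (string, []string) {
	if m := triedRe.FindStringSubmatch(line); m != nil {
		tried := typeRe.FindAllString(m[1], -1)
		for _, t := range tried {
			if t == "http-01" {
				return "http-01-failed", tried // attempted: check port 80 and Forward80To443
			}
		}
		return "tls-sni-only", tried // only the disabled types: build lacks http-01
	}
	if strings.Contains(line, "acme/autocert: missing certificate") {
		return "no-certificate", nil // follow-on error: nothing was issued
	}
	return "", nil
}

// Summarize counts the labels over a whole log.
func Summarize(text string) map[string]int {
	counts := map[string]int{}
	for _, line := range strings.Split(text, "\n") {
		if kind, _ := Classify(line); kind != "" {
			counts[kind]++
		}
	}
	return counts
}

// Constructed sample in the thread's log format; host and addresses are placeholders.
const sample = `2018/02/09 22:23:21 http: TLS handshake error from 192.0.2.10:59064: acme/autocert: unable to authorize "chat.example.test"; tried ["tls-sni-02" "tls-sni-01"]
2018/02/09 22:23:24 http: TLS handshake error from 192.0.2.10:59082: acme/autocert: missing certificate
2018/02/16 10:00:00 http: TLS handshake error from 192.0.2.10:40000: acme/autocert: unable to authorize "chat.example.test"; tried ["tls-sni-02" "tls-sni-01" "http-01"]`

func main() {
	fmt.Println(Summarize(sample))
}
```

A "tls-sni-only" result points at the server build, while "http-01-failed" points at the two checks listed in post #14.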

#15

And down the rabbit hole we go. I had an old Apache configuration listening on port 80 of the MM IP, which I have now disabled. But a new problem with Mattermost surfaced. When enabling 80to443 forwarding, Mattermost seems to grab port 80 on all network adapters, not only on the IP it is listening to; I have x.x.x.x:443 as the listen address. But even when I allow MM to grab all 80 ports, the error doesn’t go away.


#16

Can you verify that 80 and 443 are open to the world?

Can you post the full logs you’re getting now? In your first post you say it says “tried [“tls-sni-02” “tls-sni-01”]” but later you say “[“tls-sni-02” “tls-sni-01” “http-01”]”; just wondering which you’re getting now.


#17

I think my problem is not really with letsencrypt but with the way Mattermost binds port 80 or not: https://github.com/mattermost/mattermost-server/issues/8291


#18

Hi @Twilek,

I’ll close this issue off here for now then and we can track via the GitHub issue you’ve linked above (for which there is a ticket scheduled for v4.8