Troubleshooting - w2c/letsencrypt-esxi GitHub Wiki
Potential Issues
Let's Encrypt error while issuing a certificate
Problem
- When running /etc/init.d/w2c-letsencrypt-esxi start, the Let's Encrypt output shows:
Response: <urlopen error [Errno -3] Temporary failure in name resolution>
Resolution
- Ensure that the domain name you want to acquire a certificate for resolves to an Internet-reachable IP address.
No Let's Encrypt certificate after installation
Problem
- Still self-signed certificate
- Error upon installation: Remote end closed connection without response
$ cat /var/log/syslog.log | grep w2c
2022-05-16T12:28:01Z /opt/w2c-letsencrypt/renew.sh: Starting certificate renewal.
2022-05-16T12:28:03Z /opt/w2c-letsencrypt/renew.sh: Existing cert for example.com not issued by Let's Encrypt. Requesting a new one!
2022-05-16T12:28:11Z /opt/w2c-letsencrypt/renew.sh: Error: No cert obtained from Letsencrypt. Generating a self-signed certificate.
Resolution
- Run the script manually and observe the output:
/etc/init.d/w2c-letsencrypt start
- Sometimes errors are shown upon first run (only) as the certificate retrieval adds a delay during VIB installation.
- Check if the hostname is indeed reachable via defined A and/or AAAA records. If not, it will look like this:
Starting certificate renewal.
Existing cert for example.com not issued by Let's Encrypt. Requesting a new one!
Generating RSA private key, 4096 bit long modulus
****************************************************************************************************************++++
********************************************************************************************************++++
e is 65537 (0x10001)
Parsing account key...
Parsing CSR...
...
ValueError: Wrote file to /opt/w2c-letsencrypt/.well-known/acme-challenge/StMcbQ0ONjXWbFWhpvCUQ21NeVjEVUDG2C--fBFQ9Q8, but couldn't download http://example.com/.well-known/acme-challenge/StMcbQ0ONjXWbFWhpvCUQ21NeVjEVUDG2C--fBFQ9Q8: Error:
Url: http://example.com/.well-known/acme-challenge/StMcbQ0ONjXWbFWhpvCUQ21NeVjEVUDG2C--fBFQ9Q8
Data: None
Response Code: None
Response: <urlopen error [Errno -2] Name or service not known>
Error: No cert obtained from Letsencrypt. Generating a self-signed certificate.
AcceptanceConfigError
During VIB Installation
Problem
$ esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib
[AcceptanceConfigError]
VIB web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0's acceptance level is community, which is not compliant with the ImageProfile acceptance level partner
To change the host acceptance level, use the 'esxcli software acceptance set' command.
Please refer to the log file for more details.
Alternatively, the error could look like this:
VIB (web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0) failed a check of extensibility rules for acceptance level 'community': [u'(line 23: col 0) Element vib failed to validate content'].
Resolution
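A) Install with the -f flag: esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
B) Before installation, set: esxcli software acceptance set --level=CommunitySupported
Option A bypasses the check for this one install and leaves the host acceptance level unchanged; option B lowers the acceptance level for the whole host, so later installs of other community-level VIBs also pass the check.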
When trying to set acceptance level PartnerSupported
Problem
$ esxcli software acceptance set --level=PartnerSupported
[AcceptanceConfigError]
Unable to set acceptance level of partner due to installed VIBs web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0 having a lower acceptance level.
Please refer to the log file for more details.
Resolution
esxcli software vib remove -n w2c-letsencrypt-esxi
esxcli software acceptance set --level=PartnerSupported
esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
Error during ESXi Upgrade
Problem
An ESXi upgrade via console stops with the following error:
VIB web-wack-creations_bootbank_w2c-letsencrypt-esxi_1.0.0-0.0.0's acceptance level is community, which is not compliant with the ImageProfile acceptance level partner
Resolution
A) Change the acceptance level to CommunitySupported and then repeat the update procedure:
esxcli software acceptance set --level=CommunitySupported
B) Remove w2c-letsencrypt-esxi, then update the host, and re-install it afterwards:
esxcli software vib remove -n w2c-letsencrypt-esxi
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-7.0U1d-17551050-standard
esxcli software vib install -v /tmp/w2c-letsencrypt-esxi.vib -f
C) Use the -f option to bypass the acceptance level check, e.g.:
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-7.0U1d-17551050-standard -f
Hostname is no FQDN
Problem
$ cat /var/log/syslog.log | grep w2c
2022-05-16T12:24:08Z /opt/w2c-letsencrypt/renew.sh: Error: Hostname asdf is no FQDN.
Resolution
Set an FQDN, then run the script again:
$ esxcfg-advcfg -s new-example.com /Misc/hostname
Value of HostName is new-example.com
$ /etc/init.d/w2c-letsencrypt start
Running 'start' action
Starting certificate renewal.
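
The hostname checks from the sections above (FQDN, A/AAAA resolution, Internet-reachable address) combined into one pre-flight function, as an added example that is not part of the w2c-letsencrypt-esxi project. The FQDN rule, the function names and the constructed DNS answers are assumptions made for illustration.

```python
import ipaddress
import re
import socket
import sys

# Assumption: an FQDN has at least two dot-separated DNS labels; the test
# that renew.sh itself applies may differ.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Constructed resolver answers (not real lookups) so the demo runs offline.
CONSTRUCTED_DNS = {"example.com": ["93.184.216.34"],
                   "esxi.example.com": ["192.168.1.10"]}


def constructed_resolver(host, port, proto=0):
    if host not in CONSTRUCTED_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, proto, "", (addr, port))
            for addr in CONSTRUCTED_DNS[host]]


def is_fqdn(name):
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LABEL.match(label) for label in labels)


def preflight(hostname, resolver=socket.getaddrinfo):
    """Return the problems that would stop HTTP-01 validation ([] if none)."""
    if not is_fqdn(hostname):
        return ["%s is no FQDN" % hostname]
    try:
        # Port 80: the challenge URL in this page's output is plain HTTP.
        infos = resolver(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return ["%s does not resolve: %s" % (hostname, exc)]
    addrs = sorted({info[4][0].split("%")[0] for info in infos})
    # The CA connects from the Internet, so private, loopback or link-local
    # answers fail validation even though they resolve on the local network.
    return ["%s resolves to non-global address %s" % (hostname, addr)
            for addr in addrs if not ipaddress.ip_address(addr).is_global]


if __name__ == "__main__":
    # With a hostname argument use real DNS; without one use constructed data.
    if len(sys.argv) > 1:
        print(preflight(sys.argv[1]) or "no problems found")
    else:
        for host in ("asdf", "example.com", "esxi.example.com", "nx.example.com"):
            print(host, "->", preflight(host, constructed_resolver) or "ok")
```

A clean result only reflects the resolver of the machine running the check; with split-horizon DNS the public answer can differ, so run it from a network outside your own as well.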