snikket-im / snikket-server
Image builder for Snikket server
Home Page: https://snikket.org/service/
License: Apache License 2.0
Currently Prosody is configured to use the internal backend for everything, including archives. This works fine for most setups, especially given the default retention period of 7 days.
Switching to SQLite would:
I'm not sure if the apps use it, but it would be the correct thing to do, protocol-wise.
Normally, when one of your roster entries is not reachable via s2s, a type="error" presence stanza is generated for them with the error message indicating the s2s error and this stanza is sent to the client during the initial presence phase.
For isolated users, the behaviour for non-local roster entries should be similar to mirror normal s2s issues. Again, not sure if the apps use it in any way.
Hi,
I'm trying to install snikket server and each time I get a "Challenge failed for domain esmailelbob.xyz"
error when snikket starts to run Let's Encrypt, but what is odd is that when I run the certbot
command outside docker it works just great, so I'm not sure what causes it to break inside docker...
My domain is: esmailelbob.xyz
I ran this command: docker-compose up
It produced this output:
root@debian:~/docker-compose/snikket# docker-compose exec snikket_certs cat /var/log/letsencrypt/letsencrypt.log
2021-12-23 11:24:46,874:DEBUG:certbot.main:certbot version: 0.31.0
2021-12-23 11:24:46,875:DEBUG:certbot.main:Arguments: ['-n', '--webroot', '--webroot-path', '/var/www', '--cert-path', '/etc/ssl/certbot', '--keep', '--agree-tos', '--email', '[email protected]', '--expand', '--allow-subset-of-names', '--config-dir', '/snikket/letsencrypt', '--domain', 'esmailelbob.xyz', '--domain', 'share.esmailelbob.xyz', '--domain', 'groups.esmailelbob.xyz']
2021-12-23 11:24:46,876:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2021-12-23 11:24:46,885:DEBUG:certbot.log:Root logging level set at 20
2021-12-23 11:24:46,885:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-23 11:24:46,886:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-12-23 11:24:46,887:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f1668414a20>
Prep: True
2021-12-23 11:24:46,887:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f1668414a20> and installer None
2021-12-23 11:24:46,887:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-12-23 11:24:46,906:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-23 11:24:46,908:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
2021-12-23 11:24:47,639:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
2021-12-23 11:24:47,640:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:47 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"9oS3c7MMyNc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
"keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
"meta": {
"caaIdentities": [
"letsencrypt.org"
],
"termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
"website": "https://letsencrypt.org"
},
"newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
"newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
"newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
"revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-12-23 11:24:47,641:DEBUG:acme.client:Requesting fresh nonce
2021-12-23 11:24:47,641:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
2021-12-23 11:24:47,873:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
2021-12-23 11:24:47,874:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:47 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 01024D8CJCkI7ia2pnf-BDRojQjemNIVn-GNtAZBJRSzABw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
2021-12-23 11:24:47,874:DEBUG:acme.client:Storing nonce: 01024D8CJCkI7ia2pnf-BDRojQjemNIVn-GNtAZBJRSzABw
2021-12-23 11:24:47,874:DEBUG:acme.client:JWS payload:
b'{\n "contact": [\n "mailto:[email protected]"\n ],\n "termsOfServiceAgreed": true,\n "resource": "new-reg"\n}'
2021-12-23 11:24:47,882:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-acct:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAiandrIjogeyJuIjogIndnNDBmZ0hpbmdXaExmNloyQW1aU0hfanphcHktNDdVZE1aTWZjZ2wySmsyNkFjTVFNdTM4Mm5KeS16YzJTUXp0OG1CZnZwZEE0dFFFblhYQUlOelJrNU8zWHhtSUtQc3FZMW92enhlN0JTcFFTSzlxRENmUHFQNWdKMHFpVTQ0c2xneExMdnZzbDFCVEVxd0lFa3FYcTB3UW03RUMyS0Ftd1FkeHZ3SVR3RWVfVXpkanU1MlZJM3I1V3J0OVRobFlSa25hS280UkhCeHJNN1IxdVFtbC11UnYtbkdXbWxPSUhDUEFCb2V6M1BXMy00QzduRWpkcnh6RTdhQ1BzSFNUZ2VJVklkR0I5UHVyaTFuSHk1THYwSVd5SEgweXQ5MFJ1UndkdXJxY3dZbTVYampmeXppaDBKbFBWM2xfenR5T1VuanRIWnFySkdybERRa3dYSU0ydyIsICJlIjogIkFRQUIiLCAia3R5IjogIlJTQSJ9LCAibm9uY2UiOiAiMDEwMjREOENKQ2tJN2lhMnBuZi1CRFJvalFqZW1OSVZuLUdOdEFaQkpSU3pBQnciLCAidXJsIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL25ldy1hY2N0In0",
"signature": "Ku9Hy4L93FrRlGTbjBqgZQTHlvJk3mC3RGvw2x9tv1GjKwa9iIUcsiv1rNAD8_tarftnYD5XMedcBuHyk2om9Yxz-YAuq6TclqQKm1pg0s1EVqAP7WYsDV30YN2zS6AiwV-s5cSk6DCLMA8XnkHOV7So22PlMgJBPlGIla__CkJQHLP3SN82mFOtrRrkd9_sqZYmFnZWQzRKgFLksQ6EeA32SyPT97T01XYO3sKj3ZQYNPRA81-YQN2NRyOfa5Bm9BzJ1dr3YfheVGir0yOaVmlvMSw2aS9m3VYfqxF1oNtsYPhEhhQq_c0_XAtaWPYsn1Bm4cMiMAD82Sxzp8-1Zw",
"payload": "ewogICJjb250YWN0IjogWwogICAgIm1haWx0bzplc21haWxAZXNtYWlsZWxib2IueHl6IgogIF0sCiAgInRlcm1zT2ZTZXJ2aWNlQWdyZWVkIjogdHJ1ZSwKICAicmVzb3VyY2UiOiAibmV3LXJlZyIKfQ"
}
2021-12-23 11:24:48,190:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-acct HTTP/1.1" 201 563
2021-12-23 11:24:48,191:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 23 Dec 2021 11:24:48 GMT
Content-Type: application/json
Content-Length: 563
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf>;rel="terms-of-service"
Location: https://acme-v02.api.letsencrypt.org/acme/acct/333092700
Replay-Nonce: 01022RqoflNyfXzVh7FyTUNKzppiFdME-ZDQ02KZkQE9BEc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"key": {
"kty": "RSA",
"n": "wg40fgHingWhLf6Z2AmZSH_jzapy-47UdMZMfcgl2Jk26AcMQMu382nJy-zc2SQzt8mBfvpdA4tQEnXXAINzRk5O3XxmIKPsqY1ovzxe7BSpQSK9qDCfPqP5gJ0qiU44slgxLLvvsl1BTEqwIEkqXq0wQm7EC2KAmwQdxvwITwEe_Uzdju52VI3r5Wrt9ThlYRknaKo4RHBxrM7R1uQml-uRv-nGWmlOIHCPABoez3PW3-4C7nEjdrxzE7aCPsHSTgeIVIdGB9Puri1nHy5Lv0IWyHH0yt90RuRwdurqcwYm5Xjjfyzih0JlPV3l_ztyOUnjtHZqrJGrlDQkwXIM2w",
"e": "AQAB"
},
"contact": [
"mailto:[email protected]"
],
"initialIp": "41.45.73.75",
"createdAt": "2021-12-23T11:24:48.047153714Z",
"status": "valid"
}
2021-12-23 11:24:48,191:DEBUG:acme.client:Storing nonce: 01022RqoflNyfXzVh7FyTUNKzppiFdME-ZDQ02KZkQE9BEc
2021-12-23 11:24:48,194:DEBUG:certbot.reporter:Reporting to user: Your account credentials have been saved in your Certbot configuration directory at /snikket/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
2021-12-23 11:24:48,197:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f16683c2208>)>), contact=('mailto:[email protected]',), agreement=None, status='valid', terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/333092700', new_authzr_uri=None, terms_of_service='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'), 9fe9db839755f5eb7ecf4314ede22ce2, Meta(creation_dt=datetime.datetime(2021, 12, 23, 11, 24, 48, tzinfo=<UTC>), creation_host='bd51503ea3b4'))>
2021-12-23 11:24:48,198:INFO:certbot.main:Obtaining a new certificate
2021-12-23 11:24:48,326:DEBUG:certbot.crypto_util:Generating key (2048 bits): /snikket/letsencrypt/keys/0000_key-certbot.pem
2021-12-23 11:24:48,331:DEBUG:certbot.crypto_util:Creating CSR: /snikket/letsencrypt/csr/0000_csr-certbot.pem
2021-12-23 11:24:48,332:DEBUG:acme.client:JWS payload:
b'{\n "identifiers": [\n {\n "type": "dns",\n "value": "esmailelbob.xyz"\n },\n {\n "type": "dns",\n "value": "share.esmailelbob.xyz"\n },\n {\n "type": "dns",\n "value": "groups.esmailelbob.xyz"\n }\n ]\n}'
2021-12-23 11:24:48,336:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDIyUnFvZmxOeWZYelZoN0Z5VFVOS3pwcGlGZE1FLVpEUTAyS1prUUU5QkVjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
"signature": "k_gH-m9vCTnHPtzRQVkvR3uq4ZAkbVOmYOCAk3sr_1KNI5ZEiVt9p0XPB3YGZ_jTEt20qKvMySapyVPeJiAfuxgSrRmy7UkHw2h6IlJeihBgAHlzyxp4jzXuVeMZ9yhMXKzWJuKUtldWFI9mEBElyi8stCm52RQtikwAiUjrdvpQaMRXC5nNzuNg3GOveRBm3moFSZ6_6frif5D_hMl65BUqZQUgHOZ1nTGQ5_gqReTUeBRSZTBt_DV89_oieg4QkKm5VAzvWOUoa3vDSsCGFnYB3wsHiPVgPmsQjXEUx1UjYA6QNlUeTj4gKoUY1Ge0x8Sy8FXKyuK5U-cVbuBf1A",
"payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogImVzbWFpbGVsYm9iLnh5eiIKICAgIH0sCiAgICB7CiAgICAgICJ0eXBlIjogImRucyIsCiAgICAgICJ2YWx1ZSI6ICJzaGFyZS5lc21haWxlbGJvYi54eXoiCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAiZ3JvdXBzLmVzbWFpbGVsYm9iLnh5eiIKICAgIH0KICBdCn0"
}
2021-12-23 11:24:48,791:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 201 625
2021-12-23 11:24:48,792:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Date: Thu, 23 Dec 2021 11:24:48 GMT
Content-Type: application/json
Content-Length: 625
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Location: https://acme-v02.api.letsencrypt.org/acme/order/333092700/49524646720
Replay-Nonce: 0101FGuh9KEfbz3sFVtAhwazLhkIHdmfutTi_EVrkGE6bBU
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"status": "pending",
"expires": "2021-12-30T11:24:48Z",
"identifiers": [
{
"type": "dns",
"value": "esmailelbob.xyz"
},
{
"type": "dns",
"value": "groups.esmailelbob.xyz"
},
{
"type": "dns",
"value": "share.esmailelbob.xyz"
}
],
"authorizations": [
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730",
"https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740"
],
"finalize": "https://acme-v02.api.letsencrypt.org/acme/finalize/333092700/49524646720"
}
2021-12-23 11:24:48,792:DEBUG:acme.client:Storing nonce: 0101FGuh9KEfbz3sFVtAhwazLhkIHdmfutTi_EVrkGE6bBU
2021-12-23 11:24:48,793:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:48,796:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDFGR3VoOUtFZmJ6M3NGVnRBaHdhekxoa0lIZG1mdXRUaV9FVnJrR0U2YkJVIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTcyMCJ9",
"signature": "IG_Oi8_IPnbxQDz3-VbN0VUb20NVxm9XcRaE6JkTof5JSg5B3Sm3ruxWBQtUazc0VGQNOb3AQedUF75mrN0aIg3ZX1mXdcVc3DM6_xXqXI0_NkpnjYFgKWoSBQTv4lattDoHJFJam9x4Z7p-7rkY43_x70bMWsMHpFj4CySSFgeWdwvU62uVbC8a1LyyudwDBO6VKeEsefDtV9Hff6z_gx0mkf8SGsrUNqlxetzaVjyT5aACdCPbFpzjLPRGlbmruk3b7NrG8gVh5XNzZYbGAOUeDMRmSSTEVd4lOMLuA89JBobL3Ni2f9L5sAYPka9qk-eduxN-JkeKte6Na0q1lw",
"payload": ""
}
2021-12-23 11:24:49,049:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735720 HTTP/1.1" 200 796
2021-12-23 11:24:49,049:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:48 GMT
Content-Type: application/json
Content-Length: 796
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102gQSkUgVDr2oSgIIApTU7ov0BDzB7qKc5z22veZxAxB4
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "esmailelbob.xyz"
},
"status": "pending",
"expires": "2021-12-30T11:24:48Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw",
"token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/Ybnufg",
"token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/AL-zhA",
"token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
}
]
}
2021-12-23 11:24:49,049:DEBUG:acme.client:Storing nonce: 0102gQSkUgVDr2oSgIIApTU7ov0BDzB7qKc5z22veZxAxB4
2021-12-23 11:24:49,050:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:49,053:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJnUVNrVWdWRHIyb1NnSUlBcFRVN292MEJEekI3cUtjNXoyMnZlWnhBeEI0IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTczMCJ9",
"signature": "QZLNgeVv7oi8R0I-Xd_Hn2Eihw_7oXZLBre9XbhZTVtakgzAqeDzMSv-voMI3Sp-nlWX6BOfdjPjUEer4F3CakfTEoDl7sUcLHtmsQNkQZZvoIO9cy3AU0od2_dRqpcF3FzcBiXKAMvavciazuIBh6WWOhztV5K1S_rnhiMfFTaaENGcmchob9g-NaXPsKM_EMxqq7VNWt_7n108kPhhF-UtHKXPMAfLtTy_fcWOgpREwoOqsZnvbwug6Ic80ffIDUGXxUMuKqQAF3YZfWgf1q23vENhlMKylmS6_7YsGTLPJ5iltuDowCT0bWDT2d96YJ8aBSA6zefau1FlKESEgg",
"payload": ""
}
2021-12-23 11:24:49,300:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735730 HTTP/1.1" 200 803
2021-12-23 11:24:49,301:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:49 GMT
Content-Type: application/json
Content-Length: 803
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102OItbcbZpB4ENwEMUrQUhTBTSMQ7lKB-LlBbGZYVnBZY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "groups.esmailelbob.xyz"
},
"status": "pending",
"expires": "2021-12-30T11:24:48Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ",
"token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/5JBLXw",
"token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/Akoo8g",
"token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
}
]
}
2021-12-23 11:24:49,301:DEBUG:acme.client:Storing nonce: 0102OItbcbZpB4ENwEMUrQUhTBTSMQ7lKB-LlBbGZYVnBZY
2021-12-23 11:24:49,302:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:49,306:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJPSXRiY2JacEI0RU53RU1VclFVaFRCVFNNUTdsS0ItTGxCYkdaWVZuQlpZIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTc0MCJ9",
"signature": "YCe7OjpDARTBZ0cFmtsMaEqXXnY3gxPAdj6cDLjqa-jz9dmMIW4cylc_Kdw2HElC4LX17Wmy4pEIahytr2XHI_SZGDuktsce6UFLbnmNtuqVSIy6caE-jtRF93r-CJ657W8NfqWWo0s6RkeDnweTsDaYTQA2IPZvdRJX3c2oD-FyUNRc4pPS1jK48xhI83uLDv-P9R8uPYpxhrW_IoifyL54g6sqY8vYG_Fl8ReAOl2aKaXd8ol3Vkl6fGDC3P1Drm-Wc4M6SvN8CNiGCvKN3vPYqFzgt_whGMgQCLYKxE6ex87_nhfvf9WzlqMFsurh_qur-x_sBRTvUMxF7B1t7A",
"payload": ""
}
2021-12-23 11:24:49,589:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735740 HTTP/1.1" 200 802
2021-12-23 11:24:49,590:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:49 GMT
Content-Type: application/json
Content-Length: 802
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102_qRICkGs96_Z92W3jhZDhTa44Yil9Cj2_Y0HXNzwN9I
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "share.esmailelbob.xyz"
},
"status": "pending",
"expires": "2021-12-30T11:24:48Z",
"challenges": [
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ",
"token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
},
{
"type": "dns-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/pfcguA",
"token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
},
{
"type": "tls-alpn-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/K4SXxA",
"token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
}
]
}
2021-12-23 11:24:49,590:DEBUG:acme.client:Storing nonce: 0102_qRICkGs96_Z92W3jhZDhTa44Yil9Cj2_Y0HXNzwN9I
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:Performing the following challenges:
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:http-01 challenge for esmailelbob.xyz
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:http-01 challenge for groups.esmailelbob.xyz
2021-12-23 11:24:49,591:INFO:certbot.auth_handler:http-01 challenge for share.esmailelbob.xyz
2021-12-23 11:24:49,592:INFO:certbot.plugins.webroot:Using the webroot path /var/www for all unmatched domains.
2021-12-23 11:24:49,592:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/.well-known/acme-challenge
2021-12-23 11:24:49,592:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/.well-known/acme-challenge
2021-12-23 11:24:49,592:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/.well-known/acme-challenge
2021-12-23 11:24:49,597:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE
2021-12-23 11:24:49,601:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4
2021-12-23 11:24:49,606:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY
2021-12-23 11:24:49,606:INFO:certbot.auth_handler:Waiting for verification...
2021-12-23 11:24:49,606:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
2021-12-23 11:24:49,610:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJfcVJJQ2tHczk2X1o5MlczamhaRGhUYTQ0WWlsOUNqMl9ZMEhYTnp3TjlJIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MTIzMTczNTcyMC9vZ3BxR3cifQ",
"signature": "ObM5xKXrTuLrAyufaRVi2p5g5uLCotOAwik4v_IAZ4VfVMUHMpVleTwJoNw4UiPAF6S2GQePQi1SC8aJdmI1Jjg-sb_IKzsfA5Szv_-cqBOPtjSeCdBvQEsiwGt6aCRueZqB64_-nkcRqci9Zueb03lGhAbs6dpib5-4hntdwGKbgqJMssLx3ZV2SzoWAB9-fKoey5LW9IfeuWQJzodDDhwK4sD9C5wAF1v0RMqSUzi7PKELjTT4rJY86XvIq2ZaU2KNSxQpLH_4LApLoIGjVHT1YSYb3buv9u75W9e8FOR_4Lr_NdjiD4FwXStISX8aeIY-pRkcNThvk2jIUruXJw",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-12-23 11:24:49,874:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/61231735720/ogpqGw HTTP/1.1" 200 186
2021-12-23 11:24:49,875:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:49 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw
Replay-Nonce: 01029lL3UwbyresHdDVITqP59aHZaLI2p0L74D4MZuYqQv8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw",
"token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE"
}
2021-12-23 11:24:49,875:DEBUG:acme.client:Storing nonce: 01029lL3UwbyresHdDVITqP59aHZaLI2p0L74D4MZuYqQv8
2021-12-23 11:24:49,876:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
2021-12-23 11:24:49,880:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDI5bEwzVXdieXJlc0hkRFZJVHFQNTlhSFphTEkycDBMNzRENE1adVlxUXY4IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MTIzMTczNTczMC9Xc0hiaFEifQ",
"signature": "H5Jb1ODu5fYftg7a3AhGejm9YdBp5ftAlfwRpfBi7znLAD4BC1lC1vDNipbim56XKiBTNm8NJTQ2jyIHG_fZER5hoRjDEXct3umgBGn5bjR6mDcsITbp4qySSDCIPNmEu6KHW09QpuRhSvqCo_zD0C-DGEl3NPpi9bIn71_3sOo5XFoqXS_UxZtXWqhlA1D9I8HrxnrI0ZsWslSQlk2dyR7ViiXphmmv-zXvdjFl1iT50VCl_uk6pwtgwoE-8WsRFG6otHnNdaHsKvG0YX45LlBc3uYzgHSJOOWVVF7Ah0a5rW-eSgeri-MsgvhxYtH9lCLjrj4hznWcjSfZP21xCA",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-12-23 11:24:50,143:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/61231735730/WsHbhQ HTTP/1.1" 200 186
2021-12-23 11:24:50,143:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:50 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ
Replay-Nonce: 0102MX_Al5PRUdyuulILm3HHejPx79W1WIjNOpoyKzbC4Uc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ",
"token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4"
}
2021-12-23 11:24:50,143:DEBUG:acme.client:Storing nonce: 0102MX_Al5PRUdyuulILm3HHejPx79W1WIjNOpoyKzbC4Uc
2021-12-23 11:24:50,144:DEBUG:acme.client:JWS payload:
b'{\n "resource": "challenge",\n "type": "http-01"\n}'
2021-12-23 11:24:50,148:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJNWF9BbDVQUlVkeXV1bElMbTNISGVqUHg3OVcxV0lqTk9wb3lLemJDNFVjIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9jaGFsbC12My82MTIzMTczNTc0MC9EWkEzRlEifQ",
"signature": "j2MI2TkllaRAI2lrRzJy92f23q9a4ndpxuRbFadaw9GuIjR6ZU1oSnGtHy9VKk_PJdch4N9egR2xxiuKvZ0jVZBA1f5-RizyuI4I70bic7ep7o5HHj4VYdYlvEDNjTN_seGO924b1wq2yE8BZoRhD251XHVlfz8_hCqxmp273u83P97jArmBF1-SobXwvYrDfJhN3pAMOXQrxDZWmT8raSAbR4slT0SD8v3XdM2BcYenQ30w2BVcKNS060D_zkNyG7Mp0W9DpEv-XNS6pGdV0EmNteIentGAlXp2_lnvXhIj8a_LPgz9Wwc1JPlrJLFsMgmythGJyAW5JkdyqhUTGA",
"payload": "ewogICJyZXNvdXJjZSI6ICJjaGFsbGVuZ2UiLAogICJ0eXBlIjogImh0dHAtMDEiCn0"
}
2021-12-23 11:24:50,412:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/chall-v3/61231735740/DZA3FQ HTTP/1.1" 200 186
2021-12-23 11:24:50,413:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:50 GMT
Content-Type: application/json
Content-Length: 186
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index", <https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740>;rel="up"
Location: https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ
Replay-Nonce: 0102bENB-1haWJs5eJ4_4i4tTKxttSE4H4UlfwMRK7sDcPw
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"type": "http-01",
"status": "pending",
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ",
"token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY"
}
2021-12-23 11:24:50,413:DEBUG:acme.client:Storing nonce: 0102bENB-1haWJs5eJ4_4i4tTKxttSE4H4UlfwMRK7sDcPw
2021-12-23 11:24:53,416:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:53,420:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735720:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDJiRU5CLTFoYVdKczVlSjRfNGk0dFRLeHR0U0U0SDRVbGZ3TVJLN3NEY1B3IiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTcyMCJ9",
"signature": "XS_tMV-LCU1aM8tSk6y4OIKCkWuNsocLvyhE5zIefOHINUJM_xZsT8AvnQDRDLkHbKntmB8HArj9UxjN2soGYZu0P2EPBN10hFj8-ZOGUekChvW8e37e2SS8FXgPaOqzLFS6zbI-hAPcAbBXwKqtE2MFGuwAPEzC8NmGzhxFB_gFkmE2AlS26E3hjqSNxYCm1YSp721LfSo0ZpshwVmX1PbCn93P_Ev3LPwJucqg2fsuQTDO7CJdftzabarlfzTy5DE8QHDMqcTlY2O-RVzLkJI8aEre-DMG61qz7bMPkDxJL5HlhIOnWA5rLQY_EeZGApWpa4w_VdXEH2rrqyowZA",
"payload": ""
}
2021-12-23 11:24:53,671:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735720 HTTP/1.1" 200 1245
2021-12-23 11:24:53,672:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:53 GMT
Content-Type: application/json
Content-Length: 1245
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101Q8UcQPElRR0zcrhAPrepbfyTrB4rQhb6h3IjnQH_o2s
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "esmailelbob.xyz"
},
"status": "invalid",
"expires": "2021-12-30T11:24:48Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://esmailelbob.xyz/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE [41.45.73.75]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\t\u003chead\u003e\\n\\t\\t\\n\\t\\t\u003ctitle\u003eError: Nothing here\u003c/title\u003e\\n\\t\\t\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735720/ogpqGw",
"token": "PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE",
"validationRecord": [
{
"url": "http://esmailelbob.xyz/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE",
"hostname": "esmailelbob.xyz",
"port": "80",
"addressesResolved": [
"41.45.73.75"
],
"addressUsed": "41.45.73.75"
}
],
"validated": "2021-12-23T11:24:49Z"
}
]
}
2021-12-23 11:24:53,672:DEBUG:acme.client:Storing nonce: 0101Q8UcQPElRR0zcrhAPrepbfyTrB4rQhb6h3IjnQH_o2s
2021-12-23 11:24:53,672:WARNING:certbot.auth_handler:Challenge failed for domain esmailelbob.xyz
2021-12-23 11:24:53,673:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:53,677:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735730:
{
"protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzMzMDkyNzAwIiwgIm5vbmNlIjogIjAxMDFROFVjUVBFbFJSMHpjcmhBUHJlcGJmeVRyQjRyUWhiNmgzSWpuUUhfbzJzIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My82MTIzMTczNTczMCJ9",
"signature": "MYE9SjLWAv8Wot4_ZqLJQf6pDWalWiwh-bYsCqAIhUUYajjHH1Wq6Y80u9S_jlssUDXaFyXmn-2W7Qcwk-QYQll6H7j-Tiy-Vp1OHOqFr_GWF1hWyqMC-YsfrR8FIAgKw6M9yvRJyoFDYDV8vJK6E50jOi0EM2rEh26j2EqChk3aTv_YtIopy-zfwhaQmI3v2Zzvl0fDgg9_LkgjYiIkonrmHsQ0cROlT-E8IMpLj_XUQrznKCZ1vZXaneVC3C7zfuOgcmhB6fQP_ijK7DuY94favjFVyyNxxv2bVS-lp-o7P0QJ5a2uKTyFmmB5j5GwJODzO2RnZ76xMYR2t3dllQ",
"payload": ""
}
2021-12-23 11:24:53,945:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735730 HTTP/1.1" 200 1273
2021-12-23 11:24:53,946:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:53 GMT
Content-Type: application/json
Content-Length: 1273
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101gTDVNGVFpUWlSrY06C65_S-84vHLdqXIvh4ffZvDzZc
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "groups.esmailelbob.xyz"
},
"status": "invalid",
"expires": "2021-12-30T11:24:48Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://groups.esmailelbob.xyz/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4 [41.45.73.75]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\t\u003chead\u003e\\n\\t\\t\\n\\t\\t\u003ctitle\u003eError: Nothing here\u003c/title\u003e\\n\\t\\t\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735730/WsHbhQ",
"token": "o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4",
"validationRecord": [
{
"url": "http://groups.esmailelbob.xyz/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4",
"hostname": "groups.esmailelbob.xyz",
"port": "80",
"addressesResolved": [
"41.45.73.75"
],
"addressUsed": "41.45.73.75"
}
],
"validated": "2021-12-23T11:24:49Z"
}
]
}
2021-12-23 11:24:53,946:DEBUG:acme.client:Storing nonce: 0101gTDVNGVFpUWlSrY06C65_S-84vHLdqXIvh4ffZvDzZc
2021-12-23 11:24:53,946:WARNING:certbot.auth_handler:Challenge failed for domain groups.esmailelbob.xyz
2021-12-23 11:24:53,947:DEBUG:acme.client:JWS payload:
b''
2021-12-23 11:24:53,949:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/61231735740:
2021-12-23 11:24:54,217:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/61231735740 HTTP/1.1" 200 1269
2021-12-23 11:24:54,218:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Thu, 23 Dec 2021 11:24:54 GMT
Content-Type: application/json
Content-Length: 1269
Connection: keep-alive
Boulder-Requester: 333092700
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0102wXDD4tzXS5PpK2T05nZydVoU4n86iXcXT3AZPBASw58
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
{
"identifier": {
"type": "dns",
"value": "share.esmailelbob.xyz"
},
"status": "invalid",
"expires": "2021-12-30T11:24:48Z",
"challenges": [
{
"type": "http-01",
"status": "invalid",
"error": {
"type": "urn:ietf:params:acme:error:unauthorized",
"detail": "Invalid response from http://share.esmailelbob.xyz/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY [41.45.73.75]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\\n\\t\u003chead\u003e\\n\\t\\t\\n\\t\\t\u003ctitle\u003eError: Nothing here\u003c/title\u003e\\n\\t\\t\u003cmeta http-equiv=\\\"Content-Type\\\" content=\\\"text\"",
"status": 403
},
"url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/61231735740/DZA3FQ",
"token": "QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY",
"validationRecord": [
{
"url": "http://share.esmailelbob.xyz/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY",
"hostname": "share.esmailelbob.xyz",
"port": "80",
"addressesResolved": [
"41.45.73.75"
],
"addressUsed": "41.45.73.75"
}
],
"validated": "2021-12-23T11:24:50Z"
}
]
}
2021-12-23 11:24:54,218:DEBUG:acme.client:Storing nonce: 0102wXDD4tzXS5PpK2T05nZydVoU4n86iXcXT3AZPBASw58
2021-12-23 11:24:54,219:WARNING:certbot.auth_handler:Challenge failed for domain share.esmailelbob.xyz
2021-12-23 11:24:54,219:DEBUG:certbot.error_handler:Calling registered functions
2021-12-23 11:24:54,219:INFO:certbot.auth_handler:Cleaning up challenges
2021-12-23 11:24:54,219:DEBUG:certbot.plugins.webroot:Removing /var/www/.well-known/acme-challenge/PAeFhIrEPptslvzVmkZeHzj_S1UahDUYVFq9Py043IE
2021-12-23 11:24:54,219:DEBUG:certbot.plugins.webroot:Removing /var/www/.well-known/acme-challenge/o91n9oezBXoxf28ZmWGU06-Kb4IL7olUzBatCygpuR4
2021-12-23 11:24:54,219:DEBUG:certbot.plugins.webroot:Removing /var/www/.well-known/acme-challenge/QOH1fDeT1z2cHMXF56Gn9t7AOzP5s6s2kmRcTS0eseY
2021-12-23 11:24:54,220:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2021-12-23 11:24:54,220:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/certbot", line 11, in <module>
load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 93, in handle_authorizations
"Challenges failed for all domains")
certbot.errors.AuthorizationError: Challenges failed for all domains
My web server is (include version): nginx
The operating system my web server runs on is (include version): debian 11
My hosting provider, if applicable, is: none, it's self hosted
I can login to a root shell on my machine (yes or no, or I don't know): yes
I'm using a control panel to manage my site (no, or provide the name and version of the control panel): no
The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 1.12.0
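A triage sketch for the kind of failure shown in the log above, added here as an example and not part of the original report, of Snikket or of certbot: it pulls the ACME authorization objects out of a certbot debug log and classifies each failed challenge. The sample log, domain, IP address and token are constructed placeholders, and the function names are hypothetical.

```python
import json

# Constructed log excerpt in the shape certbot writes at debug level.
# Domain, token and IP (documentation range) are placeholders.
SAMPLE_LOG = r'''2021-01-01 00:00:00,000:DEBUG:acme.client:Received response:
HTTP 200
Content-Type: application/json
{
  "identifier": {"type": "dns", "value": "share.example.com"},
  "status": "invalid",
  "challenges": [
    {
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:unauthorized",
        "detail": "Invalid response from http://share.example.com/.well-known/acme-challenge/TOKEN-PLACEHOLDER [203.0.113.10]: \"\u003c!DOCTYPE html\u003e\\n\u003chtml lang=\\\"en\\\"\u003e\"",
        "status": 403
      },
      "token": "TOKEN-PLACEHOLDER",
      "validationRecord": [
        {"hostname": "share.example.com", "port": "80",
         "addressesResolved": ["203.0.113.10"], "addressUsed": "203.0.113.10"}
      ]
    }
  ]
}
2021-01-01 00:00:01,000:WARNING:certbot.auth_handler:Challenge failed for domain share.example.com
'''

HTML_MARKERS = ("<!doctype", "<html")


def iter_json_objects(text):
    """Yield every top-level JSON object embedded between the log lines."""
    decoder = json.JSONDecoder()
    pos = 0
    while True:
        start = text.find("{", pos)
        if start == -1:
            return
        try:
            obj, end = decoder.raw_decode(text, start)
        except json.JSONDecodeError:
            pos = start + 1  # a brace that does not open valid JSON; keep scanning
            continue
        if isinstance(obj, dict):
            yield obj
        pos = end


def classify(error):
    """Map an ACME problem document to a short cause code and a hint."""
    kind = error.get("type", "").rsplit(":", 1)[-1]
    detail = error.get("detail", "").lower()
    if any(marker in detail for marker in HTML_MARKERS):
        return "html_response", ("the challenge URL returned an HTML page, so the request "
                                 "was not served from the webroot certbot wrote the token to")
    if kind == "connection":
        return "connection", "the validator could not reach the port: check firewall and forwarding"
    if kind == "dns":
        return "dns", "the name did not resolve: check the A/AAAA records"
    return "other", "read the error detail"


def triage_log(text):
    """Return one finding per failed challenge found in the log text."""
    findings = []
    for obj in iter_json_objects(text):
        if "challenges" not in obj:
            continue  # some other JSON body, e.g. a signed request
        domain = obj.get("identifier", {}).get("value", "?")
        for chall in obj["challenges"]:
            if chall.get("status") != "invalid":
                continue
            error = chall.get("error", {})
            records = chall.get("validationRecord") or [{}]
            cause, hint = classify(error)
            findings.append({
                "domain": domain,
                "challenge": chall.get("type"),
                "http_status": error.get("status"),
                "address": records[-1].get("addressUsed"),
                "port": records[-1].get("port"),
                "cause": cause,
                "hint": hint,
            })
    return findings


if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print(finding)
```

The `address` and `port` fields show which host the validator actually contacted, which is the first thing to compare against the machine that is supposed to serve the webroot.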
Currently, snikket does not enable bosh/websocket for use with converse.js.
Good day,
I'm trying to run the docker image of Snikket, but it is stuck at
snikket | Waiting for certificates...
Is there any way to disable cert-monitor.sh or otherwise circumvent the check?
I have configured HAProxy to solve the acme challenges using a separate certbot + acme.sh container, so it's not quite compatible with Snikket's built-in solution.
I received certificates for the following 3 domains:
groups.snikket.<myserver>
share.snikket.<myserver>
snikket.<myserver>
and tried pointing the container to the appropriate directory:
...
snikket_server:
...
volumes:
- <path_to_my_certs>:/etc/ssl/certbot
Yet it doesn't seem to help.
I'm quite new to the XMPP ecosystem, but I discovered that there is a web interface for using XMPP and that you already added the conversejs module here.
However, nothing is accessible on chat.example.com/conversejs, it returns me a 404.
What is still needed to deploy it? Do we need to add the module name to the configuration file? Is it sufficient?
From what I understand from the documentation there isn't much to be done. So maybe it could be a great improvement to have a web interface and have one XMPP web interface available on all desktops (GNU/Linux, Mac OS and Windows).
In certain circumstances the JMI proposal will be delivered into MAM, no clients will receive it until they come online, and the caller will be stuck until it times out.
Proposal:
We should consider tracking and rescuing proposals that get stuck in 198 queues as well.
These changes should reduce user frustration on the caller side. It also enables us to be more relaxed about displaying the call button even if no client is currently available (see e.g. snikket-im/snikket-ios#157).
The welcome message currently includes the server admin's email address. This is already good.
But wouldn't it be useful to also include the admin's xmpp URI in this welcome message? Maybe as a clickable link. Clickable link comes for free when adding the xmpp: URI scheme.
Same would be for email - but mailto: is currently not handled by snikket (or even upstream conversations)
Having this clickable link would reduce the barrier to contact the admin for questions by a lot.
I guess for the small instances this is anyway going to be the person who sent you the individual invite, but if there is e.g. a soccer club, this might get a bit more anonymous.
Hei there
Thanks for developing such a great project. I'd really like to host a snikket server but my web server set up is based on traefik as a reverse proxy. Would it be possible to add some sort of guide or example conf-file for traefik?
https://doc.traefik.io/traefik/
Thanks in advance.
I'd like to invite users of other xmpp servers to my groupchat on my snikket server. I don't seem to be allowed to do this? gajim does not let me configure the chatroom.
Hi. Please, add support and instructions to the reverse proxy section for Caddy web server.
Caddy is a web server commonly used by self-hosters. After trying for a few days, I have not been able to make it work with snikket.
Caddy:
Thank you for your work and effort. Snikket is a great project
I am currently testing the invites API and found a small mistake in the documentation at https://modules.prosody.im/mod_invites_api.
The command
prosodyctl mod_invites_api create example.com "My test key"
should be
prosodyctl mod_invites_api example.com create "My test key"
Thanks for developing snikket 👍
When I try to run the container on a raspberry I get "Error response from daemon: Container is restarting, wait until the container is running". docker logs --tail 50 --follow --timestamps snikket returns "exec user process caused: exec format error". Googling a bit it seems that happens when you're trying to run adm packages on arm. I'm just confused as the quick setup explicitly says "For the server [...] you can use a physical device such as a Raspberry Pi." Is the raspberry not supported yet?
This issue is to track enabling IPv6 by default in the snikket-server image. It can currently be enabled by setting the environment variable SNIKKET_TWEAK_IPV6=1.
There are some hurdles. Docker does not enable IPv6 by default, which means it will be broken unless the admin explicitly enables it. This probably (hopefully?) doesn't affect host network mode, which is currently in use but changing this back has been discussed, e.g. in snikket-im/snikket-web-portal#72
Another consideration is lack of "happy eyeballs" support in Prosody. Certain network configuration issues/malfunctions may cause undesirable user experiences with federation. I think work on this should be prioritized.
When changing the role of a user in the web portal, their current XMPP connections are killed to let the changes take effect, but web portal sessions continue to live on.
This means that I can nicely test everything with my own user because I can change my role to Limited and have it take effect in the app without de-admin-ing myself in the portal :). However, obviously this is a problem in real deployments, because in a bad situation, you might want to be able to take admin permissions away immediately, without the subject being able to do things with those permissions afterward (such as restoring their admin permissions and taking yours away).
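One way to close the gap described above, as an added sketch that is not the web portal's code: bind each portal session to a per-user counter that is bumped on every role change, and look the role up on each request instead of caching it in the session. The class, method and role names are hypothetical.

```python
import secrets


class PortalSessions:
    """Hypothetical in-memory model of portal accounts and login sessions."""

    def __init__(self):
        self._users = {}     # username -> {"role": str, "epoch": int}
        self._sessions = {}  # token -> (username, epoch seen at login)

    def add_user(self, username, role):
        self._users[username] = {"role": role, "epoch": 0}

    def login(self, username):
        # Password check omitted; the point is what the session is bound to.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (username, self._users[username]["epoch"])
        return token

    def set_role(self, username, role):
        user = self._users[username]
        user["role"] = role
        user["epoch"] += 1  # every session issued before this moment is now stale

    def role_for(self, token):
        """Return the caller's current role, or None if the session is not valid."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        username, epoch_at_login = entry
        user = self._users.get(username)
        if user is None or user["epoch"] != epoch_at_login:
            self._sessions.pop(token, None)  # drop the stale session
            return None
        return user["role"]  # looked up per request, never cached in the session

    def require_admin(self, token):
        return self.role_for(token) == "admin"


def demo():
    """Walk through the scenario: demote an admin who still holds a session."""
    portal = PortalSessions()
    portal.add_user("alice", "admin")
    old = portal.login("alice")
    before = portal.require_admin(old)   # session issued while alice was admin
    portal.set_role("alice", "limited")
    after = portal.require_admin(old)    # same session, after the demotion
    fresh = portal.role_for(portal.login("alice"))
    return before, after, fresh


if __name__ == "__main__":
    print(demo())
```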
Hello,
I installed Snikket on a server and also installed the Snikket app through F-Droid. It all worked well.
I know Snikket is still on Alpha, but is it possible to allow backups?
To do this I think we should make the Docker volume available on the host. What is required to be backed up? On Prosody's documentation I read /etc/prosody, but maybe as Snikket already configures everything it is not needed and /var/lib/prosody is empty in the container.
However, there is plenty of files in /snikket. Should we backup this entire folder? Or maybe only subfolders like /snikket/prosody/chat.example.com/accounts?
I have never managed an XMPP server, but I think the only important thing is to have the accounts backed up in order to avoid users to have to register themselves again.
For the moment I will configure the backups myself with Restic for /etc/prosody and entire /snikket folder.
I installed server using docker and when I try to create admin account I get message about invitation expired.
docker exec snikket create-invite --admin --group default
Server is running behind haproxy reverse proxy.
Hi,
I installed snikket server on Debian 10 following instructions provided in the Quick Guide.
Server is working fine, I can chat with friends correctly but each time I try to send a picture it fails.
Is there any way to look at a log file to see what is happening ?
Thanks!
How can I configure that my id is [email protected], but the server runs on chat.domain.at?
There seem to be options (--reset?), but maybe there are none. It does not fail if I pass --fnord, and it doesn’t print a useful --help either.
A popular request from admins is the ability to set the welcome message that is sent to users after account creation.
Known issues with the current welcome message flow:
The current goals of the welcome message are:
People have requested:
Why not just make the welcome message fully editable by the admin:
Next steps
We need to identify the kinds of information that Snikket itself needs to convey to people when they register a new account, and what kinds information an admin may want to additionally convey to the users. For each type of information, we need to figure out the best place for it. We then need to put effort into improving or removing the current welcome message.
In snikket-im/snikket-web-portal#42, support for changing roles of users was implemented in the web portal. Now we "just" need to make that do anything beyond admin vs. normal.
What restrictions should prosody:restricted users have? Where and how should they be enforced?
Restricted users cannot communicate out of the local server. However, inbound messages are not filtered. That should be changed to avoid weird one-way situations and also to fulfill one of the use cases (accounts for children) properly.
Some thought should go into how to respond to messages from remotes: it should not be possible to discern a non-existent account, an account which is restricted and an account which exists, but to which no presence subscription exists.
That basically only leaves "blackhole", which is not a good UX if the role is changed later, or if initial communication is attempted to be established.
I suggest however:
When I change the role of a user in the current dev build, remote entities with a presence subscription see "Role changed" as reason for going offline.
I'm not sure if this is a problem, but I wanted to note it anyway.
Dear all,
first of all thank you for your work and this new project :)
I am having some trouble with the set up in my docker environment. I guess it could be a combination with the "nginx-proxy-letsencrypt" container for providing SSL certificates.
For the basic set up I followed the quick-start instructions over here https://snikket.org/service/quickstart/. I extended its environment variables with the parameters VIRTUAL_HOST=tld, LETSENCRYPT_HOST=tld and VIRUTAL_PORT=8083. In the set up I cannot just use the ports 80 and 443 because they are used by the nginx-proxy-letsencrypt container for providing SSL certificates to other containers as well.
After deploying the container and generating an invite link with "sudo docker exec snikket create-invite --admin" I am able to open the link in a browser with a valid SSL certificate. Opening the invitation with the Snikket Android app I cannot create the account and/or log in. The message is "TLS-handling error".
The logs from the container are not helping me that much:
2020-06-05T08:33:05.938526444Z c2s563a12a8a4b0 info Client connected
2020-06-05T08:33:05.960633897Z c2s563a12a8a4b0 info Client disconnected: no shared cipher,
In my firewall I have opened the ports as mentioned here: https://github.com/snikket-im/snikket-server/blob/master/docs/advanced/firewall.md
docker-compose:
version: "3.3"
services:
  snikket:
    container_name: snikket
    image: snikket/snikket:alpha
    ports:
      - 5222:5222
      - 5269:5269
      - 5000:5000
      - 3478:3478
      - 3479:3479
      - 5349:5349
      - 5350:5350
      - 49152:49152
      - 8083:80
      - 5080:80
      - 5443:443
    env_file: snikket.conf
    restart: unless-stopped
    network_mode: host
    volumes:
      - snikket_data:/snikket
    network_mode: hostingnetwork
    hostname: snikketcontainer
volumes:
  snikket_data:
snikket.conf
# The primary domain of your Snikket instance
SNIKKET_DOMAIN=tld
# An email address where the admin can be contacted
# (also used to register your Let's Encrypt account to obtain certificates)
SNIKKET_ADMIN_EMAIL=user@tld
VIRTUAL_HOST=tld
LETSENCRYPT_HOST=tld
VIRUTAL_PORT=8083
SNIKKET_TWEAK_HTTP_PORT=5080
SNIKKET_TWEAK_HTTPS_PORT=5443
Could you please help me with my setup?
Best regards
Most XMPP software usually put an easily discoverable section titled Implemented XEPs (or similar) listing what they have implemented. This would be nice for Snikket too.
What motivates me to open this issue is wondering if Snikket supports XEP 0054, specifically its Description marker which, as I understand, can be used to set a status message/about text similar to WhatsApp/Signal.
As an addition to #58 with focus on circle admins: it came up in the general chat that it would be nice to be able to customise the avatar of the main circle. There is currently a work-around documented in https://gist.github.com/horazont/1e80c64315dc67dc091ad037914cafd1. Maybe there is other stuff to request on this ticket idk.
In the beginning, there was a server, and everyone within the server saw each other.
Then, we implemented Circles, to allow multiple such groups of people within the same domain (separate your friends and family, etc.). To avoid major disruption, the transition to Circles was designed to keep the server operating exactly as before, for people who did not make any changes (such as creating new circles or modifying circle membership).
One thing we strongly want to avoid is a user being invited and having an empty contact list. As well as being a bad experience, such a scenario makes no sense for a Snikket server - which is designed with social relationships as a guiding principle.
For this reason we do not currently allow circle-less invitations.
That's the then and now. It was intended from the start that this circle-only design was just a first step, so now let's move on to the future.
New admin settings in web portal
allow_user_invites and allow_contact_invites settings. Need a way to control and persist this setting (#57).
Required plumbing
Future
We want to be able to allow people to invite new users to circles as well. Within the app this can be an option in the menu of the circle's MUC.
The notification body upon receipt of a new message has the standard OMEMO error message about client not supporting OMEMO rather than being empty when the iOS app is backgrounded.
I just experienced this today with a test user on my server.
User is removed from users and circle, and circle count decreases by one
User is removed from users and circle, but the user count of the circle remains the same
Currently we need to create invitations through the command line.
As there is already a web page online, it could be more practical to allow admin users to log in into the Web interface and to manage users through it.
It could allow admin users to create accounts while being away from their computers, just with a simple smartphone for example, and share links with people while being talking about Snikket instead of having to come home and SSH to the server.
Or maybe is it already possible on the Snikket mobile app?
The nginx reverse proxy guide proxies to the HTTP port only. This may cause a redirect loop because the built-in snikket proxy will try to redirect to HTTPS.
To make this work easily, we should update the guide to use:
location / {
    proxy_pass https://localhost:5443/;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # REMOVE THIS IF YOU CHANGE `localhost` TO ANYTHING ELSE ABOVE
    proxy_ssl_verify off;
    proxy_set_header X_FORWARDED_PROTO https;
    proxy_ssl_server_name on;
}
for the SSL sections.
These new settings appear undocumented. Guessed example values.
SNIKKET_TWEAK_TURNSERVER=0|1
SNIKKET_TWEAK_TURNSERVER_DOMAIN=stun-turn.example.com
SNIKKET_TWEAK_TURNSERVER_SECRET=secret-token:c2VjcmV0LXRva2Vu
Hi all,
I just installed snikket and after containers upgrade the problem I had in #61 has been solved. Snikket works and looks fine.
The only questions I have now:
Or the basic installation is quite safe and I have nothing to worry about?
Thanks
When one deletes a circle from the admin dashboard the associated group chat still persists in client applications. While this may be desired, there is no indication that the group chat is no longer functional. Additionally, users may still send messages in the group chat.
Steps to reproduce:
I created a self hosted server, everything worked fine.
When it started it creates a group named chat.myserver.com
But I added a user, mainly i have generated a link (using command line) [email protected], but the user has never joined the application.
I have deleted that user (using web interface).
Now it is impossible for users to send messages to the group chat.myserver.com. When I try it shows a screen asking to validate the fingerprints, but the user [email protected] is present in the list and it says "No valid key is available for this user. [....]".
Now nobody can send messages to that group but I can create other groups and add all the users.
Strange thing is that now this users appear twice in the android app, but when I open the web admin interface the user is not present.
Server : Debian 10
There are certain settings that ought to be configurable via the web portal.
We need a simple API for fetching/updating these, a way to store them, and a way to apply them within Prosody.
Currently the welcome message is English-only, we need to come up with a workflow for snikket-server translation.
Some appliances restrict the range of ports in a single port forwarding rule. This makes it difficult/impractical to comply with the required very large udp port range.
It would be nice to reduce that range and/or configure it based on real needs (e.g. max envisioned number of contemporary a/v calls).
People would like to use Snikket with JIDs @example.com while also having an existing website on example.com. This is currently tricky, particularly when Snikket is running on a different machine.
Things that need to happen:
_acme-challenge record
To build a future web portal UI for federation status/diagnostics, we need to expose an API. We don't currently have/store much of this data, so we'll need to do that as a first step.
Rough API/model overview:
For restarting all services on OS reboot I added this file /etc/systemd/system/snikket.service for systemd. Feel free to integrate it somehow.
[Unit]
Description=Snikket service
After=docker.service
Requires=docker.service
[Service]
User=root
Group=root
TimeoutStartSec=0
RestartSec=10
Restart=always
WorkingDirectory=/etc/snikket
ExecStartPre=-/usr/local/bin/docker-compose down
ExecStart=/usr/local/bin/docker-compose up
ExecStop=/usr/local/bin/docker-compose down
[Install]
WantedBy=multi-user.target
Hi guys,
Sorry for that "issue spam", just want to ask where I can read about calls logic that Snikket use. I took a look at the explanation what STUN is and checked connection flow between two nodes. Do I understand it right, that a couple of Snikket applications uses my own server in order to find their public IPs and establish direct connection after that? So, the traffic doesn't flow through my or your server, correct?
What would happen if they couldn't find any option to establish direct connection? Would they use my server as proxy then?
I'd appreciate if you can say a couple of words in regards to the audio/video calls logic. Couldn't find it in docs directory on github.
Thanks.
Currently, we only send invitations. While that is nice and will pull in at least Snikket Android, it’s not perfect because it doesn’t allow clients which missed the invitation to join.
Note for the future:
This way of adding the repo (snikket-server/ansible/tasks/prosody.yml, lines 8 to 13 in d6b2676) could in the future be done by installing extrepo (available in Debian 11/bullseye or buster-backports) and then extrepo enable prosody.
Note: Doesn't work at the time of this writing because the entry for the Prosody repo in extrepo-data doesn't include bullseye. MR'd to update. Edit: Merged.
I'm trying to install my own server and use it with reverse_proxy. When I'm starting all containers the "snikket" got "unhealthy" after about 2 minutes and on my domains (via port 80) I see in browser the info that snikket is starting and obtaining certificates but it never ends. Same as for #40.
What should I check first in order to solve it? DNS are fine and I put configuration from reverse proxy in nginx config.
One more thing, in ss -4 -na output I see only 5080 port, but not 5443, despite I have lines
SNIKKET_TWEAK_HTTP_PORT=5080
SNIKKET_TWEAK_HTTPS_PORT=5443
in snikket.conf
Thanks in advance
When you reset your password (I tried with a generated password reset link from Admin panel), the user will receive the "Welcome to snikket" message again.
It's not a big deal, but maybe this message could rather be some info that the password was changed?
Steps to reproduce:
Expected:
Nothing - or a warning/info that password was changed
Actual:
Same welcome message as before.