Facing Errors when running ansible-playbook certbot.yml

Hey @irlawrence, I am facing the following error when running “ansible-playbook certbot.yml”. I am aware that there is a similar topic that already exists on this particular issue. I had left a comment there reaching out for help but got no response. Therefore I am creating this new topic.

We are using the primeroIMS/primero repository on GitHub (Primero, an application designed to help child protection workers and social workers in humanitarian and development contexts manage data on vulnerable children and survivors of violence), developementV2 branch.

DNS records are pointing to our Ubuntu public IP and I am getting the same error as you did when I am running the last command from the self-hosting V2 Primero documentation: ansible-playbook certbot.yml.

Please help me out. Thanks in advance :slight_smile:

Error:

fatal: [think201.xyz]: FAILED! => changed=true
  cmd:
  - /srv/primero/bin/run-certbot.sh
  delta: '0:00:06.659176'
  end: '2023-06-20 12:26:55.147845'
  msg: non-zero return code
  rc: 1
  start: '2023-06-20 12:26:48.488669'
  stderr: |-
    + exec /srv/primero/bin/certbot -d think201.xyz --cert-name primero -m puneeth@think201.xyz -p primero
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Performing the following challenges:
    http-01 challenge for think201.xyz
    Using the webroot path /usr/share/nginx/html for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain think201.xyz
    http-01 challenge for think201.xyz
    Cleaning up challenges
    Some challenges have failed.
    Traceback (most recent call last):
      File "/srv/primero/bin/certbot", line 141, in <module>
        code = _main(sys.argv)
      File "/srv/primero/bin/certbot", line 128, in _main
        _check_call(command)
      File "/srv/primero/bin/certbot", line 26, in _check_call
        subprocess.check_call(args, *popenargs, **kwargs)
      File "/usr/lib/python3.10/subprocess.py", line 369, in check_call
        raise CalledProcessError(retcode, cmd)
    subprocess.CalledProcessError: Command '['docker', 'run', '--rm', '--interactive', '--volume', 'primero_certbot_certificates:/etc/letsencrypt', '--volume', 'primero_certbot_challenges:/usr/share/nginx/html/.well-known/acme-challenge', '--volume', '/tmp/tmp_py31420:/tmp/deploy-hook-dir', 'certbot/certbot:v1.11.0', 'certonly', '--non-interactive', '--domain', 'think201.xyz', '--cert-name', 'primero', '--email', 'puneeth@think201.xyz', '--agree-tos', '--rsa-key-size', '2048', '--deploy-hook', 'touch /tmp/deploy-hook-dir/renewed && chmod a+r -R /etc/letsencrypt/live && chmod a+r -R /etc/letsencrypt/archive', '--webroot', '--webroot-path', '/usr/share/nginx/html']' returned non-zero exit status 1.
  stderr_lines: <omitted>
  stdout: |-
    Requesting a certificate for think201.xyz
    IMPORTANT NOTES:
    - The following errors were reported by the server:

      Domain: think201.xyz
      Type: connection
      Detail: 65.0.49.192: Fetching
      http://think201.xyz/.well-known/acme-challenge/3d9IyOTAhfry6hZhGcyBPwbSlkg0VPv2EMbjVYgbf28:
      Error getting validation data

      To fix these errors, please make sure that your domain name was
      entered correctly and the DNS A/AAAA record(s) for that domain
      contain(s) the right IP address. Additionally, please check that
      your computer has a publicly routable IP address and that no
      firewalls are preventing the server from communicating with the
      client. If you're using the webroot plugin, you should also verify
      that you are serving files from the webroot path you provided.

    + docker run --rm --interactive --volume primero_certbot_certificates:/etc/letsencrypt --volume primero_certbot_challenges:/usr/share/nginx/html/.well-known/acme-challenge --volume /tmp/tmp_py31420:/tmp/deploy-hook-dir certbot/certbot:v1.11.0 certonly --non-interactive --domain think201.xyz --cert-name primero --email puneeth@think201.xyz --agree-tos --rsa-key-size 2048 --deploy-hook 'touch /tmp/deploy-hook-dir/renewed && chmod a+r -R /etc/letsencrypt/live && chmod a+r -R /etc/letsencrypt/archive' --webroot --webroot-path /usr/share/nginx/html
  stdout_lines: <omitted>

Certbot is failing, likely due to a firewall or some such.
Check that your inventory looks something like this (this is cherry-picked; some parts are missing):

hosts:
    think201.xyz:
      primero_postgres_version: 14
      primero_host: 'think201.xyz'
      primero_tag: 'v2.6.0.2'
      locale_all: 'en'
      # These 3 variables are used to drive the build task.
      # Can be omitted if pulling images from Dockerhub
      primero_repo_branch: 'v2.6.0.2'
      # If you want to seed from a private configuration repo
      use_lets_encrypt: 'true'
      # The other certbot/lets_encrypt variables are optional. Include only if using Let's Encrypt
      certbot_domain:
      - '{{ primero_host }}'
      certbot_email: 'puneeth@think201.xyz'
      lets_encrypt_domain: '{{ primero_host }}'
      lets_encrypt_email: '{{ certbot_email }}'
      # Different for self-signed certs
      nginx_ssl_cert_path: '/etc/letsencrypt/live/primero/fullchain.pem'
      nginx_ssl_key_path: '/etc/letsencrypt/live/primero/privkey.pem'
      use_external_certs: 'false'

If it fails on your infrastructure, try on a small Linode to make sure the inventory works. Then work out what is blocking on your own systems.
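A preflight check to run on the server before re-running certbot.yml, written here as an added example (it is not part of Primero, its Ansible playbooks, or certbot). It tests the conditions certbot's own error text asks you to verify: that the public DNS A record for the domain is the host's public IP, that port 80 answers at all, and that the directory nginx serves at /.well-known/acme-challenge/ is the one you think it is. It does the last part the way the ACME server does: it writes a random token file into the challenge directory, fetches it by name over plain HTTP, and compares the body. The challenge directory is passed as an argument; in this deployment the traceback shows it is the primero_certbot_challenges Docker volume, whose host path `docker volume inspect primero_certbot_challenges` reports as Mountpoint. The domain, IP and directory on the usage line are placeholders, and the resolver and fetcher are injectable so the logic can be exercised without network access.

```python
#!/usr/bin/env python3
"""Preflight check for a certbot http-01 (webroot) challenge.

Added example; not part of Primero or certbot. Usage on the host:
  ./acme_preflight.py example.test 192.0.2.10 /path/to/challenge/dir
(domain, IP and directory are placeholders to replace with your own).
"""
import secrets
import socket
import sys
import urllib.error
import urllib.request
from pathlib import Path

CHALLENGE_PATH = ".well-known/acme-challenge"


def resolve_a(domain):
    """IPv4 addresses public DNS returns for domain ([] if it does not resolve)."""
    try:
        return sorted(set(socket.gethostbyname_ex(domain)[2]))
    except socket.gaierror:
        return []


def fetch_http(url, timeout=10):
    """GET url over plain HTTP. Returns (status, body); status is None when nothing answered."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:   # server answered, but with 4xx/5xx
        return err.code, ""
    except OSError as err:                   # refused, unroutable, timed out (URLError is an OSError)
        return None, str(err)


def check_challenge(domain, expected_ip, challenge_dir, resolve=resolve_a, fetch=fetch_http):
    """Run the checks and return {check_name: (passed, detail)}."""
    results = {}

    ips = resolve(domain)
    results["dns_a_record"] = (expected_ip in ips, f"A record(s) for {domain}: {ips or 'none'}")

    # Mimic the ACME server: drop a one-off token under the challenge directory and fetch it by name.
    token = secrets.token_urlsafe(32)
    token_file = Path(challenge_dir) / token
    token_file.parent.mkdir(parents=True, exist_ok=True)
    token_file.write_text(token)
    url = f"http://{domain}/{CHALLENGE_PATH}/{token}"
    try:
        status, body = fetch(url)
    finally:
        token_file.unlink(missing_ok=True)   # never leave stray files in a web-served directory

    if status is None:
        passed, detail = False, f"no HTTP answer on port 80: {body} (firewall, security group, nginx not listening?)"
    elif status != 200:
        passed, detail = False, f"HTTP {status} for {url}: nginx is up but does not serve {challenge_dir} at /{CHALLENGE_PATH}/"
    elif body.strip() != token:
        passed, detail = False, "HTTP 200 but wrong body: a different server or vhost answered for this name"
    else:
        passed, detail = True, f"token served correctly from {url}"
    results["webroot_served"] = (passed, detail)
    return results


def all_passed(results):
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit(f"usage: {sys.argv[0]} DOMAIN EXPECTED_PUBLIC_IP CHALLENGE_DIR")
    outcome = check_challenge(sys.argv[1], sys.argv[2], sys.argv[3])
    for name, (ok, detail) in outcome.items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}: {detail}")
    sys.exit(0 if all_passed(outcome) else 1)
```

Run it from the server itself so the fetch leaves via the same public address the ACME validators will use; a "no HTTP answer" result points at the cloud security group or host firewall, an HTTP 404 points at the volume not being mounted into the nginx container at the path certbot expects, and a 200 with the wrong body means some other host or vhost answers for the name.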

Hey @irlawrence, thanks for the response.

The firewall is disabled on the remote machine. I have also updated the inventory file as you have mentioned above. The primero_tag and primero_repo_branch were something that needed to be updated.
I still get the same error from the “ansible-playbook certbot.yml” command. Do you think there is something wrong with the Nginx container?

Here is my inventory.yml after the updates:

---
all:
  hosts:
    think201.xyz:
      primero_postgres_version: 14
      ansible_user: 'ubuntu'
      primero_host: 'think201.xyz'
      primero_tag: 'v2.6.0.2'
      locale_all: 'en'
      always_pull: true   # no trailing comma: in YAML "true," would be read as the string "true,"
      # These 3 variables are used to drive the build task.
      # Can be omitted if pulling images from Dockerhub
      primero_repo_branch: 'v2.6.0.2'
      build_docker_tag: 'latest'
      build_docker_container_registry: ''
      # If you want to seed from a private configuration repo
      #primero_configuration_repo: 'git@bitbucket.org:quoin/primero-x-configuration.git'
      #primero_configuration_repo_branch: 'master'
      #primero_configuration_path: 'directory/of/config/loader/script'
      use_lets_encrypt: 'true'
      # The other certbot/lets_encrypt variables are optional. Include only if using Let's Encrypt
      certbot_domain:
      - '{{ primero_host }}'
      certbot_email: 'puneeth@think201.xyz'
      lets_encrypt_domain: '{{ primero_host }}'
      lets_encrypt_email: '{{ certbot_email }}'
      # Different for self-signed certs
      nginx_ssl_cert_path: '/etc/letsencrypt/live/primero/fullchain.pem'
      nginx_ssl_key_path: '/etc/letsencrypt/live/primero/privkey.pem'
      # use_external_certs: 'false'
      # Optionally parametrize Primero containers with other environment attributes.
      # Do not use this dictionary for secrets!!!
      environment_variables:
        PRIMERO_DEFAULT_USERS: 'true' # Seed default users when using the managed Primero SaaS configs
        # LOCALE_DEFAULT: 'ar' # Optionally override English as the default locale.

These are the containers running on the remote machine.
Also, without the SSL cert shouldn’t I be able to see the application running in HTTP instead of HTTPS?
Right now I am seeing the 400 BAD REQUEST message from Nginx.

I started the setup on a fresh remote server with the updated inventory.yml file, the certbot command worked fine, and Primero is up and running on my domain. Thank you so much @irlawrence for the changes in the inventory.yml file.
But I know I am unable to log in with the default credentials: primero/primer0! Can you please help me here @irlawrence?

Hi Srinivasa,
You will have to reset the password from the backend. Before that, please check if the users are present.

First log in to the remote server and open the rails console.
Check in the console if users are present and, if present, select the primero user and reset the password from the console.

Regards,
Ajit Shetty

Instructions to do that are here: Errors when running ansible-playbook certbot.yml - #9 by operations