ACME

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Aug 11, 2021.

  1. Hello,
    I encountered problems with acme very early in the process of familiarizing myself with ISPconfig, so I switched to Certbot, which I know well. I have now decided to give acme another try, mainly because I want to automate the process of getting certificates for individual websites.
    The shell script acme.sh running in standalone mode works without a problem, meaning we can exclude for example firewall issues. This is the output of me generating a new certificate for my server with --force. I stopped apache2 manually before I entered this command.

    [email protected]:/etc# acme.sh --issue --standalone -d mail2.consulting1x1.info --force
    ------------------------------------------------------------------------------------------------------------------------------
    [Mi 11. Aug 14:19:07 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Mi 11. Aug 14:19:07 CEST 2021] Standalone mode.
    [Mi 11. Aug 14:19:07 CEST 2021] Single domain='mail2.consulting1x1.info'
    [Mi 11. Aug 14:19:07 CEST 2021] Getting domain auth token for each domain
    [Mi 11. Aug 14:19:11 CEST 2021] Getting webroot for domain='mail2.consulting1x1.info'
    [Mi 11. Aug 14:19:11 CEST 2021] mail2.consulting1x1.info is already verified, skip http-01.
    [Mi 11. Aug 14:19:11 CEST 2021] Verify finished, start to sign.
    [Mi 11. Aug 14:19:11 CEST 2021] Lets finalize the order.
    [Mi 11. Aug 14:19:11 CEST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/156104120/16129009871'
    [Mi 11. Aug 14:19:14 CEST 2021] Downloading cert.
    [Mi 11. Aug 14:19:14 CEST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/049f92bb8ba6b38b3d42643eb66bb5c918d0'
    [Mi 11. Aug 14:19:15 CEST 2021] Cert success.
    ------------------------------------------------------------------------------------------------------------------------------
    What now follows is the output of saying yes to the question if I want to renew my certificates at the end of the forced update of ISPConfig. I already searched the forum and Till asked one user with similar problems if he was using Virtualization. The server I am currently configuring is a VM running on Proxmox PVE7. Since there is a shell error in line 3 I think I should point out that I am using bash. How can I fix this?

    Checking / creating certificate for mail2.consulting1x1.info
    Using certificate path /etc/letsencrypt/live/mail2.consulting1x1.info
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using apache for certificate validation
    Job for apache2.service failed.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/mail2.consulting1x1.info
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    PHP Warning: symlink(): No such file or directory in /root/ispconfig3_install/install/lib/installer_base.lib.php on line 3176
    PHP Warning: symlink(): No such file or directory in /root/ispconfig3_install/install/lib/installer_base.lib.php on line 3177
    Reconfigure Crontab? (yes,no) [yes]: no
    Restarting services ...
    Job for dovecot.service failed because the control process exited with error code.
    See "systemctl status dovecot.service" and "journalctl -xe" for details.
    Update finished.

    Yours sincerely
    Stefan
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you use LE client from command line and it creates or renews certificates that breaks the setup ISPConfig makes and ISPConfig can no longer create or renew certificates. Dry run is OK.
    Also changing the LE client, certbot or acme, to the other is non-trivial and usually involves removing all certificates and creating new ones with the now installed client.
     
    ahrasis likes this.
  3. Hi Taleman,
    the server is not yet in productive use and I have generated only one certificate for mail2.consulting1x1.info. Exchanging this will be rather easy. I can purge certbot and remove /etc/letsencrypt in under 30 seconds. acme.sh is already installed in root. This would not be a problem.

    Yours
    Stefan
     
    Last edited: Aug 11, 2021
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Ok, other thing:
    Code:
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    My Linux does not have that file and I suspect Debian 10 never has that file. So some typo in the script perhaps?
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Just to clarify, you had certbot installed, then installed acme.sh afterwards? (That could throw the autoinstaller off if certbot isn't fully removed.)
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If I am are planning a new server, I won't bother much about the error you posted but start a fresh and just follow the tutorial for Debian 10 / Ubuntu 20.04 because I know I will then have a good new server.

    Changing from acme.sh to certbot or vice versa is the cause of many problems if you don't do it right.
     
  7. Would it be enough to do update.php --force or do I have to install the ISPconfig completely new. If yes, is it enough to remove ISPConfig. (Databases and Files, but keep the Software installed) or would I have to start with a new server?
     
  8. Hello
    Well, I just did a full new install - took less than 30 minutes, I am getting the hang of this. This time I stayed conservative and used Debian 10 (to be OldStable in 2-3 days). During the initial configuration run ISPConfig did create only self-signed-certificates. Afterwards I did an update --force and and and was asked if I wanted new certificates. I answered in the yes and was given the following output.
    (Ports 80 and 443 are of course open, Shell was reconfigured to bash.)

    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for mail3.consulting1x1.info
    Using certificate path /etc/letsencrypt/live/mail3.consulting1x1.info
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/mail3.consulting1x1.info
    [Do 12. Aug 14:06:14 CEST 2021] mail3.consulting1x1.info:Verify error:Fetching http://mail3.consulting1x1.info/.we...e/YhN13Xcaa9cyptJul_IWmKWleaQ4ybKMCKNwB_fB4Po: Connection refused
    [Do 12. Aug 14:06:14 CEST 2021] Please add '--debug' or '--log' to check more details.
    [Do 12. Aug 14:06:14 CEST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.

    If you compare the error messages to the ones on debian 11 you will see that they are different - no "sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file" and no "
    Job for apache2.service failed".
    But I still dont have a certificate and will most likely not be able to add certificates to websites or email domains with just the click of a button which is after all the point of using an integrated solution like ISPConfig.
    This is an How-can-I-help-you-to-help-me-Situation: I have tried --debug and --log
    with update.sh but unfortunately this did not produce the desired results.
    How can I get you the information you need to fix this problem?

    Yours
    Stefan
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    And the question is why this happened, it means that your hostname was unreachable or unresolvable at that timepoint, or maybe you pointed it to localhost IP or something similar in /etc/hosts file. To find a solution for your issue, please post the exact details you received on the shell during the initial install (not from a forced update) and what's in the acme.sh log file after initial install. The problem with the forced update ios a different issue, independent from the first one, and probably just caused by this: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6121
     
  10. Hi,
    well I did a complete new install and made a lot of snapshots so the point of installation of acme can be recreated as well as the first run of ispconfig.

    The new server is called mail1.consulting1x1.info. This is the result of an nmap scan from my Kali installation on an external network before installing acme or ispconfig:

    Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-17 13:16 CEST
    Nmap scan report for mail1.consulting1x1.info (195.34.186.13)
    Host is up (0.00036s latency).
    Not shown: 990 filtered ports
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    443/tcp open https
    465/tcp open smtps
    587/tcp open submission
    993/tcp open imaps
    995/tcp open pop3s
    Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds

    This is the result of running the acme script on mail1
    [email protected]:~# curl https://get.acme.sh | sh -s
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 937 0 937 0 0 9968 0 --:--:-- --:--:-- --:--:-- 9968
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 203k 100 203k 0 0 856k 0 --:--:-- --:--:-- --:--:-- 856k
    [Di 17. Aug 13:18:17 CEST 2021] Installing from online archive.
    [Di 17. Aug 13:18:17 CEST 2021] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
    [Di 17. Aug 13:18:17 CEST 2021] Extracting master.tar.gz
    [Di 17. Aug 13:18:17 CEST 2021] Installing to /root/.acme.sh
    [Di 17. Aug 13:18:17 CEST 2021] Installed to /root/.acme.sh/acme.sh
    [Di 17. Aug 13:18:17 CEST 2021] Installing alias to '/root/.bashrc'
    [Di 17. Aug 13:18:17 CEST 2021] OK, Close and reopen your terminal to start using acme.sh
    [Di 17. Aug 13:18:17 CEST 2021] Installing cron job
    no crontab for root
    no crontab for root
    [Di 17. Aug 13:18:17 CEST 2021] Good, bash is found, so change the shebang to use bash as preferred.
    [Di 17. Aug 13:18:18 CEST 2021] OK
    [Di 17. Aug 13:18:18 CEST 2021] Install success!

    and finally the the error during ssl creation:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y
    Checking / creating certificate for mail1.consulting1x1.info
    Using certificate path /etc/letsencrypt/live/mail1.consulting1x1.info
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/mail1.consulting1x1.info
    [Di 17. Aug 13:33:24 CEST 2021] Please add '--debug' or '--log' to check more details.
    [Di 17. Aug 13:33:24 CEST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    ------------------------------------------------------------

    Some more experiments with acme.sh post-install. The Web Server Apache is up and running.
    [email protected]:/var/www/ispconfig# acme.sh --issue --domain mail1.consulting1x1.info --apache
    [Di 17. Aug 13:48:27 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Di 17. Aug 13:48:27 CEST 2021] Checking if there is an error in the apache config file before starting.
    [Di 17. Aug 13:48:27 CEST 2021] OK
    [Di 17. Aug 13:48:27 CEST 2021] JFYI, Config file /etc/apache2/apache2.conf is backuped to /root/.acme.sh/apache2.conf
    [Di 17. Aug 13:48:27 CEST 2021] In case there is an error that can not be restored automatically, you may try restore it yourself.
    [Di 17. Aug 13:48:27 CEST 2021] The backup file will be deleted on success, just forget it.
    [Di 17. Aug 13:48:27 CEST 2021] Create account key ok.
    [Di 17. Aug 13:48:28 CEST 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
    [Di 17. Aug 13:48:29 CEST 2021] Registered
    [Di 17. Aug 13:48:29 CEST 2021] ACCOUNT_THUMBPRINT='w2PtUFchrWtHLdrjm-dY78rmb5yEoPM-Qe76KinJd4c'
    [Di 17. Aug 13:48:29 CEST 2021] Creating domain key
    [Di 17. Aug 13:48:29 CEST 2021] The domain key is here: /root/.acme.sh/mail1.consulting1x1.info/mail1.consulting1x1.info.key
    [Di 17. Aug 13:48:29 CEST 2021] Single domain='mail1.consulting1x1.info'
    [Di 17. Aug 13:48:29 CEST 2021] Getting domain auth token for each domain
    [Di 17. Aug 13:48:31 CEST 2021] Getting webroot for domain='mail1.consulting1x1.info'
    [Di 17. Aug 13:48:31 CEST 2021] Verifying: mail1.consulting1x1.info
    [Di 17. Aug 13:48:31 CEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
    [Di 17. Aug 13:48:34 CEST 2021] mail1.consulting1x1.info:Verify error:Invalid response from http://mail1.consulting1x1.info/.we...e/RiMk0m_YHRpD-k_b56G6aWu32Sm6n4PkqoFDBLKwkBs [195.34.186.13]:
    [Di 17. Aug 13:48:34 CEST 2021] Please add '--debug' or '--log' to check more details.

    What follows is the debug output, reduced to the single important line:
    mail1.consulting1x1.info:Verify error:Invalid response from http://mail1.consulting1x1.info/.we...e/sj2nWS2ThrQE58f5s4p49VRrMgwlKMiCtfWOkA1ldXQ [195.34.186.13]:
    This is correct, opening this line gives the output: "Not Found. The requested URL was not found on this server."
    The IP is correct, opening http://mail1.consulting1x1.info/ opens the default debian apache page. As before, stopping apache and using acme standalone produces a valid certificate, which I am now going to use for the moment because a) I have no idea how to get a valid certificate with apache and b) I need to get the email server running and in productive use. I have attached the entire output of --apache --debug to this post, it is several pages long. Maybe someone more knowledgeable in apache can find a solution in there.

    Yours sincerely
    Stefan
     

    Attached Files:

  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  12. These are the ones I created standalone and inserted manually into the vhost config.
    What I want is auto-generated certs and as we have seen this part fails already during the installation process. I can go back to snapshot and repeat the procedure as often as I want, I wont get a valid certificate during the installation process.
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    ISPConfig will try to use standalone if your server is not a web server but will use webroot if it is a web server, so creating that on your own is not advisable as there are related hooks that will be added in LE renew conf.

    I read of the fix already added in nightly build but mainly for update and not install, so I think you can try updating using it and see if it can create LE certs for your server that way. If I am not mistaken, that should be included in the next stable release soon.
     
  14. Could you point me to the specific bug which was fixed in the nightly?
     
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was referring to these posts but not really sure which one in the git. I also am not sure whether this new fix will help you but surely you can try.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Creating a LE cert at install time works fine, as long as your hostname and DNS setup is correct. There was just a bug that you can't recreate a LE cert at update using the forced update option which has been fixed in nightly builds.
     
  17. Believe me, hostname and DNS are set up correctly. Otherwise, shouldnt it also fail in standalone mode?
    nslookup mail1.consulting1x1.info
    Server: 192.168.99.1
    Address: 192.168.99.1#53

    Non-authoritative answer:
    Name: mail1.consulting1x1.info
    Address: 195.34.186.13
    (mail1.consulting1x1.info is A record by the way)

    /etc/hosts/
    195.34.186.13 mail1.consulting1x1.info mail1
    I can rollback to the snapshot of the initial install every time and despite these settings I wont get an LE certificate. This is not only an issue after a forced update! But let me ask differently: Which additional files should I check and possible correct in order to get an LE certificate at install?

    Yours
    Stefan
     
  18. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My guess is you included the www. -subdomain to your certificate request.
    Code:
    $ host www.consulting1x1.info
    www.consulting1x1.info has address 217.160.17.169
    [email protected] ~
    $ host mail1.consulting1x1.info
    mail1.consulting1x1.info has address 195.34.186.13
    [email protected] ~
    
    If that is not it, what show commands
    Code:
    hostname
    hostname -f
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be that LE blocks your hostname now if you attempted that's several times.

    Then your issue is not related to the bug we closed plus it's an issue that is not reproducible here plus others don't seem to have it as well as we have about a thousand ISPConfig installs daily. But we will add some further debug flags to acme.sh in future versions which will make debugging of such issues easier.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    And one more hint, you mentioned SSL certs for individual websites, these are also not related to the update issue, it#s a completely separate process.
     

Share This Page