Beta 2 Server Letsencrypt issue.

Discussion in 'Developers' Forum' started by brainsys, Sep 25, 2020.

  1. brainsys

    brainsys Member

    The good news is I installed Beta 2 on a fresh Debian 10 setup. I followed the Perfect Server tutorial and it all went spiffingly well apart from when it failied to get a Letsencrypt certificate for the server/control panel. It defaulted to a self-signed.

    The Letsencrypt log pointed to the failure to set up an account due to an invalid email address [[email protected]$hostname]. I'm pretty sure I inputted a valid address& FQDN whenever prompted elsewhere but can't exclude finger trouble.

    I then did the usual 3.1 trick of setting up a site and sharing its certificate. That worked so certbot appears to be working OK. Any ideas on where the missing address/hostname is?

    NB hostname -f displays expected FQDN.
    PS I discovered you have moved the favicon into the theme. Fixed that but its worth a note on the changelog unless I missed it.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Thank you for reporting this. the issue has been fixed already a few days ago in git-develop branch. We will make a new beta 3, probably today which contains various other fixes as well.
     
    ahrasis likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw. the issue that you had is simply a quoting issue, the code uses single quotes but should have used double-quotes as PHP does not replace variables in strings that are quoted by single quotes.
     
  4. brainsys

    brainsys Member

    Thank you. When I update will it automatically fix the issue or do I need to clear out the existing symbolic links to the shared certificate?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The updater should be able to handle this, when he finds your manually created symlinks.
     
  6. TonyG

    TonyG Member

    I'm not sure if this is the same issue - I just got the message and am just wrapping up for the day, so haven't looked more closely. I think I'm using the latest nightly. I'll try to reproduce the issue on Saturday if required. Thanks!


    Checking / creating certificate for foo.domain.tld
    Using certificate path /etc/letsencrypt/live/foo.domain.tld
    Server's public ip(s) (1.2.3.4) not found in A/AAAA records for foo.domain.tld: 127.0.0.1
    PHP Fatal error: Uncaught Error: Call to a member function simple_query() on null in /var/local/allinstall/ispconfig3-nightly/install/lib/installer_base.lib.php:2841
    Stack trace:
    #0 /var/local/allinstall/ispconfig3-nightly/install/install.php(574): installer_base->make_ispconfig_ssl_cert()
    #1 {main}
    thrown in /var/local/allinstall/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2841
    [email protected]:/var/local/allinstall/ispconfig3-nightly/install#
     
  7. TonyG

    TonyG Member

    I know this is just a result of a failed installation. I tried to continue the installation by simply re-running install.php. That told me to run update.php. OK. The update.php script failed with the following:

    PHP Warning: include_once(/usr/local/ispconfig/server/lib/config.inc.php): failed to open stream: No such file or directory in /var/local/ispconfig/install/update.php on line 108
    PHP Warning: include_once(): Failed opening '/usr/local/ispconfig/server/lib/config.inc.php' for inclusion (include_path='.:/usr/share/php') in /var/local/ispconfig/install/update.php on line 108
    PHP Notice: Undefined variable: conf in /var/local/ispconfig/install/update.php on line 109

    As seen in my last post, I was installing from a different folder. I just moved all files under /var/local/ispconfig, hoping the hardcoded lookup for the config file would find or create it. But it did not.

    My request here is not for a "fix" - again, I see what's happened. I'd like to know what should be done when an installation fails like this. Thanks!
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Instead of running update.php after a failed install, run uninstall.php to clean up your system and then run install.php again. Uninstall may throw some errors depending on at which stage the first installation failed, but it will clean up things as good as possible in that case.
     
  9. TonyG

    TonyG Member

    Thanks for the tips. This process is working, even if the installation isn't. :)

    php -q uninstall.php
    rm -rf /usr/local/ispconfig
    mysql -u root -p
    DROP DATABASE dbispconfig;​

    From there a new installation can be started. But then we get to the same error. This is progress... I'll start looking into the error now until we see something else in this thread. Thanks!!
     
  10. TonyG

    TonyG Member

    /var/local/allinstall/ispconfig3-nightly/install/lib/installer_base.lib.php:2841
    Change $inst to $this.
    Then it continues without fail.
    This might be obvious to others, but the server also needs to be available to the public during the install process, otherwise the cert fails to verify. I usually install with firewall blocking public access and then open it up as required after configuration.

    To rerun the cert process I ran update.php. This does a symlink for the other apps. The result (after opening ports) is a different cert, but then it's broken. This is from the browser page after refresh:

    Secure Connection Failed
    An error occurred during a connection to ns1.freakin.rocks:8080. SSL received a record that exceeded the maximum permissible length.
    Error code: SSL_ERROR_RX_RECORD_TOO_LONG

    It seems the update adds to the existing cert chain (text block) rather than regenerating it. I'll continue to look at this.
     
    Last edited: Sep 26, 2020
  11. TonyG

    TonyG Member

    I'm not understanding what the first highlighted line is telling us. This FQDN is in both /etc/hosts and defined in DNS. I can access the server using ns1.foo.bar. And I don't know if the ispserver.x files should be there or not.
    The current configuration results in the browser error SSL_ERROR_RX_RECORD_TOO_LONG, which Googling reveals is related to TLS 1.3? I've looked at the Apache configs but this is all new to me and now out of my scope of experience.

    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for ns1.foo.bar
    Using certificate path /etc/letsencrypt/live/ns1.ns1.foo.bar
    Server's public ip(s) (1.2.3.4) not found in A/AAAA records for ns1.foo.bar: 127.0.0.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for ns1.foo.bar
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory

    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:​
     
  12. TonyG

    TonyG Member

    About the missing files, the problem seems to be that the links are self-referencing:

    Restarting services ...
    Update finished.
    [email protected]:/var/local/ispconfig/install# ll /usr/local/ispconfig/interface/ssl
    total 4
    -rwxr-x--- 1 root root 45 Sep 26 08:50 empty.dir*
    lrwxrwxrwx 1 root root 48 Sep 26 08:50 ispserver.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 48 Sep 26 08:50 ispserver.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    -rwxr-x--- 1 root root 0 Sep 26 08:50 ispserver.pem*
    [email protected]:/var/local/ispconfig/install#​

    Apache should also be configured for TLS v1.3. The ISPConfig install makes a number of changes to default settings related to SSL. I don't yet know if we should modify ispconfig.vhost to enable SSLProtocol -TLSv1.3.

    I'll stop here and wait for other eyes on this. Thanks again. (I'm having fun with this.)
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Use the current nightly build instead as it contains many bugfixes since beta2 incl.

    https://www.ispconfig.org/downloads/ISPConfig-3-nightly.tar.gz

    Besides that, if your system is not reachable from the internet, the installer falls back to a self-signed SSL cert automatically instead of using let's encrypt.

    Do not manually edit any files, there are no changes in any vhost files needed. The error is not only TLS 1.3 related, it is a general SSL failure message and just pops up due to the failed SSL creation on your system.
     
    ahrasis likes this.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Regarding issue in line 2841, I'll commit a fix in a few minutes, so this will be part of the next nightly build.
     
    ahrasis likes this.
  15. TonyG

    TonyG Member

    To re-run the install, I delete the database, delete 'live' certs, delete /usr/local/ispconfig, and delete related apache files. Then I download from nightly into /tmp, tar, install.php. Am I missing something?
    Despite these errors, the site is live, just with a self-signed cert. Progress! Thanks.

    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:

    Checking / creating certificate for ns1.foo.bar
    Using certificate path /etc/letsencrypt/live/ns1.foo.bar
    Server's public ip(s) (1.2.3.4) not found in A/AAAA records for ns1.foo.bar: 127.0.0.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y

    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2857
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2860
    PHP Warning: symlink(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2863
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2865
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2866
    PHP Warning: chown(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2867
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2868
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2869
    PHP Warning: chmod(): No such file or directory in /tmp/ispconfig3-nightly/install/lib/installer_base.lib.php on line 2870
    Using apache for certificate validation
    Unable to find renew-hook command letsencrypt_renew_hook.sh in the PATH.
    (PATH is /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin)
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ..............++++
    ........................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.​
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    It's to be expected that you get errors when you choose to ignore that no LE cert can be issued according to the automatic test. The symlink warnings should not be shown of course, we'll fix that until final release.

    Your /etc/hosts file is wrong, the server hostname must not point to the localhost IP address, it must point to the 'external' IP address of your system.
     
  17. TonyG

    TonyG Member

    With head hung low in embarrassment ... how could I have missed something so obvious. Sorry about that.
    Current /etc/hosts for my DNS1:
    127.0.0.1 ns1.foo.bar ns1 localhost.localdomain localhost
    1.2.3.5 ns2.foo.bar ns2​
    Will change to:
    127.0.0.1 localhost
    1.2.3.4 ns1.foo.bar # This is me=DNS1
    1.2.3.5 ns2.foo.bar # FQDN gets external address
    10.0.0.1 ns1 # hostnames get internal address
    10.0.0.2 ns2 # private addresses used for inbound MySQL​
    With that pattern it seems the same /etc/hosts can be copied around the network.

    I spent most of today dealing with MySQL issues when setting up DNS2. But that's not a part of this Beta2 exercise. On Sunday I will blow away the servers again and start over. Thanks as always.
     
  18. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    It seems you did not stick to the installation instructions. I guess you executes
    Code:
    php -q install/update.php
    instead of changing to the correct directory by
    Code:
    cd install ; php -q update.php
    That leads to incorrect working directory inside the installer.
     
  19. brainsys

    brainsys Member

    Hi, me again. I did the Nightly update (0928). When it asked for if I wanted a new certificate I answered 'yes'. I expected this to overwrite the 'old trick' of symlinking to a shared site SSL. It did - but it created a symlink to itself and hence no certificate could be found for the control panel and connection was refused. The Control Panel was inaccessible. Couldn't use http as that is disabled.

    I mention this because if it is repeatable it could cause an upgrade error for 3.1 users who, like me, used that trick. I'm guessing that may be quite a lot.

    I had to truncate and restore the original database and symlinks to fix the issue
     
  20. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    That does not make any sense. Why restore the database? The issue with the symlink is a problem as this should already be fixed I thought.
    Are you using certbot or acme.sh?

    Edit: and did the installer create a *.bak file for the existing symlinks?
     

Share This Page