Cannot get Let's Encrypt certificate for website

Discussion in 'General' started by SilkBC, May 8, 2018.

  1. SilkBC

    SilkBC New Member

    Hello,

    I am on ISPConfig 3.1.11 and I am trying to get a Let's Encrypt SSL certificate for one of my hosted sites, but it keeps failing (on the properties of the website I am just ticking the "SSL" and "Let's Encrypt SSL" boxes, then clicking "Save". I am not doing anything on the "SSL" tab)

    I have posted the output of the DEBUG info from running 'server.sh' below (I changed the domains for privacy purposes, but yes, the domains in question *so* point to my sever and come up when I go to them). I have gone through the "Let's Encrypt FAQ" and performed the steps in there. It looks like some sort of permissions or authentication issue, but I don't know the cause or how to fix.

    Thoughts and ideas greatly appreciated.

    Code:
    [email protected]:/opt/letsencrypt# /usr/local/ispconfig/server/server.sh
    			
    
    07.05.2018-16:37 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    07.05.2018-16:37 - DEBUG - Found 1 changes, starting update process.
    07.05.2018-16:37 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.05.2018-16:37 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.05.2018-16:37 - DEBUG - Create Let's Encrypt SSL Cert for: mydomain.com
    07.05.2018-16:37 - DEBUG - Let's Encrypt SSL Cert domains:  --domains mydomain.com --domains www.mydomain.com --domains mydomain2.com --domains www.mydomain2.com
    07.05.2018-16:37 - DEBUG - exec: /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains mydomain.com --domains www.mydomain.com --domains mydomain2.com --domains www.mydomain2.com --webroot-path /usr/local/ispconfig/interface/acme
    You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mydomain.com
    http-01 challenge for www.mydomain.com
    http-01 challenge for mydomain2.com
    http-01 challenge for www.mydomain2.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. www.mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.com/.well-known/acme-challenge/TaaTOLxcctdWHuJ-4Cq05kfOO6lZyIkL7BG8AHQXcHY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter", www.mydomain2.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain2.com/.well-known/acme-challenge/EK4brv6bx9PB8oSCLCV2SR4TLPJ8_h39vtwkOz5R23I: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter", mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/LjZElmi4wiQ7FdMLSNT6fsCcXUNXwjbUlRH0DCnDkQo: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter", mydomain2.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain2.com/.well-known/acme-challenge/1CmNKLLQ93tJzTAm_74Uc-9vyomh05y0BWOoLa2KMEg: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter"
    07.05.2018-16:37 - WARNING - Let's Encrypt SSL Cert for: mydomain.com could not be issued.
    07.05.2018-16:37 - WARNING - /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains mydomain.com --domains www.mydomain.com --domains mydomain2.com --domains www.mydomain2.com --webroot-path /usr/local/ispconfig/interface/acme
    07.05.2018-16:37 - DEBUG - Add server alias: mydomain2.com
    07.05.2018-16:37 - DEBUG - Creating fastcgi starter script: /srv/websites/php-fcgi-scripts/web19/.php-fcgi-starter
    07.05.2018-16:37 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/mydomain.com.vhost
    07.05.2018-16:37 - DEBUG - Apache status is: running
    07.05.2018-16:37 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    07.05.2018-16:37 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
    07.05.2018-16:37 - DEBUG - Apache restart return value is: 0
    07.05.2018-16:37 - DEBUG - Apache online status after restart is: running
    07.05.2018-16:37 - DEBUG - Processed datalog_id 1147
    07.05.2018-16:37 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    Thanks! :)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can test manually what LEteies to verify your domain.

    1) Create a test token file:

    touch /usr/local/ispconfig/interface/acme/hello.txt

    2) Now you must be able to fetcht this hello.txt file on all domains that shall be authorized:

    http://mydomain.com/.well-known/acme-challenge/hello.txt
    If thsi does not work, then LE will not issue the cert.

    The path .well-known/acme-challenge/ of each website is an alias that points to directory /usr/local/ispconfig/interface/acme/

    One reason that this fails can be that you have some custom rewrite rules in the apache directives field of the site or in a .htaccess file which prevents access to the path .well-known/acme-challenge/ in that site.
     

Share This Page