Can't issue LE certificate "Solved"

Discussion in 'ISPConfig 3 Priority Support' started by ganewbie, Oct 29, 2019.

  1. ganewbie

    ganewbie Member HowtoForge Supporter

    Server: Debian 10 Apache

    It's been built according to: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
    We're trying to issue a certificate for subdomain.mydomain.com, so we checked SSL and Let's Encrypt and saved, but it doesn't create anything and we still see both are unchecked.

    we can open the site subdomain.mydomain.com normally though.
    we cannot find the subdomain in /etc/letsencrypt/renewal

    we ran the below cmd to check certbot installation and we got (Installed "non")
    apt-cache policy certbot | grep -i Installed

    Please advise.
    Thanks!

    Here is the log
    less /var/log/ispconfig/ispconfig.log

    Code:
    28.10.2019-20:39 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    28.10.2019-20:39 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client7/web18' - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client7/web18'|awk 'END{print $2,$NF}' - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -u 'web18' '0' '0' 0 0 -a &> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -T -u 'web18' 604800 604800 -a &> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0
    28.10.2019-20:39 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: subdomain.mydomain.com
    28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - Let's Encrypt Cert file:  does not exist.
    28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.mydomain.com.vhost
    28.10.2019-20:39 - DEBUG - Processed datalog_id 1519
    28.10.2019-20:39 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    28.10.2019-20:39 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web19' - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web19' - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web19'|awk 'END{print $2,$NF}' - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -u 'web19' '0' '0' 0 0 -a &> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -T -u 'web19' 604800 604800 -a &> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web19' - return code: 0
    28.10.2019-20:39 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: subdomain.mydomain.com
    28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - Let's Encrypt Cert file:  does not exist.
    28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    28.10.2019-20:39 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.mydomain.com.vhost
    28.10.2019-20:39 - DEBUG - Processed datalog_id 1520
    28.10.2019-20:39 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    28.10.2019-20:39 - DEBUG - Restarting httpd: systemctl reload apache2.service
    28.10.2019-20:39 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    28.10.2019-20:40 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    28.10.2019-20:40 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    28.10.2019-20:41 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    28.10.2019-20:41 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You have the migration mode enabled which disables the creation of LE certs. Disable migration mode under System > server config.
     
  3. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks Till, it seems we are progressing but still cannot get LE to work. here is the debug after disabling the migration mode.
    Code:
    29.10.2019-06:44 - DEBUG - Found 1 changes, starting update process.
    29.10.2019-06:44 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.10.2019-06:44 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.10.2019-06:44 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client7/web18' - return code: 0
    29.10.2019-06:44 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0
    29.10.2019-06:44 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client7/web18'|awk 'END{print $2,$NF}' - return code: 0
    29.10.2019-06:44 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.10.2019-06:44 - DEBUG - safe_exec cmd: setquota -u 'web18' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.10.2019-06:44 - DEBUG - safe_exec cmd: setquota -T -u 'web18' 604800 604800 -a &> /dev/null - return code: 0
    29.10.2019-06:44 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0
    29.10.2019-06:44 - DEBUG - Create Let's Encrypt SSL Cert for: subdomain.domain.com
    29.10.2019-06:44 - DEBUG - Let's Encrypt SSL Cert domains:  --domains subdomain.domain.com --domains www.subdomain.domain.com
    29.10.2019-06:44 - DEBUG - LE version is 0.39.0, so using certificates command
    29.10.2019-06:44 - DEBUG - exec: /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"subdomain.domain.com":"\/usr\/local\/ispconfig\/interface\/acme","www.subdomain.domain.com":"\/usr\/local\/ispconfig\/interface\/acme"}'
    29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
    29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    29.10.2019-06:44 - DEBUG - LE CERT OUTPUT:
    29.10.2019-06:44 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.10.2019-06:44 - WARNING - Let's Encrypt SSL Cert for: subdomain.domain.com could not be issued.
    29.10.2019-06:44 - WARNING - /opt/eff.org/certbot/venv/bin/certbot certificates  --domains subdomain.domain.com --domains www.subdomain.domain.com
    29.10.2019-06:44 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.10.2019-06:44 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.domain.com.vhost
    29.10.2019-06:44 - DEBUG - Processed datalog_id 1674
    29.10.2019-06:44 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    29.10.2019-06:44 - DEBUG - Restarting httpd: systemctl reload apache2.service
    29.10.2019-06:44 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
    Code:
    less /etc/letsencrypt/renewal/subdomain.domain.com.conf 
    ...
    [[webroot_map]]
    subdomain.domain.com = /usr/local/ispconfig/interface/acme
    
    Thanks in advance
     
    Last edited: Oct 29, 2019
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Do you really want to use a domain www.subdomain.domain.com? I guess you want to use subdomain.domain.com? If yes, then disable auto subdomain www in the website settings.
     
  5. ganewbie

    ganewbie Member HowtoForge Supporter

    Agreed, we do not need the www.
    After disabling it still cannot generate the certificate.
    Code:
    29.10.2019-09:53 - WARNING - Let's Encrypt SSL Cert for: subdomain.domain.com could not be issued.
    29.10.2019-09:53 - WARNING - /opt/eff.org/certbot/venv/bin/certbot certificates  --domains subdomain.domain.com
    29.10.2019-09:53 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look into the letsencrypt.log file to find out why.
     
  7. ganewbie

    ganewbie Member HowtoForge Supporter

    Code:
    2019-10-29 10:04:05,827:DEBUG:certbot.main:certbot version: 0.39.0
    2019-10-29 10:04:05,828:DEBUG:certbot.main:Arguments: ['--domains', 'subdomain.domain.com']
    2019-10-29 10:04:05,828:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-29 10:04:05,852:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2019-10-29 10:04:05,852:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '1', 'OLDPWD': '/root', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'HOME': '/root', '_': '/opt/eff.org/certbot/venv/bin/certbot'}
    2019-10-29 10:04:05,888:DEBUG:certbot.log:Root logging level set at 20
    2019-10-29 10:04:05,889:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No other errors in that log?
     
  9. ganewbie

    ganewbie Member HowtoForge Supporter

    Is there a way to run the update for ISPCONFIG3 although it is up to date?
    I am thinking maybe the migration tool broke something.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    You can do that, select git-stable as update source. But I don't think that this will change anything as the Migration tool does not alter the setup, so there is nothing broken by the tool. Check the letsencrypt.log again, there should be more inside than what you posted.

    What you might check though is if letsencrypt has more than one account now in /etc/letsencrypt/accounts. If that's the case then it would get mentioned in the log; that's why I asked you to search for errors in the log, but you can also check it manually. There should be just one account.
     
  11. ganewbie

    ganewbie Member HowtoForge Supporter

    Thank you,
    I did git-stable update but nothing changed.
    I checked again but letsencrypt.log has only the below.
    Code:
    [email protected]:/var/log/letsencrypt# less letsencrypt.log
    
    2019-10-29 14:24:04,880:DEBUG:certbot.main:certbot version: 0.39.0
    2019-10-29 14:24:04,881:DEBUG:certbot.main:Arguments: ['--domains', 'subdomain.mydomain.com']
    2019-10-29 14:24:04,881:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-10-29 14:24:04,901:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2019-10-29 14:24:04,902:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '1', 'OLDPWD': '/root', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'HOME': '/root', '_': '/opt/eff.org/certbot/venv/bin/certbot'}
    2019-10-29 14:24:04,927:DEBUG:certbot.log:Root logging level set at 20
    2019-10-29 14:24:04,928:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    (END)
    
    Also, I found two accounts inside /etc/letsencrypt/accounts like below. However, the second folder "acme-v02" has only a link to the first one. I tried to keep the first account only by moving the second to /tmp but it didn't help.
    Code:
    [email protected]:/etc/letsencrypt/accounts# ls -l
    total 8
    drwx------ 3 root root 4096 Oct 29 14:11 acme-v01.api.letsencrypt.org
    drwx------ 2 root root 4096 Oct 29 14:07 acme-v02.api.letsencrypt.org
    [email protected]:/etc/letsencrypt/accounts#
    
    Also, I have to confess :) that before we disabled the migration mode, I tried to reinstall certbot again and I don't know if that caused any issues!
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    The account should be ok, it's just one. Please check in /etc/letsencrypt folders if there is a certificate already for this subdomain.
     
  13. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks for the quick reply. No, I could not find anything for this subdomain in live, renew or archive.
    Running the below while in /etc/letsencrypt
    Code:
    grep -R subdomain.domain.com
    got nothing
     
    Last edited: Oct 30, 2019
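    As an added example (not code from this thread, and not ISPConfig's or certbot's own tooling), the two things Till asked to check in posts 10 and 12, plus a scan of ispconfig.log for the two failure markers quoted above, as a small POSIX sh script. It assumes certbot's on-disk layout of one account per accounts/<server>/directory/<id>/regr.json and the renewal/, live/ and archive/ directories under /etc/letsencrypt; the sample tree and the log lines it builds are constructed for the demo, and all paths are parameters so it can be run against that tree without touching a real server.

```shell
#!/bin/sh
# Added example, not code from this thread or from ISPConfig/certbot.
# Read-only checks: exactly one ACME account under accounts/, whether certbot
# already holds anything for the domain, and which ispconfig.log lines explain
# a missing certificate. On the real server, as root:
#   le_diagnose /etc/letsencrypt /var/log/ispconfig/ispconfig.log subdomain.domain.com

# Print "<acme-server> <account-count>" for every server dir under accounts/.
# certbot stores one account as accounts/<server>/directory/<id>/regr.json.
# find -L follows a symlinked "directory", so an account shared through a link
# (as in the listing above) is counted once under each server name.
le_account_counts() {
    le_dir=$1
    for srv in "$le_dir"/accounts/*/; do
        [ -d "$srv" ] || continue
        n=$(find -L "$srv" -mindepth 3 -maxdepth 3 -name regr.json | wc -l | tr -d ' ')
        printf '%s %s\n' "$(basename "$srv")" "$n"
    done
}

# Return 0 if a renewal conf, live dir or archive dir exists for the domain,
# 1 if none does (then certbot will do a fresh issue, not a renewal).
le_cert_present() {
    le_dir=$1; domain=$2
    [ -f "$le_dir/renewal/$domain.conf" ] && return 0
    [ -d "$le_dir/live/$domain" ] && return 0
    [ -d "$le_dir/archive/$domain" ] && return 0
    return 1
}

# Print the ispconfig.log lines that explain a missing certificate for the
# domain; exit status is 0 when at least one line matched. The two patterns
# are the ones seen in this thread: migration mode skipping the issue, and
# certbot reporting failure.
le_log_markers() {
    log=$1; domain=$2
    grep -F "$domain" "$log" | grep -E 'Migration mode active|could not be issued'
}

# Combined report: prints findings, returns 1 if anything needs attention.
le_diagnose() {
    le_dir=$1; log=$2; domain=$3; rc=0
    le_account_counts "$le_dir"
    bad=$(le_account_counts "$le_dir" | awk '$2 != 1' | wc -l | tr -d ' ')
    [ "$bad" -eq 0 ] || { echo "WARN: a server dir has != 1 account"; rc=1; }
    if le_cert_present "$le_dir" "$domain"; then
        echo "INFO: certbot already has material for $domain"
    else
        echo "INFO: no certbot material for $domain; expect a fresh issue"
    fi
    if le_log_markers "$log" "$domain"; then rc=1; fi
    return $rc
}

# Constructed sample tree mirroring the listing above: one real account under
# acme-v01, acme-v02 only a symlink to it, no certificate for the domain, and
# an ispconfig.log made of lines copied from this thread (sample data only).
make_sample_tree() {
    root=$1
    mkdir -p "$root/accounts/acme-v01.api.letsencrypt.org/directory/0123abcd" \
             "$root/accounts/acme-v02.api.letsencrypt.org" \
             "$root/renewal" "$root/live" "$root/archive"
    echo '{"uri": "https://acme-v01.api.letsencrypt.org/acme/reg/0"}' \
        > "$root/accounts/acme-v01.api.letsencrypt.org/directory/0123abcd/regr.json"
    ln -s ../acme-v01.api.letsencrypt.org/directory \
        "$root/accounts/acme-v02.api.letsencrypt.org/directory"
    cat > "$root/ispconfig.log" <<'EOF'
28.10.2019-20:39 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: subdomain.domain.com
29.10.2019-06:44 - DEBUG - Create Let's Encrypt SSL Cert for: subdomain.domain.com
29.10.2019-06:44 - DEBUG - Let's Encrypt Cert file:  does not exist.
29.10.2019-09:53 - WARNING - Let's Encrypt SSL Cert for: subdomain.domain.com could not be issued.
29.10.2019-09:53 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.domain.com.vhost
EOF
}

# Stand-alone run against the constructed tree.
demo=$(mktemp -d)
make_sample_tree "$demo"
le_diagnose "$demo" "$demo/ispconfig.log" subdomain.domain.com || echo "needs attention"
rm -rf "$demo"
```

    On the constructed tree the report lists one account under each server name, no material for the domain, and the two log lines, so the function returns 1. On a live box the interesting cases are a count other than 1 for a server dir (Till's multiple-accounts case) and a "could not be issued" line with nothing in letsencrypt.log after the startup lines, which is the state this thread ended in.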
  14. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Have you tried disabling the "LE check" in the server settings?
    The LE check tries to access the domain, but if local access is handled differently from the remote access done by LE, it might be that a domain is excluded although it could be verified.
     
  15. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I just see that LE is called so this is not the cause.

    Have you updated certbot to the latest version already? I had difficulties with an earlier version although it was only a few weeks old.
     
  16. elmacus

    elmacus Member HowtoForge Supporter

  17. ganewbie

    ganewbie Member HowtoForge Supporter

    I have tried to test the site at
    https://letsdebug.net/
    The results came green and say OK.
    It looks like we are coming to the conclusion that we may need to uninstall certbot and install it again.
    I do not want to mess up this setup more than what we have, so I need help on
    1- What is the proper way to remove certbot and install the latest?
    2- Any thoughts on python-certbot-apache? Do we need to install it? On the certbot website, they said it is highly recommended, which means you may run without it. So I am not sure if we have it or not?
     
    Last edited: Oct 30, 2019
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    I have not uninstalled it yet on a system, so not 100% sure. Did you install it as a package from the Linux distribution or did you download it from the certbot website and install it by using certbot-auto?

    That's not needed. It's the part which automatically modifies apache config files, and that's exactly what should not happen, as certbot duplicates existing config which then causes issues, so you don't need that package. It does not hurt when you installed it though, unless you would actually use it.
     
  19. elmacus

    elmacus Member HowtoForge Supporter

    So, read the link I sent, worked for me:
    >First, I’d try running sudo rm -rf /opt/eff.org and running letsencrypt-auto again.
    After that, follow howto guide for install again:
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/

    11 Install Let's Encrypt
    ISPConfig 3.1 has support for the free SSL Certificate authority Let's encrypt. The Let's Encrypt function allows you to create free SSL certificates for your website from within ISPConfig.

    Now we will add support for Let's encrypt.

    cd /usr/local/bin
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --install-only
    There are no further steps required than installing LE. The website SSL certificates are created by ISPConfig when you add the web sites.

    After that, try as root: certbot-auto renew
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, in that case I would try this:

    1) Rename or remove and backup /etc/letsencrypt folder
    2) Rename or remove /usr/local/bin/certbot-auto
    3) Remove and backup or rename /opt/eff.org folder.
    4) Reinstall by using the procedure from the tutorial.
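    As an added example (not from the thread, not ISPConfig's or certbot's own tooling), Till's steps 1 to 3 as one POSIX sh function that moves the three locations into a single root-only backup directory instead of deleting them, and a second function that prints the tutorial's step 4 commands for the operator to run. The root prefix and backup path are parameters so the function can be exercised on a constructed tree; the live invocation at the top of the script is what you would run on the real server.

```shell
#!/bin/sh
# Added example, not code from this thread. Backs up, rather than deletes,
# the state Till lists in steps 1-3, then prints the tutorial's step 4.
# On the real server, as root:
#   le_reset_backup / "/root/le-backup-$(date +%F)" && le_reinstall_commands

# Move each of the three paths, if present, under $backup, keeping the
# backup 0700: /etc/letsencrypt holds the ACME account key and every site's
# private key, so it must stay readable by root only.
# Prints "moved <path>" or "absent <path>" per location; returns 0.
le_reset_backup() {
    root=${1%/}; backup=$2
    mkdir -p -m 0700 "$backup" || return 1
    for rel in etc/letsencrypt usr/local/bin/certbot-auto opt/eff.org; do
        src="$root/$rel"
        if [ -e "$src" ]; then
            mkdir -p "$backup/$(dirname "$rel")"
            mv "$src" "$backup/$rel" && printf 'moved %s\n' "$src"
        else
            printf 'absent %s\n' "$src"
        fi
    done
}

# Step 4, copied from the howtoforge tutorial quoted above. Printed rather
# than executed because it needs network access and root, and should be run
# deliberately after the backup has been checked.
le_reinstall_commands() {
    cat <<'EOF'
cd /usr/local/bin
wget https://dl.eff.org/certbot-auto
chmod a+x certbot-auto
./certbot-auto --install-only
EOF
}

# Stand-alone run on a constructed tree (sample layout, not a real server).
demo=$(mktemp -d)
mkdir -p "$demo/etc/letsencrypt/accounts" "$demo/usr/local/bin" "$demo/opt/eff.org/certbot"
: > "$demo/etc/letsencrypt/accounts/private_key.json"
: > "$demo/usr/local/bin/certbot-auto"
le_reset_backup "$demo" "$demo/backup"
echo "then run:"; le_reinstall_commands
rm -rf "$demo"
```

    Keeping the old /etc/letsencrypt around matters beyond rollback: the ACME account key in accounts/ is what ties you to the registration with Let's Encrypt, so once the fresh install works and ISPConfig has issued the certificate, the backup should be deleted rather than left lying around world-unreadable-but-forgotten.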
     
