Debian 10 Multiserver setup

Discussion in 'Installation/Configuration' started by chief, Mar 22, 2021.

  1. chief

    chief Member HowtoForge Supporter

    I have now re-installed and run the script on each server.
    It does indeed fail when trying to run the 'LETS ENCRYPT' portion of the setup on each server.
    I have set an A record for all the name servers at the hosting company, pointing to each IP / hostname. It's correct; I checked using "https://dnschecker.org/#A/panel.tlwebservices.co.uk" and for each hostname it's all green. So I have, as your tutorial shows: panel, web01, mx1, mx2, ns1, ns2, webmail.
    When the portal installed, it's using a self-signed cert and not a Let's Encrypt one.
    Other things to note: it states I should have a /var/log/letsencrypt log. I don't. I will follow 'Debugging ISPConfig 3' now.

    Other issue:
    As you mentioned a BUG, I'm adding the domain normally and not just the name of the name server?
    And step 2, adding the secondary DNS: the 2nd box asks for the NS (IP address) of the secondary name server, and it also states to separate multiple IPs, and then the last box is "allow zone transfer to these IPs"? Seems like you're asking for the IPs of both name servers in 2 boxes.
     
  2. chief

    chief Member HowtoForge Supporter

    I checked the logs and letsencrypt wasn't installed.
    Now it's installed on web01, mx1, mx2, webmail.
    But I cannot install it on panel; I cannot ping google.com, so something is blocking access.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Have you checked the ISPConfig installer log?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    That's perfectly fine as current ISPConfig versions do not use certbot (which creates that log) anymore, current versions use acme.sh and the FAQ mentions the acme.sh log as well.
     
  5. chief

    chief Member HowtoForge Supporter

    OK, I ran
    Code:
    ispconfig_update.sh --force
    for panel.tlwebservices.co.uk: yes to backup, yes to reconfigure permissions in master database, no to mail server, no to DNS, yes to reconfigure services.
    Then it tries to run acme.sh and errors with this:
    Code:
    [Mon  9 Aug 12:05:27 BST 2021] panel.tlwebservices.co.uk:Verify error:Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/STUFF----------: Connection refused
    Then it tries to fall back to a self-signed cert.

    =========EDIT
    Do I need an API key?
     
    Last edited: Aug 9, 2021
  6. chief

    chief Member HowtoForge Supporter

    No, there aren't any log files in either location.
     
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Do you have subdomains activated for panel.tlwebservices.co.uk? Auto subdomain www. for example?
     
  8. chief

    chief Member HowtoForge Supporter

    Hi Taleman,
    thanks for answering.
    No, I'm still setting them up; I have not got to moving any sites over yet.
    It seems the script fails during installation when acme.sh starts; when I run ispconfig_update.sh --force it still errors:
    Code:
    Updating ISPConfig
    ISPConfig Port [8080]:
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for panel.tlwebservices.co.uk
    Using certificate path /root/.acme.sh/panel.tlwebservices.co.uk
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/panel.tlwebservices.co.uk
    [Mon  9 Aug 12:52:28 BST 2021] panel.tlwebservices.co.uk:Verify error:Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/IKFGEHGvNObrUpIU0tf3U0_EdWCx0UgQ2fFAcitwbwo: Connection refused
    [Mon  9 Aug 12:52:28 BST 2021] Please add '--debug' or '--log' to check more details.
    [Mon  9 Aug 12:52:28 BST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    Firewall??
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Sure could be, or a port forwarding issue if you use nat. The other possibility is the web server isn't running at the time the verification request is made.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't think it is a firewall issue, because the code does check and open that if it is closed.

    Web server failure to start has had reported cases, last time I checked.

    Being behind NAT could be the issue too, but this one can be resolved as per the instructions in the LE FAQ, unless multiple servers are behind it; then using a proxy is better than using port forwarding.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It can also be an external firewall in the hosting/network.
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes. That is possible for servers under multi-level firewall system.
     
  13. chief

    chief Member HowtoForge Supporter

    OK, I'm not sure it is.
    I can access port 80 and 8080 on the web server; I can edit /var/www/html/index.php, adding hello world to the top of the index.html file.
    I have verified with Draytek and had them dial in to check settings; there was an issue with the netmask, and we changed it to IP Routed Subnet, which my other setup uses. This is now identical.
    Am I chasing ghosts here? When installing ISPConfig multi server, when the script has run, should I end up with a Let's Encrypt certificate or a self-signed one?
    I enabled the log, all 600 lines; it fails, here's where it fails...
    Code:
    [Mon  9 Aug 16:52:23 BST 2021] code='200'
    [Mon  9 Aug 16:52:23 BST 2021] original='{
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA",
      "token": "crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8",
      "validationRecord": [
        {
          "url": "http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8",
          "hostname": "panel.tlwebservices.co.uk",
          "port": "80",
          "addressesResolved": [
            "212.159.153.2"
          ],
          "addressUsed": "212.159.153.2"
        }
      ],
      "validated": "2021-08-09T15:52:21Z"
    }'
    [Mon  9 Aug 16:52:24 BST 2021] _json_decode
    [Mon  9 Aug 16:52:24 BST 2021] _j_str='{
      "type": "http-01",
      "status": "invalid",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused",
        "status": 400
      },
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA",
      "token": "crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8",
      "validationRecord": [
        {
          "url": "http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8",
          "hostname": "panel.tlwebservices.co.uk",
          "port": "80",
          "addressesResolved": [
            "212.159.153.2"
          ],
          "addressUsed": "212.159.153.2"
        }
      ],
      "validated": "2021-08-09T15:52:21Z"
    }'
    [Mon  9 Aug 16:52:24 BST 2021] response='{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA","token":"crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8","validationRecord":[{"url":"http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8","hostname":"panel.tlwebservices.co.uk","port":"80","addressesResolved":["212.159.153.2"],"addressUsed":"212.159.153.2"}],"validated":"2021-08-09T15:52:21Z"}'
    [Mon  9 Aug 16:52:24 BST 2021] original='{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA","token":"[email protected]@@
    
    Why does it fail, and where is this location on the server so I can check it exists?
    http://panel.tlwebservices.co.uk/.well-known/acme-challenge - .well-known/acme-challenge
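The challenge object in the acme.sh debug log above already tells you most of what you need: which error class the CA reported, which address and port it connected to, and what it got back. The following is an added example (not part of the thread and not acme.sh or ISPConfig code) that parses such an object and turns it into the checks a practitioner would make next. The sample challenge is constructed; the hostname, token and addresses are placeholders rather than the real values from the post.

```python
import json

# Constructed sample, modelled on the challenge object printed in the acme.sh
# debug log above. Hostname, token and addresses are placeholders, not the
# real values from the thread.
SAMPLE_CHALLENGE = json.dumps({
    "type": "http-01",
    "status": "invalid",
    "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "Fetching http://panel.example.test/.well-known/acme-challenge/TOKEN: Connection refused",
        "status": 400,
    },
    "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/0/x",
    "token": "TOKEN",
    "validationRecord": [{
        "url": "http://panel.example.test/.well-known/acme-challenge/TOKEN",
        "hostname": "panel.example.test",
        "port": "80",
        "addressesResolved": ["198.51.100.2"],
        "addressUsed": "198.51.100.2",
    }],
    "validated": "2021-08-09T15:52:21Z",
})

# What each ACME error type (RFC 8555 section 6.7) usually means for HTTP-01.
HINTS = {
    "urn:ietf:params:acme:error:connection":
        "the CA's TCP connection to that address/port was refused or failed: "
        "nothing is listening there, or a host/NAT/upstream firewall rejects it",
    "urn:ietf:params:acme:error:unauthorized":
        "something answered but not with the right token: check the challenge "
        "directory and which web server (apache vs nginx) is bound to port 80",
    "urn:ietf:params:acme:error:dns":
        "the CA could not resolve the name: check the A/AAAA records",
}

def triage(challenge_json, expected_ips=()):
    """Summarise a failed ACME challenge object from the acme.sh log.
    expected_ips: public addresses the host should be validated on; if the
    CA used another one, DNS (or NAT/proxy) is pointing somewhere else."""
    ch = json.loads(challenge_json)
    out = {"type": ch.get("type"), "status": ch.get("status"), "findings": []}
    if ch.get("status") != "invalid":
        out["findings"].append("challenge is not in 'invalid' state, nothing to triage")
        return out
    err = ch.get("error", {})
    out["error_type"] = err.get("type")
    out["detail"] = err.get("detail")
    out["findings"].append(HINTS.get(err.get("type"), "unrecognised error type, read 'detail'"))
    for rec in ch.get("validationRecord", []):
        used = rec.get("addressUsed", "")
        out["address_used"] = used
        out["port"] = rec.get("port")
        if ":" in used:
            out["findings"].append(
                "the CA chose the AAAA address; if only IPv4 is open in the firewall "
                "(or the web server only listens on v4) that alone explains the failure")
        if expected_ips and used not in expected_ips:
            out["findings"].append(
                f"CA validated against {used}, not one of {sorted(expected_ips)}: "
                "the name resolves to another host, or NAT/proxy sits in front")
    return out

if __name__ == "__main__":
    for key, value in triage(SAMPLE_CHALLENGE, expected_ips={"198.51.100.2"}).items():
        print(f"{key}: {value}")
```

To use it on a real log, copy the `original='{...}'` JSON out of /root/.acme.sh/acme.sh.log (or wherever the `--log` option wrote it) and pass it to `triage()` together with the public IP(s) the panel is supposed to be reachable on; the `addressUsed` check is what distinguishes "wrong DNS / NAT in front" from "right host, nothing answering".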
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/

    You can test it like this:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    you should then be able to reach it (from an external system) with the URL:

    http://panel.tlwebservices.co.uk/.well-known/acme-challenge/test.txt
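The test above is the right one, but "it doesn't work" from a browser hides the difference between a refused connection (nothing listening, as the CA reported), a timeout (silently dropped packets), a 404 from the wrong vhost or daemon, and a file served with the wrong body. This added example, not part of the thread and not ISPConfig's own tooling, fetches the challenge URL the way the CA does over plain HTTP and classifies the outcome, reporting the Server header so you can see whether apache or something else answered. For a stand-alone run it serves a constructed webroot on 127.0.0.1 and then closes the port to reproduce "Connection refused"; the path layout and the `acme-probe/0` User-Agent are assumptions of the example.

```python
import functools
import http.server
import os
import socket
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def probe(base_url, name="test.txt", expected=None, timeout=5):
    """Fetch <base_url>/.well-known/acme-challenge/<name> over plain HTTP,
    as the CA does, and classify the result. Returns (verdict, detail); the
    detail includes the Server header so you can see which daemon answered."""
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    req = urllib.request.Request(url, headers={"User-Agent": "acme-probe/0"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace").strip()
            server = resp.headers.get("Server", "?")
            if expected is not None and body != expected:
                return ("wrong_content", f"HTTP {resp.status} from {server}, body={body!r}")
            return ("ok", f"HTTP {resp.status} from {server}, body={body!r}")
    except urllib.error.HTTPError as e:
        # Something is listening and speaking HTTP, but it did not serve our file
        # (wrong vhost, wrong daemon, wrong docroot).
        return ("http_error", f"HTTP {e.code} from {e.headers.get('Server', '?')}")
    except urllib.error.URLError as e:
        reason = e.reason
        if isinstance(reason, ConnectionRefusedError):
            return ("refused", f"{url}: connection refused (nothing listening on that port)")
        if isinstance(reason, (socket.timeout, TimeoutError)):
            return ("timeout", f"{url}: timed out (packets silently dropped?)")
        return ("unreachable", f"{url}: {reason}")
    except (socket.timeout, TimeoutError):
        return ("timeout", f"{url}: timed out during read")

class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # silence per-request log lines
        pass

def serve_webroot(webroot):
    """Serve `webroot` on 127.0.0.1 on an ephemeral port in a daemon thread.
    Stands in for apache/nginx answering port 80. Returns (base_url, server)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}", srv

def demo():
    """Three probes against a constructed local webroot: the file is served,
    the file is missing, and finally the port is closed, which is the
    'Connection refused' the CA reported in the thread."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    os.makedirs(os.path.join(webroot, CHALLENGE_DIR))
    with open(os.path.join(webroot, CHALLENGE_DIR, "test.txt"), "w") as f:
        f.write("ok\n")
    base, srv = serve_webroot(webroot)
    results = {
        "served": probe(base, expected="ok"),
        "missing": probe(base, name="missing.txt"),
    }
    srv.shutdown()
    srv.server_close()
    results["closed"] = probe(base)
    return results

if __name__ == "__main__":
    for case, (verdict, detail) in demo().items():
        print(f"{case:8s} {verdict:13s} {detail}")
```

Against the real panel, run `probe("http://panel.tlwebservices.co.uk")` from a host outside your network after creating the test file as described above; a `refused` verdict means the problem is in front of the web server (nothing bound to port 80 on that address, or a firewall/NAT rejecting it), while an `http_error` with an unexpected Server header means a different daemon or vhost owns port 80.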
     
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Try to modify firewall rules and allow incoming IPv6 connections or temporarily disable IPv6 on that server. The former is recommended.
     
  16. chief

    chief Member HowtoForge Supporter

    I did as you suggested; I have also disabled the firewall as well and then run
    Code:
    ispconfig_update.sh
    and again it fails Let's Encrypt and defaults to self-signed.

    Code:
    /etc/default/ufw
    IPV6=yes
    [email protected]:/etc/default# ufw status numbered
    Status: active
    
         To                         Action      From
         --                         ------      ----
    [ 1] 22/tcp                     ALLOW IN    Anywhere               
    [ 2] 80/tcp                     ALLOW IN    Anywhere               
    [ 3] 443/tcp                    ALLOW IN    Anywhere               
    [ 4] 8080/tcp                   ALLOW IN    Anywhere               
    [ 5] 8081/tcp                   ALLOW IN    Anywhere               
    [ 6] 3306/tcp                   ALLOW IN    2.*.*.*/24     
    [ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)           
    [ 8] 80/tcp (v6)                ALLOW IN    Anywhere (v6)           
    [ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)           
    [10] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)           
    [11] 8081/tcp (v6)              ALLOW IN    Anywhere (v6)
     
    Last edited: Aug 10, 2021
  17. chief

    chief Member HowtoForge Supporter

  18. chief

    chief Member HowtoForge Supporter

    I tailed the letsencrypt log and spotted these 2 lines; the script thinks I'm running nginx.
    Code:
    [Tue 10 Aug 07:19:29 BST 2021] '/usr/local/ispconfig/interface/acme' does not contain 'apache'
    ...
    [Tue 10 Aug 07:19:36 BST 2021] responseHeaders='HTTP/1.1 400 Bad Request
    Server: nginx
    Could this be the issue?
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I did not mention anything about disabling the firewall; rather, I recommended that you allow IPv6 connections in the firewall or disable IPv6.

    That could be the issue. Fully remove nginx if your web server is running apache2.
     
  20. chief

    chief Member HowtoForge Supporter

    OK, will remove nginx and report back.
     
