Error using the official Let's Encrypt GIT script

Discussion in 'General' started by MaxT, May 5, 2017.

  1. MaxT

    MaxT Member HowtoForge Supporter

    I cannot install Let's Encrypt on a site using the Git Let's Encrypt script:

    Code:
    # ./letsencrypt-auto certonly -a manual -d onesite.com
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for onesite.com
    
    -------------------------------------------------------------------------------
    NOTE: The IP of this machine will be publicly logged as having requested this
    certificate. If you're running certbot in manual mode on a machine that is not
    your server, please ensure you're okay with that.
    
    Are you OK with your IP being logged?
    -------------------------------------------------------------------------------
    (Y)es/(N)o: y
    
    -------------------------------------------------------------------------------
    Make sure your web server displays the following content at
    http://onesite.com/.well-known/acme-challenge/432dsauh43278dfshjn423980fspqierwqpjdwqpofd90sfjjrwq
    
    
    - The following errors were reported by the server:
    
       Domain: onesite.com
       Type:   unauthorized
       Detail: Invalid response from
       http://onesite.com/.well-known/acme-challenge/432dsauh43278dfshjn423980fspqierwqpjdwqpofd90sfjjrwq
    
    
       
    First I changed the attributes of the directory with chattr -i /var/www/clients/client2/web6 to be able to create the requested directory and files.
    However, it is still impossible to fetch the URL requested by Let's Encrypt, not even with my browser:
    http://onesite.com/.well-known/acme-challenge/432dsauh43278dfshjn423980fspqierwqpjdwqpofd90sfjjrwq

    I believe the problem is the directory /.well-known.
    Is it possible that ISPConfig has some restriction somewhere to avoid folders starting with a dot (.)?
    I didn't have an .htaccess in that site, but no result.

    Thanks for any info.
     
  2. sjau

    sjau Local Meanie Moderator

    ISPConfig 3.1 (and newer) has LE support integrated. Better to use that for getting website certificates.
     
  3. MaxT

    MaxT Member HowtoForge Supporter

    It doesn't work for me. I get the error "Let's Encrypt SSL Cert for: mysite.com could not be issued", and there is no more info in the logs.

    Please, do you know a clear guide to solve this error in the ISPC interface? There are dozens of threads using different scripts, but I cannot find one using the ISPC interface.

    PS: I have now found the error: "Permission denied: access to /.well-known/acme-challenge/.....

    Thanks!
     
    Last edited: May 5, 2017
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Using LE in ISPConfig is quite easy: all you have to do is enable the Let's Encrypt checkbox in the website settings and press save. But this cannot work anymore after you have used letsencrypt-auto for this domain on the shell, as the command tries to configure the cert in a wrong way so that it will fail from within ISPConfig. You have to find all config that letsencrypt created for this domain and remove it completely, and you have to undo all changes to web directory permissions that you made manually. Besides that, ensure that you use a current ISPConfig version and that you do not use any custom vhost templates which have not been adapted for ISPConfig 3.1.2, and you must have used "reconfigure services = yes" during the ISPConfig 3.1.2 update, otherwise your config would be incomplete and LE will fail.
     
  5. MaxT

    MaxT Member HowtoForge Supporter

    OK:
    - I restored the permissions:
    Code:
    chattr +i /var/www/clients/client2/web6
    - I reviewed the files in /etc/apache2 and the site config file /etc/apache2/sites-available/mysite.com.vhost and found no special additions. It is the same as the rest; no different statements.
    I ran # grep -C 1 -ir "encrypt" /etc/apache2 and I cannot see any Let's Encrypt code.

    - Also, there are no Let's Encrypt files inside /var/www/clients/client2/web6. There is no .acme.. folder or anything related. The SSL folder is empty.

    To check the errors of the last attempt I do:

    # less /var/log/letsencrypt/letsencrypt.log
    Code:
    FailedChallenges: Failed authorization procedure. www.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysite.com/.well-known/acme-challenge/A1_vZXdsag6h88X2CszoIzBGH8VkidtNrcwUsss3w2: "<!DOCTYPE HTML>
    <html>
    <head>
    <title>Pagina no encontrada - mysite </title>
    <meta name="robots" content="noindex, follow">
    <m", mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.com/.well-known/acme-challenge/xxxx....: "<!DOCTYPE HTML>
    <html>
    <head>
    <title>Page not Found - mysite </title>
    <meta n
    
    Code:
    # grep "encrypt" /var/log/apache2/*.log
    other_vhosts_access.log:mysite.com:80 64.78.149.164 - - [05/May/2017:21:50:13 +0200] "GET /.well-known/acme-challenge/A1_vZXdsag6h88X2CszoIzBGH8VkidtNrcwUsss3w2 HTTP/1.1" 302 598 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    other_vhosts_access.log:mysite.com:80 64.78.149.164 - - [05/May/2017:21:50:13 +0200] "GET /404.html HTTP/1.1" 404 1961 "http://www.mysite.com/.well-known/acme-challenge/A1_vZXdsag6h88X2CszoIzBGH8VkidtNrcwUsss3w2" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    And then I do:
    Code:
    # grep "encrypt" /var/log/ispconfig/*.log
    cron.log:vie may 5 21:50:05 CEST 2017 You are running with an old copy ofupdate that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    cron.log:vie may 5 21:50:05 CEST 2017 Saving debug log to /var/log/letsencrypt/letsencrypt.log
    There is this old version of Let's Encrypt.

    So I removed all of Let's Encrypt from the server:
    Code:
    # rm -rf /etc/letsencrypt
    # rm -rf  /var/lib/letsencrypt
    # rm -rf /root/.local/share/letsencrypt
    # rm -rf /var/log/letsencrypt*
    
    # updatedb
    # locate letsencrypt
    /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php
    That PHP script is the only related file on the server. Now the system is clean of any old Let's Encrypt code.

    I'm on Debian 7 with ISPC 3.1.2. What are the steps to install it with ISPC?

    Thanks for the clarifications,
     
    Last edited: May 5, 2017
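    As an added example that is not part of the thread, a small shell script that does the check MaxT did by hand in the access log above: it scans Apache's other_vhosts_access.log for the Let's Encrypt validator's challenge requests and flags every fetch that did not return 200, so a 302 on the challenge path (the symptom in the first post and in the log quoted above) is caught before the next certificate attempt. The log lines, hostnames, addresses and tokens in it are constructed.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: scan Apache's other_vhosts_access.log for
    # Let's Encrypt http-01 validation requests and report every challenge fetch
    # that did not return 200. A 302 on /.well-known/acme-challenge/<token>, as in
    # the log quoted above, means a redirect or rewrite rule caught the path before
    # the token file was served, so the CA saw the 404 page instead of the token.

    # Constructed sample in other_vhosts_access.log format (vhost:port first);
    # hostnames, addresses and tokens are made up.
    SAMPLE_LOG=$(cat <<'EOF'
    example.com:80 192.0.2.10 - - [05/May/2017:21:50:13 +0200] "GET /.well-known/acme-challenge/TOKEN_A HTTP/1.1" 302 598 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    example.com:80 192.0.2.10 - - [05/May/2017:21:50:13 +0200] "GET /404.html HTTP/1.1" 404 1961 "http://example.com/.well-known/acme-challenge/TOKEN_A" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    example.org:80 192.0.2.11 - - [05/May/2017:21:55:02 +0200] "GET /.well-known/acme-challenge/TOKEN_B HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    example.net:80 198.51.100.7 - - [05/May/2017:22:01:40 +0200] "GET /.well-known/acme-challenge/TOKEN_C HTTP/1.1" 404 1961 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"
    EOF
    )

    # failed_challenges: reads the log on stdin and prints "vhost status token" for
    # every acme-challenge request whose status is not 200.
    failed_challenges() {
        awk '
            # with the vhost prefix, $8 is the request path and $10 the status code
            $8 ~ /^\/\.well-known\/acme-challenge\// && $10 != 200 {
                split($1, vh, ":"); n = split($8, p, "/")
                print vh[1], $10, p[n]
            }'
    }

    # count_failed_challenges: number of failing challenge requests in the sample.
    count_failed_challenges() {
        printf '%s\n' "$SAMPLE_LOG" | failed_challenges | wc -l | tr -d ' '
    }

    # Report with a hint per status class; run the script to see it for the sample.
    printf '%s\n' "$SAMPLE_LOG" | failed_challenges | while read -r vhost status token; do
        case "$status" in
            30[1278]) hint="redirected before the token was served: check Redirect/RewriteRule for an exclusion of /.well-known" ;;
            404)      hint="token file not found: check which webroot serves /.well-known for this vhost" ;;
            403)      hint="forbidden: check directory permissions and access rules on /.well-known" ;;
            *)        hint="unexpected status" ;;
        esac
        printf '%s: token %s got HTTP %s (%s)\n' "$vhost" "$token" "$status" "$hint"
    done
    ```

    Point it at the real log with `failed_challenges < /var/log/apache2/other_vhosts_access.log`; the 302 from the first post shows up as a redirect finding for that vhost.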
  6. MaxT

    MaxT Member HowtoForge Supporter

    I did not find any good guide for Debian 7, although I finally solved the installation following this comment:
    https://www.howtoforge.com/community/threads/lets-encrypt-install-solved.74597/#post-351025

    and this one (with the caveat that the Let's Encrypt menu is different):
    https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt

    Now the certificates for the site are present in /etc/letsencrypt... and ISPC shows the site option ON. However, it seems ISPC has not rewritten the Apache site file with the proper config.

    I'm investigating how to implement this. I have found this guide:
    https://hblok.net/blog/posts/2016/02/24/lets-encrypt-tls-certificate-setup-for-apache-on-debian-7/

    However, I'm looking for a guide specifically for ISPC so it can be compatible with future changes and updates. This is what I'm really searching for. Is there some tutorial?

    Thanks!
     
  7. MaxT

    MaxT Member HowtoForge Supporter

    OK, it's solved. It seems the problem was a longer delay of ISPC in inserting the lines.

    Well, if this can be of interest to somebody: in my case, with Debian Wheezy, ISPC 3.1.2 and a previous failed installation of Let's Encrypt, my process to install Let's Encrypt again (to be used on one website) has been:
    1. Searching for and deleting any trace of the previous letsencrypt on the server, as shown in this thread.
    2. Installing certbot-auto and executing:
      Code:
      # mkdir /opt/certbot
      # cd /opt/certbot
      # wget https://dl.eff.org/certbot-auto
      # chmod a+x ./certbot-auto
      # ./certbot-auto
    3. Leaving the certbot domains menu without choosing any option ( https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt <- the menu is different!!)
    4. Going into the ISPC interface -> Website -> Domain to activate the Let's Encrypt option for the desired website. After this step the keys appeared installed inside folders of /etc/letsencrypt.
    5. Taking some time to allow ISPC to insert the code inside /etc/apache2/sites-available/mysite.com.vhost. Go to the supermarket or whatever.
    6. The new code has finally been inserted by ISPC. Restart Apache.
    7. Then open /etc/apache2/ports.conf to include Listen *:443 inside <IfModule mod_ssl.c>.... (At least in my case it was not present.)
    8. Restart Apache again and the website is finally working.
     
  8. MaxT

    MaxT Member HowtoForge Supporter

    Now a final problem is:
    - When I go with https to the main URL of the server (https://iscp.myserver.com -or- https://2.2.2.2.2), it loads the only website which has been configured to use Let's Encrypt. This is a client website.

    Why are the URLs (https://iscp.myserver.com -or- https://2.2.2.2.2) loading this website instead of ISPC?
    The main ISPC URL ( https://server.myserver.com:8080) still works. However, I don't want that effect on the ISPC URL.

    I don't have any special configuration that would cause this :(
    Is this normal? How can it be avoided?
     
    Last edited: May 8, 2017
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's the intended behaviour. ISPConfig is available on the port it is configured to listen on, this is port 8080 by default. So you can reach it only on that port and not on port 443 as this port is used by the SSL websites.
     
  10. MaxT

    MaxT Member HowtoForge Supporter

    Hi till,

    The problem is that now I can reach phpmyadmin with https://ANYsite.com:8080/phpmyadmin.
    This is strange because I have IP-based restrictions for phpmyadmin inside /etc/apache2/sites-available/ispconfig.conf. Until today these restrictions were working, but now they are not.
    And now I'm forced to create an .htaccess with these restrictions inside /usr/share/phpmyadmin and the other management directories.

    - Now https://iscp.myserver.com/ loads https://myletsencryptsite.com
    - All the management URLs (phpmyadmin, webmail, ...) can now be accessed directly using https://ANYsite.com:8080/phpmyadmin (or webmail or whatever). With any website!

    Why does this happen after configuring Let's Encrypt?

    Please, can you take a look here? I wonder if the problem is here:

    I have this in /etc/apache2/ports.conf
    Code:
    # NameVirtualHost *:80
    Listen *:80
    <IfModule mod_ssl.c>
      # If you add NameVirtualHost *:443 here, you will also have to change
      # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
      # to <VirtualHost *:443>
      # Server Name Indication for SSL named virtual hosts is currently not
      # supported by MSIE on Windows XP.
    Listen *:8081
    Listen *:443
    </IfModule>
    <IfModule mod_gnutls.c>
    Listen 443
    </IfModule>
    
    and at the end of /etc/apache2/sites-available/ispconfig.conf:
    Code:
    #NameVirtualHost 1.1.1.1:8080
    
    NameVirtualHost *:80
    #NameVirtualHost *:443
    
    NameVirtualHost 1.1.1.1:80
    NameVirtualHost 1.1.1.1:443
    
    NameVirtualHost 2.2.2.2:80
    #NameVirtualHost 2.2.2.2:443
    
    Thanks!!
     
  11. MaxT

    MaxT Member HowtoForge Supporter

    The problem is that I cannot limit which websites have access to port 8080.

    When I add a ServerName in /etc/apache2/sites-available/ispconfig.vhost
    Code:
    <VirtualHost _default_:8080>
      ServerName iscp.myserver.com
    all the customer websites can still access ISPC by means of https://websiteX.com:8080/

    And even adding an IP restriction in /etc/apache2/sites-available/ispconfig.vhost under
    Code:
    <Directory /usr/local/ispconfig/interface/web>
      #AllowOverride None
      #Order allow,deny
      order deny,allow
      deny from all
      allow from 1.1.1.1
    
    it is still bypassed from any customer website https://websiteX.com:8080/
    This is insecure, and so I'm forced to create an .htaccess inside /usr/local/ispconfig/interface/web/ to restrict access to ISPC.

    (It would also be good to have the possibility to restrict access to phpmyadmin or another management URL per customer, although I imagine that would be more complicated.)

    How can I restrict access to ISPC in the Apache configuration?
    Can ISPC manage the use of name servers in <VirtualHost: customer1.com> instead of the server IP?
     
  12. Jesse Norell

    Jesse Norell Well-Known Member

    FWIW, I believe that is default behavior, unrelated to your letsencrypt setup; what I use is:

    Code:
    # cat /etc/apache2/conf-enabled/local.conf 
    # local (to this server) config snippets
    
    # This is control-panel-1, phpmyadmin is useful but we restrict access to only admin ip addrs
    # (restrictions are under <Files> because ispconfig grants access in later config file)
    <Directory /usr/share/phpmyadmin>
        <Files '*'>
            <RequireAny>
                Require host myhostname.tld
                Require ip x.y.z.1
                Require ip x.y.z.2
                Require ip x.y.x.3/29
                Require ip x.y.z.4/29
                Require all denied
            </RequireAny>
        </Files>
    </Directory>
    
    To explain my comments there: this server is only the ispconfig control panel, it doesn't host customer web sites, so phpmyadmin is accessible only for our admins; customers are allowed access to phpmyadmin local to their own web server (which are also mysql servers, so phpmyadmin only connects to localhost).

    To restrict access to everything on port 8080 try copying /usr/local/ispconfig/server/conf/apache_ispconfig.conf.master to the conf-custom directory and put your restrictions there, then re-run the ispconfig update.php script and reconfigure services.
     
  13. MaxT

    MaxT Member HowtoForge Supporter

    I don't have the file /etc/apache2/conf-enabled/local.conf, but /etc/apache2/sites-available/ispconfig.conf. I suppose it is the same,
    because it is the only file inside /etc/apache2 where <Directory /usr/share/phpmyadmin> appears. And it appears repeated consecutively:

    Code:
    # Except of the following directories that contain website scripts
    <Directory /usr/share/phpmyadmin>
            #Order allow,deny
            #Allow from all
    
           Require iscp.myserver.com
                
            order deny,allow
            deny from all
            allow from 1.1.1.1
            allow from 2.2.2.2
    
            RedirectMatch 404 ".*\/\..*"
      </Directory>
    
    
    <Directory /usr/share/phpmyadmin>
            #Order allow,deny
            #Allow from all
    
            order deny,allow
            deny from all
            allow from 1.1.1.1
            allow from 2.2.2.2
    
            RedirectMatch 404 ".*\/\..*"
      </Directory>
    
    I have added the "Require iscp.myserver.com" in the first one. And then I tried https://website1.com:8080/phpmyadmin.
    But then I receive a 500 error:
    Code:
    ...File does not exist: /var/www/ispconfig/login/dashboard, referer: https://website1.com:8080/login/dashboard/dashboard.php
    ...configuration error:  couldn't perform authentication. AuthType not set!: /phpmyadmin/
    I have also tried the exact format you wrote, but with the same error.

    Then I searched, and it seems there is no such use of "Require" for Apache/2.2.22. It works with >2.4 (if I have understood this doc): https://wiki.debian.org/Apache/Pack...ions_compatible_to_both.2C_Apache_2.2_and_2.4

    (Thanks for your message, I didn't know this.)

    Although there should be some way to force the presence of the hostname (iscp.myserver.com) with Apache 2.2.x, in the same way that you wrote. This is very close to what I need.

    I think not restricting all the access but only the main access, as you suggest, would be the best.

    Thanks for the help!
     
    Last edited: May 11, 2017
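    An added example, not from the thread or from ISPConfig, covering both Jesse's `Require` snippet and the 500 error above: a shell lint for the Apache 2.2/2.4 access-control mismatch. It flags a bare `Require` (which Apache 2.2 hands to mod_auth, hence "AuthType not set") and `Order/Allow/Deny` directives that sit outside version guards, and shows the guarded form that works on both versions. The config snippets, hostname and address are constructed; the lint assumes the `<IfModule>` guards are not nested.

    ```shell
    #!/bin/sh
    # Added example, not from the thread: lint an Apache access-control snippet for the
    # 2.2/2.4 mismatch behind "AuthType not set!". On 2.2 a bare "Require" belongs to
    # mod_auth and needs an AuthType; on 2.4 "Order/Allow/Deny" need mod_access_compat.
    # Wrapping each dialect in its own <IfModule> makes one file work on both versions.
    # "Require host"/"Allow from <host>" match the client's reverse DNS, not the requested
    # name, so they cannot pin a port to one hostname. Guards are assumed not nested.

    # lint_access_control: reads a config fragment on stdin, prints one finding per line
    lint_access_control() {
        awk '
            { l = tolower($0) }
            l ~ /^[ \t]*<ifmodule[ \t]+mod_authz_core\.c>/  { guard = "2.4"; next }
            l ~ /^[ \t]*<ifmodule[ \t]+!mod_authz_core\.c>/ { guard = "2.2"; next }
            l ~ /^[ \t]*<\/ifmodule>/                        { guard = "";    next }
            l ~ /^[ \t]*require[ \t]/ && guard != "2.4" {
                printf "line %d: Require outside <IfModule mod_authz_core.c>: Apache 2.2 fails with \"AuthType not set\"\n", NR
            }
            l ~ /^[ \t]*(order|allow|deny)[ \t]/ && guard != "2.2" {
                printf "line %d: Order/Allow/Deny outside <IfModule !mod_authz_core.c>: needs mod_access_compat on 2.4\n", NR
            }'
    }
    lint_count() { printf '%s\n' "$1" | lint_access_control | wc -l | tr -d ' '; }  # findings for $1

    # Constructed: the mixed form from the thread, a Require added next to 2.2 directives.
    BAD_CONF=$(cat <<'EOF'
    <Directory /usr/share/phpmyadmin>
            Require panel.example.com
            order deny,allow
            deny from all
            allow from 192.0.2.1
    </Directory>
    EOF
    )
    # Constructed: the same admin-only policy, each Apache version seeing only its dialect.
    GOOD_CONF=$(cat <<'EOF'
    <Directory /usr/share/phpmyadmin>
        <IfModule mod_authz_core.c>
            Require ip 192.0.2.1
        </IfModule>
        <IfModule !mod_authz_core.c>
            Order deny,allow
            Deny from all
            Allow from 192.0.2.1
        </IfModule>
    </Directory>
    EOF
    )
    printf 'mixed snippet: %s finding(s)\n' "$(lint_count "$BAD_CONF")"     # 4
    printf 'guarded snippet: %s finding(s)\n' "$(lint_count "$GOOD_CONF")"  # 0
    printf '%s\n' "$BAD_CONF" | lint_access_control
    ```

    Run it against the real file with `lint_access_control < /etc/apache2/sites-available/ispconfig.conf` before restarting Apache; ISPConfig rewrites that file on update, so the guarded form belongs in the conf-custom template Jesse mentioned rather than in the generated file.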
  14. MaxT

    MaxT Member HowtoForge Supporter

    Finally I have upgraded to Jessie; I think it will be better.
     
