fail on renew with "No such file or directory: 'usr/local/ispconfig/interface/acme'" message

Discussion in 'Installation/Configuration' started by kmchen, Feb 19, 2020.

  1. kmchen

    kmchen Member

    My certificates did not renew today on Debian Buster / Apache. When I run certbot -n renew manually I get this error:
    Here are access rights to acme:
    Code:
    ks307144 ~ > ll /usr/local/ispconfig/interface/
    total 32
    drwxr-s---  3 ispconfig ispconfig 4096 janv. 19  2019 acme
    drwxr-s---  2 ispconfig ispconfig 4096 janv. 19  2019 cache
    -rwxr-x---  1 ispconfig ispconfig  169 juil. 26  2019 index.htm
    drwxr-s---  5 ispconfig ispconfig 4096 janv. 19  2019 lib
    drwxr-s---  2 root      root      4096 mars   8  2019 ssl
    drwxr-s---  2 ispconfig ispconfig 4096 janv. 28  2019 temp
    drwxr-s---  2 ispconfig ispconfig 4096 janv. 19  2019 tools
    drwxr-s--- 19 ispconfig ispconfig 4096 janv. 19  2019 web
    
    What's wrong?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The leading / seems to be missing in the path. Check the letsencrypt config file of the affected domain to see if the path is correct in that file.
     
  3. kmchen

    kmchen Member

    Thanks. Now I get another error:

    Code:
    ks307144 www > certbot -n renew
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/joomla-development.eu.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator webroot, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for joomla-development.eu
    http-01 challenge for mail.joomla-development.eu
    http-01 challenge for www.joomla-development.eu
    Waiting for verification...
    Cleaning up challenges
    Attempting to renew cert (joomla-development.eu) from /etc/letsencrypt/renewal/joomla-development.eu.conf produced an unexpected error: Failed authorization procedure. www.joomla-development.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.joomla-development.eu/.well-known/acme-challenge/RxiaYqMnjjyi-lssaPrCW2bbQmIMWVLFR8ZvM2ztUYI [94.23.227.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", joomla-development.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://joomla-development.eu/.well-known/acme-challenge/yBU1ESqA8H5MjkYgrqbualdm1uN01gzq4CftYHTlhcM [94.23.227.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p", mail.joomla-development.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mail.joomla-development.eu/.well-known/acme-challenge/wtoyJwXfnP4QiEd2nTIxbPUeTQn4RVwz3lpssf-NKdI [94.23.227.123]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>404 Not Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p". Skipping.                                                                                                                                                           
    
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Processing /etc/letsencrypt/renewal/ks307144.kimsufi.com.conf
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Cert is due for renewal, auto-renewing...
    Plugins selected: Authenticator standalone, Installer None
    Renewing an existing certificate
    Performing the following challenges:
    http-01 challenge for ks307144.kimsufi.com
    Cleaning up challenges
    Attempting to renew cert (ks307144.kimsufi.com) from /etc/letsencrypt/renewal/ks307144.kimsufi.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Your cert tries to use the standalone authenticator, so it must be an SSL cert that was not generated from ispconfig, as standalone is never used, and standalone can not work as you already run a web server and standalone tries to start another web server. If you want to use Let's Encrypt SSL in ispconfig for this subdomain, login to ispconfig, disable the SSL and LE checkbox in the website settings and save, then delete your current cert for the subdomain using certbot on the shell, then login to ispconfig and enable the SSL and LE checkbox for that website.
     
  5. kmchen

    kmchen Member

    I did what you said, disabling SSL and LE in ISPCONFIG, deleting certificates (certbot delete) and re-enabling SSL and LE.
    Now Apache can't restart:
     
  6. Steini86

    Steini86 Active Member

    seems like you have deleted your cert, which you used for ispc web interface ;)
    Delete the symlinks and replace them with your backup certificates
    Code:
    cd /usr/local/ispconfig/interface/ssl
    rm ispserver.key
    rm ispserver.crt
    mv ispserver.crt-190121155214.bak ispserver.crt
    mv ispserver.key-190121155214.bak ispserver.key
    
    Then restart apache, configure letsencrypt and follow https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ again if needed
     
  7. kmchen

    kmchen Member

    How do I verify the current cert is deleted? I used certbot delete and I don't see any joomla-development.eu cert anymore in /etc/letsencrypt.
    But checking SSL and LETSENCRYPT in the joomla-development.eu ispconfig site unchecks the boxes and I see this in ispconfig.log:
    Code:
    26.02.2020-16:00 - WARNING - Could not verify domain joomla-development.eu, so excluding it from letsencrypt request.
    26.02.2020-16:00 - WARNING - Could not verify domain www.joomla-development.eu, so excluding it from letsencrypt request.
    26.02.2020-16:00 - WARNING - Could not verify domain mail.joomla-development.eu, so excluding it from letsencrypt request.
    26.02.2020-16:00 - WARNING - Let's Encrypt SSL Cert for: joomla-development.eu could not be issued.
    
    And now I see another website that did not renew properly.

    So if I use ispconfig I cannot use certbot renew in the shell?
     
    Last edited: Feb 26, 2020
  8. Th0m

    Th0m Active Member HowtoForge Supporter

    Did you set up your DNS correctly?
     
    Last edited: Feb 26, 2020
  9. Jesse Norell

    Jesse Norell Well-Known Member

    Actually you can, though it's not necessary as ISPConfig has its own cron job for that. The issue you have is how you requested your certificate originally, not how renew is called - re-read @till's comment above.
     
  10. kmchen

    kmchen Member

    I did. It seems I don't know how to delete old certificates properly (please see my #7 post) or there is a bug somewhere.
    DNS has been configured and working for months. The problem arose at certificate renewal time.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Is your server located behind a router or do you use some kind of cloud proxy service in front of it that blocks access to the Let's Encrypt verification path?
     
  12. Jesse Norell

    Jesse Norell Well-Known Member

    The problem earlier with renewal was your certificate was issued using the standalone authenticator; after having deleted the certificate, do you by chance still have a /etc/letsencrypt/renewal/joomla-development.eu.conf file that specifies standalone? If you have ensured there are no files related to the domain at all under /etc/letsencrypt (which you may have, per your above comments), I'd check the .vhost file to ensure there is an alias for the acme-challenge path, and if so follow the letsencrypt troubleshooting faq step by step.
     
  13. kmchen

    kmchen Member

    No proxy. What is the Let's Encrypt verification path when using ispconfig?

    Code:
    ks307144 ~ > find /etc/letsencrypt/ -iname *joomla-development.eu*
    ks307144 ~ >
    ks307144 ~ > grep acme /etc/apache2/sites-enabled/100-joomla-development.eu.vhost
                    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    
    
     
    Last edited: Feb 26, 2020
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not in the vhost, it's a global alias. At least for recent apache versions (apache 2.4 or newer).

    It is .well-known/acme-challenge/ for all software which uses let's encrypt and the grep you posted shows the required rewrite rule that ensures that this path does not get rewritten.

    You can test the verification like this:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/mytest.txt

    then try to open this url in a browser:

    http://joomla-development.eu/.well-known/acme-challenge/mytest.txt

    if you get a blank page, then verification works. If you get a 404 error or any other page that is not blank, then verification failed.
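The checks till and Jesse Norell describe in this and the earlier posts, collected into a few POSIX shell functions as an added example (not code from the thread, from ISPConfig or from certbot): list the authenticator of each certbot renewal conf, flag `standalone` ones and relative `webroot_path` values, and probe the challenge path with a token. The renewal-directory and acme-directory parameters and the `ispc-probe-` token name are assumptions.

```shell
# Added example, not code from the thread, ISPConfig or certbot: the
# diagnostics from posts #2, #4, #12 and #14 as reusable shell functions.
# The renewal directory is a parameter (real location: /etc/letsencrypt/renewal).

# Print "<cert name> <authenticator>" for every certbot renewal conf.
list_authenticators() {
  dir="${1:-/etc/letsencrypt/renewal}"
  for conf in "$dir"/*.conf; do
    [ -f "$conf" ] || continue
    auth=$(sed -n 's/^[[:space:]]*authenticator[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
    printf '%s %s\n' "$(basename "$conf" .conf)" "${auth:-unknown}"
  done
}

# Certificates that renew with the standalone authenticator: these try to
# bind port 80 themselves and fail next to a running Apache (post #4).
standalone_certs() {
  list_authenticators "$1" | awk '$2 == "standalone" { print $1 }'
}

# Certificates whose webroot_path is not absolute, e.g. the missing leading
# slash behind "No such file or directory: 'usr/local/...'" (posts #1/#2).
relative_webroots() {
  dir="${1:-/etc/letsencrypt/renewal}"
  for conf in "$dir"/*.conf; do
    [ -f "$conf" ] || continue
    path=$(sed -n 's/^[[:space:]]*webroot_path[[:space:]]*=[[:space:]]*//p' "$conf" \
           | head -n 1 | cut -d, -f1)
    case "$path" in
      ''|/*) ;;                       # absent or absolute: fine
      *) printf '%s %s\n' "$(basename "$conf" .conf)" "$path" ;;
    esac
  done
}

# till's manual check (post #14) with an explicit token instead of a blank
# file: place it in the ISPConfig acme directory, fetch it over HTTP through
# the public hostname, succeed only if the body comes back verbatim.
# "ispc-probe-<pid>" is an assumed token name.
probe_acme_path() {
  host="$1"
  acme_dir="${2:-/usr/local/ispconfig/interface/acme/.well-known/acme-challenge}"
  token="ispc-probe-$$"
  printf '%s' "$token" > "$acme_dir/$token" || return 1
  body=$(curl -s -m 10 "http://$host/.well-known/acme-challenge/$token")
  rm -f "$acme_dir/$token"
  [ "$body" = "$token" ]
}
```

A 404 page or another site's content, as seen later in this thread, makes `probe_acme_path` return 1, which is the same failure the certbot output in post #3 reports.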
     
  15. kmchen

    kmchen Member

  16. till

    till Super Moderator Staff Member ISPConfig Developer

    And that's the reason why you can't get a LE SSL cert.


    It's a global apache alias in the file /etc/apache2/sites-available/ispconfig.conf, the line is:

    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
     
  17. kmchen

    kmchen Member

    Well, no proxy, no messages in apache logs nor site logs, nor ispconfig.log, ... any idea how to find out what's wrong?
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    You must see the request either in the access.log of the website or in the global apache access.log. If it's in none of these logs, then the request must be either blocked before it reaches the server or the domain points to a different server altogether.
     
  19. kmchen

    kmchen Member

    The website access.log is inaccessible and the apache access.log is empty:
    Code:
    ks307144 ~ > tail -f /var/log/apache2/access.log -f /var/log/ispconfig/httpd/joomla-development.eu/access.log
    ==> /var/log/apache2/access.log <==
    tail: impossible d'ouvrir '/var/log/ispconfig/httpd/joomla-development.eu/access.log' en lecture: Aucun fichier ou dossier de ce type
    ks307144 ~ > ll /var/log/ispconfig/httpd/joomla-development.eu/
    total 44
    lrwxrwxrwx 1 root root   19 août  15  2019 access.log -> 20190815-access.log
    -rw-r--r-- 1 root root    0 févr. 27 00:03 error.log
    -rw-r--r-- 1 root root 1365 févr. 18 00:03 error.log.10.gz
    -rw-r--r-- 1 root root  996 févr. 17 00:03 error.log.11.gz
    -rw-r--r-- 1 root root   30 févr. 27 00:03 error.log.1.gz
    -rw-r--r-- 1 root root   30 févr. 26 00:03 error.log.2.gz
    -rw-r--r-- 1 root root   30 févr. 25 00:03 error.log.3.gz
    -rw-r--r-- 1 root root   30 févr. 24 00:03 error.log.4.gz
    -rw-r--r-- 1 root root   30 févr. 23 00:03 error.log.5.gz
    -rw-r--r-- 1 root root   30 févr. 22 00:03 error.log.6.gz
    -rw-r--r-- 1 root root  531 févr. 21 00:03 error.log.7.gz
    -rw-r--r-- 1 root root  679 févr. 20 00:03 error.log.8.gz
    -rw-r--r-- 1 root root  694 févr. 19 00:03 error.log.9.gz
    lrwxrwxrwx 1 root root   53 août  16  2019 yesterday-access.log -> /var/www/clients/client1/web4/log/20190815-access.log
    ks307144 ~ > ll /var/log/apache2/access.log
    -rw-r----- 1 root adm 0 mars  25  2019 /var/log/apache2/access.log
    
    
    Is that the normal way ISPCONFIG manages access.log files ?!
     
    Last edited: Feb 28, 2020
  20. kmchen

    kmchen Member

    About logs, how do I control access.log with ISPCONFIG? (I don't see any CustomLog directives in the generated vhosts.)
    --
    http://joomla-development.eu is redirected to https://joomla-development.eu which shows the contents of another website hosted on the same server (mon-voyage-a-cuba.com)!
    The domain points to the right server:
    Code:
    [email protected]:~$ nslookup joomla-development.eu
    Server:         212.166.211.4
    Address:        212.166.211.4#53
    
    Non-authoritative answer:
    Name:   joomla-development.eu
    Address: 94.23.227.123
    
    If I stop apache, joomla-development.eu does not work anymore. If I restart apache after manually disabling joomla-development.eu, joomla-development.eu is not defined anymore but it still works and is redirected to mon-voyage-a-cuba.com:
    Code:
    ks307144 sites-available > rm ../sites-enabled/100-joomla-development.eu.vhost
    ks307144 sites-available > rgrep joomla-development ../sites-enabled/*
    ks307144 sites-available >
    ks307144 sites-available > systemctl reload apache2
    So there is a conf in apache that applies to the domain joomla-development.eu and leads to mon-voyage-a-cuba.com?!
     
    Last edited: Mar 2, 2020
