fail on renew with "No such file or directory: 'usr/local/ispconfig/interface/acme'" message

Discussion in 'Installation/Configuration' started by kmchen, Feb 19, 2020.

  1. kmchen

    kmchen Member

    I'm absolutely shure I didn't uncheck that before. Checking it, the result is nearly similar. Here is the log:
    Code:
    18.03.2020-15:10 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
    18.03.2020-15:10 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Network configuration disabled in server settings.
    18.03.2020-15:10 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Processed datalog_id 590
    18.03.2020-15:10 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    18.03.2020-15:10 - DEBUG - Restarting httpd: systemctl restart apache2.service
    18.03.2020-15:10 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
    18.03.2020-15:11 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    18.03.2020-15:11 - DEBUG - Found 1 changes, starting update process.
    18.03.2020-15:11 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    18.03.2020-15:11 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    18.03.2020-15:11 - DEBUG - mkdir failed: //var/www/clients/client1/web17/web/error
    18.03.2020-15:11 - DEBUG - chmod failed: //var/www/clients/client1/web17/web/error : 493
    18.03.2020-15:11 - DEBUG - Create Let's Encrypt SSL Cert for: joomla-development.eu
    18.03.2020-15:11 - DEBUG - Let's Encrypt SSL Cert domains:  --domains joomla-development.eu --domains www.joomla-development.eu
    18.03.2020-15:11 - DEBUG - LE version is 0.31.0, so using certificates command
    18.03.2020-15:11 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"joomla-development.eu":"\/usr\/local\/ispconfig\/interface\/acme","www.joomla-development.eu":"\/usr\/local\/ispconfig\/interface\/acme"}'
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT:
    18.03.2020-15:11 - WARNING - Let's Encrypt SSL Cert for: joomla-development.eu could not be issued.
    18.03.2020-15:11 - WARNING - /usr/bin/letsencrypt certificates  --domains joomla-development.eu --domains www.joomla-development.eu
    18.03.2020-15:11 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/joomla-development.eu.vhost
    18.03.2020-15:11 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web17.conf
    18.03.2020-15:11 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    18.03.2020-15:11 - DEBUG - Restarting php-fpm: systemctl reload php7.3-fpm.service
    18.03.2020-15:11 - DEBUG - Apache status is: running
    18.03.2020-15:11 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    18.03.2020-15:11 - DEBUG - Restarting httpd: systemctl restart apache2.service
    18.03.2020-15:11 - DEBUG - Apache restart return value is: 0
    18.03.2020-15:11 - DEBUG - Apache online status after restart is: running
    18.03.2020-15:11 - DEBUG - Processed datalog_id 591
    18.03.2020-15:11 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
     
  2. Jesse Norell

    Jesse Norell Well-Known Member

    Might be worth looking in to? I don't know if that's normal or not.

    Check the letsencrypt.log to see what happened here.

    That doesn't mention enabling the site, and your earlier command showed you do not have a sites-enabled link for joomla-development.eu. While I believe you should still be able to issue a certificate for the domain(s) without a vhost file, you of course will not access the website without one. Maybe go to Tools and resync all websites, and watch the log for errors?
     
  3. kmchen

    kmchen Member

    //var/www/clients/client1/web17/web/ is write protected. this is not related to the problem

    Here is letsencrypt log
    Code:
    2020-03-18 18:28:07,500:DEBUG:certbot.error_handler:Calling registered functions
    2020-03-18 18:28:07,500:INFO:certbot.auth_handler:Cleaning up challenges
    2020-03-18 18:28:07,500:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo
    2020-03-18 18:28:07,501:DEBUG:certbot.plugins.webroot:All challenges cleaned up
    2020-03-18 18:28:07,501:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
        lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
        lineage = le_client.obtain_and_enroll_certificate(domains, certname)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
        cert, chain, key, _ = self.obtain_certificate(domains)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
        orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
        authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
        self._respond(aauthzrs, resp, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
        self._poll_challenges(aauthzrs, chall_update, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    certbot.errors.FailedChallenges: Failed authorization procedure. www.joomla-development.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge "Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo.87u5bDuw6YtnIm6DD3S5ijhMw6D1vK9yeF4zPeOvatE" != "Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"
    2020-03-18 18:28:07,902:DEBUG:certbot.main:certbot version: 0.31.0
    2020-03-18 18:28:07,902:DEBUG:certbot.main:Arguments: ['--domains', 'joomla-development.eu', '--domains', 'www.joomla-development.eu']
    2020-03-18 18:28:07,903:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-03-18 18:28:07,912:DEBUG:certbot.log:Root logging level set at 20
    2020-03-18 18:28:07,912:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    Yes there is one:
    Code:
    ks307144 sites-available > ll /etc/apache2/sites-enabled/*joomla-dev*
    lrwxrwxrwx 1 root root 56 mars  15 12:09 /etc/apache2/sites-enabled/100-joomla-development.eu -> /etc/apache2/sites-available/joomla-development.eu.vhost
    lrwxrwxrwx 1 root root 56 mars  15 12:34 /etc/apache2/sites-enabled/100-joomla-development.eu.vhost -> /etc/apache2/sites-available/joomla-development.eu.vhost
    lrwxrwxrwx 1 root root 61 mars  16 09:27 /etc/apache2/sites-enabled/100-test.joomla-development.eu.vhost -> /etc/apache2/sites-available/test.joomla-development.eu.vhost
    
    Attempting to resync all websites does not produce more error messages than we've seen yet. I cant show them here as it is too long.
     
  4. Steini86

    Steini86 Active Member

    Why do you have a "ispconfig.conf" and "000-ispconfig.conf" file? Are these actual files or symlinks? Do you have any other files in that directory that do not belong to websites?

    But it could be! Because if apache throws an error during startup, it replaces the vhsot file with the previous one and does not do any changes. So every error can prevent you from doing changes. At least make sure the web has a folder "error" with the error files in it (or go back to global error sites)
     
  5. Jesse Norell

    Jesse Norell Well-Known Member

    Ah, I was incorrect, as it did not show in the previous `grep -R acme-challenge /etc/apache2` output. Comparing with vhost files on a server here, it should have, so the contents of your (apparently multiple) sites-enabled links for that domain are probably not right. Offhand, what does
    /etc/apache2/sites-available/joomla-development.eu.vhost contain, still the same as you posted above? Or did resyncing add lines like:
    Code:
                    RewriteEngine on
                    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
                    RewriteRule ^ - [END]
    
    This part is normal for an ispconfig server:
    Code:
    # ls -l /etc/apache2/sites-*/*ispconfig.conf                                                                                   
    -rw-r--r-- 1 root root 2090 Feb  5 11:28 /etc/apache2/sites-available/ispconfig.conf
    lrwxrwxrwx 1 root root   43 Jun 29  2016 /etc/apache2/sites-enabled/000-ispconfig.conf -> /etc/apache2/sites-available/ispconfig.conf
    
     
  6. kmchen

    kmchen Member

    Here is the vhost:
    Code:
    ks307144 apache2 > cat /etc/apache2/sites-available/joomla-development.eu.vhost
    
    <Directory /var/www/joomla-development.eu>
                    AllowOverride None
                                    Require all denied
                    </Directory>
    
    <VirtualHost *:80>
    
                                            DocumentRoot /var/www/clients/client1/web17/web
    
                    ServerName joomla-development.eu
                    ServerAlias www.joomla-development.eu
                    ServerAdmin [email protected]
    
    
                    ErrorLog /var/log/ispconfig/httpd/joomla-development.eu/error.log
    
                    Alias /error/ "/var/www/joomla-development.eu/web/error/"
                    ErrorDocument 400 /error/400.html
                    ErrorDocument 401 /error/401.html
                    ErrorDocument 403 /error/403.html
                    ErrorDocument 404 /error/404.html
                    ErrorDocument 405 /error/405.html
                    ErrorDocument 500 /error/500.html
                    ErrorDocument 502 /error/502.html
                    ErrorDocument 503 /error/503.html
    
                    <IfModule mod_ssl.c>
                    </IfModule>
    
                    <Directory /var/www/joomla-development.eu/web>
                                    # Clear PHP settings of this website
                                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                    SetHandler None
                                    </FilesMatch>
                                    Options +FollowSymLinks
                                    AllowOverride All
                                                                    Require all granted
                                                    </Directory>
                    <Directory /var/www/clients/client1/web17/web>
                                    # Clear PHP settings of this website
                                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                    SetHandler None
                                    </FilesMatch>
                                    Options +FollowSymLinks
                                    AllowOverride All
                                                                    Require all granted
                                                    </Directory>
    
    
    
    
                    # suexec enabled
                    <IfModule mod_suexec.c>
                            SuexecUserGroup web17 client1
                    </IfModule>
                    <IfModule mod_fastcgi.c>
                                    <Directory /var/www/clients/client1/web17/cgi-bin>
                                                                                    Require all granted
                                                                        </Directory>
                                    <Directory /var/www/joomla-development.eu/web>
                                            <FilesMatch "\.php[345]?$">
                                                    SetHandler php-fcgi
                                            </FilesMatch>
                                    </Directory>
                                    <Directory /var/www/clients/client1/web17/web>
                                            <FilesMatch "\.php[345]?$">
                                                    SetHandler php-fcgi
                                            </FilesMatch>
                                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                                    Alias /php-fcgi /var/www/clients/client1/web17/cgi-bin/php-fcgi-*-80-joomla-development.eu
                    FastCgiExternalServer /var/www/clients/client1/web17/cgi-bin/php-fcgi-*-80-joomla-development.eu -idle-timeout 300 -socket /var/lib/php7.0-fpm/web17.sock -pass-header Authorization  -pass-header Content-Type
                    </IfModule>
                    <IfModule mod_proxy_fcgi.c>
                            #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web17.sock|fcgi://localhost//var/www/clients/client1/web17/web/$1
                            <Directory /var/www/clients/client1/web17/web>
                                    <FilesMatch "\.php[345]?$">
                                                    SetHandler "proxy:unix:/var/lib/php7.0-fpm/web17.sock|fcgi://localhost"
                                    </FilesMatch>
                            </Directory>
                            </IfModule>
    
    
    
                    # add support for apache mpm_itk
                    <IfModule mpm_itk_module>
                            AssignUserId web17 client1
                    </IfModule>
    
                    <IfModule mod_dav_fs.c>
                    # Do not execute PHP files in webdav directory
                            <Directory /var/www/clients/client1/web17/webdav>
                                    <ifModule mod_security2.c>
                                            SecRuleRemoveById 960015
                                            SecRuleRemoveById 960032
                                    </ifModule>
                                    <FilesMatch "\.ph(p3?|tml)$">
                                            SetHandler None
                                    </FilesMatch>
                            </Directory>
                            DavLockDB /var/www/clients/client1/web17/tmp/DavLock
                            # DO NOT REMOVE THE COMMENTS!
                            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                            # WEBDAV END
                    </IfModule>
    
    
    
    </VirtualHost>
    
    
    and the error directory (as automatically created by ISPCONFIG I guess)
    Code:
    ks307144 apache2 > chown root:root /var/www/joomla-development.eu/web/error/
    ks307144 apache2 > ll /var/www/joomla-development.eu/web/error/
    total 0
    ks307144 apache2 > ll /var/www/joomla-development.eu/web/ |grep error
    drwxr-xr-x  2 root  root     4096 mars  18 18:23 error
    
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    Looking further, the vhosts which exclude acme-challenge requests are the ones which have rewrites (eg. seo redirect, or http->https), that does not show in other vhost files, so yours looks fine in a cursory look.

    Your previous output shows the correct Alias in /etc/apache2/sites-enabled/000-ispconfig.conf. Maybe check to ensure you have mod_alias enabled?
     
  8. kmchen

    kmchen Member

    No there is only one site enabled link on joomla-development:
    And mod_alias seems to be enabled. Is there test to verify it really works ?
    Code:
    ks307144 ~ > ll /etc/apache2/sites-enabled/ |grep joomla-dev
    lrwxrwxrwx 1 root root 56 mars  15 12:34 100-joomla-development.eu.vhost -> /etc/apache2/sites-available/joomla-development.eu.vhost
    lrwxrwxrwx 1 root root 61 mars  16 09:27 100-test.joomla-development.eu.vhost -> /etc/apache2/sites-available/test.joomla-development.eu.vhost
    ks307144 ~ > apache2ctl -M|grep alias
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
     alias_module (shared)
    
    
     
  9. kmchen

    kmchen Member

    OK. How can I completely deactivate ISPCONFIG for letsencrypt certicates and generate them manually with cerbot ?
     
  10. Jesse Norell

    Jesse Norell Well-Known Member

    Curious; above you had 2 showing:
    Did you find that and fix it in the mean time? Or is something else playing around with symlinks there?

    I've not walked through this, but I suspect if you disable the Let's Encrypt checkbox for the site, then delete the letsencrypt certificate (from cli), then dig up the earliest "how to use lets encrypt with ispconfig" articles you can find (circa 2016, before ISPConfig had any support for lets encrypt whatsoever), those instructions would still work. Iirc, you used the SSL tab to generate a self-signed certificate for the site, then after that was present on the filesystem, via cli you removed the certificate files and replaced them with links to the corresponding /etc/letsencrypt/live/* files.
     

Share This Page