Few strange problems with ISP

Discussion in 'Installation/Configuration' started by Poliman, Feb 1, 2018.

  1. Poliman

    Poliman Member

    I have a few quite annoying problems. A few websites are deployed on the server. Each has its own LE SSL.
    1. No idea why the certs are not renewed automatically. I can post the log file; I don't see anything wrong there.
    2. When the cert for a particular website expires, then after entering the address of this site in the browser, the first site added under ISP opens, but without a certificate. It's probably because ISP serves the first added site under the address of the domain which has the expired cert (of course after clicking add exception for the certificate in the browser). When I put the address of this first site in the browser, it has a nice green padlock.
    3. Sometimes I have to turn on the LE SSL and SSL checkboxes and click the Save button a few times (of course after each I wait for it to propagate), because the first time both checkboxes are unchecked.

    Really need help from you people. @till, @ahrasis, @Jesse Norell, are you able to answer? I know you know what to do. :)
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You should have a letsencrypt log file, what does it show when a certificate expires?
  3. Poliman

    Poliman Member

    Yeah, I have it. There are some errors, probably produced by the failing renewal process, but I am not sure, because the log contains many lines. I could post it as an attachment. The attached file contains the logs from letsencrypt.log to letsencrypt.log.10, separated by two lines of space between them.

    My friend uses ISPConfig too and he also has a problem with renewing certs. I am not sure it's a problem with configuration. I just installed LE as the Perfect Server tutorial says. I have my own private server with ISP and LE, and soon I will know whether the certs will or won't renew. ;)

    I see errors:
    1. Here, this website uses https://aplikacjaomnibus.pl/ (not http as you can see in the log) and works perfectly. Of course it has a properly configured A record with the right IP. Second thing: the "address" attribute probably has a wrong path "/.well-known/acme-challeng" (a typo in acme-challeng[e]).
    Detail: Invalid response from http://aplikacjaomnibus.pl/.well-known/acme-challenge/tiCv0w4xFe9jI6lDAsezryBlzfyYCI5Bzutj2Pps4Vk: "{"error":{"status":404,"name":"","message":"Strona nie istnieje :/","details":[],"data":{},"address":"/.well-known/acme-challeng"
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2018-01-31 03:00:37,510:INFO:letsencrypt.cli:Cert not yet due for renewal
    2018-01-31 03:00:37,510:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1034, in renew
        len(renew_failures), len(parse_failures)))
    Error: 1 renew failure(s), 2 parse failure(s)
    3. This shows up in each log file more times than those above.
    2018-01-31 03:00:37,430:INFO:letsencrypt.cli:Cert not yet due for renewal
    2018-01-31 03:00:37,430:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/biodermagame.pl.conf is broken. Skipping.
    2018-01-31 03:00:37,430:DEBUG:letsencrypt.cli:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 900, in _reconstitute
        full_path, configuration.RenewerConfiguration(config))
      File "/usr/lib/python2.7/dist-packages/letsencrypt/storage.py", line 200, in __init__
        "file reference".format(self.configfile))
    CertStorageError: renewal config file {} is missing a required file reference

    Last edited: Feb 8, 2018
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    It's unlikely that certbot has a typo in its own path; more likely this is just a shortened error message.

    The other log shows that the renewal config file seems to be broken; you might try to fix that, or you just remove it and let ISPConfig create a new SSL cert.
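One way to find which renewal configs are in the state the log above reports, as an added example that is not part of the thread and not ISPConfig or certbot code: it checks each renewal `.conf` for the four file references the letsencrypt client requires (`cert`, `privkey`, `chain`, `fullchain`) and that each referenced file exists. The parser is a simplified stand-in for the client's own, and the domains and directory tree are constructed sample data.

```python
import tempfile
from pathlib import Path

# File references the letsencrypt client requires in each renewal config.
REQUIRED_KEYS = ("cert", "privkey", "chain", "fullchain")

def parse_top_level(path):
    """Return key/value pairs found before the first [section] header."""
    values = {}
    for raw in Path(path).read_text(encoding="utf-8").splitlines():
        line = raw.strip()
        if line.startswith("["):
            break
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip()] = value.strip().strip("'\"")
    return values

def audit_renewal_dir(renewal_dir):
    """Map each .conf name to its problems; exists() also flags dangling symlinks."""
    report = {}
    for conf in sorted(Path(renewal_dir).glob("*.conf")):
        values = parse_top_level(conf)
        problems = ["missing reference: " + k for k in REQUIRED_KEYS if k not in values]
        problems += ["target not found: " + k for k in REQUIRED_KEYS
                     if k in values and not Path(values[k]).exists()]
        report[conf.name] = problems
    return report

def build_sample(root):
    """Constructed sample tree: one healthy, one emptied, one dangling config."""
    renewal, live = Path(root, "renewal"), Path(root, "live", "good.example")
    renewal.mkdir(parents=True)
    live.mkdir(parents=True)
    body = ""
    for key in REQUIRED_KEYS:
        (live / (key + ".pem")).touch()
        body += "%s = %s\n" % (key, live / (key + ".pem"))
    samples = {
        "good.example.conf": body + "[renewalparams]\nauthenticator = webroot\n",
        "emptied.example.conf": "",
        "dangling.example.conf": body.replace("good.example", "gone.example"),
    }
    for name, text in samples.items():
        (renewal / name).write_text(text, encoding="utf-8")
    return renewal

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        print(audit_renewal_dir(build_sample(root)))
```

On a server, `audit_renewal_dir("/etc/letsencrypt/renewal")` run as root lists every config that the renewal job would skip, so broken ones are found before a certificate expires.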
  5. Poliman

    Poliman Member

    About the typo - I pasted the whole log. ;)
    Yeah, they seem to be broken. What did I do when my cert did not renew? I turned off the checkboxes in ISP - LE SSL and SSL - and saved the settings. After this I opened a shell and entered /etc/letsencrypt/. Then in the archive, live and renew directories I removed the directories and the .conf file (in the renew directory) related to aplikacjaomnibus.pl. At the end I turned LE SSL and SSL on again and after a while the certs were enabled. BUT it probably won't help, because each of my domains has this problem. It looks like I renew certs manually. :D I really would like to fix it but have no idea which thing crashes the whole renewal process. I attached to my earlier post the file with all the information I have about letsencrypt in the logs.

    Do you maybe know some script to automate renewing?
    Last edited: Feb 9, 2018
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Renewing normally works automatically. I have several LE certs on my servers, all installed exactly as described in the perfect server guides, and they all renew without issues. The renewal config file which is wiped out on your system is not read or edited by ISPConfig, so I can't tell you which software on your server changed it. It might also be that there was a bug in certbot that corrupted its own files, who knows.

    The only way I know to break this is to use the certbot command manually on the shell to create certs and that's why I always repeat to not do that.
    Last edited: Feb 9, 2018
  7. Poliman

    Poliman Member

    I suppose there is a bug. I will monitor what happens with aplikacjaomnibus.pl's certs. Currently I just "renew" it manually - after deleting the files and turning the checkboxes on again, the files are properly created in the proper directories - live, renew, archive - so I think it's OK. If the certs for this app break, I will know about it after 3 months, but if the certs from another app break, I will know about it earlier. I will post info here.
    Last edited: Feb 12, 2018