HTTPS config errors when using letsencrypt

Discussion in 'ISPConfig 3 Priority Support' started by rob_morin, Oct 20, 2016.

  1. rob_morin

    rob_morin Member HowtoForge Supporter

    Hello all again. We are testing the lets encrypt feature to be able to offer our clients the option to have ssl sites. Sometimes its works and sometimes not, i tried adding ssl to a test domain, however i see an error in the ispconfig cron log
    I then received an email stating....

    20.10.2016-08:37 - WARNING - Let's Encrypt SSL Cert for: lumpyjunk.com could not be issued.
    Am I doing something wrong?
    Thanks

    Thu Oct 20 08:37:02 EDT 2016 Included cronjob_letsencrypt from /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php -> will now run job.
    Thu Oct 20 08:37:02 EDT 2016 Called run() for class cronjob_letsencrypt
    Thu Oct 20 08:37:02 EDT 2016 Job has schedule: 0 3 * * *
    Thu Oct 20 08:37:02 EDT 2016 Called onPrepare() for class cronjob_letsencrypt
    Thu Oct 20 08:37:02 EDT 2016 Called onBeforeRun() for class cronjob_letsencrypt
    Thu Oct 20 08:37:02 EDT 2016 Jobs next run is 2016-10-21 03:00:00
    Thu Oct 20 08:37:02 EDT 2016 Date compare of 1477033200 and 1476967021 is -1
    Thu Oct 20 08:37:02 EDT 2016 Called onCompleted() for class cronjob_letsencrypt
    Thu Oct 20 08:37:02 EDT 2016 run job (cronjob_letsencrypt) done.
    Thu Oct 20 08:37:02 EDT 2016 finished.
    Thu Oct 20 08:37:10 EDT 2016 Failed authorization procedure. lumpyjunk.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lumpyjunk.com/.well-known/acme-challenge/WZooR
    BXB7_o89X4emlrtumg_-pasoObfJUPTjqma6R0: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    Thu Oct 20 08:37:10 EDT 2016 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    Thu Oct 20 08:37:10 EDT 2016 <ht", www.lumpyjunk.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.lumpyjunk.com/.well-known/acme-challenge/UScIYfmbKQEa-xcvSOQldnY
    cOVQVc62OS_dpqcDoE7U: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    Thu Oct 20 08:37:10 EDT 2016 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    Thu Oct 20 08:37:10 EDT 2016 <ht"
    Thu Oct 20 08:37:30 EDT 2016 finished.
     
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I think you added a domain that does not point to your server (DNS). This is a requirement.
     
  3. rob_morin

    rob_morin Member HowtoForge Supporter

    Ah, yes it was not pointed, as i was just testing, ok i try again and update this post

    Thanks.
     
  4. rob_morin

    rob_morin Member HowtoForge Supporter

    Ok, so now its pointed to my 3 dns serves and entered in ispconfig, and i get same error. What should i check for next?
     
  5. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I don't think that it propagates this fast to all DNS servers. It's the Letsencrypt DNS servers that need to know the domain->ip until the verification will work. So I would propose to wait at least a few hours.
     
  6. rob_morin

    rob_morin Member HowtoForge Supporter

    I figure if Google's DNS servers have it , everyone should, lol However I will wait a bit longer...
     
  7. rob_morin

    rob_morin Member HowtoForge Supporter

    FYI I tired it with another domain i am not using, and it worked.... both point to same dns server and both work fine form the web via a browser. weird....
     
  8. rob_morin

    rob_morin Member HowtoForge Supporter

  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The installation is described din each of the perfect server guides for ispconfig 3.1 and the ispconfig manual.

    Beside that, you posted already in #7 of this thread that it worked for your other domain, so this implias that you installed it correctly as you wont have got a letsencrypt ssl cert otherwise.
     
  10. rob_morin

    rob_morin Member HowtoForge Supporter

    I reposted because sometimes it works and sometimes no.... i cannot find anything in common so i wanted to make sure about the letsencryypt install procedure, i will check the manual again , for detailed install instructions for letsencrypt, and do more testing and get back to you.

    Thanks,,
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Letsencrypt is installed correctly as you won't get a single cert when it was not installed correctly. So don't mess around with the letsencrypt install if you don't want to break your setup!

    If you get a cert or not for a domain simply depends on the fact if letsencrypt can reach that domain on your server or not and dns changes can take 34 hours, so don't try to activate letsencrypt on a domain where not all dns caches have the new IP yet. You can see the details in the letsencrypt log file.
     

Share This Page