Installing LetsEncrypt SSL for management console

Discussion in 'Installation/Configuration' started by Slimat, Jul 25, 2021.

  1. Slimat

    Slimat New Member

    Hi Guys

    I know this is going to be simple - but need someone to point me in the right direction.

    I have installed IPSc 3.2.5 on a new Ubuntu 20.04 server - but hadn't set the subdomain CNAME record before letting the autoinstaller run, so the SSL certificate didn't get created. I could trash the server and run the install again, now the CNAME record exists, but assume that there must be a way to force a renew from the console - or at the CLI on the server... can anyone help?

    Many thanks & sorry for being such a noob!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Use command
    Code:
    ispconfig_update.sh --force
    and let it create certificate when the script asks for it.
     
  3. Slimat

    Slimat New Member

    Perfect - many thanks :)
     
  4. Slimat

    Slimat New Member

    OK, so even though I hate to admit it, I still have a problem... but before I trash my Ubuntu VM and start again I thought I'd eat some humble pie first as @Taleman was so so helpful.

    So, to recap what I have done... I started with a fresh install of Ubuntu 20.04, then followed the setup instructions.

    I edited the /etc/hosts file to look like this;

    Code:
    127.0.0.1 localhost.localdomain localhost
    127.0.1.1 ispconfig.mydomain.com ispconfig
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    On my router, I have forwarded the following TCP ports to the installation:
    20,21,22,25,80,443,40110-40210,110,143,465,587,993,995,53,8080,8081
    And the following UDP ports:
    53

    As I mentioned in my original post I hadn't created CNAME / A records for the domain so obviously it failed... but I have added the following DNS records;

    [Screenshot of the DNS records: upload_2021-7-26_14-59-54.png]

    After running the force update it seemed to work and, as instructed, I told it to install a new SSL cert... but the ISPConfig installation at either mydomain (8080) or ispconfig.mydomain (8080) shows as insecure. I can't put a proper link as being such a noob I can't post links ;-)

    Anyway, as I am using it for a few personal sites for friends I thought 'OK I can live with the SSL error', but when I tick the SSL box on my test website, it too shows as insecure... so I am guessing that the fact the installation isn't signed means that any websites hosted on it will fail too?

    I am close to deleting and starting again - but if there are any thoughts on how to fix this before starting again I would be very grateful.

    Thanks
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case, each SSL cert is separate and if LE refuses to create an SSL cert for one domain, e.g. because you don't have a DNS A-record for it pointing to the server, then this does not mean that you won't get an SSL cert for another domain which has a valid SSL record. I've noticed that you are using CNAME records, try replacing them with A-records. And there is a detailed FAQ on how to FIX Let's Encrypt errors: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  6. Slimat

    Slimat New Member

    Thanks @till - I'll try now and let you know.
     
  7. Slimat

    Slimat New Member

    OK, a quick update... I had a friend who is very skilled in Ubuntu take a look and he managed to sort the issue out. He said that acme.sh had tried to create the SSL for ispconfig.mydomain.com and when it failed, rather than delete the attempt, it just kept failing every time. So, we created a new A record - ispconfig2.mydomain.com and re-ran the update script and it worked first time! Sorry I can't provide any more details, but fixing this was beyond me - but hopefully this snippet may help someone who finds this post!

    Thanks for the help
     
  8. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    How many times did you try to run the installer/cert generation? LE has a low cap (5 I think) on failures for a host. Not sure if the failure rate for a domain exists. In any case it's possible that your attempts after failed because of the cap.

    Anyway, the logs at /var/log/letsencrypt will tell you why they failed, if it was the cap reached then that lifts after a few days (not sure on the exact number but it's in their docs)
     
  9. Slimat

    Slimat New Member

    Thanks @Chris_UK - I know that LE has a finite number of attempts because I have fallen foul of that on other projects previously. I am pretty certain this wasn't the issue as I had attempted about 3 times... after my friend had a look he did trigger an error saying that the number had been exceeded.

    The error message once it tripped the "too many attempts" changed to;

    Code:
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/ispconfig.mydomain.com
    [Mon Jul 26 22:51:08 UTC 2021] Create new order error. Le_OrderFinalize not found. {
      "type": "urn:ietf:params:acme:error:rateLimited",
      "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
      "status": 429
    I did run a test on another virgin server, to see if it failed too, by creating a new A-record for the domain and re-running the ISPConfig autoinstaller before the A-record was pointing at the correct IP caused exactly the same issue, which we were unable to remedy.

    But thanks for the input ;-)
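
To triage acme.sh output like the log quoted in the thread, here is an added example (not part of the original posts and not ISPConfig or acme.sh code) that pulls the ACME problem documents out of the text and tells a rate-limit refusal apart from the validation failures that lead up to it. The function names, the guidance strings and the second sample entry are assumptions of this example; the first sample entry is the output posted above.

```python
import re

# ACME problem types (RFC 8555 section 6.7) -> guidance; the wording is this example's own.
ACTIONS = {
    "rateLimited": "stop re-running the updater; wait for the limit to lift",
    "dns": "fix the DNS record for the name, then request again",
    "connection": "check that the validation port reaches this server",
    "unauthorized": "check which host actually answers for the name",
}
ENTRY_START = re.compile(r"(?m)^(?=[ \t]*\[[^\]]+\])")  # "[timestamp] ..." lines
STAMP = re.compile(r"[ \t]*\[([^\]]+)\]")
TYPE = re.compile(r'"type"\s*:\s*"urn:ietf:params:acme:error:(\w+)"')
DETAIL = re.compile(r'"detail"\s*:\s*"((?:[^"\\]|\\.)*)"')
STATUS = re.compile(r'"status"\s*:\s*(\d{3})')

def acme_problems(log_text):
    """Return one dict per ACME problem document found in acme.sh output.
    Regexes are used instead of json.loads because pasted logs, like the
    one in the thread, are often cut off before the closing brace."""
    found = []
    for entry in ENTRY_START.split(log_text):
        kind = TYPE.search(entry)
        if not kind:
            continue  # preamble, or an entry without a problem document
        stamp, detail, status = STAMP.match(entry), DETAIL.search(entry), STATUS.search(entry)
        found.append({
            "time": stamp.group(1) if stamp else None,
            "type": kind.group(1),
            "status": int(status.group(1)) if status else None,
            "detail": detail.group(1) if detail else None,
            "action": ACTIONS.get(kind.group(1), "read the detail field"),
        })
    return found

def safe_to_retry(problems):
    """False once any entry is rateLimited: new orders will keep being refused."""
    return not any(p["type"] == "rateLimited" for p in problems)

# First entry: output quoted in the thread. Last line: constructed for this example.
SAMPLE = '''acme.sh is installed, overriding certificate path to use /root/.acme.sh/ispconfig.mydomain.com
[Mon Jul 26 22:51:08 UTC 2021] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
[Mon Jul 26 22:55:00 UTC 2021] constructed {"type": "urn:ietf:params:acme:error:dns", "detail": "constructed", "status": 400}
'''

if __name__ == "__main__":
    for p in acme_problems(SAMPLE):
        print(p["time"], p["type"], p["status"], "->", p["action"])
```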
     
