ISPConfig 3.2 with acme.sh

Discussion in 'Installation/Configuration' started by MSIU, Feb 22, 2021.

  1. MSIU

    MSIU Member

    Hi all,
    I have upgraded Debian 8 servers with ISPConfig 3.1.x to Debian 9 with ISPConfig 3.2.2. That is OK. I would like to move from cerbot to acme.sh, so I manually remove cerbot from /opt directory, /etc/letsencrypt directory and all SSL sites, created with ISPConfig from /etc/apache/sites-enabled, installed acme.sh and disabled and then enabled LE SSL in ISPConfig with succes. Now, I need LE SSL cert for ISPConfig Interface, postfix, pureftp and dovecot, so I do:

    ispconfig_update.sh --force as root and answer yes to create new ssl cert

    It ends with:

    srv1.domain.tld:Verify error:Invalid response from http://srv1.domain.tld/.well-known/acme-challenge/1XeecFzXrLEMudSnhfih93QG5yL1dcbD8xP3T3hwkoc [xx.xxx.xxx.xxx]:
    [Mon Feb 22 00:07:13 CET 2021] Please add '--debug' or '--log' to check more details.
    [Mon Feb 22 00:07:13 CET 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt

    usr/local/ispconfig/interface/acme/.well-known/acme-challenge/1XeecFzXrLEMudSnhfih93QG5yL1dcbD8xP3T3hwkoc does not created, it contains only challenge from SSL webs in ISConfig and it is the same for all these webs, but different from this one. IT is correct, or must be the same as other webs in ISPConfig?

    I have searched, but no reason with using it with ISPConfig, can anyone please help, how to fix it?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Create a test text file in /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ and see if you can access it from the internet via http://srv1.domain.tld/.well-known/acme-challenge/yourfilename.txt.
    Did you do that?
    The directory path is the same for all acme challenges, whether a web site or for the server itself, but the challenge filename will differ for each request.
    See if /root/.acme.sh/acme.sh.log or /usr/local/ispconfig/server/scripts/acme.sh.log exists. If not, I suspect the installer should add a --log flag to the acme.sh call (and whatever is needed for certbot if also missing) so you can catch the full output. If you want to test doing so, I think it's only 3 lines in install/lib/installer_base.lib.php which need adjusted (2984, 2988 and 3000) - try adding "--log /var/log/ispconfig/acme.log" to the options, which looks to be what the server plugin code uses.
     
  4. MSIU

    MSIU Member

    I Created text.txt file, it contains a (like challenge from ISPConfig websites), set the same privilages as existing challenge. Yes it is accesible from browser - i see a.

    /root/.acme.sh/acme.sh.log and /usr/local/ispconfig/server/scripts/acme.sh.log not exists. I have only /var/log/ispconfig/acme.log - I post it.
     
  5. MSIU

    MSIU Member

    [Po úno 22 10:39:33 CET 2021] Running cmd: issue
    [Po úno 22 10:39:33 CET 2021] _main_domain='srv1.domain.tld'
    [Po úno 22 10:39:33 CET 2021] _alt_domains='no'
    [Po úno 22 10:39:33 CET 2021] Using config home:/root/.acme.sh
    [Po úno 22 10:39:33 CET 2021] default_acme_server
    [Po úno 22 10:39:33 CET 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.o
    rg/directory'
    [Po úno 22 10:39:33 CET 2021] DOMAIN_PATH='/root/.acme.sh/srv1.domain.tld'
    [Po úno 22 10:39:33 CET 2021] Using ACME_DIRECTORY: https://acme-v02.api.letsenc
    rypt.org/directory
    [Po úno 22 10:39:33 CET 2021] _init api for server: https://acme-v02.api.letsenc
    rypt.org/directory
    [Po úno 22 10:39:33 CET 2021] GET
    [Po úno 22 10:39:33 CET 2021] url='https://acme-v02.api.letsencrypt.org/director
    y'
    [Po úno 22 10:39:33 CET 2021] timeout=
    [Po úno 22 10:39:33 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g '
    [Po úno 22 10:39:34 CET 2021] ret='0'
    [Po úno 22 10:39:34 CET 2021] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.
    org/acme/key-change'
    [Po úno 22 10:39:34 CET 2021] ACME_NEW_AUTHZ
    [Po úno 22 10:39:34 CET 2021] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.o
    rg/acme/new-order'
    [Po úno 22 10:39:34 CET 2021] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt
    .org/acme/new-acct'
    [Po úno 22 10:39:34 CET 2021] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt
    .org/acme/revoke-cert'
    [Po úno 22 10:39:34 CET 2021] ACME_AGREEMENT='https://letsencrypt.org/documents/
    LE-SA-v1.2-November-15-2017.pdf'
    [Po úno 22 10:39:34 CET 2021] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.o
    rg/acme/new-nonce'
    [Po úno 22 10:39:34 CET 2021] ACME_VERSION='2'
    [Po úno 22 10:39:34 CET 2021] Using CA: https://acme-v02.api.letsencrypt.org/dir
    ectory
    [Po úno 22 10:39:34 CET 2021] _on_before_issue
    [Po úno 22 10:39:34 CET 2021] _chk_main_domain='srv1.domain.tld'
    [Po úno 22 10:39:34 CET 2021] _chk_alt_domains
    [Po úno 22 10:39:34 CET 2021] Le_LocalAddress
    [Po úno 22 10:39:34 CET 2021] d='srv1.domain.tld'
    [Po úno 22 10:39:34 CET 2021] Check for domain='srv1.domain.tld'
    [Po úno 22 10:39:34 CET 2021] _currentRoot='/usr/local/ispconfig/interface/acme'
    [Po úno 22 10:39:34 CET 2021] d
    [Po úno 22 10:39:34 CET 2021] _saved_account_key_hash is not changed, skip regis
    ter account.
    [Po úno 22 10:39:34 CET 2021] Read key length:
    [Po úno 22 10:39:34 CET 2021] Creating domain key
    [Po úno 22 10:39:34 CET 2021] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
    [Po úno 22 10:39:34 CET 2021] Using config home:/root/.acme.sh
    [Po úno 22 10:39:34 CET 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.o
    rg/directory'
    [Po úno 22 10:39:34 CET 2021] Use length 2048
    [Po úno 22 10:39:34 CET 2021] Using RSA: 2048
    [Po úno 22 10:39:35 CET 2021] The domain key is here: /root/.acme.sh/srv1.domain.tld.
    cz/srv1.domain.tld.key
    [Po úno 22 10:39:35 CET 2021] _createcsr
    [Po úno 22 10:39:35 CET 2021] Single domain='srv1.domain.tld'
    [Po úno 22 10:39:35 CET 2021] Getting domain auth token for each domain
    [Po úno 22 10:39:35 CET 2021] d
    [Po úno 22 10:39:35 CET 2021] url='https://acme-v02.api.letsencrypt.org/acme/new
    -order'
    [Po úno 22 10:39:35 CET 2021] payload='{"identifiers": [{"type":"dns","value":"s
    rv1.cegan.cz"}]}'
    [Po úno 22 10:39:35 CET 2021] RSA key
    [Po úno 22 10:39:35 CET 2021] HEAD
    [Po úno 22 10:39:35 CET 2021] _post_url='https://acme-v02.api.letsencrypt.org/ac
    me/new-nonce'
    [Po úno 22 10:39:35 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g -I '
    [Po úno 22 10:39:35 CET 2021] _ret='0'
    [Po úno 22 10:39:35 CET 2021] POST
    [Po úno 22 10:39:35 CET 2021] _post_url='https://acme-v02.api.letsencrypt.org/ac
    me/new-order'
    [Po úno 22 10:39:35 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g '
    [Po úno 22 10:39:36 CET 2021] _ret='0'
    [Po úno 22 10:39:36 CET 2021] code='201'
    [Po úno 22 10:39:36 CET 2021] Le_LinkOrder='https://acme-v02.api.letsencrypt.org
    /acme/order/113506193/8056771437'
    [Po úno 22 10:39:36 CET 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt
    .org/acme/finalize/113506193/8056771437'
    [Po úno 22 10:39:36 CET 2021] url='https://acme-v02.api.letsencrypt.org/acme/aut
    hz-v3/11063312457'
    [Po úno 22 10:39:36 CET 2021] payload
    [Po úno 22 10:39:36 CET 2021] POST
    [Po úno 22 10:39:36 CET 2021] _post_url='https://acme-v02.api.letsencrypt.org/ac
    me/authz-v3/11063312457'
    [Po úno 22 10:39:36 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g '
    [Po úno 22 10:39:37 CET 2021] _ret='0'
    [Po úno 22 10:39:37 CET 2021] code='200'
    [Po úno 22 10:39:37 CET 2021] d='srv1.domain.tld'
    [Po úno 22 10:39:37 CET 2021] Getting webroot for domain='srv1.domain.tld'
    [Po úno 22 10:39:37 CET 2021] _w='/usr/local/ispconfig/interface/acme'
    [Po úno 22 10:39:37 CET 2021] _currentRoot='/usr/local/ispconfig/interface/acme'
    [Po úno 22 10:39:37 CET 2021] entry='"type":"http-01","status":"pending","url":"
    https://acme-v02.api.letsencrypt.org/acme/chall-v3/11063312457/6EltWQ","token":"
    s3IiL5SoOmbHE3aNuWAEB-TmZb20TIiEIt_FJzSYbYw"'
    [Po úno 22 10:39:37 CET 2021] token='s3IiL5SoOmbHE3aNuWAEB-TmZb20TIiEIt_FJzSYbYw
    '
    [Po úno 22 10:39:37 CET 2021] uri='https://acme-v02.api.letsencrypt.org/acme/cha
    ll-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:37 CET 2021] keyauthorization='s3IiL5SoOmbHE3aNuWAEB-TmZb20TIiE
    It_FJzSYbYw.RWP7XmHCwplDqvPLvAkofnSOYHzljVBXzGe7HvVbb_o'
    [Po úno 22 10:39:37 CET 2021] dvlist='srv1.domain.tld#s3IiL5SoOmbHE3aNuWAEB-TmZb20
    TIiEIt_FJzSYbYw.RWP7XmHCwplDqvPLvAkofnSOYHzljVBXzGe7HvVbb_o#https://acme-v02.api
    .letsencrypt.org/acme/chall-v3/11063312457/6EltWQ#http-01#/usr/local/ispconfig/i
    nterface/acme'
    [Po úno 22 10:39:37 CET 2021] d
    [Po úno 22 10:39:37 CET 2021] vlist='srv1.domain.tld#s3IiL5SoOmbHE3aNuWAEB-TmZb20T
    IiEIt_FJzSYbYw.RWP7XmHCwplDqvPLvAkofnSOYHzljVBXzGe7HvVbb_o#https://acme-v02.api.
    letsencrypt.org/acme/chall-v3/11063312457/6EltWQ#http-01#/usr/local/ispconfig/in
    terface/acme,'
    [Po úno 22 10:39:37 CET 2021] d='srv1.domain.tld'
    [Po úno 22 10:39:37 CET 2021] ok, let's start to verify
    [Po úno 22 10:39:37 CET 2021] Verifying: srv1.domain.tld
    [Po úno 22 10:39:37 CET 2021] d='srv1.domain.tld'
    [Po úno 22 10:39:37 CET 2021] keyauthorization='s3IiL5SoOmbHE3aNuWAEB-TmZb20TIiE
    It_FJzSYbYw.RWP7XmHCwplDqvPLvAkofnSOYHzljVBXzGe7HvVbb_o'
    [Po úno 22 10:39:37 CET 2021] uri='https://acme-v02.api.letsencrypt.org/acme/cha
    ll-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:37 CET 2021] _currentRoot='/usr/local/ispconfig/interface/acme'
    [Po úno 22 10:39:37 CET 2021] wellknown_path='/usr/local/ispconfig/interface/acm
    e/.well-known/acme-challenge'
    [Po úno 22 10:39:37 CET 2021] writing token:s3IiL5SoOmbHE3aNuWAEB-TmZb20TIiEIt_F
    JzSYbYw to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/s3IiL5
    SoOmbHE3aNuWAEB-TmZb20TIiEIt_FJzSYbYw
    [Po úno 22 10:39:37 CET 2021] Changing owner/group of .well-known to ispconfig:i
    spconfig
    [Po úno 22 10:39:37 CET 2021] url='https://acme-v02.api.letsencrypt.org/acme/cha
    ll-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:37 CET 2021] payload='{}'
    [Po úno 22 10:39:37 CET 2021] POST
    [Po úno 22 10:39:37 CET 2021] _post_url='https://acme-v02.api.letsencrypt.org/ac
    me/chall-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:37 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g '
    [Po úno 22 10:39:38 CET 2021] _ret='0'
    [Po úno 22 10:39:38 CET 2021] code='200'
    [Po úno 22 10:39:38 CET 2021] trigger validation code: 200
    [Po úno 22 10:39:38 CET 2021] sleep 2 secs to verify
    [Po úno 22 10:39:40 CET 2021] checking
    [Po úno 22 10:39:40 CET 2021] url='https://acme-v02.api.letsencrypt.org/acme/cha
    ll-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:40 CET 2021] payload
    [Po úno 22 10:39:40 CET 2021] POST
    [Po úno 22 10:39:40 CET 2021] _post_url='https://acme-v02.api.letsencrypt.org/ac
    me/chall-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:40 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g '
    [Po úno 22 10:39:41 CET 2021] _ret='0'
    [Po úno 22 10:39:41 CET 2021] code='200'
    [Po úno 22 10:39:41 CET 2021] srv1.domain.tld:Verify error:Invalid response from h
    ttp://srv1.domain.tld/.well-known/acme-challenge/s3IiL5SoOmbHE3aNuWAEB-TmZb20TIiEI
    t_FJzSYbYw [87.236.194.218]:
    [Po úno 22 10:39:41 CET 2021] pid
    [Po úno 22 10:39:41 CET 2021] No need to restore nginx, skip.
    [Po úno 22 10:39:41 CET 2021] _clearupdns
    [Po úno 22 10:39:41 CET 2021] dns_entries
    [Po úno 22 10:39:41 CET 2021] skip dns.
    [Po úno 22 10:39:41 CET 2021] _on_issue_err
    [Po úno 22 10:39:41 CET 2021] Please check log file for more details: /var/log/i
    spconfig/acme.log
    [Po úno 22 10:39:41 CET 2021] url='https://acme-v02.api.letsencrypt.org/acme/cha
    ll-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:41 CET 2021] payload='{}'
    [Po úno 22 10:39:41 CET 2021] POST
    [Po úno 22 10:39:41 CET 2021] _post_url='https://acme-v02.api.letsencrypt.org/ac
    me/chall-v3/11063312457/6EltWQ'
    [Po úno 22 10:39:41 CET 2021] _CURL='curl --silent --dump-header /root/.acme.sh/
    http.header -L -g '
    [Po úno 22 10:39:41 CET 2021] _ret='0'
    [Po úno 22 10:39:41 CET 2021] code='400'
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Oh yeah, there is a bugfix in the installer related to file permissions; try git-stable or a nightly build. (The bug is actually in acme.sh, but the installer now works around it.)
     
    MSIU, ahrasis and Steini86 like this.
  7. MSIU

    MSIU Member

    Thank you very, very much, you are great.
    This is small, but production, server, so I do not uprade ISPConfig to nightly build and I don´t know, if git-stable is also stable.
    I do this steps, and it works now:
    Remove /root/.acme.sh/srv1.domain.tld directory
    Manually issue certificate for srv1.domain.tld: acme.sh issue -d srv1.domain.tld -w /usr/local/ispconfig/interface/acme
    Run ISPConfig update script: ispconfig_update.sh --force, with stable

    I have 2 servers in cluster, one primary, one slave, both with all the same services with ISPConfig and unison (no load balancer or HA proxy, etc). Is still need to copy /usr/local/ispconfig/interface/lib/config.inc.php and /etc/apache2/sites-available/ispconfig.vhost and create symlink /etc/apache2/sites-enabled/000-ispconfig.vhost to /etc/apache2/sites-available/ispconfig.vhost for ISPConfig 3.2.2 to acces web interface from slave server?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can only access the UI on the master server.
     
  9. MSIU

    MSIU Member

    I will have problem, when master goes down. In slave, I will install acme.sh, issue LE cert for srv2.domain.tld and update ISPConfig to use it, for pureftp, dovecot and postfix, if master is unavailable. I think, it is correct, or not?
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, this is not possible.

    There have been several discussions about this on the forum. If you would want 2 servers to serve the panel, you would need 2 servers mirroring each other exactly, behind a HA proxy. The setup will get so complicated that it could lead to more downtime in the long run.
     
    MSIU likes this.
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to access the ispconfig interface on a mirrored slave server, then you must reconfigure it to connect to a mirrored version of the master database (dbispconfig1 and not dbispconfig2), but in any case, changes you make on the master gui of the slave server will not be processed until the master is up again. So it is recommended to not run the GUI on a slave as there is only very little benefit but the risk of getting a inconsistent setup.

    The hosted websites on the slave are not affected in any way when the master is down, the only issue during downtime is that you can't add new websites.
     
    MSIU likes this.
  12. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    you could have a separate database server (or cluster) and host your dbispconfig databases on there.
    you'd have to have a different name for each one, eg dbispconfig_web1 (assume in this case, this is the master), dbispconfig_web2. so each ispconfig server has it's own database on there. you'd also have to edit the ispconfig configs on each server so that it looks for the dbispconfig databases on this separate server, rather than on localhost. this way you can install the ispconfig interface on web1 and web2, have the ispconfig servers themselves access the databases dbispconfig_web1 and dbispconfig_web2 on the database server, but have both ispconfig interfaces access the dbispconfig_web1 database on the database server.

    it's definitely not a standard installation, or officially supported, but it will work, it's how i originally configured my systems years ago.
    it also means that no ispconfig instance will continue to work normally if anything happens with it's connection to the database server, (no mail login authentication, no ftp login authentication, no control panel login etc), which is why i switched to the standard configuration soon after.
    so yes, it is possible to run multiple ispconfig interfaces, all accessing a single master database. but i wouldn't recommend it, even if you're just looking at this for the interface servers, and running the client webservers/mailservers etc as normal, with local dbispconfig databases, so they will continue to work normally without a connection to the master. You are still looking at a minimum of 3 servers to run 2 interfaces, with more work to configure them, and more ways for it to stop working than just using a single standalone master ispconfig/interface server.
     
    MSIU likes this.
  13. MSIU

    MSIU Member

    OK, thanks everyone for the explanation. I use master master database replication and I thought that ISPConfig uses a local database, ie localhost - on both the master and slave server, of course except for installation and upgrade, where the database is used on the master server. So I will issue a LE certificate for the slave server and let the update script update and configure the server services and the interface will leave it as the update script configures it and accept that I will not have access to it in case of master server crash, but that other services will run on, of course, with the need to modify the DNS record to make apache, pureftpd and dovecot available. For postfix, this is solved by the MX record.

    Thanks again to everyone for your help and I wish you all the best.
     

Share This Page