ispconfig 3 let's encrypt trouble details provided.

Discussion in 'General' started by midihipi, Mar 4, 2022.

  1. midihipi

    midihipi New Member HowtoForge Supporter

    Good Day,
    I have a fresh install of Debian 11 which was configured with the ispconfig auto install script and I am having issues with SSL. I am not getting a cert for the server itself or any domain I add to the machine. I have followed the troubleshooting procedure disabling the cronjob and running the server looking for errors. I don't see any. I am hoping someone can assist.

    Here are the server particulars:

    Code:
    [email protected]:~# hostname
    dinero-1-us-southeast
    [email protected]:~# hostname -f
    dinero-1-us-southeast.acmealliedllc.com
    [email protected]:~#
    
    [email protected]:~# ifconfig
    eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
            inet 170.187.155.15  netmask 255.255.255.0  broadcast 170.187.155.255
            inet6 fe80::f03c:93ff:fef1:f8c8  prefixlen 64  scopeid 0x20<link>
            inet6 2600:3c02::f03c:93ff:fef1:f8c8  prefixlen 64  scopeid 0x0<global>
    Code:
    [email protected]:~# cat htf_report.txt | more
    
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 11 (bullseye)
    
    [INFO] uptime:  08:51:52 up 16 min,  1 user,  load average: 0.07, 0.58, 0.59
    
    [INFO] memory:
                   total        used        free      shared  buff/cache   available
    Mem:           976Mi       267Mi       315Mi        29Mi       393Mi       536Mi
    Swap:          511Mi       275Mi       236Mi
    
    [INFO] systemd failed services status:
      UNIT                  LOAD   ACTIVE SUB    DESCRIPTION
    ● clamav-daemon.service loaded failed failed Clam AntiVirus userspace daemon
    
    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.
    1 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.7p1
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.4.28
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.28
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Apache 2 (PID 176285)
    [INFO] I found the following mail server(s):
            Postfix (PID 176225)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 176243)
    [INFO] I found the following imap server(s):
            Dovecot (PID 176243)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 176445)
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [anywhere]:993          (176243/dovecot)
    [anywhere]:995          (176243/dovecot)
    [localhost]:11332               (176232/rspamd:)
    [localhost]:11333               (176232/rspamd:)
    [localhost]:11334               (176232/rspamd:)
    [localhost]:10023               (34427/postgrey)
    [anywhere]:587          (176225/master)
    [localhost]:11211               (140306/memcached)
    [localhost]:6379                (34183/redis-server)
    [anywhere]:110          (176243/dovecot)
    [anywhere]:143          (176243/dovecot)
    [anywhere]:465          (176225/master)
    ***.***.***.***:53              (176452/named)
    [localhost]:53          (176452/named)
    [anywhere]:21           (176445/pure-ftpd)
    [anywhere]:22           (454/sshd:)
    [localhost]:953         (176452/named)
    [anywhere]:25           (176225/master)
    [anywhere]:4190         (176243/dovecot)
    *:*:*:*::*:993          (176243/dovecot)
    *:*:*:*::*:995          (176243/dovecot)
    *:*:*:*::*:11332                (176232/rspamd:)
    *:*:*:*::*:11333                (176232/rspamd:)
    *:*:*:*::*:11334                (176232/rspamd:)
    *:*:*:*::*:10023                (34427/postgrey)
    *:*:*:*::*:3306         (175584/mariadbd)
    *:*:*:*::*:587          (176225/master)
    *:*:*:*::*:6379         (34183/redis-server)
    [localhost]10           (176243/dovecot)
    [localhost]43           (176243/dovecot)
    *:*:*:*::*:8080         (176285/apache2)
    *:*:*:*::*:80           (176285/apache2)
    *:*:*:*::*:8081         (176285/apache2)
    *:*:*:*::*:465          (176225/master)
    *:*:*:*::*:21           (176445/pure-ftpd)
    *:*:*:*::*:53           (176452/named)
    *:*:*:*::*f03c:93ff:53          (176452/named)
    *:*:*:*::*f03c:93ff:fef1:53             (176452/named)
    *:*:*:*::*:22           (454/sshd:)
    *:*:*:*::*:25           (176225/master)
    *:*:*:*::*:953          (176452/named)
    *:*:*:*::*:443          (176285/apache2)
    *:*:*:*::*:4190         (176243/dovecot)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy DROP)
    target     prot opt source               destination
    f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    ufw-before-logging-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-before-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-logging-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-reject-input  all  --  [anywhere]/0            [anywhere]/0
    ufw-track-input  all  --  [anywhere]/0            [anywhere]/0
    
    Chain FORWARD (policy DROP)
    target     prot opt source               destination
    ufw-before-logging-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-before-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-logging-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-reject-forward  all  --  [anywhere]/0            [anywhere]/0
    ufw-track-forward  all  --  [anywhere]/0            [anywhere]/0
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    ufw-before-logging-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-before-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-after-logging-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-reject-output  all  --  [anywhere]/0            [anywhere]/0
    ufw-track-output  all  --  [anywhere]/0            [anywhere]/0
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    REJECT     all  --  ***.***.***.***        [anywhere]/0            reject-with icmp-port-unr
    eachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-after-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-input (1 references)
    target     prot opt source               destination
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:1
    37
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:1
    38
    ufw-skip-to-policy-input  tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:1
    39
    ufw-skip-to-policy-input  tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:4
    45
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:6
    7
    ufw-skip-to-policy-input  udp  --  [anywhere]/0            [anywhere]/0            udp dpt:6
    8
    ufw-skip-to-policy-input  all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE
    match dst-type BROADCAST
    
    Chain ufw-after-logging-forward (1 references)
    target     prot opt source               destination
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 1
    0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-input (1 references)
    target     prot opt source               destination
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 1
    0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
    
    Chain ufw-after-logging-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-after-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-forward (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLIS
    HED
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 3
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 11
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 12
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8
    ufw-user-forward  all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-before-input (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLIS
    HED
    ufw-logging-deny  all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID
    DROP       all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 3
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 11
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 12
    ACCEPT     icmp --  [anywhere]/0            [anywhere]/0            icmptype 8
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp spt:67 dpt:68
    ufw-not-local  all  --  [anywhere]/0            [anywhere]/0
    ACCEPT     udp  --  [anywhere]/0            ***.***.***.***          udp dpt:5353
    ACCEPT     udp  --  [anywhere]/0            ***.***.***.***      udp dpt:1900
    ufw-user-input  all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-before-logging-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-logging-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-logging-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-before-output (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0            ctstate RELATED,ESTABLIS
    HED
    ufw-user-output  all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-logging-allow (0 references)
    target     prot opt source               destination
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 1
    0 LOG flags 0 level 4 prefix "[UFW ALLOW] "
    
    Chain ufw-logging-deny (2 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ctstate INVALID limit: a
    vg 3/min burst 10
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 1
    0 LOG flags 0 level 4 prefix "[UFW BLOCK] "
    
    Chain ufw-not-local (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type
    LOCAL
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type
    MULTICAST
    RETURN     all  --  [anywhere]/0            [anywhere]/0            ADDRTYPE match dst-type
    BROADCAST
    ufw-logging-deny  all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min
    burst 10
    DROP       all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-reject-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-reject-output (1 references)
    target     prot opt source               destination
    
    Chain ufw-skip-to-policy-forward (0 references)
    target     prot opt source               destination
    DROP       all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-skip-to-policy-input (7 references)
    target     prot opt source               destination
    DROP       all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-skip-to-policy-output (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-track-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-input (1 references)
    target     prot opt source               destination
    
    Chain ufw-track-output (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            ctstate NEW
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            ctstate NEW
    
    Chain ufw-user-forward (1 references)
    target     prot opt source               destination
    
    Chain ufw-user-input (1 references)
    target     prot opt source               destination
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:21
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:22
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:25
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:53
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:80
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:110
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:143
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:443
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:465
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:587
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:993
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:995
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:3306
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:4190
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8080
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            tcp dpt:8081
    ACCEPT     tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 40110:4
    0210
    ACCEPT     udp  --  [anywhere]/0            [anywhere]/0            udp dpt:53
    
    Chain ufw-user-limit (0 references)
    target     prot opt source               destination
    LOG        all  --  [anywhere]/0            [anywhere]/0            limit: avg 3/min burst 5
     LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
    REJECT     all  --  [anywhere]/0            [anywhere]/0            reject-with icmp-port-un
    reachable
    
    Chain ufw-user-limit-accept (0 references)
    target     prot opt source               destination
    ACCEPT     all  --  [anywhere]/0            [anywhere]/0
    
    Chain ufw-user-logging-forward (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-input (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-logging-output (0 references)
    target     prot opt source               destination
    
    Chain ufw-user-output (1 references)
    target     prot opt source               destination
    
    
    
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
     
  2. midihipi

    midihipi New Member HowtoForge Supporter

    Also the let's encrypt log looks like:
    Code:
    [Fri 04 Mar 2022 09:06:13 AM UTC] Lets find script dir.
    [Fri 04 Mar 2022 09:06:13 AM UTC] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Fri 04 Mar 2022 09:06:13 AM UTC] _script='/root/.acme.sh/acme.sh'
    [Fri 04 Mar 2022 09:06:13 AM UTC] _script_home='/root/.acme.sh'
    [Fri 04 Mar 2022 09:06:13 AM UTC] Using default home:/root/.acme.sh
    [Fri 04 Mar 2022 09:06:13 AM UTC] Using config home:/root/.acme.sh
    [Fri 04 Mar 2022 09:06:13 AM UTC] Running cmd: installcert
    [Fri 04 Mar 2022 09:06:13 AM UTC] Using config home:/root/.acme.sh
    [Fri 04 Mar 2022 09:06:13 AM UTC] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Fri 04 Mar 2022 09:06:13 AM UTC] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri 04 Mar 2022 09:06:13 AM UTC] DOMAIN_PATH='/root/.acme.sh/acmealliedllc.com'
    [Fri 04 Mar 2022 09:06:13 AM UTC] Installing key to: /var/www/clients/client1/web1/ssl/acmealliedllc.com-le.key
    [Fri 04 Mar 2022 09:06:13 AM UTC] Installing full chain to: /var/www/clients/client1/web1/ssl/acmealliedllc.com-le.crt
    [Fri 04 Mar 2022 09:06:13 AM UTC] Run reload cmd: systemctl force-reload apache2.service
    [Fri 04 Mar 2022 09:06:13 AM UTC] Reload success
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Your acme log shows a certificate was obtained for a website acmealliedllc.com, by chance did you add the server's hostname (dinero-1-us-southeast.acmealliedllc.com) as a subdomain there? If so, remove the symlinks in /usr/local/ispconfig/ssl/ and recreate them pointing to the files in /var/www/clients/client1/web1/ssl/.
     
  4. midihipi

    midihipi New Member HowtoForge Supporter

    The instructions for the installation script call for the addition of the fqdn of the server to the hosts file. I assume that is how it knows how to get a cert for that domain? After the install I added the website for that domain as well as dns.
    I haven't a clue how to symlink anything but I'll root around for a method. Thanks.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The hostname of a server must be a subdomain, something like server1.yourdomain.tld. Do not use just the domain name, e.g. yourdomain.tld, as server hostname. If you would use just the domain, SSL for ISPConfig and even mail delivery will fail.
     
  6. midihipi

    midihipi New Member HowtoForge Supporter

    Hi Till thanks for the reply. Here is how I have it set up:
    Code:
    [email protected]:~# hostname
    dinero-1-us-southeast
    [email protected]:~# hostname -f
    dinero-1-us-southeast.acmealliedllc.com
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    There is no A record dinero-1-us-southeast.acmealliedllc.com, so creating a certificate is not possible.
     
  8. midihipi

    midihipi New Member HowtoForge Supporter

    Hey Thom,
    Thanks for pointing that out. Seems obvious now that I look at it. It solved the problem for any sites I add to the ispconfig. But I can't use ssl to get to https:acmealliedllc.com:8080. I am happy with this success however thanks again. I have reissued the cert manually with acme.sh but It has not solved the last little problem.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    If your server hostname is dinero-1-us-southeast.acmealliedllc.com, then ISPConfig is accessed through that hostname only and not acmealliedllc.com. using acmealliedllc.com must return an SSL error as its the wrong URL to access ISPConfig.
     
  10. midihipi

    midihipi New Member HowtoForge Supporter

    I can not get the ssl to work for port 8080 on acmealliedllc but all other is working fine now.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig should not be accessed through acmealliedllc.com, so this SSL error must occur when you use a wrong URL. The only URL that should be used to access ISPConfig is the server hostname.
     
  12. midihipi

    midihipi New Member HowtoForge Supporter

    ok got it. thanks.
     

Share This Page