Ispconfig and letsencrypt

Discussion in 'Installation/Configuration' started by Erik Damber, May 19, 2020.

  1. Erik Damber

    Erik Damber New Member

    Hello

    I know this is a very talked-about subject, but I have a problem even though I've gone through all the troubleshooting. We couldn't get Let's Encrypt to work with HAProxy, so we rerouted past that in our firewall and now it works when I test a --dry-run with certbot, but I still can't create via the ISPConfig control panel. Tried to create a hello.txt in the /.well-known/acme-challenge folder but can't reach it through the website; I get 403 - forbidden.

    I have also tested all the steps in the Let's Encrypt FAQ. Still get (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization. But this works:
    certbot certonly --standalone --dry-run -d cluster.kulturhotell.se

    Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    In which exact path on the server did you create it? The server path of the acme folder is /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/, so if you want to test this, use:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    There is a Let's Encrypt FAQ with detailed steps on how to debug this:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  4. Erik Damber

    Erik Damber New Member

    Debug mode gives me the same answers as letsencrypt.log

    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for cluster.kulturhotell.se
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. cluster.kulturhotell.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cluster.kulturhotell.se/.wel...e/yQnw8jKKMx2ewU52ByYIaHyRlOWVmcpHRnb0q9pDOXk [80.244.87.143]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<ht"
    finished.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    If you can't reach it, then you must have blocked the URL in front of the server somewhere, or you added custom rewrite rules in the website vhost that redirect that URL to a different place. When LE cannot access its verification token, it will not issue a cert.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Another possibility is of course that the requests go to the wrong server. On a multiserver mirror setup, try to make /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ a shared nfs mount that is shared between all nodes.
     
  7. Erik Damber

    Erik Damber New Member

    Thanks, it's very strange because now we pointed the IP back in our firewall as it was before, when we could create Let's Encrypt certs, and a dry run works with the standalone plugin, but I get the above error via the checkboxes in ISPConfig. Even when I shut down web-02 and only use the master server it's still the same error. Which certbot command does it run when you check the Let's Encrypt boxes in the website settings?

    I've compared all the vhost settings with our old setup that doesn't use the mirror function, where we create sites on individual servers, and every file has the same config. Created a new website with DNS and got the same error there.
     
  8. Erik Damber

    Erik Damber New Member

    Think I solved it: chmod 755 on all folders leading to acme-challenge.
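As an added example (not part of this thread), a small POSIX shell script that checks the two things the posts above test by hand: that every directory down to ISPConfig's acme-challenge directory is traversable by the web server user (the chmod 755 fix) and that a test token is actually served over plain HTTP the way the ACME CA fetches it. ACME_DIR, the token name and the domain argument are assumed or placeholder values, and curl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether the web server can
# traverse to and read files in ISPConfig's acme-challenge directory, then
# probes the challenge URL like a CA would (no redirects followed).
ACME_DIR="${ACME_DIR:-/usr/local/ispconfig/interface/acme/.well-known/acme-challenge}"

# check_traversal DIR [STOP]: print every directory from DIR up to (but not
# including) STOP or / that lacks the other-execute bit; return 1 if any.
# Parses ls -ld so it works without GNU stat.
check_traversal() {
    dir="$1"; stop="${2:-/}"; bad=0
    while [ "$dir" != "/" ] && [ "$dir" != "." ] && [ "$dir" != "$stop" ]; do
        mode=$(ls -ld "$dir" | cut -c10)      # 10th char: other "x" (or "t")
        case "$mode" in
            x|t) ;;
            *) echo "not traversable by others (needs o+x): $dir"; bad=1 ;;
        esac
        dir=$(dirname "$dir")
    done
    return "$bad"
}

# check_token_readable FILE: succeed if others (the web server) can read it.
check_token_readable() {
    mode=$(ls -ld "$1" | cut -c8)             # 8th char: other "r"
    [ "$mode" = "r" ]
}

# probe_challenge DOMAIN: drop a test token into ACME_DIR and fetch it over
# HTTP. Succeeds only on HTTP 200 with the exact token as body; a 403, a
# 404 or a redirect to HTTPS (-L is deliberately omitted) is a failure.
probe_challenge() {
    token="probe-$(date +%s)"
    echo "$token" > "$ACME_DIR/$token" && chmod 644 "$ACME_DIR/$token"
    check_traversal "$ACME_DIR" || echo "hint: chmod o+x the directories above"
    check_token_readable "$ACME_DIR/$token" || echo "hint: token file is not world-readable"
    body_file=$(mktemp)
    code=$(curl -s -o "$body_file" -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$token")
    body=$(cat "$body_file")
    rm -f "$ACME_DIR/$token" "$body_file"
    echo "HTTP $code from http://$1/.well-known/acme-challenge/$token"
    [ "$code" = "200" ] && [ "$body" = "$token" ]
}

if [ $# -eq 1 ]; then
    probe_challenge "$1"
fi
```

Run it on the web node that answers for the domain; if the permission checks pass but the probe still returns 403 or a redirect, the problem is in front of the server (firewall, proxy) or in the vhost rewrite rules, as described in post 5.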
     
  9. Erik Damber

    Erik Damber New Member

    Get the original error once we pointed it back in the firewall to use HAProxy. Now I know it works without HAProxy at least. There isn't much content out there to troubleshoot the HAProxy + ISPConfig combo though. Thanks for all the help! Really like ISPConfig and hoping we can still use it with our server setup; might have to create certs manually directly on HAProxy and let it manage them.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to create an nfs shared directory as I mentioned above, it might help you with haproxy.
     