ISPonfig is not managing Let's encrypt

Discussion in 'General' started by vassilis3, Feb 11, 2017.

  1. vassilis3

    vassilis3 New Member

    Hello
    I Installed "Let's Encryprt" using debian installation ispconfig 3.1.2 debian 8.0 but I did not get the same screen where to answer Yes or No.
    I got different screens (apply to all domain (1,2,3,4,5,etc enter to all or c to cancel)). I hit enter to apply all and in the second screen (about use both http and https or only https) I chose both. All domains work with http. Https works only with www. (https://www.domain.tld) and not without www. (https://domain.tld). When you type https://domain.tld it redirects to http://www.doamin.tld . In addition, GUI "let's encrypt" is disabled. Nothing happens if it is enabled or disabled.
    How can I make this work properly?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This disabled all domais for https in ispconfig. You should have choosen no or cancel, depending on your LE version during install. Choosing a domain there instead will disable that domain for SSL use in ispconfig.

    To fix that, delete all domains and certs in letsencrypt, when all have been removed, then you can use ispconfig to get a new ssl cert.
     
  3. vassilis3

    vassilis3 New Member

    Thank you for your prompt reply. How explain how to do that? I tried to do this:
    "Try to rename /etc/letsencrypt directory.
    mv /etc/letsencrypt /etc/letsencrypt_bak
    mkdir /etc/letsencrypt"
    After I did it, I was unable to reach ispconfig GUI panel. Am I doing something wrong?
     
  4. ahrasis

    ahrasis Active Member

    Apache or nginx cannot restart without LE SSL that are specified in the vhost files. Therefore, after whole deletion of LE certs, you have to clean LE SSL code from your vhost files afterwards, since there is no longer any LE ssl certs to refer to.

    For ISPC to work again, you may need to run its update script and recreate its SSL. When you get your ISPC to work again, recreate LE SSL for it using this trick.

    Afterwards you can create LE SSL for other sites as well.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, spo probably LE modified the vhost files itself, in that case you will have to clean them like ahrasis explained above. or you remove the symlinks in sites-enabled folder for all websites but not ispconfig, then you can login to ispconfig and activate le again for them which will also activate the sites again.
     
    ahrasis likes this.
  6. vassilis3

    vassilis3 New Member

    First of all thank you for the quick reply.
    I decided to follow Till's easy way.
    Please tell me if I'm doing something wrong.
    I removed all links domain.tld.vhost.le.ssl.conf and domain.tld.vhost from etc/apache2/site-enabled except 000-apps.vhost 000-ispconfig.conf ooo-ispconfig.vhost
    and rebooted the entire server.
    Ispconfig continued working.
    Without enabling LE in GUI, domains still work under http and https!
    When I enabled LE in GUI the only thing that happens it's to create under etc/apache/site-enabled a link 100-domain.tld.vhost .
    I'm still unable to manage Let's encrypt via GUI.
     
  7. vassilis3

    vassilis3 New Member

    any help?
     
  8. ahrasis

    ahrasis Active Member

    Read your LE log or post it in here. You could already reached its limit, so be a little more patient and wait for its to wear off.
     
  9. vassilis3

    vassilis3 New Member

    Code:
    2017-02-21 10:20:01,830:DEBUG:certbot.main:Root logging level set at 20
    2017-02-21 10:20:01,830:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-02-21 10:20:01,831:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or$
    2017-02-21 10:20:01,831:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'ro$
    2017-02-21 10:20:01,831:DEBUG:certbot.main:certbot version: 0.11.1
    2017-02-21 10:20:01,831:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', 'postmast$
    2017-02-21 10:20:01,832:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
    2017-02-21 10:20:01,832:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2017-02-21 10:20:01,835:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f74ce5e0ad0>
    Prep: True
    2017-02-21 10:20:01,836:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f74ce5e0ad0> and installer None
    2017-02-21 10:20:01,840:DEBUG:certbot.main:Picked account: <Account(f481c95a9780018c7ce322704fe40979)>
    2017-02-21 10:20:01,840:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
    2017-02-21 10:20:01,844:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-02-21 10:20:02,371:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 352
    2017-02-21 10:20:02,372:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Content-Type: application/json
    Content-Length: 352
    Boulder-Request-Id: YCr9-MfqJgjC8sHjRpshtObEH0zAOQPavGF4N251A7Q
    Replay-Nonce: gzKP3U1kE6XxB_9o7kbQd2gScd9tytlG2vKq1bc0bqU
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    Expires: Tue, 21 Feb 2017 10:20:02 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Tue, 21 Feb 2017 10:20:02 GMT
    Connection: keep-alive
    
    {
      "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
      "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
      "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
      "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
      "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"
    }
    2017-02-21 10:20:02,380:INFO:certbot.renewal:Cert not yet due for renewal
    2017-02-21 10:20:02,380:INFO:certbot.main:Keeping the existing certificate
     
  10. ahrasis

    ahrasis Active Member

    I guess you didn't follow what Till said or have restored your old LE SSL files created by certbot, since the files are still there and as such ISPC cannot do anything. Unless you are willing to follow the instructions given after doing a proper backup, you might not be able to use ISPC in creating and renewing your LE SSL files.
    The steps are:
    1. Backup the relevant folders.
    2. Delete all LE SSL files folder -
    Code:
    rm -rf /etc/letsencrypt/
    3. Delete all websites symlinks except for ISPC inside /etc/apache2/sites-enabled.
    4. Restart apache2. If can restart, go to your browser. enter your ISPC and reactivate all your websites with SSL and LE options ticked, and save them.
    5. If cannot restart, then try to reconfigure your ISPC via update:
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xfz ISPConfig-3-stable.tar.gz
    cd ispconfig3_install/install/
    php -q update.php
    
     

Share This Page