Let's Encrypt, cert without www prefix.

Discussion in 'Installation/Configuration' started by TheRudy, Aug 1, 2017.

  1. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Hi,

    So yesterday I was playing around with Subdomains. I've added one. Then after an hour or so I've deleted it.

    Today I've noticed that the cert is invalid for the domain. Okay, i've run the renew code and all went okay, cert created and then I've received an email from Google that the certificate doesn't match. I've checked and certificate is set without www prefix.

    I have www prefix for my site and as far as I can remember, certificate domain was set with www in it.

    ISPConfig: latest version.
    OS: Debian 8.9, all up to date.

    Code:
    [email protected]:/etc/letsencrypt/renewal# ls -lha
    total 28K
    drwxr-xr-x 2 root root 4,0K Jul 31 18:11 .
    drwxr-xr-x 9 root root 4,0K Aug  1 16:40 ..
    -rw-r--r-- 1 root root  597 Jul  9 03:00 bugs.DOMAIN.com.conf
    -rw-r--r-- 1 root root  567 Jun 18 03:01 DOMAIN.com.conf
    -rw-r--r-- 1 root root  511 Jun 11 03:00 server.DOMAIN.com.conf
    -rw-r--r-- 1 root root  778 Jul 31 18:11 www.DOMAIN.com-0001.conf
    -rw-r--r-- 1 root root  813 Aug  1 16:40 www.DOMAIN.com.conf
    
    DOMAIN.com.conf
    Code:
    # renew_before_expiry = 30 days
    version = 0.15.0
    cert = /etc/letsencrypt/live/DOMAIN.com/cert.pem
    privkey = /etc/letsencrypt/live/DOMAIN.com/privkey.pem
    chain = /etc/letsencrypt/live/DOMAIN.com/chain.pem
    fullchain = /etc/letsencrypt/live/DOMAIN.com/fullchain.pem
    archive_dir = /etc/letsencrypt/archive/DOMAIN.com
    
    # Options used in the renewal process
    [renewalparams]
    account = XXXXXXXXXXXXXXXXX
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    [[webroot_map]]
    DOMAIN.com = /usr/local/ispconfig/interface/acme
    
    www.DOMAIN.com-0001.conf
    Code:
    # renew_before_expiry = 30 days
    version = 0.16.0
    cert = /etc/letsencrypt/live/www.DOMAIN.com-0001/cert.pem
    privkey = /etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem
    chain = /etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem
    fullchain = /etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem
    archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com-0001
    
    # Options used in the renewal process
    [renewalparams]
    account = XXXXXXXXXXXXXXXXX
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    server = https://acme-v01.api.letsencrypt.org/directory
    webroot_path = /usr/local/ispconfig/interface/acme,
    [[webroot_map]]
    www.DOMAIN.com = /usr/local/ispconfig/interface/acme
    DOMAIN.com = /usr/local/ispconfig/interface/acme
    
    www.DOMAIN.com.conf
    Code:
    # renew_before_expiry = 30 days
    cert = /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
    privkey = /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
    chain = /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
    fullchain = /etc/letsencrypt/live/www.DOMAIN.com/fullchain.pem
    version = 0.16.0
    archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com
    
    # Options used in the renewal process
    [renewalparams]
    account = XXXXXXXXXXXXXXXXXx
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    server = https://acme-v01.api.letsencrypt.org/directory
    webroot_path = /usr/local/ispconfig/interface/acme,
    [[webroot_map]]
    www.DOMAIN.com = /usr/local/ispconfig/interface/acme
    DOMAIN.com = /usr/local/ispconfig/interface/acme
    apps.DOMAIN.com = /usr/local/ispconfig/interface/acme
    
    Why is the "apps" subdomain still in the list? I've removed it from the ISPConfig. Or does it get removed by LE after some time?

    Code:
    [email protected]:/var/www/clients/client0/DOMAIN.com/ssl# ls -lha
    total 172K
    drwxr-xr-x  2 root root    4,0K Aug  1 08:49 .
    drwxr-xr-x 11 web1 client0 4,0K Aug 20  2015 ..
    lrwxrwxrwx  1 root root      56 Aug  1 08:49 DOMAIN.com-le.bundle -> /etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem
    -r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219125102
    -r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219131208
    -r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219131502
    -r--------  1 root root    1,7K Jul 31 18:04 DOMAIN.com-le.bundle.old.20170731180413
    -r--------  1 root root    1,7K Jul 31 18:04 DOMAIN.com-le.bundle.old.20170731180419
    -r--------  1 root root    1,7K Jul 31 18:07 DOMAIN.com-le.bundle.old.20170731180702
    -r--------  1 root root    1,7K Jul 31 18:09 DOMAIN.com-le.bundle.old.20170731180902
    -r--------  1 root root    1,7K Jul 31 18:11 DOMAIN.com-le.bundle.old.20170731181111
    -r--------  1 root root    1,7K Jul 31 18:28 DOMAIN.com-le.bundle.old.20170731182802
    -r--------  1 root root    1,7K Aug  1 08:49 DOMAIN.com-le.bundle.old.20170801084902
    lrwxrwxrwx  1 root root      60 Aug  1 08:49 DOMAIN.com-le.crt -> /etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem
    -r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219125102
    -r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219131208
    -r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219131502
    -r--------  1 root root    2,1K Jul 31 18:04 DOMAIN.com-le.crt.old.20170731180413
    -r--------  1 root root    2,1K Jul 31 18:04 DOMAIN.com-le.crt.old.20170731180419
    -r--------  1 root root    2,1K Jul 31 18:07 DOMAIN.com-le.crt.old.20170731180702
    -r--------  1 root root    2,1K Jul 31 18:09 DOMAIN.com-le.crt.old.20170731180902
    -r--------  1 root root    2,1K Jul 31 18:11 DOMAIN.com-le.crt.old.20170731181111
    -r--------  1 root root    2,1K Jul 31 18:28 DOMAIN.com-le.crt.old.20170731182802
    -r--------  1 root root    2,1K Aug  1 08:49 DOMAIN.com-le.crt.old.20170801084902
    lrwxrwxrwx  1 root root      58 Aug  1 08:49 DOMAIN.com-le.key -> /etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem
    -r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219125102
    -r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219131208
    -r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219131502
    -r--------  1 root root    3,2K Jul 31 18:04 DOMAIN.com-le.key.old.20170731180413
    -r--------  1 root root    3,2K Jul 31 18:04 DOMAIN.com-le.key.old.20170731180419
    -r--------  1 root root    3,2K Jul 31 18:07 DOMAIN.com-le.key.old.20170731180702
    -r--------  1 root root    3,2K Jul 31 18:09 DOMAIN.com-le.key.old.20170731180902
    -r--------  1 root root    3,2K Jul 31 18:11 DOMAIN.com-le.key.old.20170731181111
    -r--------  1 root root    3,2K Jul 31 18:28 DOMAIN.com-le.key.old.20170731182802
    -r--------  1 root root    3,2K Aug  1 08:49 DOMAIN.com-le.key.old.20170801084902
    lrwxrwxrwx  1 root root      51 May 10  2016 www.DOMAIN.com.bundle -> /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
    -r--------  1 root root    1,7K May 10  2016 www.DOMAIN.com.bundle.old.20160510201502
    lrwxrwxrwx  1 root root      50 May 10  2016 www.DOMAIN.com.crt -> /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
    -r--------  1 root root    1,4K May 10  2016 www.DOMAIN.com.crt.old.20160510201210
    -r--------  1 root root    2,2K May 10  2016 www.DOMAIN.com.crt.old.20160510201502
    -rw-r--r--  1 root root    1,1K May 10  2016 www.DOMAIN.com.csr
    lrwxrwxrwx  1 root root      53 May 10  2016 www.DOMAIN.com.key -> /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
    -rw-r--r--  1 root root    1,7K May 10  2016 www.DOMAIN.com.key.old20160510201210
    -rw-r--r--  1 root root    3,2K May 10  2016 www.DOMAIN.com.key.old20160510201502
    -r--------  1 root root    1,8K May 10  2016 www.DOMAIN.com.key.org
    lrwxrwxrwx  1 root root      51 Dec 19  2016 www.DOMAIN.com-le.bundle -> /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
    -r--------  1 root root    1,7K Dec 19  2016 www.DOMAIN.com-le.bundle.old.20161219124309
    lrwxrwxrwx  1 root root      50 Dec 19  2016 www.DOMAIN.com-le.crt -> /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
    -r--------  1 root root    2,2K Dec 19  2016 www.DOMAIN.com-le.crt.old.20161219124309
    lrwxrwxrwx  1 root root      53 Dec 19  2016 www.DOMAIN.com-le.key -> /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
    -r--------  1 root root    3,2K Dec 19  2016 www.DOMAIN.com-le.key.old.20161219124309
    
    Site config has not changed at all, auto subdomain is still set to "www.".
    All the cert files that are linked above do exist.
    Am I crazy here that the cert should have www. prefix in it?
    Any ideas?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    use the debug mode in ISPConfig to see what exactly happens when ispconfig requests the cert from LE. That a subdomain is not added happens normally just in case it is unreachable.
     
  3. sjau

    sjau Local Meanie Moderator

    also providing the actual domain name helps to find the problem.
     
  4. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Subdomain works just fine else the site would not work at all. Looks like other people have some similar problems with mkdir failed:

    Code:
    07.08.2017-16:14 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    07.08.2017-16:14 - DEBUG - Found 1 changes, starting update process.
    07.08.2017-16:14 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.08.2017-16:14 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.08.2017-16:14 - DEBUG - mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    07.08.2017-16:14 - DEBUG - Verified domain lessthanweb.com should be reachable for letsencrypt.
    07.08.2017-16:14 - DEBUG - Verified domain www.lessthanweb.com should be reachable for letsencrypt.
    07.08.2017-16:14 - DEBUG - Create Let's Encrypt SSL Cert for: lessthanweb.com
    07.08.2017-16:14 - DEBUG - Let's Encrypt SSL Cert domains:  --domains lessthanweb.com --domains www.lessthanweb.com
    07.08.2017-16:14 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains lessthanweb.com --domains www.lessthanweb.com --webroot-path /usr/local/ispconfig/interface/acme
    You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Cert not yet due for renewal
    Keeping the existing certificate
    07.08.2017-16:14 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/www.lessthanweb.com-0001.conf.
    07.08.2017-16:14 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem exists.
    07.08.2017-16:14 - DEBUG - Enable SSL for: lessthanweb.com
    07.08.2017-16:14 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/lessthanweb.com.vhost
    07.08.2017-16:14 - DEBUG - Writing the PHP-FPM config file: /etc/php5/fpm/pool.d/web1.conf
    07.08.2017-16:14 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    07.08.2017-16:14 - DEBUG - Restarting php-fpm: systemctl reload php5-fpm.service
    07.08.2017-16:14 - DEBUG - Apache status is: running
    07.08.2017-16:14 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    07.08.2017-16:14 - DEBUG - Restarting httpd: systemctl restart apache2.service
    07.08.2017-16:14 - DEBUG - Apache restart return value is: 0
    07.08.2017-16:14 - DEBUG - Apache online status after restart is: running
    07.08.2017-16:14 - DEBUG - Processed datalog_id 565
    07.08.2017-16:14 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    In the /etc/apache2/sites-available/lessthanweb.com.vhost it points to non-www SSL certs. Should not this point to www certificate?

    Code:
    SSLCertificateFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.key
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.bundle
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    
    The mkdir failed, there are no symlinks, all looks okay.

    Like I said, I have NOT changed any of the settings for this specific site apart from adding new subdomains via the Subdomain menu, just updated to the latest version and then got Google email that the cert does not match.

    Any ideas?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    No. This is a symlink, the name does not matter and is no indication of what's inside the SSL cert.

    run:

    ls -la /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt

    to see to which LE cert it points. According to the log, it points to the cert
    /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem

    The mkdir failed error has been fixed in the stable-3.1 branch already. But it should not matter for your problem.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    But according to the log, the website has just the domain itself plus a www subdomain and no other alias or subdomains. are you sure that you added more domains to that site (and I don't mean vhost alias or subdomain as they don't belong to this website.
     
  7. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Hey,
    Sorry for late reply and thanks for replying. :)
    Code:
    lrwxrwxrwx 1 root root 60 Aug  7 16:14 /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt -> /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem
    This is baffling me..
    Yes, there are no subdomains or anything as I've added it and then removed it like 5 minutes after adding it so that is correct that there are none.
    The problem here is with the domain and "www." and wrong certificate being served. Or has always been like that and I just had an imagination that there was "www."? Just checked on another server which again has the same set up and again the LE domain name is without "www.". So identical situation and the site setup in ISPConfig is identical to mine.
    I have 3.1.6 and get that error.. Just letting you know. :)
     
    Last edited: Aug 31, 2017
  8. labsy

    labsy Member

    Just to add my 5 cents:
    After being happy that "Skip Lets Encrypt Check" under SYSTEM --> SERVER CONFIG --> WEB --> SSL Settings solved my problems behind NAT, again the same problem arises. But going to DEBUG and examining the ISPConfig logs pushed me into right direction:
    It was subdomain.domain.com having problems, because LE was trying to issue certificate for www.subdomain.domain.com and subdomain.domain.com. But "www" was not configured under DNS, thus not pointing towards my server.
    Once I added A-record for "www.subdomain" into DNS, LE worked out of the box.

    BTW...The DEBUG message
    mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    seems not causing any problems.
     
  9. HSorgYves

    HSorgYves Active Member

    @labsy I suppose you have Auto Subdomain for that subdomain set to www, don't you?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    It's not really the same problem, you just added a non existing domain to the site. Without LE check, you have to ensure yourself to add existing domains only to websites and as @HSorgYves pointed out, you probably have set auto subdomain to www and not to none, so the www subdomain must exist in DNS. Set auto subdomain to none, disable le and then enable it again or add the www subdomain as you did now.
     

Share This Page