Let's Encrypt, cert without www prefix.

Discussion in 'Installation/Configuration' started by TheRudy, Aug 1, 2017.

  1. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Hi,

    So yesterday I was playing around with Subdomains. I've added one. Then after an hour or so I've deleted it.

    Today I've noticed that the cert is invalid for the domain. Okay, i've run the renew code and all went okay, cert created and then I've received an email from Google that the certificate doesn't match. I've checked and certificate is set without www prefix.

    I have www prefix for my site and as far as I can remember, certificate domain was set with www in it.

    ISPConfig: latest version.
    OS: Debian 8.9, all up to date.

    Code:
    root@server:/etc/letsencrypt/renewal# ls -lha
    total 28K
    drwxr-xr-x 2 root root 4,0K Jul 31 18:11 .
    drwxr-xr-x 9 root root 4,0K Aug  1 16:40 ..
    -rw-r--r-- 1 root root  597 Jul  9 03:00 bugs.DOMAIN.com.conf
    -rw-r--r-- 1 root root  567 Jun 18 03:01 DOMAIN.com.conf
    -rw-r--r-- 1 root root  511 Jun 11 03:00 server.DOMAIN.com.conf
    -rw-r--r-- 1 root root  778 Jul 31 18:11 www.DOMAIN.com-0001.conf
    -rw-r--r-- 1 root root  813 Aug  1 16:40 www.DOMAIN.com.conf
    
    DOMAIN.com.conf
    Code:
    # renew_before_expiry = 30 days
    version = 0.15.0
    cert = /etc/letsencrypt/live/DOMAIN.com/cert.pem
    privkey = /etc/letsencrypt/live/DOMAIN.com/privkey.pem
    chain = /etc/letsencrypt/live/DOMAIN.com/chain.pem
    fullchain = /etc/letsencrypt/live/DOMAIN.com/fullchain.pem
    archive_dir = /etc/letsencrypt/archive/DOMAIN.com
    
    # Options used in the renewal process
    [renewalparams]
    account = XXXXXXXXXXXXXXXXX
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    [[webroot_map]]
    DOMAIN.com = /usr/local/ispconfig/interface/acme
    
    www.DOMAIN.com-0001.conf
    Code:
    # renew_before_expiry = 30 days
    version = 0.16.0
    cert = /etc/letsencrypt/live/www.DOMAIN.com-0001/cert.pem
    privkey = /etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem
    chain = /etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem
    fullchain = /etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem
    archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com-0001
    
    # Options used in the renewal process
    [renewalparams]
    account = XXXXXXXXXXXXXXXXX
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    server = https://acme-v01.api.letsencrypt.org/directory
    webroot_path = /usr/local/ispconfig/interface/acme,
    [[webroot_map]]
    www.DOMAIN.com = /usr/local/ispconfig/interface/acme
    DOMAIN.com = /usr/local/ispconfig/interface/acme
    
    www.DOMAIN.com.conf
    Code:
    # renew_before_expiry = 30 days
    cert = /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
    privkey = /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
    chain = /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
    fullchain = /etc/letsencrypt/live/www.DOMAIN.com/fullchain.pem
    version = 0.16.0
    archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com
    
    # Options used in the renewal process
    [renewalparams]
    account = XXXXXXXXXXXXXXXXXx
    authenticator = webroot
    rsa_key_size = 4096
    installer = None
    server = https://acme-v01.api.letsencrypt.org/directory
    webroot_path = /usr/local/ispconfig/interface/acme,
    [[webroot_map]]
    www.DOMAIN.com = /usr/local/ispconfig/interface/acme
    DOMAIN.com = /usr/local/ispconfig/interface/acme
    apps.DOMAIN.com = /usr/local/ispconfig/interface/acme
    
    Why is the "apps" subdomain still in the list? I've removed it from the ISPConfig. Or does it get removed by LE after some time?

    Code:
    root@server:/var/www/clients/client0/DOMAIN.com/ssl# ls -lha
    total 172K
    drwxr-xr-x  2 root root    4,0K Aug  1 08:49 .
    drwxr-xr-x 11 web1 client0 4,0K Aug 20  2015 ..
    lrwxrwxrwx  1 root root      56 Aug  1 08:49 DOMAIN.com-le.bundle -> /etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem
    -r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219125102
    -r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219131208
    -r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219131502
    -r--------  1 root root    1,7K Jul 31 18:04 DOMAIN.com-le.bundle.old.20170731180413
    -r--------  1 root root    1,7K Jul 31 18:04 DOMAIN.com-le.bundle.old.20170731180419
    -r--------  1 root root    1,7K Jul 31 18:07 DOMAIN.com-le.bundle.old.20170731180702
    -r--------  1 root root    1,7K Jul 31 18:09 DOMAIN.com-le.bundle.old.20170731180902
    -r--------  1 root root    1,7K Jul 31 18:11 DOMAIN.com-le.bundle.old.20170731181111
    -r--------  1 root root    1,7K Jul 31 18:28 DOMAIN.com-le.bundle.old.20170731182802
    -r--------  1 root root    1,7K Aug  1 08:49 DOMAIN.com-le.bundle.old.20170801084902
    lrwxrwxrwx  1 root root      60 Aug  1 08:49 DOMAIN.com-le.crt -> /etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem
    -r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219125102
    -r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219131208
    -r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219131502
    -r--------  1 root root    2,1K Jul 31 18:04 DOMAIN.com-le.crt.old.20170731180413
    -r--------  1 root root    2,1K Jul 31 18:04 DOMAIN.com-le.crt.old.20170731180419
    -r--------  1 root root    2,1K Jul 31 18:07 DOMAIN.com-le.crt.old.20170731180702
    -r--------  1 root root    2,1K Jul 31 18:09 DOMAIN.com-le.crt.old.20170731180902
    -r--------  1 root root    2,1K Jul 31 18:11 DOMAIN.com-le.crt.old.20170731181111
    -r--------  1 root root    2,1K Jul 31 18:28 DOMAIN.com-le.crt.old.20170731182802
    -r--------  1 root root    2,1K Aug  1 08:49 DOMAIN.com-le.crt.old.20170801084902
    lrwxrwxrwx  1 root root      58 Aug  1 08:49 DOMAIN.com-le.key -> /etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem
    -r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219125102
    -r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219131208
    -r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219131502
    -r--------  1 root root    3,2K Jul 31 18:04 DOMAIN.com-le.key.old.20170731180413
    -r--------  1 root root    3,2K Jul 31 18:04 DOMAIN.com-le.key.old.20170731180419
    -r--------  1 root root    3,2K Jul 31 18:07 DOMAIN.com-le.key.old.20170731180702
    -r--------  1 root root    3,2K Jul 31 18:09 DOMAIN.com-le.key.old.20170731180902
    -r--------  1 root root    3,2K Jul 31 18:11 DOMAIN.com-le.key.old.20170731181111
    -r--------  1 root root    3,2K Jul 31 18:28 DOMAIN.com-le.key.old.20170731182802
    -r--------  1 root root    3,2K Aug  1 08:49 DOMAIN.com-le.key.old.20170801084902
    lrwxrwxrwx  1 root root      51 May 10  2016 www.DOMAIN.com.bundle -> /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
    -r--------  1 root root    1,7K May 10  2016 www.DOMAIN.com.bundle.old.20160510201502
    lrwxrwxrwx  1 root root      50 May 10  2016 www.DOMAIN.com.crt -> /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
    -r--------  1 root root    1,4K May 10  2016 www.DOMAIN.com.crt.old.20160510201210
    -r--------  1 root root    2,2K May 10  2016 www.DOMAIN.com.crt.old.20160510201502
    -rw-r--r--  1 root root    1,1K May 10  2016 www.DOMAIN.com.csr
    lrwxrwxrwx  1 root root      53 May 10  2016 www.DOMAIN.com.key -> /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
    -rw-r--r--  1 root root    1,7K May 10  2016 www.DOMAIN.com.key.old20160510201210
    -rw-r--r--  1 root root    3,2K May 10  2016 www.DOMAIN.com.key.old20160510201502
    -r--------  1 root root    1,8K May 10  2016 www.DOMAIN.com.key.org
    lrwxrwxrwx  1 root root      51 Dec 19  2016 www.DOMAIN.com-le.bundle -> /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
    -r--------  1 root root    1,7K Dec 19  2016 www.DOMAIN.com-le.bundle.old.20161219124309
    lrwxrwxrwx  1 root root      50 Dec 19  2016 www.DOMAIN.com-le.crt -> /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
    -r--------  1 root root    2,2K Dec 19  2016 www.DOMAIN.com-le.crt.old.20161219124309
    lrwxrwxrwx  1 root root      53 Dec 19  2016 www.DOMAIN.com-le.key -> /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
    -r--------  1 root root    3,2K Dec 19  2016 www.DOMAIN.com-le.key.old.20161219124309
    
    Site config has not changed at all, auto subdomain is still set to "www.".
    All the cert files that are linked above do exist.
    Am I crazy here that the cert should have www. prefix in it?
    Any ideas?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    use the debug mode in ISPConfig to see what exactly happens when ispconfig requests the cert from LE. That a subdomain is not added happens normally just in case it is unreachable.
     
  3. sjau

    sjau Local Meanie Moderator

    also providing the actual domain name helps to find the problem.
     
  4. TheRudy

    TheRudy ISPConfig Developer ISPConfig Developer

    Subdomain works just fine else the site would not work at all. Looks like other people have some similar problems with mkdir failed:

    Code:
    07.08.2017-16:14 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    07.08.2017-16:14 - DEBUG - Found 1 changes, starting update process.
    07.08.2017-16:14 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.08.2017-16:14 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.08.2017-16:14 - DEBUG - mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    07.08.2017-16:14 - DEBUG - Verified domain lessthanweb.com should be reachable for letsencrypt.
    07.08.2017-16:14 - DEBUG - Verified domain www.lessthanweb.com should be reachable for letsencrypt.
    07.08.2017-16:14 - DEBUG - Create Let's Encrypt SSL Cert for: lessthanweb.com
    07.08.2017-16:14 - DEBUG - Let's Encrypt SSL Cert domains:  --domains lessthanweb.com --domains www.lessthanweb.com
    07.08.2017-16:14 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@lessthanweb.com  --domains lessthanweb.com --domains www.lessthanweb.com --webroot-path /usr/local/ispconfig/interface/acme
    You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Cert not yet due for renewal
    Keeping the existing certificate
    07.08.2017-16:14 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/www.lessthanweb.com-0001.conf.
    07.08.2017-16:14 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem exists.
    07.08.2017-16:14 - DEBUG - Enable SSL for: lessthanweb.com
    07.08.2017-16:14 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/lessthanweb.com.vhost
    07.08.2017-16:14 - DEBUG - Writing the PHP-FPM config file: /etc/php5/fpm/pool.d/web1.conf
    07.08.2017-16:14 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    07.08.2017-16:14 - DEBUG - Restarting php-fpm: systemctl reload php5-fpm.service
    07.08.2017-16:14 - DEBUG - Apache status is: running
    07.08.2017-16:14 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    07.08.2017-16:14 - DEBUG - Restarting httpd: systemctl restart apache2.service
    07.08.2017-16:14 - DEBUG - Apache restart return value is: 0
    07.08.2017-16:14 - DEBUG - Apache online status after restart is: running
    07.08.2017-16:14 - DEBUG - Processed datalog_id 565
    07.08.2017-16:14 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    In the /etc/apache2/sites-available/lessthanweb.com.vhost it points to non-www SSL certs. Should not this point to www certificate?

    Code:
    SSLCertificateFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.key
    SSLCertificateChainFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.bundle
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    
    The mkdir failed, there are no symlinks, all looks okay.

    Like I said, I have NOT changed any of the settings for this specific site apart from adding new subdomains via the Subdomain menu, just updated to the latest version and then got Google email that the cert does not match.

    Any ideas?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    No. This is a symlink, the name does not matter and is no indication of what's inside the SSL cert.

    run:

    ls -la /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt

    to see to which LE cert it points. According to the log, it points to the cert
    /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem

    The mkdir failed error has been fixed in the stable-3.1 branch already. But it should not matter for your problem.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    But according to the log, the website has just the domain itself plus a www subdomain and no other alias or subdomains. are you sure that you added more domains to that site (and I don't mean vhost alias or subdomain as they don't belong to this website.
     

Share This Page