Let's Encrypt: Could not verify domain, SSL cert could not be issued

Discussion in 'Installation/Configuration' started by JettB, Jul 14, 2021.

  1. JettB

    JettB New Member

    So I've had to reinstall ISPConfig three times now on my VM, but each time I've had the same exact issue with Let's Encrypt SSL not verifying my domain. At first I followed this perfect server guide (howtoforge. com/ispconfig-autoinstall-debian-ubuntu) twice (I did --use-nginx on the second install), and most recently I did a manual config according to this guide (howtoforge. com/tutorial/perfect-server-ubuntu-20.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig). I have read the LE FAQ several times, read through numerous forum posts, and even purchased the 3.1 manual, but nothing has fixed my SSL issues.

    Just now I tried enabling "Skip Letsencrypt check" in System > Server Config > [hostname] > Web, and then enabled "Let's Encrypt SSL" for my site, and it is working without errors.

    My question is why did this work and why wasn't LE working before? Also, what is this "Letsencrypt check" and is it less secure to skip it like this?

    For the first two installations I'm pretty sure my /etc/hosts contained "127.0.1.1 srv1 .myhostname. com srv1", which never felt right to me. I saw this same IP 127.0.1.1 appear when trying to update ISPConfig, saying "Server's public ip(s) (***.***.***.***) not found in A/AAAA records for srv1 .myhostname. com: 127.0.1.1"... see full logs at very bottom.

    On my third installation, I changed it to 192.167.77.100, the local IP of the server in my network. This didn't seem to fix anything either, so I manually changed it to the server's public IP, and below is the current config of /etc/hosts, excluding IPv6 stuff:
    Code:
    127.0.0.1 localhost
    # 192.167.77.100 srv1 .myhostname. com srv1
    ***.***.***.*** srv1 .myhostname. com srv1
    
    Could this be making a difference? Should I reinstall while using the public IP in /etc/hosts? I read through the thread titled "Let's Encrypt SSL certificate not installing inside ISPConfig during installation - DNS server issue" but wasn't sure what was "correct".

    FYI
    I had created an A record on EPIK for srv1 .myhostname. com pointing to ***.***.***.***, my server's public IP...
    I also created an A record on EPIK for jettburns. com, www .jettburns. com, and *.jettburns. com pointing to ***.***.***.***, the same public IP.


    Would appreciate any help and insight!

    Spam filter said I couldn't use links in my post, so I put spaces between the periods...

    System info:
    Code:
    # lsb_release -a
    No LSB modules are available.
    Distributor ID:    Ubuntu
    Description:    Ubuntu 20.04.2 LTS
    Release:    20.04
    Codename:    focal
    
    # php -v
    PHP 7.4.3 (cli) (built: Jul  5 2021 15:13:35) ( NTS )
    Copyright (c) The PHP Group
    Zend Engine v3.4.0, Copyright (c) Zend Technologies
        with Zend OPcache v7.4.3, Copyright (c), by Zend Technologies
    
    # apachectl -v
    Server version: Apache/2.4.41 (Ubuntu)
    Server built:   2021-06-17T18:27:53
    
    # certbot --version
    certbot 0.40.0
    
    LE log in /var/log/letsencrypt/letsencrypt.log before I "skipped LE check":
    Code:
    2021-07-14 03:00:25,190:DEBUG:certbot.main:certbot version: 0.40.0
    2021-07-14 03:00:25,191:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2021-07-14 03:00:25,191:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-07-14 03:00:25,203:DEBUG:certbot.log:Root logging level set at 20
    2021-07-14 03:00:25,203:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-07-14 03:00:25,206:DEBUG:certbot.renewal:no renewal failures
    
    Debug log when LE SSL used to fail:
    Code:
    # /usr/local/ispconfig/server/server.sh
    14.07.2021-15:25 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    14.07.2021-15:25 - DEBUG - Found 1 changes, starting update process.
    14.07.2021-15:25 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    14.07.2021-15:25 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    14.07.2021-15:25 - WARNING - Could not verify domain jettburns.com, so excluding it from letsencrypt request.
    14.07.2021-15:25 - WARNING - Could not verify domain www.jettburns.com, so excluding it from letsencrypt request.
    14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:25 - WARNING - Let's Encrypt SSL Cert for: jettburns.com could not be issued.
    14.07.2021-15:25 - WARNING - 
    14.07.2021-15:25 - DEBUG - NON-String given in escape function! (boolean)
    14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    14.07.2021-15:25 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    14.07.2021-15:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    14.07.2021-15:25 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/jettburns.com.vhost
    14.07.2021-15:25 - DEBUG - Apache status is: running
    14.07.2021-15:25 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    14.07.2021-15:25 - DEBUG - Restarting httpd: systemctl restart apache2.service
    14.07.2021-15:25 - DEBUG - Apache restart return value is: 0
    14.07.2021-15:25 - DEBUG - Apache online status after restart is: running
    14.07.2021-15:25 - DEBUG - Processed datalog_id 47
    14.07.2021-15:25 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    Debug log when LE SSL worked, after "skipping LE check":
    Code:
    # /usr/local/ispconfig/server/server.sh
    14.07.2021-15:32 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    14.07.2021-15:32 - DEBUG - Found 1 changes, starting update process.
    14.07.2021-15:32 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    14.07.2021-15:32 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    14.07.2021-15:32 - DEBUG - LE version is 0.40.0, so using certificates command and --cert-name instead of --expand
    14.07.2021-15:32 - DEBUG - Create Let's Encrypt SSL Cert for: jettburns.com
    14.07.2021-15:32 - DEBUG - Let's Encrypt SSL Cert domains: 
    14.07.2021-15:32 - DEBUG - exec: /bin/certbot certonly -n --text --agree-tos --cert-name jettburns.com --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"jettburns.com":"\/usr\/local\/ispconfig\/interface\/acme","www.jettburns.com":"\/usr\/local\/ispconfig\/interface\/acme"}'
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for jettburns.com
    http-01 challenge for www.jettburns.com
    Waiting for verification...
    Cleaning up challenges
    14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
    14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Certificate Name: jettburns.com
    14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Domains: jettburns.com www.jettburns.com
    14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Expiry Date: 2021-10-12 14:32:21+00:00 (VALID: 89 days)
    14.07.2021-15:32 - DEBUG - LE CERT OUTPUT: Certificate Path: /etc/letsencrypt/live/jettburns.com/fullchain.pem
    14.07.2021-15:32 - DEBUG - Found LE path: /etc/letsencrypt/live/jettburns.com/fullchain.pem
    14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/jettburns.com/fullchain.pem exists.
    14.07.2021-15:32 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/privkey.pem' '/var/www/clients/client1/web1/ssl/jettburns.com-le.key' - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/fullchain.pem' '/var/www/clients/client1/web1/ssl/jettburns.com-le.crt' - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: ln -s '/etc/letsencrypt/live/jettburns.com/chain.pem' '/var/www/clients/client1/web1/ssl/jettburns.com-le.bundle' - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    14.07.2021-15:32 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    14.07.2021-15:32 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    14.07.2021-15:32 - DEBUG - Enable SSL for: jettburns.com
    14.07.2021-15:32 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/jettburns.com.vhost
    14.07.2021-15:32 - DEBUG - Apache status is: running
    14.07.2021-15:32 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    14.07.2021-15:32 - DEBUG - Restarting httpd: systemctl restart apache2.service
    14.07.2021-15:32 - DEBUG - Apache restart return value is: 0
    14.07.2021-15:32 - DEBUG - Apache online status after restart is: running
    14.07.2021-15:32 - DEBUG - Processed datalog_id 56
    14.07.2021-15:32 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
    Here's the output of the "test script":
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 20.04.2 LTS
    
    [INFO] uptime:  14:50:20 up 14:22,  1 user,  load average: 0.01, 0.02, 0.00
    
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:           30Gi       2.1Gi        26Gi       7.0Mi       2.4Gi        28Gi
    Swap:         8.0Gi          0B       8.0Gi
    
    [INFO] systemd failed services status:
      UNIT LOAD ACTIVE SUB DESCRIPTION
    0 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.5
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.4.3
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.3
    
    ##### PORT CHECK #####
    
    ##### MAIL SERVER CHECK #####
    
    [WARN] I found no "submission" entry in your postfix master.cf
    [INFO] this is not critical, but if you want to offer port 587 for smtp connections you have to enable this.
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Apache 2 (PID 253514)
    [INFO] I found the following mail server(s):
            Postfix (PID 122600)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 122655)
    [INFO] I found the following imap server(s):
            Dovecot (PID 122655)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 122714)
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [anywhere]:22           (996/sshd:)
    [localhost]:953         (122730/named)
    [anywhere]:25           (122600/master)
    [anywhere]:993          (122655/dovecot)
    [anywhere]:995          (122655/dovecot)
    [localhost]:10023               (31044/postgrey)
    [localhost]:10024               (122636/amavisd-new)
    [localhost]:10025               (122600/master)
    [localhost]:10026               (122636/amavisd-new)
    [localhost]:10027               (122600/master)
    [localhost]:11211               (102818/memcached)
    [anywhere]:110          (122655/dovecot)
    [anywhere]:143          (122655/dovecot)
    [anywhere]:465          (122600/master)
    ***.***.***.***:53              (122730/named)
    [localhost]:53          (122730/named)
    [anywhere]:21           (122714/pure-ftpd)
    ***.***.***.***:53              (921/systemd-resolve)
    *:*:*:*::*:22           (996/sshd:)
    *:*:*:*::*:25           (122600/master)
    *:*:*:*::*:953          (122730/named)
    *:*:*:*::*:443          (253514/apache2)
    *:*:*:*::*:993          (122655/dovecot)
    *:*:*:*::*:995          (122655/dovecot)
    *:*:*:*::*:10024                (122636/amavisd-new)
    *:*:*:*::*:10026                (122636/amavisd-new)
    *:*:*:*::*:3306         (121927/mysqld)
    [localhost]10           (122655/dovecot)
    [localhost]43           (122655/dovecot)
    *:*:*:*::*:8080         (253514/apache2)
    *:*:*:*::*:80           (253514/apache2)
    *:*:*:*::*:8081         (253514/apache2)
    *:*:*:*::*:465          (122600/master)
    *:*:*:*::*5085:dfff:fed7:53             (122730/named)
    *:*:*:*::*:53           (122730/named)
    *:*:*:*::*:21           (122714/pure-ftpd)
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt
    
    On my second installation (I had done --use-nginx during install), I tried updating ISPConfig to fix the SSL:
    Code:
    $ sudo ispconfig_update.sh --force
    
    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _
    |_   _/  ___| ___ \ /  __ \            / _(_)
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| |
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, |
                                                  __/ |
                                                 |___/ 
    --------------------------------------------------------------------------------
    
    
    >> Update 
    
    Please choose the update method. For production systems select 'stable'. 
    WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
    Note: On Multiserver systems, enable maintenance mode and update your master server first. Then update all slave servers, and disable maintenance mode when all servers are updated.
    
    Select update method (stable,nightly,git-develop) [stable]: stable
    
    Downloading ISPConfig update.
    Unpacking ISPConfig update.
    
    
    --------------------------------------------------------------------------------
     _____ ___________   _____              __ _         ____
    |_   _/  ___| ___ \ /  __ \            / _(_)       /__  \
      | | \ `--.| |_/ / | /  \/ ___  _ __ | |_ _  __ _    _/ /
      | |  `--. \  __/  | |    / _ \| '_ \|  _| |/ _` |  |_ |
     _| |_/\__/ / |     | \__/\ (_) | | | | | | | (_| | ___\ \
     \___/\____/\_|      \____/\___/|_| |_|_| |_|\__, | \____/
                                                  __/ |
                                                 |___/ 
    --------------------------------------------------------------------------------
    
    
    >> Update 
    
    Operating System: Ubuntu 20.04.2 LTS (Focal Fossa)
    This application will update ISPConfig 3 on your server.
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: no
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.McNvM0py2g/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]: yes
    Service 'dns_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]: no
    Service 'db_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]: no
    Reconfigure Services? (yes,no,selected) [yes]: yes
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Rspamd
    Configuring Getmail
    Configuring Pureftpd
    Configuring nginx
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]: 
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for srv1.myhostname.com
    Using certificate path /etc/letsencrypt/live/srv1.myhostname.com
    Server's public ip(s) (***.***.***.***) not found in A/AAAA records for srv1.myhostname.com: 127.0.1.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    Using nginx for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/srv1.myhostname.com
    
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: 
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: 
    
    Reconfigure Crontab? (yes,no) [yes]: 
    
    Updating Crontab
    Restarting services ...
    Update finished.
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    When your server is behind a router and this router is configured to block access from inside the network to the domain name that you try to verify LE SSL for, then "Skip Letsencrypt check" must be enabled to avoid this step. The first verification step is that ISPConfig tests if it can reach the server under the domain that shall be verified, or in other words if the domain points to this server. It is not less secure to disable it, but without that check you will have to be careful that really all domains and subdomains of a website are pointing correctly to the server, as issuing the cert will completely fail if a single domain that is included in the cert fails.

    To sum this up, do not reinstall your server if LE fails, the server installation is normally not the cause of such an issue (at least when you used either the official autoinstaller or one of the perfect server guides). Instead, follow the Let's encrypt FAQ step by step to find the reason why no LE cert could be issued and don't leave any steps out:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    The FAQ mentions the "Skip Let's Encrypt check" option as one of the steps to find out why you don't get a LE cert. And even if you had not tried that option, you would have seen in the last step, 'debug mode', why the LE cert could not be issued, as the debug mode shows in that case that the domain was skipped because it could not be reached. From your debug log:

    Code:
    14.07.2021-15:25 - WARNING - Could not verify domain jettburns.com, so excluding it from letsencrypt request.
    14.07.2021-15:25 - WARNING - Could not verify domain www.jettburns.com, so excluding it from letsencrypt request.
     
  3. JettB

    JettB New Member

    Thanks for the clarification Till, that makes sense.

    When you say "access", which ports exactly need to be opened or translated for LE to verify the domain? My firewall already has a NAT policy for just ports 80 and 443, translating my public IP into the server's private IP. I also have the necessary access rules for NTP, DNS, HTTP/S, and SMTP. Is a loopback policy required for any of these ports? I checked your list of ports below and I'm not sure which should be part of the NAT, versus the access rules.

    FYI when I try to load my site jettburns.com or my server's public IP when my laptop is on the same internal network as the server, I get a "refused to connect" message, which is expected behavior for my firewall because there is no loopback policy setup; should I create one to fix the LE SSL?

    faqforge. com/linux/which-ports-are-used-on-a-ispconfig-3-server-and-shall-be-open-in-the-firewall/
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, that's probably the same issue that causes ISPConfig's check to fail; if ISPConfig can connect (should be only on port 80) to the ip address it gets for the website names that's probably sufficient. (I didn't check the code to see, but it would surprise me if we created a test file in the same acme-challenge path to check, I'd guess it's just a connection test.)
     
