Let's encrypt does not issue certificates (Resolved)

Discussion in 'Installation/Configuration' started by AEG-Simply, Mar 6, 2018.

  1. AEG-Simply

    AEG-Simply Member

    Hello, I just mounted a fresh VM following this tutorial : https://www.howtoforge.com/tutorial...-stretch-apache-bind-dovecot-ispconfig-3-1/3/

    Everything went great.

    - Debian 9
    - PHP 7.0
    - Apache2
    - ISPConfig 3.1.11

    This is my issue : When I'm creating a new website with let's encrypt SSL, it doesnt work. I can come back 20s later, and ssl checkboxes are unchecked.

    There is nothing relevant in apache2/error.log or letencrypt.log
    ISPConfig test script show nothing either.

    I had the same problem a year ago with 3.0.x , I was advised to try the beta to resolve a known bug. But after some researches, I doesnt found anyone else with the same bug. So don't know where to go...

    Edit : Certbot seems to work fine, I was able to generate a certificate manually.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    See here:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    The ISPConfig debug log shows you in details what is gong on and when the domains on your server are not reachable from the server itself (e.g. because your server is behind a router which blocjks the requests), then youÄll have to disable the LE check.

    This blocks the domain for SSL in ISPConfig now, so don't expect to be able to use LE in ISPConfig until you undone that. The ability to manage this website in ISPConfig (any other settings) might have stopped as well as certbot does often mistakes when editing config files which then blocks further changes.
     
  3. AEG-Simply

    AEG-Simply Member

    First of all, this is not a firewall issue. Everything is redirected on my VM for TCP80/443/8080, and my iptables rules are OK.

    Because of paranoia, I did a snapshot before generating manually the let's encrypt certificate. I rollbacked and tried again, but still the same problem.
    After a reboot I checked the logs again and this is what I got :

    apache2/error.log :
    Code:
    [Wed Mar 07 16:47:02.810172 2018] [ssl:warn] [pid 2139] AH01906: web.mydomain:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed Mar 07 16:47:02.810277 2018] [ssl:error] [pid 2139] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=xxx,CN=xxx,OU=IT,O=xx,L=xx,ST=xx,C=xx/ issuer: emailAddress=xx,CN=xxx,OU=IT,O=xx,L=xx,ST=xx,C=xx / serial:xx / notbefore: Feb 27 19:32:54 2018 GMT / notafter: Feb 25 19:32:54 2028 GMT]
    [Wed Mar 07 16:47:02.810285 2018] [ssl:error] [pid 2139] AH02604: Unable to configure certificate web.mydomain:8080:0 for stapling
    [Wed Mar 07 16:47:02.813296 2018] [mpm_prefork:notice] [pid 2139] AH00163: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 Phusion_Passenger/5.0.30 mod_python/3.3.1 Python/2.7.13 OpenSSL/1.0.2l configured -- resuming normal operations
    [Wed Mar 07 16:47:02.813321 2018] [core:notice] [pid 2139] AH00094: Command line: '/usr/sbin/apache2'
    
    letsencrypt/letsencrypt.log :
    Code:
    2018-03-07 15:26:52,302:DEBUG:certbot.main:Root logging level set at 30
    2018-03-07 15:26:52,302:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-03-07 15:26:52,303:DEBUG:certbot.main:certbot version: 0.10.2
    2018-03-07 15:26:52,303:DEBUG:certbot.main:Arguments: ['-q']
    2018-03-07 15:26:52,303:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2018-03-07 15:26:52,304:DEBUG:certbot.renewal:no renewal failures
    
    Ideas ?

    Edit : I remplaced the cert details by 'xxx' in purpose.
    The subdomain in log is 'web', but I actually tried to create a website using the subdom "webmail".
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. AEG-Simply

    AEG-Simply Member

    Problem resolved. In the end... shame on me, but it was just a dns issue. I miss-edited a cname, et voilà.
    Nethertheless, with debug, I have something else, a minor issue that I would like to understand.
    I got this error :
    Code:
    [INTERFACE]: PHP IDS Alert.Total impact: 5<br/> Affected tags: dt, id, lfi<br/> <br/> Variable: POST.php_open_basedir | Value: /var/www/clients/client1/web7/web:/var/www/clients/client1/web7/private:/var/www/clients/client1/web7/tmp:/var/www/webmail.xxx/web:/srv/www/webmail.xxx/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom<br/> Impact: 5 | Tags: dt, id, lfi<br/> Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID 11<br/> <br/>
    I did not install phpmyadmin, because that thing is a security issue. So, i do not understand this log ? Where does this phpmyadmin thing comes out ? (I double checked with apt-get remove phpmyadmin, and tells me it is not installed).

    And I don't understand this log either :
    Code:
    [Wed Mar 07 16:47:02.810285 2018] [ssl:error] [pid 2139] AH02604: Unable to configure certificate web.mydomain:8080:0 for stapling
    the 'web' subdomain is my subdomain for the ispconfig interface, and it bother me that I can't validate the certificate.
     
  6. AEG-Simply

    AEG-Simply Member

    I seriouly don't understand the matter.
    I got a LE certificate for a first subdomain, and now when i'm adding new sites (that I can reach on http://mydomain), and I check the SSL checkbox, I got theses errors...???

    Let's Encrypt SSL Cert for: wiki.mydom could not be issued.
    Could not verify domain wiki.mydom, so excluding it from letsencrypt request.
    Maybe I just need to wait more, but for some, it has been more than 30 min..
     
  7. AEG-Simply

    AEG-Simply Member

    Well, I'm giving up for now.
    I reinstalled cleanly a new ispconfig.
    There is NO firewall thing.

    I can access to one of my website on :80
    http://xx.mydom.xx

    But when I try to add LE SSL, I have this in debug :
    Code:
    Let's Encrypt SSL Cert for: xx.mydom.xx could not be issued.   
    Warning     Could not verify domain xx.mydom.xx, so excluding it from letsencrypt request.
    And I have no explanations for that.
     
    Last edited: Mar 14, 2018
  8. ahrasis

    ahrasis Active Member

    I can access the domain just fine from here as it shows ISPConfig default welcome page. Have you waited for it to be properly propagated? It most of the time takes about 48 hours to be properly propagated.

    And if your server behind is a router, like @till said above, do try Skip Lets Encrypt Check in Server Config > Web > SSL Settings.

    One more thing, which might not be related, I dig both domain and subdomain but they both have different ip. If it's me, I would ensure the dns server for the root domain is pointing rightly to the intended ISPConfig web server ip address.
     
    Last edited: Mar 15, 2018
  9. AEG-Simply

    AEG-Simply Member

    God, that was it.
    I sincerly apologies for that, I lost my temper. I think I just missed the
    from till.

    For that part, it's completely normal.

    This issue is resolved, thanks again.
     
    Last edited: Mar 14, 2018
    ahrasis likes this.
  10. Poliman

    Poliman Member

    I have something like below:
    Code:
    2018-03-12 03:00:08,461:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/estm-game.pl.conf is broken. Skipping.
    2018-03-12 03:00:08,462:DEBUG:letsencrypt.cli:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 900, in _reconstitute
        full_path, configuration.RenewerConfiguration(config))
      File "/usr/lib/python2.7/dist-packages/letsencrypt/storage.py", line 200, in __init__
        "file reference".format(self.configfile))
    CertStorageError: renewal config file {} is missing a required file reference
    
    I see in /etc/letsencrypt/renewal that there are:
    Code:
    -rwxr-xr-x 1 root root 1873 Jan 25 09:28 estm-game.pl-0001.conf
    -rwxr-xr-x 1 root root    0 Jan 25 09:26 estm-game.pl.conf
    -rwxr-xr-x 1 root root 1853 Jan 25 08:16 estm-game.pl.conf~backup
    Website still works with green padlock.

    But from another website cert from 12 dec 2017 was expired today around 8:00 and didn't renew, error from letsencrypt.log:
    Code:
    2018-03-12 03:01:27,380:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: kz16.pl
    Type:   unauthorized
    Detail: Invalid response from http://kz16.pl/.well-known/acme-challenge/3RLSB3fmSCSoEU7j4prECNCWeBlTuHgAeor6jZsETDE: "<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Generator identyfikatorów</title><base href="/"><meta name="v"
    and further in log:
    Code:
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    
    Code:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
        obtain_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
        return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
        authzr = self.auth_handler.get_authorizations(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
        self._respond(cont_resp, dv_resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 142, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: <unprintable FailedChallenges object>
    
    and finally at the end of log file:
    Code:
    2018-03-12 03:01:27,429:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1034, in renew
        len(renew_failures), len(parse_failures)))
    Error: 3 renew failure(s), 2 parse failure(s)
    
    2018-03-12 03:01:27,431:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
        func(*targs, **kargs)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/reporter.py", line 66, in atexit_print_messages
        self.print_messages()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/reporter.py", line 97, in print_messages
        next_wrapper.fill(line) for line in lines[1:]))
    UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3' in position 264: ordinal not in range(128)
    
    I can put whole log file to file and attach it.
     
    Last edited: Mar 12, 2018
  11. ahrasis

    ahrasis Active Member

    From what I see there are two group of LE certs issued to the same domain of estm-game.pl. I believe the later is with the 0001 and the original is without it. I am not sure the cause of it but I will normally delete the later totally before applying for new certs again.

    I will run this command (may not be necessary but I'd like to clean any redundancies) "rm -rf /etc/letsencrypt/renewal/estm-game.pl-0001* && rm -rf /etc/letsencrypt/live/estm-game.pl-0001* && rm -rf /etc/letsencrypt/archive/estm-game.pl-0001*".

    I will then "dig estm-game.pl" ensuring it is pointing to its intended web server IP (currently, it doesn't resolve to any IP).

    Then I will check whether the website is accessible by public and access it (even if there is warning as to the SSL certs).

    Lastly, I would untick SSL + save and then retick LE + save in its web settings page.

    The last step should, if everything earlier are correct, cause LE to issue new SSL certs for the original folder estm-game.pl.

    By the way, your issue is quite different from the OP, so next time, try to open a new thread. ;)
     
  12. Poliman

    Poliman Member

    Thank you for answer Ahrasis. This domain was changed on purpose. One time when I put domain on forum I got almost ddos. ;)
    Do you know why some .conf files under /etc/letsencrypt/renewal has chmod 644 but much more has chmod 755? Nobody change it, me neither.
    Moreover size of file "estm-game.pl.conf" is 0 as you can see in my 1st post.
     
  13. ahrasis

    ahrasis Active Member

    The only person who can change normally, unless others have access to your server terminal, is your own self, but whether you did it knowingly or by mistake is some other things. You can view its date and time to determine when it happened and then check who accessed it during that period.
     
  14. Poliman

    Poliman Member

    Ok, thanks God it could be by mistake. Doesn't matter then. What about different chmod's? They are by default mainly 755 but in few examples are 644.
     
  15. ahrasis

    ahrasis Active Member

    I think for that you have to check into the Let's Encrypt / Certbot code because the SSL certs are generated by it. ;)

    Edited: ISPConfig didn't not generate the LE SSL certs but the official client (Let's Encrypt / Certbot) did it on ISPConfig request.
     
    Last edited: Mar 15, 2018
  16. Poliman

    Poliman Member

    It will be too hard at the moment but I am curious why this happens in this way. Maybe @till would know? :D
    Btw estm-game.pl is an alias (vhost). Is it possible that this bring two directories in /etc/letsencrypt/live for estm-game.pl?

    PS
    I would untick LE SSL and SSL. Then remove both estm-game.pl and estm-game.pl-0001. Then check again LE SSL and SSL. :)
    I also found out that estm-game.pl uses cert from estm-game.pl-0001 directory.
     
    Last edited: Mar 14, 2018
  17. Poliman

    Poliman Member

    I still observe the letsencrypt.log file and I see what happens but I don't understand why it happens. I see:
    Code:
    2018-03-15 03:00:40,090:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: derm-in.pl
    Type:   unauthorized
    Detail: Invalid response from http://derm-in.pl/.well-known/acme-challenge/51qNNlFpM-uw88txxVh5W9BuyO32jr_YtA4J6oBWL1s: "<!DOCTYPE html>
    <html ng-app="webApp">
    
    <head>
        <!--<title>DermIN</title>-->
    
    
        <title>Derm-In</title>
        <link rel=""
    
    Domain: www.derm-in.pl
    Type:  unauthorized
    Detail: Invalid response from http://www.derm-in.pl/.well-known/acme-challenge/sLohkfeUI7F5EDHxCPOsKC86aTRi2WtXlCjpS2AtIXE: "<!DOCTYPE html>
    <html ng-app="webApp">
    
    <head>
      <!--<title>DermIN</title>-->
    
    
      <title>Derm-In</title>
      <link rel=""
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    
    Code:
    2018-03-15 03:00:40,091:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/derm-in.pl.conf produced an unexpected error: Failed authorization procedure. derm-in.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://derm-in.pl/.well-known/acme-challenge/51qNNlFpM-uw88txxVh5W9BuyO32jr_YtA4J6oBWL1s: "<!DOCTYPE html>
    <html ng-app="webApp">
    
    <head>
        <!--<title>DermIN</title>-->
    
    
        <title>Derm-In</title>
        <link rel="", www.derm-in.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.derm-in.pl/.well-known/acme-challenge$
    <html ng-app="webApp">
    
    <head>
        <!--<title>DermIN</title>-->
    
    
        <title>Derm-In</title>
        <link rel="". Skipping.
    
    2018-03-15 03:00:40,095:DEBUG:letsencrypt.cli:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
        obtain_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
        return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
        authzr = self.auth_handler.get_authorizations(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
        self._respond(cont_resp, dv_resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 142, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    
    @ahrasis This time it's real domain. You can see when enter the site that ssl is still working and dns works, points to some ip. I am helpless. Moreover it's not the problem for each from maybe 20 websites but only few.
     
    Last edited: Mar 15, 2018
  18. ahrasis

    ahrasis Active Member

    Why are you so worry about? So far the derm-in.pl domain is concerned (that I can see from here), its https is working with www or without.
     
  19. Poliman

    Poliman Member

    Because there is error in renewing ssl cert logged today and I don't know why it happens. Current cert should expire after 3 days (cert generated 18 Dec 2017). Then I will know all is ok or not. I am afraid that cert will expire and won't be renewed. I had this problem few times. Moreover - if cert will expire on derm-in.pl then each enter this site will produce error about cert expiration but I am able to open this site (after add cert exception in browser) but then another site - first deployed on this server - will open with url of derm-in.pl. It's really strange and this same behavior happens for each website which cert will expire.
     
    Last edited: Mar 15, 2018
  20. ahrasis

    ahrasis Active Member

    I would suggest you check what is the result of "ls -lt /etc/lets*/*/derm-in.pl* && dig derm-in.pl && dig www.derm-in.pl".
     
    Last edited: Mar 15, 2018

Share This Page