Let's Encrypt during setup of 3.2

Discussion in 'ISPConfig 3 Priority Support' started by OwnYourOwn, Mar 15, 2021.

  1. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Tried enabling Let's Encrypt during setup of ISPConfig 3.2 - Debian 10 and NGINX. 1st attempt:

    Code:
    Checking / creating certificate for net.mysite.com
    Using certificate path /etc/letsencrypt/live/net.mysite.com
    Server's public ip(s) (12.34.567.890, 3002:ipv6:edef) not found in A/AAAA records for net.mysite.com:
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    

    >>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>

    2nd attempt: Set up DNS 'A' & 'AAAA' records for net.mysite.com.

    On net.mysite.com, set up a site nginx config file for net.mysite.com in /etc/nginx/sites-available. Created a symlink in /etc/nginx/sites-enabled.

    Put a test html in /var/www/html - Browser successfully displayed the test index.html

    Installed ISPConfig 3.2 - letsencrypt found the 'A' & 'AAAA' records but not /usr/local/ispconfig/interface/acme/.well-known/acme-challenge

    Code:
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    

    Gave up and did what I've done on Apache installs:

    Set up the site and DNS for net.mysite.com per the 'Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate' tutorial. (Because the install of 3.2 created the symlinks, did not do postfix or pure-ftpd.)

    Now able to utilize SSL on https://net.mysite.com:8080

    'Add New Site' mysite.com (because I want to use it)

    Code:
    $ sudo nginx -t
    nginx: [warn] conflicting server name "net.mysite.com" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "net.mysite.com" on [::]:80, ignored
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    
    Also in nginx error.log, an enormous number of:

    Code:
    2021/03/13 18:50:11 [warn] 6527#6527: conflicting server name "net.mysite.com" on 0.0.0.0:80, ignored
    2021/03/13 18:50:11 [warn] 6527#6527: conflicting server name "net.mysite.com" on [::]:80, ignored
    

    So I deleted the site & DNS for 'net.mysite.com'

    Added an 'A' record 'net' in the DNS of mysite.com

    Added a subdomain for the website: host: net - No redirect

    Did: ln -s /var/www/clients/client1/web2/ssl/mysite.com-le.crt ispserver.crt (and the rest of it)

    Now able to utilize SSL on https://net.mysite.com:8080 using mysite.com

    But still:

    Code:
    $ sudo nginx -t
    nginx: [warn] conflicting server name "net.mysite.com" on 0.0.0.0:80, ignored
    nginx: [warn] conflicting server name "net.mysite.com" on [::]:80, ignored
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    

    And errors in nginx error.log

    Question 1: How to set up ISPConfig 3.2 and utilize Let's Encrypt during setup, as it attempts to do?

    Question 2: Solve the 'conflicting server name' errors and still use the site 'mysite.com'

    Thanks - Your help would be appreciated.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please read the (whole) 'read before posting' thread: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/

    Your current post is not very readable because you missed using CODE tags for code.

    From what I understand, you created a vhost manually instead of letting ISPConfig do this. This will cause errors.

    There was a bug in versions prior to 3.2.3 which broke the issuance of certificates on install; this is fixed in 3.2.3.
     
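The "conflicting server name" warning that Th0m traces to the hand-made vhost can be checked for before running nginx -t. The script below is an added example, not ISPConfig's or nginx's own code: it parses every server block in an nginx include directory and reports each (listen socket, server_name) pair that more than one block claims, which is the condition nginx warns about; nginx keeps the first block it parsed and ignores the later one. The sample configs and file names are constructed for this example.

```python
"""Find duplicate (listen socket, server_name) pairs across nginx vhost files.

Added example, not ISPConfig or nginx code.  It reproduces the condition behind
nginx's 'conflicting server name "X" on 0.0.0.0:80, ignored' warning: two server{}
blocks claim the same name on the same socket.  SAMPLE_CONFIGS is constructed.
"""
import re
from collections import defaultdict
from pathlib import Path


def _strip_comments(text):
    # nginx comments run from '#' to end of line
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def normalize_listen(value):
    """Render a listen address the way nginx prints it in the warning:
    '80' -> '0.0.0.0:80', '*:443' -> '0.0.0.0:443', '[::]:80' unchanged."""
    if value.startswith("["):            # IPv6 literal, port already attached
        return value
    if ":" not in value:                 # bare port number
        return f"0.0.0.0:{value}"
    host, port = value.rsplit(":", 1)
    return f"{'0.0.0.0' if host == '*' else host}:{port}"


def parse_server_blocks(text):
    """Return [{'listen': [...], 'server_name': [...]}, ...], one per server{} block.
    A brace-aware token walk is enough: nginx syntax is 'directive args ;'
    and 'name { ... }' nested to any depth."""
    tokens = re.findall(r"\{|\}|;|[^\s{};]+", _strip_comments(text))
    blocks, stack, directive, current = [], [], [], None
    for tok in tokens:
        if tok == "{":
            name = directive[0] if directive else ""
            if name == "server" and current is None:
                current = {"listen": [], "server_name": []}
            stack.append(name)
            directive = []
        elif tok == "}":
            if stack and stack.pop() == "server" and current is not None:
                blocks.append(current)
                current = None
            directive = []
        elif tok == ";":
            if current is not None and directive:
                key, args = directive[0], directive[1:]
                if key == "listen" and args:      # only the first arg is an address
                    current["listen"].append(normalize_listen(args[0]))
                elif key == "server_name":
                    current["server_name"].extend(a.lower() for a in args)
            directive = []
        else:
            directive.append(tok)
    return blocks


def find_conflicts(configs):
    """configs: {path: text}.  Return {(socket, name): [paths]} for every pair
    claimed by more than one server{} block, which is what nginx warns about."""
    claimed = defaultdict(list)
    for path, text in configs.items():
        for block in parse_server_blocks(text):
            # nginx defaults: no listen -> *:80, no server_name -> ""
            for sock in block["listen"] or ["0.0.0.0:80"]:
                for name in block["server_name"] or [""]:
                    claimed[(sock, name)].append(path)
    return {k: v for k, v in claimed.items() if len(v) > 1}


def load_dir(path="/etc/nginx/sites-enabled"):
    """Read every regular file (symlink targets included) in an include directory."""
    return {str(p): p.read_text() for p in sorted(Path(path).iterdir()) if p.is_file()}


# Constructed sample: the hand-made vhost from the post beside a simplified
# version of the vhost ISPConfig writes for the same hostname (paths assumed).
SAMPLE_CONFIGS = {
    "/etc/nginx/sites-enabled/net.mysite.com": """
server {
    listen 80;
    listen [::]:80;
    server_name net.mysite.com;
    root /var/www/html;
}""",
    "/etc/nginx/sites-enabled/100-net.mysite.com.vhost": """
server {
    listen *:80;
    listen [::]:80;
    listen *:443 ssl http2;   # 443 is claimed once only, so no warning for it
    listen [::]:443 ssl http2;
    server_name net.mysite.com;
    root /var/www/clients/client1/web2/web;
}""",
    "/etc/nginx/sites-enabled/default": """
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
}""",
}

if __name__ == "__main__":
    import sys
    configs = load_dir(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CONFIGS
    for (sock, name), paths in sorted(find_conflicts(configs).items()):
        print(f'conflicting server name "{name}" on {sock}: {", ".join(paths)}')
```

Run it without arguments to see the two conflicts in the constructed sample (port 80 on IPv4 and IPv6, both for net.mysite.com), or pass a directory such as /etc/nginx/sites-enabled to scan a real server. Each reported pair names the files involved, so the block to delete (the hand-made one, per Th0m's advice) is obvious; the script only parses listen and server_name and does not evaluate include directives, so point it at the directory nginx actually includes.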
  3. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks for your reply.

    OS: Debian 10 - php7.3
    Ispconfig: 3.2.3

    Problem:
    Let's Encrypt does not install for server at the end of ISPConfig 3.2.3 setup.

    Got the following error from ISPConfig setup:

    Code:
    Checking / creating certificate for net.mysite.com
    Using certificate path /etc/letsencrypt/live/net.mysite.com
    Server's public ip(s) (12.34.567.890, 3002:ipv6:edef) not found in A/AAAA records for net.mysite.com:
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    

    After the install of ISPConfig 3.2.3, everything is functional, including Let's Encrypt.

    As requested:

    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] uptime: 14:18:52 up 5:33, 1 user, load average: 0.00, 0.02, 0.04
    [INFO] memory:
                   total        used        free      shared  buff/cache   available
    Mem:           3.9Gi       1.6Gi       1.1Gi        90Mi       1.2Gi       1.9Gi
    Swap:             0B          0B          0B
    [INFO] systemd failed services status:
    0 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.3
    
    UNIT FILE                                 STATE
    proc-sys-fs-binfmt_misc.automount         static
    -.mount                                   generated
    dev-hugepages.mount                       static
    dev-mqueue.mount                          static
    media-cdrom0.mount                        generated
    proc-sys-fs-binfmt_misc.mount             static
    sys-fs-fuse-connections.mount             static
    sys-kernel-config.mount                   static
    sys-kernel-debug.mount                    static
    var-www-clients-client1-web2-log.mount    generated
    var-www-clients-client1-web4-log.mount    generated
    var-www-clients-client2-web3-log.mount    generated
    systemd-ask-password-console.path         static
    systemd-ask-password-wall.path            static
    session-12.scope                          transient
    session-387.scope                         transient
    session-87.scope                          transient
    amavis-mc.service                         generated
    amavis-snmp-subagent.service              generated
    amavis.service                            generated
    amavisd-new.service                       generated
    amavisd-snmp-subagent.service             generated
    apparmor.service                          enabled
    apt-daily-upgrade.service                 static
    apt-daily.service                         masked
    [email protected]                         enabled
    bind9-pkcs11.service                      disabled
    bind9-resolvconf.service                  disabled
    bind9.service                             enabled
    bootlogd.service                          masked
    bootlogs.service                          masked
    bootmisc.service                          masked
    checkfs.service                           masked
    checkroot-bootclean.service               masked
    checkroot.service                         masked
    clamav-daemon.service                     enabled
    clamav-freshclam.service                  enabled
    console-getty.service                     disabled
    console-setup.service                     enabled
    [email protected]                         static
    cron.service                              enabled
    cryptdisks-early.service                  masked
    cryptdisks.service                        masked
    dbus-org.freedesktop.hostname1.service    static
    dbus-org.freedesktop.locale1.service      static
    

    Thanks for your help.
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Again, please put such output in CODE tags as described in the read before posting.
    Have you created the DNS records for your hostname, at your nameservers?
     
  5. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Yes, because it said:

    Code:
    Server's public ip(s) (12.34.567.890, 3002:ipv6:edef) not found in A/AAAA records for net.mysite.com:
    
    I created DNS 'A' & 'AAAA' records for IP 12.34.567.890 - 'net.mysite.com' on another nameserver I have. Then, to make sure they would resolve, I created the necessary nginx config files on net.mysite.com. I checked it out in a browser and it all worked (got page index.html from 'net.mysite.com').

    I reinstalled ISPConfig and at the end of the installation, instead of getting:

    Code:
    Server's public ip(s) (12.34.567.890, 3002:ipv6:edef) not found in A/AAAA records for net.mysite.com:
    
    I got a statement saying that the A & AAAA records were found, but it could not find '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'

    Thanks again
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, because you created that vhost. Remove that and then run the script.
     
  7. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    I tried it again using the GoDaddy nameservers. Waited overnight to make sure DNS had resolved.
    Checked DNS - OK - Did not create any vhost. Pinged IP, server FQDN, AAAA IPv6 - All OK
    Also disabled the firewall.

    Got the same result:

    Code:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y
    
    Checking / creating certificate for net.mydomain.com
    Using certificate path /etc/letsencrypt/live/net.mydomain.com
    Server's public ip(s) (123.456.78.910, 2001:00: ipv6 :00:fe3f:cfc7) not found in A/AAAA records for net.mydomain.com:
    Ignore DNS check and continue to request certificate? (y,n) [n]: n
    
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    .................................++++
    
    Server is up with ISPConfig - Everything is OK - Won't generate the server Let's Encrypt cert at setup.
    Again, Thanks for your help.
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the real hostname?
     
  9. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    cloud.bumfuggled.com
    I have restarted the server with VULTR control panel, rebooted with ssh.
    Will shutdown, wait, and restart.
    Thanks
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    And what are your public IP's (the ones the installer tells you)?
     
  11. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Yes, from VULTR, who tells you to update /etc/network/interfaces (iface ens3 inet static) with IP, netmask and gateway; the file also has 'dns-nameservers 108.61.10.10' in it (don't know if this might cause a problem). I also set up /etc/hosts & /etc/hostname per your tutorial.
    I can revert /etc/network/interfaces back to its original content:
    Code:
    auto lo
    iface lo inet loopback
    
    allow-hotplug ens3
    iface ens3 inet dhcp
    iface ens3 inet6 auto
    
    If you think it might fix it.

    Did not mention that I did an install on DigitalOcean of Ubuntu 20.04 - Apache, and had the same problem with cert creation on setup.
    They don't suggest any update of /etc/network/interfaces.
    Thanks again
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    But what are your public IPs?
     
  13. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    One IP: 137.220.58.164
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you tried answering "y" on "Ignore DNS check and continue to request certificate? (y,n)"?
     
  15. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Yes, it just starts the self-signed process.
     
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    My guess is you have auto subdomain www on, and have not created a name service record for www.
    Code:
    $ host bumfuggled.com
    bumfuggled.com has address 137.220.58.164
    bumfuggled.com has IPv6 address 2001:19f0:5c01:1822:5400:3ff:fe3f:cfc7
    $ host www.bumfuggled.com
    Host www.bumfuggled.com not found: 3(NXDOMAIN)
    
     
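The installer's pre-check ("Server's public ip(s) ... not found in A/AAAA records") and Taleman's host lookups can be reproduced before running the installer. The script below is an added example, not the ISPConfig installer's own code (the installer's exact logic is not shown in this thread): it canonicalises the server's public addresses and the hostname's A/AAAA records and reports any public IP with no matching record, and it can check extra names such as www at the same time. The zone data is constructed from the addresses visible in Taleman's host output, with the server hostname deliberately absent to model the state before the A record was added; the lookup callable is injected so the check runs offline, and resolve_live() uses the system resolver instead.

```python
"""Pre-flight for the ISPConfig installer's Let's Encrypt step (added example,
not the installer's code).  Every public address of the server must appear in
the A/AAAA records of the server hostname, which is the condition the installer
reports on.  CONSTRUCTED_ZONE is constructed for this example from the thread's
addresses; swap zone_lookup for resolve_live to query the real resolver.
"""
import ipaddress
import socket


def canonical(addr):
    """Canonical text form so '2001:19F0::1' and '2001:19f0:0:0::1' compare equal.
    Returns None for strings that are not valid addresses (e.g. a redacted 12.34.567.890)."""
    try:
        return str(ipaddress.ip_address(addr.strip()))
    except ValueError:
        return None


def resolve_live(name):
    """A and AAAA lookup through the system resolver (needs network access)."""
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {canonical(info[4][0]) for info in infos} - {None}


def check_name(name, public_ips, lookup):
    """Compare the server's public IPs with what `name` resolves to.
    lookup: callable name -> iterable of address strings (injected for offline use)."""
    wanted = {canonical(ip) for ip in public_ips} - {None}
    found = {canonical(a) for a in lookup(name)} - {None}
    missing = sorted(wanted - found)
    return {
        "name": name,
        "found": sorted(found),
        "missing": missing,                 # public IPs with no matching A/AAAA record
        "ok": bool(found) and not missing,
    }


def preflight(hostname, public_ips, lookup, extra_names=()):
    """Check the server hostname plus any extra names (e.g. a www record).
    Only the server hostname decides the verdict; extras are informational."""
    results = [check_name(n, public_ips, lookup) for n in (hostname, *extra_names)]
    return {"ok": results[0]["ok"], "checks": results}


# Constructed zone: what Taleman's `host` output shows, before the poster added
# the A record for cloud.bumfuggled.com (so that name is intentionally missing).
CONSTRUCTED_ZONE = {
    "bumfuggled.com": {"137.220.58.164", "2001:19f0:5c01:1822:5400:3ff:fe3f:cfc7"},
}
# The public addresses the installer printed for this server, per the thread.
SERVER_PUBLIC_IPS = ["137.220.58.164", "2001:19f0:5c01:1822:5400:3ff:fe3f:cfc7"]


def zone_lookup(name):
    """Offline stand-in for resolve_live() backed by CONSTRUCTED_ZONE."""
    return CONSTRUCTED_ZONE.get(name.lower().rstrip("."), set())


def report(result):
    """One human-readable line per checked name, in the installer's wording."""
    lines = []
    for c in result["checks"]:
        if c["ok"]:
            lines.append(f"{c['name']}: OK ({', '.join(c['found'])})")
        elif c["found"]:
            lines.append(f"{c['name']}: public ip(s) {', '.join(c['missing'])} "
                         "not found in A/AAAA records")
        else:
            lines.append(f"{c['name']}: no A/AAAA records at all")
    return lines


if __name__ == "__main__":
    import sys
    lookup = resolve_live if "--live" in sys.argv else zone_lookup
    res = preflight("cloud.bumfuggled.com", SERVER_PUBLIC_IPS, lookup,
                    extra_names=["www.bumfuggled.com"])
    print("\n".join(report(res)))
    sys.exit(0 if res["ok"] else 1)
```

Without --live the script reproduces the failing state from the thread (no records for cloud.bumfuggled.com or www.bumfuggled.com); with --live it asks the resolver the installer would use, so a non-zero exit means the installer will print the same complaint. Addresses are compared in canonical form, so an AAAA record written with leading zeros still matches; a redacted or malformed address such as 12.34.567.890 is dropped rather than reported as missing.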
  17. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks for your reply.
    Because the error is for cloud.bumfuggled.com, I did not include a CNAME for www.
    Not sure about auto subdomain www because there aren't any sites set up in ISPConfig.
    Per your suggestion I added CNAME www, and just for the heck of it added an A record: cloud.bumfuggled.com
    I ran ISPConfig setup again and it worked! How wonderful! Great improvement from 3.1
    I think it might have been adding the A record 'cloud.bumfuggled.com'. I thought it would pick up the server FQDN from 'cname cloud', but I don't know if that was the problem or cname www.
    New problem is I usually set up server IP hostnames and the server domain for NS records. I don't know: if I do this and use ns1.bumfuggled.com & ns2.bumfuggled.com, will that screw up the server cert?
    If I don't, I assume I'll have to use ns31 & ns32.domaincontrol.com when setting up any sites.
    Thanks for all your help in getting this working.
     
  18. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    DNS does not use SSL certs, so there can't be a SSL mismatch.
     
  19. OwnYourOwn

    OwnYourOwn Member HowtoForge Supporter

    Thanks for that answer - won't worry about it.
    Love your product!
     