Let’s Encrypt Error FAQ

Discussion in 'General' started by till, Oct 5, 2016.

Thread Status:
Not open for further replies.
    till Super Moderator Staff Member ISPConfig Developer

    There are many threads that deal with problems generating SSL certificates with Let’s Encrypt, so I am starting a FAQ here. Please read the whole post when you are having trouble.

    Why does Let’s Encrypt not create an SSL cert?
    Let’s Encrypt verifies your server by downloading an individual token from each domain of the website, including auto-subdomains, subdomains, and aliasdomains. If one of these domains and subdomains is unreachable (no DNS, wrong DNS, closed firewall, etc) then Let's Encrypt will refuse to create the SSL cert.

    Why does the Let’s Encrypt in ISPConfig get disabled automatically?
    When the creation of the SSL certificate through Let’s Encrypt fails, the Let’s Encrypt and SSL checkboxes get disabled in the settings of your website.

    What can I do if SSL certificate creation with Let’s Encrypt fails?
    - Check that you have a Let’s Encrypt client installed. On servers installed before the release of ISPConfig 3.2, this is most likely certbot. On servers installed after the release, it's most likely acme.sh.
    - Check that the Let's Encrypt client 'certbot' is updated (when using certbot).
    - Check that you run the latest ISPConfig version.
    - When your server is behind a NAT router so that the server itself cannot reach the hosted domains, then enable the option "Skip Letsencrypt check" under System -> Server config -> server1.example.com -> Web.
    - Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
    - If you still use Apache 2.2, then update your ISPConfig to the latest version with the ispconfig_update.sh script to get an updated vhost template. After you have done that, use Tools > resync to apply the new template to all sites, or apply it to a single site by altering a value in the site settings and pressing save, before you try to activate Let’s Encrypt again. This is only necessary on Apache 2.2 systems; newer Apache 2.4 or nginx systems are not affected.
    - If you updated from ISPConfig < 3.1 to ISPConfig > 3.1 and deselected the "Reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ISPConfig Apache configuration files. Redo the update and choose to reconfigure services in that case.
    - Check that 'Server Migration Mode' option under System > Server Config is not enabled, as migration mode disables the creation of new Let's Encrypt certificates.

    Where do I find detailed error messages?
    You can find the log files here when using certbot: /var/log/letsencrypt
    When using acme.sh, it can be in /var/log/ispconfig/acme.log or /root/.acme.sh/acme.sh.log

    What if the above steps don't help?
    Enable the ISPConfig debug mode by following the steps from this guide:
    https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    After doing so, enable Let's Encrypt for the web and run the server.sh script manually.
    Don't forget to re-enable the server.sh cronjob when your problem is resolved.
     
    Last edited: Sep 23, 2021
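One way to script the FAQ's "check that all domain names, subdomains and aliasdomains really point to the right website" step before ticking the Let's Encrypt box again. This is an added example, not part of the original post and not ISPConfig code; the function names, hostnames and IP address are constructed, and it assumes `getent` and `curl` are installed.

```shell
#!/bin/sh
# Added example (not ISPConfig code): pre-flight check that every name on a
# site resolves to this server and answers over HTTP. Sample values are constructed.

# resolve_host NAME: print the IPv4 addresses NAME resolves to, one per line.
resolve_host() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}

# http_status NAME: print the HTTP status for the ACME challenge path prefix;
# curl prints 000 when no connection is possible (e.g. closed firewall).
http_status() {
    curl -s -o /dev/null -m 10 -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/" || true
}

# check_names EXPECTED_IP NAME...: print one verdict per name; return non-zero
# if any name has no DNS, wrong DNS, or no HTTP answer.
check_names() {
    expected_ip=$1
    shift
    failed=0
    for name in "$@"; do
        ips=$(resolve_host "$name")
        if [ -z "$ips" ]; then
            echo "FAIL $name: no DNS record"
            failed=1
        elif ! printf '%s\n' "$ips" | grep -qxF "$expected_ip"; then
            echo "FAIL $name: resolves to $(echo $ips), expected $expected_ip"
            failed=1
        elif [ "$(http_status "$name")" = "000" ]; then
            echo "FAIL $name: no HTTP answer on port 80"
            failed=1
        else
            echo "OK   $name"
        fi
    done
    return "$failed"
}

# Usage (constructed values): list the domain, its auto-subdomain and all aliases.
# check_names 203.0.113.10 example.com www.example.com alias.example.net
```

Any HTTP status other than 000 only shows that port 80 answers, so a name that passes here can still be served by the wrong vhost. Behind a NAT router, run it from a machine outside the network and pass the public IP.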