Let's Encrypt Issues

Discussion in 'Installation/Configuration' started by Nolan, Oct 10, 2016.

  1. Nolan

    Nolan Member

    Let's Encrypt fails to issue a certificate for my domains, I upgraded to 3.1 from 3.0.5.4p9, I selected reconfigure services when I upgraded.
    I did have let's encrypt working on the previous install for one of my domains, but can't seem to get it working now.
    I've included my debug log from ISPConfig, as well as my log from Let's Encrypt.

    My domains as well as the www. sub domain both have correct DNS records, the sites display properly when visiting them in the browser.
    Note that my actual domain has been replaced with domain.com in these logs.
    ISPConfig Debug:
    Code:
    10.10.2016-03:54 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    10.10.2016-03:54 - DEBUG - Found 1 changes, starting update process.
    10.10.2016-03:54 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    10.10.2016-03:54 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    10.10.2016-03:54 - DEBUG - exec: usermod --groups sshusers web1 2>/dev/null
    10.10.2016-03:54 - WARNING - Wildcard domains not yet supported by letsencrypt, so changing *.domain.com to domain.com
    10.10.2016-03:54 - DEBUG - Create Let's Encrypt SSL Cert for: domain.com
    10.10.2016-03:54 - DEBUG - Let's Encrypt SSL Cert domains: domain.com --domains www.domain.com
    10.10.2016-03:54 - DEBUG - exec: /usr/local/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains domain.com --domains www.domain.com --webroot-path /usr/local/ispconfig/interface/acme
    Failed authorization procedure. domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/JiTIifm9rpiLFQDZWBw7JzHmV30apJ_BXMgwLGti_GA: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht", www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/AJ0vfcnDcpsHkCIY_rRqAczo3FR-VlFzmdtJuiZSW2c: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
       "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"
    10.10.2016-03:54 - WARNING - Let's Encrypt SSL Cert for: domain.com could not be issued.
    10.10.2016-03:54 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domain.com.vhost
    10.10.2016-03:54 - DEBUG - Writing the PHP-FPM config file: /etc/php5/fpm/pool.d/web1.conf
    10.10.2016-03:54 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    10.10.2016-03:54 - DEBUG - Restarting php-fpm: systemctl reload php5-fpm.service
    10.10.2016-03:54 - DEBUG - Apache status is: running
    10.10.2016-03:54 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    10.10.2016-03:54 - DEBUG - Restarting httpd: systemctl restart apache2.service
    10.10.2016-03:54 - DEBUG - Apache restart return value is: 0
    10.10.2016-03:54 - DEBUG - Apache online status after restart is: running
    10.10.2016-03:54 - DEBUG - Processed datalog_id 3061
    10.10.2016-03:54 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    Let's Encrypt Log:
    http://pastebin.com/fSq6xqcx

    I'm a bit stumped as to what could be causing this. Any ideas?
     
  2. Jesse Norell

    Jesse Norell Active Member

    Do you have this config in /etc/apache2/sites-enabled/000-ispconfig.conf:
    Code:
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
                    Require all granted
            </Directory>
    
    If so check the vhost config for the file, maybe it does a redirect (http->https type thing) without an exception for that acme-challenge location?
     
  3. Nolan

    Nolan Member

    I checked the 000-ispconfig.conf file for that, it's in there. There's no http -> https redirect for the domain I'm trying to add.
    There is however an auto subdomain of www which directs domain.com -> www.domain.com

    If I try to go to http://www.domain.com/.well-known/acme-challenge/ it should work, right? It's giving me a 503 error.
     
  4. Jesse Norell

    Jesse Norell Active Member

    The request should work; on my server I get a 403 (not 503) error because directory indexing is turned off by default:
    Code:
    Forbidden
    
    You don't have permission to access /.well-known/acme-challenge/ on this server.
    Apache/2.4.10 (Debian) Server at www.domain.com Port 443
    There is a text file there called empty.dir, so a request to http://www.domain.com/.well-known/acme-challenge/empty.dir should download that file; what happens when you request it? I'm guessing 503 error again.

    What configuration did you setup for that to work? Maybe that is conflicting with ispconfig's configuration.
     
  5. Nolan

    Nolan Member

    A 503 Error happens. It doesn't download the file.

    It was so long ago that I don't remember exactly what I did. I just got the certificate using certbot, and then bundling everything together as needed by use of the ISPConfig SSL Panel.

    When I upgraded I thought I removed any instances of the old install (it was still using letsencrypt-auto, if that tells you anything). I shouldn't have to reinstall the OS to get it to work properly.

    If you run certbot, do any of your domains show up there?
     
    Last edited: Oct 13, 2016
  6. Jesse Norell

    Jesse Norell Active Member

    My guess is that some other config is overriding ispconfig's /.well-known/acme-challenge configuration; maybe try searching all web config for that (grep -R acme-challenge /etc/apache2 .. or search /etc/httpd on centos, I believe) and see if you find anything.
    Not sure what you mean, there isn't a "list" command or any way to list installed domains, is there? I can run certbot from the cli and it works (eg. I setup a certificate for the server's hostname that way), and I specifically supply `--webroot-path /usr/local/ispconfig/interface/acme` (I believe it was .. it's out of command history now).
     
  7. Nolan

    Nolan Member

    Cheers Jesse. I found it. I had this in /etc/apache2/mods-available/proxy.conf
    Code:
    ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
    ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
    <Location "/.well-known/acme-challenge/">
    ProxyPreserveHost On
      Order allow,deny
    Allow from all
    Require all granted
    </Location>
    I commented it out, and it now works. Woohoo!
     
  8. Alecs

    Alecs New Member HowtoForge Supporter

    I have a question for the SSL Let's encrypt part in ISPConfig. I recently installed this tutorial: https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ .
    I added a domain to my server and I am playing with the SSL to get the config working.
    The issue is when I go to domains -> domain -> ssl -> create it's creating the certificate after 2-3 minutes and when I press Save certificate and from what I understood this will make the SSL available on the website, the apache2 crashes and exits.
    Any ideas? am I doing something wrong?
    in the client folder, in ssl, i can see multiple files that are related to SSL. If i delete the certificate and get another one or the same, not clear yet, the files in the ssl folder double by adding .err extension.
     
  9. Nolan

    Nolan Member

    Turn on debugging mode in ISPConfig: http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    Look in your log files for apache2.
    Look in your log files for Let's Encrypt.

    What error(s) do you see there?
     
  10. Alecs

    Alecs New Member HowtoForge Supporter

    apache2 log here -> http://pastebin.com/gtB8fTFU
    conf-file for testing.com -> http://pastebin.com/31T1ByA4

    I just entered IspConfig 3.1 , activated the SSL and Let's Encript. All ok. I clicked the SSL tab on the Create option and save. The next thing, apache will not start before I remove form the config of testing.com the ssl parts.

    I also get this in the error.log on the domain:

    [Wed Oct 19 08:26:25.124474 2016] [ssl:emerg] [pid 5705] AH02565: Certificate and private key testing.com:443:0 from /var/www/clients/client1/web2/ssl/testing.com.crt and /var/www/clients/client1/web2/ssl/testing.com.key do not match
     
    Last edited: Oct 19, 2016
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    And thats the reason why it failed. you enabled letsencrypt which generates an ssl cert automarically as descrbed in the manual and then you created a new cert manually on the sl tab which caused your corrupted ssl setup of non matching ssl key and cert.
     
  12. Alecs

    Alecs New Member HowtoForge Supporter

    So I can delete the content of ssl in the client, remove the ssl and Let's Encrypt from settings and after that just click Let's Encrypt and all should be fine, correct?

    PS2 i got the manual, where should i look?

    PS I wanted to buy the manual but if i don't want to make a paypall account i can't pay. If you have other way of payment, only with debit card / credit card then I am your man :)
     
    Last edited: Oct 19, 2016
  13. Alecs

    Alecs New Member HowtoForge Supporter

    So i got the manual ... I did not find the Let's Encrypt part otherwise then the installation part.
    I tried to configure the ./certbot-auto again and it promted a list of websites to enable the certificates. I choose my regular domain with www (www.testing.com).

    http://pastebin.com/DcNHVuZg
    apache2 is dead now ...

    why am I seeing "php5-fcgi"? I have php7 installed
    what should i do next? there is nothing in the manual
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not what we described in the manual, the manual clearly tells you to press cancel and NOT choose a domain there. If you would select a domain, then letsencrypt will stop working in ISPconfig and apache will not start anymore due to broken certs.

    I'm sorry to say that, but you did not read the manual then or it's not the manual that ispconfig.org and howtoforge are offering. The info about letsencrypt in chapter 4.6.1.1.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    To fix your issue, remove the symlink of thsi vhost in the sites-enabled directory, restart apache, login to ispconfig, go to the ssl tab, empty all fields, chose delete certificate as action and press save. Then delete all ssl certs in the ssl folder f the website manually. Wait 2 minues. Login to ispconfig, enable the letsencrypt checkbox and press save. And do nothing else on the ssl tab!
     
  16. Alecs

    Alecs New Member HowtoForge Supporter

    I am looking on the manual for you guys, just bought it. I probably missed this 4.6.1.1 chapter and i apologize for that.
    For the issue, i deleted the domain, add it again with enable ssl and letsencrypt and nothing happened. I deleted the vhost in sites-enabled and deactivate ssl and letsencrypt. Deleted again the vhost and enable the SSL and letsencrypt and the website in there but in sites-available i have this .err conf. In that file i have also the 443 settings. when i look in the apache2 log I have something like: http://pastebin.com/wQVs1AE6 .
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    The .err file means that apache could not start with that config, so most likely there is still a wrong ssl cert somewhere from the manual lets encrypt run. Do you have new ssl certs in the ssl folder of this website? If yes, please test if the ssl key and cert belong together. you can find instructions for that e.g. here:

    https://kb.wisc.edu/middleware/page.php?id=4064

    Log: That's not an error from the website where you enabled letsencrypt.
     
  18. Alecs

    Alecs New Member HowtoForge Supporter

    Yes i have them in /var/www/testing.com/ssl

    openssl x509 -noout -modulus -in testing.com.crt | openssl md5
    (stdin)= c39c8c7fd6f6f0d5ca8f12f4dfcc7608
    openssl rsa -noout -modulus -in testing.com.key | openssl md5
    (stdin)= cfe0a7d1d6a59cde47510904ce6b9b3c
    so i guess they are different.
     
  19. Alecs

    Alecs New Member HowtoForge Supporter

    @till any news over this issue?

    Later edit: I have deleted all the certificates in /etc/letsencrypt and in the /sll of the domain and regenerated the certificates. all is working now :) thank you @till for the advices :)
     
    Last edited: Oct 20, 2016

Share This Page