Lets Encrypt not issued after installation using servisys / ispconfig_setup

Discussion in 'ISPConfig 3 Priority Support' started by DylanPedro, Jan 18, 2021.

  1. DylanPedro

    DylanPedro Member HowtoForge Supporter

    Hi,

    I've just setup a new server using the servisys / ispconfig_setup script on Debian 9. I wanted to use Debian 10 but it looks like some features are not available on Buster (Postgrey, OpenDKIM etc). Is this true?

    Everything seems to have gone smoothly except the Admin has not been protected by a Let's Encrypt certificate automatically even though the option to do so was selected:

    Code:
    Checking / creating certificate for server2.serverdomain.co.uk
    Using certificate path /etc/letsencrypt/live/server2.serverdomain.co.uk
    Using nginx for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for server2.serverdomain.co.uk
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. server2.serverdomain.co.uk (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://server2.serverdomain.co.uk/.well-known/acme-challenge/XAMjkrLzkPTL59zGovNNpx06-BsBzgIDe3TRkILy4hE: Connection refused
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's not true, see Debian 10 perfect server install guide. As a side note, ISPConfig is not using OpenDkim for mail signing anyway, dkim signing os done by either amavis or rspamd.

    This means that the server hostname is not reachable from outside, so certbot can not issue a LE SSL cert. The server hostname must exist in dns and it must be accessible from the internet on port 80.
     
    ahrasis likes this.
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  4. DylanPedro

    DylanPedro Member HowtoForge Supporter

    So I used the auto installed and all went smoothly, but have two questions:
    1. Even though Lets Encrypt is installed, the admin is still only protected by a Self Signed Cert. I've made sure I can telnet to server2.serverdomain.co.uk from another server on both 80 and 443 and it works so do not understand why it hasn't worked?
      Code:
      [INFO] Letsencrypt installed.
    2. The script has installed the Apache webserver, how to you get it to install nginx instead? Managed to do this by adding --use-nginx
     
    Last edited: Jan 18, 2021
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Go through the faq linked above for reasons it might fail.
     
  6. DylanPedro

    DylanPedro Member HowtoForge Supporter

    I've looked at the FAQ's and cannot find anything that stands out. My server is at server2.serverdomain.co.uk, I added another domain as server3.serverdomain.co.uk and made sure the A recorded pointed to the same IP as the server in the external DNS records. After requesting SSL and Let's Encrypt in ISPConfig Admin panel, it successfully issued the Let's Encrypt certificate. This shows Let's Encrypt is working but has not protected the installation using the the auto installer?
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Correct. The installer will try to issue a certificate for $(hostname -f), ensure dns is correct for that name (check ipv4 and ipv6); if your letsencrypt setup is working for normal websites, there's not a lot left to test (from memory). Run ispconfig_updates.sh --force and answer yes to requesting a certificate and see what happens then, and check letsencrypt.log afterwards (and I'm not 100% positive letsencrypt.log gets updated from the installer, but check that).
     
  8. DylanPedro

    DylanPedro Member HowtoForge Supporter

    So that's strange...
    Typing ispconfig_updates.sh --force gave the following error:
    Code:
    bash: ispconfig_updates.sh: command not found
    So I went down the wget https://ispconfig.org/downloads/ISPConfig-3.2.2.tar.gz route and did it that way and after answering yes to requesting a certificate it worked with the following message:

    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for server2.serverdomain.co.uk
    Using certificate path /root/.acme.sh/server2.serverdomain.co.uk
    Using nginx for certificate validation
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: 
    1. Is it correct that the cert acme is stored in the root folder?:
    2. This is a fresh server setup on AWS, setup using the minimal Debian 10 guide, all correct ports are open on the firewall (AWS) and lastly it was setup using the install script, so why would the Let's Encrypt script not work first time round?
    3. Why did it come up with a "bash: ispconfig_updates.sh: command not found" is everything was setup using the guide and auto installer?
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    1. Yes
    2. I don't know
    3. Sorry, typo in the name, try ispconfig_update.sh (from memory, I can verify that tomorrow)
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    1. Yes.
    2. Domain or subdomain may take some times to properly propagate.
    3. Typo error.
     
  11. DylanPedro

    DylanPedro Member HowtoForge Supporter

    Everything seems fine with the above, only issue now is the following after the auto-script:

    Code:
    Err:5 https://rspamd.com/apt-stable buster InRelease
      The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FFA232EDBF21E25E
    Reading package lists... Done
    W: GPG error: https://rspamd.com/apt-stable buster InRelease: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY FFA232EDBF21E25E
    E: The repository 'http://rspamd.com/apt-stable buster InRelease' is not signed.
    N: Updating from such a repository can't be done securely, and is therefore disabled by default.
    N: See apt-secure(8) manpage for repository creation and user configuration details.
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Try
    Code:
    apt-get install -y lsb-release wget # optional
    CODENAME=`lsb_release -c -s`
    wget -O- https://rspamd.com/apt-stable/gpg.key | apt-key add -
    echo "deb [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" > /etc/apt/sources.list.d/rspamd.list
    echo "deb-src [arch=amd64] http://rspamd.com/apt-stable/ $CODENAME main" >> /etc/apt/sources.list.d/rspamd.list
     
  13. DylanPedro

    DylanPedro Member HowtoForge Supporter

    That worked, now only seeing this message on Debian 10, is this normal?

    Code:
    The following packages have been kept back:
      rspamd
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Run
    Code:
    apt install rspamd
     

Share This Page