Let's Encrypt SSL certificate not installing inside ISPConfig during installation - DNS server issue

Discussion in 'Installation/Configuration' started by FX2LTD, Mar 8, 2021.

  1. FX2LTD

    FX2LTD New Member

    Hi, I could not manage to get the Let's Cert SSL certificate to be installed correctly within ISPConfig 3.2, in the end I gave up and I have done it externally (using the instrucions on certbot eff org). So now I have the funny result that the main website (i.e. the frontend of the domain name ISPCOnfig points to) works with an SSL certificate, but all the backend services don't (ispconfig, roundcube, phpmyadmin etc.), and they are using the auto-generated non-verified SSL certificate.
    During my many attempts, I was encountering the error I saw above:
    Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1
    It's a DNS issue, but in all the tutorials I have found, everybody mention about checking/working on the configuration of the DNS servers, but it's not clear to me which ones. Are they talking about the ISP/Registrar DNS servers, the ISPConfig DNS area, Bind DNS configuration?
    I believe that the ISP DNS servers and my ubuntu server host file are configured correctly, but I don't see why ISPconfig tries to resolve my static public IP address on 127.0.0.1.
    Thanks in advance for the possible reply
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The DNS servers that are authoritative for the domain (zone) that the hostname of your server belongs to. example:

    Your hostname is server1.example.com

    In this case, the zone is 'example.com' and you must now edit the DNS servers that are responsible for the zone example.com and add a A-record for 'server1' that points to the IP address of your server. You can find out which serevrs are the responsible ones at your domain registrar.
     
  3. FX2LTD

    FX2LTD New Member

    Thank you very much for the explanation.
    As far as I know, that has been done correctly, still the procedure fails within ISPConfig. Instead I have done it via certbot, which is a different procedure and it worked. With the funny result now that the website is secured, while all the services that are managed by ISPConfig and ISPConfig control panel itself, are not covered. I assume the certificate is different, and probably it's stored in a different location.
    What I was not understanding, was why, when it failed, it couldn't find the public static IP address; it was reportedly not found by 127.0.0.1, I would have expected the message to mention the registrar's DNS servers. I thought of some issues between the physical server and the router (i.e. some ports not open, or configured correctly). Is there a procedure to work on the certificates, and try until it works, without having to reinstall or update ISPConfig over and over?
    Thanks
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should never do this, as it will break the integration of ISPConfig with certbot for your website.

    It did not tell you it was not found by 127.0.0.1, it told you that the IP found for your hostname was 127.0.0.1, instead of a public IP.

    No, not if you want to use the features to symlink it.
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    if you have anything saying the ip it's found for your hostname is 127.0.1.1 then you don't necessarily have any dns problems.
    * you may still have other dns problems, but this isn't one of them.

    the only place you will find any references to 127.0.1.1 is in your /etc/hosts file.
    if you have this entry in there, (make sure it is really 127.0.1.1 and not 127.0.0.1, you don't want to mess with the 127.0.0.1 entry)
    then you should probably comment it out and create a new entry with your servers local ip address, along with it's hostname and fqdn.

    eg assuming your server is host1 on domain2.com and it's local ip is 123.45.67.89 (it may have another public floating ip that can be re-assigned between hosts, eg 234.12.34.56)

    in this case your /etc/hosts file would go from
    Code:
    127.0.1.1  host1 host1
    127.0.0.1 localhost
    
    to
    Code:
    #127.0.1.1  host1 host1
    127.0.0.1 localhost
    
    123.45.67.89  host1.domain2.com   host1
    
    you would also add other ispconfig hosts on the same local net in here, eg:

    123.45.67.90 host2.domain2.com host2
    123.45.67.91 host3.domain2.com host3

    this would ensure that can all contact each other using the local ip's and no going out through some front-facing firewall/lb and back in again.
    you would then add the public floating ip's as A records in the dns zone. ie:
    234.12.34.56 host1.domain2.com
    234.12.34.57 host2.domain2.com

    so that they can be reached from external locations.
    these public floating ip's are also the ip's you would add to the dns for any websites you host on each parti
     
  6. FX2LTD

    FX2LTD New Member

    ################################################################################
    Thank you both for your reply, this second one is deeper into my curiosity, so I appreciate also the extra lenght in explaining.
    I am going to post here my current host file and the registrar's DNS records, just in case I did not notice anything wrong (i.e. I had not seen the error message was about 127.0.1.1 and I thought it was 127.0.0.1, my bad). I will change some names and IPs just for security reasons:
    /etc/hosts

    127.0.0.1 localhost
    #127.0.1.1 shuttle.shuttle.example.com
    176.16.2.100 shuttle.shuttle.example.com shuttle

    # The following lines are desirable for IPv6 capable hosts
    ::1 localhost ip6-localhost ip6-loopback
    #fe00::0 ip6-localnet
    #ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    Damn! I have just discovered that what was supposed to be shuttle.example.com is, for some reason, listed as shuttle.shuttle.example.com
    I wonder where that comes from, as it's nowhere written like that, and I have never written it like that, nor in the hostfile, or inside ISPConfig!

    DNS Zone:

    DNS ENTRY TYPE PRIORITY TTL DESTINATION/TARGET
    * A xx.xxx.xxx.224
    @ MX 10 shuttle.example.com.
    @ A xx.xxx.xxx.224
    cp A xx.xxx.xxx.224
    ftp A xx.xxx.xxx.224
    shuttle A xx.xxx.xxx.224
    www A xx.xxx.xxx.224

    I will look into what you explained and I will see how to implement it.
    I have also seen that CERTBOT can provide wildcard SSL certificates, I am not sure whether ISPConfig is able to do that or not, as so far I had all the trouble I was talking about, and the result was also a self-generated SSL, which Chrome and Firefox notify me about every time.

    Thanks so far, this is all very helpful

    Regards
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If your hostname is "server1.example.com", the hosts file should be like this:
    Code:
    127.0.0.1       localhost
    127.0.1.1       server1.example.com server1
    The DNS entries look good to me, but as your hostname was incorrect, the installer tried to issue a cert for a non-existing hostname.

    Wilcard LE certs are currently not supported in ISPConfig.
     
  8. barbarab

    barbarab New Member

    Hi, I've exactly the same problem. During installation I got the message: Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1
    My dns records are ok (checked with mxtools and google dig).
    Hosts file is like the Th0m's one
    I already cleaned the ssl directory (/usr/local/ispconfig/interface/ssl) and re-launched the ispconfig_update.sh.
    I'd like to know if (and how) you solved the problem. Thank you
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do a forced update and let it create a new SSL cert. If it throws this error, answer yes when asked if you want to try anyway.

    ispconfig_update.sh --force
     
  10. barbarab

    barbarab New Member

    Hi Thom,
    I did the force update and then said yes to go on, but I just obtain a self-signen certificate.
    Below the message. Any ideas?
    ---
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for bla.bla.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain bla.bla.com
    http-01 challenge for bla.bla.com
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ..........................................................................................................................................................................................++++
    .................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:...
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share the real hostname and IP?
     
  12. barbarab

    barbarab New Member

    I'd prefer not to share publicly, should I start a conversation? Other ways?
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, feel free to send it in a PM.
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What might be the problem is the default vhost. Try
    Code:
    a2dissite 000-default
    and then run a force update.

    (EDIT: I have checked the DNS record, should be OK. But I see the default Apache2 page, which may be the issue)
     
  15. barbarab

    barbarab New Member

    Hi, thank you Thom,
    unfortunately, I disabled the default apache page and then run a force update, but I got the same result: Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1 and therefore a self-signed certificate
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Check your /etc/hosts file, you probably have a line for the hostname in there which has the local 127.0.... IP address instead of the external one. See posts #5 and #6 in this thread for the solution.
     
  17. barbarab

    barbarab New Member

    Hi Till,
    thank you. So:
    1) I changed the hosts file adding the router public IP
    2) I changed ispconfig port from 8091 to 8080
    3) I opened the 8080 port in the router and the 80 port to the internal machine ip
    4) I cleaned the ssl folder and run again the force update.
    Now it doesn't mention the "Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1" issue, but still it says: "Challenge failed for domain" and creates a self-signed certificate
     
  18. barbarab

    barbarab New Member

    My provider has ipv6 enabled but not assigned
     
  19. barbarab

    barbarab New Member

    Hi,
    I eventually rebuilt the machine from scratch and everything went smoothly.

    At the first attempt I had two-three problems:
    1) I missed the A record
    2) the port 80 was closed
    3) (maybe) file hosts missing the external IP
    I fixed all the issues afterwards and then run the ispconfig_update.sh (many times), with no result (always "Connection refused" in the log).
    The impression is that after the first failure, the ispconfig force update for some reason couldn't succeed in releasing the certificate.
    https://quickview.cloudapps.cisco.com/quickview/bug/CSCvt34984
    Hope this is helpful to whoever has the same problem.
     
    Last edited: Jun 8, 2021
  20. Aleeekoi

    Aleeekoi New Member

    Hi! I Have the same issue, do you find a solution? :/
     

Share This Page