Let's Encrypt SSL certificate not installing inside ISPConfig during installation - DNS server issue

Discussion in 'Installation/Configuration' started by FX2LTD, Mar 8, 2021.

  1. FX2LTD

    FX2LTD New Member

    Hi, I could not manage to get the Let's Encrypt SSL certificate to be installed correctly within ISPConfig 3.2, in the end I gave up and I have done it externally (using the instructions on certbot eff org). So now I have the funny result that the main website (i.e. the frontend of the domain name ISPConfig points to) works with an SSL certificate, but all the backend services don't (ispconfig, roundcube, phpmyadmin etc.), and they are using the auto-generated non-verified SSL certificate.
    During my many attempts, I was encountering the error I saw above:
    Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1
    It's a DNS issue, but in all the tutorials I have found, everybody mentions checking/working on the configuration of the DNS servers, but it's not clear to me which ones. Are they talking about the ISP/Registrar DNS servers, the ISPConfig DNS area, the Bind DNS configuration?
    I believe that the ISP DNS servers and my Ubuntu server hosts file are configured correctly, but I don't see why ISPConfig tries to resolve my static public IP address on 127.0.0.1.
    Thanks in advance for the possible reply
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The DNS servers that are authoritative for the domain (zone) that the hostname of your server belongs to. example:

    Your hostname is server1.example.com

    In this case, the zone is 'example.com' and you must now edit the DNS servers that are responsible for the zone example.com and add an A record for 'server1' that points to the IP address of your server. You can find out which servers are the responsible ones at your domain registrar.
     
  3. FX2LTD

    FX2LTD New Member

    Thank you very much for the explanation.
    As far as I know, that has been done correctly, still the procedure fails within ISPConfig. Instead I have done it via certbot, which is a different procedure and it worked. With the funny result now that the website is secured, while all the services that are managed by ISPConfig and ISPConfig control panel itself, are not covered. I assume the certificate is different, and probably it's stored in a different location.
    What I was not understanding, was why, when it failed, it couldn't find the public static IP address; it was reportedly not found by 127.0.0.1, I would have expected the message to mention the registrar's DNS servers. I thought of some issues between the physical server and the router (i.e. some ports not open, or configured correctly). Is there a procedure to work on the certificates, and try until it works, without having to reinstall or update ISPConfig over and over?
    Thanks
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should never do this, as it will break the integration of ISPConfig with certbot for your website.

    It did not tell you it was not found by 127.0.0.1, it told you that the IP found for your hostname was 127.0.0.1, instead of a public IP.

    No, not if you want to use the features to symlink it.
     
  5. nhybgtvfr

    nhybgtvfr Active Member

    if you have anything saying the ip it's found for your hostname is 127.0.1.1 then you don't necessarily have any dns problems.
    * you may still have other dns problems, but this isn't one of them.

    the only place you will find any references to 127.0.1.1 is in your /etc/hosts file.
    if you have this entry in there (make sure it is really 127.0.1.1 and not 127.0.0.1, you don't want to mess with the 127.0.0.1 entry)
    then you should probably comment it out and create a new entry with your server's local IP address, along with its hostname and FQDN.

    eg assuming your server is host1 on domain2.com and its local IP is 123.45.67.89 (it may have another public floating IP that can be re-assigned between hosts, eg 234.12.34.56)

    in this case your /etc/hosts file would go from
    Code:
    127.0.1.1  host1 host1
    127.0.0.1 localhost
    
    to
    Code:
    #127.0.1.1  host1 host1
    127.0.0.1 localhost
    
    123.45.67.89  host1.domain2.com   host1
    
    you would also add other ispconfig hosts on the same local net in here, eg:

    123.45.67.90 host2.domain2.com host2
    123.45.67.91 host3.domain2.com host3

    this would ensure they can all contact each other using the local IPs and not go out through some front-facing firewall/lb and back in again.
    you would then add the public floating IPs as A records in the DNS zone. ie:
    234.12.34.56 host1.domain2.com
    234.12.34.57 host2.domain2.com

    so that they can be reached from external locations.
    these public floating IPs are also the IPs you would add to the DNS for any websites you host on each parti
     
  6. FX2LTD

    FX2LTD New Member

    Thank you both for your reply, this second one goes deeper into my curiosity, so I appreciate also the extra length in explaining.
    I am going to post here my current hosts file and the registrar's DNS records, just in case I did not notice anything wrong (i.e. I had not seen that the error message was about 127.0.1.1 and I thought it was 127.0.0.1, my bad). I will change some names and IPs just for security reasons:
    /etc/hosts

    127.0.0.1 localhost
    #127.0.1.1 shuttle.shuttle.example.com
    176.16.2.100 shuttle.shuttle.example.com shuttle

    # The following lines are desirable for IPv6 capable hosts
    ::1 localhost ip6-localhost ip6-loopback
    #fe00::0 ip6-localnet
    #ff00::0 ip6-mcastprefix
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    Damn! I have just discovered that what was supposed to be shuttle.example.com is, for some reason, listed as shuttle.shuttle.example.com
    I wonder where that comes from, as it's nowhere written like that, and I have never written it like that, neither in the hosts file nor inside ISPConfig!

    DNS Zone:

    DNS ENTRY   TYPE   PRIORITY   TTL   DESTINATION/TARGET
    *           A                       xx.xxx.xxx.224
    @           MX     10               shuttle.example.com.
    @           A                       xx.xxx.xxx.224
    cp          A                       xx.xxx.xxx.224
    ftp         A                       xx.xxx.xxx.224
    shuttle     A                       xx.xxx.xxx.224
    www         A                       xx.xxx.xxx.224

    I will look into what you explained and I will see how to implement it.
    I have also seen that certbot can provide wildcard SSL certificates, I am not sure whether ISPConfig is able to do that or not, as so far I had all the trouble I was talking about, and the result was also a self-generated SSL certificate, which Chrome and Firefox notify me about every time.

    Thanks so far, this is all very helpful

    Regards
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If your hostname is "server1.example.com", the hosts file should be like this:
    Code:
    127.0.0.1       localhost
    127.0.1.1       server1.example.com server1
    The DNS entries look good to me, but as your hostname was incorrect, the installer tried to issue a cert for a non-existing hostname.

    Wildcard LE certs are currently not supported in ISPConfig.
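The check the thread keeps coming back to (the installer resolves the server's hostname and expects one of the machine's public IPs, and a default Debian/Ubuntu /etc/hosts line mapping the FQDN to 127.0.1.1 makes the local resolver answer with loopback instead) can be rehearsed before touching the ISPConfig installer. The following is an added example written for this page; it is not code from the forum posts or from ISPConfig or certbot. The two hosts-file samples, the hostname server1.example.com and the address 203.0.113.10 (a documentation range) are constructed for illustration, and `repeated_label` is a heuristic added here for the doubled "shuttle.shuttle" label that turned up in the thread:

```python
"""Pre-flight check for the hostname-to-public-IP test that the ISPConfig
installer performs before requesting a Let's Encrypt certificate.

Added example, not part of the forum thread or of ISPConfig's own code.
Sample hosts files, hostnames and IPs are constructed for illustration.
"""
import ipaddress
import socket
from typing import Dict, List

# Constructed sample: the stock Debian/Ubuntu layout that triggers the
# "public ip(s) not found ... : 127.0.1.1" message.
HOSTS_BROKEN = """\
127.0.0.1 localhost
127.0.1.1 server1.example.com server1
::1 localhost ip6-localhost ip6-loopback
"""

# Constructed sample: the FQDN mapped to the machine's own address instead.
HOSTS_FIXED = """\
127.0.0.1 localhost
#127.0.1.1 server1.example.com server1
203.0.113.10 server1.example.com server1
::1 localhost ip6-localhost ip6-loopback
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map every name in /etc/hosts-style text to the addresses listed for it.

    Comments (#...) and blank lines are ignored; names are compared
    case-insensitively, as the resolver does.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line; the resolver skips it as well
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def repeated_label(fqdn: str) -> bool:
    """Heuristic (assumption added here): flag names like shuttle.shuttle.example.com
    where the host label was accidentally prepended twice."""
    labels = fqdn.lower().split(".")
    return len(labels) >= 3 and labels[0] == labels[1]


def check_hostname(hosts_text: str, fqdn: str, public_ips: List[str]) -> Dict[str, object]:
    """Decide whether `fqdn`, looked up through the hosts table, yields one of
    `public_ips`. A leftover loopback mapping is still reported as a failure,
    because the resolver may hand that address back first."""
    resolved = parse_hosts(hosts_text).get(fqdn.lower(), [])
    loopback = [a for a in resolved if ipaddress.ip_address(a).is_loopback]
    matched = [a for a in resolved if a in public_ips]
    ok = bool(matched) and not loopback
    problem = None
    if not ok:
        problem = ("Server's public ip(s) (%s) not found in records for %s: %s"
                   % (", ".join(public_ips), fqdn, ", ".join(resolved) or "no answer"))
    if repeated_label(fqdn):
        problem = (problem or "") + " [hostname has a doubled first label]"
    return {"fqdn": fqdn, "resolved": resolved, "loopback": loopback,
            "ok": ok, "problem": problem}


def live_addresses(fqdn: str) -> List[str]:
    """What the local resolver (hosts file first, then DNS) really returns.
    Run this on the server itself; it is not used by the offline samples."""
    try:
        infos = socket.getaddrinfo(fqdn, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


if __name__ == "__main__":
    public = ["203.0.113.10"]  # constructed public address for the samples
    for label, text in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        print(label, check_hostname(text, "server1.example.com", public))
```

On a real server, replace the sample text with the contents of /etc/hosts and `public` with the addresses shown by `ip -4 addr`, and compare `live_addresses(hostname)` against the A record the registrar publishes; if the hosts table passes but the live lookup does not, the remaining gap is in the authoritative zone, not on the machine.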
     
