(Let's encrypt) SSL for external domain

Discussion in 'Installation/Configuration' started by Manisch, Dec 24, 2020.

  1. Manisch

    Manisch New Member HowtoForge Supporter

    Hi there,

    I still have a Christmas-Question for you :D

    So, I have an external domain that should be forwarded to this Server on which Ubuntu 20.04 and ISPConfig runs. It mostly seems to be working fine, just the SSL doesn't work yet, at least for this website/the external domain. The Server itself seems to be fine. When I log into ISPConfig, the browser shows me the little lock :)

    Just to be sure: When I create a Website, which domain do I have to enter there?
    I entered the external domain and the Site itself works as it was intended (just without SSL).
    The browser shows the URL I want to show and the "page content" is also correct.

    If I check the SSL and Let's Encrypt checkbox at the bottom of the Website settings in ISP and click on save, they won't stay checked.
    If I only check SSL (without Let's Encrypt), it at least stays this way.

    Since this is an external domain, do I have to do something different?
    Like "transferring" the certificate or make some external adjustments?

    As far as I can see, no log is mentioning any specific errors. Even more: The Let's Encrypt log is not even mentioning that something happened after I clicked on "save" after checking the checkbox. The last log entry was created hours ago :D
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Manisch

    Manisch New Member HowtoForge Supporter

    Thanks, but I'm afraid this doesn't really help.

    Some of the stuff seems outdated, Let's Encrypt seems to work in general and the log doesn't really show anything.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Go again through each step of the FAQ incl the last step about debugging. The FAQ contains all steps that need to be done to track down all possible LE problems for all ISPConfig versions.

    If you used LE manually, then it must fail in ISPConfig for that website you used it for.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    What do you mean by an 'external' domain, the public ip address is actually a cdn or other server that proxies connections to your server in the background?
     
  6. Manisch

    Manisch New Member HowtoForge Supporter

    - Check that you have Let’s Encrypt (certbot) installed. ISPConfig 3.1.16 and newer will also support acme.sh as client.
    -- It is installed

    - Check that the Let's encrypt client 'certbot' is updated (when using certbot).
    -- It's the latest version

    - Check that you run the latest ISPConfig version.
    -- It's updated

    - When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
    -- It's not behind a NAT

    - Check that all domain names (incl. auto subdomain www etc.), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
    -- That's one of the things where I'm not sure about the external domain.
    Visiting this domain shows me the right page and the browser's address-bar also shows the right address, so it seems fine to me.
    But I don't know how to access this page "originally" without the external domain.
    It's forwarded to an IP address. If I visit this IP directly, I see the Apache2 Ubuntu Default Page, which is not the content it's supposed to show.

    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected.
    -- It's Apache 2.4.41

    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update and choose to reconfigure services in that case.
    -- It's a fresh install, so I didn't update

    - You can find the log files here: /var/log/letsencrypt
    -- Like I said above, the log doesn't really show anything. There are no new entries after clicking the LE Checkbox and saving it.

    - What if the above steps don't help? Then use the ISPConfig debug mode to find out what the reason for the failure is:
    -- I guess I don't know how this works. After entering the command /usr/local/ispconfig/server/server.sh nothing happens.
    If I go to (ISP) Monitor > System State > System Log, it's empty, too.
    Log Files > System Log shows some stuff, but nothing that seems connected to LE. Mostly some "connect" and "disconnect" stuff.

    I mean that I haven't set up any DNS settings on my own server and just forwarded a domain that I already had in a Webhosting package somewhere else.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you point the A (and eventual AAAA) DNS records for the domain(s) and eventual sub(domains) to your server?

    And did you use the certbot command manually for this domain? Because, as said, that would break the use of ISPConfig for it.
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Most likely your issue(s) is(are) in how you forward this, and what the remote server is doing with the letsencrypt verification requests; apparently it's not passing the requests to your server. And that might be fine, there's no "right answer" as to what should happen; perhaps the remote end should be used to request a certificate so your public ip address is using the certificate. What you're doing is trying to request a certificate for your ISPConfig server, which is largely irrelevant if actual web clients all connect to a different server.

    Is this 'external' domain setup intended to be permanent? If not, I wouldn't spend another moment on it, just set up a real domain and likely everything on your server is already working. If it is your long term setup, you'll have to figure out what happens on the remote server, and what you actually want to happen, at least enough that you could also explain why you want that. :)
     
  9. Manisch

    Manisch New Member HowtoForge Supporter

    Yes, just the A record. I could add the AAAA, as well, if that helps.

    Hmm, can we go the other way around: Is there a tutorial that shows how it should be done? I could better tell you whether or not I did it this way :D

    It's the first time I'm working with my own server and ISPConfig, so a lot of stuff is still quite new to me. I was told, if I'm only hosting one page/domain, there is no need to go through the DNS creation. Just forwarding a domain I already have somewhere else, should be fine.

    But I wouldn't mind setting this up in a way where everything is "under one roof". There is just some stuff that felt... too complex for the moment :D

    I know I would have to create a DNS Zone in ISP
    - What domain do I add there?
    -- If I already own this domain (at my "old" provider), do I have to cancel it over there first?

    - What Nameservers (NS1 + NS2) do I have to enter there? Can I just enter whatever I want?

    - Which email do I have to enter? Just an email that has nothing to do with the actual domain, so I can be..."contacted"?

    - And what comes then? Do I just have to wait 24/48h? :D
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    If your domain has nameservers from a different DNS provider, there is no need to set up a DNS zone in ISPConfig, I would even say it's not wise as you will start to confuse things.

    What do you exactly mean with "forwarding" it?

    Did you run a certbot command from the cli?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The FAQ contains a link that explains step by step what to do to use the debug mode. I've copied that link again for you:

    https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    You say you did not get any debug output, this means that you missed enabling debug mode. So here again:

    1) Enable debug log mode.
    2) Disable server.sh cronjob.
    3) Enable SSL and let's encrypt checkbox of the website where you want to have a Let's encrypt SSL cert for.
    4) Run server.sh and post the complete output that you get.

    A tutorial to tick 2 checkboxes? All you have to do is to tick the Let's encrypt checkbox and the SSL checkbox, that's all. If you did something else like running certbot manually, then the site might be locked and can not be managed from ispconfig anymore.
     
  12. Manisch

    Manisch New Member HowtoForge Supporter

    Hmm, I guess I was too impatient with those "wait 1-2 minutes". After letting it sit for a while, something was displayed:

    It says:
    Warning Let's Encrypt SSL Cert for: blablabla.de could not be issued.
    Warning Could not verify domain blablabla.de, so excluding it from letsencrypt request.

    I'm sorry, like I said: I'm new to all this, so I can't tell yet whether or not something you mention is a big thing or just two checkboxes.

    But in this case: I tried a few things. At first, I was only clicking those checkboxes. After that didn't work, I went to the SSL tab and selected "create certificate" at the bottom.

    Logging in to the domain provider, going to its DNS settings and replacing the A record IP with the one of the new server

    I'm not sure, is this the checkbox thing?
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Check with a site like dns.google.com the A record for blablabla.de, and see if it lists the correct IP of your server where you issue the cert.
    Alright, you should undo that - it's not the reason for your current issue but will cause other issues. Go to the SSL tab, select "Delete certificate" and save.

    No, the cli is the command line, where you run commands manually.
     
  14. Manisch

    Manisch New Member HowtoForge Supporter

    Here is the complete log:

    Code:
    2020-12-25 12:13 blabla.server.de Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    2020-12-25 12:13 blabla.server.de Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    2020-12-25 12:13 blabla.server.de Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    2020-12-25 12:13 blabla.server.de Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    2020-12-25 12:12 blabla.server.de Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    2020-12-25 12:12 blabla.server.de Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    2020-12-25 12:11 blabla.server.de Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    2020-12-25 12:11 blabla.server.de Debug Calling function 'restartPostfix' from module 'mail_module'.
    2020-12-25 12:11 blabla.server.de Debug Restarting httpd: systemctl restart apache2.service
    2020-12-25 12:11 blabla.server.de Debug Calling function 'restartHttpd' from module 'web_module'.
    2020-12-25 12:11 blabla.server.de Debug Processed datalog_id 75
    2020-12-25 12:11 blabla.server.de Debug Calling function 'server_update' from plugin 'webserver_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'server_services_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'dovecot' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Network configuration disabled in server settings.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Processed datalog_id 74
    2020-12-25 12:11 blabla.server.de Debug Calling function 'server_update' from plugin 'webserver_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'server_services_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'dovecot' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Network configuration disabled in server settings.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
    2020-12-25 12:11 blabla.server.de Debug Processed datalog_id 73
    2020-12-25 12:11 blabla.server.de Debug Apache online status after restart is: running
    2020-12-25 12:11 blabla.server.de Debug Apache restart return value is: 0
    2020-12-25 12:11 blabla.server.de Debug Restarting httpd: systemctl restart apache2.service
    2020-12-25 12:11 blabla.server.de Debug Calling function 'restartHttpd' from module 'web_module'.
    2020-12-25 12:11 blabla.server.de Debug Apache status is: running
    2020-12-25 12:11 blabla.server.de Debug Writing the vhost file: /etc/apache2/sites-available/blabla.de.vhost
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Warning
    2020-12-25 12:11 blabla.server.de Debug NON-String given in escape function! (boolean)
    2020-12-25 12:11 blabla.server.de Warning Let's Encrypt SSL Cert for: blabla.de could not be issued.
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Warning Could not verify domain www.blabla.de, so excluding it from letsencrypt request.
    2020-12-25 12:11 blabla.server.de Warning Could not verify domain blabla.de, so excluding it from letsencrypt request.
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    2020-12-25 12:11 blabla.server.de Debug Processed datalog_id 72
    2020-12-25 12:11 blabla.server.de Debug Apache online status after restart is: running
    2020-12-25 12:11 blabla.server.de Debug Apache restart return value is: 0
    2020-12-25 12:11 blabla.server.de Debug Restarting httpd: systemctl restart apache2.service
    2020-12-25 12:11 blabla.server.de Debug Calling function 'restartHttpd' from module 'web_module'.
    2020-12-25 12:11 blabla.server.de Debug Apache status is: running
    2020-12-25 12:11 blabla.server.de Debug Writing the vhost file: /etc/apache2/sites-available/blabla.de.vhost
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    2020-12-25 12:11 blabla.server.de Debug Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    2020-12-25 12:11 blabla.server.de Debug Found 4 changes, starting update process.
    2020-12-25 12:11 blabla.server.de Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Please put logs and code within code tags (in the editor: insert -> code)
     
  16. Manisch

    Manisch New Member HowtoForge Supporter

    Google says:

    "Status": 0,
    "TC": false,
    "RD": true,
    "RA": true,
    "AD": false,
    "CD": false,
    "Question": [
      {
        "name": "blablabla.de.",
        "type": 1
      }
    ],
    "Answer": [
      {
        "name": "blablabla.de.",
        "type": 1,
        "TTL": 21599,
        "data": "*yes, this is the new Server's IP"
      }
    ],
     
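    Th0m's suggestion was to look up the A record at dns.google and compare it with the server's address. The following is an added example, written for this page and not taken from the thread or from ISPConfig, that automates that comparison offline: it parses replies in the JSON shape that https://dns.google/resolve returns (the same shape Manisch pasted above) and lists every published A or AAAA address that is not the server. All sample replies and IP addresses in it are constructed; nothing comes from the thread.

```python
import ipaddress
import json

# Constructed samples shaped like a dns.google /resolve JSON reply (addresses are
# from the documentation ranges; none of these values come from the thread).
SAMPLE_OK = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "blablabla.de.", "type": 1}],
    "Answer": [{"name": "blablabla.de.", "type": 1, "TTL": 21599, "data": "203.0.113.10"}],
})
# Same query, but the A record still points at the old hosting provider.
SAMPLE_STALE = json.dumps({
    "Status": 0,
    "Question": [{"name": "blablabla.de.", "type": 1}],
    "Answer": [{"name": "blablabla.de.", "type": 1, "TTL": 300, "data": "198.51.100.7"}],
})
# AAAA lookup whose answer is an IPv6 address that is not the new server.
SAMPLE_STRAY_AAAA = json.dumps({
    "Status": 0,
    "Question": [{"name": "blablabla.de.", "type": 28}],
    "Answer": [{"name": "blablabla.de.", "type": 28, "TTL": 300, "data": "2001:db8::7"}],
})
# NXDOMAIN: the resolver sets RCODE 3 and returns no Answer section at all.
SAMPLE_NXDOMAIN = json.dumps({"Status": 3, "Question": [{"name": "blablabla.de.", "type": 1}]})

RRTYPE_NAMES = {1: "A", 28: "AAAA"}  # DNS RR type numbers as used in the JSON reply


def address_records(response_json):
    """Parse one dns.google reply into (rcode, {"A": [...], "AAAA": [...]}).

    Only address records are collected; a CNAME (type 5) in the Answer section is
    skipped because validation ends up at the final A/AAAA address anyway.
    """
    doc = json.loads(response_json)
    records = {"A": [], "AAAA": []}
    for rr in doc.get("Answer", []):
        name = RRTYPE_NAMES.get(rr.get("type"))
        if name:
            records[name].append(ipaddress.ip_address(rr["data"]))
    return doc.get("Status", 0), records


def check_points_to_server(responses, server_ips):
    """Compare the published A/AAAA records (one or more dns.google replies, e.g.
    one for type=A and one for type=AAAA) with the addresses this server has.

    Returns a list of problem strings; an empty list means every published
    address is this server, which is what HTTP-01 validation needs.
    """
    want = {ipaddress.ip_address(ip) for ip in server_ips}
    published = set()
    problems = []
    for resp in responses:
        rcode, recs = address_records(resp)
        if rcode != 0:
            problems.append(f"resolver returned RCODE {rcode} (3 = NXDOMAIN): nothing to validate")
            continue
        published |= set(recs["A"]) | set(recs["AAAA"])
    if not published and not problems:
        problems.append("no A/AAAA record published for the name")
    for ip in sorted(published - want, key=str):
        kind = "AAAA" if ip.version == 6 else "A"
        problems.append(f"{kind} record {ip} is not this server; the CA will validate against that host")
    return problems


if __name__ == "__main__":
    for label, replies in (("ok", [SAMPLE_OK]), ("stale", [SAMPLE_STALE]),
                           ("stray AAAA", [SAMPLE_OK, SAMPLE_STRAY_AAAA]), ("nxdomain", [SAMPLE_NXDOMAIN])):
        print(label, check_points_to_server(replies, ["203.0.113.10"]) or "looks fine")
```

    To use it against a real name, save the reply of https://dns.google/resolve?name=<domain>&type=A (and the same with type=AAAA) and pass both strings to check_points_to_server together with the server's public addresses. The AAAA case matters for the idea of adding an AAAA record raised earlier in the thread: when an AAAA record exists, Let's Encrypt attempts validation over IPv6 first, so an AAAA record that points to an address which does not serve the site on port 80 can break validation rather than help it.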
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you opened port 80 and 443 on your server?
     
  18. Manisch

    Manisch New Member HowtoForge Supporter

    Well, not intentionally :D

    I have to leave now for some Christmas-stuff. But thanks everyone for helping me out so far!
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  20. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is that the domain name can not be reached from the server. Is the server in a data center and has an 'official' IP address assigned directly, or do you host it at home or in office behind a router? And the FAQ tells you to try to disable the LE check if the system is behind a router, did you try that?
     
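    till's last reply and Th0m's question about ports 80 and 443 come down to one test: can an HTTP request for the domain reach this server and get the challenge file back? The following is an added example, written for this page and not taken from the thread or from ISPConfig, of such a preflight. It reproduces the HTTP-01 request shape (GET /.well-known/acme-challenge/<token>, expecting the key authorization string back) against a local stand-in server so that it runs offline; the token and key-authorization strings are constructed placeholders, and the three demo cases mirror the outcomes discussed in this thread: challenge served, a vhost that answers but does not know the token (like the Apache default page on the bare IP), and a closed or blocked port.

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

# HTTP-01 validation fetches http://<domain>/.well-known/acme-challenge/<token>
# on port 80 and expects the key authorization string as the response body.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def port_open(host, port, timeout=3.0):
    """Plain TCP connect: is something listening on host:port from where this runs?"""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def http01_preflight(host, port, token, expected_body, timeout=5.0):
    """Fetch the challenge URL the way a validator would and classify the outcome.

    Returns (ok, reason). Each failure reason names the layer that failed, which
    is the information the thread's debug log does not give.
    """
    if not port_open(host, port, timeout):
        return False, f"tcp {host}:{port} unreachable: closed port, firewall, NAT or wrong IP"
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", "replace").strip()
    except urllib.error.HTTPError as err:
        return False, f"http {err.code}: the vhost answering on this address does not serve the challenge"
    except urllib.error.URLError as err:
        return False, f"request failed: {err.reason}"
    if body != expected_body:
        return False, "challenge path answered with the wrong content: a different site or host replied"
    return True, "challenge served correctly"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Local stand-in for the web server: serves known tokens, 404 for everything else."""
    tokens = {}  # token -> key authorization; filled in per server instance

    def do_GET(self):
        if self.path.startswith(CHALLENGE_PREFIX):
            token = self.path[len(CHALLENGE_PREFIX):]
            if token in self.tokens:
                body = self.tokens[token].encode("ascii")
                self.send_response(200)
                self.send_header("Content-Type", "text/plain")
                self.send_header("Content-Length", str(len(body)))
                self.end_headers()
                self.wfile.write(body)
                return
        self.send_error(404)  # same outcome a default vhost gives for the challenge path

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_local_server(tokens):
    """Serve the given tokens on 127.0.0.1 with an ephemeral port; returns (server, port)."""
    handler = type("BoundHandler", (ChallengeHandler,), {"tokens": dict(tokens)})
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the preflight against the local stand-in for the three outcomes.

    Token and key authorization are constructed placeholders, not real ACME values.
    Returns {"served": ok, "missing": ok, "closed": ok}.
    """
    token, keyauth = "demo-token", "demo-token.demo-thumbprint"
    srv, port = start_local_server({token: keyauth})
    try:
        served, _ = http01_preflight("127.0.0.1", port, token, keyauth)
        missing, _ = http01_preflight("127.0.0.1", port, "other-token", "other-token.demo-thumbprint")
    finally:
        srv.shutdown()
        srv.server_close()
    closed, _ = http01_preflight("127.0.0.1", port, token, keyauth)  # nothing listens any more
    return {"served": served, "missing": missing, "closed": closed}


if __name__ == "__main__":
    print(demo())
```

    Against a real host, call http01_preflight(domain, 80, token, keyauth) both from a machine outside the network and from the server itself after placing a test file under the site's /.well-known/acme-challenge/ directory: the NAT case till describes is exactly the one where the outside request succeeds while the server's own request fails, which is what the "Skip Letsencrypt check" option from the FAQ works around. The function only performs a GET; it does not carry out any ACME step itself.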