Let's Encrypt SSL with ISPConfig 3.1.1 not working

Discussion in 'ISPConfig 3 Priority Support' started by DonMcCoy, Oct 28, 2016.

  1. DonMcCoy

    DonMcCoy New Member HowtoForge Supporter

    Hello, I've tried to set up Let's Encrypt but it is still failing.

    According to the ISPConfig-Lets Encrypt GitHub page, they say that Let's Encrypt comes native with ISPConfig, but for me I couldn't notice that Let's Encrypt was installed at all.
    When I try to tick Let's Encrypt in the website settings in ISPConfig, it won't do anything, and when I go back to the website page I see that Let's Encrypt is unticked!

    What am I missing? Should I install the plugin manually from GitHub?
     
  2. oNdsen

    oNdsen New Member HowtoForge Supporter

    Please install it as described in the official tutorial:
    https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt
    Code:
    mkdir /opt/certbot
    cd /opt/certbot
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    Code:
    ./certbot-auto
    The command will then tell you that "no names were found in your configuration files" and ask if it shall continue; please choose "no" here, as the certs will be created by ISPConfig.
     
    DonMcCoy likes this.
  3. DonMcCoy

    DonMcCoy New Member HowtoForge Supporter

    Hello oNdsen, thanks for your reply,

    However, I have already set it up as mentioned in that tutorial, but the problem that I ran into is the following:

    The certs are generated correctly in the /etc/letsencrypt directory, but the symlinks that were generated by ISPConfig were misnamed.

    ISPConfig has done the following:
    1. Created a symlink from: /etc/letsencrypt to: /var/www/example.com/ssl/example.com-le{.crt, .key}.
    2. Declared them in the nginx vhost falsely as: /var/www/example.com/ssl/example.com{.crt, .key}.
    You see, without the (-le).

    So what do you think?
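
Added example, not part of the original post and not ISPConfig code: a POSIX shell check for the mismatch described above, where the nginx vhost names certificate files that do not exist while `-le` symlinks sit beside them. The function name, the temporary directory layout and the sample vhost are constructed for illustration.

```shell
#!/bin/sh
# Added example (not ISPConfig code): list each ssl_certificate /
# ssl_certificate_key path in an nginx vhost file that does not resolve to a
# real file, and point out a "-le" sibling if one sits next to it.

# check_vhost_certs VHOST_FILE -> one line per broken path; returns 1 if any.
check_vhost_certs() {
    problems=$(
        awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" {
                 sub(/;$/, "", $2); print $1, $2 }' "$1" |
        while read -r directive path; do
            if [ -e "$path" ]; then continue; fi   # -e follows symlinks
            sibling="${path%.*}-le.${path##*.}"
            if [ -L "$path" ]; then
                echo "DANGLING $directive $path -> $(readlink "$path")"
            elif [ -e "$sibling" ]; then
                echo "MISNAMED $directive $path (found $sibling)"
            else
                echo "MISSING $directive $path"
            fi
        done
    )
    if [ -z "$problems" ]; then return 0; fi
    printf '%s\n' "$problems"
    return 1
}

# Constructed fixture mirroring the post: the symlinks are named
# example.com-le.*, the vhost references example.com.* (sample paths only).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/live" "$d/ssl"
    : > "$d/live/fullchain.pem"; : > "$d/live/privkey.pem"
    ln -s "$d/live/fullchain.pem" "$d/ssl/example.com-le.crt"
    ln -s "$d/live/privkey.pem" "$d/ssl/example.com-le.key"
    cat > "$d/vhost" <<EOF
server {
    listen 443 ssl;
    ssl_certificate $d/ssl/example.com.crt;
    ssl_certificate_key $d/ssl/example.com.key;
}
EOF
    echo "$d"
}

fixture=$(make_fixture)
check_vhost_certs "$fixture/vhost" || echo "vhost and symlink names disagree"
rm -rf "$fixture"
```

On a real server the argument would be the site's vhost file; running `nginx -t` afterwards confirms that nginx itself can load the referenced files.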
     
  4. oNdsen

    oNdsen New Member HowtoForge Supporter

  5. DonMcCoy

    DonMcCoy New Member HowtoForge Supporter

    Thanks for the link. I also did the same as this hotfix but got other things broken with nginx, so I reverted the changes and we will wait then.
     
  6. oNdsen

    oNdsen New Member HowtoForge Supporter

    You're welcome :)
     
    DonMcCoy likes this.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    DonMcCoy and oNdsen like this.
  8. rob_morin

    rob_morin Member HowtoForge Supporter

    Not sure if I should start a new thread or not?
    But while trying to enable https with a test domain, I get the following errors in the /var/log/letsencrypt/letsencrypt.log file.
    But DNS and A record is fine...

    Any ideas?
    Thanks...

    2016-10-28 12:37:08,422:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
    Domain: www.lumpyjunk.com
    Type: unauthorized
    Detail: Invalid response from http://www.lumpyjunk.com/.well-known/acme-challenge/9b7sC9L1bUCsIFbZispSZLNG7-LbMsmEQLcdSrMEByA: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    Domain: lumpyjunk.com
    Type: unauthorized
    Detail: Invalid response from http://lumpyjunk.com/.well-known/acme-challenge/kyA0cdLQA12Itgr7RI2cWvE646S7XpaQ2tsBTiVGukU: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2016-10-28 12:37:08,422:INFO:certbot.auth_handler:Cleaning up challenges
    2016-10-28 12:37:08,422:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/kyA0cdLQA12Itgr7RI2cWvE646S7XpaQ2tsBTiVGukU
    2016-10-28 12:37:08,423:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/9b7sC9L1bUCsIFbZispSZLNG7-LbMsmEQLcdSrMEByA
    2016-10-28 12:37:08,423:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2016-10-28 12:37:08,423:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    2016-10-28 12:37:08,424:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
    File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 100, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 281, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. www.lumpyjunk.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.lumpyjunk.com/.well-known/acme-challenge/9b7sC9L1bUCsIFbZispSZLNG7-LbMsmEQLcdSrMEByA: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht", lumpyjunk.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://lumpyjunk.com/.well-known/acme-challenge/kyA0cdLQA12Itgr7RI2cWvE646S7XpaQ2tsBTiVGukU: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
     
  9. oNdsen

    oNdsen New Member HowtoForge Supporter

    Looks like the A record of lumpyjunk.com doesn't point to the correct server.
    Can you please verify that lumpyjunk.com and also www.lumpyjunk.com are pointing to the correct server IP address?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

  11. rob_morin

    rob_morin Member HowtoForge Supporter

    lumpyjunk.com and www.lumpyjunk.com both point to the same IP and are resolvable via Google DNS:
    [email protected]:~/.local/share/letsencrypt/bin# nslookup www.lumpyjunk.com 8.8.8.8
    Server: 8.8.8.8
    Address: 8.8.8.8#53

    Non-authoritative answer:
    Name: www.lumpyjunk.com
    Address: 216.252.64.38
     
  12. rob_morin

    rob_morin Member HowtoForge Supporter

    Ok sorry Till
     
  13. DonMcCoy

    DonMcCoy New Member HowtoForge Supporter

    Thanks Till, your hotfix works like a charm.
     
