Let's encrypt

Discussion in 'Installation/Configuration' started by Bocki, Nov 5, 2017.

  1. Bocki

    Bocki New Member HowtoForge Supporter

    Hi,
    I'm currently activating Let's encrypt for various already configured websites. This process does not run totally smooth with my installation, therefore I've got one/maybe some questions.
    First of all: I activated Let's Encrypt for my website domain1.de. This worked fine, I can access the site via HTTPS. In the browser I see that the cert was issued today and is valid until February 3rd.
    But having a look in /etc/letsencrypt/archive/domain1.de I do not see any key/cert/chain. Where are these files saved to? I would like to use the cert elsewhere too (actually for accessing ISPConfig itself, Postfix, Dovecot...).
    Thanks!
     
  2. Bocki

    Bocki New Member HowtoForge Supporter

    I should have figured out that myself:
    Look in /etc/apache2/sites-enabled/100-domain1.de.vhost for the SSL configuration (SSLCertificateFile). There you find a path like /var/www/clients/client1/web1/ssl/domain1.de-le.crt. This is a file/symlink to something like /etc/letsencrypt/live/domain2.de/fullchain.pem.
    Et voila, that's the file and directory you look for.
    I wasn't aware that Let's Encrypt supports and ISPConfig uses SAN-certificates. Therefore I just had a look in the domain1.de directory. Sorry to have bothered you!
     
  3. Bocki

    Bocki New Member HowtoForge Supporter

    Well, but now, I hope, a serious question:

    As I wrote here I had to update some machines (Debian 8 to 9, ISPConfig 3.0.x to 3.1.7p1). I did that now and the process went smooth in general. But some little issues arise here due to the fact that I had manually added Let's Encrypt support in ISPConfig 3.0 following this procedure: https://github.com/alexalouit/ISPConfig-letsencrypt.

    I have now the official Debian "certbot" package installed, as described in the "perfect server" tutorial for Debian 9. Nevertheless under /root/.local/share/letsencrypt and /root/letsencrypt there are the remains of the old certbot installation. What is more in /var/spool/cron/crontabs/root there is the following:
    Code:
    30 02 * * * /root/.local/share/letsencrypt/bin/letsencrypt-renewer >> /var/log/ispconfig/cron.log; done
    But /root/.local/share/letsencrypt/ would not be there wouln't it be for the old install?!

    In /etc/cron.d/certbot there is:
    Code:
    0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew
    This seems correct as it comes from the Debian package.

    What is more, there is /etc/apache2/conf-enabled/letsencrypt.conf with:
    Code:
      <IfModule mod_headers.c>
        <LocationMatch "/.well-known/acme-challenge/*">
          Header set Content-Type "text/plain"
        </LocationMatch>
      </IfModule>
    Some websites do work with the Let's Encrypt certificate but I tried to issue another one for another website domain5.de and this one fails.

    The log output (as described in "Debugging of ISPConfig 3 server actions in case of a failure"):
    Code:
    [email protected]:~# /usr/local/ispconfig/server/server.sh
    06.11.2017-08:43 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.11.2017-08:43 - DEBUG - Found 1 changes, starting update process.
    06.11.2017-08:43 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    06.11.2017-08:43 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    06.11.2017-08:44 - WARNING - Could not verify domain domain5.de, so excluding it from letsencrypt request.
    06.11.2017-08:45 - WARNING - Could not verify domain www.domain5.de, so excluding it from letsencrypt request.    
    06.11.2017-08:46 - WARNING - Could not verify domain domain6.de, so excluding it from letsencrypt request.      
    06.11.2017-08:47 - WARNING - Could not verify domain www.domain6.de, so excluding it from letsencrypt request.  
    06.11.2017-08:48 - WARNING - Could not verify domain domain7.de, so excluding it from letsencrypt request. 
    06.11.2017-08:49 - WARNING - Could not verify domain www.domain7.de, so excluding it from letsencrypt request. 
    06.11.2017-08:49 - WARNING - Let's Encrypt SSL Cert for: domain5.de could not be issued.                                                            
    06.11.2017-08:49 - WARNING -                                                                                                                          
    06.11.2017-08:49 - DEBUG - Add server alias: domain6.de                                                                                               
    06.11.2017-08:49 - DEBUG - Add server alias: domain7.de                                                                                              
    06.11.2017-08:49 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web9/.php-fcgi-starter
    06.11.2017-08:49 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domain5.de.vhost                                                    
    06.11.2017-08:49 - DEBUG - Apache status is: running                                                                                                  
    06.11.2017-08:49 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.                                                                  
    06.11.2017-08:49 - DEBUG - Restarting httpd: systemctl restart apache2.service                                                                        
    06.11.2017-08:49 - DEBUG - Apache restart return value is: 0                                                                                          
    06.11.2017-08:49 - DEBUG - Apache online status after restart is: running                                                                             
    06.11.2017-08:49 - DEBUG - Processed datalog_id 623                                                                                                   
    06.11.2017-08:49 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock                                                              
    finished.
    Thanks in advance for your help!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Both cronjobs are not from ISPConfig and can be removed. ISPConfig takes care on renewing the certs itself.

    The log output means that some domains are unreachable from the server, ISPConfig adds a test token in the same way LE is doing it and tries to connect to it by http, when this fails, then the domain is excluded from the SSL cert. Check the DNS settings of the domains. When your server is behind a router so that domains can not be reached from the server itself, then disable the LE check under System > server config > web.
     
  5. Bocki

    Bocki New Member HowtoForge Supporter

    Ok, then I will delete both cron-entries. As one of them gets installed automatically by the Debian package, maybe the "perfect server" tutorial should/could be edited to reflect the deactivation?
    What about the file /etc/apache2/conf-enabled/letsencrypt.conf? Is this needed or maybe a problem?
    Besides I'm going to wait somewhat longer - maybe there is a problem with DNS distribution (as the entries are the same for the non-working domains as for the working ones). At the latest tomorrow all the changes should be propagated to every server.
     
  6. Bocki

    Bocki New Member HowtoForge Supporter

    Sorry to bother you again: is my statement in the previous post correct? And what about /etc/apache2/conf-enabled/letsencrypt.conf?
    The issuing problems where probably related to some DNS problem. After waiting some more it worked like a charm. Thanks!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll take a look at the perfect server guide. But it's not an issue when the cronjob exists, it's just a duplicate of what ISPConfig does.
    That should be fine.
     

Share This Page