Lets Encryt Problems again

Discussion in 'ISPConfig 3 Priority Support' started by Dextros, Jan 22, 2018.

  1. Dextros

    Dextros Member

    Hi Guys
    I am having trouble, again on the 3 month renewal.

    The client lacks sufficient authorization :: Invalid response from domain.ltd

    I cannot manually get to the location in a browser.

    I have turned off re-write http to https
    I get a 404 error when i try and access the area.

    I think i may have found the problem. Not only was the server not allowing http, but i think that there is a permission problem

    cd /usr/local/ispconfig/interface/acme/.well-known
    ls -lah
    drwxr-sr-x 2 ispconfig ispconfig 4.0K Jan 22 13:49 acme-challenge

    vim ispconfig.conf
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
    <IfModule mpm_itk_module>
    AssignUserId www-data www-data
    </IfModule>
    </Directory>

    Is the AssignUserID incorrect. Should it be ispconfig ispconfig or should /acme be www-data www-data

    Is there any way to set this up to let me know in advance, so i can fix this in advance?

    KRs

    Lee
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The permissions of the directory are fine. The token is created by certbot as root user, so it can write to that directory and the user www-data is member of the ispconfig group, so Apache can read the token.

    The apache config should be fine as well as www-data user can read the token.

    If it would be a permission problem, then you won't get a 404 error, you would get 403. 404 really means that the token is unreachable (in form of non-existent in this URL). Most likely a rewrite rule or redirect in your website redirects the URL so that it is unreachable.
     
  3. Dextros

    Dextros Member

    Would that be in the individual apache conf files? Ill be honest, i am at a loss.
    Would you be able to point me in the right direction. I tried emailing Florian this morning but nothing back yet.

    Would you be able to take a look at it?

    KRs

    Lee
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely it's a redirect that is set in apache/ nginx directives field of the website or an .htaccess file on an apache server or a global redirect. To test this, add a test file in the folder /usr/local/ispconfig/interface/acme/.well-known/acme-challenge, e.g.:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    and then try to fetch it with a browser:

    http://yourdomain.tld/.well-known/acme-challenge/test.txt

    If you get a 404, then take a look into the access.log of the site if you find any additional info on the failed request there.

    I'm sure Florian will contact you, I'm sure he got a load of work over the weekend that he is working on, on Monday.
     
  5. Dextros

    Dextros Member

    Hi Till

    Could I be having this issue on mine.

    "Maybe you have a mix of old and new syntax on your server. When the server is an apache version that uses the new syntax, then remove all old syntax. for ispconfig vhosts, you can do that with tools > resyncm for other apache files you might have to do that manually.
    The reason for this is that you can't mix old and new syntax. E.g. when you deny access globally for /var/www in old syntax, then you can not give access to a subdirectory of /var/www in new syntax. Apache simply ignores the new syntax then. ISPConfig will choose new syntax when the apache version of that server uses new syntax."

    I upgrade from Debian 7 to Debian 8 about 3-4 monmths ago.

    I dont believe I have any special features in the apache files, so a resync could fix this issue?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can try a resync, but it will alter only the vhost files, not other apache files.
     
  7. Dextros

    Dextros Member

    Hi Till

    I tried this, but it has made things worse. Everything seems to be forcing redirect to ssl. Do you know where i could look to see where this is happening?

    I cant even bypass the https errors and get
    You cannot visit www.marsdenduncan.co.uk right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

    L
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if the site currently uses an ssl cert of another site, this happens when the site has no ssl enabled. Is the ssl checkbox and le checkbox of that site enabled at the moment? If not, enable debug mode:
    https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
    then enable ssl and le checkboxes, run server.sh, and you will see on the shell in details what's going on.

    If you need help by remote login, then you should consider contacting Florian here http://www.ispconfig.org/get-support/?type=ispconfig and ask him to take a look at your problem directly.
     
  9. Dextros

    Dextros Member

    I have asked Florian to help. This is way out of my league :)
    I will email him again.
    Florian must have already enabled debuging
    They are full of

    06.02.2018-17:58 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.02.2018-17:58 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

    I have re-enabled only SSL tick boxes.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    This is not the debug output from enabling ssl checkbox. Most likely you did not comment out server.sh in root crontab so the changes had already been processed.
     
  11. Dextros

    Dextros Member

    I got this when I did what you said

    Code:
    06.02.2018-18:59 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 's                                                                                                                        erver_plugins_loaded'.
    06.02.2018-18:59 - DEBUG - Found 1 changes, starting update process.
    06.02.2018-18:59 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    06.02.2018-18:59 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'                                                                                                                        .
    06.02.2018-18:59 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web23/.php-fcgi-starter
    06.02.2018-18:59 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/gklkent.com.vhost
    06.02.2018-18:59 - DEBUG - Apache status is: running
    06.02.2018-18:59 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    06.02.2018-18:59 - DEBUG - Restarting httpd: systemctl restart apache2.service
    06.02.2018-18:59 - DEBUG - Apache restart return value is: 0
    06.02.2018-18:59 - DEBUG - Apache online status after restart is: running
    06.02.2018-18:59 - DEBUG - Processed datalog_id 3311
    06.02.2018-18:59 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
    I am getting somewhere, when I try and select the LE button under SSL, I now get a vhost.conf.err file.

    This is still pointing to the outdates le cert files created just over three months ago.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    That debug output is better :) Is your server behind a router? And please check the letsencrypt.log file, it must be there and it should contain the reason why letsencrypt is not able to renew the ssl cert.
     
  13. Dextros

    Dextros Member

    Hi Till

    I dont believe that I am behind a router/firewall, i think i have to pay extra for firewall at OVH.

    Chain INPUT (policy DROP)
    target prot opt source destination
    fail2ban-pureftpd tcp -- anywhere anywhere multiport dports ftp
    fail2ban-dovecot-pop3imap tcp -- anywhere anywhere multiport dports pop3,pop3s,imap2,imaps
    fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
    DROP tcp -- anywhere loopback/8
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    ACCEPT all -- anywhere anywhere
    DROP all -- base-address.mcast.net/4 anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    PUB_IN all -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DOCKER-USER all -- anywhere anywhere
    DOCKER-ISOLATION all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
    DOCKER all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere
    ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
    DROP all -- anywhere anywhere

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere
    PUB_OUT all -- anywhere anywhere

    Chain DOCKER (1 references)
    target prot opt source destination
    ACCEPT tcp -- anywhere 172.17.0.2 tcp dpt:9980

    Chain DOCKER-ISOLATION (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain DOCKER-USER (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain INT_IN (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain INT_OUT (0 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere
    ACCEPT all -- anywhere anywhere

    Chain PAROLE (24 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain PUB_IN (6 references)
    target prot opt source destination
    ACCEPT icmp -- anywhere anywhere icmp destination-unreachable
    ACCEPT icmp -- anywhere anywhere icmp echo-reply
    ACCEPT icmp -- anywhere anywhere icmp time-exceeded
    ACCEPT icmp -- anywhere anywhere icmp echo-request
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp-data
    PAROLE tcp -- anywhere anywhere tcp dpt:ftp
    PAROLE tcp -- anywhere anywhere tcp dpt:ssh
    PAROLE tcp -- anywhere anywhere tcp dpt:smtp
    PAROLE tcp -- anywhere anywhere tcp dpt:domain
    PAROLE tcp -- anywhere anywhere tcp dpt:http
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3
    PAROLE tcp -- anywhere anywhere tcp dpt:imap2
    PAROLE tcp -- anywhere anywhere tcp dpt:https
    PAROLE tcp -- anywhere anywhere tcp dpt:urd
    PAROLE tcp -- anywhere anywhere tcp dpt:submission
    PAROLE tcp -- anywhere anywhere tcp dpt:imaps
    PAROLE tcp -- anywhere anywhere tcp dpt:pop3s
    PAROLE tcp -- anywhere anywhere tcp dpt:2812
    PAROLE tcp -- anywhere anywhere tcp dpt:mysql
    PAROLE tcp -- anywhere anywhere tcp dpt:8040
    PAROLE tcp -- anywhere anywhere tcp dpt:8041
    PAROLE tcp -- anywhere anywhere tcp dpt:tproxy
    PAROLE tcp -- anywhere anywhere tcp dpt:8090
    PAROLE tcp -- anywhere anywhere tcp dpt:8888
    PAROLE tcp -- anywhere anywhere tcp dpt:git
    PAROLE tcp -- anywhere anywhere tcp dpt:9980
    PAROLE tcp -- anywhere anywhere tcp dpt:webmin
    PAROLE tcp -- anywhere anywhere tcp dpts:40110:40210
    ACCEPT udp -- anywhere anywhere udp dpt:domain
    ACCEPT udp -- anywhere anywhere udp dpt:mysql
    DROP icmp -- anywhere anywhere
    DROP all -- anywhere anywhere

    Chain PUB_OUT (6 references)
    target prot opt source destination
    ACCEPT all -- anywhere anywhere

    Chain fail2ban-dovecot-pop3imap (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-pureftpd (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Chain fail2ban-ssh (1 references)
    target prot opt source destination
    RETURN all -- anywhere anywhere

    Code:
    2018-02-07 02:01:10,435:DEBUG:certbot.main:Root logging level set at 20
    2018-02-07 02:01:10,436:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-02-07 02:01:10,436:DEBUG:certbot.main:certbot version: 0.10.2
    2018-02-07 02:01:10,436:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2018-02-07 02:01:10,437:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2018-02-07 02:01:10,438:WARNING:certbot.renewal:renewal config file {} is missing a required file reference
    2018-02-07 02:01:10,438:WARNING:certbot.renewal:Renewal configuration file /etc/letsencrypt/renewal/binarybrothers.tech.conf is broken. Skipping.
    2018-02-07 02:01:10,438:DEBUG:certbot.renewal:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 59, in _reconstitute
        renewal_candidate = storage.RenewableCert(full_path, config)
      File "/usr/lib/python2.7/dist-packages/certbot/storage.py", line 373, in __init__
        "file reference".format(self.configfile))
    CertStorageError: renewal config file {} is missing a required file reference
    
    2018-02-07 02:01:10,439:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 655, in renew
        renewal.handle_renewal_request(config)
      File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 430, in handle_renewal_request
        len(renew_failures), len(parse_failures)))
    Error: 0 renew failure(s), 1 parse failure(s)
    
    This is what was in tonights log.
    After running certbot from the cmd line on one domain, i get
    Code:
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):27 28
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for gklkent.com
    tls-sni-01 challenge for www.gklkent.com
    /usr/lib/python2.7/dist-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
      result_code = _lib.RAND_bytes(result_buffer, num_bytes)
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0035_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0035_csr-certbot.pem
    archive directory exists for gklkent.com
    
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    The first log file looks as if one of the LE config files is corrupted and this causes LE to fail. Regarding the manual renewal attempt, are you able t activate ssl on that domain now?
     
  15. Dextros

    Dextros Member

    I can activate SSL yes. but I get a sad face with the following text
    This site can’t provide a secure connection
    www.gklkent.com sent an invalid response.



    • Try running Windows Network Diagnostics.
    ERR_SSL_PROTOCOL_ERROR


    I still get the same error from LE. I cannot access acme-challenge
    Can I change anything in apache to force it, albiet with a security risk for testing?

    FailedChallenges: Failed authorization procedure. gklkent.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://gklkent.com/.well-known/acme-challenge/WOKM76Ri9zxKPo2eo-ic8LieIwP5xwqMhQb8mkB8nVQ: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
    <html xmlns="http:", www.gklkent.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.gklkent.com/.well-known/acme-challenge/QFvH15U1egxw7ghj8i98a7cjW1onDJ1c9uCWrNfg_MQ: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    SSL with LE will not work until you fixed the problem that LE can't access its auth token from outside.

    1) Is the domain reachable from the internet? If not, ensure that LE is able to reach it.
    2) Do you use any redirect or rewrite rules, e.g. in a .htaccess file, that redirect requests to that domain to another directory? If yes, you'll have to ensure that requests to the .well-known directory are not redirected.
     
  17. Dextros

    Dextros Member

    OK, temporarily I have made the following change to

    vim /etc/apache2/sites-available/ispconfig.conf
    I commented out the AssignUserID module.
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
    # <IfModule mpm_itk_module>
    # AssignUserId www-data www-data
    #</IfModule>
    </Directory>

    Running Certbot again, how allowed me to generate and use the new cert.

    After it worked on that one, i re did certbot on all sites which caused problems. All the apache files look on

    https://pastebin.com/h41kLDuS

    It looks like the cert has been issued to 23ir.co.uk but all ssl sites points to marsdenduncan.co.uk

    This isi the apache folder.
    [email protected]:~/Certbot# ls -lah /etc/apache2/sites-available/
    total 312K
    drwxr-xr-x 2 root root 4.0K Feb 8 11:35 .
    drwxr-xr-x 9 root root 4.0K Feb 8 11:31 ..
    -rw-r--r-- 1 root root 1.4K Jul 16 2017 000-default.conf
    -rw-r--r-- 1 root root 3.5K Feb 8 11:07 23ir.co.uk.vhost
    -rw-r--r-- 1 root root 7.0K Feb 8 11:30 23ir.co.uk.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 4.0K Feb 8 11:07 3buddhas.co.uk.vhost
    -rw-r--r-- 1 root root 8.0K Feb 8 11:30 3buddhas.co.uk.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 2.3K Feb 8 11:07 7pg.co.uk.vhost
    -rw-r--r-- 1 root root 4.7K Feb 8 11:30 7pg.co.uk.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 1.2K Feb 5 11:55 apps.vhost
    -rw-r--r-- 1 root root 3.4K Feb 7 19:42 binarybrothers.tech.vhost
    -rw-r--r-- 1 root root 3.7K Feb 8 11:07 computing.inspiredsolutionsuk.com.vhost
    -rw-r--r-- 1 root root 7.5K Feb 8 11:30 computing.inspiredsolutionsuk.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 3.6K Feb 8 11:07 countyelectrics.com.vhost
    -rw-r--r-- 1 root root 7.2K Feb 8 11:30 countyelectrics.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 8.1K Feb 6 16:19 dav.inspiredsolutionsuk.com.vhost
    -rw-r--r-- 1 root root 7.1K Mar 2 2015 default-ssl.conf
    -rw-r--r-- 1 root root 3.8K Feb 8 11:35 gklkent.com.vhost
    -rw-r--r-- 1 root root 12K Feb 8 11:30 gklkent.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 2.3K Feb 8 11:07 gkltenants.com.vhost
    -rw-r--r-- 1 root root 4.8K Feb 8 11:30 gkltenants.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 3.6K Feb 6 16:19 greenknightlettings.com.vhost
    -rw-r--r-- 1 root root 3.6K Feb 6 16:19 greenknightlettings.co.uk.vhost
    -rw-r--r-- 1 root root 2.4K Feb 8 11:07 huttonsdomain.com.vhost
    -rw-r--r-- 1 root root 4.8K Feb 8 11:30 huttonsdomain.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 3.6K Feb 8 11:07 inspiredsolutionsuk.com.vhost
    -rw-r--r-- 1 root root 7.3K Feb 8 11:30 inspiredsolutionsuk.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 3.5K Feb 8 11:07 isc.inspiredsolutionsuk.com.vhost
    -rw-r--r-- 1 root root 11K Feb 8 11:30 isc.inspiredsolutionsuk.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 2.0K Feb 8 11:27 ispconfig.conf
    -rw-r--r-- 1 root root 3.2K Feb 5 11:56 ispconfig.vhost
    -rw-r--r-- 1 root root 3.3K Feb 6 16:19 kfssltd.co.uk.vhost
    -rw-r--r-- 1 root root 3.3K Feb 6 16:15 krsltd.co.uk.vhost
    -rw-r--r-- 1 root root 8.5K Feb 6 16:15 lahtechnologies.com.vhost
    -rw-r--r-- 1 root root 7.9K Feb 8 11:30 marsdenduncan.co.uk.vhost
    -rw-r--r-- 1 root root 3.6K Feb 8 11:16 marsdenduncan.co.uk.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 2.9K Feb 8 11:07 marsdenduncansolicitors.co.uk.vhost
    -rw-r--r-- 1 root root 5.9K Feb 8 11:30 marsdenduncansolicitors.co.uk.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 4.1K Feb 8 11:07 myreclaimedgardens.co.uk.vhost
    -rw-r--r-- 1 root root 8.2K Feb 8 11:30 myreclaimedgardens.co.uk.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 379 Feb 6 14:26 nextcloud.conf
    -rw-r--r-- 1 root root 10K Feb 6 16:16 office.gklkent.com.vhost
    -rw-r--r-- 1 root root 11K Aug 21 13:12 office.gklkent.com.vhost.err
    -rw-r--r-- 1 root root 3.4K Feb 8 11:07 pgl-uk.org.vhost
    -rw-r--r-- 1 root root 6.8K Feb 8 11:30 pgl-uk.org.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 3.5K Feb 8 11:07 preceptcs.com.vhost
    -rw-r--r-- 1 root root 7.1K Feb 8 11:30 preceptcs.com.vhost-le-ssl.conf
    -rw-r--r-- 1 root root 3.3K Feb 6 16:18 rfskent.co.uk.vhost
    -rw-r--r-- 1 root root 3.0K Sep 17 19:40 roundcube.conf
    -rw-r--r-- 1 root root 3.3K Feb 6 16:18 whitecaps.co.uk.vhost

    I cannot tick the ssl box in the ISP control panel on any site. and all https redirects to marsdenduncan.co.uk

    What have i done!!
     
    Last edited: Feb 8, 2018
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Using certbot on the shell for websites will cause the whole Apache setup to fail as certbot is not able to create correct apache config files, it simply tries to create copies with -le to filename attached and ispconfig will be unable to do any changes after that. Basically, you will have to remove all these apache config files with -le in the filename from apache sites-enabled folder to get the system back operating. Then login to ispconfig and enable the ssl and le checkbox of the website where you want to turn on LE.
     
  19. Dextros

    Dextros Member

    Hi Till
    I got eveything back to working as it was yesterday :)
    I still cannot authorize well known.

    Should i just create a well known folder in every website under its user and take out the alias in ispconfig.conf

    Also, I actually have a new certificate i think
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Renewal configuration file /etc/letsencrypt/renewal/gklkent.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
    Renewal configuration file /etc/letsencrypt/renewal/binarybrothers.tech.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
    Renewal configuration file /etc/letsencrypt/renewal/gklkent.com-0001.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
    Attempting to parse the version 0.21.1 renewal configuration file found at /etc/letsencrypt/renewal/gklkent.com-0002.conf with version 0.10.2 of Certbot. This might not work.

    -------------------------------------------------------------------------------
    Found the following certs:
    Certificate Name: www.marsdenduncan.co.uk
    Domains: www.marsdenduncan.co.uk marsdenduncan.co.uk
    Expiry Date: 2018-05-09 10:16:02+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/www.marsdenduncan.co.uk/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/www.marsdenduncan.co.uk/privkey.pem
    Certificate Name: gklkent.com-0002
    Domains: 23ir.co.uk 3buddhas.co.uk 7pg.co.uk computing.inspiredsolutionsuk.com countyelectrics.com gklkent.com gkltenants.com huttonsdomain.com inspiredsolutionsuk.com isc.inspiredsolutionsuk.com marsdenduncan.co.uk marsdenduncansolicitors.co.uk myreclaimedgardens.co.uk pgl-uk.org preceptcs.com www.23ir.co.uk www.3buddhas.co.uk www.7pg.co.uk www.countyelectrics.com www.gklkent.com www.gkltenants.com www.huttonsdomain.com www.inspiredsolutionsuk.com www.marsdenduncan.co.uk www.marsdenduncansolicitors.co.uk www.myreclaimedgardens.co.uk www.pgl-uk.org www.preceptcs.com
    Expiry Date: 2018-05-09 10:06:26+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/gklkent.com-0002/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/gklkent.com-0002/privkey.pem

    The following renewal configuration files were invalid:
    /etc/letsencrypt/renewal/gklkent.com.conf
    /etc/letsencrypt/renewal/binarybrothers.tech.conf
    /etc/letsencrypt/renewal/gklkent.com-0001.conf


    Those renewal files are blank and emtpy.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    No, this won't help as certbot won't find it's token then as the token get's created in the folder /usr/local/ispconfig/interface/acme/.well-known/acme-challenge

    you can try this, run:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    you must then be able to reach the test.txt file in a browser by using your domain name:

    http://yourdomain.tld/.well-known/acme-challenge/test.txt

    unless this is working agan, LE will fail.


    Try to move the broken reneal certs to a different flder, maybe certbot will recreate them then.
     

Share This Page