Let'scrypt Certificate not activating

Discussion in 'General' started by Sheshman, Mar 11, 2022.

  1. Sheshman

    Sheshman Member

    Hi,
    Creating ssl certificate through sites->my domain->SSL->SSL Action create certificate it creates and saves the site settings, after that i'm checking both SSL & Let's Encrypt SSL checkboxes and saving settings. But web site still works on http instead of https, when i go back to site settings both checkboxes are returns to unchecked and web site still boradcasting on http.

    Tried delete and create new certificate but didn't work. 443 port is open and accessible from outside.
     

    Attached Files:

  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Sheshman likes this.
  3. Sheshman

    Sheshman Member

    1. When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System -> Server config -> server1.example.com -> Web.
    did the trick, thanks
     
  4. Sheshman

    Sheshman Member

    Hi again, i'm having same problem with another ispconfig server (at work) but i think this installation have different problem than the server at my home.
    Before @Taleman ban me for good :) i want to say i've read & followed instructions step by step but didn't solve the problem.
    -I have ISPConfig 3.2.7p1 installed on vmcenter and it's behind nat and it uses acme.sh
    -Skip Letsencrypt check is enabled (because server behind nat)
    -i have a domain subdomain as "xxx.xxx.com", creating ssl certificate as "Sites->my domain->SSL->SSL Action create certificate"
    -Waiting to save settings, but when i go back to check site settings Let's encrypt checkbox is no checked and even if i check manually SSL is not activating.
    - Tried to find out what is the problem through checking logs Monitor->Let's Encrypt Logs : but the system says Unable to read logs.
    -/var/log/letsencrypt is empty (obviously because my server uses acme.sh but just wanted to share anyway)
    - /var/log/ispconfig/acme.log is empty
    -/root/.acme.sh/acme.sh.log is empty
    -debug mode returns no error
    Where else should i check?
     

    Attached Files:

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This option may not be used when you want to get a LE cert. You basically told the system with that action to not create LE cert by creating a self-signed cert.

    To correct that, go to Sites->my domain->SSL-> and choose delete certificate as action, then press save.
    After the change has been successfully processed, go to the website settings, enable the SSL and the Let's Encrypt checkbox, and press save.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    And regarding your attempt to use debug log, you missed enabling debug mode, so there can be no debug output when debug mode is disabled. Please follow the instructions about enabling debug mode if you want to use the debug mode, you can find the link in the let#s encrypt error FAQ.
     
  7. Sheshman

    Sheshman Member

    you were right i forgot to enable log level to Debug. Now i have debug log as below;
    Code:
    18.03.2022-11:38 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    18.03.2022-11:38 - DEBUG - Found 1 changes, starting update process.
    18.03.2022-11:38 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    18.03.2022-11:38 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    18.03.2022-11:38 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web5' - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web5' - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web5'|awk 'END{print $2,$NF}' - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: setquota -u 'web5' '0' '0' 0 0 -a &> /dev/null - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: setquota -T -u 'web5' 604800 604800 -a &> /dev/null - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web5' - return code: 0
    18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    18.03.2022-11:38 - DEBUG - Trying to use Systemd to restart service
    18.03.2022-11:38 - DEBUG - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    18.03.2022-11:38 - DEBUG - Create Let's Encrypt SSL Cert for: troy2.mydomain.com.tr
    18.03.2022-11:38 - DEBUG - Let's Encrypt SSL Cert domains:
    18.03.2022-11:38 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr --key-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.key' --fullchain-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    18.03.2022-11:38 - WARNING - Let's Encrypt SSL Cert for: troy2.mydomain.com.tr could not be issued.
    18 Mar 2022 11:38 www.troy2.mydomain.com.tr:Verify error:CAA record for www.troy2.mydomain.com.tr prevents issuance
    18 Mar 2022 11:38 Please add '--debug' or '--log' to check more details.
    18 Mar 2022 11:38 See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    18.03.2022-11:38 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr --key-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.key' --fullchain-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    18.03.2022-11:38 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/troy2.mydomain.com.tr.vhost
    18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    18.03.2022-11:38 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.4/fpm/pool.d/web5.conf
    18.03.2022-11:38 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    18.03.2022-11:38 - DEBUG - Trying to use Systemd to restart service
    18.03.2022-11:38 - DEBUG - safe_exec cmd: systemctl is-enabled 'php7.4-fpm' 2>&1 - return code: 0
    18.03.2022-11:38 - DEBUG - Restarting php-fpm: systemctl reload php7.4-fpm.service
    18.03.2022-11:38 - DEBUG - Apache status is: running
    18.03.2022-11:38 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    18.03.2022-11:38 - DEBUG - Trying to use Systemd to restart service
    18.03.2022-11:38 - DEBUG - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    18.03.2022-11:38 - DEBUG - Restarting httpd: systemctl restart apache2.service
    18.03.2022-11:38 - DEBUG - Apache restart return value is: 0
    18.03.2022-11:38 - DEBUG - Apache online status after restart is: running
    18.03.2022-11:38 - DEBUG - Processed datalog_id 202
    18.03.2022-11:38 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
    i think main issue is this "www.troy2.mydomain.com.tr:Verify error:CAA record for www.troy2.mydomain.com.tr prevents issuance" i believe that i have right records on dns but couldn't understand why it doesn't like it.
    Frankly speaking troy2 was an old service and we have removed but it was working on https and most of the users favorited as https, so i'll not publish any website under this domain, i'm going to forward all requests to another website but i need to do it over https protocol so users shouldn't get error when they try to reach troy2.mydomain.com.tr from their bookmarks, if there is a trick for that i can use that too.
     
    Last edited: Mar 18, 2022
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    CAA records are records that define which SSL authorities may issue certs for this domain and your domain seems to have CAA records that disallow certs from Let's encrypt. Either correct the CAA record to allow let#s Encrypt SSL authority, or remove the CAA record.
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You did not read this part in #2:
     
    Sheshman likes this.
  10. Sheshman

    Sheshman Member

    Last edited: Mar 18, 2022
  11. Sheshman

    Sheshman Member

    you know what, this confuses me because when i create SSL certificate for a domain and if server can create certificate without any problem, after changes are applied when i check site settings those two checkboxes are shows as checked automatically and https over http checkbox is enabling under redirection.
     
  12. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Checkboxes yes. I meant in website SSL tab the boxes for SSL Key:, SSL Request: etc.. If you fill those, then Let's Encrypt fails.
     
    Sheshman likes this.
  13. Sheshman

    Sheshman Member

    oh i see now, thanks.

    Here is my dilemma about this subject, when i delete CAA records acme.sh says "there is no CA record for troy2.mydomain.com.tr domain DNS servers may failing (something like that as far as i remember)". So deleting CAA records wasn't solve my problem.

    But on the other hand i have right CAA record according to tests (please see attached screenshots). But somehow acme.sh returns 403 error when try to issue certificate for this domain.
     

    Attached Files:

    Last edited: Mar 18, 2022
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Let's Encrypt does not require CAA Records, so deleting them is fine and will likely solve your issue. the error message you cited is that there is no A-Record, not CAA record. A and CAA records are completely different records. An A-Record must exist of course if you want to get an SSL cert from let's encrypt for that name (see let's encrypt FAQ, it is mentioned there that the domain/subdomain must exist and point to your server).
     
    Sheshman likes this.
  15. Sheshman

    Sheshman Member

    there is A record for both troy2 and www.troy2 but main domain is hosting on azure, troy2 on ispconfig server, main domain's ip address and subdomain's ip address are different can this cause this problem?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Only the subdomain of the hostname must point to the Ip address of this server.
     
    Sheshman likes this.
  17. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Also instead of deleting your CAA records, you can (should? it would be better to?) just fix them. Add another CAA for "letsencrypt.org" if you need both old and new, or just replace the old record entirely if you only intend to use letsencrypt going forward.
     
    Sheshman likes this.
  18. Sheshman

    Sheshman Member

    fixing instead of deleting is always better for sure, i already have CAA - 0 - issue - "letsencrypt.org" & CAA - 0 - issuewild - "letsencrypt.org"
    when i call troy2.mydomaincom.tr from browser getting default ispconfig page as well, my A record pointing to ispconfig server's ip address, it should work this way.
     
    Last edited: Mar 18, 2022
  19. Sheshman

    Sheshman Member

    i have no idea why but it worked when i changed CAA record from this :
    CAA - 0 - issue - "letsencrypt.org" & CAA - 0 - issuewild - "letsencrypt.org"
    to this
    CAA - 0 - issue - letsencrypt.org & CAA - 0 - issuewild - letsencrypt.org
     

Share This Page