letsencrypt dont work.

Discussion in 'Installation/Configuration' started by omniware, Oct 10, 2017.

  1. omniware

    omniware New Member

    Hi. I've a ispconfig 3.1.7.p1
    I've try to install ssl cert by letsencrypt, but it don't work.
    It seems all correct.
    How do to check it? Do you know any manual about check and diag it?
     
  2. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    uhm if you enter https://thedomain you should see the informations about the TLS-cert.
    Or on CLI?
    Code:
    echo QUIT | openssl s_client -connect www.yourdomain.tld:443 -status 2> /dev/null | grep -A 17 'OCSP response:' | grep -B 17 'Next Update'
    
    
     
  3. omniware

    omniware New Member

    Here you are the output:
    Code:
    [CODE]OCSP response:
    ======================================
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
        Produced At: Oct  9 12:55:00 2017 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 7EE66AE7729AB3FCF8A220646C16A12D6071085D
          Issuer Key Hash: A84A6A63047DDDBAE6D139B7A64565EFF3A8ECA1
          Serial Number: 0305072AEE8A58C557CA02EF44055E7B71E9
        Cert Status: good
        This Update: Oct  9 12:00:00 2017 GMT
        Next Update: Oct 16 12:00:00 2017 GMT
    
     
  4. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    looks good :) or do you have any issues still?
     
  5. omniware

    omniware New Member

    So it's about ispconfig the problem I think. Yes?
     
  6. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    So, what exactly describes your issue?
    You tried to setup a website with LE SSL or tried to use LE SSL for ISPConfig panel?
    What doesn't work?
     
    omniware likes this.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    omniware likes this.
  8. omniware

    omniware New Member

    Hi. Thanks about your help
    Really i'm activate lts-encrpyt on ispconfig on web sites.
    I'll check:
    OS: Debian 8
    ISPconfig 3.1.7p1 ans apache 2.4
    Lest-encrypt working on console (see reply 3)
    Server had public IP on VM
    Server and domains is FQDN server.
    I've use default options about update script

    Here the letsencrypt.log
    Code:
    2017-10-10 09:32:41,037:DEBUG:certbot.main:certbot version: 0.19.0
    2017-10-10 09:32:41,038:DEBUG:certbot.main:Arguments: []
    2017-10-10 09:32:41,038:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoi
    nt#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2017-10-10 09:32:41,082:DEBUG:certbot.log:Root logging level set at 20
    2017-10-10 09:32:41,083:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-10-10 09:32:41,087:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
    2017-10-10 09:32:41,685:DEBUG:certbot_apache.configurator:Apache version is 2.4.10
    2017-10-10 09:32:42,992:DEBUG:certbot.plugins.disco:No installation (PluginEntryPoint#nginx):
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/plugins/disco.py", line 130, in prepare
        self._initialized.prepare()
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot_nginx/configurator.py", line 150, in prep
    are
        raise errors.NoInstallationError
    NoInstallationError
    2017-10-10 09:32:42,995:DEBUG:certbot.plugins.selection:Single candidate plugin: * apache
    Description: Apache Web Server plugin - Beta
    Interfaces: IAuthenticator, IInstaller, IPlugin
    Entry point: apache = certbot_apache.configurator:ApacheConfigurator
    Initialized: <certbot_apache.configurator.ApacheConfigurator object at 0x7f6d8f1e7450>
    Prep: True
    2017-10-10 09:32:42,996:DEBUG:certbot.plugins.selection:Selected authenticator <certbot_apache.configurator.ApacheCon
    figurator object at 0x7f6d8f1e7450> and installer <certbot_apache.configurator.ApacheConfigurator object at 0x7f6d8f1
    e7450>
    2017-10-10 09:32:42,996:INFO:certbot.plugins.selection:Plugins selected: Authenticator apache, Installer apache
    2017-10-10 09:32:43,008:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=Non
    e, contact=(u'mailto:[email protected]',), agreement=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf
    ', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f6d8e6c7ed0>
    )>)), uri=u'https://acme-v01.api.letsencrypt.org/acme/reg/22459829', new_authzr_uri=u'https://acme-v01.api.letsencryp
    t.org/acme/new-authz', terms_of_service=u'https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf'), 7de211d
    366899f4c01a734ccd54f94f0, Meta(creation_host=u'hosting01.omniware.es', creation_dt=datetime.datetime(2017, 10, 9, 12
    , 44, 12, tzinfo=<UTC>)))>
    2017-10-10 09:32:43,010:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
    2017-10-10 09:32:43,088:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.ap
    i.letsencrypt.org
    2017-10-10 09:32:43,394:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET
    /directory HTTP/1.1" 200 561
    2017-10-10 09:32:43,395:DEBUG:acme.client:Received response:
    HTTP 200
    
     
  9. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    have you setup some kind of aliasing or other non-basic configuration? If no, please try to Resync your web-configurations at the Tools tab.
    Another issue which might be, have you by chance allowed wildcard for IP adresses (*) ? If so, try again by giving all websites the correct IP and disable wildcard.

    For some reasons your hosting01 sub is using SSL for desarrollo sub domain
     
    omniware likes this.
  10. omniware

    omniware New Member

    I thing none about non-basic configuration.
    Some about execute cerbot-auto can break it?
    I recosincing server by isp all tabs but the cert on website is not green
     
  11. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    usuallycertbot doesn't break things.
    check your /etc/apache2/sites-enabled/100-hosting01-omniware.es.vhost
    You find lines for SSLCertificateFile, SSLCertificateKeyFile, SSLCertificateChainFile with a path behind that.
    check the files are there ( example )
    Code:
    ls -Alah /var/www/clients/client1/web1/ssl/host.ztk.me-le.crt
    lrwxrwxrwx 1 root root 68 Oct  3 23:12 /var/www/clients/client1/web1/ssl/host.ztk.me-le.crt -> /etc/letsencrypt/archive/host.ztk.me/fullchain1.pem
    
    verify the file it links to is present.

    Make sure your apache is using the correct vhost.conf when using your subdomain, currently it looks like there's an issue since it servers SSL for another subdomain.
    This likely is an issue if you use IP wildcard;
    assign your websites the correct IP
    Websites > IP adress > select IP ( don't use * )
    disable System > Server config > Web > Allow IP wildcard
    if it still doesn't work go to Tools > Resync and choose to resync websites.

    certbot log looks good
     
    omniware likes this.
  12. omniware

    omniware New Member

    Thanks a lot.
    So. I haven't 100-hosting01-omniware.es.vhost.
    hosting01 use the default web nad it is use to access only to ispconfig. It is the fqdn of server including reverese ip.
    I need put a site hosting01 on ipsconfig?
    The file link about other domains are on folders links too.
    All sites are the correct IP on web tab, none *
    I'm diabled IP wilcard on server tab and resyncing.
    The site web is yellow.
     
  13. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    no, you dont' need to create hostin01 subdomain as vhost ( however if you want a valid ssl cert for that to be used in ispconfig/postfix/dovecot... then yes ) I probably mixed things trying to understand what your issue is.

    However the TLS is working now, it's yellow because your https site contains non-https elements which are not secure.
     
    omniware likes this.
  14. omniware

    omniware New Member

    Ok Thanks a lot.
     
    ztk.me likes this.

Share This Page