letsencrypt isn't working after clean install

Discussion in 'General' started by ariban99, May 24, 2020.

  1. ariban99

    ariban99 Member

    Hi
    i have a clean debian 10 install running ispconfig 3.1 (i followed the tutorial)
    when i click lets encrypt after i click save it unclicks itself, i read i need to click disabled letsencrypt checking in server settings, i did that and it still gives me the same problem
    even worse, now my site reroutes to another site on my server that actually has an SSL on it. and i have no idea how to fix that.
    here are the logs for lets encrypt
    2020-05-24 01:25:02,543:DEBUG:certbot._internal.main:certbot version: 1.3.0
    2020-05-24 01:25:02,543:DEBUG:certbot._internal.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'nonichaihealth.com', '--domains', 'www.nonichaihealth.com', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2020-05-24 01:25:02,543:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-05-24 01:25:02,552:DEBUG:certbot._internal.log:Root logging level set at 20
    2020-05-24 01:25:02,552:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-05-24 01:25:02,553:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
    2020-05-24 01:25:02,556:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
    Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f6000500490>
    Prep: True
    2020-05-24 01:25:02,557:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f6000500490> and installer None
    2020-05-24 01:25:02,557:INFO:certbot._internal.plugins.selection:plugins selected: Authenticator webroot, Installer None
    2020-05-24 01:25:02,561:DEBUG:certbot._internal.main:picked account: <Account(RegistrationResource(body=Registration(status=None, terms_of_service_agreed=None, agreement=None, only_return_existing=None, contact=(), key=None, external_account_binding=None), uri=u'https://acme-v02.api.letsencrypt.org/acme/acct/85740770', new_authzr_uri=None, terms_of_service=None), 485307fa9ca7a04b6daac210cc817ad2, Meta(creation_host=u'webserver.bhsolutions.com', creation_dt=datetime.datetime(2020, 5, 10, 5, 49, 4, tzinfo=<UTC>)))>
    2020-05-24 01:25:02,561:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
    2020-05-24 01:25:02,563:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
    2020-05-24 01:25:02,667:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
    2020-05-24 01:25:02,667:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Sun, 24 May 2020 08:25:02 GMT
    Content-Type: application/json
    Content-Length: 658
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800

    {
    "0FgpfBGzw2o": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "meta": {
    "caaIdentities": [
    "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
    },
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }
    2020-05-24 01:25:02,668:DEBUG:certbot._internal.cert_manager:Renewal conf file /etc/letsencrypt/renewal/nonichaihealth.com.conf is broken. Skipping.
    2020-05-24 01:25:02,669:DEBUG:certbot._internal.cert_manager:Traceback was:
    Traceback (most recent call last):
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/cert_manager.py", line 381, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
    File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/storage.py", line 447, in __init__
    "file reference".format(self.configfile))
    CertStorageError: renewal config file {} is missing a required file reference

    2020-05-24 01:25:02,671:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80
    2020-05-24 01:25:02,966:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527
    2020-05-24 01:25:02,967:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/nonichaihealth.com-0001/cert1.pem is signed by the certificate's issuer.
    2020-05-24 01:25:02,969:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/nonichaihealth.com-0001/cert1.pem is: OCSPCertStatus.GOOD
    2020-05-24 01:25:02,972:INFO:certbot._internal.renewal:Cert not yet due for renewal
    2020-05-24 01:25:02,972:INFO:certbot._internal.main:Keeping the existing certificate
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. ariban99

    ariban99 Member

    under monitor it says Warning
    One or more components needs an update, what is the best way to update, apt-install update from ssh?

    i put it in debug mode and tried to create letsencrypt, i get this error from the logs, but i don't understand what to do to fix my issue

    [email protected]:~# /usr/local/ispconfig/server/server.sh


    24.05.2020-15:18 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    24.05.2020-15:18 - DEBUG - Found 1 changes, starting update process.
    24.05.2020-15:18 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    24.05.2020-15:18 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    24.05.2020-15:18 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client0/web8' - return code: 0
    24.05.2020-15:18 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client0/web8' - return code: 0
    24.05.2020-15:18 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client0/web8'| awk 'END{print $2,$NF}' - return code: 0
    24.05.2020-15:18 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    24.05.2020-15:18 - DEBUG - safe_exec cmd: setquota -u 'web8' '0' '0' 0 0 -a &> /dev/null - return code: 0
    24.05.2020-15:18 - DEBUG - safe_exec cmd: setquota -T -u 'web8' 604800 604800 -a &> /dev/null - return code: 0
    24.05.2020-15:18 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client0/web8' - return code: 0
    24.05.2020-15:18 - DEBUG - LE version is 1.3.0, so using certificates command
    24.05.2020-15:18 - DEBUG - Create Let's Encrypt SSL Cert for: nonichaihealth.com
    24.05.2020-15:18 - DEBUG - Let's Encrypt SSL Cert domains:
    24.05.2020-15:18 - DEBUG - exec: /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] aihealth.com --domains nonichaihealth.com --domains www.nonichaihealth.com --webroot-path /usr/local/ispconfig/interface/acme
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    24.05.2020-15:18 - DEBUG - LE CERT OUTPUT:
    24.05.2020-15:18 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    24.05.2020-15:18 - DEBUG - Let's Encrypt Cert file: does not exist.
    24.05.2020-15:18 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    24.05.2020-15:18 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/nonichaihealth.com.vhost
    24.05.2020-15:18 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    24.05.2020-15:18 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web8.conf
    24.05.2020-15:18 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    24.05.2020-15:18 - DEBUG - Restarting php-fpm: systemctl reload php7.3-fpm.service
    24.05.2020-15:18 - DEBUG - Apache status is: running
    24.05.2020-15:18 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    24.05.2020-15:18 - DEBUG - Restarting httpd: systemctl restart apache2.service
    24.05.2020-15:18 - DEBUG - Apache restart return value is: 0
    24.05.2020-15:18 - DEBUG - Apache online status after restart is: running
    24.05.2020-15:18 - DEBUG - Processed datalog_id 751
    24.05.2020-15:18 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
     
  4. ariban99

    ariban99 Member

    also i see this in the monitor system log
    2020-05-24 15:22 webserver.solutions.com Debug Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    2020-05-24 15:22 webserver.solutions.com Debug Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    According to the log, the site should have ssl. Please post the content of the file:

    /etc/apache2/sites-available/nonichaihealth.com.vhost
     
  6. ariban99

    ariban99 Member

    <Directory /var/www/nonichaihealth.com>
    AllowOverride None
    Require all denied
    </Directory>

    <VirtualHost *:80>


    DocumentRoot /var/www/clients/client0/web8/web

    ServerName nonichaihealth.com
    ServerAlias www.nonichaihealth.com
    ServerAdmin [email protected]


    ErrorLog /var/log/ispconfig/httpd/nonichaihealth.com/error.log


    <IfModule mod_ssl.c>
    </IfModule>

    <Directory /var/www/nonichaihealth.com/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>
    <Directory /var/www/clients/client0/web8/web>
    # Clear PHP settings of this website
    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
    SetHandler None
    </FilesMatch>
    Options +SymlinksIfOwnerMatch
    AllowOverride All
    Require all granted

    # ssi enabled
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
    Options +Includes
    </Directory>

    <IfModule mod_ruby.c>
    <Directory /var/www/nonichaihealth.com/web>
    Options +ExecCGI
    </Directory>
    RubyRequire apache/ruby-run
    #RubySafeLevel 0
    AddType text/html .rb
    AddType text/html .rbx
    <Files *.rb>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    </Files>
    <Files *.rbx>
    SetHandler ruby-object
    RubyHandler Apache::RubyRun.instance
    </Files>
    </IfModule>

    <IfModule mod_perl.c>
    PerlModule ModPerl::Registry
    PerlModule Apache2::Reload
    <Directory /var/www/nonichaihealth.com/web>
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    </Directory>
    <Directory /var/www/clients/client0/web8/web>
    PerlResponseHandler ModPerl::Registry
    PerlOptions +ParseHeaders
    Options +ExecCGI
    </Directory>
    <Files *.pl>
    SetHandler perl-script
    </Files>
    </IfModule>

    <IfModule mod_python.c>
    <Directory /var/www/nonichaihealth.com/web>
    <FilesMatch "\.py$">
    SetHandler mod_python
    </FilesMatch>
    PythonHandler mod_python.publisher
    PythonDebug On
    </Directory>
    <Directory /var/www/clients/client0/web8/web>
    <FilesMatch "\.py$">
    SetHandler mod_python
    </FilesMatch>
    PythonHandler mod_python.publisher
    PythonDebug On
    </Directory>
    </IfModule>

    # cgi enabled
    <Directory /var/www/clients/client0/web8/cgi-bin>
    AllowOverride All
    Require all granted
    </Directory>
    ScriptAlias /cgi-bin/ /var/www/clients/client0/web8/cgi-bin/
    <FilesMatch "\.(cgi|pl)$">
    SetHandler cgi-script
    </FilesMatch>
    # suexec enabled
    <IfModule mod_suexec.c>
    SuexecUserGroup web8 client0
    </IfModule>
    <IfModule mod_fastcgi.c>
    <Directory /var/www/clients/client0/web8/cgi-bin>
    Require all granted
    </Directory>
    <Directory /var/www/nonichaihealth.com/web>
    <FilesMatch "\.php[345]?$">
    SetHandler php-fcgi
    </FilesMatch>
    </Directory>
    <Directory /var/www/clients/client0/web8/web>
    <FilesMatch "\.php[345]?$">
    SetHandler php-fcgi
    </FilesMatch>
    </Directory>
    Action php-fcgi /php-fcgi virtual
    Alias /php-fcgi /var/www/clients/client0/web8/cgi-bin/php-fcgi-*-80-nonichaihealth.com
    FastCgiExternalServer /var/www/clients/client0/web8/cgi-bin/php-fcgi-*-80-nonichaihealth.com -idle-timeout 300 -socket /var/lib/php7.3-fpm/w$
    </IfModule>
    <IfModule mod_proxy_fcgi.c>
    #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.3-fpm/web8.sock|fcgi://localhost//var/www/clients/client0/web8/web/$1
    <Directory /var/www/clients/client0/web8/web>
    <FilesMatch "\.php[345]?$">
    SetHandler "proxy:unix:/var/lib/php7.3-fpm/web8.sock|fcgi://localhost"
    </FilesMatch>
    </Directory>
    </IfModule>


    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTP_HOST} ^www\.nonichaihealth\.com$ [NC]
    RewriteRule ^(.*)$ http://nonichaihealth.com$1 [R=301,NE,L]

    # add support for apache mpm_itk
    <IfModule mpm_itk_module>
    AssignUserId web8 client0
    </IfModule>

    <IfModule mod_dav_fs.c>
    # Do not execute PHP files in webdav directory
    <Directory /var/www/clients/client0/web8/webdav>
    <ifModule mod_security2.c>
    SecRuleRemoveById 960015
    SecRuleRemoveById 960032
    </ifModule>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    DavLockDB /var/www/clients/client0/web8/tmp/DavLock
    # DO NOT REMOVE THE COMMENTS!
    # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
    # WEBDAV BEGIN
    # WEBDAV END
    </IfModule>




    </VirtualHost>
     
  7. ariban99

    ariban99 Member

    does the above shed any light as to why the letsencrypt is not working?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No. Are you sure that you enabled the ssl checkbox and the letsencrypt checkbox of the site? Enabling just lets encrypt is not enough, both checkboxes must be enabled. And your ISPConfig version is 3.1.15p3, right? And not an older version.
     
  9. ariban99

    ariban99 Member

    when i clicked letsencrypt, it automatically selects SSL too. there is NOTHING under SSL tab
    yes on the latest version that came with the tutorial for debian 10
     
  10. ariban99

    ariban99 Member

    so i found the issue hoping it can help others.
    being that till said the server is running fine and there is no indication of a server fault. i found in my case i am behind pfsense firewall and i have the dns resolving to my local lan. once i remove that, it now works fine on all domains besides the one domain that i previously tried earlier. i think somehow the files for that one is not correct and i don't know how to remove those files to try again. please let me know
    thank you
     
  11. nhybgtvfr

    nhybgtvfr Active Member

    in /etc/letsencrypt/archive and /etc/letsencrypt/live are folders for that domain, and in /etc/letsencrypt/renewal there's a conf file for that domain.
    you can just delete those and then request a new cert.
    there's probably a better (official) way of doing it though.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    I think deleting the folder manually should be fine. But the certbot command has also a delete option.
     
  13. ariban99

    ariban99 Member

    thank you i will delete it manually.
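
Added example, not part of the original thread or of ISPConfig/certbot: a read-only audit of the renewal configs under `/etc/letsencrypt`, checking each for the four file references (`cert`, `privkey`, `chain`, `fullchain`) whose absence produces the "missing a required file reference" error in the first log, and tagging `-NNNN` lineages like the `-0001` one seen there. The function names, the `--demo` switch and the `example.test` sample tree are constructed for illustration.

```shell
#!/usr/bin/env bash
# Prints one line per lineage: "<name> OK" or "<name> BROKEN <reasons>".
# A "-NNNN" suffix marks a second lineage certbot created for the same name.
audit_lineages() {
    local dir="${1:-/etc/letsencrypt}" conf name key path problems status
    for conf in "$dir"/renewal/*.conf; do
        [ -e "$conf" ] || continue              # glob matched nothing
        name="$(basename "$conf" .conf)"
        problems=""
        for key in cert privkey chain fullchain; do
            # Only top-level "key = value" lines count; stop at first [section].
            path="$(awk -F' *= *' -v k="$key" \
                '/^\[/ {exit} $1 == k {print $2; exit}' "$conf")"
            if [ -z "$path" ]; then
                problems="$problems $key:no-reference"
            elif [ ! -e "$path" ]; then         # also catches dangling symlinks
                problems="$problems $key:file-missing"
            fi
        done
        if [ -n "$problems" ]; then status="BROKEN$problems"; else status="OK"; fi
        case "$name" in
            *-[0-9][0-9][0-9][0-9]) status="$status (duplicate lineage)" ;;
        esac
        printf '%s %s\n' "$name" "$status"
    done
}

# Constructed sample tree (not data from the thread): a broken "example.test"
# renewal conf beside a healthy "example.test-0001" lineage.
make_demo_tree() {
    local d f; d="$(mktemp -d)"
    mkdir -p "$d/renewal" "$d/live/example.test-0001"
    for f in cert privkey chain fullchain; do
        : > "$d/live/example.test-0001/$f.pem"
        echo "$f = $d/live/example.test-0001/$f.pem" \
            >> "$d/renewal/example.test-0001.conf"
    done
    printf 'version = 1.3.0\ncert = %s/live/example.test/cert.pem\n[renewalparams]\n' \
        "$d" > "$d/renewal/example.test.conf"
    echo "$d"
}

# "--demo" audits the constructed tree; otherwise audit the given config dir.
if [ "${1:-}" = "--demo" ]; then set -- "$(make_demo_tree)"; fi
audit_lineages "$@"
```

A lineage reported as BROKEN is a candidate for the cleanup described in the last posts, either by removing its `archive`, `live` and `renewal` entries or with `certbot delete --cert-name <name>`.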
     
