Letsencrypt not working anymore

Discussion in 'Installation/Configuration' started by Thomas Schachtner, May 16, 2018.

  1. Thomas Schachtner

    Thomas Schachtner New Member

    Hi there,
    I don't know exactly since when, but for some weeks, the automated generation of Letsencrypt certificates via ISPConfig has not worked anymore. When a certificate is due for renewal, the following lines are generated by the server.sh script:

    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for test1.example.com
    http-01 challenge for test1.example2.com
    http-01 challenge for test1.example3.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    Failed authorization procedure. test1.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ / test1.example.com/.well-known/acme-challenge/y3bguedb9zfaHOssW1Q23he37T4HJ2Eot5ycj7kzPwQ: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p", test1.example2.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ / test1.example2.com/.well-known/acme-challenge/eY7zN4_TA_FAKm-OkLKigtMBr960xdFZkXD4v7NpS7M: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>404 Not Found</title>
    </head><body>
    <h1>Not Found</h1>
    <p"
    finished.

    (I've modified the links above to be able to post this message...)
    Does anyone know why that may occur?
    Is there any way to debug it further?
    Is there any way to get test certificates instead of live certs, as I'm constantly reaching Letsencrypt's rate limits during my tests?

    I'm really stuck at the moment. Any hint would be very welcome.
    I already searched the web, but did not find a solution which fixes this issue on my server.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    To test this, run:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt

    on the shell to create a hello.txt file. You must then be able to reach it under the URL:

    http://test1.example.com/.well-known/acme-challenge/hello.txt

    If not, check if DNS for the domain is OK and next, check the rewrite rules of that website; maybe you redirect that request to a different location.
     
  3. Thomas Schachtner

    Thomas Schachtner New Member

    This part is working fine.
    I can access the file but cert renewal still doesn't work.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    When this works now, then renewal must work too.
     
  5. Thomas Schachtner

    Thomas Schachtner New Member

    Unfortunately, it does not.
    I already tried that. The same error messages appear.
    Could it be that the http challenge cannot be created for some reason?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Quite unlikely, as this is run as root. But you should take a look into the letsencrypt.log file, and you might want to update certbot, just to be sure that there is no error in certbot. And you can try to access hello.txt from outside as well, e.g. with a browser from your desktop.
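
The hello.txt check suggested in the thread, repeated for several domains at once, as an added example that is not part of the original posts or of ISPConfig: it writes a random file into the acme webroot and fetches it through each site, so a 404, a redirect or a different vhost answering shows up per domain. The function names and the script name `probe.py` are assumptions.

```python
#!/usr/bin/env python3
"""Probe an ACME http-01 webroot: write a random file, fetch it via each site."""
import os
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def fetch_and_compare(url, expected, timeout=10):
    """Fetch url and report whether it returns exactly the expected body."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            got = resp.read(4096).decode("utf-8", "replace").strip()
            final_url = resp.geturl()
    except urllib.error.HTTPError as exc:        # e.g. the 404 seen in the log
        return f"FAIL: HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:  # DNS, refused, timeout
        return f"FAIL: unreachable ({exc})"
    if got != expected:                          # another vhost or app answered
        return f"FAIL: wrong content (served from {final_url})"
    if final_url != url:                         # a rewrite/redirect rule fired
        return f"OK, but redirected to {final_url}"
    return "OK"


def probe_webroot(webroot, base_urls, timeout=10):
    """Return {base_url: verdict} for a throwaway file placed in webroot."""
    name = "probe-" + secrets.token_urlsafe(16)  # random, so never cached
    body = secrets.token_urlsafe(32)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, "w") as handle:
        handle.write(body)
    try:
        return {base: fetch_and_compare(
                    f"{base.rstrip('/')}/{CHALLENGE_DIR}/{name}", body, timeout)
                for base in base_urls}
    finally:
        os.remove(path)                          # leave the webroot clean


if __name__ == "__main__":
    # Usage: probe.py /usr/local/ispconfig/interface/acme http://test1.example.com ...
    for site, verdict in probe_webroot(sys.argv[1], sys.argv[2:]).items():
        print(f"{site}: {verdict}")
```

Run it on the server and again from a machine outside the network only if that machine can write to the webroot; otherwise the server-side run plus a browser check from outside covers both views.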
     
