Letsencrypt not working - apache2-issue? (debian 8, ISPC 3.1.2)

Discussion in 'Installation/Configuration' started by muelli75, Mar 4, 2017.

  1. muelli75

    muelli75 New Member

    Hi!

    Im trying to setup a new enviroment (debian jessie) for multidomain-hosting. The base is done, now up for setting up ISPConfig 3.1.2

    The basics are done, but know I try to use LetsEncrypt. And this runs into troubles. The software:

    letsencrypt:all/jessie-backports 0.9.3-1~bpo8+2 uptodate
    letsencrypt.sh:all/jessie-backports 0.3.1-3~bpo8+1 uptodate
    letsencrypt.sh-apache2:all/jessie-backports 0.3.1-3~bpo8+1 uptodate
    certbot:all/jessie-backports 0.9.3-1~bpo8+2 uptodate
    python-certbot:all/jessie-backports 0.9.3-1~bpo8+2 uptodate


    If I try to install a certificate on a domain, it fails. Here the last lines of /var/log/letsencrypt/letsencrypt.log (Domainname is replaced by FQDN, IP is replaced by 0.0.0.0 - both values are correct in the original log; www is replaced by 3timesw because of forumlimitations )
    -------------
    2017-03-04 15:13:07,951:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1837', 'Expires': 'Sat, 04 Mar 2017 15:13:07 GMT', 'Boulder-Request-Id': '2_L56uXxlksQUmrxwCej2NfIMeaPsx3kV0q9KGIiT2U', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sat, 04 Mar 2017 15:13:07 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9K-N1NiCyNcTMpb1P0dEi9RTyP-yQ8qVFzSlJvkf-30'}): '{\n "identifier": {\n "type": "dns",\n "value": "FQDN.at"\n },\n "status": "invalid",\n "expires": "2017-03-11T15:13:03Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490150",\n "token": "JrpnPQ032WsNKv-8SGd5DlWd8-_jGtPyYwTzY1zt_hc"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490151",\n "token": "y0kf9J4DnXDbwr0daI49PXUvyVbJ3bb4_X8iBLVc4Ww"\n },\n {\n "type": "http-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:unauthorized",\n "detail": "Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: \\"\\u003c!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\"\\n \\"3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"\\u003e\\n\\u003cht\\"",\n "status": 403\n },\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490152",\n "token": "Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw",\n "keyAuthorization": "Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw.fdbOPairyNMFtrUe2okKB8okxfEZoY7ZTF3cfVcJqy8",\n "validationRecord": [\n {\n "url": "FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw",\n "hostname": "FQDN.at",\n "port": "80",\n "addressesResolved": [\n "0.0.0.0"\n ],\n "addressUsed": "0.0.0.0"\n }\n ]\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
    2017-03-04 15:13:07,952:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

    Domain: 3timesWFQDN.at
    Type: unauthorized
    Detail: Invalid response from 3timesWFQDN.at/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    Domain: FQDN.at
    Type: unauthorized
    Detail: Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2017-03-04 15:13:07,952:INFO:certbot.auth_handler:Cleaning up challenges
    2017-03-04 15:13:07,952:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw
    2017-03-04 15:13:07,952:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M
    2017-03-04 15:13:07,953:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-03-04 15:13:07,953:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    2017-03-04 15:13:07,954:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/letsencrypt", line 9, in <module>
    load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 100, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
    File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 281, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
    File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. 3timesWFQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 3timesWFQDN.at/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht", FQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"
    -------------
    Another strange thing is found in /var/log/apache2/error.log. Maybe this things have somthing in common.
    ---------

    [Sat Mar 04 16:13:09.387850 2017] [:error] [pid 17655] python_init: Python version mismatch, expected '2.7.5+', found '2.7.9'.
    [Sat Mar 04 16:13:09.387899 2017] [:error] [pid 17655] python_init: Python executable found '/usr/bin/python'.
    [Sat Mar 04 16:13:09.387901 2017] [:error] [pid 17655] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Sat Mar 04 16:13:09.387911 2017] [:notice] [pid 17655] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Sat Mar 04 16:13:09.387913 2017] [:notice] [pid 17655] mod_python: using mutex_directory /tmp
    [Sat Mar 04 16:13:09.393183 2017] [ssl:warn] [pid 17655] AH01906: monarch.FQDN2.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Sat Mar 04 16:13:09.393221 2017] [ssl:error] [pid 17655] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=monarch.FQDN2.at,O=XXX,L=Wiener Neustadt,ST=NOE,C=AT / issuer: CN=monarch.FQDN2.at,O=XXX,L=Wiener Neustadt,ST=NOE,C=AT / serial: A00BCDDD9B2AE815 / notbefore: Feb 26 15:57:41 2017 GMT / notafter: Feb 24 15:57:41 2027 GMT]
    [Sat Mar 04 16:13:09.393223 2017] [ssl:error] [pid 17655] AH02567: Unable to configure certificate monarch.FQDN2.at:8080:0 for stapling
    [Sat Mar 04 16:13:09.395829 2017] [mpm_prefork:notice] [pid 17655] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 mod_python/3.3.1 Python/2.7.9 OpenSSL/1.0.1t configured -- resuming normal operations
    [Sat Mar 04 16:13:09.395842 2017] [core:notice] [pid 17655] AH00094: Command line: '/usr/sbin/apache2'
    ---
    Thank you for taking time to read this and thanks for all your answers.

    Best regards,
    martin
     
    Last edited: Mar 5, 2017
  2. muelli75

    muelli75 New Member

    Hi!

    Here further informations to this thread:
    If I do
    curl -k https://FQDN.at:443
    from another debian-server, the result ist
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

    So I checked http://www.FQDN.at:443 (please not the missing S) in Firefox - and i got the default apache-page (not the default ISPC-Page).
    If I check https://www.FQDN.at, I get as answer "ERR_SSL_PROTOCOL_ERROR" (Chrome) or "SSL_ERROR_RX_RECORD_TOO_LONG" (Firefox). Some hints around the web telling, that apache2 is not listening on Port 443.

    But
    netstat -anp|grep 443
    tcp6 0 0 :::443 :::* LISTEN 30851/apache2
    unix 3 [ ] STREAM CONNECTED 3002443 1756/master​
    says, that apache2 will do.

    If I try to telnet form another machine to FQDN.at I was able to conncet on 443:

    telnet FQDN.at 443
    Trying 136.XXX.9.XXX...
    Connected to FQDN.at.
    Escape character is '^]'.
    connection.info
    HTTP/1.1 400 Bad Request
    Date: Sun, 05 Mar 2017 10:51:29 GMT
    Server: Apache/2.4.10 (Debian)
    Content-Length: 316
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    </p>
    <hr>
    <address>Apache/2.4.10 (Debian) Server at monarch.XXXX.at Port 80</address>
    </body></html>
    Connection closed by foreign host.​

    Looking in /etc/apache2/error.log, there are some errors:

    [Sun Mar 05 11:17:07.596204 2017] [ssl:warn] [pid 30851] AH01906: monarch.XXX.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

    [Sun Mar 05 11:17:07.596240 2017] [ssl:error] [pid 30851] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=monarch.XXXX.at,O=XXXX,L=Wiener Neustadt,ST=NOE,C=AT / issuer: CN=monarch.XXX.at,O=XXXX,L=Wiener Neustadt,ST=NOE,C=AT / serial: A00BCDDD9B2AE815 / notbefore: Feb 26 15:57:41 2017 GMT / notafter: Feb 24 15:57:41 2027 GMT]

    [Sun Mar 05 11:17:07.596243 2017] [ssl:error] [pid 30851] AH02567: Unable to configure certificate monarch.XXXX.at:8080:0 for stapling​

    Any ideas around this SSL-issues? Thanks for any hints!

    Martin
     
    Last edited: Mar 17, 2017
  3. muelli75

    muelli75 New Member

    Ok - it tooks hours, but its so simple:
    apt-get install python-certbot-apache​
    did the job.

    I only installed 'python-certbot' - so some of the LE-scripts did their job but failed finally.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    I'm a little curious here .. I don't install python-certbot-apache, only python-certbot, and recommend the same to others. I've not had a problem with that.
     

Share This Page