LetsEncrypt on Debian Jessie + ISP3.12 - automatic fails, manual succeeds

Discussion in 'Installation/Configuration' started by muelli75, Mar 18, 2017.

  1. muelli75

    muelli75 New Member

    Hi out there!

    I'm working with ISPConfig 3.12 on Jessie. ISPConfig does its job, but LetsEncrypt isn't working when clicking on the "Let's Encrypt SSL" button in the Web Domain panel.

    The ISPConfig-Log shows warnings like "Let's Encrypt SSL Cert for: FQDN.at could not be issued." and "Could not verify domain www.FQDN.at, so excluding it from letsencrypt request."

    These warnings are sadly NOT written to /var/log/letsencrypt/letsencrypt.log

    If I try a manual installation of an LE certificate with
    certbot certonly --webroot -w /var/www/FQDN.at/web/ -d FQDN.at -d www.FQDN.at
    the verification fails (log is anonymized):

    Failed authorization procedure. www.FQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.FQDN.at/.well-known/acme-challenge/dZsMOMyBEg8hOqcnoH2UvpgzEACybcA_m6h_njp2eQE: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht", FQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kunststoffschilder.at/.well-known/acme-challenge/UioFNCfZR2DEcnKspuM-b3pTODf1I7SKeYyydFPlIsE: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    IMPORTANT NOTES:
    - The following errors were reported by the server:
    Domain: www.FQDN.at
    Type: unauthorized
    Detail: Invalid response from
    http://www.FQDN.at/.well-known/acme-challenge/dZsMOMyBEg8hOqcnoH2UvpgzEACybcA_m6h_njp2eQE:
    "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    If I do a manual installation of an LE certificate in standalone mode
    certbot certonly --standalone -d FQDN.at -d www.FQDN.at
    the certificate is created without errors.

    I checked if I can reach it in a browser,
    and I do. As a result I get the error "forbidden" (403).

    For some reason the log file /var/log/letsencrypt/letsencrypt.log is only written if my manual request fails or succeeds.

    Are there any ideas on how to solve this issue?

    Thanks for reading and replies!

    Martin
     
  2. ahrasis

    ahrasis Member

    How did you install your LE/certbot in the first place? Was it before or after installing/updating ISPC?
     
  3. florian030

    florian030 ISPConfig Developer

    ISPConfig tries to connect to each site before getting a cert for the domain. If it could not connect to the domain, this domain will be excluded. It seems that this is not working very well on all systems (we already discussed this).
    I disabled this check on my servers. new:
    Code:
      $le_domains = array();
      foreach($temp_domains as $temp_domain) {
      //  $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
      //  if($le_hash_check == $le_rnd_hash) {
          $le_domains[] = $temp_domain;
          $app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG);
      //  } else {
      //  $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
      //  }
      }
    
    old:
    Code:
      $le_domains = array();
      foreach($temp_domains as $temp_domain) {
        $le_hash_check = trim(@file_get_contents('http://' . $temp_domain . '/.well-known/acme-challenge/' . $le_rnd_file));
        if($le_hash_check == $le_rnd_hash) {
          $le_domains[] = $temp_domain;
          $app->log("Verified domain " . $temp_domain . " should be reachable for letsencrypt.", LOGLEVEL_DEBUG);
        } else {
          $app->log("Could not verify domain " . $temp_domain . ", so excluding it from letsencrypt request.", LOGLEVEL_WARN);
        }
      }
    
    lines 1300+ in nginx_plugin.inc.php and lines 1227+ in apache2_plugin.inc.php
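The pre-check quoted above only logs "could not verify"; it does not say whether the probe got a 403, a 404, a redirect to an HTML page (what the certbot output in the first post shows) or no answer at all. The following is an added example, not ISPConfig's or certbot's code: it performs the same probe (random file under .well-known/acme-challenge, fetched over plain HTTP) and reports the reason, so the web server rule can be fixed instead of the check being disabled. The webroot and domain names are the post's anonymised ones; `fetch` is a parameter so the logic can be exercised without a network.

```python
"""Diagnose an ACME http-01 challenge path (added example, not ISPConfig's code).

Mimics the ISPConfig pre-check quoted above (random file under .well-known/
acme-challenge, fetched over HTTP) but reports why the fetch fails."""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"

def http_fetch(url):
    """Default fetcher: (status, body); status 0 means no HTTP reply at all."""
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode("utf-8", "replace")
    except (urllib.error.URLError, OSError) as exc:
        return 0, str(exc)

def classify(status, body, token):
    """Map the HTTP response to a diagnosis of the challenge path."""
    if status == 200 and body.strip() == token:
        return "ok"
    if status == 403:
        return "forbidden: web server denies access to .well-known (deny/Options rules?)"
    if status == 404:
        return "not found: this webroot is not the vhost's document root"
    if status == 0:
        return "unreachable: DNS, firewall or nothing listening on port 80"
    if "<!doctype" in body.lower() or "<html" in body.lower():
        return "html page returned: a rewrite, redirect or front controller catches the path"
    return f"unexpected response (status {status})"

def probe_domain(webroot, domain, fetch=http_fetch):
    """Write a random token into webroot, fetch it via the domain, diagnose.
    Returns (diagnosis, url); the token file is removed afterwards."""
    token = secrets.token_urlsafe(32)
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(token)
    url = f"http://{domain}/{CHALLENGE_DIR}/{token}"
    try:
        status, body = fetch(url)
    finally:
        os.remove(path)
    return classify(status, body, token), url
```

Run `probe_domain('/var/www/FQDN.at/web', 'www.FQDN.at')` on the ISPConfig host itself; a "forbidden" result is the same 403 the browser showed in the first post and points at the vhost's access rules for .well-known.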
     
  4. muelli75

    muelli75 New Member

    Hi!

    Thanks for replying on this thread! I installed LE/certbot after installing ISPConfig.

    @florian030's hints work like a charm. I was able to request a certificate for a webspace/domain by clicking on the "Let's Encrypt SSL" button in the Web Domain panel.

    But ...

    Surfing with Firefox to https://www.FQDN1.at results in an SSL-Error.

    Your connection is not secure

    The owner of www.geruest-FQDN1.at has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.

    Learn more…

    Report errors like this to help Mozilla identify and block malicious sites

    www.geruest-FQDN1.at uses an invalid security certificate.

    The certificate is only valid for the following names:
    FQDN2.at, www.FQDN2.at

    Error code: SSL_ERROR_BAD_CERT_DOMAIN
    I requested a manual certificate (standalone) for FQDN2 which was successfully installed.

    Any ideas on how to solve this? Thanks for answers!

    Regards, Martin
     
  5. ahrasis

    ahrasis Member

    Check your website vhost files for LE SSL links i.e. whether they exist and are pointing to the right place.
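A way to verify that check from outside, as an added example that is not ISPConfig's or certbot's code: it connects to the vhost with SNI set to the name being tested, lists the DNS names in the certificate the server actually presents, and says whether that name is covered, which is exactly the SSL_ERROR_BAD_CERT_DOMAIN condition in the Firefox message above (served certificate valid only for FQDN2.at, www.FQDN2.at). Hostnames are the post's anonymised ones; the wildcard rule is the usual single-label one.

```python
"""Report which names a served TLS certificate covers (added example, not
ISPConfig's or certbot's code). Hostnames are the post's anonymised ones."""
import socket
import ssl

def san_covers(hostname, san_entries):
    """True if a DNS SAN matches hostname: exact, or one left-most wildcard label.

    san_entries has the shape of ssl getpeercert()['subjectAltName'],
    e.g. (('DNS', 'FQDN2.at'), ('DNS', 'www.FQDN2.at')).
    """
    host = hostname.lower().rstrip(".")
    for kind, value in san_entries:
        if kind != "DNS":
            continue
        pattern = value.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard matches exactly one label, and only in the left-most position.
        if pattern.startswith("*.") and host.count(".") == pattern.count("."):
            if host.split(".", 1)[1] == pattern[2:]:
                return True
    return False

def served_cert_report(hostname, port=443, timeout=5):
    """Connect with SNI=hostname and return (covers, dns_names) for the
    certificate the vhost really serves. Chain validation stays on; only the
    name check is off, so a valid-but-wrong cert (the post's case) is reported
    instead of aborting the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # verify_mode stays CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            san = tls.getpeercert().get("subjectAltName", ())
    names = [v for k, v in san if k == "DNS"]
    return san_covers(hostname, san), names

if __name__ == "__main__":
    import sys
    ok, names = served_cert_report(sys.argv[1])
    print("covers" if ok else "SSL_ERROR_BAD_CERT_DOMAIN: only valid for", ", ".join(names))
```

If the reported names belong to another site, the vhost's SSLCertificateFile/SSLCertificateKeyFile (or the nginx ssl_certificate lines) point at the wrong LE files, which is the check ahrasis suggests.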
     
