letsencrypt won't add domain to certificate request

Discussion in 'General' started by nhybgtvfr, May 21, 2019.

  1. nhybgtvfr

    nhybgtvfr Active Member

    I've got a problem I've not come across before, where letscencrypt doesn't seem to be requesting the main domain of a website is added to a certificate.

    I've got the domain/vhost fis.carmarthenshire.gov.wales added as a domain, with fis.carmarthenshire.wales and ggd.sirgar.llyw.cymru added as alias domains.

    they all exist ok in the ispconfig database on that webserver (multiserver config) :
    Code:
    MariaDB [ispconfig_VPS7]> select domain,type from web_domain;
    +-------------------------------+-------+
    | domain                        | type  |
    +-------------------------------+-------+
    | ggd.sirgar.llyw.cymru         | alias |
    | fis.carmarthenshire.wales     | alias |
    | fis.carmarthenshire.gov.wales | vhost |
    +-------------------------------+-------+
    they exist ok in the vhost configuration:

    Code:
    <VirtualHost *:80>
        DocumentRoot /var/www/clients/client567/web2316/web
        ServerName fis.carmarthenshire.gov.wales
        ServerAlias ggd.sirgar.llyw.cymru
        ServerAlias fis.carmarthenshire.wales
        ServerAdmin [email protected]
    but it doesn't add the main domain in letsencrypt:
    Code:
    2019-05-21 11:12:04,390:DEBUG:certbot.main:certbot version: 0.17.0
    2019-05-21 11:12:04,390:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'fis.carmarthenshire.wales', '--domains', 'ggd.sirgar.llyw.cymru', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2019-05-21 11:12:04,390:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    it successfully gets a certificate, with the aliasdomains on it, but not the main domain:
    certificate hierarchy:
    DST Root CA X3
    Let's Encrypt Authority X3
    fis.carmarthenshire.wales

    Certificate Subject Alt Name
    Not Critical
    DNS Name: fis.carmarthenshire.wales
    DNS Name: ggd.sirgar.llyw.cymru

    yet I can manually request a certificate for the domain:

    Code:
    letsencrypt certonly -d fis.carmarthenshire.gov.wales
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    How would you like to authenticate with the ACME CA?
    -------------------------------------------------------------------------------
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
    -------------------------------------------------------------------------------
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for fis.carmarthenshire.gov.wales
    
    Select the webroot for fis.carmarthenshire.gov.wales:
    -------------------------------------------------------------------------------
    1: Enter a new webroot
    -------------------------------------------------------------------------------
    Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
    Input the webroot for fis.carmarthenshire.gov.wales: (Enter 'c' to cancel): /usr/local/ispconfig/interface/acme
    Waiting for verification...
    Cleaning up challenges
    Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    
    IMPORTANT NOTES:
     - Congratulations! Your certificate and chain have been saved at:
       /etc/letsencrypt/live/fis.carmarthenshire.gov.wales/fullchain.pem
       Your key file has been saved at:
       /etc/letsencrypt/live/fis.carmarthenshire.gov.wales/privkey.pem
       Your cert will expire on 2019-08-19. 
    what is going on here? how do I fix this?
    I've not had this problem with any other domain, I thought it might be restricted because it's a gov domain, but then surely I wouldn't be able to request it manually.

    full ispconfig letsencrypt log for the certificate request is in the attached file.
     

    Attached Files:

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can see in ispconfig debug mode why it got excluded. This normally happens when the domain is unreachable from server itself.
     
  3. nhybgtvfr

    nhybgtvfr Active Member

    do you mean setting ispconfig itself to debug? on the master? or just the affected webserver?

    because I've looked through the letsencrypt debug log, and the main domain simply isn't in the request.

    eg for penwernfach.co.uk, with alias penwern-fach-west-wales-cottages.co.uk, both appear as domains in the initial letsencrypt log:
    Code:
    letsencrypt.log.973:2018-09-10 10:06:02,525:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'penwernfach.co.uk', '--domains', 'www.penwernfach.co.uk', '--domains', 'penwern-fach-west-wales-cottages.co.uk', '--domains', 'www.penwern-fach-west-wales-cottages.co.uk', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    for fis.carmarthenshire.gov.wales with fis.carmarthenshire.wales and ggd.sirgar.llyw.cymru as aliases, fis.carmarthenshire.gov.wales simply isn't included in the initial request.

    Code:
    2019-05-21 11:12:04,390:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'fis.carmarthenshire.wales', '--domains', 'ggd.sirgar.llyw.cymru', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    
    and each domain is reachable from that webserver:

    Code:
    [email protected]:/home/ubuntu# ping fis.carmarthenshire.gov.uk
    PING fis.carmarthenshire.gov.uk (52.209.39.50) 56(84) bytes of data.
    64 bytes from carmarthenshire.gov.uk (52.209.39.50): icmp_seq=1 ttl=63 time=0.373 ms
    
    [email protected]:/home/ubuntu# ping fis.carmarthenshire.wales
    PING fis.carmarthenshire.wales (52.209.39.50) 56(84) bytes of data.
    64 bytes from carmarthenshire.gov.uk (52.209.39.50): icmp_seq=1 ttl=63 time=0.450 ms
    
    [email protected]:/home/ubuntu# ping ggd.sirgar.llyw.cymru
    PING ggd.sirgar.llyw.cymru (52.209.39.50) 56(84) bytes of data.
    64 bytes from carmarthenshire.gov.uk (52.209.39.50): icmp_seq=1 ttl=63 time=0.342 ms
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Right, and to find out why, use debug mode in ispconfig. Enable it on the master for the affected slave, disable server.sh cronjob on the slave, untick letsencrypt checkbox for the site and activate it again and then run server.sh on the slave server and post the output that you get on the shell. If it tells you that the domain was excluded, then the domain could not be reached from that slave.
     

Share This Page