Problem with letsencrypt after migration.

Discussion in 'Installation/Configuration' started by Nicram, Feb 3, 2019.

  1. Nicram

    Nicram Member

    I got problem with letsencrypt certificates.
    1st i have noticed, that my dovecot is using wrong cert. Then i checked if links are directing into correct folder inside letsencrypt /etc/. And it did. I didn't want to play with searching where and why things happen like that, so i go directly into ispc to see how about main server domain, and Letsencrypt was not checked (it was migrated with migration tool, and should be checked on).
    I checked it and save, but inside letsencrypt log there is only:
    MissingCommandlineFlag: Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['[email protected]:45:14Z (66c0)', '[email protected]:37:13Z (c5e9)'].
    I do not really know what to do next ;s
    Update:
    I removed second domain, but it still asking for it in the end (i removed ssl first, and then delete whole website in ispc), here is the full log;

    Code:
    2019-02-03 12:40:03,065:DEBUG:certbot.main:certbot version: 0.30.0
    2019-02-03 12:40:03,065:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02
    .api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'server.domain.pl', '--webroot-path', '/usr/loc
    al/ispconfig/interface/acme']
    2019-02-03 12:40:03,065:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginE
    ntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-02-03 12:40:03,074:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than mor
    e recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS pack
    ages.
    2019-02-03 12:40:03,074:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/s
    h', 'XDG_RUNTIME_DIR': '/run/user/0', 'LOADEDMODULES': '', 'HOME': '/root', 'HOSTNAME': 'server.domain.pl', 'HISTSIZE': '1000', 'HISTCONTROL': 'ignoredups', 'S
    HLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'USER': 'root', 'MAIL': '/var/spool/mail/root', 'PATH': '/sbin:/usr/sbin:/bin:/usr/bin:/
    usr/local/sbin:/usr/local/bin:/usr/X11R6/bin', 'LESSOPEN': '||/usr/bin/lesspipe.sh %s', 'XDG_SESSION_ID': '9927', 'MODULESHOME': '/usr/share/Modules', '_': '
    /opt/eff.org/certbot/venv/bin/certbot', 'MODULEPATH': '/usr/share/Modules/modulefiles:/etc/modulefiles'}
    2019-02-03 12:40:03,080:DEBUG:certbot.log:Root logging level set at 20
    2019-02-03 12:40:03,080:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-02-03 12:40:03,080:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2019-02-03 12:40:03,085:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f78f3994e90>
    Prep: True
    2019-02-03 12:40:03,085:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f78f3994e90> and installer
     None
    2019-02-03 12:40:03,086:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2019-02-03 12:40:03,093:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/bin/certbot", line 11, in <module>
        sys.exit(main())
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
        return config.func(config, plugins)
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1233, in certonly
        le_client = _init_le_client(config, auth, installer)
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 604, in _init_le_client
        acc, acme = _determine_account(config)
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 513, in _determine_account
        acc = display_ops.choose_account(accounts)
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/display/ops.py", line 86, in choose_account
        "Please choose an account", labels, force_interactive=True)
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/display/util.py", line 507, in menu
        self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
      File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/display/util.py", line 469, in _interaction_fail
        raise errors.MissingCommandlineFlag(msg)
    MissingCommandlineFlag: Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['[email protected]:45:14Z (66c0)', '[email protected]:37:13Z (c5e9)']
    Update nr 2
    Ok, what i did was the more testing. First, i was thinking that my dovecot cert is wrong, because outlook 2010 told me so. but it looks, like Outlook 2010 is using HTTPS certificate, because checking on other clients, and using openssl is showing correct values.

    # cat /etc/dovecot.conf
    listen = *,[::]
    protocols = imap pop3
    auth_mechanisms = plain login
    disable_plaintext_auth = no
    log_timestamp = "%Y-%m-%d %H:%M:%S "
    mail_privileged_group = vmail
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    ssl_protocols = !SSLv3

    Now from different box in the internet:

    # openssl x509 -in /etc/postfix/smtpd.cert -text -noout
    Certificate:
    Data:
    Version: 3 (0x2)
    Serial Number:
    xxxxxxxxxxxxxxxxxxxxxxxxx
    Signature Algorithm: sha256WithRSAEncryption
    Issuer: C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3
    Validity
    Not Before: Dec 4 02:00:57 2018 GMT
    Not After : Mar 4 02:00:57 2019 GMT
    Subject: CN=server.domain.pl
    Subject Public Key Info:
    Public Key Algorithm: rsaEncryption
    Public-Key: (2048 bit)

    Domain is correct!
    # openssl s_client -connect server.domain.pl:993 -crlf
    CONNECTED(00000003)
    depth=2 O = Digital Signature Trust Co., CN = DST Root CA X3
    verify return:1
    depth=1 C = US, O = Let's Encrypt, CN = Let's Encrypt Authority X3
    verify return:1
    depth=0 CN = server.domain.pl
    verify return:1

    Domain here is also correct! Same for POP3, SMTP, and SMTP with STARTTLS.

    So the only problem now, is on https, it use wrong certificate for the website, that use domain same as server do for ispc panel.
     
    Last edited: Feb 3, 2019
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Probably you have two accounts in /etc/letsencrypt/accounts/.... One from old server and another one from the new server. Backup /etc/letsencrypt folder, just to be sure, and then delete one of the accounts.
     
    Nicram likes this.
  3. Nicram

    Nicram Member

    This is what i did, and it worked. Thank You.
     

Share This Page