Problem with letsencrypt

Discussion in 'ISPConfig 3 Priority Support' started by pawan, Feb 10, 2017.

  1. pawan

    pawan Member HowtoForge Supporter

    I have done a fresh install of ISPCONFIG on Ubuntu 16.04 following this guide - The Perfect Server - Ubuntu 16.04 (Xenial Xerus) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1 - which includes
    Code:
    apt-get -y install letsencrypt
    Now activate the SSL I select the letsencrypt checkbox in ISPCONFIG - and save it. when opening website page in the checkbox shows as not selected.
    The error log of letsencrypt is like this:
    Code:
    2017-02-10 15:22:06,294:DEBUG:letsencrypt.cli:Root logging level set at 30
    2017-02-10 15:22:06,295:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-02-10 15:22:06,295:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
    2017-02-10 15:22:06,295:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt$
    2017-02-10 15:22:06,296:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standa$
    2017-02-10 15:22:06,296:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
    2017-02-10 15:22:06,296:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --d$
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/disco.py", line 103, in prepare
        self._initialized.prepare()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py", line 56, in prepare
        "Missing parts of webroot configuration; please set either "
    PluginError: Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with  --help webroot for examples.
    2017-02-10 15:22:06,296:DEBUG:letsencrypt.display.ops:No candidate plugin
    2017-02-10 15:22:06,296:DEBUG:letsencrypt.cli:Selected authenticator None and installer None
    2017-02-10 15:22:06,296:INFO:letsencrypt.cli:Could not choose appropriate plugin: The webroot plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with  --help webroot for examples.',)
    2017-02-10 15:22:06,297:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 683, in obtain_cert
        installer, authenticator = choose_configurator_plugins(config, plugins, "certonly")
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 635, in choose_configurator_plugins
        diagnose_configurator_problem("authenticator", req_auth, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 536, in diagnose_configurator_problem
        raise errors.PluginSelectionError(msg)
    PluginSelectionError: The webroot plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with  --help webroot for examples.',)
    
     
  2. sjau

    sjau Local Meanie Moderator

    you need to run letsencrypt once from the root cli, it will pull dependencies and stuff. But do not let it configure anything.
     
  3. pawan

    pawan Member HowtoForge Supporter

    how to run letsenrypt from cli. Just typing letsencrypt and enter will do.
    Again how I will skip configure.
     
  4. sjau

    sjau Local Meanie Moderator

    that should all be in the perfect howto that you followed
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw you can use the ispconfig debug mode to see why a LE cert could not be created.
     
  6. pawan

    pawan Member HowtoForge Supporter

    okay in the ISPCONFIG admin after enabling debug:
    I am getting in this order:
    Code:
    Create Let's Encrypt SSL Cert for: megashopping.dk
    Let's Encrypt SSL Cert domains:
    exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@megashopping.dk --webroot-path /usr/local/ispconfig/interface/acme
    Let's Encrypt SSL Cert for: megashopping.dk could not be issued.
    Writing the vhost file: /etc/apache2/sites-available/megashopping.dk.vhost
    Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web1.conf
    Calling function 'restartPHP_FPM' from module 'web_module'.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Please try to run this command as root on the shell:

    /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@megashopping.dk --webroot-path /usr/local/ispconfig/interface/acme

    Which error message do you get and which error is logged in the letsencrypt log file?
     
  8. pawan

    pawan Member HowtoForge Supporter

    Ok I run the command in the terminal and I get
    The webroot plugin is not working; there may be problems with your existing conf iguration.
    The error was: PluginError('Missing parts of webroot configuration; please set e ither --webroot-path and --domains, or --webroot-map. Run with --help webroot f or examples.',)
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, strange, the --domains switch is missing indeed. Are you using ISPConfig 3.1.2?
     
  10. pawan

    pawan Member HowtoForge Supporter

    it is showing in help -version - ISPConfig Version: 3.1dev
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    That's one of the development releases, download ispconfig 3.1.2 from ispconfig.org, unpack the tar.gz file and then run the update.php script in the install folder to update your system to the 3.1.2 stable release.
     
  12. pawan

    pawan Member HowtoForge Supporter

    update the Ispconfig to 3.1.2
    Run the command again in the terminal
    Code:
    usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@megashopping.dk --webroot-path /usr/local/ispconfig/interface/acme
    The webroot plugin is not working; there may be problems with your existing configuration.
    The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with  --help webroot for examples.',)
    
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Login to ispconfig and enable letsencrypt, the command is from the other ispconfig version, so not relevant for 3.1.2.
     
  14. pawan

    pawan Member HowtoForge Supporter

    I already did that, just skipped to mention that.
    I get the similar error as mentioned
    Code:
    Let's Encrypt SSL Cert for: megashopping.dk could not be issued.
    exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@megashopping.dk --domains megashopping.dk --domains www.megashopping.dk --webroot-path /usr/local/ispconfig/interface/acme
    This is the letsencrypt log
    Code:
    2017-02-15 10:51:01,784:DEBUG:letsencrypt.cli:Root logging level set at 30
    2017-02-15 10:51:01,784:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-02-15 10:51:01,785:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
    2017-02-15 10:51:01,785:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt$
    2017-02-15 10:51:01,785:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standa$
    2017-02-15 10:51:01,786:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
    2017-02-15 10:51:01,786:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-02-15 10:51:01,786:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-02-15 10:51:01,786:DEBUG:letsencrypt.display.ops:Single candidate plugin: * webroot
    Description: Webroot Authenticator
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = letsencrypt.plugins.webroot:Authenticator
    Initialized: <letsencrypt.plugins.webroot.Authenticator object at 0x7feca97a4150>
    Prep: True
    2017-02-15 10:51:01,787:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.webroot.Authenticator object at 0x7feca97a4150> and installer None
    2017-02-15 10:51:01,812:DEBUG:letsencrypt.cli:Picked account: <Account(7329a5253b0d8f448f5f1c3c7cd2cb66)>
    2017-02-15 10:51:01,817:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
    2017-02-15 10:51:01,824:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-02-15 10:51:02,026:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280
    2017-02-15 10:51:02,028:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-Id': 'EZU9qNXyd8Cj$
    2017-02-15 10:51:02,028:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-Id$
    2017-02-15 10:51:02,243:INFO:letsencrypt.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-letsencrypt.pem
    2017-02-15 10:51:02,254:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-letsencrypt.pem
    2017-02-15 10:51:02,255:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0001_csr-letsencrypt.pem', data='0\x82\x04\xa10\x82\x02\x89\x02\x01\x020\x1a1\x180\x16\x06\$
    2017-02-15 10:51:02,256:DEBUG:root:Requesting fresh nonce
    2017-02-15 10:51:02,256:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
    2017-02-15 10:51:02,257:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-02-15 10:51:02,447:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
    2017-02-15 10:51:02,449:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'kS7N5qwv4CSnIoA8w3HE1zQ6J_26Uwp1VAj$
    2017-02-15 10:51:02,449:DEBUG:acme.client:Storing nonce: "\x11!p\xae\x02M=\xd4w-\x1d\xbe\xc6\x01\xdc'\x95\xd8\xbev\x02>U\x0e\xdc:\xb1Ob\xdd\xf3\xf8"
    2017-02-15 10:51:02,449:DEBUG:acme.jose.json_util:Omitted empty fields: challenges=None, combinations=None, status=None, expires=None
    2017-02-15 10:51:02,450:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "megashopping.dk"}, "resource": "new-authz"}
    2017-02-15 10:51:02,452:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ$
    2017-02-15 10:51:02,461:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
    2017-02-15 10:51:02,461:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {$
    2017-02-15 10:51:02,462:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    2017-02-15 10:51:02,723:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1000
    2017-02-15 10:51:02,725:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1000', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-Id': 'qS6c0ta4MCx$
    2017-02-15 10:51:02,725:DEBUG:acme.client:Storing nonce: '\xb6Gd\r&\xdbN>\xf9\xfe\x06\x142@A\xd6\x80Cc\x16\x8d\x12N\xd6<\xf2\x9bAE7\xb82'
    2017-02-15 10:51:02,725:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1000', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-I$
    2017-02-15 10:51:02,726:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'veCPtLJ7bRVNvX9_fsAlTOGe3slj-SvYN2U8gzZCXKs', u'type'$
    2017-02-15 10:51:02,726:DEBUG:acme.jose.json_util:Omitted empty fields: challenges=None, combinations=None, status=None, expires=None
    2017-02-15 10:51:02,726:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "www.megashopping.dk"}, "resource": "new-authz"}
    2017-02-15 10:51:02,729:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ$
    2017-02-15 10:51:02,738:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
    2017-02-15 10:51:02,738:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {$
    2017-02-15 10:51:02,739:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    
    Note:
    I would like to mention here that A record for the domain megashopping.dk doesn't point the IP of this server at present.
    Can this cause the error/
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, this explains the problem. Letsenycrpyt will only issue an SSL cert when it can reach a token trough all domain names that it created on this server in real-time, so when a domain points to another server, the LE can not issue that SSL cert. This also explains why the --domain switch was not there in the dev version as the dev version removes all domains from LE command that are not reachable on this server and as no domains of this site point to this system, all domains had been removed.
     
    pawan likes this.
  16. sjau

    sjau Local Meanie Moderator

    Another option would be to use DNS-01 challenge. It will not check the domain itself whether you can provide a challenge file but it will query the zone file whether you can add a TXT record.
    If you host the DNS for that domain with a ISPC 3.1 installation, then the acme.sh client can be used for that.
     
    Last edited: Feb 17, 2017
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    We will most likely switch to acme.sh in one of the next releases to be able to provide the DNS-01 challenge as option.
     
  18. sjau

    sjau Local Meanie Moderator

    acme.sh - being a pure shell script without all that python stuff - just seems a lot less hassle for me :)

    The only drawback I noticed with DNS-01 is that it takes a bit longer to issue a cert. I made a 120s timeout between TXT added to the zone in ISPC and asking the LE servers to check updated zone file.
     

Share This Page