[SOLVED]ISP Config 3.1.13 broke LetsEncrypt on NginX?

Discussion in 'Installation/Configuration' started by labsy, Aug 31, 2018.

  1. labsy

    labsy Member

    Hi,
    I have ISPConfig on Ubuntu 16.04 with NginX, was working fine until recent update to ISPConfig 3.1.13. Seems like Let'sEncrypt cannot be ENABLED on website anymore. Was working fine ever since recent update.
    From /var/log/letsencrypt/letsencrypt.log I can see the following error:
    Code:
    2018-08-30 22:09:02,698:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 689, in obtain_cert
        le_client = _init_le_client(config, authenticator, installer)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 206, in _init_le_client
        acc, acme = _determine_account(config)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 191, in _determine_account
        config, account_storage, tos_cb=_tos_cb)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 116, in register
        acme = acme_from_config_key(config, key)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 41, in acme_from_config_key
        return acme_client.Client(config.server, key=key, net=net)
      File "/usr/lib/python2.7/dist-packages/acme/client.py", line 63, in __init__
        self.net.get(directory).json())
      File "/usr/lib/python2.7/dist-packages/acme/messages.py", line 169, in from_json
        raise jose.DeserializationError(str(error))
    DeserializationError: Deserialization error: Wrong directory fields
    
     
  2. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    try to update letsencrypt. this not releated to ispconfig-update. i think, it's a bug on ubuntu.
     
    ahrasis likes this.
  3. labsy

    labsy Member

    Hi Florian,
    I am afraid to mess with letsencrypt install in order to not break existing LE certificates, which are installed and running on existing ISPConfig web sites (configured via ISPCOnfig).
    Any tip on how to proceed with letsencrypt update to not ruin those?

    BTW... this web site, which does not want to cooperate with letsencrypt, has REDIRECT configured from www.website.com to website.com inside Wordpress. Might that be guilty for letsencrypt failure?
     
  4. labsy

    labsy Member

    Should I follow the procedure, described here: https://www.howtoforge.com/community/threads/ubuntu-16-04-letsencrypt-not-working.79568/
    Code:
    apt update
    apt install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt update
    apt upgrade -y
    apt remove letsencrypt -y
    apt install python-certbot-nginx -y
    What's bothering me is that I do not know, if I have Certbot or not?
    And also if LE will still work for existing sites with ISPConfig after those steps or not?
    Hmmmm....
     
    Last edited: Aug 31, 2018
  5. ahrasis

    ahrasis Well-Known Member

    It's ok to run that since ISPConfig will determine whether you use letsencrypt or certbot via its plugin. ISPConfig will also check whether you are using certbot version 22 or above, so that it will use acme v02 api instead of older v01. Both are using /etc/letsencrypt folder, so, if you unsure, or want to play safe, just backup that folder before running that.
     
  6. labsy

    labsy Member

    SOLVED! by following the previous set of commands. Obviously I had installed letsencrypt and NOT certbot. By following the above mentioned set of commands, I added prerequisites, PPE repository and Python Certbot client while removing letsencrypt client. ISP Config coped with changes just fine and worked without any other actions needed.
    Thank you all for participating :)
     
    ahrasis likes this.
  7. electron79

    electron79 New Member

    Hello, my case is similar:

    2018-12-19 16:30:24,366:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
    renewal.renew_cert(config, domains, le_client, lineage)
    File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
    File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 178, in _poll_challenges
    domain, chall_update[domain])
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 209, in _handle_check
    self.authzr[domain], _ = self.acme.poll(self.authzr[domain])
    File "/usr/lib/python2.7/dist-packages/acme/client.py", line 289, in poll
    response = self.net.get(authzr.uri)
    File "/usr/lib/python2.7/dist-packages/acme/client.py", line 641, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
    File "/usr/lib/python2.7/dist-packages/acme/client.py", line 570, in _check_response
    raise messages.Error.from_json(jobj)
    Error: urn:acme:error:serverInternal :: The server experienced an internal error :: Problem getting authorization

    I am using GNU/Debian 9 with Apache.
    ISPConfig Version: 3.1.13

    Thanks.
     
  8. electron79

    electron79 New Member

    I execute - apt install python-certbot-apache - but:

    2018-12-19 17:02:42,493:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.10.2', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 849, in main
    return config.func(config, plugins)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 626, in obtain_cert
    action, _ = _auth_from_available(le_client, config, domains, certname, lineage)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 103, in _auth_from_available
    renewal.renew_cert(config, domains, le_client, lineage)
    File "/usr/lib/python2.7/dist-packages/certbot/renewal.py", line 296, in renew_cert
    new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
    File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 262, in obtain_certificate
    self.config.allow_subset_of_names)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 77, in get_authorizations
    self._respond(resp, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 134, in _respond
    self._poll_challenges(chall_update, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 198, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)

    FailedChallenges: Failed authorization procedure. site.com (http-01): urn:acme:error:dns :: DNS problem: query timed out looking up CAA for site.com

    Thanks...
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Does name service resolve your hostame? Try with
    Code:
    host servername.domain.com
    where you replace servername.domain.com with your own real FQDN.
     
  10. electron79

    electron79 New Member

    Thanks for replay, this is in "nano /etc/hostname "??

    Thanks...
     
  11. electron79

    electron79 New Member

    Thanks, the problem was my firewall "ufw", this was blocking the ip of Letsencrypt = 66.133.109.36.

    Resolved ... :):)
     
    till likes this.

Share This Page