[solved] Lets Encrypt not working anymore

Discussion in 'Installation/Configuration' started by Cris Kolkman, Jun 12, 2017.

  1. Cris Kolkman

    Cris Kolkman Member

    Hello all,

    I recently moved my complete ISPConfig to a new server and most things are working fine (as far as I can tell atm.. :) )
    But I do have a problem with Lets Encrypt, I added a new website in ISPConfig and turned on Lets Encrypt, but nothing happens.
    Strange thing is that I don't see anything appear in the Lets Encrypt logs (I looked in /var/log/letsencrypt/letsencrypt.log).
    Is that the correct file to look for Lets Encrypt errors?

    What could be the issue here?

    Thanks in advance!
     
  2. Cris Kolkman

    Cris Kolkman Member

    I tried Lets Encrypt using cli to see if I get an error, and I did:

    Code:
    root@SERVER:~/.local/share/letsencrypt/bin# ./certbot certonly --webroot -w /var/www/SUB.MYDOMAIN.COM -d SUB.MYDOMAIN.COM
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Enter email address (used for urgent renewal and security notices) (Enter 'c' to
    cancel):info@mydomain.com
    
    -------------------------------------------------------------------------------
    Please read the Terms of Service at
    https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf. You must agree
    in order to register with the ACME server at
    https://acme-v01.api.letsencrypt.org/directory
    -------------------------------------------------------------------------------
    (A)gree/(C)ancel: a
    
    -------------------------------------------------------------------------------
    Would you be willing to share your email address with the Electronic Frontier
    Foundation, a founding partner of the Let's Encrypt project and the non-profit
    organization that develops Certbot? We'd like to send you email about EFF and
    our work to encrypt the web, protect its users and defend digital rights.
    -------------------------------------------------------------------------------
    (Y)es/(N)o: n
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for SUB.MYDOMAIN.COM
    Using the webroot path /var/www/SUB.MYDOMAIN.COM for all unmatched domains.
    Cleaning up challenges
    Encountered exception during recovery
    [Errno 2] No such file or directory: '/var/www/SUB.MYDOMAIN.COM/.well-known/acme-challenge/CBUx_02pbvck39BQsMXMFK3PV_2XWpFmC66qyn4Rxbc'
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/error_handler.py", line 99, in _call_registered
        self.funcs[-1]()
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 284, in _cleanup_challenges
        self.auth.cleanup(achalls)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/plugins/webroot.py", line 222, in cleanup
        os.remove(validation_path)
    OSError: [Errno 2] No such file or directory: '/var/www/SUB.MYDOMAIN.COM/.well-known/acme-challenge/CBUx_02pbvck39BQsMXMFK3PV_2XWpFmC66qyn4Rxbc'
    ("Couldn't create root for {0} http-01 challenge responses: {1}", u'SUB.MYDOMAIN.COM', OSError(13, 'Permission denied'))
    
    IMPORTANT NOTES:
    - Your account credentials have been saved in your Certbot
       configuration directory at /etc/letsencrypt. You should make a
       secure backup of this folder now. This configuration directory will
       also contain certificates and private keys obtained by Certbot so
       making regular backups of this folder is ideal.
    
    It seems it cannot create .well-known or something?
    Also when I go to http://sub.mydomain.com/.well-known/acme-challenge/test.html I get a 403 error file not found, while I created the dirs and the test.html
    
    Edit: This error also shows in the letsencrypt.log when I use the cli to issue a cert, but not when I enable Lets Encrypt in ISPConfig.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not use the cli, it conflicts with ISPConfig and will disable this domain for use in ISPConfig. Besides that, you used a wrong path so LE could not find its token. Back to your original problem: to find out why you can't activate LE in ISPConfig, see ispconfig log and letsencrypt log.
     
  4. Cris Kolkman

    Cris Kolkman Member

    Hello Till,

    Normally I'm not using cli to get a cert but I just wanted to see an error :)

    Both the ispconfig log and the lets encrypt log show nothing.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Please enable debug log level in ISPConfig, then comment out the server.sh cronjob in the root crontab (crontab -e) command. Then enable the LE checkbox in the website again and finally run the server.sh script on the shell and post the output that you get there.
     
  6. Cris Kolkman

    Cris Kolkman Member

    Till,

    Enabling the debug log level made the server stop working :S
    Not reachable on SSH anymore and while apache2 has the status "running", I can't connect to it anymore.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, the debug level can not cause this. But you said you moved the ispconfig install from another server. Is it possible that you did not change the network settings under system > server config and now by activating the log level, you instructed ispconfig to reconfigure the network card by confirming the old IP address etc. which is on the same form? If this happened, you will have to connect to the server on a rescue console or otherwise directly and change the network settings back to the correct values in the network config file (/etc/network/interfaces on Debian and Ubuntu).
     
  8. Cris Kolkman

    Cris Kolkman Member

    Thanks @till that was the problem indeed! :)

    Now I got these errors in the ispconfig.log:

    Code:
    12.06.2017-18:52 - WARNING - Could not verify domain sub.mydomain.com, so excluding it from letsencrypt request.
    12.06.2017-18:52 - WARNING - Let's Encrypt SSL Cert for: sub.mydomain.com could not be issued.
    
    Which is quite strange because all the DNS records for that domain should be fine.
    Nothing in the Lets Encrypt log though.
     
  9. Cris Kolkman

    Cris Kolkman Member

    Keep getting this error:

    Code:
    13.06.2017-09:35 - WARNING - Could not verify domain sub.domain.com, so excluding it from letsencrypt request.
    13.06.2017-09:35 - WARNING - Let's Encrypt SSL Cert for: sub.domain.com could not be issued.
    
    While I do have an A record in the DNS for this sub domain.
    Nothing appears in the letsencrypt.log when I try to issue a cert, only in the ispconfig.log
     
  10. Cris Kolkman

    Cris Kolkman Member

    Problem seems to be solved by changing internal DNS settings.
    Cert has been created.
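
Added example, not part of the thread and not ISPConfig's own code: it pulls the domains named in the "Could not verify domain" warnings out of ispconfig.log and classifies how the server's own DNS answer for each compares with the public one. It assumes the check behind that warning is made from the server itself and therefore uses the server's resolver; the function names and sample addresses are constructed for illustration, and the public answer has to be supplied by the caller (for instance from a query against an external resolver).

```python
import ipaddress
import re
import socket
# Line format taken from the ispconfig.log excerpts in this thread.
VERIFY_FAIL = re.compile(
    r"^\d{2}\.\d{2}\.\d{4}-\d{2}:\d{2} - WARNING - "
    r"Could not verify domain (\S+), so excluding it from letsencrypt request\."
)
# Loopback and RFC 1918 ranges: answers that only work inside the server/LAN.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def failed_domains(log_text):
    """Domains that failed the pre-check, de-duplicated in first-seen order."""
    seen = []
    for line in log_text.splitlines():
        m = VERIFY_FAIL.match(line.strip())
        if m and m.group(1).lower() not in seen:
            seen.append(m.group(1).lower())
    return seen

def resolve_local(host):
    """Addresses this machine's resolver returns (/etc/hosts, internal DNS)."""
    try:
        return {ai[4][0].split("%")[0] for ai in socket.getaddrinfo(host, 80)}
    except socket.gaierror:
        return set()

def diagnose(local_addrs, public_addrs):
    """Compare the server's view of a name with a caller-supplied public answer."""
    local = {ipaddress.ip_address(a) for a in local_addrs}
    public = {ipaddress.ip_address(a) for a in public_addrs}
    if not local:
        return "unresolvable-locally"      # internal resolver has no record
    if local & public:
        return "consistent"                # DNS is not the cause
    if all(any(a in net for net in INTERNAL) for a in local):
        return "internal-only-answer"      # hosts file or split-horizon DNS
    return "mismatch"                      # e.g. stale record for an old server

# Constructed sample input; 203.0.113.10 is a documentation address.
SAMPLE_LOG = """\
13.06.2017-09:35 - WARNING - Could not verify domain sub.domain.com, so excluding it from letsencrypt request.
13.06.2017-09:35 - WARNING - Let's Encrypt SSL Cert for: sub.domain.com could not be issued.
"""

if __name__ == "__main__":
    for name in failed_domains(SAMPLE_LOG):
        print(name, diagnose(resolve_local(name), {"203.0.113.10"}))
```

Any result other than "consistent" means the server and the outside world disagree about where the name points, which matches a failure that shows up in ispconfig.log while letsencrypt.log stays empty.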
     
