Ssl Certificate

Discussion in 'Installation/Configuration' started by Z3r0h0ur, Mar 1, 2019.

  1. Z3r0h0ur

    Z3r0h0ur New Member

    Hello, all!
    I have a problem installing an SSL certificate on an ISPConfig site.
    Checking the SSL and Let's Encrypt SSL checkboxes does not work.
    I obtained certs via certbot and added them manually in the SSL tab of the site configuration, but that is not working either.
    I observed that ISPConfig is not adding the <VirtualHost myip:443> directive to mysite.vhost. It somehow fails.
    How can I debug that? Any suggestions would be much appreciated. Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. Z3r0h0ur

    Z3r0h0ur New Member

    Thank you till as always!
    Well, I set the debugging level of the logs and I got this error:
    Code:
     "You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages."
    Now, how do I update it? Also, I have a newer version of certbot installed under /opt/certbot/. Can I tell ISPConfig to use that one?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig uses the one from opt automatically. But maybe you have a second one installed in a system directory. If that's the case, remove the old copy. But normally the above message is not causing any issues, so the problem you have is most likely not related to this message.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    To get the reason for your problem, enable debug log level in ispconfig as described in the faqforge article, comment out the ispconfig root cronjob, enable the ssl and lets encrypt checkbox and run the server.sh script as root user on the shell and post the output. It will show the details why SSL could not be enabled with Let's encrypt for that website.
     
  6. Z3r0h0ur

    Z3r0h0ur New Member

    I guess I found the issue:
    Code:
    2019-03-01 18:20:02,777:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1234, in certonly
        le_client = _init_le_client(config, auth, installer)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 605, in _init_le_client
        acc, acme = _determine_account(config)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 513, in _determine_account
        acc = display_ops.choose_account(accounts)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/display/ops.py", line 86, in choose_account
        "Please choose an account", labels, force_interactive=True)
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/display/util.py", line 507, in menu
        self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
      File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/display/util.py", line 469, in _interaction_fail
        raise errors.MissingCommandlineFlag(msg)
    MissingCommandlineFlag: Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['[email protected]:40:16Z (d3sd3)', '[email protected]:23:42Z (32asf3)']
    I somehow have 2 LE accounts and the script has no instruction to choose one. Is it safe to remove the old one, or is there another option to fix that?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, you have to remove one of the accounts. Remove the one that is not in use. If you used both accounts, then you will have to modify the renewal config files of the SSL certs manually to use just one account before you delete the other one. Otherwise renewals will fail for certs that use the removed account.
     
  8. Z3r0h0ur

    Z3r0h0ur New Member

    OK. Thank you, till!
     
  9. Z3r0h0ur

    Z3r0h0ur New Member

    So, I removed one of the 2 accounts and solved the problem with getting the certs from Let's Encrypt.
    Now I'm facing another problem, regarding setting the cert for a subdomain.
    What I have:
    a domain example.com
    and a subdomain sub.example.com
    I created the subdomain as a new domain with sub.example.com filled in the "domain" field.
    In DNS records I added A records for sub.example.com and www.sub.example.com.
    No problems with reaching the domain and subdomain.
    Set the debug level for the server.
    The letsencrypt log says: Congratulations! Your certificate and chain have been saved
    The only problem is that ISPConfig does not trigger editing of sub.example.com.conf and it is missing the <VirtualHost myip:443> section.
    What could be the problem? Thanks
     
  10. Z3r0h0ur

    Z3r0h0ur New Member

    Maybe this clears up my situation a bit:
    I successfully set the cert for example.com
    I successfully set the cert for subdomain first.example.com
    I can not set the cert for subdomain second.example.com

    This is the output of the server.sh script for example.com
    Code:
    20.03.2019-09:07 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    20.03.2019-09:07 - DEBUG - Found 1 changes, starting update process.
    20.03.2019-09:07 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    20.03.2019-09:07 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    20.03.2019-09:07 - DEBUG - Create Let's Encrypt SSL Cert for: example.com
    20.03.2019-09:07 - DEBUG - Let's Encrypt SSL Cert domains:  --domains example.com --domains www.example.com
    20.03.2019-09:07 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains example.com --domains www.example.com --webroot-path /usr/local/ispconfig/interface/acme
    You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for example.com
    http-01 challenge for www.example.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    20.03.2019-09:07 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/example.com.conf.
    20.03.2019-09:07 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/example.com/fullchain.pem exists.
    20.03.2019-09:07 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web22/.php-fcgi-starter
    20.03.2019-09:07 - DEBUG - Enable SSL for: example.com
    20.03.2019-09:07 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/example.com.vhost
    20.03.2019-09:07 - DEBUG - Apache status is: running
    20.03.2019-09:07 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    20.03.2019-09:07 - DEBUG - Restarting httpd: systemctl restart apache2.service
    20.03.2019-09:07 - DEBUG - Apache restart return value is: 0
    20.03.2019-09:07 - DEBUG - Apache online status after restart is: running
    20.03.2019-09:07 - DEBUG - Processed datalog_id 2858
    20.03.2019-09:07 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    The output for first.example.com is quite the same
    This is the output of the server.sh script for subdomain second.example.com
    Code:
    20.03.2019-09:34 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    20.03.2019-09:34 - DEBUG - Found 1 changes, starting update process.
    20.03.2019-09:34 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    20.03.2019-09:34 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    20.03.2019-09:34 - DEBUG - Create Let's Encrypt SSL Cert for: second.example.com
    20.03.2019-09:34 - DEBUG - Let's Encrypt SSL Cert domains:  --domains second.example.com --domains www.second.example.com
    20.03.2019-09:34 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains second.example.com --domains www.second.example.com --webroot-path /usr/local/ispconfig/interface/acme
    You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    20.03.2019-09:34 - DEBUG - Let's Encrypt Cert file:  does not exist.
    20.03.2019-09:34 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web153/.php-fcgi-starter
    20.03.2019-09:34 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/second.example.com.vhost
    20.03.2019-09:34 - DEBUG - Apache status is: running
    20.03.2019-09:34 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    20.03.2019-09:34 - DEBUG - Restarting httpd: systemctl restart apache2.service
    20.03.2019-09:34 - DEBUG - Apache restart return value is: 0
    20.03.2019-09:34 - DEBUG - Apache online status after restart is: running
    20.03.2019-09:34 - DEBUG - Processed datalog_id 2863
    20.03.2019-09:34 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    The first script knows the location of the Let's Encrypt Cert config and the Let's Encrypt Cert file, while the second script prints "Let's Encrypt Cert file:  does not exist."
    This is what I've dug up so far.
    Before execution, the directories /etc/letsencrypt/{archive,live,renew}/{example.com,second.example.com} were clean.
    Maybe I should remove the specific pems from the keys and csr directories as well, but as those files do not contain the site name in their file names, I just can't. Also, letsencrypt.log does not show any errors.
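    The difference between the two server.sh runs above is one line: for the failing site the "Let's Encrypt Cert file:" message carries an empty path, which means ISPConfig could not map the certbot result back to a cert file. The helper below is an added example (not ISPConfig code or anything from the posters) that runs the same comparison over a whole server.sh transcript and reports, per site, the requested domains, the cert path certbot produced, whether SSL got enabled, and the certbot errors that certbot prints to stderr in between (the thread shows certbot's own warnings interleaved in the output this way). The regexes are keyed to the exact DEBUG wording quoted in this thread and may need adjusting for other ISPConfig versions; the sample transcript is constructed from the lines above, with a "choose an account" failure from the earlier post spliced in for a third site.

```python
import re

# Constructed sample modelled on the server.sh output quoted in this thread.
# Lines without the ISPConfig "DEBUG" prefix are certbot's own output.
SAMPLE_LOG = """\
20.03.2019-09:07 - DEBUG - Create Let's Encrypt SSL Cert for: example.com
20.03.2019-09:07 - DEBUG - Let's Encrypt SSL Cert domains:  --domains example.com --domains www.example.com
Obtaining a new certificate
Waiting for verification...
Cleaning up challenges
20.03.2019-09:07 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/example.com.conf.
20.03.2019-09:07 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/example.com/fullchain.pem exists.
20.03.2019-09:07 - DEBUG - Enable SSL for: example.com
20.03.2019-09:34 - DEBUG - Create Let's Encrypt SSL Cert for: second.example.com
20.03.2019-09:34 - DEBUG - Let's Encrypt SSL Cert domains:  --domains second.example.com --domains www.second.example.com
Obtaining a new certificate
20.03.2019-09:34 - DEBUG - Let's Encrypt Cert file:  does not exist.
20.03.2019-09:34 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/second.example.com.vhost
20.03.2019-09:40 - DEBUG - Create Let's Encrypt SSL Cert for: third.example.com
MissingCommandlineFlag: Missing command line flag or config entry for this setting:
Please choose an account
20.03.2019-09:40 - DEBUG - Let's Encrypt Cert file:  does not exist.
"""

# Patterns match the message wording seen in this thread's server.sh output.
CREATE_RE = re.compile(r"Create Let's Encrypt SSL Cert for: (\S+)")
DOMAINS_RE = re.compile(r"Let's Encrypt SSL Cert domains:\s*(.*)")
CERTFILE_RE = re.compile(r"Let's Encrypt Cert file:\s*(\S*)\s+(exists|does not exist)\.")
ENABLE_RE = re.compile(r"Enable SSL for: (\S+)")


def triage(log_text):
    """Return {site: report} for every 'Create Let's Encrypt SSL Cert for' block.

    A report records the --domains certbot was asked for, the cert path ISPConfig
    resolved afterwards (None when the path came back empty), whether the
    'Enable SSL for' step was reached, and any certbot error seen in between."""
    reports = {}
    current = None
    for line in log_text.splitlines():
        m = CREATE_RE.search(line)
        if m:
            current = m.group(1)
            reports[current] = {"domains": [], "cert_file": None,
                                "ssl_enabled": False, "errors": []}
            continue
        if current is None:
            continue  # output before the first site block
        rep = reports[current]
        m = DOMAINS_RE.search(line)
        if m:
            rep["domains"] = re.findall(r"--domains (\S+)", m.group(1))
            continue
        m = CERTFILE_RE.search(line)
        if m:
            rep["cert_file"] = m.group(1) or None
            if not m.group(1):
                rep["errors"].append(
                    "empty cert path: check /etc/letsencrypt/renewal/<site>.conf "
                    "and its [[webroot_map]] entries")
            continue
        if ENABLE_RE.search(line):
            rep["ssl_enabled"] = True
            continue
        if "Please choose an account" in line:
            rep["errors"].append(
                "more than one account under /etc/letsencrypt/accounts; "
                "certbot cannot pick one non-interactively (-n)")
    return reports


def failed_sites(log_text):
    """Sites that logged an error or never reached 'Enable SSL for'."""
    return sorted(site for site, rep in triage(log_text).items()
                  if rep["errors"] or not rep["ssl_enabled"])


if __name__ == "__main__":
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for site, rep in triage(text).items():
        status = "OK" if site not in failed_sites(text) else "FAILED"
        print(f"{status:6} {site}: cert={rep['cert_file']} domains={rep['domains']}")
        for err in rep["errors"]:
            print(f"       - {err}")
```

    Feed it the server.sh output on stdin (`server.sh 2>&1 | python3 triage.py`) after enabling the debug log level as till describes; with no input it runs over the constructed sample.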
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Check if the renewal config file for the second ssl cert in /etc/letsencrypt/renewal/.... contains the second domain name after webroot map in the same way the domains are listed in the first cert renewal file.
     
  12. Z3r0h0ur

    Z3r0h0ur New Member

    Yes, the cert for the second site is missing lines after [[webroot_map]]
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Add them in the same way they exist for the other cert, then enable the Let's Encrypt checkbox again and it should stay active. Certbot seems to miss adding this sometimes on some servers; we were not able to reproduce that on any of our servers yet, but added some code in git-stable which hopefully works around this new issue in certbot.
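    Both manual fixes in this thread, removing a Let's Encrypt account that no renewal config references (till's reply above about the two accounts) and adding the missing domain lines under [[webroot_map]] (this reply), can be checked before anything is deleted or edited. The script below is an added example and not ISPConfig's or certbot's own code. It assumes certbot's layout: renewal files in /etc/letsencrypt/renewal/*.conf, and account directories under /etc/letsencrypt/accounts/<ACME server host>/directory/<account id>/. Because a renewal config lists domains only in [[webroot_map]], the expected domain list is passed in by the caller (the --domains values from the server.sh output are the natural source). The sample config, the account IDs and the function names are constructed for the example.

```python
"""Audit certbot renewal configs for the two problems discussed in this thread."""
import glob
import sys
import urllib.parse
from pathlib import Path

# Constructed sample in certbot's renewal-config format. The empty [[webroot_map]]
# mirrors what was found for second.example.com; the account ID is made up.
SAMPLE_CONF = """\
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/second.example.com
cert = /etc/letsencrypt/live/second.example.com/cert.pem
privkey = /etc/letsencrypt/live/second.example.com/privkey.pem
chain = /etc/letsencrypt/live/second.example.com/chain.pem
fullchain = /etc/letsencrypt/live/second.example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
authenticator = webroot
account = 0123456789abcdef0123456789abcdef
server = https://acme-v02.api.letsencrypt.org/directory
rsa_key_size = 4096
[[webroot_map]]
"""

WEBROOT = "/usr/local/ispconfig/interface/acme"  # ISPConfig's --webroot-path from the log


def parse_renewal_conf(text):
    """Split a renewal config into (top-level, [renewalparams], [[webroot_map]]) dicts."""
    top, params, webroot_map = {}, {}, {}
    section = top
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[webroot_map]]":
            section = webroot_map
            continue
        if line == "[renewalparams]":
            section = params
            continue
        if line.startswith("["):
            section = {}  # unknown section: parse, but keep nothing
            continue
        key, sep, value = line.partition("=")
        if sep:
            section[key.strip()] = value.strip()
    return top, params, webroot_map


def audit(text, expected_domains, webroot_path, accounts_present):
    """Report domains missing from [[webroot_map]], entries with the wrong webroot,
    and whether the referenced account directory exists on this server."""
    _, params, wmap = parse_renewal_conf(text)
    account = params.get("account", "")
    return {
        "account": account,
        "account_ok": account in accounts_present,
        "authenticator": params.get("authenticator"),
        "missing_domains": [d for d in expected_domains if d not in wmap],
        "wrong_webroot": [d for d, p in wmap.items() if p != webroot_path],
    }


def add_webroot_map(text, domains, webroot_path):
    """Return the config with 'domain = webroot' lines appended for missing domains.
    Assumes, as certbot writes these files, that [[webroot_map]] is the last section,
    so appending at the end keeps the entries inside it."""
    _, _, existing = parse_renewal_conf(text)
    if not text.endswith("\n"):
        text += "\n"
    if "[[webroot_map]]" not in text:
        text += "[[webroot_map]]\n"
    for d in domains:
        if d not in existing:
            text += f"{d} = {webroot_path}\n"
    return text


def unused_accounts(conf_texts, accounts_present):
    """Accounts on disk that no renewal config references: these are safe to remove."""
    referenced = {parse_renewal_conf(t)[1].get("account") for t in conf_texts}
    return sorted(set(accounts_present) - referenced)


def accounts_on_disk(server_url, letsencrypt_dir="/etc/letsencrypt"):
    """Account IDs certbot stored for this ACME server (assumed certbot layout):
    <letsencrypt_dir>/accounts/<server host>/<server path>/<account id>/"""
    u = urllib.parse.urlparse(server_url)
    base = Path(letsencrypt_dir) / "accounts" / u.netloc / u.path.strip("/")
    return {p.name for p in base.iterdir() if p.is_dir()} if base.is_dir() else set()


if __name__ == "__main__":
    webroot = sys.argv[1] if len(sys.argv) > 1 else WEBROOT
    confs = {p: Path(p).read_text() for p in sorted(glob.glob("/etc/letsencrypt/renewal/*.conf"))}
    present = set()
    for path, text in confs.items():
        _, params, wmap = parse_renewal_conf(text)
        present |= accounts_on_disk(params.get("server", ""))
        res = audit(text, list(wmap), webroot, present)
        flags = []
        if not wmap:
            flags.append("EMPTY webroot_map")
        if not res["account_ok"]:
            flags.append(f"account {res['account']} not on disk")
        if res["wrong_webroot"]:
            flags.append(f"wrong webroot for {res['wrong_webroot']}")
        print(f"{path}: {len(wmap)} webroot_map entries; {', '.join(flags) or 'ok'}")
    print("accounts not referenced by any renewal config:", unused_accounts(confs.values(), present))
```

    Run as root with the webroot path as an optional argument. A file reported with an empty webroot_map is the case from this thread: apply add_webroot_map with the site's domains and re-tick the Let's Encrypt checkbox. Delete an account directory only when it appears in the unused list; otherwise point the affected renewal configs at the surviving account first, as till says, or their renewals fail.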
     
  14. MarkMarkMark

    MarkMarkMark New Member

    I'm having a similar problem, and sorry (Till & Z3r0h0ur), it appears related, so I'm posting in this thread.
    I am not an expert, so please excuse my inaccuracies. (Also, as I am new to posting, I am barred from posting links until I meet the forum's minimum requirements:
    "For this Forum, before you can create content with links, you must first meet the minimum requirements
    The number of posts you have created must exceed: 2 (Yours: 0)
    The number of Likes you've received must exceed: -1 (Yours: 0)
    The Like:post Ratio must exceed: -1% (Yours: 0%)
    The number of days you have been registered must exceed: -1 (Yours: 0)"
    So links are modified with spaces and with a ! instead of a .)

    My current website setup is from: The Perfect Server - Ubuntu 14.04 (Apache2, PHP, MySQL, PureFTPD, BIND, Dovecot, ISPConfig 3)
    and is working perfectly from the same IP. It is now very old, requires updating and has no SSL.
    During the following, all open ports were redirected to the new internal IP address.

    I followed:

    How to Install Ubuntu 18.04 LTS (Bionic Beaver) Minimal Server
    ht tps://w ww!howtoforge!com/tutorial/ubuntu-lts-minimal-server/

    I installed Ispconfig using: The Perfect Server - Ubuntu 18.04 (Nginx, MySQL, PHP, Postfix, BIND, Dovecot, Pure-FTPD and ISPConfig 3.1)

    I set up user, site, DNS and FTP; all worked and were tested at (virtual server) w ww!whatever!com!au (from physical server w ww!whateverhost!com!au).
    So http worked perfectly.

    I tried ticking the SSL and LetsEncrypt checkboxes and waited for the red light to go away.
    Browsing to ht tps://w ww!whatever!com!au gave an error.
    I checked DNS etc.; the SSL and LetsEncrypt checkboxes for the site were both unchecked. (Tried again 2x.)

    I started again from scratch in case I missed anything.

    This time with Apache (in case Nginx was the problem):
    ht tps://w ww!howtoforge!com/tutorial/perfect-server-ubuntu-18.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

    With the same results as above.

    I started again:
    ht tps://w ww!howtoforge!com/tutorial/perfect-server-ubuntu-18.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/

    This time using - ISPConfig autoinstaller and setup from ht tps://github!com/servisys/ispconfig_setup (to speed things up and reduce potential typing errors)

    With the same results after trying to enable SSL and LetsEncrypt, no SSL site.

    So:

    I updated this installation with ispconfig_update.sh to the Dev version (as I noticed lots of LetsEncrypt changes in GitHub).

    Ticked the SSL checkbox, awaited update
    then ticked LetsEncrypt, awaited update
    This time the SSL box remained ticked but LetsEncrypt checkbox did not.

    The error from Firefox is something like "RX certificate too long/big", and Firefox denies access to the ht tps://w ww.whatever!com!au site; w ww!whatever!com!au worked fine.

    There is a new DNS entry that did not appear before the Dev version update (as far as I can remember):
    CAA w ww!whatever!com!au 0 issue "letsencrypt!org" 3600

    I cannot see any entries being created in the /etc/letsencrypt/live/ directory for any website.
    I assume it's still trying to use my self-generated certificate, which produces this SSL error in Firefox.
    I'm guessing that the SSL entries in the Apache virtual host are not being populated in /etc/apache2/sites-enabled for this website,
    and that the certificates are not being created (or at least not put in the /etc/letsencrypt/live/... directory),
    and also that auto-renewal probably isn't being set up.

    I can manually create these certificates in /etc/letsencrypt/live/ using certbot on the command line, so it's installed and functional.

    I would encourage you to try a new install to replicate the issue (it takes only 30 min from scratch using the script above on a fresh Ubuntu server).


    I notice from Z3r0h0ur's post of 21 Mar that his debug output shows "letsencrypt certonly -n......", but my install is using certbot.

    I will try the debug procedure mentioned above tonight.
    Any ideas so far that would help are welcome.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    @MarkMarkMark See here to find out why the cert was not issued, I posted the link already above:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
    https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    You did not post the ISPConfig debug log, which shows why you did not get an LE cert.

    This breaks the site, so you will not be able to use ISPConfig to manage that site anymore, and you will not be able to use LE with ISPConfig for that domain anymore, so further debugging with that domain is useless on this setup unless you wipe out the site and all remnants of this cert in /etc/letsencrypt.
     
  16. Z3r0h0ur

    Z3r0h0ur New Member

    Adding those missing lines after [[webroot_map]] fixed my problem. I can now manage certs from ISPConfig.
    Waiting for a new update from certbot.
    Thanks a lot, @till! :)
     
  17. Jesse Norell

    Jesse Norell Well-Known Member

    @MarkMarkMark, can you clarify/confirm here - you are running the latest Dev version (git-stable), and the domain was still not added to [[webroot_map]]? There is a fix for that issue in the latest git-stable, but per @till's comment yesterday the dev's were not able to reproduce the issue, so perhaps the fix does not work.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    The fix will not re-add the lines, it just uses additional parameters which will hopefully persuade certbot to add the lines on all systems again, so if the cert was created before the git-stable update was made, then it will have no effect on this cert. So it really matters which version was installed when and when the cert was created the first time.
     
  19. MarkMarkMark

    MarkMarkMark New Member

    Thank you for the suggestions; I will have to leave this thread until I get a new modem and can confirm this. Why?
    It appears that this modem and its custom firmware, set up by my ISP, might be answering on ports 80 and 443 (SSL) on behalf of my network, I guess like a proxy in the way that it forwards ports. (I'm not a techie, so my apologies if I've used the wrong terms.)
    The modem is a HUAWEI Home Gateway HG659.
    I guess this is so they can remotely set up and update firmware for newbies (maybe even access the network!!).

    "Your connection is not secure. The owner of w ww.whatever!com.au has configured their website improperly.
    To protect your information from being stolen, Firefox has not connected to this website. Learn more…
    Report errors like this to help Mozilla identify and block malicious sites. w ww!whatever!com!au uses an invalid security certificate.
    The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. The certificate is only valid for the following names:
    mediarouter.home, mediarouter1.home, mediarouter2.home, mediarouter3.home
    Error code: SEC_ERROR_UNKNOWN_ISSUER"


    I was helped by a post here:
    ht tps://community!tpg!com!au/t5/Modems-and-Devices/How-do-I-upgrade-firmware-on-Huawei-HG659/td-p/7046/page/17

    I will get back to this thread and confirm this later. Again, thank you for your help on what appears to be an issue unrelated to the original thread; my apologies to Till and Z3r0h0ur for polluting this thread. I hope it helps someone else one day.
    Mark.

     
  20. MarkMarkMark

    MarkMarkMark New Member

    Getting back to this thread. (An interesting side note is that the ISP recently fixed this issue on the Huawei modem for someone else in the forums, without a firmware update or any explanation of how or why; magic...)
    Replacing the modem with a Fritz!Box and disabling the media centre got ISPConfig 3 to issue and retain SSL for all 4 websites :)
    On a small note, however: in ISPConfig 3 under System, Server settings, I notice that the server IP address is incorrect (0.0.0.0) and the DNS appears to be set to 8.8.8.8. Should these not have been gathered from
    /etc/netplan/01-netcfg.yaml when I set a static IP,
    as I use 1.1.1.1 and 1.0.0.1 and used them in the minimal server tutorial?
    (I did use the setup script listed above from ht tps://github!com/servisys/ispconfig_setup, but do not see how this would have mattered.)

    MarkMarkMark
     
    Last edited: Apr 6, 2019
