SSL Fall Back To Self-Signed Cert on ISPConfig Update to 3.2.4 (Debian 9)

Discussion in 'Installation/Configuration' started by bluethunder82, Apr 20, 2021.

  1. bluethunder82

    bluethunder82 Member

    Hi,
    I'm hoping I'm missing something obvious as I've tried to follow various threads and used the FAQs on this forum.
    Background
    - Running Debian 9 on a VPS.
    - System was upgraded from ISPConfig 3.1.15 to 3.2.3 (now 3.2.4 no change).
    - Found the certbot was installed from ISPCofnig 3.1x. The only cert ever created was for the rspamd procedure when converting from spamassassin to rspamd.

    I upgraded a few weeks ago to 3.2.3 and then again from 3.2.4. In the past I had left the self-signed cert for the main panel and dovecot/postfix. With the release of 3.2.x I was looking forward to moving to the LetsEncrypt cert for the panel and the server services. When performing the upgrade I received the following message:
    Code:
    Checking / creating certificate for server1.example.com
    Using certificate path /etc/letsencrypt/live/server1.example.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for server1.example.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. server1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://server1.example.com/.well-known/acme-challenge/DeVI4dWWqO6dN4SOT_9h6J_PoDytVLuyxFojKmk5Gys: Connection refused
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus
    Troubleshooting
    - I have run the updated with the --force command - no change
    - I have confirmed the folder acme-challenge is accessible but adding a quick test text file
    - Confirmed acme.sh wasn't installed using apt.
    - /etc/letsencrypt exists and does contain the rspamd domain spammer.example.com (this still works when checking the certificate out in a browser)
    - I disabled the LetsEncrypt SSL option for the rspamd site and then tried the installation again. No change for error message.
    - Checked the version of the manual I have but nothing to help with this issue.
    - server1 does have a valid DNS entry

    Hoping someone can think of some suggestions I can try. Using the self-signed is fine for now as I haven't lost any functionality but the idea of using LetEncrypt will be nice for helping family get their email addresses setup on iOS devices and their way of handling self-signed certs. From my notes I haven't done any other customization to the server. I'm hoping to keep this version going until Debian 11 is released and then move the server to that but that isn't for a while.

    Thanks in advance.
    Jason
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Maybe a firewall or dns issue? Troubleshoot by connecting to your server's hostname on port 80 from an external source, and once you can make the connection, try again.
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  4. atnetws

    atnetws New Member

    Hi Folks,
    I can confirm the exact same behaviour. LetsEncrypt tries to connect to my machine but gets a "connection refused".
    As far as I could narrow down, the installation script stops or restarts (?) the apache service during the certificate retrieval.
    I also created the abovementioned test.txt file and can fetch it right before answering "Create new ISPConfig SSL certificate". As soon as the installer tries to obtain it, apache shuts down. This results in a "connection refused".

    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for my.hostname.de
    Using certificate path /etc/letsencrypt/live/my.hostname.de
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for my.hostname.de
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain my.hostname.de
    http-01 challenge for my.hostname.de
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    
    letsencrypt.log:
    Code:
    Detail: Fetching http://my.server.de/.well-known/acme-challenge/iCSkjq13AffUa6mxRYr164AJQQdjp9a3qgUusA8u4KA: Connection refused
    
    This is a mail server. There used to be a single default site that I used to retrieve the LE Certs before V3.2. All sites are deactivated, only the apache2 default site remains.
    All relevant ports are open, it's not a dns or firewall issue. Any ideas?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Do a force update and reconfigure services, then do another force update and try getting a new cert.
     
  6. atnetws

    atnetws New Member

    Hi again,
    as far as I can tell, the installer creates a faulty apps.vhost:
    Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig apps vhost
    ######################################################
    
     Listen
    # NameVirtualHost *:
    
    <VirtualHost _default_:>
      ServerAdmin [email protected]
    
    The Listen directive is missing its arguments.
    Apache Log:
    Code:
    Apr 20 16:51:21 xxx apachectl[8700]: AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/000-apps.vhost:
    Apr 20 16:51:21 xxx apachectl[8700]: Listen requires 1 or 2 arguments.
    Apr 20 16:51:21 xxx apachectl[8700]: Action 'start' failed.
    Apr 20 16:51:21 xxx apachectl[8700]: The Apache error log may have more information.
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you set the port in the panel? (default 8081) for the apps vhost? Are you using a conf-custom template?
     
  8. atnetws

    atnetws New Member

    I was able to solve it.
    If ISPConfig's web interface used a self signed certificate before, its path (/usr/local/ispconfig/interface/ssl/ispserver.crt) is set in apps.vhost and ispconfig.vhost.
    Maybe the installer deletes / renames the old certs before trying to obtain the new ones? This could be the reason for these log lines:

    Code:
    Apr 20 17:08:22 xxxx apachectl[11869]: AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/000-apps.vhost:
    Apr 20 17:08:22 xxxx apachectl[11869]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Apr 20 17:08:22 xxxx apachectl[11869]: Action 'stop' failed.
    
    
    ----
    
    
    Apr 20 17:13:09 xxxx apachectl[12907]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-apps.vhost:9
    Apr 20 17:13:09 xxxx apachectl[12907]: AH00526: Syntax error on line 65 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    Apr 20 17:13:09 xxxx apachectl[12907]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Apr 20 17:13:09 xxxx apachectl[12907]: Action 'stop' failed.
    
    ----
    
    
    So the temporary solution was to comment out the SSL config in both VHosts before launching the installer:

    Code:
    # SSL Configuration
    #  SSLEngine On
    #    SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    #    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    #  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    #  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    ...
    ...
    After restarting apache, the certificate was fetched correctly.

    Cheers,
    Marcus
     
    bluethunder82 likes this.
  9. atnetws

    atnetws New Member

    I did that several times, even tried combinations of reconfiguring / not reconfiguring the services. Didn't solve it, unfortunately.
     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, I think this confirms https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6121 and I have scheduled it to be fixed in 3.2.5.
     
    bluethunder82 and atnetws like this.
  11. atnetws

    atnetws New Member

    Yes, the port was set to 8081 in apps vhost settings.

    No custom configs on this machine:
    Code:
    :/usr/local/ispconfig/server/conf-custom# find
    .
    ./empty.dir
    ./error
    ./error/empty.dir
    ./mail
    ./mail/empty.dir
    ./index
    ./index/empty.dir
    ./install
    ./install/empty.dir
    
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, thanks. I hope it will be fixed in 3.2.5.
     
  13. bluethunder82

    bluethunder82 Member

    Hi atnetws - Thanks for backing up my issue. I'm now up and running with the correct LetsEncrypt cert.
    Thom - I used the issue link you posted to solve. Changed the file from rename to copy, ran update, changed back installer and ran update again.

    Thanks for seeing the discussion everyone glad to see ISPConfig continue to develop.

    From what I can tell it is working. I look forward to your permanent fix for those with the same issue.
     
    Th0m likes this.

Share This Page