Trouble installing certbot for letsencrypt

Discussion in 'Installation/Configuration' started by Ovidiu, Oct 29, 2016.

  1. Ovidiu

    Ovidiu Active Member

    According to the manual I ran:

    and after the installation I got:
    So this obviously differs from the manual, what now? BTW, I am not using Apache2 but nginx with the latest Debian 8 according to a perfect server setup.
     
  2. Ovidiu

    Ovidiu Active Member

    Just checking the letsencrypt box in ISPCFG3 only ends up in an email:

    Subject: 29.10.2016-12:43 - WARNING - Let's Encrypt SSL Cer...
    29.10.2016-12:43 - WARNING - Let's Encrypt SSL Cert for: domain.tld could not be issued.

    checking the logs I see:
    Code:
    2016-10-29 11:43:02,063:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    
    2016-10-29 11:43:02,063:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'en_GB.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
    
    lots of cryptic text
    
    2016-10-29 11:43:03,762:DEBUG:certbot.reporter:Reporting to user: Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates
    
    Domain: www.domain.tld
    Type:   unauthorized
    Detail: Invalid response from http://www.domain.tld/.well-known/acme-challenge/cjCWGZSa7ibipS1AzAEcEfPXgjfqutjOYN7VaI9Efs: "<html>
    The last error led me to check DNS, and I had forgotten this domain was protected by CloudFlare, so I removed CloudFlare from the equation, but nginx is still giving a 403 forbidden error.
     
  3. Ovidiu

    Ovidiu Active Member

    nginx logs were showing:

    Code:
    access forbidden by rule
    So I figured out that I had modified /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master based on a copy of /usr/local/ispconfig/server/conf/nginx_vhost.conf.master, but meanwhile a change had happened in the original and
    Code:
            ## Disable .htaccess and other hidden files
            location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
            }
    had been replaced by
    Code:
            ## Disable .htaccess and other hidden files
            location ~ /\.(?!well-known/acme-challenge/) {
                deny all;
                access_log off;
                log_not_found off;
            }
    So now I am one step further: nginx properly forwards the request, but it is caught by WordPress, reporting "page not found", so letsencrypt now says:
    Code:
    <html "
    FailedChallenges: Failed authorization procedure. www.die-kellerkinder.eu (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.tld/.well-known/acme-challenge/JWpwXwnoB2UasdfZStzaN4gWLQi4Ni8h4ro3V6hI0OE
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that you do not override or redirect requests for letsencrypt in your custom WordPress directives.
     
  5. Ovidiu

    Ovidiu Active Member

    These are the 2 custom nginx directives; do you see any problems here?
    Code:
    location / {
        try_files $uri $uri/ /index.html /index.php?$args;
    }
    
    location ~* \.(jpg|jpeg|png|gif|ico|pdf|woff|css|js)$ {
        expires 7d;
        add_header Cache-Control public;
    }
    here is the full vhost file on pastebin: http://pastebin.com/b42G6DDX
     
  6. Ovidiu

    Ovidiu Active Member

    Also, I am still having the initial problem with certbot-auto: "Failed to find apache2ctl in PATH".
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    apache2ctl is not needed, as ISPConfig does not use any of the certbot auto-config features.

    Regarding the nginx config, most likely the location / catches the ACME request and forwards it to WordPress; you can e.g. try to add an exclude with an if statement.
     
  8. Ovidiu

    Ovidiu Active Member

    I will try and figure out an exclude statement. Do you by any chance have a default location snippet for / that is known to work? I could test it and see if that one also works with WordPress.

    Not sure what to say about apache2ctl; I did exactly the following according to: https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt

    Code:
    [email protected]:/opt/certbot# ls -al
    total 52
    drwxr-xr-x 2 root root  4096 Oct 29 13:37 .
    drwxr-xr-x 4 root root  4096 Oct 29 13:36 ..
    -rwxr-xr-x 1 root root 44442 Oct 15 19:15 certbot-auto
    ./certbot-auto
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Failed to find apache2ctl in PATH:
    /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
     
  9. Ovidiu

    Ovidiu Active Member

    I was wondering why the manual says to manually download and install certbot which then in turn complains about it being old when the certbot website: https://certbot.eff.org/#debianjessie-nginx itself suggests:
    Code:
    sudo apt-get install certbot -t jessie-backports
    Code:
    2016-10-29 11:43:02,063:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2016-11-01 14:57:07,177:DEBUG:certbot.main:certbot version: 0.9.3
    Also, I am not making much progress. I found a hint that I would need this specific location, which I added to my test site, and which now leads to an nginx 404 error. If I go to /var/www/domain.tld/web/ I cannot find any .well-known directory or symlink; how is this supposed to work?
    Code:
    location ~ /.well-known {
    
    }
     
  10. Ovidiu

    Ovidiu Active Member

    Seems like my /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master was heavily outdated. I have now copied the current /usr/local/ispconfig/server/conf/nginx_vhost.conf.master and added my edits to it.

    The missing part was:
    Code:
    location ~ /\.well-known/acme-challenge/ {
        root /usr/local/ispconfig/interface/acme/;
        index index.html index.htm;
        try_files $uri =404;
    }
    The Let's Encrypt certificate is installed and working.
    Code:
    2016-11-01 15:38:10,253:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.tld/fullchain.pem. Your cert will expire on 2017-01-30. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"
    The update does not work, BTW; looks like letsencrypt is missing!?
    Code:
    letsencrypt-auto renew
    letsencrypt-auto: command not found
    Still, my questions above stand.
     
    Last edited: Nov 1, 2016
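    The thread's three stages (old hidden-file rule giving 403, lookahead rule letting WordPress answer 404, and the acme-challenge location finally serving the token) come down to which nginx location block wins for the challenge URI. The following is an added example, not code from the thread or from ISPConfig: a simplified Python model of nginx's location selection (longest prefix, then regex locations in configuration order) run over the location rules quoted above, with constructed effect labels and a constructed token.

```python
import re

# Location rules reduced to (modifier, pattern, effect). The patterns are the
# ones quoted in this thread; the effect strings are constructed labels.
OLD_HIDDEN = ("~", r"/\.", "403: denied by hidden-file rule")
NEW_HIDDEN = ("~", r"/\.(?!well-known/acme-challenge/)", "403: denied by hidden-file rule")
ACME = ("~", r"/\.well-known/acme-challenge/", "served from /usr/local/ispconfig/interface/acme/")
STATIC = ("~*", r"\.(jpg|jpeg|png|gif|ico|pdf|woff|css|js)$", "static file, expires 7d")
ROOT = ("", "/", "try_files -> WordPress index.php (WordPress 404)")

# Three stages of the vhost as the thread progressed (constructed orderings).
OUTDATED_VHOST = [ROOT, STATIC, OLD_HIDDEN]      # post 3: 403 forbidden
LOOKAHEAD_ONLY = [ROOT, STATIC, NEW_HIDDEN]      # posts 3-5: WordPress page not found
FIXED_VHOST = [ROOT, STATIC, NEW_HIDDEN, ACME]   # post 10: token served


def pick_location(locations, uri):
    """Simplified nginx selection: remember the longest matching prefix
    location, then test regex locations in config order and return the
    first match; fall back to the prefix match. '=' and '^~' modifiers do
    not appear in this vhost, so they are not modelled."""
    prefix_hit = None
    for mod, pat, effect in locations:
        if mod == "" and uri.startswith(pat):
            if prefix_hit is None or len(pat) > len(prefix_hit[0]):
                prefix_hit = (pat, effect)
    for mod, pat, effect in locations:
        if mod in ("~", "~*"):
            flags = re.IGNORECASE if mod == "~*" else 0
            if re.search(pat, uri, flags):  # nginx regex locations are unanchored
                return effect
    return prefix_hit[1] if prefix_hit else "no matching location"


CHALLENGE = "/.well-known/acme-challenge/EXAMPLE_TOKEN"  # constructed token path
HTACCESS = "/.htaccess"                                  # must stay blocked in every stage

if __name__ == "__main__":
    stages = [("outdated", OUTDATED_VHOST), ("lookahead only", LOOKAHEAD_ONLY), ("fixed", FIXED_VHOST)]
    for name, vhost in stages:
        print(f"{name:15s} {CHALLENGE} -> {pick_location(vhost, CHALLENGE)}")
        print(f"{name:15s} {HTACCESS} -> {pick_location(vhost, HTACCESS)}")
```

    The lookahead alone only stops the 403; without a location that points the challenge path at the ACME webroot, the request still falls through to the prefix location and WordPress answers it.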
