ispconfig 3.1 letsencrypt second domain breaks apache config

Discussion in 'ISPConfig 3 Priority Support' started by sumawelt, Aug 22, 2016.

  1. sumawelt

    sumawelt New Member

    Hi,
I have installed a brand-new server with the tutorial for ispconfig 3.1 at https://www.howtoforge.com/tutorial...8-4-jessie-apache-bind-dovecot-ispconfig-3-1/. I set up my first site using ssl with letsencrypt (install Joomla, enable ssl and letsencrypt, select "create certificate" in the ssl-tab) and everything went fine. Then I set up a second site the same way, but then I wasn't able to access my server at all via browser. Checking via ssh, I found that I had a 100-domain.tld.vhost.err. So I deactivated the domain in question (it was the second domain I set up) and I was able to access my ispconfig again, but the ssl-configuration of the domain I set up first was completely empty and its ssl-configuration didn't seem to work anymore.
    So I tried to set it up again the way I did it the first time, but no joy: whenever I try to set up ssl with letsencrypt for either one of my domains, my apache refuses to start.
    Is there anything I'm missing?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Which exact error message do you get when you restart apache?
     
  3. sumawelt

    sumawelt New Member

    When I restart apache, nothing happens, but the log shows lots of stuff like this:
    Code:
    [ 2016-08-22 13:10:29.3710 27920/7f8a5ffcb780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.27907/generation-0/logging
    [ 2016-08-22 13:10:29.3711 27909/7fb5cead7740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
    [Mon Aug 22 13:10:29.371942 2016] [ssl:warn] [pid 27907] AH01906: zaphod.xxxxxxxxxxxxxxx.de:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Mon Aug 22 13:10:29.372050 2016] [ssl:error] [pid 27907] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=zaphod.xxxxxxxxxxxxxxx.de,OU=IT,O=xxxxxxxxxxxxxxx,L=Muenchen,ST=BY,C=DE / issuer: CN=zaphod.xxxxxxxxxxxxxxx.de,OU=IT,O=xxxxxxxxxxxxxxx,L=Muenchen,ST=BY,C=DE / serial: F385644A7FA362FD / notbefore: Aug 17 11:21:55 2016 GMT / notafter: Aug 15 11:21:55 2026 GMT]
    [Mon Aug 22 13:10:29.372055 2016] [ssl:error] [pid 27907] AH02567: Unable to configure certificate zaphod.xxxxxxxxxxxxxxx.de:8080:0 for stapling
    [Mon Aug 22 13:10:29.372178 2016] [suexec:notice] [pid 27907] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Mon Aug 22 13:10:29.412038 2016] [auth_digest:notice] [pid 27929] AH01757: generating secret for digest authentication ...
    [Mon Aug 22 13:10:29.415188 2016] [:notice] [pid 27933] FastCGI: process manager initialized (pid 27933)
    [ 2016-08-22 13:10:29.4177 27935/7f7547344740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => 'nobody', 'log_level' => '0', 'max_pool_size' => '6', 'passenger_root' => '/usr/lib/ruby/vendor_ruby/phusion_passenger/locations.ini', 'passenger_version' => '4.0.53', 'pool_idle_time' => '300', 'temp_dir' => '/tmp', 'union_station_gateway_address' => 'gateway.unionstationapp.com', 'union_station_gateway_port' => '443', 'user_switching' => 'true', 'web_server_passenger_version' => '4.0.53', 'web_server_pid' => '27929', 'web_server_type' => 'apache', 'web_server_worker_gid' => '33', 'web_server_worker_uid' => '33' }
    [ 2016-08-22 13:10:29.4219 27938/7f9038046740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.27929/generation-0/request
    [ 2016-08-22 13:10:29.4319 27946/7fa9f7b2a780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.27929/generation-0/logging
    [ 2016-08-22 13:10:29.4321 27935/7f7547344740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
    [Mon Aug 22 13:10:29.477636 2016] [:error] [pid 27929] python_init: Python version mismatch, expected '2.7.5+', found '2.7.9'.
    [Mon Aug 22 13:10:29.477763 2016] [:error] [pid 27929] python_init: Python executable found '/usr/bin/python'.
    [Mon Aug 22 13:10:29.477769 2016] [:error] [pid 27929] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Mon Aug 22 13:10:29.477805 2016] [:notice] [pid 27929] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Mon Aug 22 13:10:29.477810 2016] [:notice] [pid 27929] mod_python: using mutex_directory /tmp
    [Mon Aug 22 13:10:29.489993 2016] [ssl:warn] [pid 27929] AH01906: zaphod.xxxxxxxxxxxxxxx.de:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Mon Aug 22 13:10:29.490067 2016] [ssl:error] [pid 27929] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=zaphod.xxxxxxxxxxxxxxx.de,OU=IT,O=xxxxxxxxxxxxxxx,L=Muenchen,ST=BY,C=DE / issuer: CN=zaphod.xxxxxxxxxxxxxxx.de,OU=IT,O=xxxxxxxxxxxxxxx,L=Muenchen,ST=BY,C=DE / serial: F385644A7FA362FD / notbefore: Aug 17 11:21:55 2016 GMT / notafter: Aug 15 11:21:55 2026 GMT]
    [Mon Aug 22 13:10:29.490071 2016] [ssl:error] [pid 27929] AH02567: Unable to configure certificate zaphod.xxxxxxxxxxxxxxx.de:8080:0 for stapling
    [Mon Aug 22 13:10:29.497828 2016] [mpm_prefork:notice] [pid 27929] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 mod_python/3.3.1 Python/2.7.9 OpenSSL/1.0.1t configured -- resuming normal operations
    [Mon Aug 22 13:10:29.497854 2016] [core:notice] [pid 27929] AH00094: Command line: '/usr/sbin/apache2'
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The most likely reasons for failures when issuing letsencrypt ssl certificates are wrong or missing dns records for subdomains (all subdomains of a website must exist in dns), and problems can also occur when you redirect a domain, e.g. by htaccess, in a way that letsencrypt is not able to find its token anymore.

    You can use the ispconfig debug mode to see detailed error messages:

    http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
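Added example (not ISPConfig's, certbot's or the forum poster's code): a small Python pre-flight script for the two failure causes named in the reply above. It checks that every hostname that will go on the certificate resolves, and that the HTTP-01 challenge path `/.well-known/acme-challenge/` on each host is reachable over plain HTTP without being redirected away by a rewrite or forced-HTTPS rule. The hostnames, the `www` default subdomain list and the probe token name are assumptions for illustration; the resolver and fetcher are injectable so the logic can be exercised against constructed data without network access.

```python
"""Pre-flight checks before requesting a Let's Encrypt (HTTP-01) certificate for a site.

Added example, not ISPConfig or certbot code. It checks the two causes named in
the forum reply: hostnames missing from DNS, and a redirect that would move the
ACME validator away from the challenge path before it can fetch the token.
"""
import socket
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def default_resolve(hostname):
    """Return the set of addresses the system resolver gives for a hostname (empty if none)."""
    try:
        infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: we want to see the 3xx the validator would get."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError with the 3xx status


def default_fetch(url):
    """GET a URL without following redirects; return (status, Location header or None)."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location")


def missing_dns(hostnames, resolve=default_resolve):
    """Hostnames that do not resolve at all (first failure cause from the reply)."""
    return [h for h in hostnames if not resolve(h)]


def challenge_problems(hostnames, token="preflight-probe", fetch=default_fetch):
    """Hostnames whose challenge path is redirected or answered unexpectedly.

    A 404 is fine: the token does not exist yet, but the request reached the
    webroot without being rewritten.  Any 3xx means an .htaccess rewrite or a
    forced-HTTPS redirect would send the validator somewhere else.
    """
    problems = {}
    for host in hostnames:
        url = "http://%s%s%s" % (host, CHALLENGE_PREFIX, token)
        status, location = fetch(url)
        if 300 <= status < 400:
            problems[host] = "redirected to %s" % location
        elif status not in (200, 404):
            problems[host] = "unexpected HTTP %d" % status
    return problems


def preflight(domain, subdomains=("www",), resolve=default_resolve, fetch=default_fetch):
    """Run both checks for a domain and its subdomains; an empty dict means go ahead."""
    names = [domain] + ["%s.%s" % (sub, domain) for sub in subdomains]
    findings = {h: "no DNS record" for h in missing_dns(names, resolve)}
    reachable = [h for h in names if h not in findings]
    findings.update(challenge_problems(reachable, fetch=fetch))
    return findings


if __name__ == "__main__":
    import sys
    # "example.org" is a placeholder; pass the real site name as the first argument.
    site = sys.argv[1] if len(sys.argv) > 1 else "example.org"
    for host, reason in sorted(preflight(site).items()):
        print("%s: %s" % (host, reason))
```

Run it against the site name before ticking "create certificate"; every line it prints is a hostname that certbot's validator would fail on, either because the name is absent from DNS or because the challenge URL is redirected (a `301` to `https://...` from an `.htaccess` rewrite is the typical case). Fix those first, then let ISPConfig request the certificate, and use the debug mode linked above if it still fails.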
     
  5. sumawelt

    sumawelt New Member

    Thanks Till. After lots of trying (without success :confused:) I reset the server to a snapshot I took before I put any content onto the machine, and it's working now. Haven't tried it yet with a second domain though. Lucky me that I only had two small sites on this server for testing. When creating my letsencrypt certificate I noticed this debug output:
    Code:
    2016-08-23 23:50:22,050:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Doing an "aptitude search certbot" gives me:
    Code:
    p   certbot                                          - automatically configure HTTPS using Let's Encrypt
    p   python-certbot                                   - main library for certbot
    p   python-certbot-apache                            - Apache plugin for Certbot
    p   python-certbot-apache-doc                        - Apache plugin documentation for Certbot
    p   python-certbot-doc                               - client documentation for certbot
    
    Is there a way someone could use this version of certbot? It would then be kept up-to-date whenever I update my server. If there is a way, how would I do this?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's just a warning and does not mean that certbot is not up to date or that it is not working correctly; you can ignore that. Certbot provides two interfaces, and it warns when the letsencrypt compatibility interface is used.

    Probably you can use the certbot package of the OS as well, but I guess it will give you the same warning, as the problem is not that certbot is not up to date: they decided to always warn when the compatibility interface is used, even with the latest updated versions. ISPConfig dropped the use of the compatibility interface already, so you probably don't use the latest 3.1dev version on this server.
     
  7. sumawelt

    sumawelt New Member

    OK, then I'll leave certbot alone :).
    ISPConfig just tells me it's 3.1 dev. Can I update it using the normal update process by running ispconfig_update.sh?
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes. Just use "git-stable" as source when the updater asks.
     