Hi, I've created a site with SSL + Use Letsencrypt without trouble, but now I've created several aliasdomains for that site, and when re-creating the certs I'm receiving this error:
    05.10.2016-13:20 - WARNING - Let's Encrypt SSL Cert for: *obscured*.es could not be issued.
    05.10.2016-13:20 - DEBUG - chmod failed: /var/www/clients/client2/web15/ssl/*obscured*.es.key.old.20161005132026 : 256
All the files in that dir are in the format the debug message says, except the key ones. What do I mean? The dir contains this:
    *obscured*.es.bundle.old.date
    *obscured*.es.crt.old.date
    *obscured*.es.key.olddate
There is NO DOT between "old" and "date" in the keys, but ISPConfig is trying to modify a file with a dot between old and date. Sorry for my poor English.
Check that all the aliasdomains that you added are already active and point to this server in DNS so that you can reach the website. Letsencrypt will check all of them; if one is not reachable, the creation of the whole SSL cert is denied.
Seems I didn't explain well. The problem is not with letsencrypt. The problem is at the time of switching an old certificate to a new one. As I wrote, ISPConfig is trying to chmod the site.key.old.date when the file is site.key.olddate (note the lack of a dot between "old" and "date"). I've checked all aliasdomains and all are pointing correctly to the server. Curiously, I have created several certificates and am now having the error.
Ahh ok, I see. Maybe letsencrypt changed their format; their software is not stable yet and things are handled differently with each version. Please report it to the bugtracker and we will change that.
But I didn't update certbot or anything, and I was able to create certs with ISPConfig. Just FYI, I created the site, enabled SSL with letsencrypt and everything was OK. 10 min later, I created 1 aliasdomain and again, everything worked perfectly. 10 min later I created 6 more aliasdomains and everything stopped working. Now I'm trying to do it for another site (the panel itself), which is isp1.tvt-datos.es (I created the site), and it is not working, but I noticed the --webroot-path is /usr/local/ispconfig/interface/acme for all the domains:
    05.10.2016-16:58 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains televisionvegabaja.es --domains www.televisionvegabaja.es --domains televisionvegabaja.com --domains www.televisionvegabaja.com --domains tvvegabaja.com --domains www.tvvegabaja.com --domains tvvegabaja.es --domains www.tvvegabaja.es --domains vegabaja.tv --domains www.vegabaja.tv --domains vegabajatelevision.com --domains www.vegabajatelevision.com --domains vegabajatelevision.es --domains www.vegabajatelevision.es --domains vegabajatv.es --domains www.vegabajatv.es --domains canalvegabajatv.com --domains www.canalvegabajatv.com --domains canalvegabajatv.es --domains www.canalvegabajatv.es --webroot-path /usr/local/ispconfig/interface/acme
    05.10.2016-17:17 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]-datos.es --domains isp1.tvt-datos.es --webroot-path /usr/local/ispconfig/interface/acme
I've checked all domains/subdomains again. All are pointing to the server. Also, I've created the site isp1.tvt-datos.es, which is the ISPConfig server itself, so I can create a cert for the admin panel. I'm very sure it is correctly pointing to the server (for obvious reasons) and I'm getting the error too.
    05.10.2016-17:28 - DEBUG - Create Let's Encrypt SSL Cert for: isp1.tvt-datos.es
    05.10.2016-17:28 - DEBUG - Let's Encrypt SSL Cert domains: isp1.tvt-datos.es
    05.10.2016-17:28 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]-datos.es --domains isp1.tvt-datos.es --webroot-path /usr/local/ispconfig/interface/acme
    05.10.2016-17:28 - WARNING - Let's Encrypt SSL Cert for: isp1.tvt-datos.es could not be issued.
Is there any way to see what exact error Let's Encrypt is giving? Also, knowing the exact error for the other domain/aliasdomain will give me more info on how to solve it.
Ok, the error is:
    2016-10-05 18:03:24,274:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2016-10-05 18:03:24,274:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
That is not an error, that is one INFO and one DEBUG message. The referenced directory is not (supposed to be) empty, and that is ok. There are limits to how many times you can request a certificate for a domain and I think for a server/IP addr; you wouldn't be hitting those, would you? There's probably some other error to be found in the log. A somewhat humorous mistake in the title there. Should be 'Lets Encrypt Error FAQ'.
I liked the Lets FAQ, but ok.... The error is:
    2016-10-06 06:43:08,156:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:
    Domain: isp1.tvt-datos.es
    Type: unauthorized
    Detail: Invalid response from http://isp1.tvt-datos.es/.well-known/acme-challenge/*obscured*: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> <html><head> <title>404 Not Found</title> </head><body> <h1>Not Found</h1> <p"
But again, I've tested it and the DNS is correct. You can check it at http://isp1.tvt-datos.es . You will see a modified ISPConfig default index.html. I can send you the full letsencrypt.log if you want.
Also, if /usr/local/ispconfig/interface/acme/.well-known/acme-challenge is the webroot for the certs, how is it publicly available for letsencrypt to check the auth file? I've checked the virtualhost file, symlinks, etc. and it seems that directory is never publicly available, so how can letsencrypt access that file?
Hi all, I get this error:
    Domain: www.xxx.xx
    Type: unauthorized
    Detail: Invalid response from http://www.xxx.xx/.well-known/acme-challenge/BWMODZrBS9SW7mdQiDU2fddn_5eEXwzrITFMJIqGC6o: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2016-10-05 18:15:04,587:INFO:certbot.auth_handler:Cleaning up challenges
    2016-10-05 18:15:04,587:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/U3XIuBjTbMWkLSP9d9vJnBkHL6DELEaZkS6BrZ0gUKU
    2016-10-05 18:15:04,587:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/BWMODZrBS9SW7mdQiDU2fddn_5eEXwzrITFMJIqGC6o
    2016-10-05 18:15:04,588:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2016-10-05 18:15:04,588:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    2016-10-05 18:15:04,593:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
        return config.func(config, plugins)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 94, in _auth_from_domains
        lineage = le_client.obtain_and_enroll_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
        certr, chain, key, _ = self.obtain_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
        self.config.allow_subset_of_names)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
        self._respond(resp, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 131, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 195, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. xxx.xx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://xxx.xx/.well-known/acme-challenge/U3XIuBjTbMWkLSP9d9vJnBkHL6DELEaZkS6BrZ0gUKU: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht", www.xxx.xx (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.xxx.xx/.well-known/acme-challenge/BWMODZrBS9SW7mdQiDU2fddn_5eEXwzrITFMJIqGC6o: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
Not one domain works on that server. Thanks
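The certbot logs quoted in this thread mix harmless INFO/DEBUG cleanup messages with the per-domain ACME failures that actually block issuance. The parser below is an added example, not code from any poster, ISPConfig or certbot; the function name acme_failures and the sample domains and tokens are made up, and the sample log is constructed in the format of the lines quoted above.

```python
import re

# Constructed sample in the format of the certbot log lines quoted in this thread
# (domains and tokens are placeholders, not values from the thread).
SAMPLE_LOG = '''\
2016-10-05 18:15:04,588:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2016-10-05 18:15:04,588:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
FailedChallenges: Failed authorization procedure. example.test (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.test/.well-known/acme-challenge/TOKEN-A: "<!DOCTYPE html PUBLIC <ht", www.example.test (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.example.test/.well-known/acme-challenge/TOKEN-B: "<html><head> <title>404 Not Found</title>"
'''

# One entry per "<domain> (<challenge>): urn:acme:error:<type> :: <summary> :: <detail>"
FAILURE = re.compile(
    r'(?P<domain>[\w.-]+) \((?P<challenge>[\w-]+)\): urn:acme:error:(?P<type>\w+)'
    r' :: (?P<summary>.*?) :: (?P<detail>.*?)'
    r'(?=, [\w.-]+ \([\w-]+\): urn:acme:error:|$)', re.S)
URL = re.compile(r'Invalid response from (?P<url>\S+?): "(?P<body>.*)', re.S)

def acme_failures(log_text):
    """Return one dict per domain whose challenge the CA rejected.

    INFO/DEBUG cleanup lines never match, so only real failures are reported.
    """
    failures = []
    for match in FAILURE.finditer(log_text):
        item = match.groupdict()
        fetched = URL.search(item['detail'])
        item['url'] = fetched.group('url') if fetched else None
        body = fetched.group('body') if fetched else ''
        # An HTML body means a web server answered, but not with the token file.
        item['got_html'] = bool(re.search(r'<(!doctype|html)', body, re.I))
        item['got_404'] = '404 Not Found' in body
        failures.append(item)
    return failures

if __name__ == '__main__':
    for f in acme_failures(SAMPLE_LOG):
        print(f['domain'], f['challenge'], f['type'], f['url'],
              'html' if f['got_html'] else 'non-html',
              '404' if f['got_404'] else '')
```
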
Then you might have checked the wrong files. The website vhost of each site contains a redirect which makes this folder available in that site and there is also some config in the ispconfig apache configuration files.
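Whether each vhost really exposes the shared webroot under /.well-known/acme-challenge/ can be checked before asking Let's Encrypt again, which also avoids burning request limits on a run that one bad aliasdomain will fail. The script below is an added example, not part of ISPConfig or certbot; the names preflight and http_get are hypothetical, and it assumes it runs on the server with write access to the webroot passed as the first argument.

```python
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = '.well-known/acme-challenge'

def http_get(url, timeout=10):
    """Plain HTTP GET returning (status, body); HTTP errors are returned, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(512).decode('utf-8', 'replace')
    except urllib.error.HTTPError as err:
        return err.code, err.read(512).decode('utf-8', 'replace')
    except (urllib.error.URLError, OSError) as err:
        return None, str(err)

def preflight(webroot, domains, fetch=http_get):
    """Write a throwaway probe file under webroot and fetch it through every domain."""
    name = 'preflight-' + secrets.token_hex(8)
    content = secrets.token_hex(16)
    directory = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, name)
    with open(path, 'w') as handle:
        handle.write(content)
    results = {}
    try:
        for domain in domains:
            status, body = fetch('http://%s/%s/%s' % (domain, CHALLENGE_DIR, name))
            if status == 200 and body.strip() == content:
                results[domain] = 'ok'
            elif status is None:
                results[domain] = 'unreachable: ' + body
            else:
                # Some server answered, but not with the probe file (e.g. a 404 page).
                results[domain] = 'wrong response (HTTP %s)' % status
    finally:
        os.remove(path)  # never leave the probe behind
    return results

if __name__ == '__main__':
    import sys
    # usage: script.py <webroot> <domain> [<domain> ...]
    for dom, outcome in preflight(sys.argv[1], sys.argv[2:]).items():
        print(dom, outcome)
```

Any domain that does not report ok would fail the http-01 challenge for the same reason, so fix its vhost or DNS before requesting the certificate.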