Let's Encrypt fails to issue a certificate for my domains. I upgraded to 3.1 from 3.0.5.4p9 and selected "reconfigure services" when I upgraded. I did have Let's Encrypt working on the previous install for one of my domains, but can't seem to get it working now. I've included my debug log from ISPConfig, as well as my log from Let's Encrypt. My domains as well as the www subdomain both have correct DNS records, and the sites display properly when visiting them in the browser. Note that my actual domain has been replaced with domain.com in these logs.

ISPConfig Debug:
Code:
10.10.2016-03:54 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
10.10.2016-03:54 - DEBUG - Found 1 changes, starting update process.
10.10.2016-03:54 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
10.10.2016-03:54 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
10.10.2016-03:54 - DEBUG - exec: usermod --groups sshusers web1 2>/dev/null
10.10.2016-03:54 - WARNING - Wildcard domains not yet supported by letsencrypt, so changing *.domain.com to domain.com
10.10.2016-03:54 - DEBUG - Create Let's Encrypt SSL Cert for: domain.com
10.10.2016-03:54 - DEBUG - Let's Encrypt SSL Cert domains: domain.com --domains www.domain.com
10.10.2016-03:54 - DEBUG - exec: /usr/local/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains domain.com --domains www.domain.com --webroot-path /usr/local/ispconfig/interface/acme
Failed authorization procedure.
domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.com/.well-known/acme-challenge/JiTIifm9rpiLFQDZWBw7JzHmV30apJ_BXMgwLGti_GA: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht",
www.domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.domain.com/.well-known/acme-challenge/AJ0vfcnDcpsHkCIY_rRqAczo3FR-VlFzmdtJuiZSW2c: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
10.10.2016-03:54 - WARNING - Let's Encrypt SSL Cert for: domain.com could not be issued.
10.10.2016-03:54 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domain.com.vhost
10.10.2016-03:54 - DEBUG - Writing the PHP-FPM config file: /etc/php5/fpm/pool.d/web1.conf
10.10.2016-03:54 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
10.10.2016-03:54 - DEBUG - Restarting php-fpm: systemctl reload php5-fpm.service
10.10.2016-03:54 - DEBUG - Apache status is: running
10.10.2016-03:54 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
10.10.2016-03:54 - DEBUG - Restarting httpd: systemctl restart apache2.service
10.10.2016-03:54 - DEBUG - Apache restart return value is: 0
10.10.2016-03:54 - DEBUG - Apache online status after restart is: running
10.10.2016-03:54 - DEBUG - Processed datalog_id 3061
10.10.2016-03:54 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished.

Let's Encrypt Log: http://pastebin.com/fSq6xqcx

I'm a bit stumped as to what could be causing this. Any ideas?
Do you have this config in /etc/apache2/sites-enabled/000-ispconfig.conf:
Code:
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
</Directory>
If so, check the vhost config for the file; maybe it does a redirect (http->https type thing) without an exception for that acme-challenge location?
I checked the 000-ispconfig.conf file for that, and it's in there. There's no http -> https redirect for the domain I'm trying to add. There is, however, an auto subdomain of www which redirects domain.com -> www.domain.com. If I try to go to http://www.domain.com/.well-known/acme-challenge/ it should work, right? It's giving me a 503 error.
The request should work; on my server I get a 403 (not 503) error because directory indexing is turned off by default:
Code:
Forbidden
You don't have permission to access /.well-known/acme-challenge/ on this server.
Apache/2.4.10 (Debian) Server at www.domain.com Port 443
There is a text file there called empty.dir, so a request to http://www.domain.com/.well-known/acme-challenge/empty.dir should download that file; what happens when you request it? I'm guessing a 503 error again. What configuration did you set up for that to work? Maybe that is conflicting with ISPConfig's configuration.
A 503 error happens. It doesn't download the file. It was so long ago that I don't remember exactly what I did. I just got the certificate using certbot, and then bundled everything together as needed by use of the ISPConfig SSL panel. When I upgraded I thought I removed any instances of the old install (it was still using letsencrypt-auto, if that tells you anything). I shouldn't have to reinstall the OS to get it to work properly. If you run certbot, do any of your domains show up there?
My guess is that some other config is overriding ISPConfig's /.well-known/acme-challenge configuration; maybe try searching all web config for that (grep -R acme-challenge /etc/apache2 .. or search /etc/httpd on CentOS, I believe) and see if you find anything. Not sure what you mean; there isn't a "list" command or any way to list installed domains, is there? I can run certbot from the CLI and it works (e.g. I set up a certificate for the server's hostname that way), and I specifically supply `--webroot-path /usr/local/ispconfig/interface/acme` (I believe it was .. it's out of command history now).
Cheers Jesse. I found it. I had this in /etc/apache2/mods-available/proxy.conf
Code:
ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
<Location "/.well-known/acme-challenge/">
    ProxyPreserveHost On
    Order allow,deny
    Allow from all
    Require all granted
</Location>
I commented it out, and it now works. Woohoo!
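The grep-style sweep Jesse suggested, written out as an added example that is not part of the thread and not ISPConfig's own code: a POSIX sh script that flags Apache directives able to claim /.well-known/acme-challenge/ ahead of the 000-ispconfig.conf Alias, run here against a constructed config tree that contains the proxy.conf rule from this post plus a blanket redirect vhost (app.example.com is a made-up name).

```shell
#!/bin/sh
# Added example, not from the thread: scan an Apache config tree for directives
# that could claim /.well-known/acme-challenge/ ahead of ISPConfig's Alias in
# 000-ispconfig.conf, which is how the proxy.conf rule above broke the webroot
# challenge. The config tree below is a constructed fixture.
set -u

# acme_overrides DIR -> prints "file:line:directive" for every suspect line.
# Flags (a) ProxyPass/Redirect/RewriteRule directives naming the challenge path
# (the Alias ISPConfig installs is expected and not reported) and (b) catch-all
# ProxyPass or Redirect rules on "/" that would swallow every request.
# Returns 0 when something was found, 1 when the tree looks clean.
acme_overrides() {
    grep -rnE \
        -e '^[[:space:]]*(ProxyPass|ProxyPassMatch|Redirect|RedirectMatch|RewriteRule)[[:space:]].*acme-challenge' \
        -e '^[[:space:]]*(ProxyPass|Redirect([[:space:]]+(permanent|temp|[0-9]{3}))?)[[:space:]]+"?/"?[[:space:]]' \
        "$1" 2>/dev/null
}

# acme_override_count DIR -> number of suspect lines, for scripting.
acme_override_count() {
    acme_overrides "$1" | wc -l | tr -d ' '
}

# Constructed fixture: ISPConfig's correct Alias, the proxy rule quoted in the
# thread, and a vhost with a blanket http->https redirect.
FIX=$(mktemp -d)
mkdir -p "$FIX/sites-enabled" "$FIX/mods-enabled"
cat >"$FIX/sites-enabled/000-ispconfig.conf" <<'EOF'
Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
</Directory>
EOF
cat >"$FIX/mods-enabled/proxy.conf" <<'EOF'
ProxyPass "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/" retry=1
ProxyPassReverse "/.well-known/acme-challenge/" "http://127.0.0.1:9999/.well-known/acme-challenge/"
EOF
cat >"$FIX/sites-enabled/app.vhost" <<'EOF'
<VirtualHost *:80>
    ServerName app.example.com
    Redirect permanent / https://app.example.com/
</VirtualHost>
EOF

acme_overrides "$FIX"   # reports the proxy.conf ProxyPass and the app.vhost Redirect
```

On a live server, point acme_overrides at /etc/apache2 (or /etc/httpd) and review each reported line; a RewriteRule-based redirect is only safe when a RewriteCond excludes the challenge path.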
I have a question for the SSL / Let's Encrypt part in ISPConfig. I recently installed this tutorial: https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ . I added a domain to my server and I am playing with the SSL to get the config working. The issue is when I go to Domains -> domain -> SSL -> Create, it's creating the certificate after 2-3 minutes, and when I press "Save certificate" (from what I understood this will make the SSL available on the website), apache2 crashes and exits. Any ideas? Am I doing something wrong? In the client folder, in ssl, I can see multiple files that are related to SSL. If I delete the certificate and get another one or the same (not clear yet), the files in the ssl folder double by adding the .err extension.
Turn on debugging mode in ISPConfig: http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ Look in your log files for apache2. Look in your log files for Let's Encrypt. What error(s) do you see there?
apache2 log here -> http://pastebin.com/gtB8fTFU
conf file for testing.com -> http://pastebin.com/31T1ByA4
I just entered ISPConfig 3.1, activated the SSL and Let's Encrypt. All OK. I clicked the SSL tab on the Create option and saved. The next thing, apache will not start before I remove the SSL parts from the config of testing.com. I also get this in the error.log of the domain:
[Wed Oct 19 08:26:25.124474 2016] [ssl:emerg] [pid 5705] AH02565: Certificate and private key testing.com:443:0 from /var/www/clients/client1/web2/ssl/testing.com.crt and /var/www/clients/client1/web2/ssl/testing.com.key do not match
And that's the reason why it failed. You enabled letsencrypt, which generates an SSL cert automatically as described in the manual, and then you created a new cert manually on the SSL tab, which caused your corrupted SSL setup of non-matching SSL key and cert.
So I can delete the content of ssl in the client, remove the SSL and Let's Encrypt from settings, and after that just click Let's Encrypt and all should be fine, correct? PS2: I got the manual, where should I look? PS: I wanted to buy the manual, but if I don't want to make a PayPal account I can't pay. If you have another way of payment, only with debit card / credit card, then I am your man.
So I got the manual ... I did not find the Let's Encrypt part other than in the installation part. I tried to configure the ./certbot-auto again and it prompted a list of websites to enable the certificates. I chose my regular domain with www (www.testing.com). http://pastebin.com/DcNHVuZg apache2 is dead now ... Why am I seeing "php5-fcgi"? I have php7 installed. What should I do next? There is nothing in the manual.
That's not what we described in the manual; the manual clearly tells you to press cancel and NOT choose a domain there. If you select a domain, then letsencrypt will stop working in ISPConfig and apache will not start anymore due to broken certs. I'm sorry to say that, but you did not read the manual then, or it's not the manual that ispconfig.org and howtoforge are offering. The info about letsencrypt is in chapter 4.6.1.1.
To fix your issue, remove the symlink of this vhost in the sites-enabled directory, restart apache, log in to ISPConfig, go to the SSL tab, empty all fields, choose "delete certificate" as action and press save. Then delete all SSL certs in the ssl folder of the website manually. Wait 2 minutes. Log in to ISPConfig, enable the letsencrypt checkbox and press save. And do nothing else on the SSL tab!
I am looking at the manual for you guys, just bought it. I probably missed this 4.6.1.1 chapter and I apologize for that. For the issue, I deleted the domain, added it again with SSL and letsencrypt enabled, and nothing happened. I deleted the vhost in sites-enabled and deactivated SSL and letsencrypt. Deleted the vhost again and enabled SSL and letsencrypt, and the website is in there, but in sites-available I have this .err conf. In that file I also have the 443 settings. When I look in the apache2 log I have something like: http://pastebin.com/wQVs1AE6 .
The .err file means that apache could not start with that config, so most likely there is still a wrong SSL cert somewhere from the manual Let's Encrypt run. Do you have new SSL certs in the ssl folder of this website? If yes, please test if the SSL key and cert belong together. You can find instructions for that e.g. here: https://kb.wisc.edu/middleware/page.php?id=4064 Log: That's not an error from the website where you enabled letsencrypt.
Yes, I have them in /var/www/testing.com/ssl
openssl x509 -noout -modulus -in testing.com.crt | openssl md5
(stdin)= c39c8c7fd6f6f0d5ca8f12f4dfcc7608
openssl rsa -noout -modulus -in testing.com.key | openssl md5
(stdin)= cfe0a7d1d6a59cde47510904ce6b9b3c
so I guess they are different.
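The key/cert check from the two posts above, turned into a pre-flight test that can run against a vhost file before Apache is restarted; this is an added example, not from the thread and not ISPConfig's code. It goes one step beyond the thread's RSA-modulus comparison by comparing the public keys, which also covers EC keys. It assumes the openssl CLI is installed, and the certificate, stray key and vhost files it checks are a constructed fixture (testing.com is the hostname used in the thread).

```shell
#!/bin/sh
# Added example, not from the thread: confirm that the certificate and key an
# Apache vhost points at belong together, the condition behind the AH02565
# "do not match" error quoted above. Requires the openssl CLI; the files below
# are a constructed fixture.
set -u

# pair_matches CRT KEY -> 0 if KEY's public half equals CRT's public key,
# 1 if they differ, 2 if either file could not be parsed.
pair_matches() {
    crt_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$crt_pub" ] && [ "$crt_pub" = "$key_pub" ]
}

# vhost_ssl_ok VHOSTFILE -> reads the first SSLCertificateFile and
# SSLCertificateKeyFile directives and returns pair_matches' status for them.
vhost_ssl_ok() {
    crt=$(awk '$1=="SSLCertificateFile"{print $2; exit}' "$1")
    key=$(awk '$1=="SSLCertificateKeyFile"{print $2; exit}' "$1")
    [ -n "$crt" ] && [ -n "$key" ] || return 2
    pair_matches "$crt" "$key"
}

# Constructed fixture: a self-signed cert with its own key, plus a stray key
# standing in for the leftover of a manual certbot run.
FIX=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=testing.com \
    -keyout "$FIX/testing.com.key" -out "$FIX/testing.com.crt" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$FIX/stray.key" >/dev/null 2>&1
for name in good bad; do
    if [ "$name" = good ]; then k=testing.com.key; else k=stray.key; fi
    cat >"$FIX/$name.vhost" <<EOF
<VirtualHost *:443>
    ServerName testing.com
    SSLEngine on
    SSLCertificateFile $FIX/testing.com.crt
    SSLCertificateKeyFile $FIX/$k
</VirtualHost>
EOF
done

vhost_ssl_ok "$FIX/good.vhost" && echo "good.vhost: cert and key match"
vhost_ssl_ok "$FIX/bad.vhost" || echo "bad.vhost: cert and key do NOT match"
```

Running vhost_ssl_ok on a site's .vhost (or its .err copy) before apachectl restart catches the mismatch without taking the server down.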
@till any news on this issue? Later edit: I have deleted all the certificates in /etc/letsencrypt and in the /ssl folder of the domain and regenerated the certificates. All is working now. Thank you @till for the advice.