Internal error 500 lets encrypt

Discussion in 'Installation/Configuration' started by geegz, Dec 28, 2016.

  1. geegz

    geegz New Member

    Bear with me, I'm pretty green at this.

    I'm running the latest ISPConfig (git-stable), debian wheezy, nginx
    I've tried editing the vhost file of my site (Till posted this in a previous post, can't find the link right now), which didn't work, so I reverted the changes (ended up using git-stable after reading about this in another post, which also didn't help).

    I think the issue might be that lets encrypt cannot access the challenge dir/file for some reason...


    Here's the error log from /var/www/mysite.com/log/error.log
    Code:
    2016/12/27 18:27:03 [error] 15080#15080: *4868 access forbidden by rule, client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/0DQaCXSw$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/403.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: s$
    2016/12/27 18:27:03 [error] 15080#15080: *4868 rewrite or internal redirection cycle while internally redirecting to "/error/404.html", client: 66.133.109.36, server: $
    


    And here's the log for lets encrypt
    /var/log/letsencrypt/letsencrypt.log
    Code:
    2016-12-27 23:17:06,698:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: mysite.com
    Type:   unauthorized
    Detail: Invalid response from http://mysite.com/.well-known/acme-challenge/nnzPGBPZDpJUffNMHfB20Y1dNWfBbN2HeQGpLkM199g: "<html>
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2016-12-27 23:17:06,699:INFO:certbot.auth_handler:Cleaning up challenges
    2016-12-27 23:17:06,699:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/nnzPGBPZDpJUffNMHfB20Y1dNWfBbN2HeQGpLkM19$
    2016-12-27 23:17:06,699:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2016-12-27 23:17:06,699:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    2016-12-27 23:17:06,700:DEBUG:certbot.main:Exiting abnormally:
    
    I'm a little confused because one log says error 500 and another says 404....
    Not really sure where to begin with this one

    Thanks for reading!
     
    thinhtk41 likes this.
  2. cbj4074

    cbj4074 Member

    Hello!

    Basically, with regard to Let's Encrypt in ISPConfig, you shouldn't have to do anything manually (and it sounds as though Till already explained that in the other thread).

    I can confirm that Let's Encrypt works as expected in the latest release (ISPConfig 3.1.1p1), with a default configuration (although, I am using Ubuntu 16.04).

    If you examine your site's vhost config file, you will find the following (at the bottom):

    Code:
    location ~ /\.well-known/acme-challenge/ {
        root /usr/local/ispconfig/interface/acme/;
        index index.html index.htm;
        try_files $uri =404;
    }
    
    ISPConfig controls which files exist in the "/usr/local/ispconfig/interface/acme/" directory at any given time. When you check the "Let's Encrypt SSL" box in the GUI, ISPConfig generates the appropriate challenge-response files and makes them accessible for the the duration needed for Let's Encrypt to retrieve them.

    With regard to the conflicting HTTP response codes, it's difficult to determine exactly what is happening, because, as the timestamps show, those log entries are not from the same attempt.

    If you can post log entries with matching timestamps, we may have a better picture of what's happening here...
     
  3. cbj4074

    cbj4074 Member

    Actually, you know what... I just tested this one more time, to be sure, and I had the same problem!

    Upon cursory analysis, it seems that there is a file in that directory, named "empty.dir" (presumably, this is intended to serve the same purpose as the more conventional ".gitignore"), and that seems to be what is causing the problem!

    I thought to check this because of this error in the Let's Encrypt log file:

    Code:
    017-01-04 19:31:06,719:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    
    I simply removed the file, and then unchecking/re-checking the "Let's Encrypt SSL" causes the certificate to be issued successfully:

    Code:
    $ sudo rm /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/empty.dir
    
    Finally, I had to "hard-refresh" the browser (e.g., Ctrl + F5) for the new certificate to be displayed.

    Can you let us know if this fixes the issue for you? This seems like a legitimate bug.
     
    geegz likes this.
  4. geegz

    geegz New Member



    Trying this out right now! will report back
     
  5. geegz

    geegz New Member

    No go...

    /var/www/mysite.com/log/error.log
    Code:
    2017/01/04 14:53:06 [error] 15082#15082: *10702 access forbidden by rule, client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/403.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    2017/01/04 14:53:06 [error] 15082#15082: *10702 rewrite or internal redirection cycle while internally redirecting to "/error/404.html", client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU HTTP/1.1", host: "mysite.com"
    


    /var/log/letsencrypt/letsencrypt.log
    Code:
    Domain: mysite.com
    Type:   unauthorized
    Detail: Invalid response from http://mysite.com/.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0tU: "<html>
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2017-01-04 19:53:09,581:INFO:certbot.auth_handler:Cleaning up challenges
    2017-01-04 19:53:09,581:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/QDo5lCJ_ONPlyRIYBWMA34F9AMGDOeVIvaE4O7Kz0$
    2017-01-04 19:53:09,582:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-01-04 19:53:09,584:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
        return config.func(config, plugins)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 94, in _auth_from_domains
        lineage = le_client.obtain_and_enroll_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
        certr, chain, key, _ = self.obtain_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
        self.config.allow_subset_of_names)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
        self._respond(resp, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 131, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 195, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response f$
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    

    I really appreciate you taking the time to help!
     
  6. cbj4074

    cbj4074 Member

    No problem! Thanks for taking the time to try this again and capture logs from the same attempt.

    Okay, so at least the "directory not empty" error goes away, which leaves the LE directory in a clean state. I think we should still file a bug report about that, but, clearly, it's not the show-stopping issue at hand.

    The entries in "error.log" indicate that something in your nginx config is preventing the LE bot from retrieving the challenge-response:

    Code:
    ... access forbidden by rule ...
    
    This error is distinctly different from a filesystem permission error.

    Have you made any customizations to your site's vhost configuration file?

    Just as an example, the default template includes a location block like this:

    Code:
      location ~ /\.(?!well-known/acme-challenge/) {
      deny all;
      access_log off;
      log_not_found off;
      }
    
    Basically, this denies all requests for URIs that begin with a period (dot), except for those in which the dot is followed by /well-known/acme-challenge/. This is what allows the LE bot to access the response, even though it is inside a "hidden" directory (one that begins with a dot).

    Do you have this block in your vhost configuration file? Because without it, all dot-resources are forbidden (this is a default in nginx).

    It would be helpful to see your vhost configuration in its entirety (sanitize as appropriate, if you post it).

    Also, if you study the first snippet carefully, you will notice that the first error is access denied by a rule, as discussed above, and nginx then redirects to "403.html", but that file doesn't exist (or nginx can't read it), so nginx redirects to "404.html", but that file doesn't exist either, so nginx keeps trying until it fails after so many attempts. (I'm surprised that nginx keeps trying!)

    So, it seems to me like you may have checked the "Own Error-Documents" box (on the first tab of the website) and then either deleted the custom error template files that ISPConfig generates as a result of checking that box, or changed the permissions on them to the extent that nginx can't read them.

    All of that said, I do find it odd that the LE bot request shows a 500 error (and not a 404). I would try to sort out the error document issue next, and see if that sheds any additional light on the underlying problem.
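The two nginx blocks quoted in this thread (the `acme-challenge` location in post 2 and the `location ~ /\.(?!well-known/acme-challenge/)` deny rule above) only work together because nginx evaluates `location ~` regex blocks in the order they appear and takes the first match. The following is an added Python model, not code from the thread or from ISPConfig: it replays that first-match rule over a constructed list of request paths for the vhost geegz posted (plain `location ~ /\.`) and for the template cbj4074 describes. Prefix locations, `^~`, `=` and the `try_files` step inside a matched block are deliberately left out; the challenge token is made up.

```python
import re

# Constructed model of nginx "location ~" evaluation: regex locations are
# tried in order of appearance and the first match wins. Only regex
# locations are modelled; prefix locations, "^~", "=" and try_files are
# ignored, so a None result means "no regex location matched".

# The vhost posted in this thread: every path containing "/." is denied.
BROKEN_VHOST = [
    (r"/\.", "deny"),
]

# The ISPConfig template described in the thread: the deny rule carries a
# negative lookahead that exempts the ACME path, and a later block serves
# the challenge files from /usr/local/ispconfig/interface/acme/.
FIXED_VHOST = [
    (r"/\.(?!well-known/acme-challenge/)", "deny"),
    (r"/\.well-known/acme-challenge/", "serve_acme"),
]


def match_location(uri, locations):
    """Return the action of the first regex location matching uri, or None.

    nginx matches regex locations unanchored against the request URI, which
    is what re.search does here.
    """
    for pattern, action in locations:
        if re.search(pattern, uri):
            return action
    return None


def evaluate(uris, locations):
    """Map each URI to the action the given ordered locations select."""
    return {uri: match_location(uri, locations) for uri in uris}


# Constructed sample request paths; EXAMPLE_TOKEN is a placeholder.
SAMPLE_URIS = [
    "/.well-known/acme-challenge/EXAMPLE_TOKEN",  # what the ACME CA fetches
    "/.well-known/other-service",                 # still a hidden path
    "/.git/config",                               # must stay denied
    "/.htpasswd",                                 # must stay denied
    "/index.php",                                 # no "/." at all
]

if __name__ == "__main__":
    for name, vhost in (("broken", BROKEN_VHOST), ("fixed", FIXED_VHOST)):
        print(name)
        for uri, action in evaluate(SAMPLE_URIS, vhost).items():
            print(f"  {uri:45} -> {action}")
```

Run as-is, the broken vhost reports `deny` for the challenge path, which is exactly the "access forbidden by rule" line in error.log, while the fixed one reports `serve_acme` for that path and keeps `deny` for every other dot-path, so the exemption is as narrow as it needs to be.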
     
  7. geegz

    geegz New Member

    I honestly might have edited it, but I couldn't tell you for certain (I might have done this following one of the dozen tutorials I've gone through in the past).

    Here's the vhost for mysite.com:

    Code:
    server {
            listen *:80;
    
    
            server_name mysite.com *.mysite.com;
    
            root   /var/www/mysite.com/web;
    
    
    
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
    
    
            error_page 400 /error/400.html;
            error_page 401 /error/401.html;
            error_page 403 /error/403.html;
            error_page 404 /error/404.html;
            error_page 405 /error/405.html;
            error_page 500 /error/500.html;
            error_page 502 /error/502.html;
            error_page 503 /error/503.html;
            recursive_error_pages on;
            location = /error/400.html {
    
                internal;
            }
            location = /error/401.html {
    
                internal;
            }
            location = /error/403.html {
    
                internal;
            }
            location = /error/404.html {
    
                internal;
            }
            location = /error/405.html {
    
                internal;
            }
            location = /error/500.html {
    
                internal;
            }
            location = /error/502.html {
    
                internal;
            }
            location = /error/503.html {
    
                internal;
            }
    
            error_log /var/log/ispconfig/httpd/mysite.com/error.log;
            access_log /var/log/ispconfig/httpd/mysite.com/access.log combined;
    
            location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            location /stats/ {
    
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web1/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
            location ~ \.php$ {
                try_files /73206d5c9b05fabd75baea549c71d157.htm @php;
            }
    
            location @php {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
    
    
    
            location / {
                  try_files $uri $uri/ /index.php?$args;
            }
    
    
    }
    
     
  8. geegz

    geegz New Member

    You are absolutely correct on this! Is this something I should disable?
    Is that specifically used when, let's say, I have my own set of errors or something like that?

    Thanks again for the help, cbj4074!
    You the real MVP
     
  9. cbj4074

    cbj4074 Member

    Well, that explains all of the observed behavior. :)

    You're missing several crucial ISPConfig directives, and, conversely, you have a lot of extra "cruft" that should probably be removed.

    The access denied error results for the reason I mentioned in my previous post; nginx's default behavior is to deny access to all dot-files, so without a rule that changes that behavior for the well-known directory, the observed behavior is to be expected.

    The bizarre error-page handling is the result of all those directives (and particularly the "recursive_error_pages on").

    It's important to understand that when using ISPConfig, one should never edit a vhost file manually. ISPConfig overwrites a vhost file any time the website configuration is changed via the graphical interface. In other words, it simply isn't "safe" to edit those files manually. Instead, one should always use the interface; there is a checkbox/option/field for nearly every conceivable customization one could want to make, so definitely ask for help if you're not sure how to do something without editing a vhost file manually. (The same is true for most other configuration files of which ISPConfig is aware; there are a few exceptions, but not many.)

    I would back up your existing vhost file and then regenerate it. You can do this simply by browsing to Tools -> Resync (in left sidebar) -> and check the Websites box, then hit Start. This should forcibly regenerate all vhost configuration files.

    You will need to copy any customizations upon which your site relies into the new configuration. The "proper" way to do this is to paste the snippets into the website's Options -> nginx Directives field. It looks like the only one you have is this:

    Code:
    location / {
        try_files $uri $uri/ /index.php?$args;
    }
    
    After you've done all that, give the Let's Encrypt bit another try. :)
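The error.log sequence geegz posted (one failed `open()` of 403.html, nine of 404.html, then "rewrite or internal redirection cycle") and the 500 page the Let's Encrypt client received fit together once nginx's redirect budget is taken into account: nginx allows at most 10 internal redirects per request (`NGX_HTTP_MAX_URI_CHANGES`), and the eleventh is logged as a cycle and answered with the built-in 500 page without consulting `error_page` again. The following is an added Python model of that behaviour, not the thread's or ISPConfig's code; it assumes that limit, uses the `error_page` table from the posted vhost, and treats the error documents as simply absent from disk.

```python
# Constructed model of nginx error_page handling with recursive_error_pages.
# Assumption: nginx permits 10 internal redirects per request
# (NGX_HTTP_MAX_URI_CHANGES); the next one is logged as a redirection cycle
# and the request is finalized with the default 500 page. Not nginx code.

MAX_URI_CHANGES = 10

# error_page directives exactly as in the vhost posted in this thread.
ERROR_PAGES = {
    400: "/error/400.html", 401: "/error/401.html", 403: "/error/403.html",
    404: "/error/404.html", 405: "/error/405.html", 500: "/error/500.html",
    502: "/error/502.html", 503: "/error/503.html",
}


def serve_error(initial_status, existing_files, recursive_error_pages=True,
                error_pages=ERROR_PAGES):
    """Follow error_page redirects for a request that ended in initial_status.

    existing_files: set of error-document URIs that exist under the web root.
    Returns (status_sent_to_client, log) where log holds one entry per event,
    in the shape the corresponding error.log lines take.
    """
    log = []
    status = initial_status
    redirects = 0
    while True:
        target = error_pages.get(status)
        if target is None:
            # No error_page for this status: default page, original status.
            return status, log
        if redirects >= MAX_URI_CHANGES:
            # Budget exhausted: nginx logs the cycle and answers 500 with its
            # built-in page; error_page 500 is not consulted at this point.
            log.append('rewrite or internal redirection cycle while '
                       f'internally redirecting to "{target}"')
            return 500, log
        redirects += 1
        if target in existing_files:
            # Custom document served with the original error status.
            return status, log
        log.append(f'open() "{target}" failed (2: No such file or directory)')
        if not recursive_error_pages:
            # Second error is not redirected again: default 404 page.
            return 404, log
        # recursive_error_pages on: the missing document is itself a 404,
        # which error_page maps to /error/404.html, and the loop continues.
        status = 404


if __name__ == "__main__":
    # The situation in this thread: deny rule -> 403, no error documents.
    status, log = serve_error(403, existing_files=set())
    for line in log:
        print(line)
    print("client receives:", status)
```

With no error documents and `recursive_error_pages on`, the model emits one 403.html failure, nine 404.html failures and the cycle line before returning 500, which is the count in geegz's log and the status the ACME client reported. Switching `recursive_error_pages` off stops after the first missing document with a plain 404, and providing the files returns the original status with an empty log.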
     
  10. cbj4074

    cbj4074 Member

    LOL, thanks!

    That option is useful when you want to customize the error pages that nginx uses. By default, nginx uses the super-basic black-text-on-white-background error pages. You can use that option to jazz them up and customize them to suit your tastes.

    There are better ways to implement custom error pages for PHP apps in nginx, in my opinion, but the built-in method is helpful for basic use-cases.
     
  11. geegz

    geegz New Member

    So I deselected the own error option and retried but got the same thing (I also did the resync thing!)


    Code:
    [\n      2\n    ],\n    [\n      0\n    ],\n    [\n      1\n    ]\n  ]\n}'
    2017-01-04 22:04:08,199:DEBUG:acme.challenges:dns-01 was not recognized, full message:
    
    {u'status': u'pending', u'token': u'D-oQ_Yuit9WbcK7bQctFC3NsA7CVNKWRYDRqLZXo5S8', u'type': u'dns-01', u'uri': u'https://acme-
    
    v01.api.letsencrypt.org/acme/challenge/skU3oWIzJu1efzhOy2_2ilj6QSWmJCuBr9BnEdg2rvo/469613734'}
    2017-01-04 22:04:08,200:INFO:certbot.reporter:Reporting to user: The
    
    following errors were reported by the server:
    
    Domain: mysite.com
    Type:   unauthorized
    Detail: Invalid response from http://mysite.com/.well-known/acme-
    
    challenge/jibTFE6IDSyN11PIM8ddpmSs1mSeOyQNmLLIEypugMU: "<html>
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain
    
    contain(s) the right IP address.
    2017-01-04 22:04:08,200:INFO:certbot.auth_handler:Cleaning up challenges
    2017-01-04 22:04:08,200:DEBUG:certbot.plugins.webroot:Removing
    
    /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/jibTFE6IDSyN11PIM8ddpmSs1mSeOyQNmLLIEypugMU
    2017-01-04 22:04:08,201:DEBUG:certbot.plugins.webroot:All
    
    challenges cleaned up, removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-01-04 22:04:08,203:DEBUG:certbot.main:Exiting abnormally:
    Traceback
    
    (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File
    
    "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
        return config.func(config, plugins)
      File
    
    "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
        _, action = _auth_from_domains(le_client, config,
    
    domains, lineage)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 94, in _auth_from_domains
        lineage =
    
    le_client.obtain_and_enroll_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 276, in
    
    obtain_and_enroll_certificate
        certr, chain, key, _ = self.obtain_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-
    
    packages/certbot/client.py", line 247, in obtain_certificate
        self.config.allow_subset_of_names)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-
    
    packages/certbot/auth_handler.py", line 74, in get_authorizations
        self._respond(resp, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-
    
    packages/certbot/auth_handler.py", line 131, in _respond
        self._poll_challenges(chall_update, best_effort)
      File
    
    "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 195, in _poll_challenges
        raise errors.FailedChallenges
    
    (all_failed_achalls)
    FailedChallenges: Failed authorization procedure. mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization ::
    
    Invalid response from http://mysite.com/.well-known/acme-challenge/jibTFE6IDSyN11PIM8ddpmSs1mSeOyQNmLLIEypugMU: "<html>
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    
    





    Code:
    *12707 rewrite or internal redirection cycle while internally redirecting to "/error/404.html", client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/jibTFE6IDSyN11PIM8ddpmSs1mSeOyQNmLLIEypugMU HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 access forbidden by rule, client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/403.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    2017/01/04 17:28:03 [error] 15080#15080: *13243 rewrite or internal redirection cycle while internally redirecting to "/error/404.html", client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/1A_Y3DgXrIrbUkkGXUCi0W35BfbKinFZB3QQWRKTvuc HTTP/1.1", host: "mysite.com"
    
     
  12. geegz

    geegz New Member

    Here's the vhost AFTER I did the resync to the website
    Code:
    server {
            listen *:80;
    
    
            server_name mysite.com *.mysite.com;
    
            root   /var/www/mysite.com/web;
    
    
    
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
    
    
            error_page 400 /error/400.html;
            error_page 401 /error/401.html;
            error_page 403 /error/403.html;
            error_page 404 /error/404.html;
            error_page 405 /error/405.html;
            error_page 500 /error/500.html;
            error_page 502 /error/502.html;
            error_page 503 /error/503.html;
            recursive_error_pages on;
            location = /error/400.html {
    
                internal;
            }
            location = /error/401.html {
    
                internal;
            }
            location = /error/403.html {
    
                internal;
            }
            location = /error/404.html {
    
                internal;
            }
            location = /error/405.html {
    
                internal;
            }
            location = /error/500.html {
    
                internal;
            }
            location = /error/502.html {
    
                internal;
            }
            location = /error/503.html {
    
                internal;
            }
    
            error_log /var/log/ispconfig/httpd/mysite.com/error.log;
            access_log /var/log/ispconfig/httpd/mysite.com/access.log combined;
    
            location ~ /\. {
                deny all;
                access_log off;
                log_not_found off;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            location /stats/ {
    
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web1/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
            location ~ \.php$ {
                try_files /73206d5c9b05fabd75baea549c71d157.htm @php;
            }
    
            location @php {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
    
    
    
            location / {
                  try_files $uri $uri/ /index.php?$args;
            }
    
    
    }
    



    For some reason it didn't add this bit when I did the resync:
    I'm going to try to add it in to the directives section and see what happens
    Code:
      location ~ /\.(?!well-known/acme-challenge/) {
      deny all;
      access_log off;
      log_not_found off;
      }
    UPDATE: I tried adding it as a directive for the site and that didn't work either
     
    Last edited: Jan 5, 2017
  13. cbj4074

    cbj4074 Member

    I don't see any indication that the vhost file is actually being re-written to disk. It appears to be unchanged; all of the custom error document directives are still there, and, as you point out, none of the Let's Encrypt directives are there.

    That can happen for a number of reasons, the most common of which is that there is a problem with the vhost configuration and ISPConfig refuses to write a broken configuration to disk.

    The first thing I would do is enable debugging; under System -> Server Config -> [the server] -> Loglevel, set the dropdown to Debug.

    Then, try modifying the vhost using the graphical interface. You can make any simple change, as long as it is a change that affects the vhost file (adding a commented line to the nginx Directives field has no effect and won't work for this purpose, just FYI!). An easy one would be to change the Auto-Subdomain menu to none or www, just temporarily.

    Once the "pending change" indicator at the top of the UI disappears, check in /etc/nginx/sites-available to see if there is a file for the vhost in question, but with the extension ".err" added. ISPConfig creates such a file when it detects a problem with the proposed configuration changes. It writes the broken config to this file and then continues to use the working config.

    Please also check the debug log contents. You can review the contents under Monitor -> Show System-Log. Sometimes, the entries can be difficult to read in that format, so you can get the same information directly from the log file:

    Code:
    sudo tail -f /var/log/ispconfig/ispconfig.log
    
    Let us know what you find!
     
    geegz likes this.
  14. geegz

    geegz New Member


    Correct yet again, sir!
    Here's the err file:
    Code:
    server {
            listen MYIPHERE:80;
    
            listen MYIPHERE:443 ssl;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_certificate /var/www/clients/client1/web1/ssl/mysite.com.crt;
            ssl_certificate_key /var/www/clients/client1/web1/ssl/mysite.com.key;
    
            server_name mysite.com www.mysite.com;
    
            root   /var/www/mysite.com/web//web/site;
    
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
            error_log /var/log/ispconfig/httpd/mysite.com/error.log;
            access_log /var/log/ispconfig/httpd/mysite.com/access.log combined;
    
            location ~ /\.(?!well-known/acme-challenge/) {
                deny all;
                access_log off;
                log_not_found off;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            location /stats/ {
                root /var/www/mysite.com/web/;
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web1/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
            location ~ \.php$ {
                try_files /28864927032e4e0dd6f360976ef0b0c4.htm @php;
            }
    
            location @php {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
            server {
              ....
              location / {
                 expires 1d;
                 try_files $uri $uri/ /index.php?$args;
              }
              ....
            }
    
            location ~ /\.well-known/acme-challenge/ {
                root /usr/local/ispconfig/interface/acme/;
                index index.html index.htm;
                try_files $uri =404;
            }
    
            location / { ##merge##
                    auth_basic "Members Only";
                    auth_basic_user_file /var/www/clients/client1/web1/web/.htpasswd;
    
                    location ~ \.php$ {
                        try_files /28864927032e4e0dd6f360976ef0b0c4.htm @php;
                    }
            }
    
    }

    And here's the tail for the ispconfig log:
    Code:
    06.01.2017-11:55 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.01.2017-11:55 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    06.01.2017-11:56 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.01.2017-11:56 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    06.01.2017-11:57 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.01.2017-11:57 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    06.01.2017-11:58 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.01.2017-11:58 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    06.01.2017-11:59 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    06.01.2017-11:59 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

    I also checked out the syslog within ispconfig and saw that this repeated a whole bunch for some reason (I don't know if that's normal though... :confused:)
    You think maybe I edited my default vhost template (is there such a thing?) and it's trying to add that acme directive twice? I don't know, I'm shooting blind here...

    EDIT: I mention the acme-challenge thing because I see two references in the vhost err file btw
     
    Last edited: Jan 6, 2017
  15. cbj4074

    cbj4074 Member

    Aha! This is progress!

    I don't recognize that ##merge## syntax, although, it shouldn't cause any problems because it's treated as a comment. We could guess all day as to what's wrong with the .err file, but it's a lot easier to use "nginx -t", which tests the validity of the entire nginx configuration.

    For that to work, you will need to rename the existing/effective vhost file (just add .bak or similar), and then remove the .err from the broken file. Don't try to reload nginx or anything. Just issue "nginx -t" on the terminal immediately after renaming those files. nginx should pinpoint the offending directive(s).

    Regarding the debug log content, I'm surprised not to see any mention of nginx in there. But let's not worry about that for now... just figure out what is wrong with the .err file first.

    Edit to Add:

    Sorry, I forgot to address your other questions.

    It is normal for there to be two references to the acme-challenge bit. They serve different purposes. If you look closely, you will see that the two blocks are different.

    And, yes, it is possible that you edited ISPConfig's default nginx configuration template (tsk, tsk!). If you did, you would have had to edit /usr/local/ispconfig/server/conf/nginx_vhost.conf.master. This is, of course, the "wrong way" to change the default configuration template, because ISPConfig will overwrite it upon upgrade.

    The correct way to do this would be to add a new file by the same name in /usr/local/ispconfig/server/conf-custom. ISPConfig will detect this file's presence and use it instead. But I would advise you not to override this template unless you have some very compelling reason! I say this mostly because it's all too easy to upgrade ISPConfig and forget that you overrode the template at some point in the past. Consequently, new features or changes in ISPConfig are not effective, because your template override is still being used, and this very type of issue arises. :)
     
    Last edited: Jan 6, 2017
  16. geegz

    geegz New Member

    LOL I can actually vaguely remember there was a point when I first started playing with ISPConfig where I actually did go in there and edit that file directly...

    And looks like I got an error when I ran that command!
    Code:
    nginx: [emerg] "server" directive is not allowed here in /etc/nginx/sites-enabled/100-mysite.com.vhost:66
    I opened up the vhost file found in sites-enabled and I think this is the directive it's talking about:
    Code:
            server {
              ....
              location / {
                 expires 1d;
    
                 try_files $uri $uri/ /index.php?$args;
              }
              ....
    
            }
    I'm guessing maybe I went into this file and edited it manually also? Wow, I really made a mess!

    EDIT: gonna make a copy and remove that bit to see what happens...
     
    Last edited: Jan 6, 2017
  17. cbj4074

    cbj4074 Member

    LOL, yes indeed, you appear to have mucked things up pretty good! We all do it, at one time or another, in our ISPConfig careers. :D

    If you can't think of a good reason for not doing it, I would reinstall ISPConfig, over top of the existing installation, to ensure that your source files are unmodified. Otherwise, you could end up chasing your tail for quite some time!

    I haven't had to do it in a while, but I'm pretty sure that you can just download, unpack, and run the ISPConfig installer again. I don't think it'll complain about an existing installation.
     
  18. geegz

    geegz New Member

    Ok so I manually removed that directive, resync'd, changed the auto domain back to none and tried again, but Let's Encrypt is still not showing as enabled.

    Here's the vhost:

    Code:
    server {
            listen MYIPHERE:80;
    
            listen MYIPHERE:443 ssl;
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_certificate /var/www/clients/client1/web1/ssl/mysite.com.crt;
            ssl_certificate_key /var/www/clients/client1/web1/ssl/mysite.com.key;
    
            server_name mysite.com www.mysite.com;
    
            root   /var/www/mysite.com/web//web/site;
    
    
    
            index index.html index.htm index.php index.cgi index.pl index.xhtml;
    
    
    
            error_log /var/log/ispconfig/httpd/mysite.com/error.log;
            access_log /var/log/ispconfig/httpd/mysite.com/access.log combined;
    
            location ~ /\.(?!well-known/acme-challenge/) {
                deny all;
                access_log off;
                log_not_found off;
            }
    
            location = /favicon.ico {
                log_not_found off;
                access_log off;
            }
    
            location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
            }
    
            location /stats/ {
                root /var/www/mysite.com/web/;
                index index.html index.php;
                auth_basic "Members Only";
                auth_basic_user_file /var/www/clients/client1/web1/web/stats/.htpasswd_stats;
            }
    
            location ^~ /awstats-icon {
                alias /usr/share/awstats/icon;
            }
    
            location ~ \.php$ {
                try_files /28864927032e4e0dd6f360976ef0b0c4.htm @php;
            }
    
            location @php {
                try_files $uri =404;
                include /etc/nginx/fastcgi_params;
                fastcgi_pass unix:/var/lib/php5-fpm/web1.sock;
                fastcgi_index index.php;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                fastcgi_intercept_errors on;
            }
    
    
    
    
            location ~ /\.well-known/acme-challenge/ {
           root /usr/local/ispconfig/interface/acme/;
           index index.html index.htm;
           try_files $uri =404;
    }
    
    
            location / { ##merge##
                    auth_basic "Members Only";
                    auth_basic_user_file /var/www/clients/client1/web1/web/.htpasswd;
    
                    location ~ \.php$ {
                        try_files /28864927032e4e0dd6f360976ef0b0c4.htm @php;
                    }
            }
    
    }
    Here's the error.log:

    Code:
    2017/01/06 13:39:03 [error] 15080#15080: *18298 access forbidden by rule, client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/403.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/mysite.com/web/error/404.html" failed (2: No such file or directory), client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    2017/01/06 13:39:03 [error] 15080#15080: *18298 rewrite or internal redirection cycle while internally redirecting to "/error/404.html", client: 66.133.109.36, server: mysite.com, request: "GET /.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY HTTP/1.1", host: "mysite.com"
    

    Let's Encrypt log:
    Code:
    01",\n      "status": "pending",\n      "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/CnZAbd6G4RHUIFQ4Ugt_ZOgdRnmVRIh-CUhWLDIqJuM/475730951",\n      "token": "CHW9uc92LB_iOKaOe3uZsHUDxWGO0suizjY9y_vThWs"\n    }\n  ],\n  "combinations": [\n    [\n      0\n    ],\n    [\n      1\n    ],\n    [\n      2\n    ]\n  ]\n}'
    2017-01-06 18:39:06,406:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'hdw3ecTK28aM1bmolxtaqBNM5n92CdIq4uV6DDejk9E', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/CnZAbd6G4RHUIFQ4Ugt_ZOgdRnmVRIh-CUhWLDIqJuM/475730949'}
    2017-01-06 18:39:06,407:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: mysite.com
    Type:   unauthorized
    Detail: Invalid response from http://mysite.com/.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY: "<html>
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2017-01-06 18:39:06,407:INFO:certbot.auth_handler:Cleaning up challenges
    2017-01-06 18:39:06,407:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY
    2017-01-06 18:39:06,408:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-01-06 18:39:06,409:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
        return config.func(config, plugins)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 94, in _auth_from_domains
        lineage = le_client.obtain_and_enroll_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
        certr, chain, key, _ = self.obtain_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
        self.config.allow_subset_of_names)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
        self._respond(resp, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 131, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 195, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.com/.well-known/acme-challenge/oZOsyjFMC8PoGKCStZnKQI5JzfBqrNOcu31dMqL6QOY: "<html>
    <head><title>500 Internal Server Error</title></head>
    <body bgcolor="white">
    <center><h1>500 Internal Server Error</h1"
    
    
     
  19. geegz

    geegz New Member

    For sure! I really kind of just enjoy king it and seeing what happens when I do lol

    Then I get frustrated and don't touch the project for a while, then come back to it and try to figure out where I was...

    Not the best way to do things :)
    Yeah I was about to ask if I should just do this.
    Will this delete my existing emails?
     
  20. cbj4074

    cbj4074 Member

    I don't see any indication that the nginx vhost config you posted is actually effective. I say this because the Let's Encrypt errors are exactly the same as they were when you first posted. They indicate that the custom error pages are still being used, and that you are missing the rule that allows Let's Encrypt validation requests.

    Can you try issuing the "service nginx restart" command, manually, and see if that changes the behavior?

    ISPConfig should reload nginx when it makes any change to a vhost file, but that doesn't seem to be happening as it should.

    And no, reinstalling ISPConfig shouldn't touch your email. It will only overwrite all of its own source files and "reconfigure services" -- that is, it will rewrite certain services' config files and reload said services. This is important to understand if you have modified other services' config files, like Postfix or Dovecot (which, again, you should not do when using ISPConfig!).
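As an added illustration (not code from this thread, from ISPConfig or from nginx), the Python script below simulates how nginx's regex locations route the ACME validation request under the original `location ~ /\.` deny rule versus the `(?!well-known/acme-challenge/)` form, and pulls the "access forbidden by rule" entries out of error.log lines so you can see which paths the rule is rejecting. The log lines, host, client IPs and token are constructed placeholders, and the simulator covers only the `location ~` blocks, since the `=` and `^~` locations in the posted vhost do not match these paths.

```python
import re

# Constructed sample in the shape of the thread's nginx error.log entries.
# Host, client IPs and the challenge token are placeholders, not real values.
SAMPLE_ERROR_LOG = """\
2017/01/06 13:39:03 [error] 15080#15080: *18298 access forbidden by rule, client: 192.0.2.10, server: example.com, request: "GET /.well-known/acme-challenge/TOKENPLACEHOLDER HTTP/1.1", host: "example.com"
2017/01/06 13:39:03 [error] 15080#15080: *18298 open() "/var/www/example.com/web/error/403.html" failed (2: No such file or directory), client: 192.0.2.10, server: example.com, request: "GET /.well-known/acme-challenge/TOKENPLACEHOLDER HTTP/1.1", host: "example.com"
2017/01/06 13:39:04 [error] 15080#15080: *18299 access forbidden by rule, client: 192.0.2.11, server: example.com, request: "GET /.htpasswd HTTP/1.1", host: "example.com"
"""

# "location ~" blocks in the order they appear in the vhost. nginx takes the
# first regex location that matches the (already normalized) URI, after the
# "=" and "^~" locations, which none of the paths below hit.
# Original vhost: every path containing "/." is denied, so the ACME validation
# request is rejected and logged as "access forbidden by rule".
OLD_RULES = [
    (r"/\.", "deny"),
    (r"\.php$", "php"),
]
# Regenerated vhost: the negative lookahead exempts only the exact
# "/.well-known/acme-challenge/" prefix, and a later location serves that
# prefix from the ISPConfig acme webroot. Every other dot-path stays denied.
NEW_RULES = [
    (r"/\.(?!well-known/acme-challenge/)", "deny"),
    (r"\.php$", "php"),
    (r"/\.well-known/acme-challenge/", "acme-webroot"),
]


def route(uri, rules, default="site"):
    """Action of the first regex location matching uri (unanchored search, as nginx does)."""
    for pattern, action in rules:
        if re.search(pattern, uri):
            return action
    return default


# One nginx error.log line, as in the samples above.
LOG_LINE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \S+ \*\d+ (?P<msg>.*?), client: (?P<client>\S+), '
    r'server: (?P<server>\S+), request: "(?P<method>\S+) (?P<uri>\S+) [^"]*", host: "(?P<host>[^"]*)"$'
)


def forbidden_requests(log_text):
    """Return (uri, client) for every 'access forbidden by rule' entry in error.log text."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("msg") == "access forbidden by rule":
            hits.append((m.group("uri"), m.group("client")))
    return hits


def compare(log_text):
    """Map each denied URI to (old-rule action, new-rule action) so the fix's effect is visible per path."""
    return {uri: (route(uri, OLD_RULES), route(uri, NEW_RULES))
            for uri, _client in forbidden_requests(log_text)}


if __name__ == "__main__":
    for uri, (old, new) in compare(SAMPLE_ERROR_LOG).items():
        print(f"{uri:50} old={old:6} new={new}")
    # Near-miss paths that must stay denied: the exemption is the exact prefix only.
    for probe in ("/.well-known/acme-challenge-evil/x", "/.well-known/other", "/stats/.htpasswd_stats"):
        print(f"{probe:50} new={route(probe, NEW_RULES)}")
```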
     