Hi, I've been using Let's Encrypt for 4 of my websites and it works just fine. But it's not working for my last one. I've checked the SSL function and it works, but when I check the Let's Encrypt function, I wait a few seconds for the task to end, and when I verify, the function is no longer checked. I don't understand why this particular website can't have its Let's Encrypt certificate... The DNS records are OK and pointing to the right IP address. Where should I look for the error logs? I run ISPConfig 3.1.6 under Ubuntu 16.04 server and I have followed the tutorial: https://www.howtoforge.com/tutorial/perfect-server-ubuntu-with-nginx-and-ispconfig-3/ ... So I run Nginx, not Apache. Thanks in advance for your advice.
Well... I've just activated debug in ISPConfig and was able to see the error message:
    Could not verify domain www.mysite.com, so excluding it from letsencrypt request.
I've got the exact same configuration for all my domains and for mysite.com:
    mysite.com. 0 A 89.xxx.xxx.xxx
    www.mysite.com. 0 CNAME mysite.com.
Any idea?
Is this server behind a router, so that you cannot reach a domain from an internal system? In this case you have to deactivate the letsencrypt check under System > server config > web.
It's not behind a router... I thought of a firewall problem... but it all went fine for 4 other websites! So I don't think it's a firewall problem. I've got the problem for my last domain only. The website is OK, the HTTPS self-signed is OK too. Here is the entire log (debug) with the real domain name:
    25-07-2017 07:01 groskuik.spacejerk.fr Warning Let's Encrypt SSL Cert for: freetorrent.fr could not be issued.
    25-07-2017 07:01 groskuik.spacejerk.fr Warning Could not verify domain www.freetorrent.fr, so excluding it from letsencrypt request.
    25-07-2017 07:01 groskuik.spacejerk.fr Warning Could not verify domain freetorrent.fr, so excluding it from letsencrypt request.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'update' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_update'. SSL Disabled. freetorrent.fr Restarting php-fpm: systemctl reload php7.0-fpm.service
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'restartPHP_FPM' from module 'web_module'.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web2.conf
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Writing the vhost file: /etc/nginx/sites-available/freetorrent.fr.vhost Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Processed datalog_id 167
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx online status after restart is: running
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx restart return value is: 0
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Restarting httpd: systemctl restart nginx.service
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx configuration ok!
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Checking nginx configuration...
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'restartHttpd' from module 'web_module'.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx status is: running
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Restarting php-fpm: systemctl reload php7.0-fpm.service
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'restartPHP_FPM' from module 'web_module'.
Hmmm, this seems to be a tell: Code:
    mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
Can you check permissions there?
    root@groskuik:/usr/local/ispconfig/interface/acme# ls -alh
    total 12K
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 .
    drwxr-x--- 9 ispconfig ispconfig 4,0K juil. 19 14:31 ..
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 .well-known
    root@groskuik:/usr/local/ispconfig/interface/acme# cd .well-known/
    root@groskuik:/usr/local/ispconfig/interface/acme/.well-known# ls -alh
    total 12K
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 .
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 ..
    drwxr-xr-x 2 ispconfig ispconfig 4,0K juil. 25 13:01 acme-challenge
    root@groskuik:/usr/local/ispconfig/interface/acme/.well-known# cd acme-challenge/
    root@groskuik:/usr/local/ispconfig/interface/acme/.well-known/acme-challenge# ls -alh
    total 12K
    drwxr-xr-x 2 ispconfig ispconfig 4,0K juil. 25 13:01 .
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 ..
    -rwxr-xr-x 1 ispconfig ispconfig 45 juil. 21 13:03 empty.dir
Well... did it by hand and it worked like a charm:
    #letsencrypt certonly -d www.freetorrent.fr -d freetorrent.fr --agree-tos -m [email protected] --rsa-key-size 4096 --standalone
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/www.freetorrent.fr/fullchain.pem. Your cert will expire on 2017-10-23. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
    - If you like Let's Encrypt, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
I also have permission issues and cannot manually generate the certificate.
    mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
How can I fix it?
Still with my "weird" problem... I've migrated to another server in the meantime and carefully configured my DNS (still with Ubuntu 16.04 server AMD64). But I still have the same problem. Maybe Let's Encrypt refuses my request because there is the word TORRENT in my domain? (free - LIBRE - torrent only!) I repeat that all my other websites are OK with Let's Encrypt! It works like a charm. The only problem is for my domain freetorrent.fr. Here are more details about the debug and my DNS test:
    26-07-2017 11:05 groskuik.freetorrent.fr Debug mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    26-07-2017 11:05 groskuik.freetorrent.fr Warning Could not verify domain freetorrent.fr, so excluding it from letsencrypt request.
    26-07-2017 11:05 groskuik.freetorrent.fr Warning Could not verify domain www.freetorrent.fr, so excluding it from letsencrypt request.
    26-07-2017 11:05 groskuik.freetorrent.fr Warning Let's Encrypt SSL Cert for: freetorrent.fr could not be issued.
    26-07-2017 11:05 groskuik.freetorrent.fr Warning
    26-07-2017 11:05 groskuik.freetorrent.fr Debug SSL Disabled. freetorrent.fr

    dig freetorrent.fr
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> freetorrent.fr
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10355
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;freetorrent.fr. IN A
    ;; ANSWER SECTION:
    freetorrent.fr. 52883 IN A 149.91.80.125
    ;; AUTHORITY SECTION:
    freetorrent.fr. 76323 IN NS dns101.ovh.net.
    freetorrent.fr. 76323 IN NS ns101.ovh.net.
    ;; ADDITIONAL SECTION:
    dns101.ovh.net. 153 IN A 213.251.188.145
    dns101.ovh.net. 200 IN AAAA 2001:41d0:1:4a91::1
    ;; Query time: 4 msec
    ;; SERVER: 89.234.180.19#53(89.234.180.19)
    ;; WHEN: Wed Jul 26 17:12:16 CEST 2017
    ;; MSG SIZE rcvd: 151
I have exactly the same problem on the same setup (Ubuntu 16.04, nginx). After I upgraded to 3.1.6, I receive the same error. The permissions on dirs/files are the same. Before the upgrade, letsencrypt worked fine. I have 3 domains successfully set up. The domain in question has been resolving for at least a month now. Bug?
And I don't use torrent in the domain name. I'll try another domain now. I'll first have to wait for the DNS to propagate.
Umm... another domain works without a glitch, letsencrypt install success! However, mkdir failed... is still in the log, so I suppose it has nothing to do with the error for the domain that failed. Debug log:
    26.07.2017-19:12 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    26.07.2017-19:12 - DEBUG - Found 2 changes, starting update process.
    26.07.2017-19:12 - DEBUG - Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
    26.07.2017-19:12 - DEBUG - Calling function 'insert' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
    26.07.2017-19:12 - DEBUG - Adding the user: web14
    26.07.2017-19:12 - DEBUG - Creating symlink: ln -s /var/www/clients/client2/web14/ /var/www/MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - Creating symlink: ln -s /var/www/clients/client2/web14/ /var/www/clients/client2/MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - exec: chown -R web14:client2 /var/www/clients/client2/web14/web/
    26.07.2017-19:12 - DEBUG - exec: chown web14:client2 /var/www/clients/client2/web14/web/
    26.07.2017-19:12 - DEBUG - exec: usermod --groups sshusers web14 2>/dev/null
    26.07.2017-19:12 - DEBUG - SSL Disabled. MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - Writing the vhost file: /etc/nginx/sites-available/MYDOMAIN.TLD.vhost
    26.07.2017-19:12 - DEBUG - Creating symlink: /etc/nginx/sites-enabled/100-MYDOMAIN.TLD.vhost->/etc/nginx/sites-available/MYDOMAIN.TLD.vhost
    26.07.2017-19:12 - DEBUG - Created AWStats config file: /etc/awstats/awstats.MYDOMAIN.TLD.conf
    26.07.2017-19:12 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web14.conf
    26.07.2017-19:12 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    26.07.2017-19:12 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
    26.07.2017-19:12 - DEBUG - nginx status is: running
    26.07.2017-19:12 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    26.07.2017-19:12 - DEBUG - Checking nginx configuration...
    26.07.2017-19:12 - DEBUG - nginx configuration ok!
    26.07.2017-19:12 - DEBUG - Restarting httpd: systemctl restart nginx.service
    26.07.2017-19:12 - DEBUG - nginx restart return value is: 0
    26.07.2017-19:12 - DEBUG - nginx online status after restart is: running
    26.07.2017-19:12 - DEBUG - Processed datalog_id 313
    26.07.2017-19:12 - DEBUG - Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    26.07.2017-19:12 - DEBUG - Calling function 'update' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    26.07.2017-19:12 - DEBUG - mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    26.07.2017-19:12 - DEBUG - Verified domain MYDOMAIN.TLD should be reachable for letsencrypt.
    26.07.2017-19:12 - DEBUG - Verified domain www.MYDOMAIN.TLD should be reachable for letsencrypt.
    26.07.2017-19:12 - DEBUG - Create Let's Encrypt SSL Cert for: MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - Let's Encrypt SSL Cert domains: --domains MYDOMAIN.TLD --domains www.MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains MYDOMAIN.TLD --domains www.MYDOMAIN.TLD --webroot-path /usr/local/ispconfig/interface/acme
    26.07.2017-19:13 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/MYDOMAIN.TLD.conf.
    26.07.2017-19:13 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem exists.
    26.07.2017-19:13 - DEBUG - Enable SSL for: MYDOMAIN.TLD
    26.07.2017-19:13 - DEBUG - Writing the vhost file: /etc/nginx/sites-available/MYDOMAIN.TLD.vhost
    26.07.2017-19:13 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web14.conf
    26.07.2017-19:13 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    26.07.2017-19:13 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
    26.07.2017-19:13 - DEBUG - nginx status is: running
    26.07.2017-19:13 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    26.07.2017-19:13 - DEBUG - Checking nginx configuration...
    26.07.2017-19:13 - DEBUG - nginx configuration ok!
    26.07.2017-19:13 - DEBUG - Restarting httpd: systemctl restart nginx.service
    26.07.2017-19:13 - DEBUG - nginx restart return value is: 0
    26.07.2017-19:13 - DEBUG - nginx online status after restart is: running
    26.07.2017-19:13 - DEBUG - Processed datalog_id 314
    26.07.2017-19:13 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
Hi! Today I fell into this issue. Just upgraded ISPConfig to git-stable and now it fails for a site that was working just fine. If I check the LetsEncrypt check, it gets unchecked after the ISPConfig cron job runs. Here is the debug log; it states that
    mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
and
    WARNING - Could not verify domain git.xxxx.com.ar, so excluding it from letsencrypt request.
Complete log...
Really strange. Please check that no part of this path is a symlink: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
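Added example (not part of any post in this thread, and not ISPConfig's own code): a shell function that walks every component of the path named above and reports whether it is a symlink, a real directory (with mode and owner) or missing. `check_path_components` is a hypothetical name, and `stat -c` assumes GNU coreutils as on Ubuntu.

```shell
#!/bin/sh
# Added example: report, for every component of an absolute path, whether it
# is a symlink, a real directory (with mode and owner) or missing.
# check_path_components is a hypothetical helper name; stat -c is GNU coreutils.
# Return status: 0 = only real directories, 1 = symlink found, 2 = component missing.
check_path_components() {
    target=$1
    case $target in
        /*) ;;
        *) echo "absolute path required: $target" >&2; return 64 ;;
    esac

    # Split on "/" with globbing off, then restore the shell state.
    old_ifs=$IFS
    IFS=/
    set -f
    set -- $target
    set +f
    IFS=$old_ifs

    current=""
    rc=0
    for part in "$@"; do
        [ -n "$part" ] || continue
        current="$current/$part"
        if [ -L "$current" ]; then
            printf 'SYMLINK %s -> %s\n' "$current" "$(readlink "$current")"
            rc=1
        elif [ -d "$current" ]; then
            printf 'DIR     %s  %s\n' "$(stat -c '%A %U:%G' "$current")" "$current"
        else
            printf 'MISSING %s\n' "$current"
            rc=2
            break
        fi
    done
    return "$rc"
}

# Default to the path from the thread; pass another path as the first argument.
check_path_components "${1:-/usr/local/ispconfig/interface/acme/.well-known/acme-challenge}" \
    || echo "check returned $?"
```

A `SYMLINK` line anywhere in the output answers the question asked above; the mode and owner columns give the same information as running `ls -la` on each level by hand.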
Hi @till! Reviewing the directory hierarchy, I found no links and no obvious permission issues. Code:
    ls -la /usr/local
    drwxr-xr-x 5 root root 4096 abr 28 2016 ispconfig
    ls -la /usr/local/ispconfig/
    drwxr-x--- 9 ispconfig ispconfig 4096 abr 28 2016 interface
    ls -la /usr/local/ispconfig/interface/
    drwxr-xr-x 3 ispconfig ispconfig 4096 abr 28 2016 acme
    ls -la /usr/local/ispconfig/interface/acme/
    drwxr-xr-x 3 ispconfig ispconfig 4096 abr 28 2016 .well-known
    ls -la /usr/local/ispconfig/interface/acme/.well-known/
    drwxr-xr-x 2 ispconfig ispconfig 4096 ago 3 23:33 acme-challenge
    ls -la /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    -rwxr-xr-x 1 ispconfig ispconfig 45 ago 3 21:10 empty.dir
Regarding the LetsEncrypt check issue, I realized that the issue affected a particular site. If I create a new site and make it public through DNS, I got LE certs and the checks remained checked. To solve the issue with that particular site I had to erase all LE data for that site with these command lines. After this, the site got the new LE cert and the LE check remained checked... Before running those lines I got this in the ispconfig.log file. Take a look at the line
    03.08.2017-23:06 - DEBUG - Let's Encrypt Cert file: does not exist.
The cert files were in the correct place and linked just fine! After removing all domain related data from LE folders I got
PS: @till would you please take a look at this thread https://www.howtoforge.com/community/threads/nextcloud-and-php-fpm-as-global-alias-issues.77025/ thanks!
I too have the mkdir failed issue. Permissions seem fine: Code:
    root@server:~# ls -ld /usr/local/ispconfig/interface/acme/
    drwxr-sr-x 3 ispconfig ispconfig 4096 Aug 4 21:33 /usr/local/ispconfig/interface/acme/