Hi, so yesterday I was playing around with subdomains. I added one, then after an hour or so I deleted it. Today I noticed that the cert is invalid for the domain. Okay, I ran the renew code and all went okay, the cert was created, and then I received an email from Google that the certificate doesn't match. I checked, and the certificate is set without the www prefix. I have the www prefix for my site and, as far as I can remember, the certificate domain was set with www in it.

ISPConfig: latest version.
OS: Debian 8.9, all up to date.

Code:
root@server:/etc/letsencrypt/renewal# ls -lha
total 28K
drwxr-xr-x 2 root root 4,0K Jul 31 18:11 .
drwxr-xr-x 9 root root 4,0K Aug  1 16:40 ..
-rw-r--r-- 1 root root  597 Jul  9 03:00 bugs.DOMAIN.com.conf
-rw-r--r-- 1 root root  567 Jun 18 03:01 DOMAIN.com.conf
-rw-r--r-- 1 root root  511 Jun 11 03:00 server.DOMAIN.com.conf
-rw-r--r-- 1 root root  778 Jul 31 18:11 www.DOMAIN.com-0001.conf
-rw-r--r-- 1 root root  813 Aug  1 16:40 www.DOMAIN.com.conf

DOMAIN.com.conf
Code:
# renew_before_expiry = 30 days
version = 0.15.0
cert = /etc/letsencrypt/live/DOMAIN.com/cert.pem
privkey = /etc/letsencrypt/live/DOMAIN.com/privkey.pem
chain = /etc/letsencrypt/live/DOMAIN.com/chain.pem
fullchain = /etc/letsencrypt/live/DOMAIN.com/fullchain.pem
archive_dir = /etc/letsencrypt/archive/DOMAIN.com

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXX
authenticator = webroot
rsa_key_size = 4096
installer = None
[[webroot_map]]
DOMAIN.com = /usr/local/ispconfig/interface/acme

www.DOMAIN.com-0001.conf
Code:
# renew_before_expiry = 30 days
version = 0.16.0
cert = /etc/letsencrypt/live/www.DOMAIN.com-0001/cert.pem
privkey = /etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem
chain = /etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem
fullchain = /etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem
archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com-0001

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXX
authenticator = webroot
rsa_key_size = 4096
installer = None
server = https://acme-v01.api.letsencrypt.org/directory
webroot_path = /usr/local/ispconfig/interface/acme,
[[webroot_map]]
www.DOMAIN.com = /usr/local/ispconfig/interface/acme
DOMAIN.com = /usr/local/ispconfig/interface/acme

www.DOMAIN.com.conf
Code:
# renew_before_expiry = 30 days
cert = /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
privkey = /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
chain = /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
fullchain = /etc/letsencrypt/live/www.DOMAIN.com/fullchain.pem
version = 0.16.0
archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com

# Options used in the renewal process
[renewalparams]
account = XXXXXXXXXXXXXXXXXx
authenticator = webroot
rsa_key_size = 4096
installer = None
server = https://acme-v01.api.letsencrypt.org/directory
webroot_path = /usr/local/ispconfig/interface/acme,
[[webroot_map]]
www.DOMAIN.com = /usr/local/ispconfig/interface/acme
DOMAIN.com = /usr/local/ispconfig/interface/acme
apps.DOMAIN.com = /usr/local/ispconfig/interface/acme

Why is the "apps" subdomain still in the list? I've removed it from ISPConfig. Or does it get removed by LE after some time?

Code:
root@server:/var/www/clients/client0/DOMAIN.com/ssl# ls -lha
total 172K
drwxr-xr-x  2 root root    4,0K Aug  1 08:49 .
drwxr-xr-x 11 web1 client0 4,0K Aug 20  2015 ..
lrwxrwxrwx  1 root root      56 Aug  1 08:49 DOMAIN.com-le.bundle -> /etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem
-r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219125102
-r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219131208
-r--------  1 root root    1,7K Dec 19  2016 DOMAIN.com-le.bundle.old.20161219131502
-r--------  1 root root    1,7K Jul 31 18:04 DOMAIN.com-le.bundle.old.20170731180413
-r--------  1 root root    1,7K Jul 31 18:04 DOMAIN.com-le.bundle.old.20170731180419
-r--------  1 root root    1,7K Jul 31 18:07 DOMAIN.com-le.bundle.old.20170731180702
-r--------  1 root root    1,7K Jul 31 18:09 DOMAIN.com-le.bundle.old.20170731180902
-r--------  1 root root    1,7K Jul 31 18:11 DOMAIN.com-le.bundle.old.20170731181111
-r--------  1 root root    1,7K Jul 31 18:28 DOMAIN.com-le.bundle.old.20170731182802
-r--------  1 root root    1,7K Aug  1 08:49 DOMAIN.com-le.bundle.old.20170801084902
lrwxrwxrwx  1 root root      60 Aug  1 08:49 DOMAIN.com-le.crt -> /etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem
-r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219125102
-r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219131208
-r--------  1 root root    2,1K Dec 19  2016 DOMAIN.com-le.crt.old.20161219131502
-r--------  1 root root    2,1K Jul 31 18:04 DOMAIN.com-le.crt.old.20170731180413
-r--------  1 root root    2,1K Jul 31 18:04 DOMAIN.com-le.crt.old.20170731180419
-r--------  1 root root    2,1K Jul 31 18:07 DOMAIN.com-le.crt.old.20170731180702
-r--------  1 root root    2,1K Jul 31 18:09 DOMAIN.com-le.crt.old.20170731180902
-r--------  1 root root    2,1K Jul 31 18:11 DOMAIN.com-le.crt.old.20170731181111
-r--------  1 root root    2,1K Jul 31 18:28 DOMAIN.com-le.crt.old.20170731182802
-r--------  1 root root    2,1K Aug  1 08:49 DOMAIN.com-le.crt.old.20170801084902
lrwxrwxrwx  1 root root      58 Aug  1 08:49 DOMAIN.com-le.key -> /etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem
-r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219125102
-r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219131208
-r--------  1 root root    3,2K Dec 19  2016 DOMAIN.com-le.key.old.20161219131502
-r--------  1 root root    3,2K Jul 31 18:04 DOMAIN.com-le.key.old.20170731180413
-r--------  1 root root    3,2K Jul 31 18:04 DOMAIN.com-le.key.old.20170731180419
-r--------  1 root root    3,2K Jul 31 18:07 DOMAIN.com-le.key.old.20170731180702
-r--------  1 root root    3,2K Jul 31 18:09 DOMAIN.com-le.key.old.20170731180902
-r--------  1 root root    3,2K Jul 31 18:11 DOMAIN.com-le.key.old.20170731181111
-r--------  1 root root    3,2K Jul 31 18:28 DOMAIN.com-le.key.old.20170731182802
-r--------  1 root root    3,2K Aug  1 08:49 DOMAIN.com-le.key.old.20170801084902
lrwxrwxrwx  1 root root      51 May 10  2016 www.DOMAIN.com.bundle -> /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
-r--------  1 root root    1,7K May 10  2016 www.DOMAIN.com.bundle.old.20160510201502
lrwxrwxrwx  1 root root      50 May 10  2016 www.DOMAIN.com.crt -> /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
-r--------  1 root root    1,4K May 10  2016 www.DOMAIN.com.crt.old.20160510201210
-r--------  1 root root    2,2K May 10  2016 www.DOMAIN.com.crt.old.20160510201502
-rw-r--r--  1 root root    1,1K May 10  2016 www.DOMAIN.com.csr
lrwxrwxrwx  1 root root      53 May 10  2016 www.DOMAIN.com.key -> /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
-rw-r--r--  1 root root    1,7K May 10  2016 www.DOMAIN.com.key.old20160510201210
-rw-r--r--  1 root root    3,2K May 10  2016 www.DOMAIN.com.key.old20160510201502
-r--------  1 root root    1,8K May 10  2016 www.DOMAIN.com.key.org
lrwxrwxrwx  1 root root      51 Dec 19  2016 www.DOMAIN.com-le.bundle -> /etc/letsencrypt/live/www.DOMAIN.com/chain.pem
-r--------  1 root root    1,7K Dec 19  2016 www.DOMAIN.com-le.bundle.old.20161219124309
lrwxrwxrwx  1 root root      50 Dec 19  2016 www.DOMAIN.com-le.crt -> /etc/letsencrypt/live/www.DOMAIN.com/cert.pem
-r--------  1 root root    2,2K Dec 19  2016 www.DOMAIN.com-le.crt.old.20161219124309
lrwxrwxrwx  1 root root      53 Dec 19  2016 www.DOMAIN.com-le.key -> /etc/letsencrypt/live/www.DOMAIN.com/privkey.pem
-r--------  1 root root    3,2K Dec 19  2016 www.DOMAIN.com-le.key.old.20161219124309

The site config has not changed at all; auto subdomain is still set to "www.". All the cert files linked above do exist. Am I crazy here that the cert should have the www. prefix in it? Any ideas?
Use the debug mode in ISPConfig to see what exactly happens when ISPConfig requests the cert from LE. That a subdomain is not added normally happens only in case it is unreachable.
The subdomain works just fine, else the site would not work at all. Looks like other people have similar problems with "mkdir failed":

Code:
07.08.2017-16:14 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
07.08.2017-16:14 - DEBUG - Found 1 changes, starting update process.
07.08.2017-16:14 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
07.08.2017-16:14 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
07.08.2017-16:14 - DEBUG - mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
07.08.2017-16:14 - DEBUG - Verified domain lessthanweb.com should be reachable for letsencrypt.
07.08.2017-16:14 - DEBUG - Verified domain www.lessthanweb.com should be reachable for letsencrypt.
07.08.2017-16:14 - DEBUG - Create Let's Encrypt SSL Cert for: lessthanweb.com
07.08.2017-16:14 - DEBUG - Let's Encrypt SSL Cert domains: --domains lessthanweb.com --domains www.lessthanweb.com
07.08.2017-16:14 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains lessthanweb.com --domains www.lessthanweb.com --webroot-path /usr/local/ispconfig/interface/acme
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Cert not yet due for renewal
Keeping the existing certificate
07.08.2017-16:14 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/www.lessthanweb.com-0001.conf.
07.08.2017-16:14 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem exists.
07.08.2017-16:14 - DEBUG - Enable SSL for: lessthanweb.com
07.08.2017-16:14 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/lessthanweb.com.vhost
07.08.2017-16:14 - DEBUG - Writing the PHP-FPM config file: /etc/php5/fpm/pool.d/web1.conf
07.08.2017-16:14 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
07.08.2017-16:14 - DEBUG - Restarting php-fpm: systemctl reload php5-fpm.service
07.08.2017-16:14 - DEBUG - Apache status is: running
07.08.2017-16:14 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
07.08.2017-16:14 - DEBUG - Restarting httpd: systemctl restart apache2.service
07.08.2017-16:14 - DEBUG - Apache restart return value is: 0
07.08.2017-16:14 - DEBUG - Apache online status after restart is: running
07.08.2017-16:14 - DEBUG - Processed datalog_id 565
07.08.2017-16:14 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished.

In /etc/apache2/sites-available/lessthanweb.com.vhost it points to the non-www SSL certs. Should this not point to the www certificate?

Code:
SSLCertificateFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt
SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.key
SSLCertificateChainFile /var/www/clients/client0/web1/ssl/lessthanweb.com-le.bundle
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off

The mkdir failed, there are no symlinks, all looks okay. Like I said, I have NOT changed any of the settings for this specific site apart from adding new subdomains via the Subdomain menu; I just updated to the latest version and then got the Google email that the cert does not match. Any ideas?
No. This is a symlink; the name does not matter and is no indication of what's inside the SSL cert. Run: ls -la /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt to see which LE cert it points to. According to the log, it points to the cert /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem. The mkdir failed error has been fixed in the stable-3.1 branch already, but it should not matter for your problem.
But according to the log, the website has just the domain itself plus a www subdomain and no other alias or subdomains. Are you sure that you added more domains to that site (and I don't mean vhost alias or subdomain, as they don't belong to this website)?
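The reply above says the symlink name proves nothing and that only its target, and the renewal config of the lineage it targets, tell you which names the served certificate carries. The script below is an added example (mine, not ISPConfig's or certbot's code) that does exactly that check, on data constructed from the renewal confs and the ssl/ listing quoted in the first post: it resolves each symlink to its /etc/letsencrypt/live lineage, reads that lineage's .conf and lists the domains under [[webroot_map]], and reports lineages that no symlink references any more. It also explains the "apps" question: certbot starts a new lineage with a -0001 suffix when a request uses an existing lineage name but a set of domains that is not a superset of the old one, and the old lineage (here www.DOMAIN.com, still listing apps.DOMAIN.com) keeps its conf and keeps renewing on the cron until it is removed with certbot delete --cert-name www.DOMAIN.com. The collect_from_disk helper gathers the same inputs on a real server and additionally reports key files readable by group or other, since the listing shows two www.DOMAIN.com.key.old... backups with mode 0644. The LIVE_DIR path and the sample dicts are assumptions taken from the thread.

```python
"""Audit which certbot lineage an ISPConfig ssl/ symlink really serves.

Added example for this thread, not ISPConfig or certbot code.  Inputs are
constructed from the renewal confs and ssl/ listing quoted in the thread;
only the keys this check needs are reproduced.
"""
import os
from pathlib import Path

LIVE_DIR = Path("/etc/letsencrypt/live")  # certbot default; adjust if relocated

SAMPLE_CONFS = {  # renewal conf filename -> contents (constructed)
    "DOMAIN.com.conf": """
version = 0.15.0
archive_dir = /etc/letsencrypt/archive/DOMAIN.com
[renewalparams]
authenticator = webroot
[[webroot_map]]
DOMAIN.com = /usr/local/ispconfig/interface/acme
""",
    "www.DOMAIN.com-0001.conf": """
version = 0.16.0
archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com-0001
[renewalparams]
authenticator = webroot
[[webroot_map]]
www.DOMAIN.com = /usr/local/ispconfig/interface/acme
DOMAIN.com = /usr/local/ispconfig/interface/acme
""",
    "www.DOMAIN.com.conf": """
version = 0.16.0
archive_dir = /etc/letsencrypt/archive/www.DOMAIN.com
[renewalparams]
authenticator = webroot
[[webroot_map]]
www.DOMAIN.com = /usr/local/ispconfig/interface/acme
DOMAIN.com = /usr/local/ispconfig/interface/acme
apps.DOMAIN.com = /usr/local/ispconfig/interface/acme
""",
}
SAMPLE_LINKS = {  # symlink name -> target, as `ls -la` printed them (constructed)
    "DOMAIN.com-le.crt": "/etc/letsencrypt/live/www.DOMAIN.com-0001/fullchain.pem",
    "DOMAIN.com-le.key": "/etc/letsencrypt/live/www.DOMAIN.com-0001/privkey.pem",
    "DOMAIN.com-le.bundle": "/etc/letsencrypt/live/www.DOMAIN.com-0001/chain.pem",
    "www.DOMAIN.com-le.crt": "/etc/letsencrypt/live/www.DOMAIN.com/cert.pem",
    "www.DOMAIN.com-le.key": "/etc/letsencrypt/live/www.DOMAIN.com/privkey.pem",
}


def parse_renewal_conf(text):
    """Parse certbot's renewal .conf: top-level keys, [renewalparams], and the
    nested [[webroot_map]] whose keys are the names the certificate covers."""
    section, top, params, webroot = None, {}, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):            # "[renewalparams]" or "[[webroot_map]]"
            section = line.strip("[]")
            continue
        key, _, value = line.partition("=")
        bucket = top if section is None else webroot if section == "webroot_map" else params
        bucket[key.strip()] = value.strip()
    return {"lineage": Path(top["archive_dir"]).name, "domains": sorted(webroot), "params": params}


def lineage_of(target):
    """Lineage name from a /etc/letsencrypt/live/<lineage>/<file>.pem target."""
    path = Path(target)
    if path.parent.parent != LIVE_DIR:
        raise ValueError(f"not a certbot live path: {target}")
    return path.parent.name


def audit(links, confs):
    """symlink name -> (lineage it resolves to, domains that lineage covers)."""
    domains_by_lineage = {}
    for text in confs.values():
        conf = parse_renewal_conf(text)
        domains_by_lineage[conf["lineage"]] = conf["domains"]
    return {name: (lineage_of(t), domains_by_lineage.get(lineage_of(t))) for name, t in links.items()}


def unreferenced_lineages(links, confs):
    """Lineages that still have a renewal conf (so cron keeps renewing them)
    but that no symlink in the site's ssl/ directory points at."""
    in_use = {lineage_of(t) for t in links.values()}
    lineages = [parse_renewal_conf(t)["lineage"] for t in confs.values()]
    return sorted(l for l in lineages if l not in in_use)


def collect_from_disk(ssl_dir, renewal_dir="/etc/letsencrypt/renewal"):
    """Gather the same inputs on a real server (run as root).  Also returns
    non-symlink key files whose mode grants group/other any access."""
    ssl_dir = Path(ssl_dir)
    links = {p.name: os.readlink(p) for p in ssl_dir.iterdir() if p.is_symlink()}
    confs = {p.name: p.read_text() for p in Path(renewal_dir).glob("*.conf")}
    loose_keys = sorted(p.name for p in ssl_dir.iterdir()
                        if ".key" in p.name and not p.is_symlink() and p.stat().st_mode & 0o077)
    return links, confs, loose_keys


if __name__ == "__main__":
    for name, (lineage, domains) in audit(SAMPLE_LINKS, SAMPLE_CONFS).items():
        print(f"{name:24} -> {lineage:24} covers {domains}")
    print("no symlink references:", unreferenced_lineages(SAMPLE_LINKS, SAMPLE_CONFS))
```

On the thread's data the vhost's DOMAIN.com-le.crt resolves to the www.DOMAIN.com-0001 lineage, which covers both DOMAIN.com and www.DOMAIN.com, while the older www.DOMAIN.com lineage (the only one still listing apps.DOMAIN.com) is referenced only by the legacy www.DOMAIN.com-le.* and www.DOMAIN.com.* links. On a live server replace the sample dicts with the tuple returned by collect_from_disk("/var/www/clients/client0/web1/ssl") and chmod 600 anything it lists under loose_keys.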
Hey, sorry for the late reply and thanks for replying.

Code:
lrwxrwxrwx 1 root root 60 Aug 7 16:14 /var/www/clients/client0/web1/ssl/lessthanweb.com-le.crt -> /etc/letsencrypt/live/www.lessthanweb.com-0001/fullchain.pem

This is baffling me. Yes, there are no subdomains or anything, as I added it and then removed it about 5 minutes after adding it, so it is correct that there are none. The problem here is with the domain and "www." and the wrong certificate being served. Or has it always been like that and I just imagined that there was "www."? I just checked on another server which again has the same setup, and again the LE domain name is without "www.". So it is an identical situation, and the site setup in ISPConfig is identical to mine. I have 3.1.6 and get that error. Just letting you know.
Just to add my 5 cents: after being happy that "Skip Lets Encrypt Check" under SYSTEM --> SERVER CONFIG --> WEB --> SSL Settings solved my problems behind NAT, the same problem arose again. But going to DEBUG and examining the ISPConfig logs pushed me in the right direction: it was subdomain.domain.com having problems, because LE was trying to issue a certificate for www.subdomain.domain.com and subdomain.domain.com. But "www" was not configured under DNS, thus not pointing towards my server. Once I added an A record for "www.subdomain" in DNS, LE worked out of the box. BTW, the DEBUG message "mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/" seems not to cause any problems.
It's not really the same problem; you just added a non-existing domain to the site. Without the LE check, you have to make sure yourself that you add only existing domains to websites, and as @HSorgYves pointed out, you probably have set auto subdomain to www and not to none, so the www subdomain must exist in DNS. Set auto subdomain to none, disable LE and then enable it again, or add the www subdomain as you did now.
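The last two posts describe the failure mode behind most "LE did not issue" reports in this thread: with auto subdomain set to "www.", the request contains both sub.domain.com and www.sub.domain.com, and the http-01 challenge can only succeed for names whose DNS records point at this server. The script below is an added example (mine, not ISPConfig's own "Let's Encrypt check") of the preflight an admin who has ticked "Skip Lets Encrypt Check" should run by hand before enabling LE on a site. request_names models the auto-subdomain expansion as an assumption taken from the thread's description; the zone table is constructed, with a second alias parked on another host to show the other way the check fails, and the resolver is injectable so the demo runs offline while system_resolve does the real lookup.

```python
"""Preflight the names an ISPConfig site will put in its LE request.

Added example for this thread, not ISPConfig's own LE check.  A name passes
only if it resolves to one of this server's addresses; anything else would
fail the ACME http-01 challenge and abort issuance for the whole site.
"""
import socket

AUTO_SUBDOMAIN = "www."  # ISPConfig "auto subdomain" setting; "none" disables it


def request_names(domain, auto_subdomain=AUTO_SUBDOMAIN):
    """Names passed as --domains for one website (assumed model of ISPConfig)."""
    names = [domain]
    if auto_subdomain != "none":
        names.append(auto_subdomain + domain)
    return names


def system_resolve(name):
    """Real resolver: every A/AAAA address for name; raises socket.gaierror."""
    infos = socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP)
    return sorted({ai[4][0] for ai in infos})


def fake_resolver(zone):
    """Offline stand-in built from a constructed {name: [ip, ...]} table."""
    def resolve(name):
        if name not in zone:
            raise socket.gaierror("Name or service not known")
        return list(zone[name])
    return resolve


def preflight(names, server_ips, resolve=system_resolve):
    """name -> 'ok' | 'unresolvable' | 'not this server (<addresses>)'."""
    result = {}
    for name in names:
        try:
            addrs = resolve(name)
        except socket.gaierror:
            result[name] = "unresolvable"
            continue
        if set(addrs) & set(server_ips):
            result[name] = "ok"
        else:
            result[name] = "not this server (" + ", ".join(addrs) + ")"
    return result


def safe_to_request(names, server_ips, resolve=system_resolve):
    """True only if every name in the request would pass the challenge."""
    return all(status == "ok" for status in preflight(names, server_ips, resolve).values())


if __name__ == "__main__":
    # Constructed zone: the situation from the thread (no www record for the
    # subdomain) plus an alias that points at a different host.
    zone = {"sub.domain.com": ["203.0.113.10"], "apps.domain.com": ["198.51.100.7"]}
    me = {"203.0.113.10"}
    names = request_names("sub.domain.com") + ["apps.domain.com"]
    for name, status in preflight(names, me, fake_resolver(zone)).items():
        print(f"{name:24} {status}")
    zone["www.sub.domain.com"] = ["203.0.113.10"]      # the A record the poster added
    print("safe after fix:", safe_to_request(request_names("sub.domain.com"), me, fake_resolver(zone)))
```

Run it with real names by calling preflight(request_names("sub.domain.com"), {"<server IPv4>", "<server IPv6>"}) and leaving the resolver at its default; a site behind NAT must list its public address, not the interface address, which is the situation the "Skip Lets Encrypt Check" option was being used to work around. Setting auto subdomain to none, as the reply suggests, shrinks the request to the bare domain and is reflected by request_names(domain, "none").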