ISPconfig 3.1.7 certbot Could not verify domain xxx.xxx.fr, so excluding it from letse

Discussion in 'Installation/Configuration' started by ParnLogik, Oct 5, 2017.

  1. ParnLogik

    ParnLogik New Member

    Hi !
    I see many posts that look like mine, but a little different:

    My setup :
    My server is a VM on a dedicated server in an OVH datacenter.
    It has its own public IP address.

    /etc/debian_version 8.9
    ISPConfig 3.1.7 (the problem occurred in 3.1.6 but continued after the update to 3.1.7)
    certbot installed from Debian backports
    Source: python-certbot
    Version: 0.10.2-1~bpo8+1

    The problem: suddenly the certificate can't be renewed. So we started cleaning all traces of the certificate (for domain star-is.tree-learning.fr):
    -> Uncheck SSL + Let's Encrypt in ISPConfig
    -> Remove fields in section SSL
    -> In SSL: Delete certificate
    -> rm -r every file and folder in /etc/letsencrypt:
    find /etc/letsencrypt -name star-is.tree-learning.fr*
    rm -r /etc/letsencrypt/live/star-is.tree-learning.fr /etc/letsencrypt/archive/star-is.tree-learning.fr /etc/letsencrypt/renewal/star-is.tree-learning.fr.conf
    cd /etc/letsencrypt# cd /var/www/star-is.tree-learning.fr/ssl/ && rm ./* ( !!! Be careful of rm of the death :) )
    -> first create SSL = ok
    -> then activate Let's Encrypt and get this error in the log:

    05.10.2017-10:24 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    05.10.2017-10:24 - DEBUG - Found 1 changes, starting update process.
    05.10.2017-10:24 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    05.10.2017-10:24 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    05.10.2017-10:24 - WARNING - Could not verify domain star-is.tree-learning.fr, so excluding it from letsencrypt request.
    05.10.2017-10:24 - WARNING - Let's Encrypt SSL Cert for: star-is.tree-learning.fr could not be issued.
    05.10.2017-10:24 - WARNING -
    05.10.2017-10:24 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web6/.php-fcgi-starter
    05.10.2017-10:24 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/star-is.tree-learning.fr.vhost
    05.10.2017-10:24 - DEBUG - Apache status is: running
    05.10.2017-10:24 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    05.10.2017-10:25 - DEBUG - Restarting httpd: systemctl restart apache2.service
    05.10.2017-10:25 - DEBUG - Apache restart return value is: 0
    05.10.2017-10:25 - DEBUG - Apache online status after restart is: running
    05.10.2017-10:25 - DEBUG - Processed datalog_id 260
    05.10.2017-10:25 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.

    -> the host star-is.tree-learning.fr can be resolved on the server and outside the server
    -> try add to /etc/hosts = KO
    -> try reload service = KO

    The only solution I found was to activate:
    Skip Lets Encrypt Check in = ok and certbot created the certificate:

    05.10.2017-10:26 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    05.10.2017-10:26 - DEBUG - Found 3 changes, starting update process.
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    05.10.2017-10:26 - DEBUG - Network configuration disabled in server settings.
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    05.10.2017-10:26 - DEBUG - Processed datalog_id 261
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    05.10.2017-10:26 - DEBUG - Network configuration disabled in server settings.
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    05.10.2017-10:26 - DEBUG - Processed datalog_id 262
    05.10.2017-10:26 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    05.10.2017-10:26 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    05.10.2017-10:26 - DEBUG - Create Let's Encrypt SSL Cert for: star-is.tree-learning.fr
    05.10.2017-10:26 - DEBUG - Let's Encrypt SSL Cert domains: --domains star-is.tree-learning.fr
    05.10.2017-10:26 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server http acme-v01.api.letsencrypt /directory --rsa-key-size 4096 --email xxxxx --domains star-is.tree-learning.fr --webroot-path /usr/local/ispconfig/interface/acme
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for star-is.tree-learning.fr
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    Generating key (4096 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem
    05.10.2017-10:26 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/star-is.tree-learning.fr.conf.
    05.10.2017-10:26 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/star-is.tree-learning.fr/fullchain.pem exists.
    05.10.2017-10:26 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web6/.php-fcgi-starter
    05.10.2017-10:26 - DEBUG - Enable SSL for: star-is.tree-learning.fr
    05.10.2017-10:26 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/star-is.tree-learning.fr.vhost
    05.10.2017-10:26 - DEBUG - Apache status is: running
    05.10.2017-10:26 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    05.10.2017-10:26 - DEBUG - Restarting httpd: systemctl restart apache2.service
    05.10.2017-10:26 - DEBUG - Apache restart return value is: 0
    05.10.2017-10:26 - DEBUG - Apache online status after restart is: running
    05.10.2017-10:26 - DEBUG - Processed datalog_id 263
    05.10.2017-10:26 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    05.10.2017-10:26 - DEBUG - Restarting httpd: systemctl restart apache2.service
    05.10.2017-10:26 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.

    My question is: why do I have to activate 'Skip Lets Encrypt Check' on this server?
     
    Last edited: Oct 5, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Probably your server is behind a router or firewall so that the domain cannot be reached from the server itself. In such a case, ISPConfig is not able to check the domain and therefore you have to disable the checks by activating that checkbox.
     
  3. ParnLogik

    ParnLogik New Member

    Hi !
    My server is a VM on a dedicated server in an OVH datacenter.
    It has its own public IP address.
    nslookup returns the correct value for the web host on the server and outside the server.
    Any idea?
     
  4. ParnLogik

    ParnLogik New Member

    Question: what is the goal of "Skip Lets Encrypt Check"?
    What does ISPConfig do that can block certbot from creating the certificate?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    It disables the LE check.

    You run a router or firewall in front of the server which blocks connections to the domain from the server itself, so it is not ISPConfig that is blocking anything here, as ISPConfig is not your router. When your router blocks access to the domain from the server itself, then ISPConfig cannot verify that the domain has been added correctly, and in such a special case you have to disable the LE test. When the test is disabled, ISPConfig will not do any validity checks anymore and you have to do that manually and ensure that all domains and subdomains are reachable before you tick the LE checkbox.
     
  6. ParnLogik

    ParnLogik New Member

    Thanks for your answer.
    I have no firewall and there is no NAT to this VM with ISPConfig.
    But I noticed some problems in the DNS configuration, so it could be the source of the problems.
    I correct this and do other tests to validate what the problem was.
    Thanks a lot and have a nice day :)
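
A manual version of the reachability check till describes in reply 5, for servers where "Skip Lets Encrypt Check" is active (added example, not ISPConfig's code and not posted by anyone in this thread). The webroot path is the one in the certbot command logged above; the function names, status strings and the token-file approach are assumptions of this sketch.

```shell
#!/usr/bin/env bash
# Manual reachability pre-check to run before ticking the LE checkbox.
# Run it on the ISPConfig server itself, as root. Names here are hypothetical.

# Webroot as shown in the certbot command in the log above.
ACME_WEBROOT="${ACME_WEBROOT:-/usr/local/ispconfig/interface/acme}"

# Addresses the domain resolves to, as seen from this server.
resolve_domain() { getent ahosts "$1" | awk '{print $1}' | sort -u; }

# Addresses configured on this server's interfaces.
local_addrs() { hostname -I | tr ' ' '\n' | sed '/^$/d'; }

# Fetch a URL over plain HTTP, as an http-01 validation request would.
fetch_url() { curl -fsS --max-time 10 "$1"; }

# Succeeds if at least one resolved address belongs to this server.
resolves_to_self() {
    local ip
    for ip in $(resolve_domain "$1"); do
        local_addrs | grep -qxF "$ip" && return 0
    done
    return 1
}

# Write a random token into the challenge directory, fetch it back through
# the domain name and compare. Prints OK, DNS_MISMATCH (fetch failed and the
# name does not resolve to a local address) or UNREACHABLE (DNS is fine).
check_domain() {
    local domain="$1" dir="$ACME_WEBROOT/.well-known/acme-challenge"
    local token name got
    token="$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')"
    name="precheck-$token.txt"
    mkdir -p "$dir" && printf '%s' "$token" > "$dir/$name" || return 2
    got="$(fetch_url "http://$domain/.well-known/acme-challenge/$name" 2>/dev/null)" || got=""
    rm -f "$dir/$name"
    if [ "$got" = "$token" ]; then echo OK; return 0; fi
    if ! resolves_to_self "$domain"; then echo DNS_MISMATCH; return 1; fi
    echo UNREACHABLE; return 1
}

# Usage: ./le-precheck.sh domain [domain ...]
if [ "$#" -gt 0 ]; then
    rc=0
    for d in "$@"; do
        printf '%s: ' "$d"; check_domain "$d" || rc=1
    done
    exit "$rc"
fi
```

The fetch is tried first because a server behind NAT can be reachable by name even though the name resolves to an address that is not on its own interfaces; the DNS comparison is only used to explain a failed fetch.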
     
