fail on renew with "No such file or directory: 'usr/local/ispconfig/interface/acme'" message

Discussion in 'Installation/Configuration' started by kmchen, Feb 19, 2020.

  1. kmchen

    kmchen Member

    I'm absolutely sure I didn't uncheck that before. Checking it, the result is nearly similar. Here is the log:
    Code:
    18.03.2020-15:10 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Writing the conf file: /etc/apache2/sites-available/ispconfig.conf
    18.03.2020-15:10 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Calling function 'update' from plugin 'network_settings_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Network configuration disabled in server settings.
    18.03.2020-15:10 - DEBUG - Calling function 'update' from plugin 'postfix_server_plugin' raised by event 'server_update'.
    18.03.2020-15:10 - DEBUG - Processed datalog_id 590
    18.03.2020-15:10 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    18.03.2020-15:10 - DEBUG - Restarting httpd: systemctl restart apache2.service
    18.03.2020-15:10 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
    18.03.2020-15:11 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    18.03.2020-15:11 - DEBUG - Found 1 changes, starting update process.
    18.03.2020-15:11 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    18.03.2020-15:11 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    18.03.2020-15:11 - DEBUG - mkdir failed: //var/www/clients/client1/web17/web/error
    18.03.2020-15:11 - DEBUG - chmod failed: //var/www/clients/client1/web17/web/error : 493
    18.03.2020-15:11 - DEBUG - Create Let's Encrypt SSL Cert for: joomla-development.eu
    18.03.2020-15:11 - DEBUG - Let's Encrypt SSL Cert domains:  --domains joomla-development.eu --domains www.joomla-development.eu
    18.03.2020-15:11 - DEBUG - LE version is 0.31.0, so using certificates command
    18.03.2020-15:11 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"joomla-development.eu":"\/usr\/local\/ispconfig\/interface\/acme","www.joomla-development.eu":"\/usr\/local\/ispconfig\/interface\/acme"}'
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT: Found the following matching certs:
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    18.03.2020-15:11 - DEBUG - LE CERT OUTPUT:
    18.03.2020-15:11 - WARNING - Let's Encrypt SSL Cert for: joomla-development.eu could not be issued.
    18.03.2020-15:11 - WARNING - /usr/bin/letsencrypt certificates  --domains joomla-development.eu --domains www.joomla-development.eu
    18.03.2020-15:11 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/joomla-development.eu.vhost
    18.03.2020-15:11 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web17.conf
    18.03.2020-15:11 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    18.03.2020-15:11 - DEBUG - Restarting php-fpm: systemctl reload php7.3-fpm.service
    18.03.2020-15:11 - DEBUG - Apache status is: running
    18.03.2020-15:11 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    18.03.2020-15:11 - DEBUG - Restarting httpd: systemctl restart apache2.service
    18.03.2020-15:11 - DEBUG - Apache restart return value is: 0
    18.03.2020-15:11 - DEBUG - Apache online status after restart is: running
    18.03.2020-15:11 - DEBUG - Processed datalog_id 591
    18.03.2020-15:11 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Might be worth looking into? I don't know if that's normal or not.

    Check the letsencrypt.log to see what happened here.

    That doesn't mention enabling the site, and your earlier command showed you do not have a sites-enabled link for joomla-development.eu. While I believe you should still be able to issue a certificate for the domain(s) without a vhost file, you of course will not access the website without one. Maybe go to Tools and resync all websites, and watch the log for errors?
     
  3. kmchen

    kmchen Member

    //var/www/clients/client1/web17/web/ is write protected. This is not related to the problem.

    Here is the letsencrypt log:
    Code:
    2020-03-18 18:28:07,500:DEBUG:certbot.error_handler:Calling registered functions
    2020-03-18 18:28:07,500:INFO:certbot.auth_handler:Cleaning up challenges
    2020-03-18 18:28:07,500:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo
    2020-03-18 18:28:07,501:DEBUG:certbot.plugins.webroot:All challenges cleaned up
    2020-03-18 18:28:07,501:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1250, in certonly
        lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
        lineage = le_client.obtain_and_enroll_certificate(domains, certname)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 410, in obtain_and_enroll_certificate
        cert, chain, key, _ = self.obtain_certificate(domains)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 353, in obtain_certificate
        orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 389, in _get_order_and_authorizations
        authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations
        self._respond(aauthzrs, resp, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 168, in _respond
        self._poll_challenges(aauthzrs, chall_update, best_effort)
      File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 239, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    certbot.errors.FailedChallenges: Failed authorization procedure. www.joomla-development.eu (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: The key authorization file from the server did not match this challenge "Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo.87u5bDuw6YtnIm6DD3S5ijhMw6D1vK9yeF4zPeOvatE" != "Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"
    2020-03-18 18:28:07,902:DEBUG:certbot.main:certbot version: 0.31.0
    2020-03-18 18:28:07,902:DEBUG:certbot.main:Arguments: ['--domains', 'joomla-development.eu', '--domains', 'www.joomla-development.eu']
    2020-03-18 18:28:07,903:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-03-18 18:28:07,912:DEBUG:certbot.log:Root logging level set at 20
    2020-03-18 18:28:07,912:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    
    Yes there is one:
    Code:
    ks307144 sites-available > ll /etc/apache2/sites-enabled/*joomla-dev*
    lrwxrwxrwx 1 root root 56 mars  15 12:09 /etc/apache2/sites-enabled/100-joomla-development.eu -> /etc/apache2/sites-available/joomla-development.eu.vhost
    lrwxrwxrwx 1 root root 56 mars  15 12:34 /etc/apache2/sites-enabled/100-joomla-development.eu.vhost -> /etc/apache2/sites-available/joomla-development.eu.vhost
    lrwxrwxrwx 1 root root 61 mars  16 09:27 /etc/apache2/sites-enabled/100-test.joomla-development.eu.vhost -> /etc/apache2/sites-available/test.joomla-development.eu.vhost
    
    Attempting to resync all websites does not produce more error messages than we've seen yet. I can't show them here as it is too long.
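
The `FailedChallenges` line in the log above quotes two key authorizations, which per RFC 8555 section 8.1 have the form `token.thumbprint`, where the thumbprint is the RFC 7638 SHA-256 thumbprint of the ACME account key. The following is an added example, not part of the original post and not code from certbot or ISPConfig: it splits the two quoted values and reports which half differs. The function names and `SAMPLE_JWK` are hypothetical, and the JWK is constructed, not a real key.

```python
import base64
import hashlib
import json
import re

# FailedChallenges line copied from the letsencrypt.log excerpt in the post above.
LOG_LINE = (
    'certbot.errors.FailedChallenges: Failed authorization procedure. '
    'www.joomla-development.eu (http-01): urn:ietf:params:acme:error:unauthorized :: '
    'The client lacks sufficient authorization :: The key authorization file from '
    'the server did not match this challenge '
    '"Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo.87u5bDuw6YtnIm6DD3S5ijhMw6D1vK9yeF4zPeOvatE" != '
    '"Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo.4E3VCTFsySjUrqnCg0ooULx-3kbdPBygi0aWkvg5Gd8"'
)

MISMATCH = re.compile(r'did not match this challenge "([^"]*)" != "([^"]*)"')
B64URL = re.compile(r'^[A-Za-z0-9_-]+$')
REQUIRED = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk):
    """RFC 7638: SHA-256 over the required members only, sorted, no whitespace."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def key_authorization(token, jwk):
    """RFC 8555 section 8.1: token, a dot, then the account key thumbprint."""
    return token + "." + jwk_thumbprint(jwk)


def classify_mismatch(line):
    """Compare the two quoted values; which side is the CA's is not assumed."""
    m = MISMATCH.search(line)
    if not m:
        return "no-mismatch-found"
    parts = [v.split(".") for v in m.groups()]
    if any(len(p) != 2 or not all(B64URL.match(x) for x in p) for p in parts):
        return "not-a-key-authorization"  # e.g. an HTML error page was served
    (tok1, thumb1), (tok2, thumb2) = parts
    if tok1 != tok2:
        return "different-token"  # the file belongs to another challenge
    if thumb1 != thumb2:
        return "same-token-different-account-key"
    return "identical"


# Constructed JWK for illustration only (not a valid key, values are placeholders).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "AAAA", "y": "BBBB"}

if __name__ == "__main__":
    print(classify_mismatch(LOG_LINE))
    print(key_authorization("Up2jqivNEscIxhREXlWrvqMoFGPB3Bv-Pe0P3yJyOIo", SAMPLE_JWK))
```

For the line in this thread the tokens are equal and only the thumbprint half differs, so the two values were built from different account keys; the open question is which process or host answered the request for `/.well-known/acme-challenge/`.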
     
  4. Steini86

    Steini86 Active Member

    Why do you have a "ispconfig.conf" and "000-ispconfig.conf" file? Are these actual files or symlinks? Do you have any other files in that directory that do not belong to websites?

    But it could be! Because if apache throws an error during startup, it replaces the vhost file with the previous one and does not do any changes. So every error can prevent you from doing changes. At least make sure the web has a folder "error" with the error files in it (or go back to global error sites).
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Ah, I was incorrect, as it did not show in the previous `grep -R acme-challenge /etc/apache2` output. Comparing with vhost files on a server here, it should have, so the contents of your (apparently multiple) sites-enabled links for that domain are probably not right. Offhand, what does
    /etc/apache2/sites-available/joomla-development.eu.vhost contain, still the same as you posted above? Or did resyncing add lines like:
    Code:
                    RewriteEngine on
                    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
                    RewriteRule ^ - [END]
    
    This part is normal for an ispconfig server:
    Code:
    # ls -l /etc/apache2/sites-*/*ispconfig.conf                                                                                   
    -rw-r--r-- 1 root root 2090 Feb  5 11:28 /etc/apache2/sites-available/ispconfig.conf
    lrwxrwxrwx 1 root root   43 Jun 29  2016 /etc/apache2/sites-enabled/000-ispconfig.conf -> /etc/apache2/sites-available/ispconfig.conf
    
     
  6. kmchen

    kmchen Member

    Here is the vhost:
    Code:
    ks307144 apache2 > cat /etc/apache2/sites-available/joomla-development.eu.vhost
    
    <Directory /var/www/joomla-development.eu>
                    AllowOverride None
                                    Require all denied
                    </Directory>
    
    <VirtualHost *:80>
    
                                            DocumentRoot /var/www/clients/client1/web17/web
    
                    ServerName joomla-development.eu
                    ServerAlias www.joomla-development.eu
                    ServerAdmin [email protected]
    
    
                    ErrorLog /var/log/ispconfig/httpd/joomla-development.eu/error.log
    
                    Alias /error/ "/var/www/joomla-development.eu/web/error/"
                    ErrorDocument 400 /error/400.html
                    ErrorDocument 401 /error/401.html
                    ErrorDocument 403 /error/403.html
                    ErrorDocument 404 /error/404.html
                    ErrorDocument 405 /error/405.html
                    ErrorDocument 500 /error/500.html
                    ErrorDocument 502 /error/502.html
                    ErrorDocument 503 /error/503.html
    
                    <IfModule mod_ssl.c>
                    </IfModule>
    
                    <Directory /var/www/joomla-development.eu/web>
                                    # Clear PHP settings of this website
                                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                    SetHandler None
                                    </FilesMatch>
                                    Options +FollowSymLinks
                                    AllowOverride All
                                                                    Require all granted
                                                    </Directory>
                    <Directory /var/www/clients/client1/web17/web>
                                    # Clear PHP settings of this website
                                    <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                                                    SetHandler None
                                    </FilesMatch>
                                    Options +FollowSymLinks
                                    AllowOverride All
                                                                    Require all granted
                                                    </Directory>
    
    
    
    
                    # suexec enabled
                    <IfModule mod_suexec.c>
                            SuexecUserGroup web17 client1
                    </IfModule>
                    <IfModule mod_fastcgi.c>
                                    <Directory /var/www/clients/client1/web17/cgi-bin>
                                                                                    Require all granted
                                                                        </Directory>
                                    <Directory /var/www/joomla-development.eu/web>
                                            <FilesMatch "\.php[345]?$">
                                                    SetHandler php-fcgi
                                            </FilesMatch>
                                    </Directory>
                                    <Directory /var/www/clients/client1/web17/web>
                                            <FilesMatch "\.php[345]?$">
                                                    SetHandler php-fcgi
                                            </FilesMatch>
                                    </Directory>
                    Action php-fcgi /php-fcgi virtual
                                    Alias /php-fcgi /var/www/clients/client1/web17/cgi-bin/php-fcgi-*-80-joomla-development.eu
                    FastCgiExternalServer /var/www/clients/client1/web17/cgi-bin/php-fcgi-*-80-joomla-development.eu -idle-timeout 300 -socket /var/lib/php7.0-fpm/web17.sock -pass-header Authorization  -pass-header Content-Type
                    </IfModule>
                    <IfModule mod_proxy_fcgi.c>
                            #ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ unix:///var/lib/php7.0-fpm/web17.sock|fcgi://localhost//var/www/clients/client1/web17/web/$1
                            <Directory /var/www/clients/client1/web17/web>
                                    <FilesMatch "\.php[345]?$">
                                                    SetHandler "proxy:unix:/var/lib/php7.0-fpm/web17.sock|fcgi://localhost"
                                    </FilesMatch>
                            </Directory>
                            </IfModule>
    
    
    
                    # add support for apache mpm_itk
                    <IfModule mpm_itk_module>
                            AssignUserId web17 client1
                    </IfModule>
    
                    <IfModule mod_dav_fs.c>
                    # Do not execute PHP files in webdav directory
                            <Directory /var/www/clients/client1/web17/webdav>
                                    <ifModule mod_security2.c>
                                            SecRuleRemoveById 960015
                                            SecRuleRemoveById 960032
                                    </ifModule>
                                    <FilesMatch "\.ph(p3?|tml)$">
                                            SetHandler None
                                    </FilesMatch>
                            </Directory>
                            DavLockDB /var/www/clients/client1/web17/tmp/DavLock
                            # DO NOT REMOVE THE COMMENTS!
                            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
          # WEBDAV BEGIN
                            # WEBDAV END
                    </IfModule>
    
    
    
    </VirtualHost>
    
    
    and the error directory (as automatically created by ISPCONFIG I guess)
    Code:
    ks307144 apache2 > chown root:root /var/www/joomla-development.eu/web/error/
    ks307144 apache2 > ll /var/www/joomla-development.eu/web/error/
    total 0
    ks307144 apache2 > ll /var/www/joomla-development.eu/web/ |grep error
    drwxr-xr-x  2 root  root     4096 mars  18 18:23 error
    
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Looking further, the vhosts which exclude acme-challenge requests are the ones which have rewrites (eg. seo redirect, or http->https), that does not show in other vhost files, so yours looks fine in a cursory look.

    Your previous output shows the correct Alias in /etc/apache2/sites-enabled/000-ispconfig.conf. Maybe check to ensure you have mod_alias enabled?
     
  8. kmchen

    kmchen Member

    No, there is only one site enabled link on joomla-development:
    And mod_alias seems to be enabled. Is there a test to verify it really works?
    Code:
    ks307144 ~ > ll /etc/apache2/sites-enabled/ |grep joomla-dev
    lrwxrwxrwx 1 root root 56 mars  15 12:34 100-joomla-development.eu.vhost -> /etc/apache2/sites-available/joomla-development.eu.vhost
    lrwxrwxrwx 1 root root 61 mars  16 09:27 100-test.joomla-development.eu.vhost -> /etc/apache2/sites-available/test.joomla-development.eu.vhost
    ks307144 ~ > apache2ctl -M|grep alias
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
     alias_module (shared)
    
    
     
  9. kmchen

    kmchen Member

    OK. How can I completely deactivate ISPCONFIG for letsencrypt certificates and generate them manually with certbot?
     
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Curious; above you had 2 showing:
    Did you find that and fix it in the meantime? Or is something else playing around with symlinks there?

    I've not walked through this, but I suspect if you disable the Let's Encrypt checkbox for the site, then delete the letsencrypt certificate (from cli), then dig up the earliest "how to use lets encrypt with ispconfig" articles you can find (circa 2016, before ISPConfig had any support for lets encrypt whatsoever), those instructions would still work. Iirc, you used the SSL tab to generate a self-signed certificate for the site, then after that was present on the filesystem, via cli you removed the certificate files and replaced them with links to the corresponding /etc/letsencrypt/live/* files.
     
