Hi, I have set up many ISPConfig servers and for the first time I have a problem during installation when creating the admin SSL:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for xxx.xxx.com
Using certificate path /root/.acme.sh/xxx.xxx.com
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/xxx.xxx.com
[Fri 18 Jun 2021 02:44:03 AM CEST] xxx.xxx.com:Verify error:Fetching http://xxx.xxx.com/.well-known/acme-challenge/E63rJvejYJhKcnX__Yowb50Guo1IK5oSfTAdL6zbE7w: Connection refused
[Fri 18 Jun 2021 02:44:04 AM CEST] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
I tried this:
touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt
And http://xxx.xxx.com/.well-known/acme-challenge/test.txt is working fine.
In /var/log/ispconfig/acme.log, I have:
[Fri 18 Jun 2021 02:44:03 AM CEST] xxx.xxx.com:Verify error:Fetching http://xxx.xxx.com/.well-known/acme-challenge/E63rJvejYJhKcnX__Yowb50Guo1IK5oSfTAdL6zbE7w: Connection refused
There is no firewall, ... Any idea what I should look at next? What should I check?
After checking the ISPConfig install logs, you should also follow the FAQ, especially on LE, as it will give you more info on how to troubleshoot correctly, I think.
Yes, it's a freshly installed system on Debian 10 using this tutorial: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ There is no router by default. We have many servers in that datacenter. Also, I can create a website under ISPConfig and I can add a LE SSL on it without any problem. It's just the admin LE SSL where we have this problem. I already tried to regenerate it with ispconfig_update.sh --force but it is always the same thing.
I have found how to fix it. I created a website with the name of the server xxx.xxx.com under ISPConfig and I activated LE SSL. It works. For the admin, I just ran ispconfig_update.sh --force in order to regenerate the LE SSL, and then it used the one generated.
I am curious whether, other than you managing to obtain LE certs, this method actually fixed the renewal conf for the hostname FQDN, so that, other than creating ispserver.pem and extending it to all other services that need it, it will also automatically renew the said ispserver.pem.
Just for your information, this is the second time I have set up a freshly installed server with ISPConfig 3.2.5 and I still have the exact same problem generating the LE SSL during the installation.
Understood, but simply using a website to get LE certs for the server hostname FQDN will not support automatic creation of ispserver.pem, its recreation, or the extension of it or the said LE certs to other services. You may have to do all that and set up an automatic recreation script manually. The reason is that using a website to obtain the LE certs will end up with acme.sh only installing them in the website's SSL folder, nothing more. In my theory, re-running the ISPConfig update may fix that, i.e. may force acme.sh to install to the ISPConfig SSL folder instead, but this may or may not work and there may be other consequences, as this theory was never tested. The best is still to find the cause(s) why your server failed to get LE certs during install and fix it/them, but it is your server so it is up to you what you think is best for it.
Are you installing on a fresh minimal OS server installation? Have you tried with the autoinstaller? https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
Another possibility is that the DNS record for the hostname did not work at the time you initially installed the system so LE could not reach your server but it worked later as you tried to create the cert when adding that website.
@till, it happened twice with 2 new freshly installed servers so I don't think this is a DNS record problem. Each time, I wasn't able to create it with the installation problem but I succeeded in creating it when I added a website under the ISPConfig panel with LE SSL. No DNS change has been made.
I am getting this too. Last attempt was using the autoinstaller for 3.2.5 - on a VM that had port forwarding (80, 443, 8080). Using the same FQDN as an alias to a site on the same server did work so proving the DNS was sound and the LE s/w was working. I kept it to just IPv4 'cos I feel I am never quite in control of IPv6. Not a real problem for me as I can just put in a symbolic link from the ISPConfig interface to the aliased website SSL certificates.
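A check for the "Connection refused" failure discussed in this thread, as an added example that is not part of any post or of ISPConfig: it resolves the hostname and tries a TCP connection to port 80 on every IPv4 and IPv6 address returned, so a single unreachable address stands out. The function names are hypothetical, and it should be run from a machine outside the server's network, since that is where the validation request comes from.

```python
import socket
import sys


def probe_http01(hostname, port=80, timeout=5.0):
    """Try a TCP connect to every address `hostname` resolves to.

    Returns a list of (family, address, status) tuples; status is
    'open', 'refused', 'timeout' or 'error: <reason>'.
    """
    try:
        infos = socket.getaddrinfo(hostname, port, type=socket.SOCK_STREAM)
    except socket.gaierror as exc:
        return [("dns", hostname, f"error: {exc}")]

    results, seen = [], set()
    for family, socktype, proto, _canon, sockaddr in infos:
        if sockaddr in seen:          # getaddrinfo can return duplicates
            continue
        seen.add(sockaddr)
        label = "IPv6" if family == socket.AF_INET6 else "IPv4"
        sock = None
        try:
            sock = socket.socket(family, socktype, proto)
            sock.settimeout(timeout)
            sock.connect(sockaddr)
            status = "open"
        except ConnectionRefusedError:
            status = "refused"        # same symptom as in acme.log
        except socket.timeout:
            status = "timeout"        # typically a silent packet drop
        except OSError as exc:
            status = f"error: {exc}"  # e.g. no route for that family
        finally:
            if sock is not None:
                sock.close()
        results.append((label, sockaddr[0], status))
    return results


def failing(results):
    """Addresses a validator could pick and fail on."""
    return [r for r in results if r[2] != "open"]


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    for fam, addr, status in probe_http01(host):
        print(f"{host} {fam} {addr}: {status}")
```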
When I originally submitted the code to ISPConfig git, I tested them from my server at Hetzner and at home, behind a router, and both worked fine in obtaining LE certs for the server hostname FQDN, and I believed the developers were in agreement with this too. Ever since it has been merged, various improvements have been made to it, so I no longer know which part of the code may cause these problems, since most users got the LE certs for the server hostname FQDN just fine. I guess we need more data on why this is failing on some servers in order to check which part of the code needs to be improved further. If only you guys can help us with that; otherwise it will be too general / broad for us to look into, and nobody will be able to look into its solution.
Just thinking - if it works for most but not for a few - maybe it's the format of the FQDN that could be different. Most will be trios (serverx.example.com) - mine is a quad (serverx.xxxx.co.uk). Could that be truncated for certbot to screw up on? Yes, I'm grabbing at straws ...