Hi, I'm hoping I'm missing something obvious as I've tried to follow various threads and used the FAQs on this forum.

Background
- Running Debian 9 on a VPS.
- System was upgraded from ISPConfig 3.1.15 to 3.2.3 (now 3.2.4, no change).
- Found the certbot was installed from ISPConfig 3.1x. The only cert ever created was for the rspamd procedure when converting from spamassassin to rspamd.

I upgraded a few weeks ago to 3.2.3 and then again from 3.2.4. In the past I had left the self-signed cert for the main panel and dovecot/postfix. With the release of 3.2.x I was looking forward to moving to the LetsEncrypt cert for the panel and the server services. When performing the upgrade I received the following message:

Code:
    Checking / creating certificate for server1.example.com
    Using certificate path /etc/letsencrypt/live/server1.example.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for server1.example.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. server1.example.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://server1.example.com/.well-known/acme-challenge/DeVI4dWWqO6dN4SOT_9h6J_PoDytVLuyxFojKmk5Gys: Connection refused
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus

Troubleshooting
- I have run the update with the --force command - no change
- I have confirmed the folder acme-challenge is accessible by adding a quick test text file
- Confirmed acme.sh wasn't installed using apt.
- /etc/letsencrypt exists and does contain the rspamd domain spammer.example.com (this still works when checking the certificate out in a browser)
- I disabled the LetsEncrypt SSL option for the rspamd site and then tried the installation again. No change for error message.
- Checked the version of the manual I have but nothing to help with this issue.
- server1 does have a valid DNS entry

Hoping someone can think of some suggestions I can try. Using the self-signed is fine for now as I haven't lost any functionality, but the idea of using LetsEncrypt will be nice for helping family get their email addresses set up on iOS devices and their way of handling self-signed certs. From my notes I haven't done any other customization to the server. I'm hoping to keep this version going until Debian 11 is released and then move the server to that, but that isn't for a while.

Thanks in advance.
Jason
Maybe a firewall or dns issue? Troubleshoot by connecting to your server's hostname on port 80 from an external source, and once you can make the connection, try again.
Hi Folks,

I can confirm the exact same behaviour. LetsEncrypt tries to connect to my machine but gets a "connection refused". As far as I could narrow down, the installation script stops or restarts (?) the apache service during the certificate retrieval. I also created the abovementioned test.txt file and can fetch it right before answering "Create new ISPConfig SSL certificate". As soon as the installer tries to obtain it, apache shuts down. This results in a "connection refused".

Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for my.hostname.de
    Using certificate path /etc/letsencrypt/live/my.hostname.de
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for my.hostname.de
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain my.hostname.de
    http-01 challenge for my.hostname.de
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.

letsencrypt.log:

Code:
    Detail: Fetching http://my.server.de/.well-known/acme-challenge/iCSkjq13AffUa6mxRYr164AJQQdjp9a3qgUusA8u4KA: Connection refused

This is a mail server. There used to be a single default site that I used to retrieve the LE Certs before V3.2. All sites are deactivated, only the apache2 default site remains. All relevant ports are open, it's not a dns or firewall issue.

Any ideas?
Hi again,

as far as I can tell, the installer creates a faulty apps.vhost:

Code:
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig apps vhost
    ######################################################

    Listen
    # NameVirtualHost *:

    <VirtualHost _default_:>
      ServerAdmin webmaster@localhost

The Listen directive is missing its arguments.

Apache Log:

Code:
    Apr 20 16:51:21 xxx apachectl[8700]: AH00526: Syntax error on line 6 of /etc/apache2/sites-enabled/000-apps.vhost:
    Apr 20 16:51:21 xxx apachectl[8700]: Listen requires 1 or 2 arguments.
    Apr 20 16:51:21 xxx apachectl[8700]: Action 'start' failed.
    Apr 20 16:51:21 xxx apachectl[8700]: The Apache error log may have more information.
Have you set the port in the panel? (default 8081) for the apps vhost? Are you using a conf-custom template?
I was able to solve it.

If ISPConfig's web interface used a self-signed certificate before, its path (/usr/local/ispconfig/interface/ssl/ispserver.crt) is set in apps.vhost and ispconfig.vhost. Maybe the installer deletes / renames the old certs before trying to obtain the new ones? This could be the reason for these log lines:

Code:
    Apr 20 17:08:22 xxxx apachectl[11869]: AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/000-apps.vhost:
    Apr 20 17:08:22 xxxx apachectl[11869]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Apr 20 17:08:22 xxxx apachectl[11869]: Action 'stop' failed.
    ----
    Apr 20 17:13:09 xxxx apachectl[12907]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-apps.vhost:9
    Apr 20 17:13:09 xxxx apachectl[12907]: AH00526: Syntax error on line 65 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    Apr 20 17:13:09 xxxx apachectl[12907]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Apr 20 17:13:09 xxxx apachectl[12907]: Action 'stop' failed.
    ----

So the temporary solution was to comment out the SSL config in both VHosts before launching the installer:

Code:
    # SSL Configuration
    # SSLEngine On
    # SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    # SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    # SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    # #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    ...
    ...

After restarting apache, the certificate was fetched correctly.

Cheers,
Marcus
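An added example, not part of the thread and not ISPConfig code: a pre-flight check for the two failures diagnosed in the posts above, a Listen directive with no argument and an SSLCertificateFile / SSLCertificateKeyFile that points at a missing or empty file. Either one keeps Apache from starting, which is why the http-01 fetch ends in "Connection refused". The helper name check_vhost is hypothetical; the vhost paths in the usage comment are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example (not ISPConfig code): flag vhost directives that would stop
# Apache from starting before the installer requests a certificate.
# check_vhost is a hypothetical helper name.
#
# Usage: sh check_vhost.sh /etc/apache2/sites-enabled/000-apps.vhost \
#                          /etc/apache2/sites-enabled/000-ispconfig.vhost

check_vhost() {
    # $1: vhost file. Prints one finding per line; returns 1 if any were found.
    findings=$(
        # awk emits "<line> <kind> <directive> <first argument>" for each
        # uncommented Listen / SSLCertificateFile / SSLCertificateKeyFile.
        awk '
            /^[ \t]*#/ || NF == 0 { next }
            { kind = tolower($1) }   # Apache directive names are case-insensitive
            kind == "listen" || kind == "sslcertificatefile" || kind == "sslcertificatekeyfile" {
                arg = $2; gsub(/"/, "", arg)
                print NR, kind, $1, arg
            }
        ' "$1" |
        while read -r lineno kind directive arg; do
            if [ "$kind" = listen ]; then
                [ -n "$arg" ] || echo "$1:$lineno: Listen has no argument"
            else
                # -s is false for a missing file and for an empty one, the same
                # two cases Apache reports as "does not exist or is empty".
                [ -s "$arg" ] || echo "$1:$lineno: $directive '$arg' does not exist or is empty"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Check every file named on the command line; exit non-zero on any finding.
status=0
for vhost in "$@"; do
    check_vhost "$vhost" || status=1
done
[ "$status" -eq 0 ] || exit 1
```

Running it against both vhost files before starting the update shows whether Apache would survive the restart the installer performs during certificate retrieval.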
I did that several times, even tried combinations of reconfiguring / not reconfiguring the services. Didn't solve it, unfortunately.
Alright, I think this confirms https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6121 and I have scheduled it to be fixed in 3.2.5.
Yes, the port was set to 8081 in apps vhost settings. No custom configs on this machine:

Code:
    :/usr/local/ispconfig/server/conf-custom# find .
    ./empty.dir
    ./error
    ./error/empty.dir
    ./mail
    ./mail/empty.dir
    ./index
    ./index/empty.dir
    ./install
    ./install/empty.dir
Hi atnetws - Thanks for backing up my issue. I'm now up and running with the correct LetsEncrypt cert.

Thom - I used the issue link you posted to solve. Changed the file from rename to copy, ran update, changed back installer and ran update again.

Thanks for seeing the discussion, everyone. Glad to see ISPConfig continue to develop. From what I can tell it is working. I look forward to your permanent fix for those with the same issue.
I just did a fresh install of ISPConfig on Debian 10 and I have a similar issue... at first ISPConfig got installed with a self-signed cert and now I only get a connection refused when I try to obtain one with "ispconfig_update.sh --force", but I can open a test file located in the acme-challenge folder without a problem.... I get this error in the logs:

Code:
    AH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-apps.vhost:
    SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty

edit: it seems the installer downloaded by ispconfig_update (... ISPConfig-3-stable.tar.gz) does not (yet) contain the fix mentioned above?