Hi, creating an SSL certificate through Sites -> my domain -> SSL -> SSL Action: create certificate creates it and saves the site settings; after that I'm checking both the SSL and Let's Encrypt SSL checkboxes and saving the settings. But the website still works on http instead of https; when I go back to the site settings both checkboxes have returned to unchecked and the website is still broadcasting on http. Tried deleting and creating a new certificate, but it didn't work. Port 443 is open and accessible from outside.
You need to read and follow https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ and https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/. From what you wrote it seems you try to do both a self-signed certificate and Let's Encrypt. If you use LE, the certificate boxes must be empty, and vice versa.
When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System -> Server config -> server1.example.com -> Web.
Did the trick, thanks.
Hi again, I'm having the same problem with another ISPConfig server (at work), but I think this installation has a different problem than the server at my home. Before @Taleman bans me for good, I want to say I've read and followed the instructions step by step, but it didn't solve the problem.
- I have ISPConfig 3.2.7p1 installed on vmcenter; it's behind NAT and it uses acme.sh.
- Skip Letsencrypt check is enabled (because the server is behind NAT).
- I have a domain subdomain as "xxx.xxx.com", creating the SSL certificate as "Sites -> my domain -> SSL -> SSL Action: create certificate".
- Waiting to save the settings, but when I go back to check the site settings the Let's Encrypt checkbox is not checked, and even if I check it manually SSL is not activating.
- Tried to find out what the problem is by checking the logs under Monitor -> Let's Encrypt Logs, but the system says Unable to read logs.
- /var/log/letsencrypt is empty (obviously, because my server uses acme.sh, but just wanted to share anyway).
- /var/log/ispconfig/acme.log is empty.
- /root/.acme.sh/acme.sh.log is empty.
- Debug mode returns no error.
Where else should I check?
This option may not be used when you want to get an LE cert. You basically told the system with that action not to create an LE cert, by creating a self-signed cert. To correct that, go to Sites -> my domain -> SSL and choose delete certificate as the action, then press save. After the change has been successfully processed, go to the website settings, enable the SSL and the Let's Encrypt checkboxes, and press save.
And regarding your attempt to use the debug log: you missed enabling debug mode, so there can be no debug output when debug mode is disabled. Please follow the instructions about enabling debug mode if you want to use the debug mode; you can find the link in the Let's Encrypt error FAQ.
You were right, I forgot to set the log level to Debug. Now I have the debug log as below;
Code:
18.03.2022-11:38 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
18.03.2022-11:38 - DEBUG - Found 1 changes, starting update process.
18.03.2022-11:38 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
18.03.2022-11:38 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
18.03.2022-11:38 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web5' - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web5' - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web5'|awk 'END{print $2,$NF}' - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: setquota -u 'web5' '0' '0' 0 0 -a &> /dev/null - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: setquota -T -u 'web5' 604800 604800 -a &> /dev/null - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web5' - return code: 0
18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.03.2022-11:38 - DEBUG - Trying to use Systemd to restart service
18.03.2022-11:38 - DEBUG - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
18.03.2022-11:38 - DEBUG - Create Let's Encrypt SSL Cert for: troy2.mydomain.com.tr
18.03.2022-11:38 - DEBUG - Let's Encrypt SSL Cert domains:
18.03.2022-11:38 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr --key-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.key' --fullchain-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi
18.03.2022-11:38 - WARNING - Let's Encrypt SSL Cert for: troy2.mydomain.com.tr could not be issued.
18 Mar 2022 11:38 www.troy2.mydomain.com.tr:Verify error:CAA record for www.troy2.mydomain.com.tr prevents issuance
18 Mar 2022 11:38 Please add '--debug' or '--log' to check more details.
18 Mar 2022 11:38 See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
18.03.2022-11:38 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d troy2.mydomain.com.tr -d www.troy2.mydomain.com.tr --key-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.key' --fullchain-file '/var/www/clients/client1/web5/ssl/troy2.mydomain.com.tr-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi
18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.03.2022-11:38 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/troy2.mydomain.com.tr.vhost
18.03.2022-11:38 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
18.03.2022-11:38 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.4/fpm/pool.d/web5.conf
18.03.2022-11:38 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
18.03.2022-11:38 - DEBUG - Trying to use Systemd to restart service
18.03.2022-11:38 - DEBUG - safe_exec cmd: systemctl is-enabled 'php7.4-fpm' 2>&1 - return code: 0
18.03.2022-11:38 - DEBUG - Restarting php-fpm: systemctl reload php7.4-fpm.service
18.03.2022-11:38 - DEBUG - Apache status is: running
18.03.2022-11:38 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
18.03.2022-11:38 - DEBUG - Trying to use Systemd to restart service
18.03.2022-11:38 - DEBUG - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
18.03.2022-11:38 - DEBUG - Restarting httpd: systemctl restart apache2.service
18.03.2022-11:38 - DEBUG - Apache restart return value is: 0
18.03.2022-11:38 - DEBUG - Apache online status after restart is: running
18.03.2022-11:38 - DEBUG - Processed datalog_id 202
18.03.2022-11:38 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished server.php.
I think the main issue is this: "www.troy2.mydomain.com.tr:Verify error:CAA record for www.troy2.mydomain.com.tr prevents issuance". I believe I have the right records in DNS, but couldn't understand why it doesn't like them. Frankly speaking, troy2 was an old service that we have removed, but it was working on https and most of the users favorited it as https, so I will not publish any website under this domain; I'm going to forward all requests to another website, but I need to do it over the https protocol so users don't get an error when they try to reach troy2.mydomain.com.tr from their bookmarks. If there is a trick for that, I can use that too.
CAA records are records that define which SSL authorities may issue certs for this domain, and your domain seems to have CAA records that disallow certs from Let's Encrypt. Either correct the CAA record to allow the Let's Encrypt SSL authority, or remove the CAA record.
Is there any way to override https? I mean, can I convert https://troy2.mydomain.com.tr requests to http://troy2.mydomain.com.tr through the ISPConfig GUI?
You know what, this confuses me, because when I create an SSL certificate for a domain and the server can create the certificate without any problem, after the changes are applied, when I check the site settings those two checkboxes show as checked automatically and the https over http checkbox is enabled under redirection.
Checkboxes, yes. I meant the boxes in the website SSL tab for SSL Key:, SSL Request:, etc. If you fill those in, then Let's Encrypt fails.
Oh, I see now, thanks. Here is my dilemma about this subject: when I delete the CAA records, acme.sh says "there is no CA record for troy2.mydomain.com.tr domain, DNS servers may be failing" (something like that, as far as I remember). So deleting the CAA records didn't solve my problem. But on the other hand I have the right CAA record according to tests (please see attached screenshots). But somehow acme.sh returns a 403 error when trying to issue a certificate for this domain.
Let's Encrypt does not require CAA records, so deleting them is fine and will likely solve your issue. The error message you cited says that there is no A record, not CAA record. A and CAA records are completely different records. An A record must exist, of course, if you want to get an SSL cert from Let's Encrypt for that name (see the Let's Encrypt FAQ; it is mentioned there that the domain/subdomain must exist and point to your server).
There is an A record for both troy2 and www.troy2, but the main domain is hosted on Azure and troy2 on the ISPConfig server, so the main domain's IP address and the subdomain's IP address are different. Can this cause this problem?
Also, instead of deleting your CAA records, you can (should? it would be better to?) just fix them. Add another CAA for "letsencrypt.org" if you need both the old and the new, or just replace the old record entirely if you only intend to use Let's Encrypt going forward.
Fixing instead of deleting is always better, for sure. I already have CAA - 0 - issue - "letsencrypt.org" & CAA - 0 - issuewild - "letsencrypt.org". When I call troy2.mydomain.com.tr from a browser I get the default ISPConfig page as well; my A record is pointing to the ISPConfig server's IP address, so it should work this way.
I have no idea why, but it worked when I changed the CAA record from this: CAA - 0 - issue - "letsencrypt.org" & CAA - 0 - issuewild - "letsencrypt.org" to this: CAA - 0 - issue - letsencrypt.org & CAA - 0 - issuewild - letsencrypt.org
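As an added illustration of the CAA behaviour discussed in this thread (this is not code from ISPConfig, acme.sh or any poster here): a small CAA policy evaluator in the style of RFC 8659, run against constructed zone data that mirrors the quoted and unquoted record values from the last two posts. The zone contents, the record-climbing to the parent name and the CA identifier are assumptions made for the example.

```python
# Added example: evaluate whether a CA may issue for a name under the CAA
# records of a constructed DNS snapshot (dict of owner name -> CAA records).
from dataclasses import dataclass


@dataclass(frozen=True)
class CAA:
    flags: int   # critical flag bit; not evaluated here
    tag: str     # "issue", "issuewild", "iodef", ...
    value: str   # raw value exactly as the DNS provider stores it


def lookup_caa(zone, name):
    """RFC 8659 style: use the CAA RRset at the name, else climb to the
    closest ancestor that has one; an empty list means no CAA anywhere."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]), [])
        if rrset:
            return rrset
    return []


def ca_domain(value):
    # "<ca-domain>; param=val ..." -> "<ca-domain>"; a bare ";" means no CA at all.
    return value.split(";", 1)[0].strip().lower()


def may_issue(zone, name, ca="letsencrypt.org"):
    wildcard = name.startswith("*.")
    rrset = lookup_caa(zone, name[2:] if wildcard else name)
    if not rrset:
        return True                     # no CAA records: issuance unconstrained
    tag = "issue"
    if wildcard and any(r.tag == "issuewild" for r in rrset):
        tag = "issuewild"               # issuewild takes precedence for wildcards
    relevant = [r for r in rrset if r.tag == tag]
    if not relevant:
        return True                     # only unrelated tags (e.g. iodef) present
    # A value stored with literal quotes ('"letsencrypt.org"') never equals the CA
    # identifier, so every CA is refused: the failure mode seen in this thread.
    return any(ca_domain(r.value) == ca for r in relevant)


# Constructed zone data (assumption): the broken and the fixed records.
BROKEN_ZONE = {"troy2.mydomain.com.tr": [CAA(0, "issue", '"letsencrypt.org"'),
                                         CAA(0, "issuewild", '"letsencrypt.org"')]}
FIXED_ZONE = {"troy2.mydomain.com.tr": [CAA(0, "issue", "letsencrypt.org"),
                                        CAA(0, "issuewild", "letsencrypt.org")]}
NO_CAA_ZONE = {}
```

Running `may_issue` over `BROKEN_ZONE`, `FIXED_ZONE` and `NO_CAA_ZONE` for www.troy2.mydomain.com.tr gives refused, allowed and allowed respectively, which matches the three states the thread went through.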