RESOLVED - Lets Encrypt installs crt but uses self-signed

Discussion in 'ISPConfig 3 Priority Support' started by paka, Mar 25, 2023.

  1. paka

    paka Member

    Read the Lets Encrypt FAQ and followed most steps; didn't go into debug mode. Here's why ...

    acme.sh creates the Lets Encrypt certificates and appears to install them properly. The Lets Encrypt tick box remains ticked in ISPconfig. The problem is when accessing the domain via https the only certificate offered is the self signed one (not the generated & installed Lets Encrypt one).

    As a last chance, forced a reinstall of ISPconfig. No change.

    Rebooted server and even my wife's desktop. ;) Apache2 still using only self-signed cert.
    Lets Encrypt works for all the other nine domains on the server.

    Debian 11 with ISPconfig installed via the corresponding install document.
    Here's what I'm seeing:
    Forced update for Lets Encrypt
    Code:
    root@mail:~/.acme.sh# ./acme.sh -f -r -d writeworks.uk
    [Sat 25 Mar 2023 11:38:57 AM GMT] Renew: 'writeworks.uk'
    [Sat 25 Mar 2023 11:38:57 AM GMT] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
    [Sat 25 Mar 2023 11:38:58 AM GMT] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat 25 Mar 2023 11:38:58 AM GMT] Using pre generated key: /root/.acme.sh/writeworks.uk/writeworks.uk.key.next
    [Sat 25 Mar 2023 11:38:58 AM GMT] Generate next pre-generate key.
    [Sat 25 Mar 2023 11:38:59 AM GMT] Multi domain='DNS:writeworks.uk,DNS:www.writeworks.uk,DNS:Plume.writeworks.uk'
    [Sat 25 Mar 2023 11:38:59 AM GMT] Getting domain auth token for each domain
    [Sat 25 Mar 2023 11:39:02 AM GMT] Getting webroot for domain='writeworks.uk'
    [Sat 25 Mar 2023 11:39:02 AM GMT] Getting webroot for domain='www.writeworks.uk'
    [Sat 25 Mar 2023 11:39:03 AM GMT] Getting webroot for domain='plume.writeworks.uk'
    [Sat 25 Mar 2023 11:39:03 AM GMT] writeworks.uk is already verified, skip http-01.
    [Sat 25 Mar 2023 11:39:03 AM GMT] www.writeworks.uk is already verified, skip http-01.
    [Sat 25 Mar 2023 11:39:03 AM GMT] plume.writeworks.uk is already verified, skip http-01.
    [Sat 25 Mar 2023 11:39:03 AM GMT] Verify finished, start to sign.
    [Sat 25 Mar 2023 11:39:03 AM GMT] Lets finalize the order.
    [Sat 25 Mar 2023 11:39:03 AM GMT] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/749524277/172192305857'
    [Sat 25 Mar 2023 11:39:04 AM GMT] Downloading cert.
    [Sat 25 Mar 2023 11:39:04 AM GMT] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0373dd0250a61da54506b1b5510d864ad0a2'
    [Sat 25 Mar 2023 11:39:05 AM GMT] Cert success.
    -----BEGIN CERTIFICATE-----
    [..]
    -----END CERTIFICATE-----
    [Sat 25 Mar 2023 11:39:05 AM GMT] Your cert is in: /root/.acme.sh/writeworks.uk/writeworks.uk.cer
    [Sat 25 Mar 2023 11:39:05 AM GMT] Your cert key is in: /root/.acme.sh/writeworks.uk/writeworks.uk.key
    [Sat 25 Mar 2023 11:39:05 AM GMT] The intermediate CA cert is in: /root/.acme.sh/writeworks.uk/ca.cer
    [Sat 25 Mar 2023 11:39:05 AM GMT] And the full chain certs is there: /root/.acme.sh/writeworks.uk/fullchain.cer
    [Sat 25 Mar 2023 11:39:05 AM GMT] Your pre-generated next key for future cert key change is in: /root/.acme.sh/writeworks.uk/writeworks.uk.key.next
    [Sat 25 Mar 2023 11:39:05 AM GMT] Installing key to: /var/www/clients/client1/web1/ssl/writeworks.uk-le.key
    [Sat 25 Mar 2023 11:39:05 AM GMT] Installing full chain to: /var/www/clients/client1/web1/ssl/writeworks.uk-le.crt
    [Sat 25 Mar 2023 11:39:05 AM GMT] Run reload cmd: systemctl force-reload apache2.service
    [Sat 25 Mar 2023 11:39:06 AM GMT] Reload success
    Directory certificates were installed to:
    Code:
    root@mail:/var/www/clients/client1/web1/ssl# ls -la
    total 56
    drwxr-xr-x  2 root root 4096 Mar 25 11:29 .
    drwxr-xr-x 11 root root 4096 Sep 27 01:57 ..
    -rw-r--r--  1 root root 1947 Mar 25 11:29 writeworks.uk.crt
    -rw-r--r--  1 root root 1915 Mar 25 11:29 writeworks.uk.crt~
    -rw-r--r--  1 root root 1869 Mar 25 01:50 writeworks.uk.crt.bak
    -rw-r--r--  1 root root 1728 Mar 25 11:29 writeworks.uk.csr
    -rw-r--r--  1 root root 1700 Mar 25 11:29 writeworks.uk.csr~
    -rw-r--r--  1 root root 1690 Mar 25 01:50 writeworks.uk.csr.bak
    -r--------  1 root root 3324 Mar 25 11:29 writeworks.uk.key
    -r--------  1 root root 3272 Mar 25 11:29 writeworks.uk.key~
    -r--------  1 root root 3324 Mar 25 01:50 writeworks.uk.key.bak
    -rw-r--r--  1 root root 5991 Mar 25 11:39 writeworks.uk-le.crt
    -rw-------  1 root root 3243 Mar 25 11:39 writeworks.uk-le.key
    How would it be best to proceed for troubleshooting?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It would have really helped to save you and our time if you posted the debug mode output right away, as it shows way more details on what is important for that topic, like if SSL has been activated for the site and if apache accepted the changes in config etc. That's why everyone who likes to get help in regard to a LE topic is requested to post that output.

    So let's do it manually instead. Check in the apache sites-available folder to see if there is a vhost file with .err file ending for this website.
     
    paka likes this.
  3. paka

    paka Member

    I do apologize for skipping the debug mode. I honestly should know by now when you state something that one should really just do it.

    No .err file there:
    Code:
    root@mail:/etc/apache2/sites-available# ls -la
    total 200
    drwxr-xr-x 2 root root  4096 Mar 25 11:29 .
    drwxr-xr-x 8 root root  4096 Mar 21 06:13 ..
    -rw-r--r-- 1 root root  1332 Jun  9  2022 000-default.conf
    -rw-r--r-- 1 root root   310 Mar 25 01:56 acme.conf
    -rw-r--r-- 1 root root  3339 Mar 25 02:22 apps.vhost
    -rw-r--r-- 1 root root  6338 Jun  9  2022 default-ssl.conf
    -rw-r--r-- 1 root root  9074 Jan 26 19:00 gppixelworks.com.vhost
    -rw-r--r-- 1 root root  8252 Oct 19 09:21 gppixelworks.co.uk.vhost
    -rw-r--r-- 1 root root  2322 Mar 25 02:22 ispconfig.conf
    -rw-r--r-- 1 root root  3572 Mar 25 01:57 ispconfig.vhost
    -rw-r--r-- 1 root root  8757 Oct 13 11:37 knowledgelighthouse.co.uk.vhost
    -rw-r--r-- 1 root root 10070 Feb  3 02:39 lansbury.me.uk.vhost
    -rw-r--r-- 1 root root  9534 Oct 31 02:37 lansbury.me.uk.vhost.ORIG
    -rw-r--r-- 1 root root  9024 Feb  3 02:47 me.selfhost.uk.vhost
    -rw-r--r-- 1 root root 10146 Feb  3 02:45 ormisher.co.uk.vhost
    -rw-r--r-- 1 root root  8661 Dec  2 00:03 q2a.selfhost.uk.vhost
    -rw-r--r-- 1 root root  8810 Oct 13 17:12 responsiblebystander.co.uk.vhost
    -rw-r--r-- 1 root root  9116 Feb  3 02:44 top-dogs-names.com.vhost
    -rw-r--r-- 1 root root  9494 Mar 25 11:47 writeworks.uk.vhost
    -rw-r--r-- 1 root root  9041 Mar 23 13:10 writeworks.uk.vhost.No.Plume
    -rw-r--r-- 1 root root  8109 Oct 28 01:04 writeworks.uk.vhost.ORIG
    -rw-r--r-- 1 root root  9494 Mar 25 01:47 writeworks.uk.vhost.plume
    
    Based on your reply I've an idea of the problem. For the domain in question, its sole purpose is running a Federated publishing/blogging platform, Plume.

    Plume had been running at a different VPS with ISPconfig with no problems. Moving servers as the original VPS rates doubled.

    Plume requires some edits to the .vhost file. One of which is the addition of a reverse proxy:
    Code:
    # Added for Plume
    
            ProxyPreserveHost On
            RequestHeader set X-Forwarded-Proto "https"
    
            ProxyPass / http://127.0.0.1:7878/
            ProxyPassReverse / http://127.0.0.1:7878/
    
    # End added for Plume
    Thus I have the *.vhost.plume file to copy over *.vhost on system boots. Awkward but it was the first solution I found.

    So I'm guessing the .vhost is being edited by acme.sh followed by my mistake of blindly overwriting the fresh, required additions.

    FWIW, here are the additional edits to the .vhost file that are required for Plume to run. In the
    <VirtualHost *:80> section:
    Code:
    # Added for Plume
                    ServerAlias plume.writeworks.uk
                    ServerAlias www.writeworks.uk
                    ServerAdmin [email protected]
    
    # End added for Plume
    Balance of edits in <VirtualHost *:443> section:
    Code:
    # Added for Plume
                    ServerAlias plume.writeworks.uk
                    ServerAlias www.writeworks.uk
                    ServerAdmin [email protected]
    Code:
    # Added for Plume
    
    <Directory "/plume">
        Header always set Referrer-Policy "strict-origin-when-cross-origin"
        Header always set Strict-Transport-Security "max-age=31536000; preload"
    </Directory>
        SSLEngine on
    # End added for Plume
    Code:
    # Added for Plume
    
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
        SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
        SSLHonorCipherOrder On
        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Header always set X-Frame-Options DENY
        Header always set X-Content-Type-Options nosniff
        SSLCompression off
        SSLUseStapling on
    
        # Requires Apache >= 2.4.11
        SSLSessionTickets Off
    
        # Disable http/1.0
        # Requires Apache >= 2.4.17
        Protocols h2 http/1.1
    
    # End added for Plume
     
  4. paka

    paka Member

    Till,
    Many thanks for pointing out what should have been obvious.
    The sole error was mine; I was overwriting the .vhost file manually with edits which were required for Plume to run.

    In order to retain the .vhost settings for Plume, am I correct in understanding one can use directive snippets to retain those settings when rebooting or ISPconfig needs to make a change to the .vhost file?
     
    till and Th0m like this.
  5. Th0m

    Th0m Staff Member ISPConfig Developer

    Exactly.
     
    paka likes this.
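An added check for the situation diagnosed in this thread (example code, not from the thread, ISPConfig or acme.sh): it parses a site's Apache vhost, reports whether the port-443 block has SSLEngine on and whether its SSLCertificateFile resolves to the acme.sh-installed `<domain>-le.crt` rather than the self-signed `<domain>.crt`, and can compare the certificate Apache actually serves with the file on disk. The `-le.crt` naming and the `ssl/` directory layout are taken from the listings above; the sample vhost text is constructed.

```python
import hashlib
import re
import ssl
from pathlib import Path

LE_SUFFIX = "-le.crt"   # acme.sh installed the full chain as <domain>-le.crt (see the log above)

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
DIRECTIVE_RE = re.compile(
    r"^\s*(SSLEngine|SSLCertificateFile|SSLCertificateKeyFile)\s+(\S+)", re.M | re.I)

# Constructed sample: the shape of an ISPConfig vhost whose :443 block points at the self-signed cert
SAMPLE_VHOST = """<VirtualHost *:80>
  ServerName writeworks.uk
</VirtualHost>
<VirtualHost *:443>
  SSLEngine on
  SSLCertificateFile /var/www/clients/client1/web1/ssl/writeworks.uk.crt
  SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/writeworks.uk.key
</VirtualHost>
"""

def parse_ssl_vhosts(text):
    """Return (address, {directive: value}) for every VirtualHost block listening on :443."""
    found = []
    for m in VHOST_RE.finditer(text):
        addr, body = m.group(1).strip(), m.group(2)
        if addr.endswith(":443"):
            found.append((addr, {k.lower(): v.strip('"') for k, v in DIRECTIVE_RE.findall(body)}))
    return found

def resolves_to_le(cert_path, le_suffix=LE_SUFFIX):
    """True if the configured cert is the acme.sh chain, directly or through a symlink."""
    p = Path(cert_path)
    try:
        p = p.resolve(strict=True)   # follow symlinks when the file exists on this host
    except OSError:
        pass                         # missing file (e.g. offline check): judge by the name only
    return p.name.endswith(le_suffix)

def diagnose(vhost_text):
    """List the reasons a site could still hand out the self-signed certificate."""
    blocks = parse_ssl_vhosts(vhost_text)
    if not blocks:
        return ["no <VirtualHost *:443> block: SSL is not enabled for this site"]
    findings = []
    for addr, d in blocks:
        if d.get("sslengine", "off").lower() != "on":
            findings.append(f"{addr}: SSLEngine is not on, Apache will not serve TLS here")
        cert = d.get("sslcertificatefile")
        if cert is None:
            findings.append(f"{addr}: no SSLCertificateFile directive")
        elif not resolves_to_le(cert):
            findings.append(f"{addr}: SSLCertificateFile {cert} is not the *{LE_SUFFIX} chain")
    return findings

def fingerprint(pem):
    """SHA-256 over the DER encoding, the fingerprint a browser shows for a certificate."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def served_matches_installed(host, installed_cert, port=443):
    """Compare the certificate Apache hands out (no verification, so self-signed is fetched too)
    with the file acme.sh installed; False means the running config still uses another cert."""
    served = ssl.get_server_certificate((host, port))
    return fingerprint(served) == fingerprint(Path(installed_cert).read_text())
```

Run `diagnose(Path("/etc/apache2/sites-available/writeworks.uk.vhost").read_text())` on the server; an empty list plus `served_matches_installed("writeworks.uk", ".../writeworks.uk-le.crt")` returning True means the Let's Encrypt certificate is the one in use.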
