A catch22? letsencrypt and ispconfig install?

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Sep 10, 2023.

  1. craig baker

    craig baker Member HowtoForge Supporter

    OK, this is weird. I'm setting up a new server (Rocky 8). I have a nice automated script I wrote - and it does EVERYTHING in Perfect Server CentOS 8 (with mods for Rocky 8 and the Remi PHP 7.4).
    All works and I get to where I'm installing ISPConfig. But now letsencrypt is installed as part of the ISPConfig install.
    Server name is ns11.cdbsystems.com. It pings, but no websites are up (it's before ISPConfig is installed, remember).
    During the ISPConfig script I get this output:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for ns11.cdbsystems.com
    Using certificate path /root/.acme.sh/ns11.cdbsystems.com
    /usr/bin/which: no certbot in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    /usr/bin/which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
    /usr/bin/which: no certbot in (/opt/eff.org/certbot/venv/bin)
    /usr/bin/which: no letsencrypt in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    /usr/bin/which: no acme.sh in (/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
    /usr/bin/which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/ns11.cdbsystems.com
    [Sun Sep 10 09:54:50 EDT 2023] Invalid status, ns11.cdbsystems.com:Verify error detail:108.18.202.58: Invalid response from http://ns11.cdbsystems.com/.well-known/acme-challenge/PULIOyjVLem7xmp4N2tgQuS3I8FCsG7sbQH4nV7srsg: 404
    [Sun Sep 10 09:54:50 EDT 2023] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.

    Now we can ping ns11.cdbsystems.com, but acme.sh does a POST to the address and GETs the above file.
    Naturally, it cannot POST since Apache is not serving the above as a site, so the GET always returns 404.
    So the letsencrypt install fails! And ns11.cdbsystems has proper DNS records.
    Catch-22: the hostname is not really a website (though it pulls up the default ISPConfig 'welcome to your website' page).
    How do I get around this and get a proper LE cert for ISPConfig?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no site needed for that as this URL is not about a site for the hostname, it's a global alias in Apache for /.well-known/acme-challenge/ that points to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/

    Double check IPv4 and, if they exist, IPv6 records as well. E.g. if an IPv6 record exists but IPv6 network connections to your server fail, LE will fail.

    The hostname should not be a website.

    You can test LE verification manually like this:

    1) Create a test file, in this example test.txt:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    2) You must now be able to access the file via http:

    http://ns11.cdbsystems.com/.well-known/acme-challenge/test.txt

    Also, you can rerun the SSL cert creation by using the command:

    ispconfig_update.sh --force

    Choose to reconfigure services and let the updater create a new SSL cert when it asks for that.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw, the config for that is in acme.conf file:

    Code:
    root@server1:/etc/apache2/sites-available# cat acme.conf
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
        Require all granted
        <IfModule mpm_itk_module>
            AssignUserId ispconfig ispconfig
        </IfModule>
    </Directory>
    This is from a Debian system; on CentOS the path is a bit different.
     
  4. craig baker

    craig baker Member HowtoForge Supporter

    Nice to hear from you till :)
    I created test.txt as above. It clearly exists in this folder, but the link above returns 404.

    [root@ns11 acme-challenge]# ls -al
    trwxr-x--- 1 ispconfig ispconfig 45 Sep 9 14:23 empty.dir
    -rw-r--r-- 1 root root 0 Sep 10 11:06 test.txt
    [root@ns11 acme-challenge]#

    The link in your message returns 404.
    The acme file:
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    <Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Require all granted
    <IfModule mpm_itk_module>
    AssignUserId ispconfig ispconfig
    </IfModule>
    </Directory>

    test.txt exists in that folder and is world-readable. So why can't Apache see it?
    Just noticed IPv6 was set to automatic. I ran nmtui to change that to disabled and then, hmm, I ran deactivate to restart the network. I was ...embarrassed... SSHing in at the time on that connection :)
    So I won't know till tomorrow. My server is down. However, this IS my birthday so I guess I won't worry about it.
    LOL
     
    Last edited: Sep 10, 2023
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Please check in the sites-enabled folder for a symlink to the acme.sh file which is in sites-available. Maybe the file is there but not enabled in the config.
     
  6. craig baker

    craig baker Member HowtoForge Supporter

    IPv6 is disabled. However, the error persists!
    And the sites-enabled folder does have a 999-acme.conf that points to acme.conf under sites-available.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe you have some conflicting config that overrides it. Search for e.g. acme-challenge:

    grep -r acme-challenge /etc/httpd

    to see if it is defined somewhere else too.
     
  8. craig baker

    craig baker Member HowtoForge Supporter

    Here is the result:
    [root@ns11 etc]# grep -r acme-challenge /etc/httpd
    /etc/httpd/conf/sites-available/acme.conf:Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    /etc/httpd/conf/sites-available/acme.conf:<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>

    Checked permissions and ownership and it's ispconfig:ispconfig all the way down to test.txt.

    Any other ideas? Rather annoying!
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    I went back to double-check IPv6 is disabled:
    [root@ns11 ssh]# sysctl -a | grep disable_ipv6
    net.ipv6.conf.all.disable_ipv6 = 1
    net.ipv6.conf.default.disable_ipv6 = 1
    net.ipv6.conf.eno1.disable_ipv6 = 1
    net.ipv6.conf.eno2.disable_ipv6 = 1
    net.ipv6.conf.eno3.disable_ipv6 = 1
    net.ipv6.conf.eno4.disable_ipv6 = 1
    net.ipv6.conf.lo.disable_ipv6 = 1

    So no IPv6, yet the error persists.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

  11. craig baker

    craig baker Member HowtoForge Supporter

    Hmm, noticed something ... actually two things.
    /etc/httpd/conf.d/ssl.conf had a 'default' virtualhost that was missing on another server, and this was deleted.
    I also noticed the following:
    in the sites-enabled (or available?)

    -rw------- 1 root root 310 Sep 14 15:43 acme.conf
    -rw-r--r-- 1 root root 3140 Sep 14 15:43 apps.vhost
    -rw-r--r-- 1 root root 2322 Sep 14 15:43 ispconfig.conf
    -rw-r--r-- 1 root root 3572 Sep 14 15:44 ispconfig.vhost

    acme.conf is not readable by anyone other than root. On another server its chmod value is 644 like the others here.
    Changed, restarted httpd. Still no joy :(
     
  12. craig baker

    craig baker Member HowtoForge Supporter

    ENLIGHTENMENT - you would NEVER have guessed this. Neither would Th0m :) Well, maybe you would have, if I had given full information! Feel like an idiot.
    I have a very nice Peplink dual-WAN router handling both the IP addresses, and port forwarding each address to the appropriate server behind the router.
    I had port 80 on BOTH WAN ports mapping to the same (old) server, rather than WAN1 to server 1 and WAN2 to the new server.
    So when acme.sh went to ns11 to POST, it was actually posting to the old server, not the new one. So naturally the script running on the new server could not see the file! Reconfigured port forwarding and voila - cert no problem.
    Apologies for wasting your bandwidth for this one!
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Good to hear that you were able to find the solution! :) And thank you for posting it as this helps others in a similar situation.
     
  14. craig baker

    craig baker Member HowtoForge Supporter

    Yes, dual-WAN routers are not uncommon. You might update the LE troubleshooting page with some notes about this. I never suspected a router issue until - you know what twigged it for me? I was playing with that URL on ns10 (old server) and I put some text in the file, and I ACCIDENTALLY typed ns11.cdbsystems.com/.well-known etc. - and UP POPPED MY TEXT FILE I had just put on ns10!
    Hmm, I says, how could ns11 respond with the file I just created on ns10 ... and suddenly all was clear.
     
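A scripted form of the manual test.txt check till gives in post 2, extended to distinguish the case craig hit in posts 12 and 14 (a 200 with somebody else's content, meaning another machine answers on port 80 for that name). This is an added example, not code from the thread or from ISPConfig; it assumes the challenge directory path quoted above and that curl is installed.

```shell
#!/bin/sh
# Drop a probe file in ISPConfig's acme-challenge directory, fetch it through the
# public hostname over plain HTTP, and classify the answer. Path taken from the
# thread; override ACME_DIR on other layouts.
ACME_DIR="${ACME_DIR:-/usr/local/ispconfig/interface/acme/.well-known/acme-challenge}"

# Classify one probe result (pure function, so it can be checked without network):
#   ok          the host reached serves the file we just wrote
#   not_served  404: alias not active, symlink missing, unreadable file (posts 2-11)
#   wrong_host  200 with other content: another machine answers on port 80 for this
#               name, e.g. a router forwarding port 80 elsewhere (posts 12 and 14)
#   unexpected  anything else (connection failures show up as status 000)
acme_classify() {
    token="$1"; status="$2"; body="$3"
    if [ "$status" = "200" ] && [ "$body" = "$token" ]; then
        echo ok
    elif [ "$status" = "404" ]; then
        echo not_served
    elif [ "$status" = "200" ]; then
        echo wrong_host
    else
        echo unexpected
    fi
}

# Write a random-token probe file, fetch it and classify the reply. The second
# argument selects the address family: -4 (default) or -6, since till flags an
# unreachable AAAA record as a separate failure path. The probe file is removed.
acme_probe() {
    host="$1"; family="${2:--4}"
    token="probe-$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')"
    file="$ACME_DIR/$token.txt"
    printf '%s' "$token" > "$file" || { echo "cannot write $file" >&2; return 1; }
    chmod 644 "$file"
    bodyfile=$(mktemp)
    status=$(curl "$family" -s -m 10 -o "$bodyfile" -w '%{http_code}' \
        "http://$host/.well-known/acme-challenge/$token.txt" || true)
    result=$(acme_classify "$token" "$status" "$(cat "$bodyfile")")
    rm -f "$file" "$bodyfile"
    echo "$result"
    [ "$result" = ok ]
}

# Usage: sh acme_probe.sh ns11.cdbsystems.com [-4|-6]
if [ $# -gt 0 ]; then
    acme_probe "$@"
fi
```

A wrong_host result is the signal the thread took several posts to reach: the name resolves and something answers, but not the box you are configuring.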
