acme.sh not issuing certificates for servers after fresh install

Discussion in 'Installation/Configuration' started by Milen Karaganski, Feb 23, 2022.

  1. Milen Karaganski

    Milen Karaganski New Member

    Hello.

    I've followed the perfect multiserver guide for Ubuntu 20.04 (https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu)

    However, I'm able to create certificates for websites but not for the ISPconfig itself on all servers.

    My setup:
    panel.domain.com
    web01.domain.com
    mx1.domain.com
    ns1.domain.com

    In /etc/hosts (for all servers)
    Code:
    127.0.1.1 panel.domain.com panel //different in each one
    192.168.0.xxx panel.domain.com panel
    192.168.0.xxx web01.domain.com web01
    192.168.0.xxx mx1.domain.com mx1
    192.168.0.xxx ns1.domain.com ns1
    Router configuration:
    Port 53 is forwarded to the internal IP of ns1.domain.com
    Port 20,21,80 and 443 are forwarded to the internal IP web01.domain.com
    Port 8080 is forwarded to the internal IP panel.domain.com
    All mail ports are forwarded to the internal IP of mx1.domain.com

    Tried 2 ways:
    1. During install
    2. I've created a website on panel.domain.com, and then checked SSL and Let's Encrypt SSL

    In any of the above 2, I get the following error:
    Code:
    Checking / creating certificate for panel.domain.com
    Using certificate path /etc/letsencrypt/live/panel.domain.com
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/panel.blacktiehost.com
    [Wed 23 Feb 2022 05:40:08 PM EET] panel.blacktiehost.com:Verify error:Invalid response from http://panel.domain.com/.well-known/acme-challenge/LZF8ryXK-tK6xb822AFBkZdTLE4fquwwjSFBs2x7z6s [my external IP here]:
    [Wed 23 Feb 2022 05:40:08 PM EET] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    
    Log file has record for the same message as above.

    In my DNS zone, I have:
    - A record for my primary domain pointing to my external IP
    - Separate A records for panel, web01, ns1 and mx1 ALL pointing to my external IP

    I can see that a folder named 'panel.domain.com' is created in /root/.acme.sh on the 'panel' server in either of the above 2 ways, and its content is:
    - panel.blacktiehost.com.conf
    - panel.blacktiehost.com.csr
    - panel.blacktiehost.com.csr.conf
    - panel.blacktiehost.com.key

    Any help appreciated.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Issuing letsencrypt certs via the 'webroot' method, which is what ISPConfig itself supports, requires port 80 to be open to the server making the request; if you forward port 80 to your web server, then your control panel will be unable to obtain a certificate in that manner, as there are no port 80 requests getting through to it.

    Solutions would be to get more ip addresses, manually issue the certificate on your panel node using some other authentication method (eg. dns01), issue the certificate on your web server then copy it to the panel server (and automate that so it doesn't break every 90 days), or setup a reverse proxy to handle all your incoming port 80 requests and forward to the correct internal servers.
     
    Milen Karaganski likes this.
  3. Milen Karaganski

    Milen Karaganski New Member

    What if I temporarily redirect port 80 to the panel server?
    I guess I will get the certificate, but then it won't be able to be auto-renewed, correct?
     
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Correct.
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It's clearly stated in the guide: "Every server should have its own public IP and hostname."
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think you installed both certbot and acme.sh, because there should not be any /etc/letsencrypt folder if you use the latter. That is why following "please read before posting" and the LE FAQ is important in providing good info, troubleshooting and fixing your problem.
     
  7. Milen Karaganski

    Milen Karaganski New Member

    I don't have a Let's Encrypt folder. It's the script, I guess, that first checks for it and, if it's not found, reverts to acme.sh. However, I'm eager to do a workaround:

    1. Create websites for the subdomains on the web01 server.
    2. Issue certificates
    3. Cronjob with scp to copy the corresponding folder to each of the slave servers
    4. Use symlinks on the slave servers to the copied folder
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Add a step 5 to monitor the certificates on slave servers and restart services when they change.
     
  9. Milen Karaganski

    Milen Karaganski New Member

    I decided to exclude monitoring and just restart once a day for now, a few minutes after the copy cronjob. Otherwise, I would also have to monitor the main server for certificate reissue.
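    As an added example (not code from this thread or from ISPConfig), here is what steps 3 to 5 of the workaround above can look like on a slave server: a cron-driven POSIX shell script that pulls the certificate issued on web01, replaces the local copy atomically, and reloads services only when the certificate actually changed, so a daily blind restart is not needed. The hostnames, the /root/.acme.sh layout on the source node, the destination directory and the service list are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# sync-cert.sh: pull a Let's Encrypt certificate from the node that issued it
# and reload local services only when it changed. Run from cron on each slave,
# e.g. "17 3 * * * /usr/local/sbin/sync-cert.sh run".
# Assumed (hypothetical) paths and names; change to match your servers.
set -eu

SRC_HOST="${SRC_HOST:-web01.domain.com}"          # node that runs acme.sh for the cert
CERT_NAME="${CERT_NAME:-panel.domain.com}"         # hostname of this slave's cert
SRC_DIR="${SRC_DIR:-/root/.acme.sh/$CERT_NAME}"    # acme.sh cert dir on SRC_HOST
DST_DIR="${DST_DIR:-/usr/local/ispconfig/interface/ssl}"
RELOAD_SERVICES="${RELOAD_SERVICES:-apache2 postfix dovecot}"
RELOAD_CMD="${RELOAD_CMD:-systemctl reload}"       # word-split on purpose

# cert_changed NEW OLD: succeed when OLD is missing or differs from NEW byte-for-byte.
cert_changed() {
    new="$1"; old="$2"
    [ -f "$old" ] || return 0
    ! cmp -s "$new" "$old"
}

# reload_services: reload every service that has the cert loaded; a failed
# reload is reported but does not abort the run, so other services still get it.
reload_services() {
    for svc in $RELOAD_SERVICES; do
        $RELOAD_CMD "$svc" || echo "reload of $svc failed" >&2
    done
}

# fetch_cert STAGE: copy fullchain and key into a staging dir over scp
# (needs key-based ssh from this slave to root@SRC_HOST).
fetch_cert() {
    stage="$1"
    mkdir -p "$stage"
    scp -q "root@$SRC_HOST:$SRC_DIR/fullchain.cer" "$stage/fullchain.cer"
    scp -q "root@$SRC_HOST:$SRC_DIR/$CERT_NAME.key" "$stage/privkey.key"
    chmod 600 "$stage/privkey.key"
}

# install_if_changed STAGE DST: replace DST/fullchain.cer and DST/privkey.key
# atomically when the staged certificate differs, then reload services.
# Prints "changed" or "unchanged" so the cron wrapper can log it.
install_if_changed() {
    stage="$1"; dst="$2"
    mkdir -p "$dst"
    if cert_changed "$stage/fullchain.cer" "$dst/fullchain.cer"; then
        # copy to a temp name and mv: a reader never sees a half-written PEM
        cp "$stage/fullchain.cer" "$dst/fullchain.cer.tmp"
        cp "$stage/privkey.key" "$dst/privkey.key.tmp"
        chmod 600 "$dst/privkey.key.tmp"
        mv "$dst/fullchain.cer.tmp" "$dst/fullchain.cer"
        mv "$dst/privkey.key.tmp" "$dst/privkey.key"
        reload_services
        echo changed
    else
        echo unchanged
    fi
}

# main: fetch, install, and log the expiry date of whatever is now installed.
main() {
    stage=$(mktemp -d)
    trap 'rm -rf "$stage"' EXIT
    fetch_cert "$stage"
    result=$(install_if_changed "$stage" "$DST_DIR")
    if command -v openssl >/dev/null 2>&1; then
        echo "$CERT_NAME: $result, $(openssl x509 -noout -enddate -in "$DST_DIR/fullchain.cer")"
    else
        echo "$CERT_NAME: $result"
    fi
}

# Only run the network part when invoked with "run", so the functions can be
# sourced or tested without touching a remote host.
case "${1:-}" in
    run) main ;;
esac
```

Keeping the key at mode 600 and swapping files with mv means a service that reads the PEM mid-copy never gets a truncated file, and reloading only on change keeps the daily cron run from bouncing mail and web services for nothing.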
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I see then it is an issue to be noted as the script should not check that folder if you are using acme.sh, I think.

    You can create the LE certs manually using dns challenge and then adjust renewal config accordingly. ISPConfig can detect the LE certs already available for the server hostname and use them for it. I personally use this method for more than 4 years.
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry to revisit this.
    The above part, which may have caused my confusion, comes from installer_base.lib.php:
    Code:
    swriteln('Checking / creating certificate for ' . $hostname);
    $acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
    $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
    if(!@is_dir($acme_cert_dir)) {
        $acme_cert_dir = '/root/.acme.sh/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
        if(!@is_dir($acme_cert_dir)) {
            $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
            $check_acme_file = $acme_cert_dir . '/cert.pem';
        }
    }
    swriteln('Using certificate path ' . $acme_cert_dir);
    
    I believe it should inform the user of the cert path only if the cert file exists, but otherwise it should not. Maybe the last part should be changed to something like:
    Code:
    if(is_file($check_acme_file)) {
        swriteln('Using certificate path ' . $acme_cert_dir);
    }
    
    As I said above, I was personally quite confused, and maybe some others were too, when /etc/letsencrypt is reported while there is no certbot installed, so the above may remove any confusion.
     
