ACME

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Aug 11, 2021.

  1. Hello,
    I encountered problems with acme very early in the process of familiarizing myself with ISPConfig, so I switched to Certbot, which I know well. I have now decided to give acme another try, mainly because I want to automate the process of getting certificates for individual websites.
    The shell script acme.sh running in standalone mode works without a problem, meaning we can exclude for example firewall issues. This is the output of me generating a new certificate for my server with --force. I stopped apache2 manually before I entered this command.

    root@mail2:/etc# acme.sh --issue --standalone -d mail2.consulting1x1.info --force
    ------------------------------------------------------------------------------------------------------------------------------
    [Mi 11. Aug 14:19:07 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Mi 11. Aug 14:19:07 CEST 2021] Standalone mode.
    [Mi 11. Aug 14:19:07 CEST 2021] Single domain='mail2.consulting1x1.info'
    [Mi 11. Aug 14:19:07 CEST 2021] Getting domain auth token for each domain
    [Mi 11. Aug 14:19:11 CEST 2021] Getting webroot for domain='mail2.consulting1x1.info'
    [Mi 11. Aug 14:19:11 CEST 2021] mail2.consulting1x1.info is already verified, skip http-01.
    [Mi 11. Aug 14:19:11 CEST 2021] Verify finished, start to sign.
    [Mi 11. Aug 14:19:11 CEST 2021] Lets finalize the order.
    [Mi 11. Aug 14:19:11 CEST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/156104120/16129009871'
    [Mi 11. Aug 14:19:14 CEST 2021] Downloading cert.
    [Mi 11. Aug 14:19:14 CEST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/049f92bb8ba6b38b3d42643eb66bb5c918d0'
    [Mi 11. Aug 14:19:15 CEST 2021] Cert success.
    ------------------------------------------------------------------------------------------------------------------------------
    What now follows is the output of saying yes to the question whether I want to renew my certificates at the end of the forced update of ISPConfig. I already searched the forum, and Till asked one user with similar problems if he was using virtualization. The server I am currently configuring is a VM running on Proxmox PVE7. Since there is a shell error in line 3, I think I should point out that I am using bash. How can I fix this?

    Checking / creating certificate for mail2.consulting1x1.info
    Using certificate path /etc/letsencrypt/live/mail2.consulting1x1.info
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using apache for certificate validation
    Job for apache2.service failed.
    See "systemctl status apache2.service" and "journalctl -xe" for details.
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/mail2.consulting1x1.info
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    PHP Warning: symlink(): No such file or directory in /root/ispconfig3_install/install/lib/installer_base.lib.php on line 3176
    PHP Warning: symlink(): No such file or directory in /root/ispconfig3_install/install/lib/installer_base.lib.php on line 3177
    Reconfigure Crontab? (yes,no) [yes]: no
    Restarting services ...
    Job for dovecot.service failed because the control process exited with error code.
    See "systemctl status dovecot.service" and "journalctl -xe" for details.
    Update finished.

    Yours sincerely
    Stefan
     
  2. Taleman


    If you use the LE client from the command line and it creates or renews certificates, that breaks the setup ISPConfig makes, and ISPConfig can no longer create or renew certificates. A dry run is OK.
    Also, changing from one LE client (certbot or acme) to the other is non-trivial and usually involves removing all certificates and creating new ones with the newly installed client.
     
  3. Hi Taleman,
    the server is not yet in productive use and I have generated only one certificate for mail2.consulting1x1.info. Exchanging this will be rather easy. I can purge certbot and remove /etc/letsencrypt in under 30 seconds. acme.sh is already installed in root. This would not be a problem.

    Yours
    Stefan
     
  4. Taleman


    Ok, another thing:
    Code:
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    My Linux does not have that file and I suspect Debian 10 never has that file. So some typo in the script perhaps?
     
  5. Jesse Norell


    Just to clarify, you had certbot installed, then installed acme.sh afterwards? (That could throw the autoinstaller off if certbot isn't fully removed.)
     
  6. ahrasis


    If I were planning a new server, I wouldn't bother much about the error you posted but start afresh and just follow the tutorial for Debian 10 / Ubuntu 20.04, because I know I will then have a good new server.

    Changing from acme.sh to certbot or vice versa is the cause of many problems if you don't do it right.
     
  7. Would it be enough to do update.php --force, or do I have to install ISPConfig completely new? If yes, is it enough to remove ISPConfig (databases and files, but keep the software installed), or would I have to start with a new server?
     
  8. Hello
    Well, I just did a full new install - it took less than 30 minutes, I am getting the hang of this. This time I stayed conservative and used Debian 10 (to be OldStable in 2-3 days). During the initial configuration run ISPConfig created only self-signed certificates. Afterwards I did an update --force and was asked if I wanted new certificates. I answered yes and was given the following output.
    (Ports 80 and 443 are of course open, Shell was reconfigured to bash.)

    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for mail3.consulting1x1.info
    Using certificate path /etc/letsencrypt/live/mail3.consulting1x1.info
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/mail3.consulting1x1.info
    [Do 12. Aug 14:06:14 CEST 2021] mail3.consulting1x1.info:Verify error:Fetching http://mail3.consulting1x1.info/.we...e/YhN13Xcaa9cyptJul_IWmKWleaQ4ybKMCKNwB_fB4Po: Connection refused
    [Do 12. Aug 14:06:14 CEST 2021] Please add '--debug' or '--log' to check more details.
    [Do 12. Aug 14:06:14 CEST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.

    If you compare the error messages to the ones on Debian 11 you will see that they are different - no "sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file" and no "Job for apache2.service failed".
    But I still don't have a certificate and will most likely not be able to add certificates to websites or email domains with just the click of a button, which is after all the point of using an integrated solution like ISPConfig.
    This is a how-can-I-help-you-to-help-me situation: I have tried --debug and --log with update.sh, but unfortunately this did not produce the desired results.
    How can I get you the information you need to fix this problem?

    Yours
    Stefan
     
  9. till


    And the question is why this happened; it means that your hostname was unreachable or unresolvable at that point in time, or maybe you pointed it to the localhost IP or something similar in the /etc/hosts file. To find a solution for your issue, please post the exact details you received on the shell during the initial install (not from a forced update) and what's in the acme.sh log file after the initial install. The problem with the forced update is a different issue, independent from the first one, and probably just caused by this: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6121
     
  10. Hi,
    well, I did a complete new install and made a lot of snapshots, so the point of installation of acme can be recreated as well as the first run of ISPConfig.

    The new server is called mail1.consulting1x1.info. This is the result of an nmap scan from my Kali installation on an external network before installing acme or ispconfig:

    Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-17 13:16 CEST
    Nmap scan report for mail1.consulting1x1.info (195.34.186.13)
    Host is up (0.00036s latency).
    Not shown: 990 filtered ports
    PORT STATE SERVICE
    22/tcp open ssh
    25/tcp open smtp
    80/tcp open http
    110/tcp open pop3
    143/tcp open imap
    443/tcp open https
    465/tcp open smtps
    587/tcp open submission
    993/tcp open imaps
    995/tcp open pop3s
    Nmap done: 1 IP address (1 host up) scanned in 4.99 seconds

    This is the result of running the acme script on mail1
    root@mail1:~# curl https://get.acme.sh | sh -s
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 937 0 937 0 0 9968 0 --:--:-- --:--:-- --:--:-- 9968
    % Total % Received % Xferd Average Speed Time Time Time Current
    Dload Upload Total Spent Left Speed
    100 203k 100 203k 0 0 856k 0 --:--:-- --:--:-- --:--:-- 856k
    [Di 17. Aug 13:18:17 CEST 2021] Installing from online archive.
    [Di 17. Aug 13:18:17 CEST 2021] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz
    [Di 17. Aug 13:18:17 CEST 2021] Extracting master.tar.gz
    [Di 17. Aug 13:18:17 CEST 2021] Installing to /root/.acme.sh
    [Di 17. Aug 13:18:17 CEST 2021] Installed to /root/.acme.sh/acme.sh
    [Di 17. Aug 13:18:17 CEST 2021] Installing alias to '/root/.bashrc'
    [Di 17. Aug 13:18:17 CEST 2021] OK, Close and reopen your terminal to start using acme.sh
    [Di 17. Aug 13:18:17 CEST 2021] Installing cron job
    no crontab for root
    no crontab for root
    [Di 17. Aug 13:18:17 CEST 2021] Good, bash is found, so change the shebang to use bash as preferred.
    [Di 17. Aug 13:18:18 CEST 2021] OK
    [Di 17. Aug 13:18:18 CEST 2021] Install success!

    and finally the error during SSL creation:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y
    Checking / creating certificate for mail1.consulting1x1.info
    Using certificate path /etc/letsencrypt/live/mail1.consulting1x1.info
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/mail1.consulting1x1.info
    [Di 17. Aug 13:33:24 CEST 2021] Please add '--debug' or '--log' to check more details.
    [Di 17. Aug 13:33:24 CEST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    ------------------------------------------------------------

    Some more experiments with acme.sh post-install. The web server Apache is up and running.
    root@mail1:/var/www/ispconfig# acme.sh --issue --domain mail1.consulting1x1.info --apache
    [Di 17. Aug 13:48:27 CEST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Di 17. Aug 13:48:27 CEST 2021] Checking if there is an error in the apache config file before starting.
    [Di 17. Aug 13:48:27 CEST 2021] OK
    [Di 17. Aug 13:48:27 CEST 2021] JFYI, Config file /etc/apache2/apache2.conf is backuped to /root/.acme.sh/apache2.conf
    [Di 17. Aug 13:48:27 CEST 2021] In case there is an error that can not be restored automatically, you may try restore it yourself.
    [Di 17. Aug 13:48:27 CEST 2021] The backup file will be deleted on success, just forget it.
    [Di 17. Aug 13:48:27 CEST 2021] Create account key ok.
    [Di 17. Aug 13:48:28 CEST 2021] Registering account: https://acme-v02.api.letsencrypt.org/directory
    [Di 17. Aug 13:48:29 CEST 2021] Registered
    [Di 17. Aug 13:48:29 CEST 2021] ACCOUNT_THUMBPRINT='w2PtUFchrWtHLdrjm-dY78rmb5yEoPM-Qe76KinJd4c'
    [Di 17. Aug 13:48:29 CEST 2021] Creating domain key
    [Di 17. Aug 13:48:29 CEST 2021] The domain key is here: /root/.acme.sh/mail1.consulting1x1.info/mail1.consulting1x1.info.key
    [Di 17. Aug 13:48:29 CEST 2021] Single domain='mail1.consulting1x1.info'
    [Di 17. Aug 13:48:29 CEST 2021] Getting domain auth token for each domain
    [Di 17. Aug 13:48:31 CEST 2021] Getting webroot for domain='mail1.consulting1x1.info'
    [Di 17. Aug 13:48:31 CEST 2021] Verifying: mail1.consulting1x1.info
    [Di 17. Aug 13:48:31 CEST 2021] Pending, The CA is processing your order, please just wait. (1/30)
    [Di 17. Aug 13:48:34 CEST 2021] mail1.consulting1x1.info:Verify error:Invalid response from http://mail1.consulting1x1.info/.we...e/RiMk0m_YHRpD-k_b56G6aWu32Sm6n4PkqoFDBLKwkBs [195.34.186.13]:
    [Di 17. Aug 13:48:34 CEST 2021] Please add '--debug' or '--log' to check more details.

    What follows is the debug output, reduced to the single important line:
    mail1.consulting1x1.info:Verify error:Invalid response from http://mail1.consulting1x1.info/.we...e/sj2nWS2ThrQE58f5s4p49VRrMgwlKMiCtfWOkA1ldXQ [195.34.186.13]:
    This is correct, opening this line gives the output: "Not Found. The requested URL was not found on this server."
    The IP is correct; opening http://mail1.consulting1x1.info/ opens the default Debian Apache page. As before, stopping Apache and using acme standalone produces a valid certificate, which I am now going to use for the moment because a) I have no idea how to get a valid certificate with Apache and b) I need to get the email server running and in productive use. I have attached the entire output of --apache --debug to this post; it is several pages long. Maybe someone more knowledgeable in Apache can find a solution in there.

    Yours sincerely
    Stefan
     


  11. ahrasis


  12. These are the ones I created standalone and inserted manually into the vhost config.
    What I want is auto-generated certs, and as we have seen this part fails already during the installation process. I can go back to the snapshot and repeat the procedure as often as I want, I won't get a valid certificate during the installation process.
     
  13. ahrasis


    ISPConfig will try to use standalone if your server is not a web server but will use webroot if it is a web server, so creating that on your own is not advisable as there are related hooks that will be added in LE renew conf.

    I read that the fix was already added in the nightly build, but mainly for update and not install, so I think you can try updating using it and see if it can create LE certs for your server that way. If I am not mistaken, that should be included in the next stable release soon.
     
  14. Could you point me to the specific bug which was fixed in the nightly?
     
  15. ahrasis


    I was referring to these posts but am not really sure which one in the git. I am also not sure whether this new fix will help you, but surely you can try.
     
  16. till


    Creating an LE cert at install time works fine, as long as your hostname and DNS setup is correct. There was just a bug that you can't recreate an LE cert at update using the forced update option, which has been fixed in nightly builds.
     
  17. Believe me, hostname and DNS are set up correctly. Otherwise, shouldn't it also fail in standalone mode?
    nslookup mail1.consulting1x1.info
    Server: 192.168.99.1
    Address: 192.168.99.1#53

    Non-authoritative answer:
    Name: mail1.consulting1x1.info
    Address: 195.34.186.13
    (mail1.consulting1x1.info is an A record, by the way)

    /etc/hosts:
    195.34.186.13 mail1.consulting1x1.info mail1
    I can roll back to the snapshot of the initial install every time, and despite these settings I won't get an LE certificate. This is not only an issue after a forced update! But let me ask differently: which additional files should I check and possibly correct in order to get an LE certificate at install?

    Yours
    Stefan
     
  18. Taleman


    My guess is you included the www. subdomain in your certificate request.
    Code:
    $ host www.consulting1x1.info
    www.consulting1x1.info has address 217.160.17.169
    tale@ika ~
    $ host mail1.consulting1x1.info
    mail1.consulting1x1.info has address 195.34.186.13
    tale@ika ~
    
    If that is not it, what do these commands show?
    Code:
    hostname
    hostname -f
     
  19. till


    Might be that LE blocks your hostname now if you attempted that several times.

    Then your issue is not related to the bug we closed, plus it's an issue that is not reproducible here, plus others don't seem to have it, as we have about a thousand ISPConfig installs daily. But we will add some further debug flags to acme.sh in future versions, which will make debugging of such issues easier.
     
  20. till


    And one more hint: you mentioned SSL certs for individual websites. These are also not related to the update issue; it's a completely separate process.
     