Automated ISPConfig 3 Installation On Ubuntu 24.04 - Letsencrypt for webadmin (:8080) fails

Discussion in 'ISPConfig 3 Priority Support' started by curiousadmin, Oct 20, 2024.

  1. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Hello Community,

    I just did the Perfect Server Automated ISPConfig 3 Installation on Ubuntu 24.04 and the Let's Encrypt certificate for administration (server1.example.com:8080/login/) fails; only the self-signed certificate with 10 year validity is created.

    Let's assume my public server IP is 123.123.123.123
    and my server's domain name is server1.example.com
    Note: IPv6 is not available on my server (only IPv4) and any local IPv6 are disabled in /etc/sysctl.conf
    net.ipv6.conf.all.disable_ipv6=1
    net.ipv6.conf.default.disable_ipv6=1
    net.ipv6.conf.lo.disable_ipv6=1
    sysctl -p



    My guess is that the problem lies in this part of the initial steps section:
    nano /etc/hosts
    127.0.0.1 localhost.localdomain localhost
    # This line should be changed to the correct servername:
    127.0.1.1 server1.example.com server1
    # The following lines are desirable for IPv6 capable hosts
    ::1 localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    I suppose if we replace: 127.0.1.1 server1.example.com server1
    with 123.123.123.123 server1.example.com server1
    then it should fix the problem.
    I understand this is far from perfect but the reason why I think this is where the problem lies is the following workaround:

    So I did ispconfig_update.sh --force
    Code:
    Operating System: Ubuntu 24.04.1 LTS (Noble Numbat)
    
    This application will update ISPConfig 3 on your server.
    
    Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]:
    
    Creating backup of "/usr/local/ispconfig" directory...
    Creating backup of "/etc" directory...
    Creating backup of "/root/.acme.sh" directory...
    Creating backup of "/etc/letsencrypt" directory...
    Checking MariaDB version 10.11.8 .. OK
    Checking ISPConfig database .. OK
    Starting incremental database update.
    Loading SQL patch file: /tmp/update_runner.sh.vDgrfNv3uW/install/sql/incremental/upd_dev_collection.sql
    Reconfigure Permissions in master database? (yes,no) [no]:
    
    Service 'dns_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]:
    
    Reconfigure Services? (yes,no,selected) [yes]:
    
    The following local config override templates were found, be sure to incorporate upstream changes if needed:
    
    /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Spamassassin
    Configuring Rspamd
    Configuring Getmail
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for server1.example.com
    Using certificate path /etc/letsencrypt/live/server1.example.com
    Server's public ip(s) (123.123.123.123) not found in A/AAAA records for server1.example.com: 127.0.1.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/server1.example.com
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    
    Reconfigure Crontab? (yes,no) [yes]: y
    Reconfigure Crontab? (yes,no) [yes]: yes
    
    Updating Crontab
    Restarting services ...
    Update finished.
    Notice the part:
    Server's public ip(s) (123.123.123.123) not found in A/AAAA records for server1.example.com: 127.0.1.1
    Ignore DNS check and continue to request certificate? (y,n) [n]: y


    I wonder what your thoughts are on this. Sure, I can re-run the certificate creation manually each time, but I suppose it's less than ideal...
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The line in /etc/hosts is fine using 127.0.1.1; it works like this on tens of thousands of systems and is chosen like this by the Debian and Ubuntu maintainers for good reason. Your problem is different and is related to your overall system and network setup. According to the output, your system is behind a firewall or proxy that blocks connections from your server, or you missed creating an A-Record in the public DNS server. Such an A-Record must exist before you install the system, not because ISPConfig needs it but because LE needs it and will not issue an SSL cert without it. If the automatic check fails because your system is behind a router or firewall that blocks incoming connections issued from the server, you must choose y when it asks to ignore the LE check. There is no manual creation of an LE cert needed afterwards at all.
     
  3. curiousadmin

    curiousadmin Member HowtoForge Supporter

    Thank you for the followup @till.

    I wonder if the A-record needs to be propagated for a certain time - I tried to look it up on whatsmydns.net and both PTR and A records were propagating already (well, at least for the most part - I think 2 locations out of those 26 didn't "see it" yet). I waited for about 10 minutes before I initiated the automatic installation...

    Proxy/firewall is an unlikely issue - it's a dedicated server with a major datacenter provider and they won't give you a firewall unless you pay extra for it...
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Then it might just be that the record has not been propagated yet, and waiting a bit might help.
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It does.
    It is the name server the Let's Encrypt server uses that needs to resolve the hostname; you must wait until the changes have propagated to that server.
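
Added example, not part of the thread and not ISPConfig code: the update log above reports 127.0.1.1 (the /etc/hosts value) for server1.example.com, while Let's Encrypt validates against public DNS, so this POSIX shell script separates the two views and says which one is wrong. The function names and the resolver 1.1.1.1 in the usage comment are assumptions; the addresses are the placeholder values used in the thread.

```sh
#!/bin/sh
# Added example (not ISPConfig code); names below are hypothetical.

# Print the first address that hosts-style file $1 maps hostname $2 to.
hosts_lookup() {
  awk -v want="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    { sub(/#.*/, "") }            # strip comments, fields are re-split
    NF < 2 { next }               # skip blank or address-only lines
    { for (i = 2; i <= NF; i++)   # canonical name and every alias
        if (tolower($i) == want) { print $1; exit } }
  ' "$1"
}

# Succeed if $1 is a loopback address (127.0.0.0/8 or ::1).
is_loopback() {
  case "$1" in 127.*|::1) return 0 ;; *) return 1 ;; esac
}

# diagnose HOSTS_FILE NAME PUBLIC_IP [DNS_ANSWER...]
# DNS_ANSWER values are the A records a public resolver returned for NAME.
diagnose() {
  d_hosts=$1; d_name=$2; d_public=$3; shift 3
  d_in_dns=no
  for d_ans in "$@"; do
    if [ "$d_ans" = "$d_public" ]; then d_in_dns=yes; fi
  done
  d_local=$(hosts_lookup "$d_hosts" "$d_name")
  if [ "$d_in_dns" = no ]; then
    # The CA cannot find the server: create the A record or wait for it.
    echo "public-dns-missing"
  elif [ -n "$d_local" ] && is_loopback "$d_local"; then
    # Public DNS is correct; only the on-host lookup sees loopback.
    echo "local-only-mismatch"
  else
    echo "ok"
  fi
}

# Live use (needs network and dig; resolver choice is an assumption):
#   diagnose /etc/hosts server1.example.com 123.123.123.123 \
#       $(dig +short A server1.example.com @1.1.1.1)
```

A result of `public-dns-missing` corresponds to the missing or not yet propagated A record discussed in the replies; `local-only-mismatch` corresponds to the case where the installer's DNS check can be answered with y.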
     
