Beta 2 Server Letsencrypt issue.

Discussion in 'Developers' Forum' started by brainsys, Sep 25, 2020.

  1. brainsys

    brainsys Member

    Returning the symlinks alone to previous state didn't work.

    It looks like when it tries to install the new certificate - it puts in the symlinks to itself - it then displays the cat errors as no certificate can be found. It looks like this error is recorded in dbipsconfig so it doesn't read the symlinks when corrected. Hence a restore was required to fix it (I couldn't investigate via phpMyAdmin as that required a working certificate to access). And yes I did service apache restart.

    Hi - are you in Croydon? I'm in Sydenham.
     
  2. brainsys

    brainsys Member

    Yes. This is what the directory looked like. (bak is the original self-certs created by the email bug)

    drwxr-x--- 2 root root 4096 Sep 24 18:23 bak
    -rwxr-x--- 1 root root 45 Sep 28 12:37 empty.dir
    lrwxrwxrwx 1 root root 48 Sep 28 12:37 ispserver.crt -> /usr/local/ispconfig/interface/ssl/ispserver.crt
    lrwxrwxrwx 1 root root 58 Sep 24 18:24 ispserver.crt-20200928123706.bak -> /etc/letsencrypt/live/server.example.com/fullchain.pem
    lrwxrwxrwx 1 root root 48 Sep 28 12:37 ispserver.key -> /usr/local/ispconfig/interface/ssl/ispserver.key
    lrwxrwxrwx 1 root root 56 Sep 24 18:26 ispserver.key-20200928123706.bak -> /etc/letsencrypt/live/server.example.com/privkey.pem
    -rwxr-x--- 1 root root 0 Sep 28 12:37 ispserver.pem
    -rwxr-x--- 1 root root 5418 Sep 25 12:48 ispserver.pem-20200928123706.bak
     
  3. Croydon

    Croydon ISPConfig Developer

    Those lines are very strange. Will have to look into this.
    Are you using certbot or acme.sh?
     
  4. brainsys

    brainsys Member

    certbot. Installed via Debian Perfect Server tutorial.

    Here is the relevant output of the updater:

    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for server.example.com
    Using certificate path /etc/letsencrypt/live/server.example.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
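
The state shown in the directory listing and in the cat errors above (certificate and key symlinks that point at their own path, plus a 0-byte ispserver.pem) can be checked for mechanically. The script below is an added example, not ISPConfig code and not part of any post in this thread; the function names check_ssl_dir, canon and make_sample_dir are hypothetical, the three file names come from the listing, and it runs only against a temp directory constructed to reproduce that listing.

```bash
#!/usr/bin/env bash
# Added example: flag the broken certificate state shown in this thread.
# All paths are constructed in a temp dir; nothing on a real server is touched.

# Physical path of "$1" (its directory resolved, the last component kept as-is).
canon() {
    ( cd "$(dirname "$1")" 2>/dev/null && printf '%s/%s\n' "$(pwd -P)" "$(basename "$1")" )
}

# Print one finding per line; return 1 if any file is unusable, else 0.
check_ssl_dir() {
    local dir="$1" bad=0 f target
    for f in "$dir"/ispserver.crt "$dir"/ispserver.key "$dir"/ispserver.pem; do
        if [ -L "$f" ]; then
            target=$(readlink "$f")
            # Relative link targets are resolved against the link's directory.
            case "$target" in /*) ;; *) target="$dir/$target" ;; esac
            if [ "$(canon "$target" || true)" = "$(canon "$f")" ]; then
                echo "SELF-LINK $f"; bad=1      # link points at its own path
            elif [ ! -e "$f" ]; then
                echo "DANGLING $f -> $target"; bad=1
            fi
        elif [ ! -e "$f" ]; then
            echo "MISSING $f"; bad=1
        elif [ ! -s "$f" ]; then
            echo "EMPTY $f"; bad=1              # e.g. the 0-byte ispserver.pem
        fi
    done
    return "$bad"
}

# Constructed sample reproducing the listing: crt/key link to themselves, pem is empty.
make_sample_dir() {
    local d
    d=$(mktemp -d)
    ln -s "$d/ispserver.crt" "$d/ispserver.crt"
    ln -s "$d/ispserver.key" "$d/ispserver.key"
    : > "$d/ispserver.pem"
    echo "$d"
}

demo=$(make_sample_dir)
check_ssl_dir "$demo" || true
rm -rf "$demo"
```

Run after an update and before restarting the web server, a non-zero return means the service would come up without a usable certificate.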
     
  5. TonyG

    TonyG Active Member

    @Croydon: I am sticking to the instructions as closely as possible. I did not execute install/update.php. I would not have thought to do so.
     
  6. Croydon

    Croydon ISPConfig Developer

    Okay, thanks. Guess the issue with that one is fixed. But not the other issue with certbot.
     
  7. Croydon

    Croydon ISPConfig Developer

    No :) Just searched the English dictionary for some nice possible usernames.

    Okay, that seems to be fixed with the latest MR and as such should be okay in tomorrow's nightly.
     
  8. brainsys

    brainsys Member

    Oh dear. You may have heard of David Bowie who lived in nearby Beckenham. He said in an interview in 1999: “It was my nemesis, I hated Croydon with a real vengeance. It represented everything I didn't want in my life, everything I wanted to get away from. I think it's the most derogatory thing I can say about somebody or something: ‘God, it's so f**king Croydon!’”.

    But don't think of changing your username to Sydenham 'cos that's also a nasty disease: https://en.wikipedia.org/wiki/Sydenham's_chorea ;)

    Thanks for fixing it. Looking forward to general release.
     
    Croydon likes this.
  9. Croydon

    Croydon ISPConfig Developer

    Not really, but this username is somehow outdated already ;-) Using something like "StrathCole" (Strathclyde + Coleraine) now most of the time ;-) – but we are sliding off topic
     
  10. TonyG

    TonyG Active Member

    Just to confirm, as of right now with the current nightly, I'm still seeing this:
    Waiting for verification...
    Cleaning up challenges
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory

    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:

    I'm just confirming the issue. I see this should be fixed soon and I'm happy to wait. I'll continue to move forward, installing other systems for web, DNS, etc. Thanks All!!!
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    @TonyG: According to the post timestamp, I guess you might still have got the last nightly version and not the new one which includes the fix.
     
    Croydon likes this.
  12. TonyG

    TonyG Active Member

    Yup. From my noobish perspective, there are no more issues with the install. So far I have three systems running and connected via ISPConfig. I broke my DNS - systems are internet-accessible but it's not all quite right yet ... but that's a topic for a separate thread. ;)
    Thanks for all of the efforts!

    Side notes:
    XMPP is still a prompt in the install. There is a prompt for configuring Rspamd but no info about it yet.
    Personally I have had a lot of confusion with specific aspects of the install (mostly for multi-server), but after doing the install about 20 times I think I get it now. :)
    - There are users and passwords for MySQL root, ispconfig, phpmyadmin. And we need to be aware of the primary controller's MySQL root password, which is entered in both the secondary and the primary for each new server.
    - To set up a secondary system we need to issue commands on the primary controller. It would be cool if a new server could make an HTTP web service call from secondary to primary so that the primary can issue its own user creation and setting privileges.
    - DNS must be configured and firewall ports left open Before installing a secondary system.
    - With all of the advice that server names Must be a FQDN, so far it looks like it's OK if systems within a network are referenced by hostname-only. For example, from web01 to ns01.
    - There doesn't seem to be a defined way to exit from the install.php prompts other than ^C. For example, on repeated failure to connect a secondary (web) server to a primary (db) server, we might want to break out and reboot or do something else. The immediate question is "will this continue where it left off or do I need to clean up first?". Having done this many times now, it seems like we can run install many times, until it's actually complete, and then we need to use update.php. But I don't see any docs for how to handle that.

    I think that's it for me. Again, doing this a few times helps to establish the patterns, but so far this knowledge comes from experimentation, not documentation. I have my Allinstall scripts doing everything now, up to the login into ISPConfig where we can then start configuring. I look forward to getting into API details to see what we can automate there too (create user, create client, create server, create DNS zone, create site, and all of the mail operations...).

    Regards
     
  13. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I like the idea - it is planned to change the entire slave<->master communication to REST instead of mysql, so this would fit in well.
    Try entering 'quit' at a prompt, it looks like that should work (for any prompts using the simple_query() function at least, I don't know if they all do....).
     
