Cannot get Let's Encrypt certificate for website

Discussion in 'General' started by SilkBC, May 8, 2018.

  1. SilkBC

    SilkBC Member

    Hello,

    I am on ISPConfig 3.1.11 and I am trying to get a Let's Encrypt SSL certificate for one of my hosted sites, but it keeps failing (on the properties of the website I am just ticking the "SSL" and "Let's Encrypt SSL" boxes, then clicking "Save". I am not doing anything on the "SSL" tab)

    I have posted the output of the DEBUG info from running 'server.sh' below (I changed the domains for privacy purposes, but yes, the domains in question *do* point to my server and come up when I go to them). I have gone through the "Let's Encrypt FAQ" and performed the steps in there. It looks like some sort of permissions or authentication issue, but I don't know the cause or how to fix it.

    Thoughts and ideas greatly appreciated.

    Code:
    root@l-host01:/opt/letsencrypt# /usr/local/ispconfig/server/server.sh
    			
    
    07.05.2018-16:37 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    07.05.2018-16:37 - DEBUG - Found 1 changes, starting update process.
    07.05.2018-16:37 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.05.2018-16:37 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    07.05.2018-16:37 - DEBUG - Create Let's Encrypt SSL Cert for: mydomain.com
    07.05.2018-16:37 - DEBUG - Let's Encrypt SSL Cert domains:  --domains mydomain.com --domains www.mydomain.com --domains mydomain2.com --domains www.mydomain2.com
    07.05.2018-16:37 - DEBUG - exec: /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains mydomain.com --domains www.mydomain.com --domains mydomain2.com --domains www.mydomain2.com --webroot-path /usr/local/ispconfig/interface/acme
    You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mydomain.com
    http-01 challenge for www.mydomain.com
    http-01 challenge for mydomain2.com
    http-01 challenge for www.mydomain2.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    Failed authorization procedure. www.mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain.com/.well-known/acme-challenge/TaaTOLxcctdWHuJ-4Cq05kfOO6lZyIkL7BG8AHQXcHY: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter", www.mydomain2.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mydomain2.com/.well-known/acme-challenge/EK4brv6bx9PB8oSCLCV2SR4TLPJ8_h39vtwkOz5R23I: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter", mydomain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain.com/.well-known/acme-challenge/LjZElmi4wiQ7FdMLSNT6fsCcXUNXwjbUlRH0DCnDkQo: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter", mydomain2.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mydomain2.com/.well-known/acme-challenge/1CmNKLLQ93tJzTAm_74Uc-9vyomh05y0BWOoLa2KMEg: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>500 Internal Server Error</title>
    </head><body>
    <h1>Inter"
    07.05.2018-16:37 - WARNING - Let's Encrypt SSL Cert for: mydomain.com could not be issued.
    07.05.2018-16:37 - WARNING - /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains mydomain.com --domains www.mydomain.com --domains mydomain2.com --domains www.mydomain2.com --webroot-path /usr/local/ispconfig/interface/acme
    07.05.2018-16:37 - DEBUG - Add server alias: mydomain2.com
    07.05.2018-16:37 - DEBUG - Creating fastcgi starter script: /srv/websites/php-fcgi-scripts/web19/.php-fcgi-starter
    07.05.2018-16:37 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/mydomain.com.vhost
    07.05.2018-16:37 - DEBUG - Apache status is: running
    07.05.2018-16:37 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    07.05.2018-16:37 - DEBUG - Restarting httpd: /etc/init.d/apache2 restart
    07.05.2018-16:37 - DEBUG - Apache restart return value is: 0
    07.05.2018-16:37 - DEBUG - Apache online status after restart is: running
    07.05.2018-16:37 - DEBUG - Processed datalog_id 1147
    07.05.2018-16:37 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    
    Thanks! :)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You can test manually what LE tries in order to verify your domain.

    1) Create a test token file:

    touch /usr/local/ispconfig/interface/acme/hello.txt

    2) Now you must be able to fetch this hello.txt file on all domains that shall be authorized:

    http://mydomain.com/.well-known/acme-challenge/hello.txt

    If this does not work, then LE will not issue the cert.

    The path .well-known/acme-challenge/ of each website is an alias that points to directory /usr/local/ispconfig/interface/acme/

    One reason that this fails can be that you have some custom rewrite rules in the apache directives field of the site or in a .htaccess file which prevent access to the path .well-known/acme-challenge/ in that site.
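    The manual test above, scripted for all the hostnames in the certbot command, as an added example (not code from the thread or from ISPConfig); it assumes the ISPConfig acme directory shown in the log and that curl is installed.

```shell
#!/bin/sh
# Added example (not from the thread): scripts the manual test for every
# hostname in the certbot command. Assumes the ISPConfig acme webroot seen in
# the log and that curl is installed. Let's Encrypt validates from the outside,
# so run it from a host outside your own network when you can.
ACME_DIR="/usr/local/ispconfig/interface/acme"

# verdict CODE BODY EXPECTED: classify one fetch of the challenge URL.
# Prints "ok", "http-<code>" (e.g. http-500, as in the certbot output above)
# or "mismatch" (200 but other content, typically an index page or a rewrite).
verdict() {
  code="$1"; body="$2"; expected="$3"
  if [ "$code" != "200" ]; then
    printf 'http-%s\n' "$code"
  elif [ "$body" != "$expected" ]; then
    printf 'mismatch\n'
  else
    printf 'ok\n'
  fi
}

# check_domain DOMAIN TOKEN EXPECTED: fetch the token over plain HTTP like the
# ACME server does. Redirects are not followed, so a 301/302 shows up as
# http-3xx and tells you a rewrite or redirect acts on .well-known/acme-challenge/.
check_domain() {
  domain="$1"; token="$2"; expected="$3"
  url="http://${domain}/.well-known/acme-challenge/${token}"
  tmp=$(mktemp)
  code=$(curl -s -m 10 -o "$tmp" -w '%{http_code}' "$url") || code="000"
  body=$(cat "$tmp"); rm -f "$tmp"
  result=$(verdict "$code" "$body" "$expected")
  printf '%-30s %s\n' "$domain" "$result"
  [ "$result" = "ok" ]
}

# run_check DOMAIN...: write a random token into the acme dir, test every
# domain against it, remove the token. Exit status 1 if any domain failed.
run_check() {
  token="acme-test-$$-$(date +%s)"
  expected="hello-from-$token"
  printf '%s' "$expected" > "$ACME_DIR/$token"
  rc=0
  for d in "$@"; do check_domain "$d" "$token" "$expected" || rc=1; done
  rm -f "$ACME_DIR/$token"
  return "$rc"
}

# Usage: sh check_acme.sh mydomain.com www.mydomain.com mydomain2.com www.mydomain2.com
if [ $# -gt 0 ]; then run_check "$@"; fi
```

    A domain that reports http-500 here reproduces the failure in the certbot output above; check the site's Apache directives, .htaccess and the Apache error log for that vhost.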
     
