I have now reinstalled and run the script on each server. It does indeed fail when trying to run the 'LETS ENCRYPT' portion of the setup on each server. I have set an A record for all the name servers at the hosting company, pointing to each IP / hostname. It's correct; I checked using "https://dnschecker.org/#A/panel.tlwebservices.co.uk" and for each hostname it is all green. So I have, as your tutorial shows: panel, web01, mx1, mx2, ns1, ns2, webmail. When the portal installed, it is using a self-signed cert and not a Let's Encrypt one. Other things to note: it states I should have a /var/log/letsencrypt log. I don't. I will follow the debugging ISPConfig 3 now. Other issue: as you mentioned a BUG, am I adding the domain normally and not just the name of the name server? And step 2, adding the secondary DNS: the 2nd box asks "NS (IP-address) of the secondary name server"? It also states to separate the multiple IPs, and then the last box is "allow zone transfer to these IPs"? Seems like you're asking for the IPs of both name servers in 2 boxes.
I checked the logs and letsencrypt wasn't installed. Now it's installed on web01, mx1, mx2, webmail, but I cannot install it on panel; I cannot ping google.com, so something is blocking access.
That's perfectly fine as current ISPConfig versions do not use certbot (which creates that log) anymore, current versions use acme.sh and the FAQ mentions the acme.sh log as well.
OK, I ran
Code: ispconfig_update.sh --force
for panel.tlwebservices.co.uk: yes to backup, yes to reconfigure permissions in master database, no to mail server, no to DNS, yes to reconfigure services. Then it tries to run acme.sh and errors with this:
Code: [Mon 9 Aug 12:05:27 BST 2021] panel.tlwebservices.co.uk:Verify error:Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/STUFF----------: Connection refused
Then it tries to fall back to a self-signed cert.
EDIT: Do I need an API key?
Hi Taleman, thanks for answering. No, I'm still setting them up; I have not got to moving any sites over yet. It seems the script fails during install when acme.sh starts; when I run ispconfig_update.sh --force it still errors:
Code:
Updating ISPConfig
ISPConfig Port [8080]:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for panel.tlwebservices.co.uk
Using certificate path /root/.acme.sh/panel.tlwebservices.co.uk
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/panel.tlwebservices.co.uk
[Mon 9 Aug 12:52:28 BST 2021] panel.tlwebservices.co.uk:Verify error:Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/IKFGEHGvNObrUpIU0tf3U0_EdWCx0UgQ2fFAcitwbwo: Connection refused
[Mon 9 Aug 12:52:28 BST 2021] Please add '--debug' or '--log' to check more details.
[Mon 9 Aug 12:52:28 BST 2021] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key
Firewall??
Sure could be, or a port forwarding issue if you use NAT. The other possibility is the web server isn't running at the time the verification request is made.
I don't think it is a firewall issue because the code does check and open that if it is closed. Web server failure to start has reported cases, last time I checked. Being behind NAT could be the issue too, but this one can be resolved as per the instructions in the LE FAQ, unless multiple servers are behind it; then using a proxy is better than using port forwarding.
OK, I'm not sure it is. I can access ports 80 and 8080 on the web server; I can edit /var/www/html/index.php, adding hello world to the top of the index.html file. I have verified with Draytek and had them dial in to check settings; there was an issue with the netmask, and we changed it to "IP Routed Subnet", which my other setup uses, so this is now identical. Am I chasing ghosts here? When installing ISPConfig multi-server, once the script has run should I end up with a Let's Encrypt certificate or a self-signed one? I enabled the log, all 600 lines; it fails, and here's where it fails:
Code:
[Mon 9 Aug 16:52:23 BST 2021] code='200'
[Mon 9 Aug 16:52:23 BST 2021] original='{ "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA", "token": "crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8", "validationRecord": [ { "url": "http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8", "hostname": "panel.tlwebservices.co.uk", "port": "80", "addressesResolved": [ "212.159.153.2" ], "addressUsed": "212.159.153.2" } ], "validated": "2021-08-09T15:52:21Z" }'
[Mon 9 Aug 16:52:24 BST 2021] _json_decode
[Mon 9 Aug 16:52:24 BST 2021] _j_str='{ "type": "http-01", "status": "invalid", "error": { "type": "urn:ietf:params:acme:error:connection", "detail": "Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused", "status": 400 }, "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA", "token": "crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8", "validationRecord": [ { "url": "http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8", "hostname": "panel.tlwebservices.co.uk", "port": "80", "addressesResolved": [ "212.159.153.2" ], "addressUsed": "212.159.153.2" } ], "validated": "2021-08-09T15:52:21Z" }'
[Mon 9 Aug 16:52:24 BST 2021] response='{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA","token":"crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8","validationRecord":[{"url":"http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8","hostname":"panel.tlwebservices.co.uk","port":"80","addressesResolved":["212.159.153.2"],"addressUsed":"212.159.153.2"}],"validated":"2021-08-09T15:52:21Z"}'
[Mon 9 Aug 16:52:24 BST 2021] original='{"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:connection","detail":"Fetching http://panel.tlwebservices.co.uk/.well-known/acme-challenge/crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb8: Connection refused","status": 400},"url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/20373779950/E9TlgA","token":"crRZDzAf69lkvDaLlx4oqabe-dkCLonFYMOTBTw5Cb
Why does it fail, and where is this location on the server so I can check it exists? http://panel.tlwebservices.co.uk/.well-known/acme-challenge - .well-known/acme-challenge
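As an added example (not code from the thread or from ISPConfig/acme.sh): a small Python helper that pulls the challenge object out of an acme.sh --debug line like the response='...' entry above and summarises the validation record, so the error detail and the address the CA actually connected to can be read without scrolling through the raw JSON. The hostname, token and addresses in the sample line are constructed, and the set of "expected" addresses is an assumption the admin supplies.

```python
import json
import re

# acme.sh --debug logs the raw challenge as "[date] response='{...}'"; extract that JSON.
_RESPONSE_RE = re.compile(r"\] response='(\{.*\})'\s*$")


def parse_challenge_line(log_line):
    """Return the decoded challenge object from one acme.sh log line, or None."""
    m = _RESPONSE_RE.search(log_line)
    return json.loads(m.group(1)) if m else None


def diagnose(challenge, expected_addrs):
    """Summarise a failed http-01 challenge: the CA's error and the address it hit.

    expected_addrs: public addresses the admin expects the hostname to resolve to;
    any other address used by the CA (stale A record, firewalled AAAA) is flagged.
    """
    if challenge.get("status") == "valid":
        return ["challenge valid"]
    err = challenge.get("error", {})
    findings = [f"error {err.get('type')}: {err.get('detail')}"]
    for rec in challenge.get("validationRecord", []):
        used = rec.get("addressUsed", "")
        findings.append(f"CA fetched {rec.get('url')} via {used} port {rec.get('port')}")
        if used not in expected_addrs:
            findings.append(f"address {used} is not one the web server is expected to serve on")
        if ":" in used:
            findings.append("validation went over IPv6; check the v6 firewall rules and AAAA record")
    if err.get("type", "").endswith(":connection") and "refused" in err.get("detail", ""):
        findings.append("port 80 actively refused: nothing listening on that address, or a filter rejecting it")
    return findings


# Constructed sample in acme.sh --debug format; hostname, token and addresses are made up.
SAMPLE_LINE = (
    "[Mon 9 Aug 16:52:24 BST 2021] response='{\"type\":\"http-01\",\"status\":\"invalid\","
    "\"error\":{\"type\":\"urn:ietf:params:acme:error:connection\",\"detail\":\"Fetching "
    "http://panel.example.test/.well-known/acme-challenge/EXAMPLETOKEN: Connection refused\","
    "\"status\":400},\"validationRecord\":[{\"url\":\"http://panel.example.test/.well-known/"
    "acme-challenge/EXAMPLETOKEN\",\"hostname\":\"panel.example.test\",\"port\":\"80\","
    "\"addressesResolved\":[\"203.0.113.2\",\"2001:db8::2\"],\"addressUsed\":\"2001:db8::2\"}]}'"
)


def run_sample():
    """Diagnose the constructed line, assuming only the IPv4 address is served."""
    return diagnose(parse_challenge_line(SAMPLE_LINE), {"203.0.113.2"})
```

Feed it the response= line from your own acme.sh log and the addresses your A/AAAA records should carry; an addressUsed that is not in that set is the first thing to fix.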
/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
You can test it like this:
touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt
You should then be able to reach it (from an external system) with the URL:
http://panel.tlwebservices.co.uk/.well-known/acme-challenge/test.txt
Try to modify firewall rules and allow incoming IPv6 connections or temporarily disable IPv6 on that server. The former is recommended.
I did as you suggested; I have also disabled the firewall and then run
Code: ispconfig_update.sh
and again it fails Let's Encrypt and defaults to self-signed.
Code:
/etc/default/ufw
IPV6=yes
root@panel:/etc/default# ufw status numbered
Status: active
     To                         Action      From
     --                         ------      ----
[ 1] 22/tcp                     ALLOW IN    Anywhere
[ 2] 80/tcp                     ALLOW IN    Anywhere
[ 3] 443/tcp                    ALLOW IN    Anywhere
[ 4] 8080/tcp                   ALLOW IN    Anywhere
[ 5] 8081/tcp                   ALLOW IN    Anywhere
[ 6] 3306/tcp                   ALLOW IN    2.*.*.*/24
[ 7] 22/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 8] 80/tcp (v6)                ALLOW IN    Anywhere (v6)
[ 9] 443/tcp (v6)               ALLOW IN    Anywhere (v6)
[10] 8080/tcp (v6)              ALLOW IN    Anywhere (v6)
[11] 8081/tcp (v6)              ALLOW IN    Anywhere (v6)
I did as you suggested and yes, it shows up: http://panel.tlwebservices.co.uk/.well-known/acme-challenge/test.txt
I tailed the letsencrypt log and spotted these 2 lines; the script thinks I'm running nginx:
Code:
[Tue 10 Aug 07:19:29 BST 2021] '/usr/local/ispconfig/interface/acme' does not contain 'apache'
...
[Tue 10 Aug 07:19:36 BST 2021] responseHeaders='HTTP/1.1 400 Bad Request
Server: nginx
Could this be the issue?
I did not mention anything about disabling the firewall; rather, I recommended allowing IPv6 connections in the firewall or disabling IPv6. That could be the issue. Fully remove nginx if your web server is running apache2.