Generate Let's Encrypt certificate via Ispconfig failed.

Discussion in 'Installation/Configuration' started by cremos, May 9, 2022.

  1. cremos

    cremos Member

    Hello!
    For several days, I can no longer create a Let's Encrypt certificate for a website via Ispconfig.
    In the domain creation form, I check the "SSL & Let's Encrypt" box.
    I then receive an error email with:
    Code:
    e-mail :  panel3.in.ac-amiens.fr - 09.05.2022-15:52 - WARNING - Let's Encrypt SSL Cert for: culture.lamarck-albert.ac-amiens.fr could not be issued.
    Extrait de log de letsencrypt.log :
    requests.exceptions.ProxyError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by ProxyError('Cannot connect to proxy.', NewConnectionError('<urllib3.connection.VerifiedHTTPSConnection object at 0x7f4eaaa10908>: Failed to establish a new connection: [Errno -2] Name or service not known')))
    
    1/ Renewing certificates via cron works.
    2/ I ran this command: "certbot certonly --apache" to generate a certificate, it works.
    3/ The Ispconfig server manages to reach the acme-v02.api.letsencrypt.org site via the commands :
    Code:
    curl -v https://acme-v02.api.letsencrypt.org"
    echo | openssl s_client -connect acme-v02.api.letsencrypt.org:443 -servername acme-v02.api.letsencrypt.org -proxy proxy1.ac-amiens.fr:3128 | head
    
    4/ To update ispconfig "ispconfig_update.sh", add the proxy in the file, /usr/local/ispconfig/server/lib/config.inc.php
    The Ispconfig server does not issue a proxy to go to the web.
    Thank you in advance for your answers.
    Crémos
     

    Attached Files:

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please follow Let's Encrypt FAQ to find out what the reason for your issue is:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    E.g. did you disable the let's encrypt check as suggested there? Using a proxy to run ISPConfig behind it is generally not supported and may lead to all kinds of malfunctions.

    Now your website is locked, never use this command on an ISPConfig system. ISPConfig is no longer able to manage that site, you have to undo all changes that the certbot command did with the config.
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I can confirm this, I work towards filtered outbound connections and using a proxy for needed http(s) requests, and it is a pain, and a perennial source of issues. I have setup proxy env/config in /usr/local/ispconfig/server/lib/config.inc.php and found it will fix one issue, but create another. Some of the issues in using the proxy may be due to the specific software in use to configure the underlying squid proxy, but I do not have any satisfactory configuration/setup on this currently.
     
  4. cremos

    cremos Member

    Hello!
    Thank you for your responsiveness and your answers, I do not understand the behavior of the server.
    Prior to April 6, I was able to generate a certificate via Ispconfig without issue.
    No changes and updates have been made on the server.
    Crémos
     
  5. cremos

    cremos Member

    I just figured out why it wasn't working.
    Configuring the proxy in "/usr/local/ispconfig/server/lib/config.inc.php" caused this malfunction.
    After removing proxy from "config.inc.php" file.
    everything is in order.
    Thanks again
     

Share This Page