ISPConfig 3.1 and letsencrypt

Discussion in 'General' started by Jigal van Hemert, Aug 22, 2016.

  1. Jigal van Hemert

    Jigal van Hemert New Member

    I followed the HowToForge tutorial which says at step 9 ( https://www.howtoforge.com/tutorial...doveot-and-ispconfig/2/#-install-lets-encrypt ) to install letsencrypt and leave the generation of certificates to ISPConfig.
    There are checkboxes in the server configuration to activate SSL and Let's Encrypt, but these are always emptied again after returning to the configuration dialogue. Generating certs in the SSL tab doesn't help in this regard. FireFox just complaints about SSL headers that are too large and the SSL and Let's Encrypt checkboxes are emptied again.
    How is Let's Encrypt supposed to work with ISPConfig 3.1?
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Enable the checkboxes for SSL and Let's Encrypt, and don't even visit the SSL tab, all you can do is break things there (there's a rfe to hide that tab and generally make the Let's Encrypt usage more clear). Since you already created a certificate under the SSL tab, you might go back in there and choose to Delete the certificate first (I dont' know if it'll matter or not).
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  4. Jigal van Hemert

    Jigal van Hemert New Member

    I had deleted the certificate already, but made sure the SSL key field was empty too. Waited for the job queue to finish, then set both checkboxes (SSL and Let's Encrypt). Waited again for the job queue to finish and then visited the frontend URL with https.
    Firefox produced error SSL_ERROR_RX_RECORD_TOO_LONG, Chrome said that the site didn't send a valid response (ERR_SSL_PROTOCOL_ERROR). When I check the site configuration both checkboxes are cleared.

    Because this was the site where I use an alias domain until the site is ready and the actual domain is moved to this server I also tried the same thing with the other site which has it's actual domain on this machine. Here I never tried to generate a certificate or activate SSL at all. I only set both checkboxes, waited for the job queue and things didn't work either. Also both checkboxes were cleared again.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This happens when letsencrypt could not issue the cert, the most likely reason are missing dns records for any of the sub or aliasdomains. You can use the debug mode to get more details if you dont know which domain is missing in dns.
     
  6. Jigal van Hemert

    Jigal van Hemert New Member

    I didn't set any DNS data inside ISPConfig. The hoster of my VPS already provides the options to maintain DNS records on their name servers. It looks pretty complete:
    Code:
    Name  TTL  Type    Value
    *     24h  A       149.210.157.235
    *     24h  AAAA    2a01:7c8:aab3:502::1
    @     24h  A       149.210.157.235
    @     24h  MX      10 @
    ftp   24h  CNAME   @
    mail  24h  CNAME   @
    www   24h  CNAME   @
    This is for the domain typo3coder.nl that has been hosted on this server for a while now. The Let's Encrypt options inside ISPConfig are not working for this domain either.
    Is there a need to have any of this information inside ISPConfig (3.1-dev; installed Aug 5th) to let Let's Encrypt work?
    Also, where can I set the debug mode for let's encrypt? I found a debug log level inside the ISPConfig System > Server Config screen on the Server tab, but that will probably create a humongous amount of log data...
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Do you have any subdomains or alias domains defined in ispconfig for this? If so, eg. say you created test.typo3coder.nl, then ispconfig will request a letsencrypt certificate with all of the names www.typo3coder.nl, typo3coder.nl and test.type3coder.nl, and letsencrypt will connect to all of those hosts to authenticate the request - hence all of those hostnames need to be in DNS (which my 'test.typo3coder.nl' example name is not present in your hoster's dns).

    That debug option is the setting, and you can disable the cronjob running server.sh temporarily then run it manually after making your changes (eg. enable the checkboxes, so the certificate will generate) to see the output. I think it gets logged so you can find it in Monitor > Show System-Log too, but as you said it becomes quite a bit of output, so don't leave it on Debug level long term (and re-enable your cronjob).
     
  8. Jigal van Hemert

    Jigal van Hemert New Member

    (www.)typo3coder.nl is associated with client1/web1 ; bordercollies.typo3coder.nl is an alias domain for the bordercollies.nl site that I'm re-building (the domain will be moved to this server later) and attached to client2/web5.
    It's not a problem to have let's encrypt activated for the second one after the domain is moved. I wanted to try it for the first site as a test case so I can easily enable it for the other later on.
     
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I wonder if you try deleting the bordercollies.typo3coder.nl alias and enabling letsencrypt on the first site if it'd work, ie. if there's a bug that's including that alias name when it shouldn't. If that works, file an issue in gitlab; if it doesn't... get debugging working, and see what you find there.
     
  10. Jigal van Hemert

    Jigal van Hemert New Member

    Tue Aug 23 23:46:01 CEST 2016 Job has schedule: */15 * * * *
    Tue Aug 23 23:46:01 CEST 2016 Called onPrepare() for class cronjob_monitor_email_quota
    Tue Aug 23 23:46:01 CEST 2016 Called onBeforeRun() for class cronjob_monitor_email_quota
    Tue Aug 23 23:46:01 CEST 2016 23.08.2016-23:46 - DEBUG - Create Let's Encrypt SSL Cert for: typo3coder.nl
    Tue Aug 23 23:46:01 CEST 2016 Jobs next run is 2016-08-24 00:00:00
    Tue Aug 23 23:46:01 CEST 2016 Date compare of 1471989600 and 1471988761 is -1
    Tue Aug 23 23:46:01 CEST 2016 Called onCompleted() for class cronjob_monitor_email_quota
    Tue Aug 23 23:46:01 CEST 2016 run job (cronjob_monitor_email_quota) done.
    Tue Aug 23 23:46:01 CEST 2016 Included cronjob_monitor_fail2ban from /usr/local/ispconfig/server/lib/classes/cron.d/100-monitor_fail2ban.inc.php -> will now run job.
    Tue Aug 23 23:46:01 CEST 2016 23.08.2016-23:46 - DEBUG - Let's Encrypt SSL Cert domains: typo3coder.nl --domains www.typo3coder.nl
    Tue Aug 23 23:46:01 CEST 2016 Called run() for class cronjob_monitor_fail2ban
    Tue Aug 23 23:46:01 CEST 2016 23.08.2016-23:46 - WARNING - Let's Encrypt SSL Cert for: typo3coder.nl could not be issued.
    Tue Aug 23 23:46:01 CEST 2016 Job has schedule: */5 * * * *
    Tue Aug 23 23:46:01 CEST 2016 Called onPrepare() for class cronjob_monitor_fail2ban
    Tue Aug 23 23:46:01 CEST 2016 Called onBeforeRun() for class cronjob_monitor_fail2ban
    Tue Aug 23 23:46:01 CEST 2016 Jobs next run is 2016-08-23 23:50:00
    Tue Aug 23 23:46:01 CEST 2016 Date compare of 1471989000 and 1471988761 is -1
    Tue Aug 23 23:46:01 CEST 2016 Called onCompleted() for class cronjob_monitor_fail2ban

    That's all I could find about Let's Encrypt. It looks like it didn't try to use the alias. Not very verbose regarding the error :-(
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Yeah, looks like that alias isn't the problem. Try to request the certificate manually, as root:
    Code:
    certbot certonly --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d typo3coder.nl -d www.typo3coder.nl --webroot-path /usr/local/ispconfig/interface/web
    
    See if that gives more verbose output.
     
  12. Jigal van Hemert

    Jigal van Hemert New Member

    I found a certbot executable in :/home/jigal/.local/share/letsencrypt/bin . Running the command produced a traceback ending with
    PluginError: /usr/local/ispconfig/interface/web does not exist or is not a directory
    Next attempt to run it as root:
    Code:
    IMPORTANT NOTES:
    - The following errors were reported by the server:
    
      Domain: typo3coder.nl
      Type:  unauthorized
      Detail: Invalid response from
      http://typo3coder.nl/.well-known/acme-challenge/CbuFwA6K-MubZDW9cyTHxe5VcoWy1UCDt9SpPfrxY5s:
      "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <ht"
    
      Domain: www.typo3coder.nl
      Type:  unauthorized
      Detail: Invalid response from
      http://www.typo3coder.nl/.well-known/acme-challenge/h7OkpdPJ9gkrJ6_JKB_sqfeB31oPtKp7HgXWTncw2Fc:
      "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
      <ht"
    
      To fix these errors, please make sure that your domain name was
      entered correctly and the DNS A record(s) for that domain
      contain(s) the right IP address.
    
    
    I checked the .htaccess file and it has a section (inside an if mod_rewrite block)
    Code:
      # Block access to all hidden files and directories with the exception of
       # the visible content from within the `/.well-known/` hidden directory (RFC 5785).
       RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
       RewriteCond %{SCRIPT_FILENAME} -d [OR]
       RewriteCond %{SCRIPT_FILENAME} -f
       RewriteRule (?:^|/)\. - [F]
     
  13. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That is not a path where ispconfig will find it, maybe that's (part of) your problem. It will look under /root/.local/share/.... or whatever is in $PATH. When you later ran it as root, did you run it from that /home/jigal/.local/.... path? If so, hit the perfect server guide and follow the section to install certbot again, specifically run certbot-auto as root. Or you can just install from system packages, apparently Ubuntu 16 has them (https://certbot.eff.org/all-instructions/#ubuntu-16-04-xenial-apache).
     
  14. Jigal van Hemert

    Jigal van Hemert New Member

    Reinstalled certbot (one stream of ... is already latest...) After that I ran "your" command from /root/.local/share/letsencrypt/bin but it had the same result.
    https://github.com/certbot/certbot/issues/1761 seems to describe a problem with permissions.
    So I tried watch -d -n 0.1 "ls -alrt" in the webroot of typo3coder.nl and ran the certbot command in another session as root. Absolutely nothing happened. It just doesn't create a .well-known directory.

    Next attempt: the OS package. Installation ran fine, but then it was time to run "letsencrypt --apache certonly". Result:
    Code:
    Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.
    
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:67
    AH00526: Syntax error on line 2 of /etc/apache2/le_tls_sni_01_cert_challenge.conf:
    The address or port is invalid
    
     
  15. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That should be normal I think, ispconfig uses /usr/local/ispconfig/interface/acme/.well-known

    did that /etc/apache2/le_tls_sni_01_cert_challenge.conf file come from your certbot OS package? That doesn't sound familiar (I've used the packages from jessie-backports, but not ubuntu offhand). Might try where that gets included in the apache config and comment it out, in case it's interfering with the .well-known configuration ispconfig sets up.
     
  16. Jigal van Hemert

    Jigal van Hemert New Member

    So, ISPConfig changes webroot temporarily!

    It's not a permanent file. I guess that "letsencrypt --apach certonly" creates it.
     
  17. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Sorry, try this:
    Code:
    certbot certonly -n --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d typo3coder.nl -d www.typo3coder.nl --webroot-path /usr/local/ispconfig/interface/acme
    I had that wrong in the above command (and might be wrong in another post I copied that from?).
     
  18. Jigal van Hemert

    Jigal van Hemert New Member

    Code:
     - Congratulations! Your certificate and chain have been saved at
      /etc/letsencrypt/live/typo3coder.nl/fullchain.pem. Your cert will
      expire on 2016-11-22. To obtain a new or tweaked version of this
      certificate in the future, simply run certbot again. To
      non-interactively renew *all* of your certificates, run "certbot
      renew"
    
    Certificate works, redirect to https works also! Yeah!
    Now I'm curious if the automatic renewal by ISPConfig will work... :)

    Thank you so much for all the help!
     
  19. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    It will (though might require at least one domain to be setup with letsencrypt, so make sure that checkbox is enabled), and your OS package probably includes another renewal cronjob which will work for redundancy, but you might test another domain setup only through ispconfig and make sure the cretificate request works there now.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's an alias, the web root get's not changed.
     

Share This Page