Hello, I know this is a very talked-about subject, but I have a problem even though I've gone through all the troubleshooting. We couldn't get Let's Encrypt to work with HAProxy, so we rerouted past that in our firewall, and now it works when I test a --dry-run with certbot, but I still can't create via the ISPConfig control panel. Tried to create a hello.txt in the /.well-known/acme-challenge folder but can't reach it through the website; I get 403 - Forbidden. I have also tested all the steps in the Let's Encrypt FAQ. Still get (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization. But this works: certbot certonly --standalone --dry-run -d cluster.kulturhotell.se Thanks!
In which exact path on the server did you create it? The server path of the acme folder is /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/, so if you want to test this, use: touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt There is a Let's Encrypt FAQ with detailed steps on how to debug this: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt Then I tried: http://cluster.kulturhotell.se/.well-known/acme-challenge/hello.txt
Debug mode gives me the same answers as letsencrypt.log:

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cluster.kulturhotell.se
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. cluster.kulturhotell.se (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://cluster.kulturhotell.se/.wel...e/yQnw8jKKMx2ewU52ByYIaHyRlOWVmcpHRnb0q9pDOXk [80.244.87.143]: "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n<ht" finished.
If you can't reach it, then you must have blocked the URL in front of the server somewhere, or you added custom rewrite rules in the website vhost that redirect that URL to a different place. When LE cannot access its verification token, it will not issue a cert.
Another possibility is of course that the requests go to the wrong server. On a multiserver mirror setup, try to make /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ a shared NFS mount that is shared between all nodes.
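The test described in the two replies above (drop a file into the acme-challenge directory, then fetch it over plain HTTP on port 80 and see whether the right content comes back) can be scripted so that the three causes named here (a 403 from something in front of the server, a vhost rewrite that redirects the challenge URL, and a request landing on a mirror node that does not have the token) are told apart by the response. The following is an added example written for this thread, not code from ISPConfig, certbot or the posters; the function names, the placeholder key-authorization suffix and the throwaway local web servers are all constructed for the demonstration. Against a real site you would call fetch_challenge() with the site's base URL after placing the token under /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ and inspect what diagnose() reports.

```python
import functools
import http.server
import os
import secrets
import socketserver
import tempfile
import threading
import urllib.error
import urllib.request

# Path every ACME http-01 validator requests under the site's root.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def place_token(webroot, token, key_authz):
    """Write the challenge file where the web server is expected to serve it."""
    directory = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(directory, exist_ok=True)
    path = os.path.join(directory, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(key_authz)
    return path


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx answers instead of following them, so a rewrite rule becomes visible."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_challenge(base_url, token, timeout=5):
    """Fetch the token over plain HTTP the way a validator would; returns (status, body)."""
    url = base_url.rstrip("/") + CHALLENGE_PREFIX + token
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")


def diagnose(status, body, expected):
    """Map the response to the failure classes discussed in the thread."""
    if status == 200 and body.strip() == expected:
        return "ok"
    if status == 200:
        return "wrong-content"   # something else answered: a default page or another node
    if status in (301, 302, 303, 307, 308):
        return "redirected"      # a rewrite/redirect rule moves the challenge URL
    if status == 403:
        return "forbidden"       # blocked by a proxy, firewall or vhost permissions
    if status == 404:
        return "not-found"       # request landed on a server that lacks the token
    return "unexpected-%d" % status


class _QuietFiles(http.server.SimpleHTTPRequestHandler):
    """Serves the constructed webroot without logging to stderr."""
    def log_message(self, *args):
        pass


class Forbidden(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a front end that answers 403 on the challenge path."""
    def do_GET(self):
        self.send_response(403)
        self.end_headers()
        self.wfile.write(b"forbidden")

    def log_message(self, *args):
        pass


class RedirectToHttps(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a vhost rewrite that bounces port 80 to HTTPS."""
    def do_GET(self):
        self.send_response(301)
        self.send_header("Location", "https://example.invalid" + self.path)
        self.end_headers()

    def log_message(self, *args):
        pass


def simulate(handler_cls=None):
    """Run the check against a throwaway webroot served on 127.0.0.1 (all constructed)."""
    webroot = tempfile.mkdtemp()
    token = secrets.token_urlsafe(32)
    # A real key authorization is "<token>.<JWK thumbprint>"; the suffix is a placeholder here.
    key_authz = token + ".thumbprint-placeholder"
    place_token(webroot, token, key_authz)
    if handler_cls is None:
        handler_cls = functools.partial(_QuietFiles, directory=webroot)
    with socketserver.TCPServer(("127.0.0.1", 0), handler_cls) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            base = "http://127.0.0.1:%d" % server.server_address[1]
            status, body = fetch_challenge(base, token)
        finally:
            server.shutdown()
    return diagnose(status, body, key_authz)


if __name__ == "__main__":
    for name, handler in (("healthy", None), ("403 front end", Forbidden), ("redirect", RedirectToHttps)):
        print("%-13s -> %s" % (name, simulate(handler)))
```

The redirect handler is deliberately not followed: certbot's log in this thread shows the validator receiving an HTML page instead of the token, and a silent redirect to an HTTPS vhost or a default site is exactly what a browser would hide.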
Thanks, it's very strange, because now we pointed the IP back in our firewall as it was before, when we could create Let's Encrypt certs, and a dry run works with the standalone plugin, but I get the above error via the checkboxes in ISPConfig. Even when I shut down web-02 and only use the master server, it's still the same error. Which certbot command does it run when you check the Let's Encrypt boxes in the website settings? I've compared all the vhost settings with our old setup that doesn't use the mirror function, where we create sites on individual servers, and every file has the same config. Created a new website with DNS and got the same error there.
I get the original error once we point it back in the firewall to use HAProxy. Now I know it works without HAProxy at least. There isn't much content out there to troubleshoot the HAProxy + ISPConfig combo, though. Thanks for all the help! Really like ISPConfig and hoping we can still use it with our server setup; might have to create certs manually directly on HAProxy and let it manage them.