Ispconfig + Let's encrypt + Nginx don't work for me.

Discussion in 'Installation/Configuration' started by Vik82000, Apr 27, 2016.

  1. Vik82000

    Vik82000 New Member

    Hi all,

    I decided to give a try to Let's Encrypt and I'm stuck since my SSL certs are still not certified by my browsers.

    Here is my vhost conf:
    Code:
    server {
        listen *:80;
        listen *:443 ssl;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate /var/www/clients/client1/web2/ssl/mysite.com.crt;
        ssl_certificate_key /var/www/clients/client1/web2/ssl/mysite.com.$

        server_name dokkan-battle.fr www.mysite.com;

        root   /var/www/mysite.com/web/;

        index index.html index.htm index.php index.cgi index.pl index.xhtml;

        location ~ \.shtml$ {
            ssi on;
        }
        location / {
            try_files $uri $uri/ /index.php?$args;
        }

        error_page 400 /error/400.html;
        error_page 401 /error/401.html;
        error_page 403 /error/403.html;
        error_page 404 /error/404.html;
        error_page 405 /error/405.html;
        error_page 500 /error/500.html;
        error_page 502 /error/502.html;
        error_page 503 /error/503.html;
        recursive_error_pages on;
        location = /error/400.html {
            internal;
        }
        location = /error/401.html {
            internal;
        }
        location = /error/403.html {
            internal;
        }
        location = /error/404.html {
            internal;
        }
        location = /error/405.html {
            internal;
        }
        location = /error/500.html {
            internal;
        }
        location = /error/502.html {
            internal;
        }
        location = /error/503.html {
            internal;
        }

        error_log /var/log/ispconfig/httpd/dokkan-battle.fr/error.log;
        access_log /var/log/ispconfig/httpd/dokkan-battle.fr/access.log combine$

        location ~ /\.(?!well-known/acme-challenge/) {
            deny all;
            access_log off;
            log_not_found off;
        }

        location = /favicon.ico {
            log_not_found off;
            access_log off;
        }

        location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
        }

        location /stats/ {
            index index.html index.php;
            auth_basic "Members Only";
            auth_basic_user_file /var/www/clients/client1/web2/web/stats/.htpas$
        }

        location ^~ /awstats-icon {
            alias /usr/share/awstats/icon;
        }

        location ~ \.php$ {
            try_files /b2c7b6c43338a0442cc2544187e4dd51.htm @php;
        }

        location @php {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            fastcgi_pass unix:/var/lib/php5-fpm/web2.sock;
            fastcgi_index index.php;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_intercept_errors on;
        }

        location /cgi-bin/ {
            try_files $uri =404;
            include /etc/nginx/fastcgi_params;
            root /var/www/clients/client1/web2;
            gzip off;
            fastcgi_pass  unix:/var/run/fcgiwrap.socket;
            fastcgi_index index.cgi;
            fastcgi_param SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        }

        location /\.well-known/acme-challenge {
            root /usr/local/ispconfig/interface/acme/.well-known/acme-challenge;
        }

        location /\.well-known/acme-challenge {
            root /usr/local/ispconfig/interface/acme/.well-known/acme-challenge;
            index index.html index.htm;
            try_files $uri =404;
        }
    }
    
    I can see my SSL certs on the ISP Site panel (screenshot omitted).


    and here is the error.log of Let's Encrypt, which is pretty explicit:

    Code:
    Domain: mysite.com
    Type:   unauthorized
    Detail: Invalid response from http://mysite.com/.well-known/acme-challenge/NsL74h1qE36xo_RbsRTKJSB5EA4TwP95cRfWfwUpXZo [62.210.239.108]: 404
    
    Domain: www.mysite.com
    Type:   unauthorized
    Detail: Invalid response from http://www.mysite.com/.well-known/acme-challenge/8H7okjrIamKhTkFSYoDNy-vQSk8VZIrBzcZV2OYJtKA [62.210.239.108]: 404
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2016-04-26 21:57:11,401:INFO:letsencrypt.auth_handler:Cleaning up challenges
    2016-04-26 21:57:11,402:DEBUG:letsencrypt.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/NsL74h1qE36xo_RbsRTKJSB5EA4TwP95cRfWfwUpXZo
    2016-04-26 21:57:11,404:DEBUG:letsencrypt.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/8H7okjrIamKhTkFSYoDNy-vQSk8VZIrBzcZV2OYJtKA
    2016-04-26 21:57:11,405:DEBUG:letsencrypt.plugins.webroot:Challenges cleaned up but /usr/local/ispconfig/interface/acme/.well-known/acme-challenge not empty
    2016-04-26 21:57:11,407:DEBUG:letsencrypt.main:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
        return config.func(config, plugins)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 509, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 93, in _auth_from_domains
        lineage = le_client.obtain_and_enroll_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 274, in obtain_and_enroll_certificate
        certr, chain, key, _ = self.obtain_certificate(domains)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 246, in obtain_certificate
        self.config.allow_subset_of_names)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 74, in get_authorizations
        self._respond(resp, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 131, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/auth_handler.py", line 195, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://mysite.com/.well-known/acme-challenge/NsL74h1qE36xo_RbsRTKJSB5EA4TwP95cRfWfwUpXZo [62.210.XXX.XXX]: 404, www.mysite.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.mysite.com/.well-known/acme-challenge/8H7okjrIamKhTkFSYoDNy-vQSk8VZIrBzcZV2OYJtKA [62.210.XXX.XXX]: 404
    
    The folder .well-known/acme-challenge doesn't exist in my web folder.

    Is it a bug with the ISPConfig beta version, Let's Encrypt and Nginx, or a bad configuration?

    Thanks!
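The 404 in the log above comes down to how nginx turns the challenge URI into a filesystem path. The following is an added illustration, not code from the thread or from ISPConfig: it models nginx's prefix-location selection and the difference between `root` (the whole URI is appended to the directory) and `alias` (only the part after the location prefix is appended), and runs the posted `/.well-known/acme-challenge` locations through it. Directory names are the ones from the posted vhost; `TOKEN` is a constructed placeholder for the challenge token. It goes one step beyond the thread by also showing the two spellings of the location that would resolve to the file letsencrypt actually wrote; the fix the thread arrives at is updating ISPConfig, which this example does not reproduce.

```python
# Added illustration, not part of the thread or of ISPConfig's own code:
# how nginx maps a request URI to a filesystem path under a prefix `location`,
# using `root` versus `alias`. Directory names are taken from the posted vhost;
# TOKEN is a constructed placeholder.
from dataclasses import dataclass
from typing import Dict, List, Optional

ACME_DIR = "/usr/local/ispconfig/interface/acme/.well-known/acme-challenge"
WEB_ROOT = "/var/www/mysite.com/web/"
TOKEN = "CONSTRUCTED_TOKEN"  # stands in for the ACME challenge token
CHALLENGE_URI = "/.well-known/acme-challenge/" + TOKEN


@dataclass
class Location:
    """A prefix location (no `~`): nginx compares the prefix as a literal string,
    so a backslash written as in `/\\.well-known/...` is part of the prefix."""
    prefix: str
    root: Optional[str] = None
    alias: Optional[str] = None


def match_prefix(uri: str, locations: List[Location]) -> Optional[Location]:
    """nginx selects the longest matching prefix location."""
    best = None
    for loc in locations:
        if uri.startswith(loc.prefix) and (best is None or len(loc.prefix) > len(best.prefix)):
            best = loc
    return best


def resolve_path(uri: str, locations: List[Location]) -> Optional[str]:
    """Filesystem path nginx would try for `uri`.
    root:  the whole URI is appended to the root directory.
    alias: only the part of the URI after the location prefix is appended.
    nginx concatenates literally; a doubled slash is collapsed here for readability."""
    loc = match_prefix(uri, locations)
    if loc is None:
        return None
    if loc.alias is not None:
        return loc.alias + uri[len(loc.prefix):]
    return loc.root.rstrip("/") + uri


# 1. The location as written in the posted vhost: the prefix contains a literal
#    backslash, so the challenge URI never matches it and falls through to `location /`,
#    i.e. nginx looks under the website's own web folder (where no such folder exists).
AS_POSTED = [
    Location("/", root=WEB_ROOT),
    Location("/\\.well-known/acme-challenge", root=ACME_DIR),
]

# 2. Prefix spelled without the backslash, but `root` still pointing at the
#    challenge directory itself: the URI is appended again, doubling the path.
ROOT_AT_CHALLENGE_DIR = [
    Location("/", root=WEB_ROOT),
    Location("/.well-known/acme-challenge", root=ACME_DIR),
]

# 3. Two forms that resolve to the file letsencrypt wrote (see the webroot log lines).
ROOT_AT_ACME_PARENT = [
    Location("/", root=WEB_ROOT),
    Location("/.well-known/acme-challenge", root="/usr/local/ispconfig/interface/acme"),
]
ALIAS_FORM = [
    Location("/", root=WEB_ROOT),
    Location("/.well-known/acme-challenge", alias=ACME_DIR),
]


def resolved_paths() -> Dict[str, Optional[str]]:
    """Resolve the challenge URI under each of the four configurations."""
    return {
        "as_posted": resolve_path(CHALLENGE_URI, AS_POSTED),
        "root_at_challenge_dir": resolve_path(CHALLENGE_URI, ROOT_AT_CHALLENGE_DIR),
        "root_at_acme_parent": resolve_path(CHALLENGE_URI, ROOT_AT_ACME_PARENT),
        "alias_form": resolve_path(CHALLENGE_URI, ALIAS_FORM),
    }


if __name__ == "__main__":
    for name, path in resolved_paths().items():
        print(f"{name:24s} -> {path}")
```

Running it prints one line per configuration; only the last two end in `.../acme/.well-known/acme-challenge/CONSTRUCTED_TOKEN`, the path the webroot plugin logged when it removed the tokens. A quick way to confirm a live vhost before running letsencrypt is to drop a throwaway file into the challenge directory and fetch it over plain HTTP from outside, since that is exactly what the http-01 validator does.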
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    As you can see in the vhost that you posted, this is a redirect and not a local folder of the website. So you don't have this folder?

    /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/

    As you can see in the debug log, both challenges existed there before ISPConfig cleaned them up, so I'm not sure why letsencrypt said that they did not exist. Please take a look into the access.log and error.log of that website to see if letsencrypt tried to access the tokens and which messages or errors got logged for the attempts there.
     
  3. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    The issue has been fixed in stable-3.1 branch.
     
  4. Vik82000

    Vik82000 New Member

    Hi till,
    the /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ folder exists with a file named "empty.dir" inside, that's all.

    When I check the error.log I can see a 404 not found related to the files which must be inside the repository.

    Hi Croydon,
    Thanks for the info, is there any way to solve this problem before the next 3.1 release comes? If it will be released in one week or so I can wait for sure. If it's in 3 months, it will be more complicated.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Like Croydon posted, the issue has been solved already. Just run:

    ispconfig_update.sh

    and choose git-stable as update source to update your system.
     
  6. Vik82000

    Vik82000 New Member

    Code:
    Select update method (stable,git-stable,git-master) [stable]:
    
    There are no updates available for ISPConfig 3.1b1
    
     
  7. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    stable = 3.0.5.4p9
    git-stable = 3.1 branch
     
  8. Vik82000

    Vik82000 New Member

    It works! Many thanks to you guys and this awesome free panel.

    Last question, I heard that Let's Encrypt certificates have a 3 month validity, will ISPConfig automatically regenerate the cert once this period ends?
     
  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Yes, ISPConfig includes a cron job that calls the Let's Encrypt renew.
     
  10. Vik82000

    Vik82000 New Member

    Thanks again guys.

    You made my day.
     
