Issue with SSL for one domain/site

Discussion in 'General' started by omega1, Dec 8, 2022.

  1. omega1

    omega1 New Member

    Hi all,
    I have been through as much as I can given my understanding...
    My issue is that for one of the (four) sites I have under ISPConfig, the SSL cert expired and did not automatically renew (other sites are fine so far).
    I tried to simply uncheck and recheck SSL and Let's Encrypt via the panel, but when I go back in, they have unchecked themselves.
    I have gone through the acme.log and have found the following (possibly) relevant lines:

    Code:
    [Thu  8 Dec 11:25:10 GMT 2022] writing token:is5BHcih4HyKfphQbcMGIjxPIR-vIcwac54MwXa-GjA to /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/is5BHcih4HyKfphQbcMGIjxPIR-vIcwac54MwXa-GjA
    [Thu  8 Dec 11:25:14 GMT 2022] mydomain.com:Verify error:2a07:7800::166: Invalid response from http://mydomain.com/.well-known/acme-challenge/is5BHcih4HyKfphQbcMGIjxPIR-vIcwac54MwXa-GjA: 404
    To me, it seems that the token is being written to the wrong place, or there could be a symlink missing which is why it can't get the response it needs?
    I have also manually run server.sh and see similar errors:
    Code:
    08.12.2022-12:59 - DEBUG [letsencrypt.inc:430] - Create Let's Encrypt SSL Cert for: mydomain.com
    08.12.2022-12:59 - DEBUG [letsencrypt.inc:431] - Let's Encrypt SSL Cert domains:
    08.12.2022-12:59 - DEBUG [system.inc:1819] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d mydomain.com -d www.mydomain.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d mydomain.com -d www.mydomain.com --key-file '/var/www/clients/client1/web1/ssl/mydomain.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/mydomain.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    [Thu  8 Dec 12:59:21 GMT 2022] mydomain.com:Verify error:2a07:7800::166: Invalid response from http://mydomain.com/.well-known/acme-challenge/vfrhoiHWS1WlMnoXZE3ba3Wv1hz2a5slbisuSR0Z8aM: 404
    [Thu  8 Dec 12:59:21 GMT 2022] Please check log file for more details: /var/log/ispconfig/acme.log
    08.12.2022-12:59 - WARNING - Let's Encrypt SSL Cert for: mydomain.com could not be issued.
    08.12.2022-12:59 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d mydomain.com -d www.mydomain.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d mydomain.com -d www.mydomain.com --key-file '/var/www/clients/client1/web1/ssl/mydomain.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/mydomain.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    08.12.2022-12:59 - DEBUG [system.inc:2399] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    What can I do to correct this? Any help would be greatly appreciated.
    Thank you in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This can't be the case, unless you manually altered ISPConfig or acme.sh source code. So unless you did that, you can rule out these two options.

    First, you must find out why LE can't access the token on your system. Do you use any custom rewrite or proxy rules in the site that might prevent access to the token (either in apache or nginx directives field or in a .htaccess file when using apache)?
     
  3. omega1

    omega1 New Member

    Hi @till
    Thanks so much for your quick response and help.
    I do not recall altering acme.sh or ISPConfig, so it's unlikely to be that. In fact I just redownloaded a copy of acme.sh and compared, and it is the same.
    I'm using apache and I cannot see anything in apache.conf that could be causing it, and the only thing in the .htaccess is this:
    Code:
    ErrorDocument 404 https://www.mydomain.com/errors/404.html
    I removed the line just in case but the same issue persists.
    I have just tried again manually but still persists:
    Code:
    root@:/usr/local/ispconfig/server/temp# /root/.acme.sh/acme.sh --issue --domain mydomain.com --apache --force
    [Thu  8 Dec 13:54:46 GMT 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Thu  8 Dec 13:54:47 GMT 2022] Checking if there is an error in the apache config file before starting.
    [Thu  8 Dec 13:54:47 GMT 2022] OK
    [Thu  8 Dec 13:54:47 GMT 2022] JFYI, Config file /etc/apache2/apache2.conf is backuped to /root/.acme.sh/apache2.conf
    [Thu  8 Dec 13:54:47 GMT 2022] In case there is an error that can not be restored automatically, you may try restore it yourself.
    [Thu  8 Dec 13:54:47 GMT 2022] The backup file will be deleted on success, just forget it.
    [Thu  8 Dec 13:54:47 GMT 2022] Single domain='mydomain.com'
    [Thu  8 Dec 13:54:48 GMT 2022] Getting domain auth token for each domain
    [Thu  8 Dec 13:54:50 GMT 2022] Getting webroot for domain='mydomain.com'
    [Thu  8 Dec 13:54:50 GMT 2022] Verifying: mydomain.com
    [Thu  8 Dec 13:54:51 GMT 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Thu  8 Dec 13:54:55 GMT 2022] mydomain.com:Verify error:2a07:7800::166: Invalid response from http://mydomain.com/.well-known/acme-challenge/RzhpiKMkyEGAJTIr0TFr3VYIRvjnnphM8ZaOFQziczY: 404
    [Thu  8 Dec 13:54:55 GMT 2022] Please check log file for more details: /var/log/ispconfig/acme.log
    root@:/usr/local/ispconfig/server/temp#
    One thing I am noticing is that every time I try to add the Let's Encrypt option in ISPConfig, this gets added to the .conf file in
    Code:
    /etc/apache2/sites-available
    Code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L,NE]
    This seems relevant, but not sure how...
    Thanks again for your help.
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You enabled a http to https rewrite and the first part of the condition ensures that LE keeps working, so that's fine.

    Which ISPConfig version do you use?

    And very importantly, do not run commands like "/root/.acme.sh/acme.sh --issue --domain mydomain.com --apache --force". This will prevent LE from working, the site from working and ISPConfig from working for this site. So you can be happy that it probably failed before it damaged your website config. Nonetheless, you should check the /etc/apache2/sites-enabled/ folder for any files ending with .conf for this website or files with 'le' in the file name, as these would be remnants blocking ISPConfig and LE. The only file there ending with .conf is the ISPConfig conf file. Never run acme.sh or certbot manually on an ISPConfig system for any domain managed in ISPConfig or for the system hostname.

    And you can do the following test:

    touch /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/test.txt

    you should now be able to reach the test file with:

    http://mydomain.com/.well-known/acme-challenge/test.txt
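    The rewrite block omega1 posted and the checks till lists above, automated as a small diagnostic script. This is an added example, not code from the thread, ISPConfig or acme.sh; it assumes the default ISPConfig paths shown in the thread, that ISPConfig's own files in sites-enabled are named 000-ispconfig.* and its site vhosts end in .vhost, and that curl is installed.

```shell
#!/bin/sh
# Added diagnostic for the checks in this thread; not part of ISPConfig or acme.sh.
# Assumption: ISPConfig's files in sites-enabled are 000-ispconfig.* and *.vhost.
ACME_WEBROOT="${ACME_WEBROOT:-/usr/local/ispconfig/interface/acme}"
SITES_ENABLED="${SITES_ENABLED:-/etc/apache2/sites-enabled}"

# Leftover vhosts: .conf files that are not ISPConfig's, or names containing "le"
# (what a stray acme.sh --apache run leaves). Prints them; returns 1 if any found.
find_leftover_vhosts() {
    found=0
    for f in "$1"/*; do
        [ -e "$f" ] || continue
        name=$(basename "$f")
        case "$name" in
            *.vhost|000-ispconfig*) continue ;;   # managed by ISPConfig
            *.conf|*le*) echo "$name"; found=1 ;;
        esac
    done
    return $found
}

# The acme-challenge exemption must come before the HTTPS redirect, otherwise the
# CA gets a 301 instead of the token. Returns 0 when the order is right (or there
# is no redirect at all), 1 otherwise.
acme_exemption_precedes_redirect() {
    acme_line=$(grep -n 'acme-challenge' "$1" | head -n 1 | cut -d: -f1)
    https_line=$(grep -nF '%{HTTPS} off' "$1" | head -n 1 | cut -d: -f1)
    [ -z "$https_line" ] && return 0
    [ -n "$acme_line" ] && [ "$acme_line" -lt "$https_line" ] && return 0
    return 1
}

# till's touch test: drop a constructed token in the ACME webroot and fetch it over
# plain HTTP without following redirects. 200 is what the CA needs; 301 means the
# redirect fires first, 404 means the wrong webroot or a stray vhost answering.
challenge_reachable() {
    dir="$ACME_WEBROOT/.well-known/acme-challenge"
    token="diag-test-$$"                  # constructed, not a real ACME token
    mkdir -p "$dir" && echo "$token" > "$dir/$token" || return 2
    code=$(curl -s -o /dev/null -w '%{http_code}' \
        "http://$1/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    echo "HTTP $code for http://$1/.well-known/acme-challenge/$token"
    [ "$code" = "200" ]
}

# Usage: sh acme-diag.sh mydomain.com   (nothing runs when no domain is given)
if [ $# -ge 1 ]; then
    find_leftover_vhosts "$SITES_ENABLED" || echo "^ leftover vhost files, remove them"
    challenge_reachable "$1"
fi
```

    Run acme_exemption_precedes_redirect against the site's .vhost file in sites-enabled to confirm the rewrite order before re-enabling Let's Encrypt in the panel.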
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You probably have the apache2.conf file that got messed up by the wrong use of the acme.sh command, as mentioned in the output you posted.
     
  7. omega1

    omega1 New Member

    Hello both,
    Thank you for your replies.
    Yes, correct.
    ISPConfig 3.2.9
    OK, I think THIS was the problem, I removed the mydomain.com.conf file from /etc/apache2/sites-enabled/ there, went back into ISPConfig and checked the Let's Encrypt option and waited and sure enough, all is OK again now.
    I'm not sure how it got into that state, but it is OK now.

    Thank you very much for your quick responses which helped me resolve this!
     
