Let's Encrypt Cannot Issue Certificate for Domain

Discussion in 'Installation/Configuration' started by rhinjard, Feb 25, 2021.

  1. rhinjard

    rhinjard New Member

    I have successfully installed and configured ISPConfig on my server. I have also configured a website in ISPConfig and it is working well. During the creation I did not enable Let's Encrypt. Later, when I tried to enable Let's Encrypt, I am getting an error while issuing a certificate. I have enabled the debug logs in ISPConfig and it shows that "Verified domain XXX.XX should be reachable for letsencrypt." The website is working, and when I pinged the server from a system outside my network, it showed the correct IP of the server where the domain is hosted. What could be the issue?

    Info:
    ISPConfig: 3.2.2
    OS: Ubuntu 20.04
    Webserver: Apache
    Database: MySQL
    PHP Version: 7.4
    Letsencrypt logs:
    Code:
    2021-02-25 12:06:05,217:DEBUG:certbot.main:certbot version: 0.40.0
    2021-02-25 12:06:05,217:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--webroot-map', '{"onewolf.in":"\\/usr\\/local\\/ispconfig\\/interface\\/acme","www.onewolf.in":"\\/usr\\/local\\/ispconfig\\/interface\\/acme"}']
    2021-02-25 12:06:05,217:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-02-25 12:06:05,223:DEBUG:certbot.log:Root logging level set at 20
    2021-02-25 12:06:05,223:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-02-25 12:06:05,223:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-02-25 12:06:05,223:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f736ad35c10>
    Prep: True
    2021-02-25 12:06:05,223:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f736ad35c10> and installer None
    2021-02-25 12:06:05,223:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2021-02-25 12:06:05,227:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(key=None, contact=(), agreement=None, status=None, terms_of_service_agreed=None, only_return_existing=None, external_account_binding=None), uri='https://acme-v02.api.letsencrypt.org/acme/acct/113024633', new_authzr_uri=None, terms_of_service=None), 4c7e4d46ef21edb08677a334e35140b9, Meta(creation_dt=datetime.datetime(2021, 2, 17, 7, 0, 59, tzinfo=<UTC>), creation_host='mail.sumansa.com'))>
    2021-02-25 12:06:05,227:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
    2021-02-25 12:06:05,228:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org:443
    2021-02-25 12:06:06,418:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 658
    2021-02-25 12:06:06,419:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Thu, 25 Feb 2021 06:36:06 GMT
    Content-Type: application/json
    Content-Length: 658
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    {
      "L7EaJgDovVU": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
      "meta": {
        "caaIdentities": [
          "letsencrypt.org"
        ],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
        "website": "https://letsencrypt.org"
      },
      "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
      "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }
    2021-02-25 12:06:06,421:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/eden144.com.conf is broken. Skipping.
    2021-02-25 12:06:06,422:DEBUG:certbot.cert_manager:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 382, in _search_lineages
        candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
      File "/usr/lib/python3/dist-packages/certbot/storage.py", line 444, in __init__
        raise errors.CertStorageError(
    certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
    
    2021-02-25 12:06:06,426:INFO:certbot.main:Obtaining a new certificate
    2021-02-25 12:06:06,695:DEBUG:certbot.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0011_key-certbot.pem
    2021-02-25 12:06:06,700:DEBUG:certbot.crypto_util:Creating CSR: /etc/letsencrypt/csr/0011_csr-certbot.pem
    2021-02-25 12:06:06,700:DEBUG:acme.client:Requesting fresh nonce
    2021-02-25 12:06:06,700:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonce.
    2021-02-25 12:06:06,985:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce HTTP/1.1" 200 0
    2021-02-25 12:06:06,986:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Thu, 25 Feb 2021 06:36:06 GMT
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0004WIsQV9YEp0kwINHgK3TAx-6rkNbiJYxfeEOORFnf7PA
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    
    2021-02-25 12:06:06,988:DEBUG:acme.client:Storing nonce: 0004WIsQV9YEp0kwINHgK3TAx-6rkNbiJYxfeEOORFnf7PA
    2021-02-25 12:06:06,989:DEBUG:acme.client:JWS payload:
    b'{\n  "identifiers": [\n    {\n      "type": "dns",\n      "value": "onewolf.in"\n    },\n    {\n      "type": "dns",\n      "value": "www.onewolf.in"\n    }\n  ]\n}'
    2021-02-25 12:06:07,008:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/new-order:
    {
      "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMTEzMDI0NjMzIiwgIm5vbmNlIjogIjAwMDRXSXNRVjlZRXAwa3dJTkhnSzNUQXgtNnJrTmJpSll4ZmVFT09SRm5mN1BBIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9uZXctb3JkZXIifQ",
      "signature": "GTIztZJxTPvsGP4FUU2PHnY1r4U0y0P5kCNPsNt5FLJS9IU9eX7AgclQ81ayEnSuy5pTLazieCLDjxYqiiTpWnCYZsSYx7jtp53qzVvzQpQ6ESi9giQ7jNWRaYFLhDwtUtB2C8en3Z78UY6TrXI3RoxlUtIIFvqCwj6tY7naR_SJzh9ts4_m3RxDDUdNzZcXrS-3iFmurDZNStk5EwaeBtNEbJWxv6yIRb1Xvr3gUVyxBnn9GxE1fChZS5kcXbCILiJ-1OV-bQud8JlhXnDaf_WRMpDD8rHieY4vVvIJEVZZyj0hqy13SfN8aLglYsPKStoUFHpEW_R2P0A3thkrv8t8Wv2q7nUNHgNPB3Ip5tnM8Uzq-G_qac86ZcmdvhSIJKXGYTkS_e7RzGa-Ivj9Je8Hov0gIyGIm1Qjix7CslIee8bp2cyXUHu_W1RnSlLCWdHUA6TWZUO-_Ed4YY9snPkMVLsJpPyefGL9uNkhvIRlQxSYcYXnA58SfNvg6L4gIe4dZcoa1XD5p3aNGfQCohKdQXh8YrRBl7YL7d9pELt99Y9HP76xoDAAwu9xPq2pX64bZ8eRr_CjaeZthq2R2N4vq3rQhNWjaMDT7RT0qsWf-iwX6XMIN4mhfzatz2eVr5BxYmwKmxHU2ckKnrWmhShGRdy4KoViRt7f4MD8KCw",
      "payload": "ewogICJpZGVudGlmaWVycyI6IFsKICAgIHsKICAgICAgInR5cGUiOiAiZG5zIiwKICAgICAgInZhbHVlIjogIm9uZXdvbGYuaW4iCiAgICB9LAogICAgewogICAgICAidHlwZSI6ICJkbnMiLAogICAgICAidmFsdWUiOiAid3d3Lm9uZXdvbGYuaW4iCiAgICB9CiAgXQp9"
    }
    2021-02-25 12:06:07,305:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/new-order HTTP/1.1" 429 250
    2021-02-25 12:06:07,306:DEBUG:acme.client:Received response:
    HTTP 429
    Server: nginx
    Date: Thu, 25 Feb 2021 06:36:07 GMT
    Content-Type: application/problem+json
    Content-Length: 250
    Connection: keep-alive
    Boulder-Requester: 113024633
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0004059vzgTo-CqJfTWM-_NjymKX904kytGXvjk2Zah8Dr8
    
    {
      "type": "urn:ietf:params:acme:error:rateLimited",
      "detail": "Error creating new order :: too many certificates already issued for exact set of domains: onewolf.in,www.onewolf.in: see https://letsencrypt.org/docs/rate-limits/",
      "status": 429
    }
    2021-02-25 12:06:07,307:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
        lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in _get_and_save_cert
        lineage = le_client.obtain_and_enroll_certificate(domains, certname)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain_and_enroll_certificate
        cert, chain, key, _ = self.obtain_certificate(domains)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
        orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
      File "/usr/lib/python3/dist-packages/certbot/client.py", line 381, in _get_order_and_authorizations
        orderr = self.acme.new_order(csr_pem)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 863, in new_order
        return self.client.new_order(csr_pem)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 666, in new_order
        response = self._post(self.directory['newOrder'], order)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 95, in _post
        return self.net.post(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 1171, in post
        return self._post_once(*args, **kwargs)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 1184, in _post_once
        response = self._check_response(response, content_type=content_type)
      File "/usr/lib/python3/dist-packages/acme/client.py", line 1042, in _check_response
        raise messages.Error.from_json(jobj)
    acme.messages.Error: urn:ietf:params:acme:error:rateLimited :: There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: onewolf.in,www.onewolf.in: see https://letsencrypt.org/docs/rate-limits/
    2021-02-25 12:06:07,310:ERROR:certbot.log:An unexpected error occurred:
    2021-02-25 12:06:07,310:ERROR:certbot.log:There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: onewolf.in,www.onewolf.in: see https://letsencrypt.org/docs/rate-limits/
    2021-02-25 12:06:07,542:DEBUG:certbot.main:certbot version: 0.40.0
    2021-02-25 12:06:07,542:DEBUG:certbot.main:Arguments: ['--domains', 'onewolf.in', '--domains', 'www.onewolf.in']
    2021-02-25 12:06:07,542:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-02-25 12:06:07,547:DEBUG:certbot.log:Root logging level set at 20
    2021-02-25 12:06:07,547:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-02-25 12:06:07,547:WARNING:certbot.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/eden144.com.conf produced an unexpected error: renewal config file {} is missing a required file reference. Skipping.
    2021-02-25 12:06:07,548:DEBUG:certbot.cert_manager:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 79, in certificates
        renewal_candidate = storage.RenewableCert(renewal_file, config)
      File "/usr/lib/python3/dist-packages/certbot/storage.py", line 444, in __init__
        raise errors.CertStorageError(
    certbot.errors.CertStorageError: renewal config file {} is missing a required file reference
    
    2021-02-25 12:06:07,549:WARNING:certbot.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/mail.sumansa.com.conf produced an unexpected error: fullchain does not match cert + chain for mail.sumansa.com!. Skipping.
    2021-02-25 12:06:07,549:DEBUG:certbot.cert_manager:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python3/dist-packages/certbot/cert_manager.py", line 80, in certificates
        crypto_util.verify_renewable_cert(renewal_candidate)
      File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 221, in verify_renewable_cert
        verify_fullchain(renewable_cert)
      File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 324, in verify_fullchain
        raise e
      File "/usr/lib/python3/dist-packages/certbot/crypto_util.py", line 318, in verify_fullchain
        raise errors.Error(error_str)
    certbot.errors.Error: fullchain does not match cert + chain for mail.sumansa.com!
    
     
    Last edited: Feb 25, 2021
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The log you posted contains details on several different certs, which domain is the one you refer to?
     
  3. rhinjard

    rhinjard New Member

    The domain mail.sumansa.com is the main domain where ISPConfig is configured. Onewolf.in is the domain where LetsEncrypt is unable to issue a certificate.
    I configured LetsEncrypt for the domain mail.sumansa.com during ISPConfig's installation, but even that is showing an error. The installation of ISPConfig completed successfully and all the modules are functioning except 1) LetsEncrypt cannot issue certificates to any of the domains I create, and 2) I cannot access the ISPConfig login page without ignoring the certificate warning.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if you have hit the rate limits for that domain, see this line in the log:

    Error creating new order :: too many certificates already issued for exact set of domains: onewolf.in,www.onewolf.in: see https://letsencrypt.org/docs/rate-limits/

    Details can be found in the link that is included in the error message.
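
Sorting a certbot debug log by certificate name, as done by eye in this thread, can be scripted. The following is an added example, not part of the original posts and not ISPConfig or certbot code. The function name `triage` and the abridged sample log are constructed for illustration, and the regular expressions assume the message wording seen in the certbot 0.40.0 log above.

```python
import re
from collections import defaultdict

# Constructed sample: a few lines abridged from the log in the first post.
SAMPLE_LOG = """\
2021-02-25 12:06:06,421:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/eden144.com.conf is broken. Skipping.
2021-02-25 12:06:07,306:DEBUG:acme.client:Received response:
HTTP 429
{
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many certificates already issued for exact set of domains: onewolf.in,www.onewolf.in: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429
}
2021-02-25 12:06:07,549:WARNING:certbot.cert_manager:Renewal configuration file /etc/letsencrypt/renewal/mail.sumansa.com.conf produced an unexpected error: fullchain does not match cert + chain for mail.sumansa.com!. Skipping.
"""

# ACME problem document returned by the CA (type + detail fields).
PROBLEM = re.compile(
    r'"type":\s*"urn:ietf:params:acme:error:(\w+)",\s*"detail":\s*"([^"]*)"')
# Comma-separated names inside a rate-limit detail string.
DOMAINS = re.compile(r"domains: ([^\s:]+)")
# Local renewal configs that certbot skipped, with the reason if one is given.
RENEWAL = re.compile(
    r"renewal/(\S+?)\.conf (?:is broken|produced an unexpected error: (.*?))\. Skipping")


def triage(log_text):
    """Map each certificate name to the distinct problems logged for it."""
    findings = defaultdict(set)
    for kind, detail in PROBLEM.findall(log_text):
        match = DOMAINS.search(detail)
        names = match.group(1).split(",") if match else ["(no domain in detail)"]
        for name in names:
            findings[name].add("ACME " + kind)
    for name, reason in RENEWAL.findall(log_text):
        findings[name].add("renewal config skipped: " + (reason or "broken"))
    return {name: sorted(items) for name, items in findings.items()}


if __name__ == "__main__":
    for name, items in sorted(triage(SAMPLE_LOG).items()):
        for item in items:
            print(f"{name}: {item}")
```

Server-side ACME errors (here the rate limit for onewolf.in) and local renewal-config problems (eden144.com, mail.sumansa.com) come out under separate names, which shows they are independent issues.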
     
  5. rhinjard

    rhinjard New Member

    Ah, my bad, didn't notice that line. Thanks much.
    Any idea about "certbot.errors.Error: fullchain does not match cert + chain for mail.sumansa.com!" ?
     
