1. I add a site: site.domain.tld
2. It has Auto-Subdomain set to "None".
3. I try to activate SSL and SSL LetsEncrypt.
4. Nothing happens. The setting is updated in the ISPC database and 2 new CAA records are created, but no action is taken toward updating the vhost file and creating the LetsEncrypt SSL cert.
5. I set Auto-Subdomain to www.
6. Everything goes as it should.

Just a minor annoyance: now the domain is forced to be https://www.site.domain.tld, as https://site.domain.tld is not covered by valid SSL.
Please use the search function before posting: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ Your issue is not related to the setting of the subdomain, btw. LE works perfectly fine with auto subdomain = none. Whether an SSL cert is issued by LE depends solely on the fact that the domain (and the subdomains you have chosen to use) point to this server properly so LE can access it on port 80. And you can verify that easily by following the FAQ and/or using debug mode.
Aha. Then why, when Auto Subdomain is set to "none", is a DNS CAA record for none.sub.domain.tld created? And if I understand the flow correctly, when I set up a website via the API I must add the subdomain DNS records, wait for them to be populated in the DNS servers, and only then create the site? Because it is possible to face a race condition when DNS is not yet populated but the site is already being set up.
Just a guess: you added 'none' as auto subdomain via API instead of leaving the field empty.

This is not related to ISPConfig nor the ISPConfig API, it's how Let's Encrypt with HTTP authentication works. Let's Encrypt will try to reach all domains and subdomains that shall be in the SSL cert on port 80; if they cannot be resolved or they resolve to the wrong server, the SSL cert will get rejected by LE. In this case, the SSL checkbox and LE checkbox get unchecked and the host gets created without SSL so that Apache will not fail for all sites due to a missing SSL cert.
Ok, I'll look into the code for adding the CAA record; likely the person that added the function to add a CAA record made a mistake then. I've not implemented that function myself. But it does not matter for this issue anyway, as it does no harm to have an unused CAA record subdomain, and the LE cert is not requested by using CAA record data. I have quite a few sites with subdomain set to none and all have correct LE certs, so there is no issue here when the requirements for LE are met. I posted the link to the Let's Encrypt FAQ already, which you should have followed if you wanted to know why no LE cert or just a partial LE cert was issued; in debug mode you will also see which subdomains get requested from LE and which fail.
Should I wait for an official fix for the enum in the "subdomain" field or make the changes manually? I believe this will be overwritten upon update.
I agree with you. Here is an example of what I pass to ISPC via the API call:

PHP:

    $website = $this->panelServer
        ->with(
            [
                'client_id' => $ISPC_user_ID,
                'server_id' => $this->serverDetails['ispc_server_id'],
                'ip_address' => '*',
                'domain' => $po['domain'],
                'type' => 'vhost',
                'parent_domain_id' => 0,
                'vhost_type' => 'name',
                'hd_quota' => 1024,
                'traffic_quota' => 102400,
                'cgi' => 'n',
                'ssi' => 'n',
                'suexec' => 'y',
                'errordocs' => 1,
                'is_subdomainwww' => 1,
                'subdomain' => 'www',
                'php' => 'php-fpm',
                'server_php_id' => $phpVersion['server_php_id'],
                'ruby' => 'n',
                'seo_redirect' => 'non_www_to_www',
                'rewrite_to_https' => 'y',
                'redirect_type' => '',
                'redirect_path' => '',
                'ssl' => 'y',
                'ssl_letsencrypt' => 'y',
                'php_fpm_chroot' => 'n',
                'stats_password' => $goAccessPassword,
                'stats_type' => 'goaccess',
                'allow_override' => 'All',
                'apache_directives' => '',
                'php_open_basedir' => '/',
                'pm' => 'ondemand',
                'pm_max_requests' => 0,
                'pm_process_idle_timeout' => 10,
                // One php.ini directive per line
                'custom_php_ini' => "disable_functions=exec,mail,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source\n"
                    . "allow_url_fopen=Off\n"
                    . "allow_url_include=Off\n"
                    . "upload_max_filesize=25M\n"
                    . "post_max_size=26M\n",
                'backup_interval' => '',
                'backup_copies' => 0,
                'backup_format_web' => 'default',
                'backup_format_db' => 'gzip',
                'active' => 'y',
                'traffic_quota_lock' => 'y',
                'http_port' => '80',
                'https_port' => '443',
                //'delete_unused_jailkit' => 'y',
                'added_by' => 'api',
                'added_date' => date('Y-m-d H:i:s'),
            ]
        )
        ->addWebDomain()
        ->response();

So, in my case 'subdomain' => 'www', should be sub without domain.tld?
If you want to have a website that is accessible only via sub.domain.com, then you set domain to sub.domain.com and subdomain to none. If you want to have a website that is accessible as domain.com and sub.domain.com where sub is not www, then you set domain to domain.com, subdomain to none and add a subdomain to this website via a separate API call.

And as mentioned above, the fact that a none CAA record gets created is a separate issue and not related to the enum field; this additional CAA record does not cause any issues and we will address it in the next release to prevent it from being created.
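
Added example, not part of the thread and not ISPConfig code: a pre-flight check for the DNS race condition raised above, which confirms that every name that would go into the certificate (the domain, plus www when subdomain is 'www') already resolves to the web server before the API call sets 'ssl_letsencrypt' => 'y'. The function names, the injectable resolver and the sample addresses are assumptions; only the 'none' and 'www' subdomain values discussed in the thread are handled.

```php
<?php
// Names Let's Encrypt must reach over HTTP for this site (hypothetical helper).
function certNames(string $domain, string $subdomain): array
{
    $domain = strtolower(rtrim($domain, '.'));
    switch ($subdomain) {
        case 'none': return [$domain];
        case 'www':  return [$domain, 'www.' . $domain];
        default:
            throw new InvalidArgumentException("unhandled subdomain value: $subdomain");
    }
}

// Default resolver: A and AAAA records as seen by the local system resolver.
function resolveIps(string $name): array
{
    $records = @dns_get_record($name, DNS_A | DNS_AAAA) ?: [];
    $ips = [];
    foreach ($records as $r) {
        $ips[] = $r['ip'] ?? $r['ipv6'] ?? null;
    }
    return array_values(array_filter($ips));
}

// Returns [name => reason] for every name that would make validation fail.
function dnsPreflight(array $names, array $serverIps, ?callable $resolver = null): array
{
    $resolver = $resolver ?? 'resolveIps';
    $norm = fn(string $ip) => inet_pton($ip); // binary form, so IPv6 spellings match
    $expected = array_map($norm, $serverIps);
    $problems = [];
    foreach ($names as $name) {
        $found = $resolver($name);
        if ($found === []) {
            $problems[$name] = 'does not resolve yet';
            continue;
        }
        $foreign = array_filter($found, fn($ip) => !in_array($norm($ip), $expected, true));
        if ($foreign !== []) {
            $problems[$name] = 'resolves elsewhere: ' . implode(', ', $foreign);
        }
    }
    return $problems;
}

// Constructed sample data (documentation address range): www record not published yet.
$fakeDns = ['site.example.com' => ['192.0.2.10'], 'www.site.example.com' => []];
$names = certNames('site.example.com', 'www');
$problems = dnsPreflight($names, ['192.0.2.10'], fn($n) => $fakeDns[$n] ?? []);
print_r($problems); // send 'ssl_letsencrypt' => 'y' only when this array is empty
```

A clean result from the local resolver does not guarantee that Let's Encrypt's resolvers already see the same records, so treat an empty array as a necessary condition rather than a sufficient one.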