Let's Encrypt does not issue certificates (Resolved)

Discussion in 'Installation/Configuration' started by AEG-Simply, Mar 6, 2018.

  1. AEG-Simply

    AEG-Simply Member

    Hello, I just set up a fresh VM following this tutorial: https://www.howtoforge.com/tutorial...-stretch-apache-bind-dovecot-ispconfig-3-1/3/

    Everything went great.

    - Debian 9
    - PHP 7.0
    - Apache2
    - ISPConfig 3.1.11

    This is my issue: when I create a new website with Let's Encrypt SSL, it doesn't work. I can come back 20 s later and the SSL checkboxes are unchecked.

    There is nothing relevant in apache2/error.log or letsencrypt.log.
    The ISPConfig test script shows nothing either.

    I had the same problem a year ago with 3.0.x; I was advised to try the beta to resolve a known bug. But after some research, I didn't find anyone else with the same bug, so I don't know where to go...

    Edit : Certbot seems to work fine, I was able to generate a certificate manually.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    See here:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    The ISPConfig debug log shows you in detail what is going on, and when the domains on your server are not reachable from the server itself (e.g. because your server is behind a router which blocks the requests), then you'll have to disable the LE check.

    This blocks the domain for SSL in ISPConfig now, so don't expect to be able to use LE in ISPConfig until you undo that. The ability to manage this website in ISPConfig (any other settings) might have stopped as well, as certbot often makes mistakes when editing config files, which then blocks further changes.
     
  3. AEG-Simply

    AEG-Simply Member

    First of all, this is not a firewall issue. Everything is redirected to my VM for TCP 80/443/8080, and my iptables rules are OK.

    Out of paranoia, I took a snapshot before manually generating the Let's Encrypt certificate. I rolled back and tried again, but still the same problem.
    After a reboot I checked the logs again and this is what I got :

    apache2/error.log :
    Code:
    [Wed Mar 07 16:47:02.810172 2018] [ssl:warn] [pid 2139] AH01906: web.mydomain:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Wed Mar 07 16:47:02.810277 2018] [ssl:error] [pid 2139] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=xxx,CN=xxx,OU=IT,O=xx,L=xx,ST=xx,C=xx/ issuer: emailAddress=xx,CN=xxx,OU=IT,O=xx,L=xx,ST=xx,C=xx / serial:xx / notbefore: Feb 27 19:32:54 2018 GMT / notafter: Feb 25 19:32:54 2028 GMT]
    [Wed Mar 07 16:47:02.810285 2018] [ssl:error] [pid 2139] AH02604: Unable to configure certificate web.mydomain:8080:0 for stapling
    [Wed Mar 07 16:47:02.813296 2018] [mpm_prefork:notice] [pid 2139] AH00163: Apache/2.4.25 (Debian) mod_fcgid/2.3.9 Phusion_Passenger/5.0.30 mod_python/3.3.1 Python/2.7.13 OpenSSL/1.0.2l configured -- resuming normal operations
    [Wed Mar 07 16:47:02.813321 2018] [core:notice] [pid 2139] AH00094: Command line: '/usr/sbin/apache2'
    
    letsencrypt/letsencrypt.log :
    Code:
    2018-03-07 15:26:52,302:DEBUG:certbot.main:Root logging level set at 30
    2018-03-07 15:26:52,302:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2018-03-07 15:26:52,303:DEBUG:certbot.main:certbot version: 0.10.2
    2018-03-07 15:26:52,303:DEBUG:certbot.main:Arguments: ['-q']
    2018-03-07 15:26:52,303:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2018-03-07 15:26:52,304:DEBUG:certbot.renewal:no renewal failures
    
    Ideas ?

    Edit: I replaced the cert details with 'xxx' on purpose.
    The subdomain in the log is 'web', but I actually tried to create a website using the subdomain "webmail".
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. AEG-Simply

    AEG-Simply Member

    Problem resolved. In the end... shame on me, but it was just a DNS issue. I mis-edited a CNAME, et voilà.
    Nevertheless, with debug, I have something else, a minor issue that I would like to understand.
    I got this error :
    Code:
    [INTERFACE]: PHP IDS Alert.Total impact: 5<br/> Affected tags: dt, id, lfi<br/> <br/> Variable: POST.php_open_basedir | Value: /var/www/clients/client1/web7/web:/var/www/clients/client1/web7/private:/var/www/clients/client1/web7/tmp:/var/www/webmail.xxx/web:/srv/www/webmail.xxx/web:/usr/share/php5:/usr/share/php:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin:/dev/random:/dev/urandom<br/> Impact: 5 | Tags: dt, id, lfi<br/> Description: Detects specific directory and path traversal | Tags: dt, id, lfi | ID 11<br/> <br/>
    I did not install phpmyadmin, because that thing is a security issue. So I do not understand this log. Where does this phpmyadmin thing come from? (I double checked with apt-get remove phpmyadmin, and it tells me it is not installed.)

    And I don't understand this log either :
    Code:
    [Wed Mar 07 16:47:02.810285 2018] [ssl:error] [pid 2139] AH02604: Unable to configure certificate web.mydomain:8080:0 for stapling
    the 'web' subdomain is my subdomain for the ISPConfig interface, and it bothers me that I can't validate the certificate.
     
  6. AEG-Simply

    AEG-Simply Member

    I seriously don't understand the matter.
    I got a LE certificate for a first subdomain, and now when I'm adding new sites (that I can reach on http://mydomain) and I check the SSL checkbox, I get these errors...???

    Let's Encrypt SSL Cert for: wiki.mydom could not be issued.
    Could not verify domain wiki.mydom, so excluding it from letsencrypt request.
    Maybe I just need to wait more, but for some it has been more than 30 min...
     
  7. AEG-Simply

    AEG-Simply Member

    Well, I'm giving up for now.
    I reinstalled cleanly a new ispconfig.
    There is NO firewall thing.

    I can access one of my websites on :80
    http://xx.mydom.xx

    But when I try to add LE SSL, I have this in debug :
    Code:
    Let's Encrypt SSL Cert for: xx.mydom.xx could not be issued.   
    Warning     Could not verify domain xx.mydom.xx, so excluding it from letsencrypt request.
    And I have no explanation for that.
     
    Last edited: Mar 14, 2018
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I can access the domain just fine from here, as it shows the ISPConfig default welcome page. Have you waited for it to be properly propagated? Most of the time it takes about 48 hours to be properly propagated.

    And if your server is behind a router, like @till said above, do try Skip Lets Encrypt Check in Server Config > Web > SSL Settings.

    One more thing, which might not be related: I dug both the domain and the subdomain, and they have different IPs. If it were me, I would ensure the DNS server for the root domain is pointing correctly to the intended ISPConfig web server IP address.
     
    Last edited: Mar 15, 2018
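The two conditions till (post 2) and ahrasis (post 8) describe, that the name must resolve to the web server's address and that the server must be able to fetch a file from its own site through that name, as an added example written for this page. It is not code from the thread, from ISPConfig or from certbot, and it does not reproduce ISPConfig's own check; it approximates what the CA's HTTP-01 validator does. wiki.example.org, the webroot path and 203.0.113.10 are placeholders, and the script needs dig and curl:

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or certbot): run on the
# ISPConfig web node to reproduce what a Let's Encrypt HTTP-01 validation
# needs before ticking the LE box. Arguments are placeholders:
#   ./le-precheck.sh wiki.example.org /var/www/clients/client1/web7/web 203.0.113.10
# Needs dig and curl.

# First A record for a name, as seen by this server's own resolver.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1
}

# Plain-HTTP fetch of a URL; the CA follows redirects, so do the same.
fetch_body() {
    curl -sS -L --max-time 10 "$1"
}

# The name must resolve to the address the CA (and this server) will use.
check_dns() {
    got=$(resolve_a "$1")
    [ -n "$got" ] && [ "$got" = "$2" ]
}

# An HTTP-01 response must be the token and nothing else. A catch-all
# RewriteRule that answers with the site's index.html fails this.
body_matches_token() {
    [ "$1" = "$2" ]
}

# Drop a token under the webroot, fetch it through the public name, compare.
check_challenge_path() {
    dir="$2/.well-known/acme-challenge"
    token="precheck-$(date +%s)-$$"
    mkdir -p "$dir" || return 1
    printf '%s' "$token" > "$dir/$token" || return 1
    body=$(fetch_body "http://$1/.well-known/acme-challenge/$token")
    rm -f "$dir/$token"
    body_matches_token "$body" "$token"
}

main() {
    domain=$1; webroot=$2; expected_ip=$3; rc=0
    if check_dns "$domain" "$expected_ip"; then
        echo "ok   DNS: $domain -> $expected_ip"
    else
        echo "FAIL DNS: $domain resolves to '$(resolve_a "$domain")', expected $expected_ip"
        rc=1
    fi
    if check_challenge_path "$domain" "$webroot"; then
        echo "ok   HTTP-01: token served verbatim via http://$domain/.well-known/acme-challenge/"
    else
        echo "FAIL HTTP-01: token not returned verbatim (wrong DNS, router without hairpin NAT, or a rewrite rule in front of .well-known)"
        rc=1
    fi
    return $rc
}

if [ $# -eq 3 ]; then
    main "$@"
fi
```

Run it as root on the web node, giving the public IP the CA will connect to. A DNS failure is the mis-edited CNAME of post 5 and the differing IPs ahrasis saw in post 8. A body mismatch where a page of HTML comes back instead of the token is the response Poliman's logs show further down the thread, a catch-all rewrite answering for /.well-known/acme-challenge/. If both checks pass from an outside host but the HTTP-01 step fails only when run on the server itself, that is the router-without-hairpin case for which the Skip Lets Encrypt Check option exists.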
  9. AEG-Simply

    AEG-Simply Member

    God, that was it.
    I sincerely apologize for that, I lost my temper. I think I just missed the
    from till.

    For that part, it's completely normal.

    This issue is resolved, thanks again.
     
    Last edited: Mar 14, 2018
  10. Poliman

    Poliman Member

    I have something like below:
    Code:
    2018-03-12 03:00:08,461:WARNING:letsencrypt.cli:Renewal configuration file /etc/letsencrypt/renewal/estm-game.pl.conf is broken. Skipping.
    2018-03-12 03:00:08,462:DEBUG:letsencrypt.cli:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 900, in _reconstitute
        full_path, configuration.RenewerConfiguration(config))
      File "/usr/lib/python2.7/dist-packages/letsencrypt/storage.py", line 200, in __init__
        "file reference".format(self.configfile))
    CertStorageError: renewal config file {} is missing a required file reference
    
    I see in /etc/letsencrypt/renewal that there are:
    Code:
    -rwxr-xr-x 1 root root 1873 Jan 25 09:28 estm-game.pl-0001.conf
    -rwxr-xr-x 1 root root    0 Jan 25 09:26 estm-game.pl.conf
    -rwxr-xr-x 1 root root 1853 Jan 25 08:16 estm-game.pl.conf~backup
    Website still works with green padlock.

    But for another website, the cert from 12 Dec 2017 expired today around 8:00 and didn't renew; error from letsencrypt.log:
    Code:
    2018-03-12 03:01:27,380:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: kz16.pl
    Type:   unauthorized
    Detail: Invalid response from http://kz16.pl/.well-known/acme-challenge/3RLSB3fmSCSoEU7j4prECNCWeBlTuHgAeor6jZsETDE: "<!doctype html><html lang="en"><head><meta charset="utf-8"><title>Generator identyfikatorów</title><base href="/"><meta name="v"
    and further in log:
    Code:
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    
    Code:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
        obtain_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
        return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
        authzr = self.auth_handler.get_authorizations(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
        self._respond(cont_resp, dv_resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 142, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: <unprintable FailedChallenges object>
    
    and finally at the end of log file:
    Code:
    2018-03-12 03:01:27,429:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 9, in <module>
        load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
        return config.func(config, plugins)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1034, in renew
        len(renew_failures), len(parse_failures)))
    Error: 3 renew failure(s), 2 parse failure(s)
    
    2018-03-12 03:01:27,431:DEBUG:letsencrypt.cli:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
        func(*targs, **kargs)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/reporter.py", line 66, in atexit_print_messages
        self.print_messages()
      File "/usr/lib/python2.7/dist-packages/letsencrypt/reporter.py", line 97, in print_messages
        next_wrapper.fill(line) for line in lines[1:]))
    UnicodeEncodeError: 'ascii' codec can't encode character u'\xf3' in position 264: ordinal not in range(128)
    
    I can put whole log file to file and attach it.
     
    Last edited: Mar 12, 2018
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    From what I see there are two groups of LE certs issued to the same domain estm-game.pl. I believe the later one is the one with 0001 and the original is the one without it. I am not sure of the cause, but I would normally delete the later one completely before applying for new certs again.

    I would run this command (may not be necessary, but I'd like to clean up any redundancies): "rm -rf /etc/letsencrypt/renewal/estm-game.pl-0001* && rm -rf /etc/letsencrypt/live/estm-game.pl-0001* && rm -rf /etc/letsencrypt/archive/estm-game.pl-0001*".

    I would then "dig estm-game.pl", ensuring it points to its intended web server IP (currently, it doesn't resolve to any IP).

    Then I would check whether the website is accessible by the public and access it (even if there is a warning about the SSL certs).

    Lastly, I would untick SSL + save, and then retick LE + save in its web settings page.

    The last step should, if everything earlier is correct, cause LE to issue new SSL certs for the original folder estm-game.pl.

    By the way, your issue is quite different from the OP, so next time, try to open a new thread. ;)
     
  12. Poliman

    Poliman Member

    Thank you for the answer Ahrasis. This domain was changed on purpose. One time when I put a domain on the forum I almost got DDoSed. ;)
    Do you know why some .conf files under /etc/letsencrypt/renewal have mode 644 but many more have mode 755? Nobody changed it, me neither.
    Moreover, the size of the file "estm-game.pl.conf" is 0, as you can see in my first post.
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The only person who can normally change it, unless others have access to your server terminal, is yourself, but whether you did it knowingly or by mistake is another matter. You can view its date and time to determine when it happened and then check who accessed it during that period.
     
  14. Poliman

    Poliman Member

    Ok, thank God it could be by mistake. Doesn't matter then. What about the different chmods? They are by default mainly 755 but in a few cases are 644.
     
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think for that you have to check the Let's Encrypt / Certbot code, because the SSL certs are generated by it. ;)

    Edited: ISPConfig did not generate the LE SSL certs; the official client (Let's Encrypt / Certbot) did it at ISPConfig's request.
     
    Last edited: Mar 15, 2018
  16. Poliman

    Poliman Member

    It will be too hard at the moment, but I am curious why this happens in this way. Maybe @till would know? :D
    Btw, estm-game.pl is an alias (vhost). Is it possible that this brings two directories in /etc/letsencrypt/live for estm-game.pl?

    PS
    I would untick LE SSL and SSL. Then remove both estm-game.pl and estm-game.pl-0001. Then check again LE SSL and SSL. :)
    I also found out that estm-game.pl uses the cert from the estm-game.pl-0001 directory.
     
    Last edited: Mar 14, 2018
  17. Poliman

    Poliman Member

    I am still observing the letsencrypt.log file and I see what happens, but I don't understand why it happens. I see:
    Code:
    2018-03-15 03:00:40,090:INFO:letsencrypt.reporter:Reporting to user: The following errors were reported by the server:
    
    Domain: derm-in.pl
    Type:   unauthorized
    Detail: Invalid response from http://derm-in.pl/.well-known/acme-challenge/51qNNlFpM-uw88txxVh5W9BuyO32jr_YtA4J6oBWL1s: "<!DOCTYPE html>
    <html ng-app="webApp">
    
    <head>
        <!--<title>DermIN</title>-->
    
    
        <title>Derm-In</title>
        <link rel=""
    
    Domain: www.derm-in.pl
    Type:  unauthorized
    Detail: Invalid response from http://www.derm-in.pl/.well-known/acme-challenge/sLohkfeUI7F5EDHxCPOsKC86aTRi2WtXlCjpS2AtIXE: "<!DOCTYPE html>
    <html ng-app="webApp">
    
    <head>
      <!--<title>DermIN</title>-->
    
    
      <title>Derm-In</title>
      <link rel=""
    
    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    
    Code:
    2018-03-15 03:00:40,091:WARNING:letsencrypt.cli:Attempting to renew cert from /etc/letsencrypt/renewal/derm-in.pl.conf produced an unexpected error: Failed authorization procedure. derm-in.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://derm-in.pl/.well-known/acme-challenge/51qNNlFpM-uw88txxVh5W9BuyO32jr_YtA4J6oBWL1s: "<!DOCTYPE html>
    <html ng-app="webApp">
    
    <head>
        <!--<title>DermIN</title>-->
    
    
        <title>Derm-In</title>
        <link rel="", www.derm-in.pl (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.derm-in.pl/.well-known/acme-challenge$
    <html ng-app="webApp">
    
    <head>
        <!--<title>DermIN</title>-->
    
    
        <title>Derm-In</title>
        <link rel="". Skipping.
    
    2018-03-15 03:00:40,095:DEBUG:letsencrypt.cli:Traceback was:
    Traceback (most recent call last):
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1017, in renew
        obtain_cert(lineage_config, plugins, renewal_candidate)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 706, in obtain_cert
        _, action = _auth_from_domains(le_client, config, domains, lineage)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 457, in _auth_from_domains
        new_certr, new_chain, new_key, _ = le_client.obtain_certificate(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 252, in obtain_certificate
        return self.obtain_certificate_from_csr(domains, csr) + (key, csr)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/client.py", line 225, in obtain_certificate_from_csr
        authzr = self.auth_handler.get_authorizations(domains)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 84, in get_authorizations
        self._respond(cont_resp, dv_resp, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 142, in _respond
        self._poll_challenges(chall_update, best_effort)
      File "/usr/lib/python2.7/dist-packages/letsencrypt/auth_handler.py", line 204, in _poll_challenges
        raise errors.FailedChallenges(all_failed_achalls)
    
    @ahrasis This time it's a real domain. You can see when you enter the site that SSL is still working and DNS works, it points to some IP. I am helpless. Moreover, it's not a problem for each of the maybe 20 websites, but only a few.
     
    Last edited: Mar 15, 2018
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Why are you so worried? As far as the derm-in.pl domain is concerned (as I can see from here), its https is working with www or without.
     
  19. Poliman

    Poliman Member

    Because there is an error in renewing the SSL cert logged today and I don't know why it happens. The current cert should expire in 3 days (cert generated 18 Dec 2017). Then I will know whether all is ok or not. I am afraid that the cert will expire and won't be renewed. I had this problem a few times. Moreover, if the cert expires on derm-in.pl, then each visit to this site will produce an error about cert expiration, but I am able to open this site (after adding a cert exception in the browser), and then another site, the first one deployed on this server, will open with the URL of derm-in.pl. It's really strange and this same behavior happens for each website whose cert expires.
     
    Last edited: Mar 15, 2018
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I would suggest you check what is the result of "ls -lt /etc/lets*/*/derm-in.pl* && dig derm-in.pl && dig www.derm-in.pl".
     
    Last edited: Mar 15, 2018
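To answer the questions raised in posts 10, 11, 16 and 20 (a 0-byte renewal .conf, an estm-game.pl-0001 lineage next to the original, and which of the two the vhost really serves), here is an added audit script written for this page. It is not from the thread, ISPConfig or certbot. It assumes certbot's standard /etc/letsencrypt/{renewal,live,archive} layout, ISPConfig's habit of pointing SSLCertificateFile at a symlink in the site's ssl/ directory, and GNU readlink and date; the domain names in the comments are placeholders:

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or certbot): audit certbot's
# renewal lineages for the two problems seen in this thread, an empty renewal
# .conf and a numbered duplicate lineage (name-0001) that the vhost may or may
# not be using. Paths follow certbot's standard layout.
#
# Usage: ./le-lineage-audit.sh audit /etc/apache2/sites-enabled/*.vhost

RENEWAL_DIR=${RENEWAL_DIR:-/etc/letsencrypt/renewal}

# Lineage name from a conf path: /x/estm-game.pl-0001.conf -> estm-game.pl-0001
lineage_name() {
    n=${1##*/}
    printf '%s\n' "${n%.conf}"
}

# certbot appends -0001, -0002, ... when it creates a second lineage for names
# that already have one.
is_duplicate_lineage() {
    case "$1" in *-[0-9][0-9][0-9][0-9]) return 0 ;; *) return 1 ;; esac
}

# Read one "key = value" entry from a renewal conf.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# "empty": 0-byte conf (certbot logs "missing a required file reference" and
# skips it on every run); "broken": a required path is absent or dangling;
# "ok": all four files resolve.
classify_conf() {
    [ -s "$1" ] || { echo empty; return 0; }
    for key in cert privkey chain fullchain; do
        path=$(conf_value "$1" "$key")
        if [ -z "$path" ] || [ ! -e "$path" ]; then
            echo broken; return 0
        fi
    done
    echo ok
}

# Days until notAfter of a PEM certificate; returns 1 if openssl can't read it.
days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2)
    [ -n "$end" ] || return 1
    end_s=$(date -d "$end" +%s 2>/dev/null) || return 1
    echo $(( (end_s - $(date +%s)) / 86400 ))
}

# Lineages actually referenced by SSLCertificateFile in the given vhost files.
# ISPConfig points the directive at a symlink under the site's ssl/ directory,
# so resolve symlinks before looking for /live/<lineage>/.
referenced_lineages() {
    grep -h -o 'SSLCertificateFile[[:space:]][[:space:]]*[^[:space:]]*' "$@" 2>/dev/null \
      | awk '{ print $2 }' \
      | while read -r p; do
            real=$(readlink -f "$p" 2>/dev/null) || continue
            case "$real" in
                */live/*) rest=${real#*/live/}; printf '%s\n' "${rest%%/*}" ;;
            esac
        done | sort -u
}

# One line per lineage; exit status 1 if anything is empty or broken.
audit() {
    rc=0
    used=$(referenced_lineages "$@")
    for conf in "$RENEWAL_DIR"/*.conf; do
        [ -e "$conf" ] || continue
        name=$(lineage_name "$conf")
        state=$(classify_conf "$conf")
        note=""
        is_duplicate_lineage "$name" && note="$note duplicate-lineage"
        printf '%s\n' "$used" | grep -qxF -- "$name" && note="$note referenced-by-vhost"
        if [ "$state" = ok ]; then
            printf 'ok      %-30s %s days left%s\n' "$name" \
                "$(days_left "$(conf_value "$conf" cert)" || echo '?')" "$note"
        else
            printf '%-7s %-30s%s\n' "$state" "$name" "$note"
            rc=1
        fi
    done
    return $rc
}

case "${1:-}" in
    audit) shift; audit "$@" ;;
esac
```

An `empty` line is the 0-byte estm-game.pl.conf case, which certbot skips on every nightly run with "missing a required file reference". A lineage tagged `duplicate-lineage` but not `referenced-by-vhost` is the one that can be removed the way ahrasis describes; one tagged both is the certificate the site is actually serving, so it should stay until the other lineage has been re-issued (untick and retick LE in ISPConfig) and the vhost points at the new files. The mode bits Poliman asks about are not checked here: certbot writes the renewal confs itself and this script only reads them.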
