Let’s Encrypt Error FAQ

Discussion in 'General' started by till, Oct 5, 2016.

Thread Status:
Not open for further replies.
till (Super Moderator, Staff Member, ISPConfig Developer):

    There are many threads that deal with problems generating SSL certificates with Let’s Encrypt, so I start a FAQ here. Please read the whole post when you are having trouble.

    Why does Let’s Encrypt not create an SSL cert?
    Let’s Encrypt verifies your server by downloading an individual token from each domain of the website, including auto-subdomains, subdomains, and alias domains. If one of these domains or subdomains is unreachable (no DNS, wrong DNS, closed firewall, etc.), then Let's Encrypt will refuse to create the SSL cert.

    Why does Let’s Encrypt in ISPConfig get disabled automatically?
    When the creation of the SSL certificate through Let’s Encrypt fails, the Let’s Encrypt and SSL checkboxes get disabled in the settings of your website.

    What can I do if SSL certificate creation with Let’s Encrypt for a website fails?
    1. Check that you have a Let’s Encrypt client installed. On servers installed before the release of ISPConfig 3.2, this is most likely certbot. On servers installed after the release, it's most likely acme.sh.
    2. Check that the Let's Encrypt client 'certbot' is updated (when using certbot). If your system is using acme.sh, then ISPConfig takes care of the acme.sh update automatically.
    3. Check that you run the latest ISPConfig version.
    4. When your server is behind a NAT router or a firewall so that the server itself cannot reach the hosted domains, then enable the option "Skip Letsencrypt check" under System -> Server config -> server1.example.com -> Web.
    5. If you are using a Cloudflare proxy, you cannot get a Let's Encrypt SSL cert. Using Cloudflare DNS (without the proxy function enabled) is fine, though.
    6. Check that all domain names (incl. auto subdomain www etc.), subdomains, and alias domains really point to the right website in DNS and are working. Open one after another in your browser and test that. You might also want to check DNS records and servers of that domain using a DNS test tool like intodns.com for inconsistencies. If the domain also has IPv6 (AAAA) records, then your system must be reachable by IPv6 and not just IPv4.
    7. Ensure that all websites of the server use either * in the IPv4 field or the IP address. Do not mix * and IP on a system, as an IP is a stronger match than * and will cause traffic to get redirected from sites that use * to the sites that use an IP. Generally, it's recommended to use * for all sites.
    8. If you still use Apache 2.2, then update your ISPConfig to the latest version with the ispconfig_update.sh script to get an updated vhost template. After you do that, use Tools > Resync to apply the new template to all sites, or apply it to a single site by altering a value in the site settings and pressing save, before you try to activate Let’s Encrypt again. This is only necessary on Apache 2.2 systems. Newer Apache 2.4 or nginx systems are not affected.
    9. If you updated from ISPConfig < 3.1 to ISPConfig > 3.1 and deselected the "Reconfigure services" option during the update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ISPConfig Apache configuration files. Redo the update with the command "ispconfig_update.sh --force" and choose to reconfigure services in that case.
    10. Check that the 'Server Migration Mode' option under System > Server Config is not enabled, as migration mode disables the creation of new Let's Encrypt certificates.

    What if I did not get a Let's Encrypt cert for the server hostname during ISPConfig installation?
    First, check if your system meets the prerequisites to get a Let's Encrypt certificate. The mail system certificate is issued for the hostname. You can see the hostname of your system with this command:

    Code:
    hostname -f
    This hostname must exist in DNS, point to your server, and must be accessible from the internet on port 80. So check the DNS record for the hostname first and ensure you do not block port 80 with a firewall.

    Then, you can redo the SSL cert creation for the system-wide SSL cert at any time using the following command:

    Code:
    ispconfig_update.sh --force
    During the ISPConfig update, choose to reconfigure services and later choose to create a new SSL certificate when the updater asks. If you still do not get a Let's Encrypt certificate for the system hostname, then check the acme.sh or certbot log files (see the chapter above on website SSL cert issues for details, too).

    Where do I find detailed error messages?
    You can find the log files here when using certbot: /var/log/letsencrypt
    When using acme.sh, they can be in /var/log/ispconfig/acme.log or /root/.acme.sh/acme.sh.log
    If you need further help, post the relevant log excerpt for the certificate that can't get issued in the forum.

    What if the above steps don't help?
    Enable the ISPConfig debug mode by following the steps from this guide:
    https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    After doing so, enable Let's Encrypt for the website and run the server.sh script manually. Post the debug output in the forum if you cannot identify the issue yourself.
    Don't forget to re-enable the server.sh cronjob when your problem is resolved.

    Last edited: Jan 23, 2024
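Items 4 to 6 of the checklist above boil down to three things the HTTP-01 validation needs from every name on the certificate (the domain, the auto-subdomain, subdomains and alias domains): the name must resolve, every A and AAAA address must belong to this server (so a Cloudflare proxy address or a stale record fails), and port 80 must answer. The following pre-flight script is an added example and is not part of till's post or of ISPConfig itself; it assumes the site's domains and the server's public IPv4/IPv6 addresses are given on the command line, and it probes a path under /.well-known/acme-challenge/ that does not exist, so a 404 counts as healthy (only a failed connection is a problem).

```python
#!/usr/bin/env python3
"""Pre-flight check for Let's Encrypt HTTP-01 validation of an ISPConfig website.

Constructed example, not ISPConfig code. For each hostname the certificate
will cover it checks that the name resolves, that every A/AAAA address belongs
to this server, and that port 80 answers an HTTP request.
"""
import http.client
import socket
import sys

# Assumption: this path does not exist on the site, so a 404 is the expected,
# healthy answer; what matters is that the web server on port 80 answers at all.
PROBE_PATH = "/.well-known/acme-challenge/preflight-probe"


def expand_names(domain, auto_subdomain="www", subdomains=(), aliases=()):
    """All names Let's Encrypt will validate: domain, auto-subdomain, subdomains, aliases."""
    names = [domain]
    if auto_subdomain:
        names.append(f"{auto_subdomain}.{domain}")
    names.extend(subdomains)
    names.extend(aliases)
    seen, result = set(), []
    for name in names:
        name = name.lower().rstrip(".")
        if name not in seen:            # de-duplicate, keep order
            seen.add(name)
            result.append(name)
    return result


def resolve(name):
    """Return {'A': [...], 'AAAA': [...]} from the system resolver (empty lists if unresolvable)."""
    records = {"A": [], "AAAA": []}
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP):
            rtype = "A" if family == socket.AF_INET else "AAAA"
            if sockaddr[0] not in records[rtype]:
                records[rtype].append(sockaddr[0])
    except socket.gaierror:
        pass
    return records


def evaluate(name, records, server_ips):
    """Pure check: return a list of problems for one name, given its DNS records
    and the set of public IPv4/IPv6 addresses that belong to this server."""
    if not records["A"] and not records["AAAA"]:
        return [f"{name}: no A or AAAA record, name does not resolve"]
    problems = []
    for rtype in ("A", "AAAA"):
        for ip in records[rtype]:
            if ip not in server_ips:
                hint = (" (Cloudflare proxy or wrong DNS?)" if rtype == "A"
                        else " (with an AAAA record the server must be reachable over IPv6 too)")
                problems.append(f"{name}: {rtype} record {ip} does not point to this server{hint}")
    return problems


def probe_http(name, timeout=5):
    """Return the HTTP status from port 80, or None if the connection fails."""
    try:
        conn = http.client.HTTPConnection(name, 80, timeout=timeout)
        conn.request("GET", PROBE_PATH, headers={"Host": name})
        status = conn.getresponse().status
        conn.close()
        return status
    except (OSError, http.client.HTTPException):
        return None


def preflight(domain, server_ips, **site):
    """Run the DNS and HTTP checks for every name; returns {name: [problems]}."""
    report = {}
    for name in expand_names(domain, **site):
        problems = evaluate(name, resolve(name), server_ips)
        if probe_http(name) is None:
            problems.append(f"{name}: port 80 unreachable (firewall, NAT, or vhost not listening)")
        report[name] = problems
    return report


if __name__ == "__main__":
    # usage: preflight.py example.com 203.0.113.10 2001:db8::10 -- alias.example.org ...
    if len(sys.argv) < 3:
        sys.exit("usage: preflight.py DOMAIN SERVER_IP... [-- ALIAS...]")
    args = sys.argv[1:]
    split = args.index("--") if "--" in args else len(args)
    report = preflight(args[0], set(args[1:split]), aliases=args[split + 1:])
    for name, problems in report.items():
        print(name, "OK" if not problems else "")
        for problem in problems:
            print("   ", problem)
    sys.exit(1 if any(report.values()) else 0)
```

Run it from a host outside your network when the server sits behind NAT (item 4), because in that case the server cannot reach its own domains and every probe would fail for a reason unrelated to DNS. A name that resolves to an address that is not yours, or that has an AAAA record while the server answers only over IPv4, is exactly what makes Let's Encrypt refuse the certificate and ISPConfig untick the checkboxes.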