Let's encrypt error

Discussion in 'General' started by maxlinux, Jan 16, 2021.

  1. maxlinux

    maxlinux New Member

    Hello
    I have a little problem with let's encrypt in ispconfig.
    I just installed ispcondif (stable) on a fresh debian buster (armbian buster under arm64).
    I have followed the guide of the perfect server under debian buster and it has not given me any errors.
    Then I created a new site and there I could not actvar ssl + let's encript although the domain works perfectly without ssl and the dns correctly resolves the domain.

    Investigating a bit I have seen that now for the ssl certificate acme.sh is used

    So I have tried launching it by hand and it gives me this error

    root@w2:~# /root/.acme.sh/acme.sh --issue --standalone -d r2.iesus.win --debug 2
    [Sat 16 Jan 2021 11:16:11 PM CET] Lets find script dir.
    [Sat 16 Jan 2021 11:16:11 PM CET] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Sat 16 Jan 2021 11:16:11 PM CET] _script='/root/.acme.sh/acme.sh'
    [Sat 16 Jan 2021 11:16:11 PM CET] _script_home='/root/.acme.sh'
    [Sat 16 Jan 2021 11:16:11 PM CET] Using config home:/root/.acme.sh
    [Sat 16 Jan 2021 11:16:11 PM CET] LE_WORKING_DIR='/root/.acme.sh'
    https://github.com/acmesh-official/acme.sh
    v2.8.9
    [Sat 16 Jan 2021 11:16:11 PM CET] Running cmd: issue
    [Sat 16 Jan 2021 11:16:11 PM CET] _main_domain='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:11 PM CET] _alt_domains='no'
    [Sat 16 Jan 2021 11:16:11 PM CET] Using config home:/root/.acme.sh
    [Sat 16 Jan 2021 11:16:11 PM CET] default_acme_server
    [Sat 16 Jan 2021 11:16:12 PM CET] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sat 16 Jan 2021 11:16:12 PM CET] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sat 16 Jan 2021 11:16:12 PM CET] DOMAIN_PATH='/root/.acme.sh/r2.iesus.win'
    [Sat 16 Jan 2021 11:16:12 PM CET] 'no' does not contain 'dns'
    [Sat 16 Jan 2021 11:16:12 PM CET] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Sat 16 Jan 2021 11:16:12 PM CET] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Sat 16 Jan 2021 11:16:12 PM CET] GET
    [Sat 16 Jan 2021 11:16:12 PM CET] url='https://acme-v02.api.letsencrypt.org/directory'
    [Sat 16 Jan 2021 11:16:12 PM CET] timeout=
    [Sat 16 Jan 2021 11:16:12 PM CET] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L --trace-ascii /tmp/tmp.mQ6koBnm7f -g '
    [Sat 16 Jan 2021 11:16:13 PM CET] ret='0'
    [Sat 16 Jan 2021 11:16:13 PM CET] response='{
    "7XsMF8_KmQc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "meta": {
    "caaIdentities": [
    "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
    },
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_AUTHZ
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_VERSION='2'
    [Sat 16 Jan 2021 11:16:14 PM CET] Le_NextRenewTime
    [Sat 16 Jan 2021 11:16:14 PM CET] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat 16 Jan 2021 11:16:14 PM CET] _on_before_issue
    [Sat 16 Jan 2021 11:16:14 PM CET] _chk_main_domain='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:14 PM CET] _chk_alt_domains
    [Sat 16 Jan 2021 11:16:14 PM CET] 'no' contains 'no'
    [Sat 16 Jan 2021 11:16:14 PM CET] Le_LocalAddress
    [Sat 16 Jan 2021 11:16:14 PM CET] d='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:14 PM CET] Check for domain='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:14 PM CET] _currentRoot='no'
    [Sat 16 Jan 2021 11:16:14 PM CET] Standalone mode.
    [Sat 16 Jan 2021 11:16:14 PM CET] _checkport='80'
    [Sat 16 Jan 2021 11:16:14 PM CET] _checkaddr
    [Sat 16 Jan 2021 11:16:14 PM CET] Using: ss
    [Sat 16 Jan 2021 11:16:14 PM CET] LISTEN 0 511 *:80 *:* users:(("/usr/sbin/apach",pid=15164,fd=4),("/usr/sbin/apach",pid=15163,fd=4),("/usr/sbin/apach",pid=15161,fd=4),("/usr/sbin/apach",pid=15160,fd=4),("/usr/sbin/apach",pid=15159,fd=4),("/usr/sbin/apach",pid=15135,fd=4),("/usr/sbin/apach",pid=15134,fd=4),("/usr/sbin/apach",pid=15133,fd=4),("/usr/sbin/apach",pid=15132,fd=4),("/usr/sbin/apach",pid=15131,fd=4),("/usr/sbin/apach",pid=15100,fd=4),("/usr/sbin/apach",pid=15091,fd=4))
    [Sat 16 Jan 2021 11:16:14 PM CET] tcp port 80 is already used by (("/usr/sbin/apach",pid=15164,fd=4),("/usr/sbin/apach",pid=15163,fd=4),("/usr/sbin/apach",pid=15161,fd=4),("/usr/sbin/apach",pid=15160,fd=4),("/usr/sbin/apach",pid=15159,fd=4),("/usr/sbin/apach",pid=15135,fd=4),("/usr/sbin/apach",pid=15134,fd=4),("/usr/sbin/apach",pid=15133,fd=4),("/usr/sbin/apach",pid=15132,fd=4),("/usr/sbin/apach",pid=15131,fd=4),("/usr/sbin/apach",pid=15100,fd=4),("/usr/sbin/apach",pid=15091,fd=4))
    [Sat 16 Jan 2021 11:16:14 PM CET] Please stop it first
    [Sat 16 Jan 2021 11:16:14 PM CET] _on_before_issue.

    ...so i have stopped apache2 and relaunched acme.sh.

    This time it was possible to create the ssl certificate. So I have linked in /var/www/mydomain/ssl and relaunched apache2.

    The certificate works, so I think there is a bug in ispconfig, or acme.sh that uses port 80 instead of looking for a different one.
    I put here the logs and ispconfig test


    NOTE: the server is connected to the router with fixed ip on eth0 and the router use the DMZ redirection to the server, so all ports are opened

    regards
    MaX
     
    Last edited: Jan 16, 2021
  2. maxlinux

    maxlinux New Member

    root@w2:~# cat htf_report.txt

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.2


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.3.19-1~deb10u1

    ##### PORT CHECK #####

    [WARN] Port 22 (SSH server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 15091)
    [INFO] I found the following mail server(s):
    Postfix (PID 2626)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 1381)
    [INFO] I found the following imap server(s):
    Dovecot (PID 1381)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 2333)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    ***.***.***.***:53 (1420/named)
    ***.***.***.***:53 (1420/named)
    [anywhere]:21 (2333/pure-ftpd)
    ***.***.***.***:53 (1420/named)
    [localhost]:53 (1420/named)
    [anywhere]:25 (2626/master)
    [localhost]:953 (1420/named)
    [anywhere]:993 (1381/dovecot)
    [anywhere]:995 (1381/dovecot)
    [anywhere]:587 (2626/master)
    [localhost]:11211 (1393/memcached)
    [anywhere]:2222 (1478/sshd)
    [anywhere]:110 (1381/dovecot)
    [anywhere]:143 (1381/dovecot)
    [anywhere]:465 (2626/master)
    *:*:*:*::*:21 (2333/pure-ftpd)
    *:*:*:*::*:53 (1420/named)
    *:*:*:*::*:25 (2626/master)
    *:*:*:*::*:953 (1420/named)
    *:*:*:*::*:443 (15091/apache2)
    *:*:*:*::*:8445 (7689/docker-proxy)
    *:*:*:*::*:993 (1381/dovecot)
    *:*:*:*::*:995 (1381/dovecot)
    *:*:*:*::*:3306 (1477/mysqld)
    *:*:*:*::*:587 (2626/master)
    *:*:*:*::*:2222 (1478/sshd)
    [localhost]10 (1381/dovecot)
    [localhost]935 (7717/docker-proxy)
    [localhost]43 (1381/dovecot)
    *:*:*:*::*:8080 (15091/apache2)
    *:*:*:*::*:80 (15091/apache2)
    *:*:*:*::*:8081 (15091/apache2)
    *:*:*:*::*:465 (2626/master)
    *:*:*:*::*:8082 (7703/docker-proxy)




    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DOCKER-USER all -- [anywhere]/0 [anywhere]/0
    DOCKER-ISOLATION-STAGE-1 all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    DOCKER all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    DOCKER all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain DOCKER (2 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 ***.***.***.*** tcp dpt:445
    ACCEPT tcp -- [anywhere]/0 ***.***.***.*** tcp dpt:82
    ACCEPT tcp -- [anywhere]/0 ***.***.***.*** tcp dpt:1935

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target prot opt source destination
    DOCKER-ISOLATION-STAGE-2 all -- [anywhere]/0 [anywhere]/0
    DOCKER-ISOLATION-STAGE-2 all -- [anywhere]/0 [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain DOCKER-USER (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0



    root@w2:~#
     
  3. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    ahrasis likes this.
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Putting your server in DMZ with all ports opened is not safe. For those whose servers are behind a NAT / Router, use port portforwarding and open only active ports used / suggested by ISPConfig and the passive ones as well, then enable the option "Skip Letsencrypt check" under System > Server config > web.
     
  5. maxlinux

    maxlinux New Member

    Resolved! thanks!
    Regarding the question about whether or not to use the DMZ function of the routers, it is that I prefer to use the linux firewall with an updated system, and not trust the firmware of a router that becomes obsolete in a few months.
     
    ahrasis likes this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think port forwarding is an old config that still safely works nowadays, even in the most advanced router, so whether or not your router or its firmware becomes old, to me, it doesn't matter. Anyway, that is a matter of preference, thus so long you know what you are doing, I think it should be fine.
     

Share This Page