Let's encrypt error

Discussion in 'General' started by maxlinux, Jan 16, 2021.

  1. maxlinux

    maxlinux New Member

    Hello
    I have a little problem with Let's Encrypt in ISPConfig.
    I just installed ISPConfig (stable) on a fresh Debian buster (Armbian buster under arm64).
    I have followed the guide of the perfect server under Debian buster and it has not given me any errors.
    Then I created a new site and there I could not activate SSL + Let's Encrypt, although the domain works perfectly without SSL and the DNS correctly resolves the domain.

    Investigating a bit I have seen that now for the ssl certificate acme.sh is used

    So I have tried launching it by hand and it gives me this error:

    root@w2:~# /root/.acme.sh/acme.sh --issue --standalone -d r2.iesus.win --debug 2
    [Sat 16 Jan 2021 11:16:11 PM CET] Lets find script dir.
    [Sat 16 Jan 2021 11:16:11 PM CET] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Sat 16 Jan 2021 11:16:11 PM CET] _script='/root/.acme.sh/acme.sh'
    [Sat 16 Jan 2021 11:16:11 PM CET] _script_home='/root/.acme.sh'
    [Sat 16 Jan 2021 11:16:11 PM CET] Using config home:/root/.acme.sh
    [Sat 16 Jan 2021 11:16:11 PM CET] LE_WORKING_DIR='/root/.acme.sh'
    https://github.com/acmesh-official/acme.sh
    v2.8.9
    [Sat 16 Jan 2021 11:16:11 PM CET] Running cmd: issue
    [Sat 16 Jan 2021 11:16:11 PM CET] _main_domain='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:11 PM CET] _alt_domains='no'
    [Sat 16 Jan 2021 11:16:11 PM CET] Using config home:/root/.acme.sh
    [Sat 16 Jan 2021 11:16:11 PM CET] default_acme_server
    [Sat 16 Jan 2021 11:16:12 PM CET] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Sat 16 Jan 2021 11:16:12 PM CET] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
    [Sat 16 Jan 2021 11:16:12 PM CET] DOMAIN_PATH='/root/.acme.sh/r2.iesus.win'
    [Sat 16 Jan 2021 11:16:12 PM CET] 'no' does not contain 'dns'
    [Sat 16 Jan 2021 11:16:12 PM CET] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
    [Sat 16 Jan 2021 11:16:12 PM CET] _init api for server: https://acme-v02.api.letsencrypt.org/directory
    [Sat 16 Jan 2021 11:16:12 PM CET] GET
    [Sat 16 Jan 2021 11:16:12 PM CET] url='https://acme-v02.api.letsencrypt.org/directory'
    [Sat 16 Jan 2021 11:16:12 PM CET] timeout=
    [Sat 16 Jan 2021 11:16:12 PM CET] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L --trace-ascii /tmp/tmp.mQ6koBnm7f -g '
    [Sat 16 Jan 2021 11:16:13 PM CET] ret='0'
    [Sat 16 Jan 2021 11:16:13 PM CET] response='{
    "7XsMF8_KmQc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
    "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
    "meta": {
    "caaIdentities": [
    "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
    },
    "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
    "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
    "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
    "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_AUTHZ
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
    [Sat 16 Jan 2021 11:16:14 PM CET] ACME_VERSION='2'
    [Sat 16 Jan 2021 11:16:14 PM CET] Le_NextRenewTime
    [Sat 16 Jan 2021 11:16:14 PM CET] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Sat 16 Jan 2021 11:16:14 PM CET] _on_before_issue
    [Sat 16 Jan 2021 11:16:14 PM CET] _chk_main_domain='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:14 PM CET] _chk_alt_domains
    [Sat 16 Jan 2021 11:16:14 PM CET] 'no' contains 'no'
    [Sat 16 Jan 2021 11:16:14 PM CET] Le_LocalAddress
    [Sat 16 Jan 2021 11:16:14 PM CET] d='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:14 PM CET] Check for domain='r2.iesus.win'
    [Sat 16 Jan 2021 11:16:14 PM CET] _currentRoot='no'
    [Sat 16 Jan 2021 11:16:14 PM CET] Standalone mode.
    [Sat 16 Jan 2021 11:16:14 PM CET] _checkport='80'
    [Sat 16 Jan 2021 11:16:14 PM CET] _checkaddr
    [Sat 16 Jan 2021 11:16:14 PM CET] Using: ss
    [Sat 16 Jan 2021 11:16:14 PM CET] LISTEN 0 511 *:80 *:* users:(("/usr/sbin/apach",pid=15164,fd=4),("/usr/sbin/apach",pid=15163,fd=4),("/usr/sbin/apach",pid=15161,fd=4),("/usr/sbin/apach",pid=15160,fd=4),("/usr/sbin/apach",pid=15159,fd=4),("/usr/sbin/apach",pid=15135,fd=4),("/usr/sbin/apach",pid=15134,fd=4),("/usr/sbin/apach",pid=15133,fd=4),("/usr/sbin/apach",pid=15132,fd=4),("/usr/sbin/apach",pid=15131,fd=4),("/usr/sbin/apach",pid=15100,fd=4),("/usr/sbin/apach",pid=15091,fd=4))
    [Sat 16 Jan 2021 11:16:14 PM CET] tcp port 80 is already used by (("/usr/sbin/apach",pid=15164,fd=4),("/usr/sbin/apach",pid=15163,fd=4),("/usr/sbin/apach",pid=15161,fd=4),("/usr/sbin/apach",pid=15160,fd=4),("/usr/sbin/apach",pid=15159,fd=4),("/usr/sbin/apach",pid=15135,fd=4),("/usr/sbin/apach",pid=15134,fd=4),("/usr/sbin/apach",pid=15133,fd=4),("/usr/sbin/apach",pid=15132,fd=4),("/usr/sbin/apach",pid=15131,fd=4),("/usr/sbin/apach",pid=15100,fd=4),("/usr/sbin/apach",pid=15091,fd=4))
    [Sat 16 Jan 2021 11:16:14 PM CET] Please stop it first
    [Sat 16 Jan 2021 11:16:14 PM CET] _on_before_issue.

    ...so I have stopped apache2 and relaunched acme.sh.

    This time it was possible to create the ssl certificate. So I have linked in /var/www/mydomain/ssl and relaunched apache2.

    The certificate works, so I think there is a bug in ispconfig, or acme.sh that uses port 80 instead of looking for a different one.
    I put here the logs and the ISPConfig test.


    NOTE: the server is connected to the router with a fixed IP on eth0 and the router uses the DMZ redirection to the server, so all ports are opened.

    regards
    MaX
     
    Last edited: Jan 16, 2021
  2. maxlinux

    maxlinux New Member

    root@w2:~# cat htf_report.txt

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.2


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.3.19-1~deb10u1

    ##### PORT CHECK #####

    [WARN] Port 22 (SSH server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 15091)
    [INFO] I found the following mail server(s):
    Postfix (PID 2626)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 1381)
    [INFO] I found the following imap server(s):
    Dovecot (PID 1381)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 2333)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    ***.***.***.***:53 (1420/named)
    ***.***.***.***:53 (1420/named)
    [anywhere]:21 (2333/pure-ftpd)
    ***.***.***.***:53 (1420/named)
    [localhost]:53 (1420/named)
    [anywhere]:25 (2626/master)
    [localhost]:953 (1420/named)
    [anywhere]:993 (1381/dovecot)
    [anywhere]:995 (1381/dovecot)
    [anywhere]:587 (2626/master)
    [localhost]:11211 (1393/memcached)
    [anywhere]:2222 (1478/sshd)
    [anywhere]:110 (1381/dovecot)
    [anywhere]:143 (1381/dovecot)
    [anywhere]:465 (2626/master)
    *:*:*:*::*:21 (2333/pure-ftpd)
    *:*:*:*::*:53 (1420/named)
    *:*:*:*::*:25 (2626/master)
    *:*:*:*::*:953 (1420/named)
    *:*:*:*::*:443 (15091/apache2)
    *:*:*:*::*:8445 (7689/docker-proxy)
    *:*:*:*::*:993 (1381/dovecot)
    *:*:*:*::*:995 (1381/dovecot)
    *:*:*:*::*:3306 (1477/mysqld)
    *:*:*:*::*:587 (2626/master)
    *:*:*:*::*:2222 (1478/sshd)
    [localhost]10 (1381/dovecot)
    [localhost]935 (7717/docker-proxy)
    [localhost]43 (1381/dovecot)
    *:*:*:*::*:8080 (15091/apache2)
    *:*:*:*::*:80 (15091/apache2)
    *:*:*:*::*:8081 (15091/apache2)
    *:*:*:*::*:465 (2626/master)
    *:*:*:*::*:8082 (7703/docker-proxy)




    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DOCKER-USER all -- [anywhere]/0 [anywhere]/0
    DOCKER-ISOLATION-STAGE-1 all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    DOCKER all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0 ctstate RELATED,ESTABLISHED
    DOCKER all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0
    ACCEPT all -- [anywhere]/0 [anywhere]/0

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain DOCKER (2 references)
    target prot opt source destination
    ACCEPT tcp -- [anywhere]/0 ***.***.***.*** tcp dpt:445
    ACCEPT tcp -- [anywhere]/0 ***.***.***.*** tcp dpt:82
    ACCEPT tcp -- [anywhere]/0 ***.***.***.*** tcp dpt:1935

    Chain DOCKER-ISOLATION-STAGE-1 (1 references)
    target prot opt source destination
    DOCKER-ISOLATION-STAGE-2 all -- [anywhere]/0 [anywhere]/0
    DOCKER-ISOLATION-STAGE-2 all -- [anywhere]/0 [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain DOCKER-ISOLATION-STAGE-2 (2 references)
    target prot opt source destination
    DROP all -- [anywhere]/0 [anywhere]/0
    DROP all -- [anywhere]/0 [anywhere]/0
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain DOCKER-USER (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0



    root@w2:~#
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Putting your server in DMZ with all ports opened is not safe. For those whose servers are behind a NAT / router, use port forwarding and open only the active ports used / suggested by ISPConfig and the passive ones as well, then enable the option "Skip Letsencrypt check" under System > Server config > web.
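    As an added example (not code from this thread, from ISPConfig or from acme.sh), the script below reproduces the two checks the thread turns on: the port-80 pre-check that acme.sh --standalone performs before it prints "Please stop it first", run over the `ss` line from the debug log above, and the "open only the ports ISPConfig actually uses" advice, run over the LISTENING PORTS section of the htf_report. The sample inputs are constructed to match the shape of what was posted, and EXPECTED_PUBLIC_PORTS is an assumption for this example, not ISPConfig's official port list.

```python
import re

# Constructed sample input, in the shape of what the thread posted: the `ss` line
# that acme.sh --standalone logged (timestamp prefix included) and a few lines of
# the htf_report "LISTENING PORTS" section.
SS_DEBUG_LINE = (
    '[Sat 16 Jan 2021 11:16:14 PM CET] LISTEN 0 511 *:80 *:* '
    'users:(("/usr/sbin/apach",pid=15164,fd=4),("/usr/sbin/apach",pid=15091,fd=4))'
)

HTF_LISTENING_PORTS = """\
[anywhere]:21 (2333/pure-ftpd)
[localhost]:53 (1420/named)
[anywhere]:25 (2626/master)
[localhost]:11211 (1393/memcached)
[anywhere]:2222 (1478/sshd)
*:*:*:*::*:443 (15091/apache2)
*:*:*:*::*:3306 (1477/mysqld)
*:*:*:*::*:80 (15091/apache2)
*:*:*:*::*:8080 (15091/apache2)
"""

# Ports a typical ISPConfig web/mail/ftp host exposes. This set is an assumption
# for the example, not ISPConfig's official list; anything else listening on a
# non-loopback address is reported for review before it gets forwarded.
EXPECTED_PUBLIC_PORTS = {21, 22, 25, 53, 80, 110, 143, 443, 465, 587,
                        993, 995, 2222, 8080, 8081}

LOOPBACK = {"[localhost]", "127.0.0.1", "::1", "[::1]"}


def ss_listeners_on_port(ss_output, port):
    """Return {(program, pid), ...} bound to `port` in `ss -lntp` output.

    This mirrors the check acme.sh --standalone runs before binding port 80;
    a non-empty result is why it logged "tcp port 80 is already used by ...".
    """
    found = set()
    for raw in ss_output.splitlines():
        line = re.sub(r"^\[[^\]]*\]\s*", "", raw.strip())  # drop acme.sh timestamp
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        local_port = parts[3].rsplit(":", 1)[-1]  # works for *:80, 0.0.0.0:80, [::]:80
        if local_port != str(port):
            continue
        for prog, pid in re.findall(r'\("([^"]+)",pid=(\d+)', line):
            found.add((prog, int(pid)))
    return found


def classify_listeners(report_section):
    """Split htf_report LISTENING PORTS lines into (external, loopback) dicts of port -> program."""
    external, loopback = {}, {}
    for line in report_section.splitlines():
        m = re.match(r"^(\S+?):(\d+)\s+\((\d+)/([^)]+)\)\s*$", line.strip())
        if not m:
            continue  # header or garbled lines are skipped
        addr, port, prog = m.group(1), int(m.group(2)), m.group(4)
        target = loopback if (addr in LOOPBACK or addr.startswith("127.")) else external
        target[port] = prog
    return external, loopback


def forwarding_plan(report_section, expected=EXPECTED_PUBLIC_PORTS):
    """Return (ports_to_forward, needs_review): the router allowlist to use
    instead of a DMZ, and external listeners that are not on the expected list."""
    external, _ = classify_listeners(report_section)
    to_forward = sorted(p for p in external if p in expected)
    review = {p: prog for p, prog in external.items() if p not in expected}
    return to_forward, review


if __name__ == "__main__":
    busy = ss_listeners_on_port(SS_DEBUG_LINE, 80)
    if busy:
        print("port 80 is in use; --standalone will refuse, use webroot mode:", sorted(busy))
    fwd, review = forwarding_plan(HTF_LISTENING_PORTS)
    print("forward only these ports:", fwd)
    print("external listeners to review before exposing:", review)
```

    On the posted data the first check finds the Apache workers on port 80, which is the expected state on an ISPConfig host and the reason to let the running web server answer the challenge (acme.sh's webroot mode, `-w <dir>`, rather than `--standalone`) instead of stopping Apache. The second check turns the report's listening-port list into an explicit forwarding allowlist and flags mysqld on 3306 as bound to a non-loopback address, exactly the kind of service a DMZ would expose without anyone deciding to.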
     
  5. maxlinux

    maxlinux New Member

    Resolved! thanks!
    Regarding the question of whether or not to use the DMZ function of routers: I prefer to use the Linux firewall with an updated system, and not trust the firmware of a router that becomes obsolete in a few months.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think port forwarding is an old config that still safely works nowadays, even in the most advanced router, so whether or not your router or its firmware becomes old, to me, it doesn't matter. Anyway, that is a matter of preference, thus so long as you know what you are doing, I think it should be fine.
     