Let's Encrypt On Subdomains

Discussion in 'Installation/Configuration' started by olimortimer, Jan 25, 2017.

  1. olimortimer

    olimortimer Member

    I've just found an odd issue with Let's Encrypt...

    I have domain.co.uk setup, with Let's Encrypt SSL, and it was working fine.
    I then added beta.domain.co.uk, with Let's Encrypt SSL, and it made domain.co.uk redirect to beta.domain.co.uk, causing a redirect loop.

    Both had 'Auto-Subdomain' set to 'None'.

    Any ideas what could be causing this please? I'll try and do more testing, but I'm a bit reluctant because it's not a site I want to be offline.
     
  2. elmacus

    elmacus Active Member

    Both non-www and www for domains and subdomains must work when letsencrypt generates the cert.
    Check your letsencrypt log.
     
  3. sjau

    sjau Local Meanie Moderator

    And you need to have a CNAME or A record for every single (sub.)domain.tld in your DNS zone file - at least I think it's still required. So that means you can't have something like * IN A xxx.xxx.xxx.xxx and request a LE cert for xxx.domain.tld
     
  4. olimortimer

    olimortimer Member

    Re-visiting this issue. Does this mean I can't host a subdomain on my server, and the www. domain on another server, and use LetsEncrypt on it?

    I've just set up staging.domain.co.uk on my server with LE (www.domain.co.uk and domain.co.uk are on my client's server). LE runs and creates a cert, however I receive a privacy error saying the cert is from one of my other domains: anotherdomain.com
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    No. You can host subdomains on different servers.

    Ensure that 'staging.domain.co.uk' is the main domain of that website and not just an alias or subdomain, or at least, the main domain must exist and point to this server, otherwise the SSL cert will get a wrong name and will not be found.
     
  6. olimortimer

    olimortimer Member

    I've added staging.domain.co.uk as a website on my ISPConfig server, and the DNS on Cloudflare points to my server. www.domain.co.uk and domain.co.uk are hosted elsewhere. During setup, I simply checked the SSL and 'Let's Encrypt SSL' checkbox, but the cert that's created is for anotherdomain.com

    What I haven't done, and don't do for any domains, is set up DNS on ISPConfig. Would this be where the issue lies?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    No, it does not matter where you set up DNS as long as the domains exist in DNS and point to the correct server. You can use the debug mode to see why LE cannot be activated for this site.
     
  8. sjau

    sjau Local Meanie Moderator

    Also you must ensure that the actual sub-domain (e.g. xxx.domain.tld) also has an entry in the DNS zone. This can be an actual A record or CNAME, or it can be included as a wildcard entry.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    1. You must have pointed your domain.co.uk to one DNS server via nameservers for you to manage the DNS for it and its subdomains. Examples of such a DNS server are zoneedit, freedns etc.

    2. From there, you point www.domain.co.uk to another server and you point your staging.domain.co.uk to your ISPC server. You do this by providing nameservers for the www and staging subdomains or setting up their A records in this DNS server.

    3. Then you create a website and its DNS for staging.domain.co.uk in your ISPC server, and wait for it to work, i.e. be accessible from the internet. Only after that website is working can you check the SSL + LE button in its website settings page to enable LE.

    If the DNS server is your ISPC server,
    1. You point your domain.co.uk to your ISPC server via its nameservers. Note: only do this if you have two fixed IPs for your ISPC server, as that I think is the minimum requirement.

    2. You can then point your www.domain.co.uk to the other server via its DNS page config while creating staging.domain.co.uk as a website and its DNS in your ISPC server.

    3. The third step should be the same as #3 above.
     
    Last edited: Jul 12, 2017
  10. olimortimer

    olimortimer Member

    Cheers for the help guys.

    @till how do I enable debug mode for ISPC / LE please? LE creates everything, but is using the wrong domain in the cert.

    Should http://staging.domain.co.uk/.well-known/acme-challenge/<random> still be accessible after everything has been setup? Currently it shows a 404 error.

    FYI staging.domain.co.uk is a fresh setup, and only has the default pages in /var/www/staging.domain.co.uk/web and I haven't created any .htaccess etc that may be causing issues.

    @sjau and @ahrasis - to comment on the steps:

    1. domain.co.uk has its nameservers pointing to Cloudflare. Cloudflare controls the DNS for domain.co.uk
    2. domain.co.uk and www.domain.co.uk exist, and are live sites on another server, and both are accessible - same site, but non-www doesn't redirect to www, and www doesn't redirect to non-www. staging.domain.co.uk points to my ISPC server via an A record.
    3. I don't have a DNS zone setup on ISPC for the domain, as the DNS is handled by Cloudflare.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I really would appreciate it if you would at least try to find a solution first before asking :) Answering the same question at least once a day is not so funny when you have been doing this for years. Please google "debug ispconfig" and click on the first link, or click on the first (sticky) post in this forum, which explains at the end how to debug ISPConfig, or read the sticky post on debugging LE in the ISPConfig general forum.
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am not sure whether you can choose not to create DNS in your ISPC server, but did you make sure your website for staging.domain.co.uk is working, i.e. accessible publicly via the internet, before checking the SSL + LE buttons?
     
  13. olimortimer

    olimortimer Member

    Thank you @till and apologies.

    Here's the output of the log, after enabling DEBUG and enabling SSL / LE for staging.domain.co.uk:

    Code:
    12.07.2017-13:48 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    12.07.2017-13:48 - DEBUG - Found 1 changes, starting update process.
    12.07.2017-13:48 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    12.07.2017-13:48 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    12.07.2017-13:48 - DEBUG - Verified domain staging.domain.co.uk should be reachable for letsencrypt.
    12.07.2017-13:48 - DEBUG - Create Let's Encrypt SSL Cert for: staging.domain.co.uk
    12.07.2017-13:48 - DEBUG - Let's Encrypt SSL Cert domains:  --domains staging.domain.co.uk
    12.07.2017-13:48 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]  --domains staging.domain.co.uk --webroot-path /usr/local/ispconfig/interface/acme
    12.07.2017-13:48 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/staging.domain.co.uk.vhost
    12.07.2017-13:48 - WARNING - No awstats base config found. Either awstats.conf or awstats.model.conf must exist in /etc/awstats.
    12.07.2017-13:48 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web35.conf
    12.07.2017-13:48 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    12.07.2017-13:48 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
    12.07.2017-13:48 - DEBUG - Apache status is: running
    12.07.2017-13:48 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    12.07.2017-13:48 - DEBUG - Restarting httpd: systemctl restart apache2.service
    12.07.2017-13:48 - DEBUG - Apache restart return value is: 0
    12.07.2017-13:48 - DEBUG - Apache online status after restart is: running
    12.07.2017-13:48 - DEBUG - Processed datalog_id 217
    12.07.2017-13:48 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

    I check the domain again, and the SSL is still showing anotherdomain.com. Chrome output below:

    Code:
    This server could not prove that it is staging.domain.co.uk; its security certificate is from anotherdomain.com.
     
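    The browser message above can be reproduced and narrowed down from a shell. The script below is an added example (my code, not ISPConfig's and not posted by anyone in this thread): it checks what DNS currently returns for the subdomain, then performs a TLS handshake with SNI set to that name and reports which names the served certificate actually carries, using the same single-label wildcard rule browsers apply. The host staging.domain.co.uk and the address 203.0.113.10 in the usage section are placeholders. Chain verification stays on (so the server's certificate must chain to a trusted CA, which a Let's Encrypt certificate does) and only the hostname check is disabled, so a valid certificate for the wrong name is reported instead of aborting the handshake.

    ```python
    """Diagnose 'this server could not prove that it is <host>' from a shell.

    Added example; not ISPConfig code. Two offline helpers plus two network checks:
      cert_names(cert)      - DNS names a getpeercert()-style dict asserts
      cert_covers(cert, h)  - does that dict name host h (incl. one-label wildcard)
      resolved_ips(h)       - what DNS currently returns for h
      served_cert_for(h)    - the certificate the web server presents for SNI=h
    """
    import socket
    import ssl


    def _name_matches(pattern: str, host: str) -> bool:
        """Exact match, or '*.x' covering exactly one extra label (RFC 6125)."""
        pattern = pattern.lower().rstrip(".")
        host = host.lower().rstrip(".")
        if pattern == host:
            return True
        if not pattern.startswith("*."):
            return False
        head, dot, rest = host.partition(".")
        # '*.domain.co.uk' covers 'staging.domain.co.uk' but neither
        # 'domain.co.uk' nor 'a.staging.domain.co.uk'
        return bool(dot) and head != "" and rest == pattern[2:]


    def cert_names(cert: dict) -> list:
        """All DNS names the certificate asserts: SAN entries, else the subject CN."""
        sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
        if sans:
            return sans
        # Legacy certificate without SAN: browsers no longer accept these, but
        # report the CN so the mismatch is still visible
        return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


    def cert_covers(cert: dict, host: str) -> bool:
        """True if the certificate is valid for `host` by name."""
        return any(_name_matches(n, host) for n in cert_names(cert))


    def resolved_ips(host: str) -> set:
        """Addresses DNS returns for host (A and AAAA), as strings."""
        return {info[4][0] for info in socket.getaddrinfo(host, None)}


    def served_cert_for(host: str, port: int = 443, timeout: float = 5.0) -> dict:
        """TLS handshake with SNI=host; returns the peer certificate as a dict.

        Chain verification stays on (getpeercert() returns {} under CERT_NONE),
        but the hostname check is off so a valid certificate for the *wrong*
        name, the symptom in this thread, is returned rather than rejected."""
        ctx = ssl.create_default_context()
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_REQUIRED
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.getpeercert()


    def diagnose(host: str, expected_ip: str) -> list:
        """Run both network checks; returns human-readable findings (empty = OK)."""
        findings = []
        ips = resolved_ips(host)
        if expected_ip not in ips:
            findings.append(f"DNS: {host} resolves to {sorted(ips)}, expected {expected_ip}")
        cert = served_cert_for(host)
        if not cert_covers(cert, host):
            findings.append(f"TLS: server presented a certificate for {cert_names(cert)}, not {host}")
        return findings


    if __name__ == "__main__":
        # Placeholder values: substitute the real subdomain and server address
        for line in diagnose("staging.domain.co.uk", "203.0.113.10") or ["all checks passed"]:
            print(line)
    ```

    On the acme-challenge question in post 10: a 404 for an arbitrary token under /.well-known/acme-challenge/ is the normal state outside a validation run; what matters is that requests for that path are served from the webroot directory passed to letsencrypt in the debug log above, which is where the challenge file is written during issuance.
    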
  14. olimortimer

    olimortimer Member

    Yeah, staging.domain.co.uk is accessible publicly, and shows the default "Welcome to your website!" page that ISPC creates.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    The log looks fine so far.

    Are you using a custom vhost template on this server (in folder /usr/local/ispconfig/server/conf-custom/)?
    Does the created vhost configuration file of this website contain an SSL section?
     
  16. olimortimer

    olimortimer Member

    No, I don't have a custom vhost

    Code:
    /usr/local/ispconfig/server/conf-custom$ ls -la
    total 28
    drwxr-x---  6 root root 4096 Jan 23 11:20 .
    drwxr-x--- 13 root root 4096 Jun  2 03:00 ..
    -rwxr-x---  1 root root   45 Jun 29 23:35 empty.dir
    drwxr-x---  2 root root 4096 Jan 23 11:20 error
    drwxr-x---  2 root root 4096 Jan 23 11:20 index
    drwxr-x---  2 root root 4096 Jan 23 11:20 install
    drwxr-x---  2 root root 4096 Jan 23 11:20 mail
    
     
  17. olimortimer

    olimortimer Member

    /etc/apache2/sites-available/staging.domain.co.uk.vhost starts with:

    Code:
    <Directory /var/www/staging.domain.co.uk>
        AllowOverride None
        Require all denied
    </Directory>

    <VirtualHost *:80>

        DocumentRoot /var/www/clients/client1/web35/web

        ServerName staging.domain.co.uk
        ServerAdmin [email protected]

        ErrorLog /var/log/ispconfig/httpd/staging.domain.co.uk/error.log

        Alias /error/ "/var/www/staging.domain.co.uk/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html

        <IfModule mod_ssl.c>
        </IfModule>
     
  18. olimortimer

    olimortimer Member

    Ah, I think I've found the problem - in Server Config the IP Address was set to 127.0.1.1 for some reason. Setting this to the actual server IP, then disabling / re-enabling SSL and LE has solved it!

    Thanks for the help guys, and sorry for the obvious mistake during setup - I've been running the server for years, and this seems to be the only issue I've had relating to the IP not being set.
     
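Why a misconfigured address ends in the wrong certificate, as an added example (my code, not ISPConfig's): Apache picks a virtual host first by the address:port the connection arrived on and only then by ServerName / SNI. In this thread the generated vhost file had an empty `<IfModule mod_ssl.c>` block, so there was no :443 vhost for staging.domain.co.uk at all, and every HTTPS request for it was answered by the first :443 vhost Apache knew, the one carrying the anotherdomain.com certificate. A vhost bound to a loopback or otherwise non-public address (such as the 127.0.1.1 found in Server Config) fails the same way, because public requests never match it. The script below audits ISPConfig-style *.vhost files for both conditions; the directory /etc/apache2/sites-enabled and the address 203.0.113.10 in the usage section are placeholders for the server being checked.

```python
"""Audit Apache vhost files for two ways a site ends up served with the
wrong certificate (added example; not ISPConfig code):

 1. the site has a :80 vhost but no :443 vhost at all (the empty
    <IfModule mod_ssl.c> block in this thread), so HTTPS requests for it land
    on whatever :443 vhost Apache defined first;
 2. a vhost is bound to a loopback or non-public address, so requests on the
    public address never match it and fall back the same way.
"""
import ipaddress
import pathlib
import re

VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.IGNORECASE)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.IGNORECASE)
SERVERNAME = re.compile(r"^\s*ServerName\s+(\S+)", re.IGNORECASE)


def _split_addr(spec: str):
    """'203.0.113.10:443' -> ('203.0.113.10', '443'); '[::1]:80' -> ('::1', '80');
    '*:80' -> ('*', '80'); 'example.org' -> ('example.org', None)."""
    spec = spec.strip()
    if spec.startswith("["):
        host, _, rest = spec[1:].partition("]")
        return host, (rest.lstrip(":") or None)
    host, sep, port = spec.rpartition(":")
    return (host, port) if sep else (spec, None)


def parse_vhosts(text: str) -> list:
    """[(servername, [addr specs])] for each <VirtualHost> block, in file order."""
    vhosts, current = [], None
    for line in text.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            current = [None, m.group(1).split()]
            continue
        if current is None:
            continue
        m = SERVERNAME.match(line)
        if m:
            current[0] = m.group(1).lower()
        elif VHOST_CLOSE.match(line):
            vhosts.append((current[0], current[1]))
            current = None
    return vhosts


def bind_address_findings(vhosts: list, expected_ips) -> list:
    """(servername, spec, problem) for vhosts whose bind address cannot receive public traffic."""
    expected = {ipaddress.ip_address(ip) for ip in expected_ips}
    findings = []
    for name, specs in vhosts:
        for spec in specs:
            host, _port = _split_addr(spec)
            if host in ("*", "_default_"):
                continue
            try:
                ip = ipaddress.ip_address(host)
            except ValueError:
                findings.append((name, spec, "hostname instead of IP; resolved once at startup"))
                continue
            if ip.is_loopback:
                findings.append((name, spec, "bound to loopback; public requests never match it"))
            elif expected and ip not in expected:
                findings.append((name, spec, "not one of this server's public addresses"))
    return findings


def names_without_tls_vhost(vhosts: list) -> list:
    """ServerNames with a :80 vhost but no :443 vhost: HTTPS requests for them
    are answered by the first :443 vhost Apache knows, with its certificate."""
    ports = {}
    for name, specs in vhosts:
        for spec in specs:
            _host, port = _split_addr(spec)
            ports.setdefault(name, set()).add(port)
    return sorted(n for n, p in ports.items() if n and "80" in p and "443" not in p)


def audit_directory(directory, expected_ips) -> dict:
    """Run both checks over every *.vhost file (ISPConfig writes one per site)."""
    report = {}
    for path in sorted(pathlib.Path(directory).glob("*.vhost")):
        vhosts = parse_vhosts(path.read_text(errors="replace"))
        findings = bind_address_findings(vhosts, expected_ips)
        findings += [(n, "-", "no :443 vhost") for n in names_without_tls_vhost(vhosts)]
        if findings:
            report[path.name] = findings
    return report


if __name__ == "__main__":
    # Placeholder directory and public IP: adjust to the server being checked
    for fname, findings in audit_directory("/etc/apache2/sites-enabled", ["203.0.113.10"]).items():
        for name, spec, problem in findings:
            print(f"{fname}: {name} {spec}: {problem}")
```

Run it after toggling SSL / LE on a site: an empty report means every site's vhost is reachable on the public address and has a :443 section, which is the state the fix in post 18 produced.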