Let's Encrypt problem...

Discussion in 'Installation/Configuration' started by mumbly, Jul 25, 2017.

  1. mumbly

    mumbly Member

    Hi,
    I've been using Let's Encrypt for 4 of my websites and it works just fine.
    But it's not working for my last one.
    I've checked the SSL function and it works, but when I check the Let's Encrypt function, I wait a few seconds for the task to end and when I verify, the function is no longer checked.
    I don't understand why this particular website can't have its Let's Encrypt certificate...
    The DNS is OK and pointing to the correct IP address.
    Where should I look for the error logs?
    I run ISPConfig 3.1.6 under Ubuntu 16.04 server and I have followed the tutorial: https://www.howtoforge.com/tutorial/perfect-server-ubuntu-with-nginx-and-ispconfig-3/ ... So I run Nginx, not Apache.
    Thanks in advance for your advice.
     
  2. mumbly

    mumbly Member

    Well... I've just activated debug in ISPConfig and was able to see the error message:
    Could not verify domain www.mysite.com, so excluding it from letsencrypt request.
    I've got the exact same configuration for all my domains and for mysite.com:
    mysite.com. 0 A 89.xxx.xxx.xxx
    www.mysite.com. 0 CNAME mysite.com.
    Any idea?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Is this server behind a router, so that you can not reach a domain from an internal system? In this case you have to deactivate the letsencrypt check under System > server config > web.
     
  4. mumbly

    mumbly Member

    It's not behind a router... I thought of a firewall problem... but it all went fine for 4 other websites! So I don't think it's a firewall problem.
    I've got the problem for my last domain only.
    The website is OK, and the self-signed HTTPS is OK too.
    Here is the entire log (debug) with the real domain name:
    25-07-2017 07:01 groskuik.spacejerk.fr Warning Let's Encrypt SSL Cert for: freetorrent.fr could not be issued.
    25-07-2017 07:01 groskuik.spacejerk.fr Warning Could not verify domain www.freetorrent.fr, so excluding it from letsencrypt request.
    25-07-2017 07:01 groskuik.spacejerk.fr Warning Could not verify domain freetorrent.fr, so excluding it from letsencrypt request.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'update' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    SSL Disabled. freetorrent.fr
    Restarting php-fpm: systemctl reload php7.0-fpm.service
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'restartPHP_FPM' from module 'web_module'.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web2.conf
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Writing the vhost file: /etc/nginx/sites-available/freetorrent.fr.vhost
    Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Processed datalog_id 167
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx online status after restart is: running
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx restart return value is: 0
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Restarting httpd: systemctl restart nginx.service
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx configuration ok!
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Checking nginx configuration...
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'restartHttpd' from module 'web_module'.
    25-07-2017 07:01 groskuik.spacejerk.fr Debug nginx status is: running
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Restarting php-fpm: systemctl reload php7.0-fpm.service
    25-07-2017 07:01 groskuik.spacejerk.fr Debug Calling function 'restartPHP_FPM' from module 'web_module'.
     
  5. sjau

    sjau Local Meanie Moderator

    Hmmm, this seems to be a tell:

    Code:
    mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ 
    
    Can you check permissions there?
     
  6. mumbly

    mumbly Member

    root@groskuik:/usr/local/ispconfig/interface/acme# ls -alh
    total 12K
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 .
    drwxr-x--- 9 ispconfig ispconfig 4,0K juil. 19 14:31 ..
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 .well-known
    root@groskuik:/usr/local/ispconfig/interface/acme# cd .well-known/
    root@groskuik:/usr/local/ispconfig/interface/acme/.well-known# ls -alh
    total 12K
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 .
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 ..
    drwxr-xr-x 2 ispconfig ispconfig 4,0K juil. 25 13:01 acme-challenge
    root@groskuik:/usr/local/ispconfig/interface/acme/.well-known# cd acme-challenge/
    root@groskuik:/usr/local/ispconfig/interface/acme/.well-known/acme-challenge# ls -alh
    total 12K
    drwxr-xr-x 2 ispconfig ispconfig 4,0K juil. 25 13:01 .
    drwxr-xr-x 3 ispconfig ispconfig 4,0K juil. 19 14:31 ..
    -rwxr-xr-x 1 ispconfig ispconfig 45 juil. 21 13:03 empty.dir
     
  7. mumbly

    mumbly Member

    Well... I did it by hand and it worked like a charm:
    #letsencrypt certonly -d www.freetorrent.fr -d freetorrent.fr --agree-tos -m [email protected] --rsa-key-size 4096 --standalone
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/www.freetorrent.fr/fullchain.pem. Your cert
    will expire on 2017-10-23. To obtain a new version of the
    certificate in the future, simply run Let's Encrypt again.
    - If you like Let's Encrypt, please consider supporting our work by:
    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
     
  8. fsisti

    fsisti New Member

    I also have permission issues and cannot manually generate the certificate.
    mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    How can I fix it?
     
  9. mumbly

    mumbly Member

    Still with my "weird" problem...
    I've migrated to another server in the meantime and carefully configured my DNS (still with Ubuntu 16.04 server AMD64).
    But I still have the same problem. Maybe Let's Encrypt refuses my request because the word TORRENT is in my domain? (free - LIBRE - torrent only! :D)
    I repeat that all my other websites are OK with Let's Encrypt! It works like a charm. The only problem is for my domain freetorrent.fr.

    Here are more details about the debug and my DNS test:
    26-07-2017 11:05 groskuik.freetorrent.fr Debug mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    26-07-2017 11:05 groskuik.freetorrent.fr Warning Could not verify domain freetorrent.fr, so excluding it from letsencrypt request.
    26-07-2017 11:05 groskuik.freetorrent.fr Warning Could not verify domain www.freetorrent.fr, so excluding it from letsencrypt request.
    26-07-2017 11:05 groskuik.freetorrent.fr Warning Let's Encrypt SSL Cert for: freetorrent.fr could not be issued.
    26-07-2017 11:05 groskuik.freetorrent.fr Warning
    26-07-2017 11:05 groskuik.freetorrent.fr Debug SSL Disabled. freetorrent.fr

    dig freetorrent.fr
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> freetorrent.fr
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10355
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;freetorrent.fr. IN A

    ;; ANSWER SECTION:
    freetorrent.fr. 52883 IN A 149.91.80.125

    ;; AUTHORITY SECTION:
    freetorrent.fr. 76323 IN NS dns101.ovh.net.
    freetorrent.fr. 76323 IN NS ns101.ovh.net.

    ;; ADDITIONAL SECTION:
    dns101.ovh.net. 153 IN A 213.251.188.145
    dns101.ovh.net. 200 IN AAAA 2001:41d0:1:4a91::1

    ;; Query time: 4 msec
    ;; SERVER: 89.234.180.19#53(89.234.180.19)
    ;; WHEN: Wed Jul 26 17:12:16 CEST 2017
    ;; MSG SIZE rcvd: 151
     
  10. emcee

    emcee New Member

    I have exactly the same problem on the same setup (Ubuntu 16.04, nginx). After I upgraded to 3.1.6, I receive the same error. The permissions on dirs/files are the same.
    Before the upgrade letsencrypt worked fine. I have 3 domains successfully set up. The domain in question has resolved for at least a month now.
    Bug?
     
  11. emcee

    emcee New Member

    And I don't use torrent in the name of the domain ;).

    I'll try another domain now. I'll first have to wait for the dns to propagate.
     
  12. emcee

    emcee New Member

    Umm... another domain works without a glitch, letsencrypt install success! However, "mkdir failed..." is still in the log, so I suppose it has nothing to do with the error for the domain that failed. Debug log:


    26.07.2017-19:12 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    26.07.2017-19:12 - DEBUG - Found 2 changes, starting update process.
    26.07.2017-19:12 - DEBUG - Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
    26.07.2017-19:12 - DEBUG - Calling function 'insert' from plugin 'nginx_plugin' raised by event 'web_domain_insert'.
    26.07.2017-19:12 - DEBUG - Adding the user: web14
    26.07.2017-19:12 - DEBUG - Creating symlink: ln -s /var/www/clients/client2/web14/ /var/www/MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - Creating symlink: ln -s /var/www/clients/client2/web14/ /var/www/clients/client2/MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - exec: chown -R web14:client2 /var/www/clients/client2/web14/web/
    26.07.2017-19:12 - DEBUG - exec: chown web14:client2 /var/www/clients/client2/web14/web/
    26.07.2017-19:12 - DEBUG - exec: usermod --groups sshusers web14 2>/dev/null
    26.07.2017-19:12 - DEBUG - SSL Disabled. MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - Writing the vhost file: /etc/nginx/sites-available/MYDOMAIN.TLD.vhost
    26.07.2017-19:12 - DEBUG - Creating symlink: /etc/nginx/sites-enabled/100-MYDOMAIN.TLD.vhost->/etc/nginx/sites-available/MYDOMAIN.TLD.vhost
    26.07.2017-19:12 - DEBUG - Created AWStats config file: /etc/awstats/awstats.MYDOMAIN.TLD.conf
    26.07.2017-19:12 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web14.conf
    26.07.2017-19:12 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    26.07.2017-19:12 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
    26.07.2017-19:12 - DEBUG - nginx status is: running
    26.07.2017-19:12 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    26.07.2017-19:12 - DEBUG - Checking nginx configuration...
    26.07.2017-19:12 - DEBUG - nginx configuration ok!
    26.07.2017-19:12 - DEBUG - Restarting httpd: systemctl restart nginx.service
    26.07.2017-19:12 - DEBUG - nginx restart return value is: 0
    26.07.2017-19:12 - DEBUG - nginx online status after restart is: running
    26.07.2017-19:12 - DEBUG - Processed datalog_id 313
    26.07.2017-19:12 - DEBUG - Calling function 'ssl' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    26.07.2017-19:12 - DEBUG - Calling function 'update' from plugin 'nginx_plugin' raised by event 'web_domain_update'.
    26.07.2017-19:12 - DEBUG - mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    26.07.2017-19:12 - DEBUG - Verified domain MYDOMAIN.TLD should be reachable for letsencrypt.
    26.07.2017-19:12 - DEBUG - Verified domain www.MYDOMAIN.TLD should be reachable for letsencrypt.
    26.07.2017-19:12 - DEBUG - Create Let's Encrypt SSL Cert for: MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - Let's Encrypt SSL Cert domains: --domains MYDOMAIN.TLD --domains www.MYDOMAIN.TLD
    26.07.2017-19:12 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains MYDOMAIN.TLD --domains www.MYDOMAIN.TLD --webroot-path /usr/local/ispconfig/interface/acme
    26.07.2017-19:13 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/MYDOMAIN.TLD.conf.
    26.07.2017-19:13 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/MYDOMAIN.TLD/fullchain.pem exists.
    26.07.2017-19:13 - DEBUG - Enable SSL for: MYDOMAIN.TLD
    26.07.2017-19:13 - DEBUG - Writing the vhost file: /etc/nginx/sites-available/MYDOMAIN.TLD.vhost
    26.07.2017-19:13 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web14.conf
    26.07.2017-19:13 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    26.07.2017-19:13 - DEBUG - Restarting php-fpm: systemctl reload php7.0-fpm.service
    26.07.2017-19:13 - DEBUG - nginx status is: running
    26.07.2017-19:13 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    26.07.2017-19:13 - DEBUG - Checking nginx configuration...
    26.07.2017-19:13 - DEBUG - nginx configuration ok!
    26.07.2017-19:13 - DEBUG - Restarting httpd: systemctl restart nginx.service
    26.07.2017-19:13 - DEBUG - nginx restart return value is: 0
    26.07.2017-19:13 - DEBUG - nginx online status after restart is: running
    26.07.2017-19:13 - DEBUG - Processed datalog_id 314
    26.07.2017-19:13 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
     
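    As an added example, not ISPConfig's own code, here is a Python approximation of the reachability pre-check behind the "Verified domain ... should be reachable" and "Could not verify domain ..." lines in the log above: it drops a token into the ACME webroot from the log and fetches it back over HTTP the way an HTTP-01 validator would. The `fetch` parameter and the helper names are assumptions, chosen so the check can be exercised against a local directory instead of a live domain.

```python
import os
import secrets
import urllib.request
from typing import Callable, Iterable, List, Tuple

# Webroot ISPConfig hands to `letsencrypt --webroot-path` in the log above.
ACME_WEBROOT = "/usr/local/ispconfig/interface/acme"
CHALLENGE_DIR = ".well-known/acme-challenge"

def http_fetch(url: str, timeout: float = 10.0) -> bytes:
    """Plain HTTP GET, the same request a CA's HTTP-01 validator makes."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()

def precheck_domain(domain: str, webroot: str = ACME_WEBROOT,
                    fetch: Callable[[str], bytes] = http_fetch) -> Tuple[bool, str]:
    """Drop a random token into <webroot>/.well-known/acme-challenge/, read it
    back over http://<domain>/..., and report in ISPConfig's log wording.
    Hypothetical helper written for this example, not ISPConfig's code."""
    challenge_path = os.path.join(webroot, CHALLENGE_DIR)
    # The thread's "mkdir failed" is this step meeting an existing directory.
    os.makedirs(challenge_path, exist_ok=True)
    token = secrets.token_urlsafe(24)
    expected = secrets.token_hex(16).encode()
    token_file = os.path.join(challenge_path, token)
    try:
        with open(token_file, "wb") as fh:
            fh.write(expected)
        try:
            body = fetch(f"http://{domain}/{CHALLENGE_DIR}/{token}")
        except Exception:  # NXDOMAIN, timeout, 404, hairpin NAT, firewall...
            body = None
    finally:
        if os.path.exists(token_file):  # never leave tokens in a served dir
            os.remove(token_file)
    if body == expected:
        return True, f"Verified domain {domain} should be reachable for letsencrypt."
    return False, f"Could not verify domain {domain}, so excluding it from letsencrypt request."

def precheck_all(domains: Iterable[str], webroot: str = ACME_WEBROOT,
                 fetch: Callable[[str], bytes] = http_fetch) -> List[str]:
    """Check every name meant for the certificate (e.g. freetorrent.fr and
    www.freetorrent.fr) and return only those that would be requested."""
    verified = []
    for domain in domains:
        ok, line = precheck_domain(domain, webroot, fetch)
        print(line)
        if ok:
            verified.append(domain)
    return verified
```

    A vhost that answers 200 with some other page (a catch-all default site, for instance) fails the comparison just as an unreachable host does, which is why the check compares the body rather than the status code.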
  13. razor7

    razor7 Member

    Hi! Today I fell into this issue. I just upgraded ISPConfig to git-stable and now it fails for a site that was working just fine.

    If I tick the LetsEncrypt checkbox, it gets unchecked after the ISPConfig cron job runs. Here is the debug log; it states that mkdir failed: /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ and WARNING - Could not verify domain git.xxxx.com.ar, so excluding it from letsencrypt request.

    Complete log...
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Really strange. Please check that no part of this path is a symlink:

    /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
     
  15. razor7

    razor7 Member

    Hi @till! Reviewing the directory hierarchy I found no links and no obvious permission issues.
    Code:
    ls -la /usr/local
    drwxr-xr-x  5 root root 4096 abr 28  2016 ispconfig
    
    ls -la /usr/local/ispconfig/
    drwxr-x---  9 ispconfig ispconfig 4096 abr 28  2016 interface
    
    ls -la /usr/local/ispconfig/interface/
    drwxr-xr-x  3 ispconfig ispconfig 4096 abr 28  2016 acme
    
    ls -la /usr/local/ispconfig/interface/acme/
    drwxr-xr-x 3 ispconfig ispconfig 4096 abr 28  2016 .well-known
    
    ls -la /usr/local/ispconfig/interface/acme/.well-known/
    drwxr-xr-x 2 ispconfig ispconfig 4096 ago  3 23:33 acme-challenge
    
    ls -la /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/
    -rwxr-xr-x 1 ispconfig ispconfig  45 ago  3 21:10 empty.dir
    
    Regarding the LetsEncrypt check issue, I realized that the issue affected a particular site. If I create a new site and make it public through DNS, I get LE certs and the checks remain checked. To solve the issue with that particular site I had to erase all LE data for that site with these command lines. After this, the site got the new LE cert and the LE check remained checked...
    Before running those lines I got this in the ispconfig.log file
    Take a look at the line 03.08.2017-23:06 - DEBUG - Let's Encrypt Cert file: does not exist. The cert files were in the correct place and linked just fine!

    After removing all domain-related data from the LE folders I got
    PS: @till would you please take a look at this thread https://www.howtoforge.com/community/threads/nextcloud-and-php-fpm-as-global-alias-issues.77025/ thanks!
     
  16. kwisatz

    kwisatz New Member

    I too have the mkdir failed issue. Permissions seem fine:
    Code:
    root@server:~# ls -ld /usr/local/ispconfig/interface/acme/
    drwxr-sr-x 3 ispconfig ispconfig 4096 Aug  4 21:33 /usr/local/ispconfig/interface/acme/
    
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    That's ok and can be ignored.
     
