Let’s Encrypt security lacking from bad to worse!

Discussion in 'Installation/Configuration' started by Keoz, Apr 18, 2020.

  1. Keoz

    Keoz Member

    Hi,

    *** MY ENVIRONMENT ***
    Remote VPS running distro Ubuntu 18.04 LTS

    As part of preparing the development of my emerging business, I wish to test several CMSs (indispensable IT watch because of evolving technos…). For this purpose I recently set up a test environment including new installations of ISPConfig 3, exactly the same way that I used to install it on my actual production environments (still working fine).

    But this time, I am facing “LET’S ENCRYPT” MAJOR SECURITY LACKS, to the point that for the first time I received an alert message from my hosting provider, saying that because of an attack, my VPS was put in mitigation… This lack is subsequent to the bug of the “Let’s Encrypt” setting in the ISPConfig 3 panel (as described below), which I started to point out in a previous thread. I did solve this bug once, but now I can’t anymore (as explained here below). Consequently, any app installation ends up with any browser displaying the same ERROR MESSAGE (instead of the app installation wizard…):

    *** ERROR MESSAGE ***
    This website is unaccessible
    Impossible to find server IP address for “mydomainname.com”
    DNS_PROBE_FINISHED_NXDOMAIN

    *** LET’S ENCRYPT BUG ***
    From my two most recent ISPConfig 3 panels (the last installed yesterday), I can’t achieve creating a new website with both “SSL” and “Let’s Encrypt” checked: it has now become impossible to keep the “Let's Encrypt” check box checked! This is the reason why I am asking the questions below:

    *** Q1 ***
    Would you still recommend relying on one or the other “Howtoforge tutorial” (links below) for new installations of ISPConfig?
    *** Q2 / Q3 ***
    • Does this mean that ISPConfig 3 needs to be upgraded in regard to a potential “Let’s Encrypt” tech evolution?
    • Would you say that it is now preferable to install and run “Let’s Encrypt” on my server manually…?
    Regards,
     
  2. Keoz

    Keoz Member

    Please also take a look at this content of my “Let's Encrypt” log file:

    2020-04-17 03:00:16,995:DEBUG:certbot.main:certbot version: 0.27.0
    2020-04-17 03:00:16,996:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2020-04-17 03:00:16,996:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-04-17 03:00:17,007:DEBUG:certbot.log:Root logging level set at 20
    2020-04-17 03:00:17,007:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-04-17 03:00:17,009:DEBUG:certbot.renewal:no renewal failures
    2020-04-17 07:26:00,219:DEBUG:certbot.main:certbot version: 0.27.0
    2020-04-17 07:26:00,221:DEBUG:certbot.main:Arguments: ['-q']
    2020-04-17 07:26:00,222:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-04-17 07:26:00,236:DEBUG:certbot.log:Root logging level set at 30
    2020-04-17 07:26:00,237:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-04-17 07:26:00,238:DEBUG:certbot.renewal:no renewal failures
    2020-04-17 14:40:22,711:DEBUG:certbot.main:certbot version: 0.27.0
    2020-04-17 14:40:22,712:DEBUG:certbot.main:Arguments: ['-q']
    2020-04-17 14:40:22,713:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-04-17 14:40:22,723:DEBUG:certbot.log:Root logging level set at 30
    2020-04-17 14:40:22,724:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-04-17 14:40:22,725:DEBUG:certbot.renewal:no renewal failures
    2020-04-18 03:00:10,022:DEBUG:certbot.main:certbot version: 0.27.0
    2020-04-18 03:00:10,023:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2020-04-18 03:00:10,024:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-04-18 03:00:10,033:DEBUG:certbot.log:Root logging level set at 20
    2020-04-18 03:00:10,034:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-04-18 03:00:10,035:DEBUG:certbot.renewal:no renewal failures
    2020-04-18 10:11:02,843:DEBUG:certbot.main:certbot version: 0.27.0
    2020-04-18 10:11:02,844:DEBUG:certbot.main:Arguments: ['-q']
    2020-04-18 10:11:02,845:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-04-18 10:11:02,855:DEBUG:certbot.log:Root logging level set at 30
    2020-04-18 10:11:02,856:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-04-18 10:11:02,857:DEBUG:certbot.renewal:no renewal failures
    2020-04-18 14:44:08,756:DEBUG:certbot.main:certbot version: 0.27.0
    2020-04-18 14:44:08,757:DEBUG:certbot.main:Arguments: ['-q']
    2020-04-18 14:44:08,757:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-04-18 14:44:08,766:DEBUG:certbot.log:Root logging level set at 30
    2020-04-18 14:44:08,767:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-04-18 14:44:08,768:DEBUG:certbot.renewal:no renewal failures
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The good thing first: there is neither a bug nor a security issue in what you describe. You simply have an error in your DNS which causes mydomainname.com to be unresolvable, as that's what the error message:

    Impossible to find server IP address for “mydomainname.com
    DNS_PROBE_FINISHED_NXDOMAIN

    means, and therefore it is not working; and if it does not work, then an LE cert for this non-working domain cannot be issued either, of course. When LE is not able to issue a cert because the DNS setup of that domain is faulty, then ISPConfig has to remove the LE checkbox, otherwise one might think that an LE cert was issued. So there is neither an issue with Let's Encrypt nor with ISPConfig nor with your server installation; it's just a missing or wrong DNS A-Record.

    To fix your issue, all you have to do is to configure DNS for mydomainname.com properly so that it points to the IP address of your server with a DNS A-Record.

    Yes, of course; they work pretty well, and your issue is not related to using any of these guides.

    You should install ISPConfig and certbot updates regularly anyway, so all as usual. But that's not related to your problem either.
     
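    A preflight check that mirrors till's diagnosis, written as an added example (not code from this thread, from ISPConfig or from certbot): before re-ticking the LE checkbox, verify that the domain's A record resolves to this server and that ports 80 and 443 accept connections, which is what certbot's HTTP-01 validation needs. The server IP 203.0.113.10 and the domain names are placeholders, and the resolve/connect functions are injectable so the NXDOMAIN, wrong-IP and filtered-port cases can be reproduced offline.

```python
import socket

# Constructed placeholder: the public IP(s) of this VPS (not a real address)
SERVER_IPS = {"203.0.113.10"}
REQUIRED_PORTS = (80, 443)  # 80 for the HTTP-01 challenge, 443 to serve the cert


def resolve_a(domain):
    """Return the A records of `domain` via the system resolver (real lookup)."""
    return socket.gethostbyname_ex(domain)[2]


def port_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(domain, server_ips=SERVER_IPS, resolve=resolve_a, connect=port_open):
    """Return (ok, reason). ok is True only if LE issuance has a chance to succeed."""
    try:
        ips = resolve(domain)
    except OSError:
        # socket.gaierror (NXDOMAIN) is an OSError: the browser's DNS_PROBE_FINISHED_NXDOMAIN case
        return False, "NXDOMAIN: no A record for %s; LE validation cannot reach the host" % domain
    stray = sorted(ip for ip in ips if ip not in server_ips)
    if stray:
        return False, "A record points elsewhere: %s (expected one of %s)" % (stray, sorted(server_ips))
    for ip in ips:
        for port in REQUIRED_PORTS:
            if not connect(ip, port):
                return False, "port %d on %s not reachable (filtered?); HTTP-01 challenge would fail" % (port, ip)
    return True, "DNS and ports look fine for %s; LE issuance can be retried" % domain


if __name__ == "__main__":
    # Real lookups against placeholder names; replace with your own domains
    for name in ("mydomainname.com", "www.mydomainname.com"):
        ok, reason = preflight(name)
        print("%-24s %s  %s" % (name, "OK " if ok else "FAIL", reason))
```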
  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    In addition to what @till says, might I suggest that you create an alias for root to your own email address in /etc/aliases, and then run 'newaliases'. This way, if Let's Encrypt fails to create a cert again, you should receive an email letting you know that it failed, along with exactly why it failed.

    Since you haven't seen these emails yet, I'd assume you're not checking local system mail, or configuring these aliases on any of your other servers either. So I would also suggest googling for something like 'postfix root alias' to find out why it's a good idea to set it up.
     
  5. Keoz

    Keoz Member

    Thank you, till,

    Your reply helped to partly solve the issue:
    the servers' DNS records were corrected to point to the correct IPs of both VPSs mentioned previously. However, “Let’s Encrypt” works fine for one, but remains unactivatable for the other (can’t connect to the corresponding website…).

    I dug further to find out why, and I received from a technical representative of my hosting provider the report of a test upon DNS connection to ports. The report shows that port 443 (HTTPS), port 80 (HTTP) and other ports are filtered, and the representative added the following comment:

    “A firewall is probably blocking connection to ports”

    This is the reason why I opened a new thread:
    https://www.howtoforge.com/community/threads/unexpected-firewall-behavier.84242/
     