Let's Encrypt SSL Cert for: could not be issued

Discussion in 'ISPConfig 3 Priority Support' started by elmacus, Nov 16, 2016.

  1. elmacus

    elmacus Active Member

    Hi.
    Creating Let's Encrypt certs works for new domains.
    When testing on an old domain with a previous self-signed cert, we get two emails with error codes:
    1.
    15.11.2016-15:59 - WARNING - Falsche Anfrage / Wrong QuerySQL-Query = UPDATE web_domain SET `ssl` = 'n', `ssl_letsencrypt` = 'n' WHERE `domain` = 'xxxxx.xx' -> 1143 (UPDATE command denied to user 'ispcsrv16'@'multiserver.hidden' for column 'ssl' in table 'web_domain')
    2.
    15.11.2016-15:59 - WARNING - Let's Encrypt SSL Cert for: xxxxx.xx could not be issued.
    Both emails are sent by the node, not the master. The ispcsrv16 user exists only on the master.
    No certificate is created in /ssl nor in /etc/letsencrypt/live/.
    This is a multiserver setup with 3.1.1p1 latest + Debian Jessie.
    Does anyone have a clue how to fix this?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Maybe you did not choose "reconfigure permissions in master database" while updating the slaves to ISPConfig 3.1? Run an ISPConfig update on a slave again and select this option during the update; it should fix the issue for all servers.
     
  3. elmacus

    elmacus Active Member

    Actually I did once. Now I reran the update and the first error email is gone, strange.
    Found the problem in the debug log now: the domain had two domain aliases that were not set up correctly in DNS (due to testing).
    I never thought that Let's Encrypt also tried to create a cert for aliases.
    Case closed.
     
  4. elmacus

    elmacus Active Member

    Actually, the DNS was set correctly; I guess that Let's Encrypt failed when it tried to register the extra domain name. Then I added the alias, deactivated Let's Encrypt, activated Let's Encrypt, and it still worked. (Firefox warns on some of the aliases ofc.)
    So this needs some more testing to be sure how it works.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig adds all aliases and subdomains that exist for this website to an SSL cert when you activate Let's Encrypt.
     
  6. elmacus

    elmacus Active Member

    Regarding "Reconfigure Permissions", it looks like it MUST be run on every server in a multiserver setup upgraded to 3.1.1 (just for the record, in case other people look here).
    In 3.0.5 the instructions were to run it once in a multiserver setup, on one slave.
    I guess it can't hurt to run it every time just to be sure (if there are some new columns).
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Running it on one server should fix all servers (at least this was the case in 3.0.5. and I'm not aware that this code has been changed), but it does not hurt to run it on each server to be sure.
     
  8. elmacus

    elmacus Active Member

    I have lots of different warnings from all our servers like this, so after reconfiguring permissions, they won't come back:
    WARNING - Falsche Anfrage / Wrong QuerySQL-Query = DELETE FROM mail_backup WHERE server_id = 19 AND parent_domain_id = 'xxx' AND mailuser_id = 'xxx' -> 1142 (DELETE command denied to user 'ispcsrv19'@'xxx' for table 'mail_backup')
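
Added example, not part of the original thread and not ISPConfig code: a Python sketch that reads warning lines in the format quoted above and lists which server database user was refused which statement on which table or column, so the nodes whose master-database grants are incomplete can be seen at a glance. The function names are hypothetical and the sample lines are constructed, with placeholder domain, hosts and ids.

```python
import re
from collections import defaultdict

# MySQL error 1142 (table-level) and 1143 (column-level) denials, in the
# format of the warning mails quoted in this thread.
DENIED = re.compile(
    r"-> (?P<errno>1142|1143) \((?P<cmd>[A-Z ]+?) command denied to user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' for "
    r"(?:column '(?P<column>[^']*)' in )?table '(?P<table>[^']*)'\)"
)

# Constructed sample lines (domain, hosts and ids are placeholders).
SAMPLE = [
    "15.11.2016-15:59 - WARNING - Falsche Anfrage / Wrong QuerySQL-Query = "
    "UPDATE web_domain SET `ssl` = 'n', `ssl_letsencrypt` = 'n' WHERE "
    "`domain` = 'example.test' -> 1143 (UPDATE command denied to user "
    "'ispcsrv16'@'node1.example.test' for column 'ssl' in table 'web_domain')",
    "15.11.2016-15:59 - WARNING - Let's Encrypt SSL Cert for: example.test "
    "could not be issued.",
    "WARNING - Falsche Anfrage / Wrong QuerySQL-Query = DELETE FROM "
    "mail_backup WHERE server_id = 19 AND parent_domain_id = '1' AND "
    "mailuser_id = '2' -> 1142 (DELETE command denied to user "
    "'ispcsrv19'@'node2.example.test' for table 'mail_backup')",
]


def missing_privileges(lines):
    """Return {(user, host): {table: {(command, column_or_None), ...}}}."""
    report = defaultdict(lambda: defaultdict(set))
    for line in lines:
        m = DENIED.search(line)
        if m is None:
            continue  # not a privilege denial (e.g. the Let's Encrypt warning)
        # Sanity check: 1143 must name a column, 1142 must not.
        if (m["errno"] == "1143") != (m["column"] is not None):
            continue
        report[(m["user"], m["host"])][m["table"]].add((m["cmd"], m["column"]))
    return {account: dict(tables) for account, tables in report.items()}


def format_report(report):
    """One line per account and table: the statements that were refused."""
    out = []
    for (user, host), tables in sorted(report.items()):
        for table, denials in sorted(tables.items()):
            what = ", ".join(f"{c} ({col})" if col else c
                             for c, col in sorted(denials, key=str))
            out.append(f"{user}@{host}: {table}: {what}")
    return out


if __name__ == "__main__":
    print("\n".join(format_report(missing_privileges(SAMPLE))))
```

Accounts that appear in this report are the ones for which the thread's fix applies: rerun the ISPConfig update and select "reconfigure permissions in master database".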
     
