Let's Encrypt SSL certificate not installing inside ISPConfig during installation - DNS server issue

Hi, I could not manage to get the Let's Cert SSL certificate to be installed correctly within ISPConfig 3.2, in the end I gave up and I have done it externally (using the instrucions on certbot eff org). So now I have the funny result that the main website (i.e. the frontend of the domain name ISPCOnfig points to) works with an SSL certificate, but all the backend services don't (ispconfig, roundcube, phpmyadmin etc.), and they are using the auto-generated non-verified SSL certificate.
During my many attempts, I was encountering the error I saw above:
Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1
It's a DNS issue, but in all the tutorials I have found, everybody mention about checking/working on the configuration of the DNS servers, but it's not clear to me which ones. Are they talking about the ISP/Registrar DNS servers, the ISPConfig DNS area, Bind DNS configuration?
I believe that the ISP DNS servers and my ubuntu server host file are configured correctly, but I don't see why ISPconfig tries to resolve my static public IP address on 127.0.0.1.
Thanks in advance for the possible reply

 

Thank you very much for the explanation.
As far as I know, that has been done correctly, still the procedure fails within ISPConfig. Instead I have done it via certbot, which is a different procedure and it worked. With the funny result now that the website is secured, while all the services that are managed by ISPConfig and ISPConfig control panel itself, are not covered. I assume the certificate is different, and probably it's stored in a different location.
What I was not understanding, was why, when it failed, it couldn't find the public static IP address; it was reportedly not found by 127.0.0.1, I would have expected the message to mention the registrar's DNS servers. I thought of some issues between the physical server and the router (i.e. some ports not open, or configured correctly). Is there a procedure to work on the certificates, and try until it works, without having to reinstall or update ISPConfig over and over?
Thanks

 

if you have anything saying the ip it's found for your hostname is 127.0.1.1 then you don't necessarily have any dns problems.
* you may still have other dns problems, but this isn't one of them.

the only place you will find any references to 127.0.1.1 is in your /etc/hosts file.
if you have this entry in there, (make sure it is really 127.0.1.1 and not 127.0.0.1, you don't want to mess with the 127.0.0.1 entry)
then you should probably comment it out and create a new entry with your servers local ip address, along with it's hostname and fqdn.

eg assuming your server is host1 on domain2.com and it's local ip is 123.45.67.89 (it may have another public floating ip that can be re-assigned between hosts, eg 234.12.34.56)

in this case your /etc/hosts file would go from

Code:

127.0.1.1  host1 host1
127.0.0.1 localhost

to

Code:

#127.0.1.1  host1 host1
127.0.0.1 localhost

123.45.67.89  host1.domain2.com   host1

you would also add other ispconfig hosts on the same local net in here, eg:

123.45.67.90 host2.domain2.com host2
123.45.67.91 host3.domain2.com host3

this would ensure that can all contact each other using the local ip's and no going out through some front-facing firewall/lb and back in again.
you would then add the public floating ip's as A records in the dns zone. ie:
234.12.34.56 host1.domain2.com
234.12.34.57 host2.domain2.com

so that they can be reached from external locations.
these public floating ip's are also the ip's you would add to the dns for any websites you host on each parti

 

################################################################################
Thank you both for your reply, this second one is deeper into my curiosity, so I appreciate also the extra lenght in explaining.
I am going to post here my current host file and the registrar's DNS records, just in case I did not notice anything wrong (i.e. I had not seen the error message was about 127.0.1.1 and I thought it was 127.0.0.1, my bad). I will change some names and IPs just for security reasons:
/etc/hosts

127.0.0.1 localhost
#127.0.1.1 shuttle.shuttle.example.com
176.16.2.100 shuttle.shuttle.example.com shuttle

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
#fe00::0 ip6-localnet
#ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Damn! I have just discovered that what was supposed to be shuttle.example.com is, for some reason, listed as shuttle.shuttle.example.com
I wonder where that comes from, as it's nowhere written like that, and I have never written it like that, nor in the hostfile, or inside ISPConfig!

DNS Zone:

DNS ENTRY TYPE PRIORITY TTL DESTINATION/TARGET
* A xx.xxx.xxx.224
@ MX 10 shuttle.example.com.
@ A xx.xxx.xxx.224
cp A xx.xxx.xxx.224
ftp A xx.xxx.xxx.224
shuttle A xx.xxx.xxx.224
www A xx.xxx.xxx.224

I will look into what you explained and I will see how to implement it.
I have also seen that CERTBOT can provide wildcard SSL certificates, I am not sure whether ISPConfig is able to do that or not, as so far I had all the trouble I was talking about, and the result was also a self-generated SSL, which Chrome and Firefox notify me about every time.

Thanks so far, this is all very helpful

Regards

 

Hi, I've exactly the same problem. During installation I got the message: Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1
My dns records are ok (checked with mxtools and google dig).
Hosts file is like the Th0m's one
I already cleaned the ssl directory (/usr/local/ispconfig/interface/ssl) and re-launched the ispconfig_update.sh.
I'd like to know if (and how) you solved the problem. Thank you

 

Hi Thom,
I did the force update and then said yes to go on, but I just obtain a self-signen certificate.
Below the message. Any ideas?
---
Ignore DNS check and continue to request certificate? (y,n) [n]: y
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for bla.bla.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Challenge failed for domain bla.bla.com
http-01 challenge for bla.bla.com
Cleaning up challenges
Some challenges have failed.
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)
..........................................................................................................................................................................................++++
.................++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:...

 

I'd prefer not to share publicly, should I start a conversation? Other ways?

 

Hi, thank you Thom,
unfortunately, I disabled the default apache page and then run a force update, but I got the same result: Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1 and therefore a self-signed certificate

 

Hi Till,
thank you. So:
1) I changed the hosts file adding the router public IP
2) I changed ispconfig port from 8091 to 8080
3) I opened the 8080 port in the router and the 80 port to the internal machine ip
4) I cleaned the ssl folder and run again the force update.
Now it doesn't mention the "Server's public ip(s) (***.***.***.***) not found in A/AAAA records for server.example.com: 127.0.1.1" issue, but still it says: "Challenge failed for domain" and creates a self-signed certificate

 

My provider has ipv6 enabled but not assigned

 

Hi,
I eventually rebuilt the machine from scratch and everything went smoothly.

At the first attempt I had two-three problems:
1) I missed the A record
2) the port 80 was closed
3) (maybe) file hosts missing the external IP
I fixed all the issues afterwards and then run the ispconfig_update.sh (many times), with no result (always "Connection refused" in the log).
The impression is that after the first failure, the ispconfig force update for some reason couldn't succeed in releasing the certificate.
https://quickview.cloudapps.cisco.com/quickview/bug/CSCvt34984
Hope this is helpful to whoever has the same problem.

 

Hi! I Have the same issue, do you find a solution? :/