Let's Encrypt SSL Not Working (No errors)

Discussion in 'Installation/Configuration' started by UTF_8x, Nov 2, 2020.

Thread Status:
Not open for further replies.
  1. UTF_8x

    UTF_8x New Member

    When I check the SSL and Let's Encrypt checkboxes and save the site, I get that red circle thing for about a minute and then nothing happens. SSL doesn't get enabled, a certificate is not generated and there is nothing in the logs.

    The domain DNS is set correctly...

    Any ideas?
     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    so the red circle disappears then?

    what logs are you checking? /var/log/letsencrypt/letsencrypt.log?
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Please read and follow the FAQ for LE SSL to debug its real problem.
     
  4. Taxi

    Taxi Member

    Many thanks for your answer.
    I purged certbot, which also removed python3-certbot and other packages. /etc/letsencrypt was also removed by apt.
    acme is still installed.
    After that I gave it another try with the Let's Encrypt checkbox in ISPConfig. No certificates are created. Even the directory /etc/letsencrypt is not created.
    Do I need the certbot package?
    Kind regards
    Christian
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Install certbot according to the perfect server tutorial for your OS and then do a reconfiguration of your services with a force upgrade:
    Code:
    ispconfig_update.sh --force
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am not so sure acme.sh is using the same folder but do troubleshoot accordingly as laid out in our LE FAQ.
     
  7. Taxi

    Taxi Member

    I'm getting closer...
    I purged certbot, python3-certbot-apache and installed acme.
    Then I ran ispconfig_update.sh. Coming to the SSL Certificate part I get the following:
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    AND
    http://host.domain1.tld/.well-known/acme-challenge/qBIytxVixDtA_3tQrOsadfAE6JAf2OoO7-79234EEs [123.456.78.9]:
    Well, this file is missing under /usr/local/ispconfig/interface/acme/.well-known/acme-challenge

    [Fri 11 Dec 2020 03:09:29 PM CET] Please add '--debug' or '--log' to check more details.
    [Fri 11 Dec 2020 03:09:29 PM CET] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    Then I run on the command line:
    acme.sh --issue --domain domain1.tld --webroot --debug
    And from the command line acme runs as expected and placed the Let's Encrypt certificate into /root/.acme.sh/domain1.tld/
    Why is ISPConfig using nginx for certificate validation although I'm running ISPConfig on Apache?
     
    Last edited: Dec 11, 2020
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    That's to be expected. This file gets created by acme.sh and removed immediately after it tested for it, so you can't find that file if you search for it later.

    Why do you think that ispconfig is using nginx?
     
  9. Taxi

    Taxi Member

    Well, because it says during the ispconfig_update.sh --force:
    But ISPConfig is running on Apache; only on this part of creating the certificate does it seem to be using nginx: Using nginx for certificate validation

    Do you want to create SSL certs for your server? (y,n) [y]:

    Checking / creating certificate for sun.domain1.net
    Using certificate path /root/.acme.sh/sun.domain1.net
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using nginx for certificate validation
    [Fri 11 Dec 2020 04:53:50 PM CET] sun.domain1.net:Verify error:Invalid response from http://sun.domain1.net/.well-known/acme-challenge/R-poU1BYWHIRSFkKwV3lTtoVhqN4MapDOLb-I4Vj7eY [83.232.13.12]:
    [Fri 11 Dec 2020 04:53:50 PM CET] Please add '--debug' or '--log' to check more details.
    [Fri 11 Dec 2020 04:53:50 PM CET] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ...................................++++
    ..............................................................................++++
    e is 65537 (0x010001)
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    It's a bit complicated to help you when you do not post the full output of the update. Please run this command as root user on the shell of the server:

    which nginx

    and post the result.
     
  11. Taxi

    Taxi Member

    /usr/sbin/nginx
    which apache2
    /usr/sbin/apache2
    I have them installed both, but running only apache.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    That's the reason for your problem. If you don't use nginx, then don't install it, see ISPConfig perfect server guides for a correct and working ISPConfig setup. Uninstall nginx and then run the updater in force mode again.
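    A check for the two things this thread turned on in posts 7 to 12: which web server binary the installer finds (what `which nginx` answered) versus which process actually serves port 80, and whether the acme-challenge path can be fetched by hand, since acme.sh removes its own token right after validation. This is an added diagnostic, not code from ISPConfig, acme.sh or any poster; the function names, the probe token and the sample `ss -ltnp` layout are my assumptions, and the webroot path is the one named in post 7.

```shell
# Added diagnostic (not ISPConfig's or acme.sh's own code): compare the web server
# binaries on PATH, which is what `which nginx` reports, with the process actually
# bound to port 80, and stage a probe token on the HTTP-01 challenge path.
# Name of the process listening on PORT, parsed from `ss -ltnp` text on stdin.
listener_on_port() {
    local port="$1" line
    while IFS= read -r line; do
        case "$line" in
            *":$port "*"users:"*)
                line="${line#*'users:(("'}"     # keep text after users:(("
                printf '%s\n' "${line%%\"*}"    # process name up to closing quote
                return 0 ;;
        esac
    done
    return 1
}

# Web server binaries installed on this host, one per line.
installed_webservers() {
    local bin
    for bin in apache2 httpd nginx; do
        command -v "$bin" >/dev/null 2>&1 && printf '%s\n' "$bin"
    done
    return 0
}

# 0 when installed binaries and the :80 listener agree; 1 on the mismatch from
# this thread (nginx binary installed, apache2 serving).
validator_consistent() {
    case "$1" in
        *nginx*) [ "$2" = nginx ] ;;
        *)       [ "$2" = apache2 ] || [ "$2" = httpd ] ;;
    esac
}

# Write a throw-away token under WEBROOT/.well-known/acme-challenge and print its
# URL; acme.sh deletes its own token right after validation, so test the path with this.
stage_probe_token() {
    local webroot="$1" host="$2" token="ispconfig-probe-$$"
    mkdir -p "$webroot/.well-known/acme-challenge" || return 1
    printf '%s\n' "$token" > "$webroot/.well-known/acme-challenge/$token" || return 1
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$host" "$token"
}
if [ "${1:-}" = --run ]; then   # live checks; webroot is the path named in post 7
    installed=$(installed_webservers)
    serving=$(ss -ltnp 2>/dev/null | listener_on_port 80 || true)
    printf 'installed: %s\nlistening on :80: %s\n' "$(echo $installed)" "${serving:-none}"
    validator_consistent "$installed" "$serving" || echo "MISMATCH: uninstall the web server you do not run"
    stage_probe_token /usr/local/ispconfig/interface/acme "$(hostname -f)"
fi
```

Run it as root with `--run`, then fetch the printed URL from outside the server over plain HTTP; a 404 there is the same failure acme.sh reports as "Invalid response".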
     
  13. Taxi

    Taxi Member

    Many thanks. I purged nginx-core and the other nginx packages and did ispconfig_update.sh --force
    Here is the result:

    Reconfigure Services? (yes,no,selected) [yes]:
    Configuring Postfix
    Configuring Dovecot
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:

    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for sun.rothmedia.net
    Using certificate path /root/.acme.sh/sun.rothmedia.net
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using apache for certificate validation
    [Sat 12 Dec 2020 12:37:39 PM CET] sun.rothmedia.net:Verify error:Invalid response from http://sun.rothmedia.net/.well-known/acme-challenge/PzjWJX-CHOILTjF8nl5utgjF8dqV9hat7TETKzgR92c [85.25.213.11]:
    [Sat 12 Dec 2020 12:37:39 PM CET] Please add '--debug' or '--log' to check more details.
    [Sat 12 Dec 2020 12:37:39 PM CET] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ................++++
    ............................................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

  15. Taxi

    Taxi Member

    Apache is running, because I can see the index.html of some of the domains if not https.
    ISPConfig was running under https://rothmedia.net:8080, and also roundcube was running.
    During this process of trying to fix the letsencrypt issue, ISPConfig is not running any more. Now I get the SSL_ERROR_RX_RECORD_TOO_LONG error.

    Many, many thanks for looking for me into this issue!

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux bullseye/sid

    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.1


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.4.11

    ##### PORT CHECK #####

    [WARN] Port 8080 (ISPConfig) seems NOT to be listening
    [WARN] Port 21 (FTP server) seems NOT to be listening

    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 237812)
    [INFO] I found the following mail server(s):
    Postfix (PID 237650)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 237795)
    [INFO] I found the following imap server(s):
    Dovecot (PID 237795)
    [WARN] I could not determine which ftp server is running.

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    ***.***.***.***:53 (237846/named)
    [localhost]:53 (237846/named)
    [anywhere]:22 (733/sshd:)
    [localhost]:953 (237846/named)
    [anywhere]:25 (237650/master)
    [anywhere]:993 (237795/dovecot)
    [anywhere]:995 (237795/dovecot)
    [localhost]:10023 (1332/postgrey)
    [localhost]:10024 (237686/amavisd-new)
    [localhost]:10025 (237650/master)
    [localhost]:10026 (237686/amavisd-new)
    [localhost]:3306 (236569/mariadbd)
    [localhost]:10027 (237650/master)
    [anywhere]:587 (237650/master)
    [localhost]:11211 (626/memcached)
    [anywhere]:110 (237795/dovecot)
    [anywhere]:143 (237795/dovecot)
    [anywhere]:465 (237650/master)
    *:*:*:*::*fab1:56ff:feb7:53 (237846/named)
    *:*:*:*::*:53 (237846/named)
    *:*:*:*::*:22 (733/sshd:)
    *:*:*:*::*:25 (237650/master)
    *:*:*:*::*:953 (237846/named)
    *:*:*:*::*:443 (237812/apache2)
    *:*:*:*::*:993 (237795/dovecot)
    *:*:*:*::*:995 (237795/dovecot)
    *:*:*:*::*:10024 (237686/amavisd-new)
    *:*:*:*::*:10026 (237686/amavisd-new)
    *:*:*:*::*:587 (237650/master)
    [localhost]10 (237795/dovecot)
    [localhost]43 (237795/dovecot)
    *:*:*:*::*:80 (237812/apache2)
    *:*:*:*::*:8081 (237812/apache2)
    *:*:*:*::*:465 (237650/master)




    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-sshd (1 references)
    target prot opt source destination
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    REJECT all -- ***.***.***.*** [anywhere]/0 reject-with icmp-port-unreachable
    RETURN all -- [anywhere]/0 [anywhere]/0
     
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Your server FQDN must be a sub domain, not top domain, as per the ISPConfig manual and tutorials.
     
  17. Taxi

    Taxi Member

    Yes, it is sun.rothmedia.net.
    Now the ispconfig site is not showing any more. I get the apache2/error.log with this:
    [Sat Dec 12 22:50:52.221802 2020] [mpm_prefork:notice] [pid 280415] AH00170: caught SIGWINCH, shutting down gracefully
    [Sat Dec 12 22:50:52.273190 2020] [suexec:notice] [pid 289369] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
    [Sat Dec 12 22:50:52.325457 2020] [mpm_prefork:notice] [pid 289371] AH00163: Apache/2.4.46 (Debian) mod_fcgid/2.3.9 OpenSSL/1.1.1h mod_perl/2.0.11 Perl/v5.32.0 configured -- resuming normal operations
    [Sat Dec 12 22:50:52.325505 2020] [core:notice] [pid 289371] AH00094: Command line: '/usr/sbin/apache2'

    I'm sorry to bother you, but I don't understand why it was working before and now because of the certificate with letsencrypt the whole site is not working any more.

    Many, many thanks for helping me!
     
  18. Taxi

    Taxi Member

    Is there an advantage to using nginx or apache?
    What is your experience?
     
  19. Taxi

    Taxi Member

    I found out that the 443 part in ispconfig.vhost is missing. That would explain why the login page of ISPConfig is not shown.
    How can this be? An ispconfig_update.sh --force finishes correctly if I use it to generate a self-signed certificate, because of the issues I have with a letsencrypt certificate.
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Your problems may be due to running ISPConfig on an unsupported OS.
    Only run testing versions of software if you are willing to contribute code and test broken code.
    It may not be possible to downgrade to Debian 10. I would start fresh and install Debian 10 and ISPConfig from scratch.
     