LetsEncrypt Live No such file or directory

Discussion in 'Installation/Configuration' started by Chris Capitana, Jan 8, 2022.

  1. Chris Capitana

    Chris Capitana New Member

    I'm installing ISPConfig (NginX only) on Debian 10. Although I'm very new to this I got it running but I can't seem to be able to get past this:

    Code:
    [email protected]:/usr/local/ispconfig/interface/ssl# ls -l /etc/letsencrypt/live/
    ls: cannot access '/etc/letsencrypt/live/': No such file or directory
    [email protected]:/usr/local/ispconfig/interface/ssl# 
    ...and the list of the ssl folder after I tried getting new crt and key.

    Code:
    [email protected]:/usr/local/ispconfig/interface/ssl# ls
    empty.dir      ispserver.crt-220108200301.bak  ispserver.crt-220108220356.bak  ispserver.key-220108200402.bak  ispserver.key-220108220358.bak  ispserver.pem              ispserver.pem-220108220401.bak
    ispserver.crt  ispserver.crt-220108220211.bak  ispserver.key              ispserver.key-220108220216.bak  ispserver.key.secure          ispserver.pem-220108220219.bak
    So if I run:
    Code:
    [email protected]:/usr/local/ispconfig/interface/ssl# ls -l /etc/letsencrypt/live/
    ls: cannot access '/etc/letsencrypt/live/': No such file or directory
    [email protected]:/usr/local/ispconfig/interface/ssl# 
    I would expect my domain to be there? mydomain.com
    I tried to give SSL to my hostname through ISPConfig, the SSL check stays on, Let'sEncrypt just turns off after saving.
    As I understand I need to be able to do this before I can link it to ispserver.
    Code:
    ln -s /etc/letsencrypt/live/mydomain.com/privkey.pem ispserver.key
    A noob-proof answer would be highly appreciated. Thanks in advance!
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I suspect you are using acme.sh, certs are in /root/.acme.sh
     
    Chris Capitana likes this.
  3. Chris Capitana

    Chris Capitana New Member

    I think you are correct. Although I also have certbot installed with snap.
    This is in /.acme.sh
    Code:
    [email protected]:~/.acme.sh# ls
    account.conf  acme.sh  acme.sh.env  ca    deploy    dnsapi    host.<mydomain>.com  http.header    notify
    And the files in my host.<mydomain>.com folder:
    Code:
    [email protected]:~/.acme.sh# cd host.<mydomain>.com
    [email protected]:~/.acme.sh/host.<mydomain>.com# ls
    host.<mydomain>.com.conf    host.<mydomain>.com.csr  host.<mydomain>.com.csr.conf  host.<mydomain>.com.key
    [email protected]:~/.acme.sh/host.<mydomain>.com#
    
    Any thoughts on how to solve this?

    I think I should be using .acme.sh instead of certbot if I understood correctly.
    If I check the SSL certificate in the browser of my ISPConfig install it says:
    host.<mydomain>.com
    Root certificate authority
    This root certificate is not trusted
     
    Last edited: Jan 9, 2022
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Run:

    ispconfig_update.sh --force

    and let the updater recreate the SSL cert when it asks. Do not create any symlinks manually in ISPConfig SSL folder in ISPConfig 3.2 or newer. And you might want to remove certbot as you should either have certbot or acme.sh installed, but not both and acme.sh is the preferred option for new installations and also used by the ISPConfig auto installer on Debian 10 and 11: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
     
  5. Chris Capitana

    Chris Capitana New Member

    Thank you Till, this is exactly what I did. Unfortunately without success so I decided to start over with a fresh install of Debian 11 and installing ISPConfig following the perfect server guide (https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/). That worked flawlessly using auto install (with nginx option).

    Unfortunately, it didn't result in a working SSL certificate for the ISPConfig GUI (https://<my-vps-ip>:8080/). As I understood it the only additional thing I have to do is putting an A record in my registrar (Namecheap) like so:
    Type = A
    Host = host.<my-domain>.com
    Value = <my-vps-ip>
    TTL = Automatic
    Then I add a website within ISPConfig like so:
    Server = host.<my-domain>.com
    Domain = host.<my-domain>.com

    Do I miss something here? Thanks for your help!
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The A record for the hostname has to exist before installing.
     
    Chris Capitana likes this.
  7. Chris Capitana

    Chris Capitana New Member

    Ahhh okay, I wasn't aware. Thank you, so the only option I have is to wait for Namecheap to set the DNS record and then do a re-install?
    (B.t.w. I did edit the nano /etc/hosts and the nano /etc/hostname according the installation guide.)
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Or do a force upgrade with ispconfig_update.sh --force and let it create the cert.
     
    Chris Capitana likes this.
  9. Chris Capitana

    Chris Capitana New Member

    Thank you so much! I'll wait for Namecheap to be ready and then do the suggested ispconfig_update.sh --force command tomorrow.
     
  10. Chris Capitana

    Chris Capitana New Member

    Hello again,
    I did wait for Namecheap to update the DNS. After I checked that it worked I started the ispconfig_update.sh --force command and let ISPConfig recreate the SSL certificate.
    Unfortunately it didn't fully work out as expected.

    At this moment the following urls have SSL :
    https://host.<my-domain>.com (here lives my ISPConfig installation)
    https://<my-domain>.com
    The following urls don't have a working SSL:
    https://host.<my-domain>.com:8080
    https://<my-vps-ip>:8080

    I did use the command in combination with --force but during the update the output suggests that I should use it. Here is the update process starting from creating a new ISPConfig SSL certificate:

    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for host.<my-domain>.com
    Using certificate path /root/.acme.sh/host.<my-domain>.com
    Using nginx for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/host.<my-domain>.com
    [Mon Jan 10 20:09:45 UTC 2022] Domain key exists, do you want to overwrite the key?
    [Mon Jan 10 20:09:45 UTC 2022] Add '--force', and try again.
    [Mon Jan 10 20:09:45 UTC 2022] Create domain key error.
    [Mon Jan 10 20:09:45 UTC 2022] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    ...........................................................................................++++
    ...................................++++
    writing new private key to '/usr/local/ispconfig/interface/ssl/ispserver.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:NL
    State or Province Name (full name) [Some-State]:NH
    Locality Name (eg, city) []:Amsterdam
    Organization Name (eg, company) [Internet Widgits Pty Ltd]:<MyOrganisationName>
    Organizational Unit Name (eg, section) []:IT
    Common Name (e.g. server FQDN or YOUR name) []:host.<my-domain>.com
    Email Address []:[email protected]<my-domain>.com
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    
    Reconfigure Crontab? (yes,no) [yes]:
    
    Updating Crontab
    Update finished.
    [email protected]:~# reboot
    
    Looking at /var/log/ispconfig/acme.log this is some of the hopefully useful output:

    Code:
    [Mon Jan 10 20:09:45 UTC 2022] Creating domain key
    [Mon Jan 10 20:09:45 UTC 2022] Use DEFAULT_DOMAIN_KEY_LENGTH=2048
    [Mon Jan 10 20:09:45 UTC 2022] Using config home:/root/.acme.sh
    [Mon Jan 10 20:09:45 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Mon Jan 10 20:09:45 UTC 2022] Domain key exists, do you want to overwrite the key?
    [Mon Jan 10 20:09:45 UTC 2022] Add '--force', and try again.
    [Mon Jan 10 20:09:45 UTC 2022] Create domain key error.
    [Mon Jan 10 20:09:45 UTC 2022] pid
    [Mon Jan 10 20:09:45 UTC 2022] No need to restore nginx, skip.
    [Mon Jan 10 20:09:45 UTC 2022] _clearupdns
    [Mon Jan 10 20:09:45 UTC 2022] dns_entries
    [Mon Jan 10 20:09:45 UTC 2022] skip dns.
    [Mon Jan 10 20:09:45 UTC 2022] _on_issue_err
    [Mon Jan 10 20:09:45 UTC 2022] Please check log file for more details: /var/log/ispconfig/acme.log
    [Mon Jan 10 20:12:08 UTC 2022] Running cmd: upgrade
    [Mon Jan 10 20:12:08 UTC 2022] Using config home:/root/.acme.sh
    [Mon Jan 10 20:12:08 UTC 2022] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Mon Jan 10 20:12:08 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Mon Jan 10 20:12:08 UTC 2022] GET
    [Mon Jan 10 20:12:08 UTC 2022] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
    [Mon Jan 10 20:12:08 UTC 2022] timeout=
    [Mon Jan 10 20:12:08 UTC 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L '
    [Mon Jan 10 20:12:08 UTC 2022] ret='0'
    [Mon Jan 10 20:12:08 UTC 2022] Already uptodate!
    [Mon Jan 10 20:12:08 UTC 2022] Upgrade success!
    [Mon Jan 10 20:12:08 UTC 2022] Running cmd: setdefaultca
    [Mon Jan 10 20:12:08 UTC 2022] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
    
     
    Last edited: Jan 10, 2022
  11. ahrasis

    ahrasis Well-Known Member

    Clearly it says it cannot create LE certs for your server hostname fqdn and merely created self-signed certs for it.

    My best guess is that your server hostname fqdn has not been properly propagated during your running of ISPConfig installer.
     
  12. Chris Capitana

    Chris Capitana New Member

    Thank you very much @ahrasis. This problem is solved now. The only thing left is that SSL works for my ISPConfig at https://host.my-domain.com, for https://host.my-domain.com:8081/webmail and for https://another-domain.com - but not for - https://another-domain.com:8081/webmail... On the page it says:

    Code:
    NET::ERR_CERT_COMMON_NAME_INVALID
    This server could not prove that it is www.another-domain.com; 
    its security certificate is from host.my-domain.com. 
    This may be caused by a misconfiguration or an attacker 
    intercepting your connection.
    
    If I click on the SSL it says that the SSL belongs to host.my-domain.com instead of another-domain.com.
     
    Last edited: Jan 11, 2022
  13. ahrasis

    ahrasis Well-Known Member

    Depending on your web server, apache2 or nginx, there are directives you need to add to make that work for each domain in that server. Please check the related ISPConfig Perfect Server Tutorial for the how-tos as that should be covered.
     
  14. Chris Capitana

    Chris Capitana New Member

    Will do! I'm using nginx, dug around a lot today and tried some of those suggested directives in each domain, but will keep going. Thanks for your help!
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    That's to be expected as the host on port 8081 is the SSL cert of the host. Do not use other domains to connect for webmail, only use https://host.my-domain.com:8081/webmail to access webmail.
     
    Chris Capitana likes this.
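
The two certificate problems in this thread (the installer's fallback to a self-signed certificate, and the host certificate being presented for another domain on port 8081) can both be confirmed from the certificate file itself. The script below is an added example, not part of the original posts or of ISPConfig; the function names and the `*.example.test` hostnames are constructed for illustration, and the sample certificate is generated locally as a stand-in for `ispserver.crt`.

```shell
#!/bin/sh
# Added example: classify a certificate as self-signed or CA-issued and
# check whether it is valid for a given hostname. All names are hypothetical.

# is_self_signed CERT: exit 0 when subject and issuer are identical
# (heuristic for a self-signed fallback certificate).
is_self_signed() {
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ "$subject" = "$issuer" ]
}

# covers_host CERT HOSTNAME: exit 0 when the certificate names HOSTNAME.
covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# describe_cert CERT HOSTNAME: print a two-word summary, e.g. "ca-issued name-ok".
describe_cert() {
    if is_self_signed "$1"; then trust=self-signed; else trust=ca-issued; fi
    if covers_host "$1" "$2"; then name=name-ok; else name=name-mismatch; fi
    echo "$trust $name"
}

# make_sample_cert DIR: constructed self-signed certificate for
# host.example.test, standing in for the installer's fallback certificate.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=host.example.test" \
        -addext "subjectAltName=DNS:host.example.test" \
        -keyout "$1/sample.key" -out "$1/sample.crt" 2>/dev/null
}

demo() {
    dir=$(mktemp -d)
    make_sample_cert "$dir"
    # Server hostname: the name matches, but the certificate is self-signed.
    describe_cert "$dir/sample.crt" host.example.test
    # A hosted site's domain against the host certificate: name mismatch.
    describe_cert "$dir/sample.crt" www.another-domain.example.test
    rm -rf "$dir"
}
demo
```

To inspect what a running service presents rather than a file on disk, save the output of `openssl s_client -connect HOST:PORT -servername HOST </dev/null | openssl x509` to a file and pass that file to `describe_cert`.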
  16. Chris Capitana

    Chris Capitana New Member

    Ah that's why, okay, thank you @till!
     
  17. Chris Capitana

    Chris Capitana New Member

  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Which adds an SSL cert for the server hostname, exactly as ISPConfig has done it on your system. So by following Thom's guide, your webmail URL is: https://host.my-domain.com:8081/webmail and by using the ISPConfig installer, your webmail URL is: https://host.my-domain.com:8081/webmail. As you can see, it's exactly the same. The way Thom describes it was used in ISPConfig versions < 3.2 as ISPConfig was not able to create an SSL cert for the hostname on its own, the result is exactly the same as what you have now by using ISPConfig 3.2.
     
    Chris Capitana likes this.
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It is still possible to use that old guide, but for most users the built in function is sufficient. Why do you think incron is deprecated?
     
  20. Chris Capitana

    Chris Capitana New Member

    Thank you @till, I'll leave it then.

    @Th0m, https://packages.debian.org/bullseye/incron
    Code:
    [email protected]:~# apt install incron
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    Package incron is not available, but is referred to by another package.
    This may mean that the package is missing, has been obsoleted, or
    is only available from another source
    
    E: Package 'incron' has no installation candidate
     
