Letsencrypt not working anymore

Hi there,
I don't exactly since when, but since some weeks, the autmated generation of Letsencrypt certificates via ISPConfig does not work anymore. When a certificate is due to renewal, the following lines are generated by the server.sh script:

Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for test1.example.com
http-01 challenge for test1.example2.com
http-01 challenge for test1.example3.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
Failed authorization procedure. test1.example.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ / test1.example.com/.well-known/acme-challenge/y3bguedb9zfaHOssW1Q23he37T4HJ2Eot5ycj7kzPwQ: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p", test1.example2.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http:/ / test1.example2.com/.well-known/acme-challenge/eY7zN4_TA_FAKm-OkLKigtMBr960xdFZkXD4v7NpS7M: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p"
finished.

(I've modified the links above to be able to post this message...)
Does anyone know, why that may occur?
Is there any way to debug it further?
Is there any way to get test certificates instead of live certs, as I'm constantly reaching Letsencrypt's rate limits during my tests?

I'm really stuck at the moment. Any hint would be very welcome.
I already searched the web, but did not find a solution which fixes this issue on my server.​

 

This part is working fine.
I can access the file but cert renewal still doesn't work.

 

Unfortunately, it does not.
I already tried that. The same error messages appear.
Could it be that the http challenge cannot be created for some reason?

 

Hello,
I'm having this same issue. getting the same error. I created the folder manually. put a hello.txt file in there. The full path is:
/var/www/clients/client7/web49/web/.well-known/acme-challenge/hello.txt (I copied the path from the terminal)
getting 404 errors. As near as I can tell the .well-known/acme-challenge folder isn't even being created. after checking the for letsencrypt on this particular site, I watched to see if the folder was ever created and it didn't seem to be as I repeatedly did a "ls .w*" while in the web folder. This is a setup that was working before, but I had to rebuild from scratch and lay in configs. I ran the php -q update from the install folder yesterday and had to redo all of the letsencrypt configs for postfix and dovecot as the reconfigure services overwrote my changes. letsencrypt works if I spin up a standalone webserver which is how I got the mail server certs working and the ispconfig console working. I also tried making the folder world writable which didn't work, either.

the system is otherwise working fine except for letsencrypt. Any help would be appreciated. Ispconfig version is 3.1.15p2

Seems to have something to do with the ".well-known" as soon as I created the path without the . in front of well-known, I can get to the hello.txt file

 

I'm assuming that I replace the test1.example.com with the actual website name? i issued "echo testing >/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt" and I get a 404 not found error. Something must be slightly wrong.

 

The file is there.
ls /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt
/usr/local/ispconfig/interface/acme/.well-known/acme-challenge/hello.txt
getting 404 errors.

I did find a .htaccess file there for wordpress and moved it out to the folder above web (/var/www/clients/client7/web50/) but still makes no difference. I then moved it up one more level into client7 and it still made no difference. nothing in the options or custom php.ini. It is set to use php7-fpm
I did some digging around in the apache conf folder and found a couple of rewrite rules in a couple of configs (specific websites and not ispconfig confs) that I commented out. I also found a letsencrypt-apache.sh that pointed to something in /var/lib and disabled it. I also found something called dehydrated.conf in the conf-available and changed it to point /usr/local/ispconfig/interface/acme/.well-known/acme-challenge and now I'm getting a forbidden error. At least it's different. Seems to me that there needs to be some sort of general alias to point to that folder, though.

 

ah. got it. disabled dehydrated which pointed things to locations it shouldn't have. Things are working, now. Thanks for all your help. It's much appreciated.

 

About the same problem here.
Enabling SSL with Let's Encrypt SSL no longer works for new domains introduced.

I mention that: domains already existing on the server automatically renew their SSL certificate.

OS - Ubuntu 18.04.3 LTS

ISPConfig version - 3.1.15p2

certbot 0.27.0

Python 2.7.15rc1

hello.txt is working

From letsencrypt log:

Domain: ...... Type: connection Detail: Fetching ...../.well-known/acme-challenge/.....: Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. 2019-11-25 04:13:16,409DEBUG:certbot.error_handler:Encountered exception: Traceback (most recent call last): File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations self._respond(aauthzrs, resp, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond self._poll_challenges(aauthzrs, chall_update, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges raise errors.FailedChallenges(all_failed_achalls) certbot.errors.FailedChallenges: Failed authorization procedure. .................(http-01): urn:ietfarams:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching ..............well-known/acme-challenge/...: Timeout during connect (likely firewall problem)

2019-11-25 04:13:16,410EBUG:certbot.error_handler:Calling registered functions 2019-11-25 04:13:16,410:INFO:certbot.auth_handler:Cleaning up challenges 2019-11-25 04:13:16,410EBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/.... 2019-11-25 04:13:16,411DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/........ 2019-11-25 04:13:16,412DEBUG:certbot.plugins.webroot:All challenges cleaned up 2019-11-25 04:13:16,412DEBUG:certbot.log:Exiting abnormally: Traceback (most recent call last): File "/usr/bin/letsencrypt", line 11, in load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')() File "/usr/lib/python3/dist-packages/certbot/main.py", line 1364, in main return config.func(config, plugins) File "/usr/lib/python3/dist-packages/certbot/main.py", line 1254, in certonly lineage = _get_and_save_cert(le_client, config, domains, certname, lineage) File "/usr/lib/python3/dist-packages/certbot/main.py", line 120, in _get_and_save_cert lineage = le_client.obtain_and_enroll_certificate(domains, certname) File "/usr/lib/python3/dist-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate cert, chain, key, _ = self.obtain_certificate(domains) File "/usr/lib/python3/dist-packages/certbot/client.py", line 334, in obtain_certificate orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names) File "/usr/lib/python3/dist-packages/certbot/client.py", line 370, in _get_order_and_authorizations authzr = self.auth_handler.handle_authorizations(orderr, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 82, in handle_authorizations self._respond(aauthzrs, resp, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 155, in _respond self._poll_challenges(aauthzrs, chall_update, best_effort) File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 226, in _poll_challenges raise errors.FailedChallenges(all_failed_achalls) certbot.errors.FailedChallenges: Failed authorization procedure. .............(http-01): urn:ietfarams:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching ............/.well-known/acme-challenge/..........: Timeout during connect (likely firewall problem)

 

Looks like the new domains do not work. Can you access your web server with the new domains from outside your local network?

 

Yes, this work ok (externally tested - with mobile wireless off and 4G on).
.... /.well-known/acme-challenge/hello.txt

 

Access is not blocked, I tested from the outside, from 4G mobile, I can access text.txt (you can also try, you have the domain in the attachment above).

 

certbot 0.27.0
Python 2.7.15rc1

But in logs i see python3 directory ! Hm...
load_entry_point('certbot==0.27.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3