Letsencrypt not working - apache2-issue? (debian 8, ISPC 3.1.2)

Discussion in 'Installation/Configuration' started by muelli75, Mar 4, 2017.

  1. muelli75

    muelli75 Member HowtoForge Supporter

    Hi!

    I'm trying to set up a new environment (Debian Jessie) for multi-domain hosting. The base is done, now up for setting up ISPConfig 3.1.2.

    The basics are done, but now I'm trying to use LetsEncrypt, and this runs into trouble. The software:

    letsencrypt:all/jessie-backports 0.9.3-1~bpo8+2 uptodate
    letsencrypt.sh:all/jessie-backports 0.3.1-3~bpo8+1 uptodate
    letsencrypt.sh-apache2:all/jessie-backports 0.3.1-3~bpo8+1 uptodate
    certbot:all/jessie-backports 0.9.3-1~bpo8+2 uptodate
    python-certbot:all/jessie-backports 0.9.3-1~bpo8+2 uptodate


    If I try to install a certificate on a domain, it fails. Here are the last lines of /var/log/letsencrypt/letsencrypt.log (the domain name is replaced by FQDN, the IP is replaced by 0.0.0.0; both values are correct in the original log; www is replaced by 3timesw because of forum limitations).
    -------------
    2017-03-04 15:13:07,951:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1837', 'Expires': 'Sat, 04 Mar 2017 15:13:07 GMT', 'Boulder-Request-Id': '2_L56uXxlksQUmrxwCej2NfIMeaPsx3kV0q9KGIiT2U', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sat, 04 Mar 2017 15:13:07 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9K-N1NiCyNcTMpb1P0dEi9RTyP-yQ8qVFzSlJvkf-30'}): '{\n "identifier": {\n "type": "dns",\n "value": "FQDN.at"\n },\n "status": "invalid",\n "expires": "2017-03-11T15:13:03Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490150",\n "token": "JrpnPQ032WsNKv-8SGd5DlWd8-_jGtPyYwTzY1zt_hc"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490151",\n "token": "y0kf9J4DnXDbwr0daI49PXUvyVbJ3bb4_X8iBLVc4Ww"\n },\n {\n "type": "http-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:unauthorized",\n "detail": "Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: \\"\\u003c!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\"\\n \\"3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"\\u003e\\n\\u003cht\\"",\n "status": 403\n },\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490152",\n "token": "Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw",\n "keyAuthorization": "Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw.fdbOPairyNMFtrUe2okKB8okxfEZoY7ZTF3cfVcJqy8",\n "validationRecord": [\n {\n "url": 
"FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw",\n "hostname": "FQDN.at",\n "port": "80",\n "addressesResolved": [\n "0.0.0.0"\n ],\n "addressUsed": "0.0.0.0"\n }\n ]\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
    2017-03-04 15:13:07,952:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:

    Domain: 3timesWFQDN.at
    Type: unauthorized
    Detail: Invalid response from 3timesWFQDN.at/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    Domain: FQDN.at
    Type: unauthorized
    Detail: Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"

    To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
    2017-03-04 15:13:07,952:INFO:certbot.auth_handler:Cleaning up challenges
    2017-03-04 15:13:07,952:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw
    2017-03-04 15:13:07,952:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M
    2017-03-04 15:13:07,953:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    2017-03-04 15:13:07,953:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
    2017-03-04 15:13:07,954:DEBUG:certbot.main:Exiting abnormally:
    Traceback (most recent call last):
    File "/usr/bin/letsencrypt", line 9, in <module>
    load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
    File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 100, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
    File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 281, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
    File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
    File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
    FailedChallenges: Failed authorization procedure. 3timesWFQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 3timesWFQDN.at/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht", FQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <ht"
    -------------
    Another strange thing is found in /var/log/apache2/error.log. Maybe these things have something in common.
    ---------

    [Sat Mar 04 16:13:09.387850 2017] [:error] [pid 17655] python_init: Python version mismatch, expected '2.7.5+', found '2.7.9'.
    [Sat Mar 04 16:13:09.387899 2017] [:error] [pid 17655] python_init: Python executable found '/usr/bin/python'.
    [Sat Mar 04 16:13:09.387901 2017] [:error] [pid 17655] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
    [Sat Mar 04 16:13:09.387911 2017] [:notice] [pid 17655] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
    [Sat Mar 04 16:13:09.387913 2017] [:notice] [pid 17655] mod_python: using mutex_directory /tmp
    [Sat Mar 04 16:13:09.393183 2017] [ssl:warn] [pid 17655] AH01906: monarch.FQDN2.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
    [Sat Mar 04 16:13:09.393221 2017] [ssl:error] [pid 17655] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=monarch.FQDN2.at,O=XXX,L=Wiener Neustadt,ST=NOE,C=AT / issuer: CN=monarch.FQDN2.at,O=XXX,L=Wiener Neustadt,ST=NOE,C=AT / serial: A00BCDDD9B2AE815 / notbefore: Feb 26 15:57:41 2017 GMT / notafter: Feb 24 15:57:41 2027 GMT]
    [Sat Mar 04 16:13:09.393223 2017] [ssl:error] [pid 17655] AH02567: Unable to configure certificate monarch.FQDN2.at:8080:0 for stapling
    [Sat Mar 04 16:13:09.395829 2017] [mpm_prefork:notice] [pid 17655] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 mod_python/3.3.1 Python/2.7.9 OpenSSL/1.0.1t configured -- resuming normal operations
    [Sat Mar 04 16:13:09.395842 2017] [core:notice] [pid 17655] AH00094: Command line: '/usr/sbin/apache2'
    ---
    Thank you for taking time to read this and thanks for all your answers.

    Best regards,
    martin
     
    Last edited: Mar 5, 2017
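The log above shows the http-01 validation failing because the challenge URL returned an HTML document ("<!DOCTYPE html ...") instead of the key authorization that certbot had just written below /usr/local/ispconfig/interface/acme/. The following pre-flight check is an added example, not part of this thread and not certbot's own code: it does the same fetch the CA does, placing a token file in a webroot and then verifying that the web server returns exactly that body at /.well-known/acme-challenge/<token>, so "served the token" and "served some default page" can be told apart before asking the CA. Everything it talks to is a throwaway local server started inside the script; the handler classes, the temporary webroot, the thumbprint suffix and the 127.0.0.1 URLs are constructed for the demo.

```python
import functools
import http.server
import os
import secrets
import tempfile
import threading
import urllib.error
import urllib.request


def place_token(webroot: str) -> tuple:
    """Mimic certbot's webroot plugin: write <webroot>/.well-known/acme-challenge/<token>.

    A real key authorization is "<token>.<account JWK thumbprint>"; the thumbprint
    here is a constructed placeholder, since only the HTTP round trip is checked.
    """
    token = secrets.token_urlsafe(32)
    expected = token + ".CONSTRUCTED-THUMBPRINT"
    challenge_dir = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(challenge_dir, exist_ok=True)
    with open(os.path.join(challenge_dir, token), "w", encoding="ascii") as fh:
        fh.write(expected)
    return token, expected


def check_http01(base_url: str, token: str, expected: str, timeout: float = 5.0) -> dict:
    """Fetch the challenge URL the way the CA does and classify what came back."""
    url = f"{base_url}/.well-known/acme-challenge/{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, raw = resp.status, resp.read(4096)
    except urllib.error.HTTPError as err:       # 4xx/5xx: still read the body for the report
        status, raw = err.code, err.read(4096)
    except (urllib.error.URLError, OSError) as err:
        return {"url": url, "ok": False, "reason": f"connection failed: {err}"}
    body = raw.decode("utf-8", errors="replace").strip()
    if body == expected:
        return {"url": url, "ok": True, "reason": "key authorization served"}
    if body.lower().startswith(("<!doctype", "<html")):
        # the symptom from the log: the request never reached the challenge webroot
        return {"url": url, "ok": False,
                "reason": f"HTTP {status}: got an HTML page instead of the token "
                          "(request answered by a different vhost or webroot)"}
    return {"url": url, "ok": False, "reason": f"HTTP {status}: unexpected body {body[:40]!r}"}


class QuietFiles(http.server.SimpleHTTPRequestHandler):
    """Serves a directory (the correct webroot) without console noise."""

    def log_message(self, *args):
        pass


class DefaultPage(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for a vhost that answers every path with its default page."""

    PAGE = (b'<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" '
            b'"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">\n'
            b"<html><body>It works!</body></html>\n")

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(self.PAGE)))
        self.end_headers()
        self.wfile.write(self.PAGE)

    def log_message(self, *args):
        pass


def serve(handler) -> str:
    """Start a throwaway local HTTP server in a daemon thread; return its base URL."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{srv.server_address[1]}"


def demo() -> tuple:
    """Run the check against the right webroot and against a catch-all default page."""
    webroot = tempfile.mkdtemp(prefix="acme-webroot-")
    token, expected = place_token(webroot)
    good = check_http01(serve(functools.partial(QuietFiles, directory=webroot)), token, expected)
    bad = check_http01(serve(DefaultPage), token, expected)
    return good, bad


if __name__ == "__main__":
    for result in demo():
        print("OK  " if result["ok"] else "FAIL", result["url"], "->", result["reason"])
```

Against a real server, call place_token() with the webroot the ACME client writes to and check_http01() with the public http:// URL of the domain; a "got an HTML page" result means the name is answered by a vhost that does not map /.well-known/acme-challenge to that webroot, which is exactly what the CA reported in the log.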
  2. muelli75

    muelli75 Member HowtoForge Supporter

    Hi!

    Here is further information for this thread:
    If I do
    curl -k https://FQDN.at:443
    from another Debian server, the result is
    curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

    So I checked http://www.FQDN.at:443 (please note the missing S) in Firefox, and I got the default Apache page (not the default ISPC page).
    If I check https://www.FQDN.at, I get as answer "ERR_SSL_PROTOCOL_ERROR" (Chrome) or "SSL_ERROR_RX_RECORD_TOO_LONG" (Firefox). Some hints around the web say that apache2 is not listening on port 443.

    But
    netstat -anp|grep 443
    tcp6 0 0 :::443 :::* LISTEN 30851/apache2
    unix 3 [ ] STREAM CONNECTED 3002443 1756/master
    says that apache2 does listen.

    If I try to telnet from another machine to FQDN.at, I am able to connect on 443:

    telnet FQDN.at 443
    Trying 136.XXX.9.XXX...
    Connected to FQDN.at.
    Escape character is '^]'.
    connection.info
    HTTP/1.1 400 Bad Request
    Date: Sun, 05 Mar 2017 10:51:29 GMT
    Server: Apache/2.4.10 (Debian)
    Content-Length: 316
    Connection: close
    Content-Type: text/html; charset=iso-8859-1
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>400 Bad Request</title>
    </head><body>
    <h1>Bad Request</h1>
    <p>Your browser sent a request that this server could not understand.<br />
    </p>
    <hr>
    <address>Apache/2.4.10 (Debian) Server at monarch.XXXX.at Port 80</address>
    </body></html>
    Connection closed by foreign host.

    Looking in /etc/apache2/error.log, there are some errors:

    [Sun Mar 05 11:17:07.596204 2017] [ssl:warn] [pid 30851] AH01906: monarch.XXX.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)

    [Sun Mar 05 11:17:07.596240 2017] [ssl:error] [pid 30851] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=monarch.XXXX.at,O=XXXX,L=Wiener Neustadt,ST=NOE,C=AT / issuer: CN=monarch.XXX.at,O=XXXX,L=Wiener Neustadt,ST=NOE,C=AT / serial: A00BCDDD9B2AE815 / notbefore: Feb 26 15:57:41 2017 GMT / notafter: Feb 24 15:57:41 2027 GMT]

    [Sun Mar 05 11:17:07.596243 2017] [ssl:error] [pid 30851] AH02567: Unable to configure certificate monarch.XXXX.at:8080:0 for stapling

    Any ideas about these SSL issues? Thanks for any hints!

    Martin
     
    Last edited: Mar 17, 2017
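The curl, browser and telnet results in the post above all point the same way: port 443 accepts connections but answers in plain HTTP. That is what curl's "unknown protocol", Chrome's ERR_SSL_PROTOCOL_ERROR and Firefox's SSL_ERROR_RX_RECORD_TOO_LONG mean: the bytes that came back are not a TLS record, so the client cannot even read a record length from them. The probe below is an added example, not from this thread, that automates the same three-step diagnosis: attempt a real TLS handshake, and if no TLS record comes back, talk plain HTTP to the same port to confirm a plaintext listener. So that it runs offline it includes a constructed local listener that imitates the misconfigured vhost by replying with a plaintext 400 to everything, ClientHello included; the reply text, the helper names and the 127.0.0.1 addresses are assumptions made for the demo.

```python
import socket
import ssl
import threading

# Constructed: the plaintext reply a non-SSL Apache vhost bound to :443 gives to
# anything it cannot parse, including a TLS ClientHello (cf. the telnet session).
PLAINTEXT_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: Apache/2.4.10 (Debian)\r\n"
    b"Connection: close\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def classify_port(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'tls', 'plaintext-http', 'closed' or 'unknown' for host:port.

    Step 1 is a real TLS handshake (certificate deliberately not verified: the
    question is only whether TLS is spoken at all).  If the peer answers with
    bytes that are not a TLS record, OpenSSL raises an ssl.SSLError such as
    "wrong version number", the same failure curl reported in the thread.
    Step 2 then speaks plain HTTP to the same port to confirm a plaintext listener.
    'closed' covers both connection refused and a connect timeout.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)
    except OSError:            # ssl.SSLError or a timeout: no TLS record came back
        pass                   # (the failed SSLSocket has already closed `raw`)
    else:
        tls.close()
        return "tls"
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            reply = sock.recv(64)
    except OSError:
        return "unknown"
    return "plaintext-http" if reply.startswith(b"HTTP/1.") else "unknown"


def start_plaintext_listener() -> int:
    """Constructed stand-in for the misconfigured port: accepts on 127.0.0.1, reads
    whatever arrives and always replies with PLAINTEXT_400.  Returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.settimeout(2.0)
                try:
                    conn.recv(4096)              # the HEAD request or the ClientHello; ignored
                    conn.sendall(PLAINTEXT_400)
                    while conn.recv(4096):       # let the client hang up first (FIN, not RST)
                        pass
                except OSError:
                    pass

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


def free_port() -> int:
    """A port nobody is listening on (bind an ephemeral port, then release it)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    listening = start_plaintext_listener()
    unused = free_port()
    print(f"127.0.0.1:{listening} ->", classify_port("127.0.0.1", listening))  # plaintext-http
    print(f"127.0.0.1:{unused} ->", classify_port("127.0.0.1", unused))        # closed
```

Against a real host, classify_port("FQDN.at", 443) returning "plaintext-http" confirms the netstat and telnet picture from the post: something is bound to 443, but it is not a TLS endpoint, so the ACME client and every browser will fail at the handshake no matter which certificate is configured.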
  3. muelli75

    muelli75 Member HowtoForge Supporter

    OK, it took hours, but it's so simple:
    apt-get install python-certbot-apache
    did the job.

    I only installed 'python-certbot', so some of the LE scripts did their job but finally failed.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I'm a little curious here... I don't install python-certbot-apache, only python-certbot, and recommend the same to others. I've not had a problem with that.
     