Hi! I'm trying to set up a new environment (Debian Jessie) for multi-domain hosting. The base is done, now it's time to set up ISPConfig 3.1.2. The basics are done, but now I try to use Let's Encrypt, and this runs into troubles.

The software:

letsencrypt:all/jessie-backports 0.9.3-1~bpo8+2 uptodate
letsencrypt.sh:all/jessie-backports 0.3.1-3~bpo8+1 uptodate
letsencrypt.sh-apache2:all/jessie-backports 0.3.1-3~bpo8+1 uptodate
certbot:all/jessie-backports 0.9.3-1~bpo8+2 uptodate
python-certbot:all/jessie-backports 0.9.3-1~bpo8+2 uptodate

If I try to install a certificate on a domain, it fails. Here are the last lines of /var/log/letsencrypt/letsencrypt.log (the domain name is replaced by FQDN, the IP is replaced by 0.0.0.0 - both values are correct in the original log; www is replaced by 3timesW because of forum limitations):

-------------
2017-03-04 15:13:07,951:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1837', 'Expires': 'Sat, 04 Mar 2017 15:13:07 GMT', 'Boulder-Request-Id': '2_L56uXxlksQUmrxwCej2NfIMeaPsx3kV0q9KGIiT2U', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Link': '<acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Sat, 04 Mar 2017 15:13:07 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': '9K-N1NiCyNcTMpb1P0dEi9RTyP-yQ8qVFzSlJvkf-30'}): '{\n "identifier": {\n "type": "dns",\n "value": "FQDN.at"\n },\n "status": "invalid",\n "expires": "2017-03-11T15:13:03Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490150",\n "token": "JrpnPQ032WsNKv-8SGd5DlWd8-_jGtPyYwTzY1zt_hc"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490151",\n "token": "y0kf9J4DnXDbwr0daI49PXUvyVbJ3bb4_X8iBLVc4Ww"\n },\n {\n "type": "http-01",\n "status": "invalid",\n "error": {\n "type": "urn:acme:error:unauthorized",\n "detail": "Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: \\"\\u003c!DOCTYPE html PUBLIC \\"-//W3C//DTD XHTML 1.0 Transitional//EN\\"\\n \\"3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\\"\\u003e\\n\\u003cht\\"",\n "status": 403\n },\n "uri": "acme-v01.api.letsencrypt.org/acme/challenge/Cb17zIdOtkpi7fQNwc0RjAy8D1ZdVgyEwNRkNGod_5I/741490152",\n "token": "Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw",\n "keyAuthorization": "Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw.fdbOPairyNMFtrUe2okKB8okxfEZoY7ZTF3cfVcJqy8",\n "validationRecord": [\n {\n "url": "FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw",\n "hostname": "FQDN.at",\n "port": "80",\n "addressesResolved": [\n "0.0.0.0"\n ],\n "addressUsed": "0.0.0.0"\n }\n ]\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
2017-03-04 15:13:07,952:DEBUG:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: 3timesWFQDN.at
Type: unauthorized
Detail: Invalid response from 3timesWFQDN.at/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
Domain: FQDN.at
Type: unauthorized
Detail: Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2017-03-04 15:13:07,952:INFO:certbot.auth_handler:Cleaning up challenges
2017-03-04 15:13:07,952:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw
2017-03-04 15:13:07,952:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M
2017-03-04 15:13:07,953:INFO:certbot.plugins.webroot:Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2017-03-04 15:13:07,953:DEBUG:certbot.plugins.webroot:Error was: [Errno 39] Directory not empty: '/usr/local/ispconfig/interface/acme/.well-known/acme-challenge'
2017-03-04 15:13:07,954:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 9, in <module>
    load_entry_point('certbot==0.9.3', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 776, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 563, in obtain_cert
    action, _ = _auth_from_domains(le_client, config, domains, lineage)
  File "/usr/lib/python2.7/dist-packages/certbot/main.py", line 100, in _auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 281, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python2.7/dist-packages/certbot/client.py", line 253, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 78, in get_authorizations
    self._respond(resp, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 135, in _respond
    self._poll_challenges(chall_update, best_effort)
  File "/usr/lib/python2.7/dist-packages/certbot/auth_handler.py", line 199, in _poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. 3timesWFQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from 3timesWFQDN.at/.well-known/acme-challenge/aYgYSWx9dHWMS5XUXTqpOWyTZVIejsLWvwZ860igl7M: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht", FQDN.at (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from FQDN.at/.well-known/acme-challenge/Iv_iXgUy6uFuIrw4GDplRv-q6BIKfbxuBnm13PYV7Hw: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "3timesWw3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <ht"
-------------

Another strange thing is found in /var/log/apache2/error.log. Maybe these things have something in common.

---------
[Sat Mar 04 16:13:09.387850 2017] [:error] [pid 17655] python_init: Python version mismatch, expected '2.7.5+', found '2.7.9'.
[Sat Mar 04 16:13:09.387899 2017] [:error] [pid 17655] python_init: Python executable found '/usr/bin/python'.
[Sat Mar 04 16:13:09.387901 2017] [:error] [pid 17655] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload'.
[Sat Mar 04 16:13:09.387911 2017] [:notice] [pid 17655] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Sat Mar 04 16:13:09.387913 2017] [:notice] [pid 17655] mod_python: using mutex_directory /tmp
[Sat Mar 04 16:13:09.393183 2017] [ssl:warn] [pid 17655] AH01906: monarch.FQDN2.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sat Mar 04 16:13:09.393221 2017] [ssl:error] [pid 17655] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=monarch.FQDN2.at,O=XXX,L=Wiener Neustadt,ST=NOE,C=AT / issuer: CN=monarch.FQDN2.at,O=XXX,L=Wiener Neustadt,ST=NOE,C=AT / serial: A00BCDDD9B2AE815 / notbefore: Feb 26 15:57:41 2017 GMT / notafter: Feb 24 15:57:41 2027 GMT]
[Sat Mar 04 16:13:09.393223 2017] [ssl:error] [pid 17655] AH02567: Unable to configure certificate monarch.FQDN2.at:8080:0 for stapling
[Sat Mar 04 16:13:09.395829 2017] [mpm_prefork:notice] [pid 17655] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 mod_python/3.3.1 Python/2.7.9 OpenSSL/1.0.1t configured -- resuming normal operations
[Sat Mar 04 16:13:09.395842 2017] [core:notice] [pid 17655] AH00094: Command line: '/usr/sbin/apache2'
---

Thank you for taking time to read this and thanks for all your answers.

Best regards,
martin
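The failure in the log above is an http-01 challenge whose validation fetch got an HTML 403 page instead of the token file, which means the request for /.well-known/acme-challenge/... was routed to an ordinary vhost and not to the webroot the ACME client writes into. The following pre-flight check is an added example, not code from this thread, from certbot or from ISPConfig: it writes a random probe file into a given webroot, fetches it over plain HTTP the way the ACME server does, and classifies the reply so the misrouting is visible before certbot is run. Python 3 is assumed; the domain and webroot are whatever the operator passes in (the log shows /usr/local/ispconfig/interface/acme as the webroot on this setup).

```python
"""Pre-flight check for a Let's Encrypt http-01 webroot.

Added example, not code from this thread, from certbot or from ISPConfig.
It mimics what the ACME server does in the log above: fetch
http://<domain>/.well-known/acme-challenge/<token> over plain HTTP and
look at what comes back. An HTML document (the 403 page in the log) means
the request was routed to a normal vhost, not to the challenge webroot,
so certbot will fail the same way. Python 3 is assumed.
"""
import os
import secrets
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"


def classify_reply(expected: str, status: int, body: bytes) -> str:
    """Classify an HTTP reply to a challenge URL.

    "ok"          200 and the body is exactly the token file we wrote
    "html-page"   an HTML document came back (any status): the vhost served
                  a site/error page, not the challenge directory
    "wrong-body"  200 but other content (stale file, rewrite rule, proxy)
    "http-<n>"    any other non-200 status
    """
    head = body.lstrip()[:64].lower()
    if head.startswith(b"<!doctype") or head.startswith(b"<html"):
        return "html-page"
    if status != 200:
        return "http-%d" % status
    if body.strip() == expected.encode():
        return "ok"
    return "wrong-body"


def preflight(domain: str, webroot: str, timeout: float = 10.0) -> str:
    """Drop a random probe file into the webroot and fetch it via the domain.

    Network-dependent, so the offline test does not call it. The probe file
    is removed afterwards. 'webroot' is whatever the ACME client is
    configured with; for ISPConfig the log above shows
    /usr/local/ispconfig/interface/acme.
    """
    token = secrets.token_urlsafe(32)
    chall_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chall_dir, exist_ok=True)
    probe_path = os.path.join(chall_dir, token)
    with open(probe_path, "w") as fh:
        fh.write(token)
    try:
        url = "http://%s/%s/%s" % (domain, CHALLENGE_DIR, token)
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return classify_reply(token, resp.status, resp.read())
        except urllib.error.HTTPError as err:
            # 4xx/5xx replies still carry a body; classify it like the
            # ACME server would (the log shows a 403 with an HTML body)
            return classify_reply(token, err.code, err.read())
    finally:
        os.remove(probe_path)


if __name__ == "__main__":
    import sys
    # usage: python3 preflight.py example.test /var/www/example/web
    print(preflight(sys.argv[1], sys.argv[2]))
```

Run it for each name that will go on the certificate (here both the bare domain and the www name failed), since a vhost that is only reachable under one of them produces exactly the "html-page" result for the other.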
Hi! Here is further information for this thread:

If I do curl -k https://FQDN.at:443 from another Debian server, the result is

curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

So I checked http://www.FQDN.at:443 (please note the missing S) in Firefox - and I got the default Apache page (not the default ISPC page). If I check https://www.FQDN.at, I get as answer "ERR_SSL_PROTOCOL_ERROR" (Chrome) or "SSL_ERROR_RX_RECORD_TOO_LONG" (Firefox).

Some hints around the web tell that apache2 is not listening on port 443. But

netstat -anp|grep 443
tcp6 0 0 :::443 :::* LISTEN 30851/apache2
unix 3 [ ] STREAM CONNECTED 3002443 1756/master

says that apache2 will do. If I try to telnet from another machine to FQDN.at, I am able to connect on 443:

telnet FQDN.at 443
Trying 136.XXX.9.XXX...
Connected to FQDN.at.
Escape character is '^]'.
connection.info
HTTP/1.1 400 Bad Request
Date: Sun, 05 Mar 2017 10:51:29 GMT
Server: Apache/2.4.10 (Debian)
Content-Length: 316
Connection: close
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>400 Bad Request</title>
</head><body>
<h1>Bad Request</h1>
<p>Your browser sent a request that this server could not understand.<br />
</p>
<hr>
<address>Apache/2.4.10 (Debian) Server at monarch.XXXX.at Port 80</address>
</body></html>
Connection closed by foreign host.

Looking in /etc/apache2/error.log, there are some errors:

[Sun Mar 05 11:17:07.596204 2017] [ssl:warn] [pid 30851] AH01906: monarch.XXX.at:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Sun Mar 05 11:17:07.596240 2017] [ssl:error] [pid 30851] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: CN=monarch.XXXX.at,O=XXXX,L=Wiener Neustadt,ST=NOE,C=AT / issuer: CN=monarch.XXX.at,O=XXXX,L=Wiener Neustadt,ST=NOE,C=AT / serial: A00BCDDD9B2AE815 / notbefore: Feb 26 15:57:41 2017 GMT / notafter: Feb 24 15:57:41 2027 GMT]
[Sun Mar 05 11:17:07.596243 2017] [ssl:error] [pid 30851] AH02567: Unable to configure certificate monarch.XXXX.at:8080:0 for stapling

Any ideas about these SSL issues? Thanks for any hints!

Martin
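The three client errors quoted in this post (curl's "unknown protocol", Chrome's ERR_SSL_PROTOCOL_ERROR, Firefox's SSL_ERROR_RX_RECORD_TOO_LONG) and the telnet session all point at the same condition: something on port 443 accepts the connection but answers a TLS ClientHello with plain HTTP, which is what a vhost bound to 443 without TLS enabled does. The script below is an added example, not code from this thread or from Apache: it builds a minimal ClientHello by hand, sends it, and classifies the first bytes that come back, so the "plain HTTP on a TLS port" case is distinguished from a real TLS answer and from a closed port. Python 3 is assumed, and the host and port are whatever the operator passes on the command line.

```python
"""Tell a TLS-speaking port apart from a plain-HTTP port.

Added example, not code from this thread or from Apache. curl's
"SSL23_GET_SERVER_HELLO:unknown protocol", Chrome's ERR_SSL_PROTOCOL_ERROR
and Firefox's SSL_ERROR_RX_RECORD_TOO_LONG above all say the same thing:
the client sent a TLS ClientHello and got back bytes that are not a TLS
record, typically an HTTP "400 Bad Request" from a vhost on port 443 that
has no SSLEngine on. A minimal ClientHello is sent by hand so the raw
answer can be inspected. Python 3 is assumed.
"""
import os
import socket

TLS_ALERT = 0x15
TLS_HANDSHAKE = 0x16


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello with one SNI extension and two cipher
    suites (TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_128_CBC_SHA).
    It only has to provoke a reply; a strict server may answer with an
    alert, which still proves the port speaks TLS."""
    name = server_name.encode("idna")
    sni_entry = b"\x00" + len(name).to_bytes(2, "big") + name
    sni_list = len(sni_entry).to_bytes(2, "big") + sni_entry
    sni_ext = b"\x00\x00" + len(sni_list).to_bytes(2, "big") + sni_list
    extensions = len(sni_ext).to_bytes(2, "big") + sni_ext
    body = (b"\x03\x03" + os.urandom(32)          # client_version, random
            + b"\x00"                             # empty session id
            + b"\x00\x04\xc0\x2f\x00\x2f"         # cipher suites
            + b"\x01\x00"                         # compression: null only
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(handshake).to_bytes(2, "big") + handshake


def classify_server_bytes(data: bytes) -> str:
    """Classify the first bytes a server returns after our ClientHello."""
    if not data:
        return "empty"
    if len(data) >= 3 and data[1] == 0x03:
        if data[0] == TLS_HANDSHAKE:
            return "tls"            # ServerHello: the port speaks TLS
        if data[0] == TLS_ALERT:
            return "tls-alert"      # TLS, but our hello was rejected
    if data.startswith(b"HTTP/"):
        return "plain-http"         # the symptom in this thread
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Network probe (not called by the offline test)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(host))
        try:
            data = sock.recv(16)
        except socket.timeout:
            # A TLS server answers at once. A plain-HTTP server is still
            # waiting for the end of a "request line" (the telnet session
            # above only got its 400 after a line was typed), so finish
            # the line and read what it then produces.
            sock.sendall(b"\r\n\r\n")
            try:
                data = sock.recv(16)
            except socket.timeout:
                data = b""
    return classify_server_bytes(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443))
```

A "plain-http" result means the listener is fine and the vhost configuration for that port is what needs checking; "tls-alert" means TLS is on but this bare hello was refused, which is enough to rule out the symptom in this thread.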
OK - it took hours, but it's so simple: apt-get install python-certbot-apache did the job. I only installed 'python-certbot', so some of the LE scripts did their job but failed finally.
I'm a little curious here... I don't install python-certbot-apache, only python-certbot, and recommend the same to others. I've not had a problem with that.