LetsEncrypt not working on fresh install

Discussion in 'Installation/Configuration' started by labsy, Jun 26, 2017.

Thread Status:
Not open for further replies.
  1. labsy

    labsy Member

    Hi,
    I am following this manual https://www.howtoforge.com/tutorial/perfect-server-ubuntu-with-nginx-and-ispconfig-3/2/#comments to install new web server. Everytinhg else working fine, except of Let's Encrypt. It is shown checkbox in ISPConfig, but after Enabling it for any site, it does - nothing. Also checkbox does not stay checked.
    Is there anytihng else to be done with Ubuntu 16.04 + NGINX except of this?
    Code:
    apt-get -y install letsencrypt
    In /var/log/letsencrypt/letsencrypt.log I find only this:
    Code:
    2017-06-26 01:00:08,715:DEBUG:letsencrypt.cli:Root logging level set at 30
    2017-06-26 01:00:08,716:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2017-06-26 01:00:08,717:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
    2017-06-26 01:00:08,717:DEBUG:letsencrypt.cli:Arguments: ['-n']
    2017-06-26 01:00:08,717:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
    2017-06-26 01:00:08,717:DEBUG:letsencrypt.cli:no renewal failures
    
     
    Last edited: Jun 26, 2017
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No.

    Ensure that you create the website first, save it, and then enable letsencrypt. The site must exist already for letsencrypt to verify the domain name. And all domain names of the site must be pointing to this server already in DNS as Letsencrypt and ispconfig are trying to reach them before the SSL cert gets generated.
     
  3. labsy

    labsy Member

    Hmmm...well, DNS for website is definitelly pointing to this server. Server is behind NAT, ports 80 and 443 are NAT-ed to proper LAN IP and website is publically available via both HTTP and HTTPS protocols.
    Maybe the culpit would be OUTBOUND NAT (masquerade), because from LAN to WAN by default firewall is NOT using the same WAN IP as for incoming NAT. Outgoing by default goes through firewall's WAN IP say x.x.x.131, while website incoming NAT is using x.x.x.133 IP for 80 and 443. Might that be a problem?
    So to pair WAN IP addresses I would need to know which destination port does Let's Encrypt use to comunicate outbound, so I can create proper outhoing NAT rule.

    ***EDIT***
    I added outbound NAT rule to use the same outbound public IP as for inbound NAT, but still letsencrypt does nothing via ISPConfig.
     
    Last edited: Jun 26, 2017
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Ensure that you have ISPConfig 3.1.4 installed, in that version you can disable the letsencrypt check under system > server config. This disables the tests in ISPConfig if the domain points to the right server. But you have to ensure manually then that all domains and subdomains of a site exist and are reachable on port 80 from outside before you enable LE as the whole cert will fail if one of the domains or subdomains of the site fails.
     
  5. labsy

    labsy Member

    Thanx, Till, but I've tried disabling Let's Encrypt check too, but at no avail. The checkbox for Let's Encrypt under Web Site now stays CHECKED, but SSL is still not working.
    BTW...the https://www.problemsite.com does NOT point to the same page as http://www.problemsite.com, but rather to "default" HTTPS site.
     
    Last edited: Jun 26, 2017
  6. MITDK

    MITDK New Member

    Just updated from 3.0.X to 3.1.4
    There's no "LetsEncrypt" at System -> Server Config
    It's visible on sites -> website -> domain. But when enabling it, it gets disabled afterwards (checkmark). Suggestions?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Letsenycrpt is in the website settungs. Under system > server config is an option to disable the letsencrypt check. And when you used ISPConfig 3.0.5 before, then you probably don't have certbot installed yet which is required to get letsencrypt SSL certs.
     
  8. MITDK

    MITDK New Member

    I did the following:
    apt-get install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt-get update
    apt-get install python-certbot-apache
    certbot --apache certonly
    Applied HTTPS for 1 website only

    Still no LetsEncrypt under System -> Server config
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    As I wrote above, the checkbox to enable lets encrypt is in the website settings (sites). This thread here is about a specific problem from @labsy about Let's encrypt in NAT environments, so please do not hijack this thread with a completely different topic. There is also a sticky thread in the forum with a FAQ to debug letsencrypt issues.
     
  10. labsy

    labsy Member

    Till, thank you for following up.
    Well, I read a lot of your and other threads, so I did not install ANYTHING else regarding Let's Encrypt, except of:
    Code:
    apt-get install letsencypt
    on fresh install. This is actually the 3rd installation of Ubuntu 16.04 + Nginx + MariaDB as per tutorial from initial link. What was different in all my installs is that I DID NOT install Dovecot, Mailman and other mail-related features. Everything else is there. But NONE of those 3 fresh installs is working in regards to LetsEncrypt?!
    /etc/letsencrypt is empty. Is this OK?

    ...but WAIT, something happened BY ITSELF today! Here's the LOG:
    /var/log/letsnecrypt/letsencrypt.log growed significantly and /etc/letsencrypt is not empty anymore!
    Code:
    2017-06-26 08:59:11,888:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '1174', 'Expires': 'Mon, 26 Jun 2017 08:59:11 GMT', 'Boulder-Request-Id': 'NIE3-Gyfy6092QCO9Qi80nZxVSYS16jR4ZjD9hT-yqc', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Mon, 26 Jun 2017 08:59:11 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/pkix-cert', 'Replay-Nonce': 'OuYJeOxetvz46zc54z54ctG9SSPZ2wkwBN9tSf2o'}): '0\x82............\n\x13\rLet\'s Encrypt1#0!\x06\x03U\x04\x03\x13\x1aLet\'s Encrypt Authority X30\x82\x01"0\r\x0............\x01\x86&http://isrg.trustid.ocsp.identrust.com0;\x06\x08+\x06\x01\x05\x05\x070\x02\x86/http://apps.identrust.com/roots/dstrootcax3.p7c0\x1f\x06\x03U\x1d#\x04\x180...........2\x01\x16"http://cps.root-x1.letsencrypt.org0<\x06\x03U\..........\xa0/\xa0-\x86+http://crl.identrust.com/DSTROOTCAX3CRL.crl0\x1d\x06\x0....... .......c34[\xb4B'
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Creating directory /etc/letsencrypt/archive.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Creating directory /etc/letsencrypt/live.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Archive directory /etc/letsencrypt/archive/domain.com and live directory /etc/letsencrypt/live/domain.com created.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Writing certificate to /etc/letsencrypt/live/domain.com/cert.pem.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Writing private key to /etc/letsencrypt/live/domain.com/privkey.pem.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Writing chain to /etc/letsencrypt/live/domain.com/chain.pem.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Writing full chain to /etc/letsencrypt/live/domain.com/fullchain.pem.
    2017-06-26 08:59:11,899:DEBUG:letsencrypt.storage:Writing new config /etc/letsencrypt/renewal/domain.com.conf.
    2017-06-26 08:59:11,901:INFO:letsencrypt.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/domain.com/fullchain.pem. Your cert will expire on 2017-09-24. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
    2017-06-26 08:59:11,901:INFO:letsencrypt.reporter:Reporting to user: If you like Let's Encrypt, please consider supporting our work by:
    
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le
    
    Now it's getting weird:
    - Certificate obviously did get created somehow....maybe by itself, cron?
    - Now when I do under Web Site --> SSL = OFF, Letsencrypt=OFF, then once again both to ON... now HTTPS is working!
    - but under Web Site --> Letsencrypt checkbox is OFF

    ***EDIT***
    The only thing I changed was assign Web Site from customer = <EMPTY> to real, defined customer. This obviously did some magic in background.
     
    Last edited: Jun 26, 2017
    ahrasis likes this.
  11. labsy

    labsy Member

    Doh...upgraded to latest ISPConfig and the issue is still present - simply cannot engage Let's Encrypt. Out of 4 web sites on this server, I managed to get LetsEncrypt functional only on 1 site, the other 3 simply refuse to cooperate with LetsEncrypt.
    Any idea how to troubleshoot?
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  13. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    till and labsy like this.
  14. labsy

    labsy Member

    Jesse, brilliant! I have server behind NAT and "Skip Letsencrypt check" under SSL settings of server WEB service config did the job! Thank you!
    BTW...now I see Till also mentioned this setting few posts ago, but I missed that.
     
    Last edited: Sep 7, 2017
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    That's a good idea. I've added it to the FAQ.
     
    ahrasis likes this.
  16. Hi,
    I am using ver 3.2 with 20.4LTS. I am stack. It is showing SSL error. I can see certbot is working and certificates were created but those are not in apache config. Please help.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

Thread Status:
Not open for further replies.

Share This Page