LetsEncrypt when there is no access to DNS

Discussion in 'General' started by thisiszeev, Jun 10, 2022.

  1. thisiszeev

    thisiszeev Member HowtoForge Supporter

    I have a client who has his domain hosted by another company as they give him a complete Office365 solution. However, he has them pointing his domain athena.co.za with www.athena.co.za to my server for the website, as the other company doesn't know how to work with Wordpress.

    I am trying to get SSL going and I have backed up his Wordpress to a local machine and nuked the account to start again.

    Running certbot locally I used --manual -d athena.co.za and it tells me to place a string in /.well-known/acme-challenge/string
    I created the folder and subfolder and, using nano, I placed the string inside the file with the string name.
    certbot fails.

    So I created a file index.html using echo "Test" > index.html and guess what, it says Error 404 when I try to access it via my browser?

    http://athena.co.za/.well-known/acme-challenge/index.html

    Here is the corresponding entry in error.log

    [Fri Jun 10 15:45:59.776666 2022] [autoindex:error] [pid 446931:tid 140451201906432] [client 165.255.239.88:54628] AH01276: Cannot serve directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/: No matching DirectoryIndex (index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm,index.html,index.cgi,index.pl,index.php,index.xhtml,index.htm,standard_index.html) found, and server-generated directory index forbidden by Options directive
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    1) There is no DNS access required for getting a Let's Encrypt certificate on an ISPConfig system. All domains and subdomains that shall get an LE cert just have to point to the system in public DNS with DNS A records. So the setup of your client is perfectly fine.
    2) Never use certbot manually on an ISPConfig server; it breaks the setup of the site and might even destroy the vhost config file, so don't do that if you wish to have a working system.
    3) Never create a /.well-known/acme-challenge/ folder in the site; if you do so, then issuing of Let's Encrypt certs must fail.
    4) "So created a file index.html using echo "Test" > index.html and guess what, it says Error 404 when I try access it via my browser?" That's to be expected and no indication of an error; this must happen due to the mistakes in points 2 and 3.

    So now, let's fix your setup first and then issue a LE cert in the right way.

    1) Delete the folder .well-known and the subfolders that you created. Thankfully certbot failed at an early stage on its own, so it was not able to break your system and you don't have to restore and fix it.
    2) To issue a Let's Encrypt SSL cert on an ISPConfig server, all you have to do is enable the Let's Encrypt and SSL checkboxes in the settings of that website and press save.

    In case the Let's Encrypt checkbox gets unticked after about a minute, follow each step from this page until you know why the checkbox was unticked. https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  3. thisiszeev

    thisiszeev Member HowtoForge Supporter

    Hi Till
    Thanks for the reply... I am fully aware running certbot could mess with vhosts etc. I ran it on a local machine here at my place which is not used for hosting anything. I had a few domains where the DNS was external, and I used that process to create TXT records to place in the zones at the DNS host.

    This client however, I don't have any access to the DNS zones at all.

    I found that the Let's Encrypt checkbox only uses the DNS zone challenge method, so when the DNS is remote it fails. So for the other domains, I ran certbot on a local machine here at my place, generated the TXT record and placed it in the remote DNS zones, completed the challenge and then copy-pasted the relevant certs and keys into the SSL section with only SSL selected under Site Settings.

    The issue here is not only is the DNS remote from the server, I have no access to it. The guys that run it are not comfortable adding records I give them "for security reasons".

    Let me read through the FAQ and see what I can come up with. I will remove the .well.... folder in the meantime


    Footnote: certbot is not even installed on the production server. I didn't want to have it there and accidentally do something stupid... like once before, when I was meant to rm -R * in the web folder but did it in the folder above that, so it killed logs, SSL, web and everything else that goes with it. I wanted to smash my head into the keyboard, but I remembered it was attached to my laptop and my laptop was expensive, so I downed a glass of wine instead.
     
  4. thisiszeev

    thisiszeev Member HowtoForge Supporter

    Hi Till
    Okay, I followed your instructions, which is what I had tried when I had domains on remote zones that I had access to. It failed in the past, but it worked now, thanks.
    Now I have a new problem: when I access https://www.athena.co.za it goes to https://billing.3volve.net.za
    I have configured no redirects, and I ran certbot on a separate machine. Where can I check to see why that is happening?
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig never uses the DNS challenge; it always uses the HTTP challenge, and that's why DNS access is not required. All you need is that the domains point to the server, and you wrote yourself that this is the case.

    That's perfectly fine, as I mentioned in my first answer: there is no access to DNS needed when using ISPConfig to get a Let's Encrypt cert.

    As you host the system at home, the most likely reason for failing LE is that your router blocks the test access that ISPConfig is doing, so you must enable the 'Skip Let's Encrypt check' option. But the FAQ explains this.

    Not having an LE client on a production system makes no sense at all to me, as LE certs have a short expiration period and renewing works flawlessly. When using LE in ISPConfig, certbot is not editing any config files anyway. All production systems that use LE certs should have an LE client installed; current ISPConfig systems use acme.sh though and not certbot, but both will work.
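The two conditions till describes (every name resolves to the server that will answer, and a plain-HTTP GET of /.well-known/acme-challenge/<token> returns the key authorization) can be checked before a CA ever sees the request. The script below is an added example and not ISPConfig's, acme.sh's or certbot's own code. The account key, token and server address (a documentation-range IP) are constructed, and the DNS resolver and HTTP fetcher are injectable so the logic runs offline here and against real DNS/HTTP when you pass the default functions.

```python
"""Pre-flight checks for an ACME http-01 challenge (RFC 8555 section 8.3).

The CA resolves the name, fetches http://<name>/.well-known/acme-challenge/<token>
and expects the body "<token>.<JWK thumbprint of the account key>".
"""
import base64
import hashlib
import json
import socket
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed account key (deliberately not a real RSA key, "n" is far too short),
# constructed token and a documentation-range IP standing in for the hosting server.
SAMPLE_JWK = {"kty": "RSA", "n": "u5E3kM9LZ1Pn0vqX7d8y2wTf3aBcDeFgHiJkLmNoPq", "e": "AQAB"}
SAMPLE_TOKEN = "q1w2e3r4t5y6u7i8o9p0A1S2D3F4G5H6J7K8L9Z0X1C2"
SERVER_IPS = {"203.0.113.10"}


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the required members only, keys sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """The exact body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def resolve_a_records(domain: str) -> set:
    """Default resolver: every IPv4 address published for the name."""
    return set(socket.gethostbyname_ex(domain)[2])


def fetch_text(url: str) -> str:
    """Default fetcher: plain HTTP GET, as the CA's first request is always http://, not https://."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


def dns_problems(domain: str, server_ips: set, resolve=resolve_a_records) -> list:
    """http-01 needs no DNS *write* access; it only needs the A records to point here."""
    try:
        answers = set(resolve(domain))
    except OSError as exc:
        return [f"{domain}: DNS lookup failed ({exc})"]
    if not answers:
        return [f"{domain}: no A record"]
    stray = answers - set(server_ips)
    if stray:
        return [f"{domain}: A record(s) {sorted(stray)} do not point at this server {sorted(server_ips)}"]
    return []


def http_problems(domain: str, token: str, jwk: dict, fetch=fetch_text) -> list:
    """Do what the CA does: GET the challenge URL and compare the body with the key authorization."""
    url = f"http://{domain}{CHALLENGE_PREFIX}{token}"
    expected = key_authorization(token, jwk)
    try:
        body = fetch(url)
    except OSError as exc:  # HTTPError (e.g. 404), URLError, connection refused, timeout
        return [f"{domain}: GET {url} failed ({exc})"]
    if body.strip() != expected:
        return [f"{domain}: challenge body mismatch (got {body.strip()[:40]!r})"]
    return []


def preflight(domains, server_ips, token, jwk, resolve=resolve_a_records, fetch=fetch_text) -> list:
    """All problems for all names; an empty list means the CA's validation should succeed."""
    problems = []
    for domain in domains:
        problems += dns_problems(domain, server_ips, resolve)
        problems += http_problems(domain, token, jwk, fetch)
    return problems


if __name__ == "__main__":
    # Offline run with constructed responders: the bare domain answers correctly,
    # the www name returns 404 like the error.log entry quoted in the thread.
    def fake_resolve(domain):
        return {"203.0.113.10"}

    def fake_fetch(url):
        if url.startswith("http://athena.co.za/"):
            return key_authorization(SAMPLE_TOKEN, SAMPLE_JWK) + "\n"
        raise OSError("HTTP Error 404: Not Found")

    for problem in preflight(["athena.co.za", "www.athena.co.za"], SERVER_IPS,
                             SAMPLE_TOKEN, SAMPLE_JWK, fake_resolve, fake_fetch):
        print(problem)
```

On a real system you would run `preflight(...)` with the default `resolve_a_records` and `fetch_text` from a host outside your own network, which is exactly the check a home router can break and the reason the 'Skip Let's Encrypt check' option exists. The ACME client writes the token file itself into the directory it serves for the challenge path; pre-creating .well-known/acme-challenge in the web root only gets in its way.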
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    See 'Read before posting':

    https://www.howtoforge.com/community/threads/please-read-before-posting.58408/

    Chapter "When visiting domain b ...."

    So you either did not get an LE cert (created by ISPConfig, not by you on a different machine; in this case the Let's Encrypt checkbox got unticked and you can use the FAQ to find out why), or you missed enabling the SSL checkbox, or there is a mix of * and IPv4 addresses in the IPv4 fields of the sites on that system.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There is one more option: SSL can also not be activated when there is a faulty manual config in the Apache directives field that prevents the vhost from getting saved. In this case, you can find a copy of the vhost file with a .err file ending in the Apache sites-available folder.
     
  8. thisiszeev

    thisiszeev Member HowtoForge Supporter

    The production server is in a DC in Israel.
    All my work servers and machines are at home.

    I did the Let's Encrypt check box this time as per your FAQ and it is still ticked and I am not getting a self-signed cert, I just have it redirecting.

    Let me read the link tomorrow morning as it is late; my girlfriend is here and I haven't seen her in a long time, so I want to spend some quality time with her.

    Thanks for your assistance thus far.
     
  10. thisiszeev

    thisiszeev Member HowtoForge Supporter

    Okay, I tried it on another PC. It works fine. I removed all the browser data etc. from Firefox on my laptop... guess what... you get 10 guesses and the first 9 don't count.

    YEP!!! It works fine. I would love to know what caused Firefox to do a redirect like that.
     