I've got a problem I've not come across before, where letsencrypt doesn't seem to be requesting that the main domain of a website is added to a certificate. I've got the domain/vhost fis.carmarthenshire.gov.wales added as a domain, with fis.carmarthenshire.wales and ggd.sirgar.llyw.cymru added as alias domains. They all exist OK in the ispconfig database on that webserver (multiserver config):

Code:
MariaDB [ispconfig_VPS7]> select domain,type from web_domain;
+-------------------------------+-------+
| domain                        | type  |
+-------------------------------+-------+
| ggd.sirgar.llyw.cymru         | alias |
| fis.carmarthenshire.wales     | alias |
| fis.carmarthenshire.gov.wales | vhost |
+-------------------------------+-------+

They exist OK in the vhost configuration:

Code:
<VirtualHost *:80>
    DocumentRoot /var/www/clients/client567/web2316/web
    ServerName fis.carmarthenshire.gov.wales
    ServerAlias ggd.sirgar.llyw.cymru
    ServerAlias fis.carmarthenshire.wales
    ServerAdmin [email protected]

But it doesn't add the main domain in letsencrypt:

Code:
2019-05-21 11:12:04,390:DEBUG:certbot.main:certbot version: 0.17.0
2019-05-21 11:12:04,390:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'fis.carmarthenshire.wales', '--domains', 'ggd.sirgar.llyw.cymru', '--webroot-path', '/usr/local/ispconfig/interface/acme']
2019-05-21 11:12:04,390:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)

It successfully gets a certificate, with the alias domains on it, but not the main domain:

Certificate hierarchy:
DST Root CA X3
  Let's Encrypt Authority X3
    fis.carmarthenshire.wales

Certificate Subject Alt Name
Not Critical
DNS Name: fis.carmarthenshire.wales
DNS Name: ggd.sirgar.llyw.cymru

Yet I can manually request a certificate for the domain:

Code:
letsencrypt certonly -d fis.carmarthenshire.gov.wales
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Spin up a temporary webserver (standalone)
2: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for fis.carmarthenshire.gov.wales

Select the webroot for fis.carmarthenshire.gov.wales:
-------------------------------------------------------------------------------
1: Enter a new webroot
-------------------------------------------------------------------------------
Press 1 [enter] to confirm the selection (press 'c' to cancel): 1
Input the webroot for fis.carmarthenshire.gov.wales: (Enter 'c' to cancel): /usr/local/ispconfig/interface/acme
Waiting for verification...
Cleaning up challenges
Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/fis.carmarthenshire.gov.wales/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/fis.carmarthenshire.gov.wales/privkey.pem
   Your cert will expire on 2019-08-19.

What is going on here? How do I fix this? I've not had this problem with any other domain. I thought it might be restricted because it's a gov domain, but then surely I wouldn't be able to request it manually. The full ispconfig letsencrypt log for the certificate request is in the attached file.
You can see in ispconfig debug mode why it got excluded. This normally happens when the domain is unreachable from the server itself.
Do you mean setting ispconfig itself to debug? On the master, or just the affected webserver? Because I've looked through the letsencrypt debug log, and the main domain simply isn't in the request. E.g. for penwernfach.co.uk, with alias penwern-fach-west-wales-cottages.co.uk, both appear as domains in the initial letsencrypt log:

Code:
letsencrypt.log.973:2018-09-10 10:06:02,525:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'penwernfach.co.uk', '--domains', 'www.penwernfach.co.uk', '--domains', 'penwern-fach-west-wales-cottages.co.uk', '--domains', 'www.penwern-fach-west-wales-cottages.co.uk', '--webroot-path', '/usr/local/ispconfig/interface/acme']

For fis.carmarthenshire.gov.wales with fis.carmarthenshire.wales and ggd.sirgar.llyw.cymru as aliases, fis.carmarthenshire.gov.wales simply isn't included in the initial request:

Code:
2019-05-21 11:12:04,390:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'fis.carmarthenshire.wales', '--domains', 'ggd.sirgar.llyw.cymru', '--webroot-path', '/usr/local/ispconfig/interface/acme']

And each domain is reachable from that webserver:

Code:
root@vps7:/home/ubuntu# ping fis.carmarthenshire.gov.uk
PING fis.carmarthenshire.gov.uk (52.209.39.50) 56(84) bytes of data.
64 bytes from carmarthenshire.gov.uk (52.209.39.50): icmp_seq=1 ttl=63 time=0.373 ms

root@vps7:/home/ubuntu# ping fis.carmarthenshire.wales
PING fis.carmarthenshire.wales (52.209.39.50) 56(84) bytes of data.
64 bytes from carmarthenshire.gov.uk (52.209.39.50): icmp_seq=1 ttl=63 time=0.450 ms

root@vps7:/home/ubuntu# ping ggd.sirgar.llyw.cymru
PING ggd.sirgar.llyw.cymru (52.209.39.50) 56(84) bytes of data.
64 bytes from carmarthenshire.gov.uk (52.209.39.50): icmp_seq=1 ttl=63 time=0.342 ms
Right, and to find out why, use debug mode in ispconfig. Enable it on the master for the affected slave, disable the server.sh cronjob on the slave, untick the letsencrypt checkbox for the site and activate it again, then run server.sh on the slave server and post the output that you get on the shell. If it tells you that the domain was excluded, then the domain could not be reached from that slave.
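The replies above point at the same cause: a name is dropped from the certbot request when it does not resolve to, or is not reachable on, the web server making the request. The script below is an added example, not ISPConfig's own code and not something posted in this thread. It pulls every ServerName and ServerAlias straight out of a vhost fragment (so the exact spelling in the vhost is what gets tested), resolves each one, and reports which names would be left out because they do not resolve or point at a different address. The resolver is injectable: `system_resolver` does a live lookup when you run it on the server, while `constructed_resolver` is a made-up DNS table used here so the example runs offline; the missing entry for the main domain in that table is a constructed failure case, not a statement about the real zone.

```python
import re
import socket
from typing import Callable, Dict, List, Set

# Constructed sample: the vhost fragment quoted in the thread, trimmed to the
# directives this check needs.
SAMPLE_VHOST = """<VirtualHost *:80>
    DocumentRoot /var/www/clients/client567/web2316/web
    ServerName fis.carmarthenshire.gov.wales
    ServerAlias ggd.sirgar.llyw.cymru
    ServerAlias fis.carmarthenshire.wales
</VirtualHost>
"""

# Constructed DNS table (assumption for the offline demo): the two aliases
# resolve to the address seen in the thread's ping output, the main name
# deliberately has no entry so the "excluded" path is exercised.
CONSTRUCTED_DNS: Dict[str, List[str]] = {
    "fis.carmarthenshire.wales": ["52.209.39.50"],
    "ggd.sirgar.llyw.cymru": ["52.209.39.50"],
}

Resolver = Callable[[str], List[str]]


def vhost_names(config: str) -> List[str]:
    """Return the ServerName first, then every ServerAlias, in file order.

    A single ServerAlias line may carry several space-separated names, so
    each line is split rather than taken whole.
    """
    names: List[str] = []
    for line in config.splitlines():
        m = re.match(r"\s*Server(Name|Alias)\s+(.+?)\s*$", line)
        if m:
            names.extend(m.group(2).split())
    return names


def system_resolver(name: str) -> List[str]:
    """Live lookup through the server's own resolver (used on a real host)."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, 80)})
    except socket.gaierror:
        return []


def constructed_resolver(name: str) -> List[str]:
    """Offline stand-in for DNS, backed by the constructed table above."""
    return list(CONSTRUCTED_DNS.get(name, []))


def classify(names: List[str], server_ips: Set[str], resolve: Resolver) -> Dict[str, str]:
    """Label each name: 'ok' (resolves to one of this server's addresses),
    'nxdomain' (no answer), or 'elsewhere:<ips>' (resolves, but not here)."""
    report: Dict[str, str] = {}
    for name in names:
        ips = resolve(name)
        if not ips:
            report[name] = "nxdomain"
        elif any(ip in server_ips for ip in ips):
            report[name] = "ok"
        else:
            report[name] = "elsewhere:" + ",".join(ips)
    return report


def certificate_candidates(names: List[str], server_ips: Set[str], resolve: Resolver) -> List[str]:
    """Names that would survive a reachability filter and reach the CSR."""
    report = classify(names, server_ips, resolve)
    return [n for n in names if report[n] == "ok"]


if __name__ == "__main__":
    # Offline run against the constructed table; swap in system_resolver and
    # the host's real addresses to check a live server.
    names = vhost_names(SAMPLE_VHOST)
    for name, status in classify(names, {"52.209.39.50"}, constructed_resolver).items():
        print(f"{name:32} {status}")
    print("would be requested:", certificate_candidates(names, {"52.209.39.50"}, constructed_resolver))
```

Run it on the web server itself with `system_resolver` and the addresses it actually listens on: a name reported as `nxdomain` or `elsewhere` from that vantage point is the one to look at in the ISPConfig debug output, since the request is built from the server's own view of DNS, not from what a workstation or external resolver sees.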