I have done a fresh install of ISPConfig on Ubuntu 16.04 following this guide - The Perfect Server - Ubuntu 16.04 (Xenial Xerus) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1 - which includes
Code:
apt-get -y install letsencrypt

Now, to activate SSL, I select the letsencrypt checkbox in ISPConfig and save it. When opening the website page again, the checkbox shows as not selected. The error log of letsencrypt is like this:
Code:
2017-02-10 15:22:06,294:DEBUG:letsencrypt.cli:Root logging level set at 30
2017-02-10 15:22:06,295:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-02-10 15:22:06,295:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2017-02-10 15:22:06,295:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt$
2017-02-10 15:22:06,296:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standa$
2017-02-10 15:22:06,296:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
2017-02-10 15:22:06,296:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --d$
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/disco.py", line 103, in prepare
    self._initialized.prepare()
  File "/usr/lib/python2.7/dist-packages/letsencrypt/plugins/webroot.py", line 56, in prepare
    "Missing parts of webroot configuration; please set either "
PluginError: Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.
2017-02-10 15:22:06,296:DEBUG:letsencrypt.display.ops:No candidate plugin
2017-02-10 15:22:06,296:DEBUG:letsencrypt.cli:Selected authenticator None and installer None
2017-02-10 15:22:06,296:INFO:letsencrypt.cli:Could not choose appropriate plugin: The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.',)
2017-02-10 15:22:06,297:DEBUG:letsencrypt.cli:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 9, in <module>
    load_entry_point('letsencrypt==0.4.1', 'console_scripts', 'letsencrypt')()
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 1986, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 683, in obtain_cert
    installer, authenticator = choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 635, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python2.7/dist-packages/letsencrypt/cli.py", line 536, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
PluginSelectionError: The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.',)
You need to run letsencrypt once from the root CLI; it will pull dependencies and stuff. But do not let it configure anything.
How to run letsencrypt from the CLI? Just typing letsencrypt and Enter will do. Again, how will I skip configure?
Okay, in the ISPConfig admin, after enabling debug, I am getting this, in this order:
Code:
Create Let's Encrypt SSL Cert for: megashopping.dk
Let's Encrypt SSL Cert domains:
exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-path /usr/local/ispconfig/interface/acme
Let's Encrypt SSL Cert for: megashopping.dk could not be issued.
Writing the vhost file: /etc/apache2/sites-available/megashopping.dk.vhost
Writing the PHP-FPM config file: /etc/php/7.0/fpm/pool.d/web1.conf
Calling function 'restartPHP_FPM' from module 'web_module'.
Please try to run this command as root on the shell:
/usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-path /usr/local/ispconfig/interface/acme

Which error message do you get and which error is logged in the letsencrypt log file?
Ok, I ran the command in the terminal and I get:
The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.',)
That's one of the development releases. Download ISPConfig 3.1.2 from ispconfig.org, unpack the tar.gz file and then run the update.php script in the install folder to update your system to the 3.1.2 stable release.
Updated ISPConfig to 3.1.2. Ran the command again in the terminal.
Code:
/usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-path /usr/local/ispconfig/interface/acme
The webroot plugin is not working; there may be problems with your existing configuration.
The error was: PluginError('Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.',)
Log in to ISPConfig and enable letsencrypt; the command is from the other ISPConfig version, so it is not relevant for 3.1.2.
I already did that, I just skipped mentioning it. I get a similar error as mentioned:
Code:
Let's Encrypt SSL Cert for: megashopping.dk could not be issued.
exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains megashopping.dk --domains www.megashopping.dk --webroot-path /usr/local/ispconfig/interface/acme

This is the letsencrypt log:
Code:
2017-02-15 10:51:01,784:DEBUG:letsencrypt.cli:Root logging level set at 30
2017-02-15 10:51:01,784:INFO:letsencrypt.cli:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-02-15 10:51:01,785:DEBUG:letsencrypt.cli:letsencrypt version: 0.4.1
2017-02-15 10:51:01,785:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt$
2017-02-15 10:51:01,785:DEBUG:letsencrypt.cli:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standa$
2017-02-15 10:51:01,786:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer None
2017-02-15 10:51:01,786:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2017-02-15 10:51:01,786:DEBUG:letsencrypt.plugins.webroot:Creating root challenges validation dir at /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2017-02-15 10:51:01,786:DEBUG:letsencrypt.display.ops:Single candidate plugin: * webroot
Description: Webroot Authenticator
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = letsencrypt.plugins.webroot:Authenticator
Initialized: <letsencrypt.plugins.webroot.Authenticator object at 0x7feca97a4150>
Prep: True
2017-02-15 10:51:01,787:DEBUG:letsencrypt.cli:Selected authenticator <letsencrypt.plugins.webroot.Authenticator object at 0x7feca97a4150> and installer None
2017-02-15 10:51:01,812:DEBUG:letsencrypt.cli:Picked account: <Account(7329a5253b0d8f448f5f1c3c7cd2cb66)>
2017-02-15 10:51:01,817:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2017-02-15 10:51:01,824:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-02-15 10:51:02,026:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280
2017-02-15 10:51:02,028:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-Id': 'EZU9qNXyd8Cj$
2017-02-15 10:51:02,028:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-Id$
2017-02-15 10:51:02,243:INFO:letsencrypt.crypto_util:Generating key (4096 bits): /etc/letsencrypt/keys/0001_key-letsencrypt.pem
2017-02-15 10:51:02,254:INFO:letsencrypt.crypto_util:Creating CSR: /etc/letsencrypt/csr/0001_csr-letsencrypt.pem
2017-02-15 10:51:02,255:DEBUG:letsencrypt.client:CSR: CSR(file='/etc/letsencrypt/csr/0001_csr-letsencrypt.pem', data='0\x82\x04\xa10\x82\x02\x89\x02\x01\x020\x1a1\x180\x16\x06\$
2017-02-15 10:51:02,256:DEBUG:root:Requesting fresh nonce
2017-02-15 10:51:02,256:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2017-02-15 10:51:02,257:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-02-15 10:51:02,447:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2017-02-15 10:51:02,449:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': 'kS7N5qwv4CSnIoA8w3HE1zQ6J_26Uwp1VAj$
2017-02-15 10:51:02,449:DEBUG:acme.client:Storing nonce: "\x11!p\xae\x02M=\xd4w-\x1d\xbe\xc6\x01\xdc'\x95\xd8\xbev\x02>U\x0e\xdc:\xb1Ob\xdd\xf3\xf8"
2017-02-15 10:51:02,449:DEBUG:acme.jose.json_util:Omitted empty fields: challenges=None, combinations=None, status=None, expires=None
2017-02-15 10:51:02,450:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "megashopping.dk"}, "resource": "new-authz"}
2017-02-15 10:51:02,452:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ$
2017-02-15 10:51:02,461:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
2017-02-15 10:51:02,461:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {$
2017-02-15 10:51:02,462:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-02-15 10:51:02,723:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1000
2017-02-15 10:51:02,725:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1000', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-Id': 'qS6c0ta4MCx$
2017-02-15 10:51:02,725:DEBUG:acme.client:Storing nonce: '\xb6Gd\r&\xdbN>\xf9\xfe\x06\x142@A\xd6\x80Cc\x16\x8d\x12N\xd6<\xf2\x9bAE7\xb82'
2017-02-15 10:51:02,725:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1000', 'Expires': 'Wed, 15 Feb 2017 10:51:02 GMT', 'Boulder-Request-I$
2017-02-15 10:51:02,726:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'veCPtLJ7bRVNvX9_fsAlTOGe3slj-SvYN2U8gzZCXKs', u'type'$
2017-02-15 10:51:02,726:DEBUG:acme.jose.json_util:Omitted empty fields: challenges=None, combinations=None, status=None, expires=None
2017-02-15 10:51:02,726:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "www.megashopping.dk"}, "resource": "new-authz"}
2017-02-15 10:51:02,729:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), x5tS256=None, cty=None, jku=None, x5u=None, x5t=None, crit=(), kid=None, alg=None, jwk=None, typ$
2017-02-15 10:51:02,738:DEBUG:acme.jose.json_util:Omitted empty fields: jku=None, x5tS256=None, cty=None, x5c=(), x5u=None, x5t=None, crit=(), nonce=None, kid=None, typ=None
2017-02-15 10:51:02,738:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {$
2017-02-15 10:51:02,739:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Note: I would like to mention here that the A record for the domain megashopping.dk doesn't point to the IP of this server at present. Can this cause the error?
Ok, this explains the problem. Let's Encrypt will only issue an SSL cert when it can reach a token through all domain names that it created on this server in real time, so when a domain points to another server, LE cannot issue that SSL cert. This also explains why the --domain switch was not there in the dev version, as the dev version removes all domains from the LE command that are not reachable on this server, and as no domains of this site point to this system, all domains had been removed.
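The condition described in the post above, that every requested name must serve the challenge from this server, can be checked before the client is called. This is an added example, not part of the thread and not ISPConfig's code: the function names and sample addresses are hypothetical, and `getent` is assumed for resolution.

```shell
# Pre-flight for an HTTP-01 (webroot) request: keep only names whose A
# records point at this server, so one stray name cannot fail the request.

# resolve_a NAME -> IPv4 addresses, one per line (assumes glibc getent).
resolve_a() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# points_here NAME IP... -> 0 only if NAME resolves and every address it
# resolves to is one of the given server addresses (deliberately strict:
# the CA may connect to any of the published addresses).
points_here() {
    ph_name=$1; shift
    ph_found=0
    for ph_ip in $(resolve_a "$ph_name"); do
        ph_found=1
        case " $* " in
            *" $ph_ip "*) ;;
            *) return 1 ;;
        esac
    done
    [ "$ph_found" -eq 1 ]
}

# usable_domains "IP IP..." NAME... -> prints the names that are safe to request.
usable_domains() {
    ud_ips=$1; shift
    for ud_name in "$@"; do
        # $ud_ips is left unquoted on purpose: it is a space-separated list.
        if points_here "$ud_name" $ud_ips; then
            printf '%s\n' "$ud_name"
        else
            printf 'skip %s: does not resolve to this server\n' "$ud_name" >&2
        fi
    done
}

# build_le_args WEBROOT "IP IP..." NAME... -> prints the argument list, or
# returns 1 when no name is left (the "missing --domains" failure in the thread).
build_le_args() {
    bl_webroot=$1; bl_ips=$2; shift 2
    bl_names=$(usable_domains "$bl_ips" "$@")
    [ -n "$bl_names" ] || return 1
    printf 'certonly -n --text --agree-tos --expand --authenticator webroot'
    printf ' --webroot-path %s' "$bl_webroot"
    for bl_n in $bl_names; do printf ' --domains %s' "$bl_n"; done
    printf '\n'
}
```

A non-zero return from `build_le_args` means the request should not be sent at all, which avoids spending CA rate limit on a validation that cannot succeed.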
Another option would be to use the DNS-01 challenge. It will not check the domain itself for whether you can provide a challenge file, but it will query the zone file for whether you can add a TXT record. If you host the DNS for that domain with an ISPC 3.1 installation, then the acme.sh client can be used for that.
We will most likely switch to acme.sh in one of the next releases to be able to provide the DNS-01 challenge as an option.
acme.sh - being a pure shell script without all that python stuff - just seems a lot less hassle for me. The only drawback I noticed with DNS-01 is that it takes a bit longer to issue a cert. I made a 120s timeout between the TXT being added to the zone in ISPC and asking the LE servers to check the updated zone file.
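The wait between publishing the TXT record and asking the CA to validate, described in the post above, can also be done by polling the zone's nameservers with an upper bound. This is an added example, not part of the thread and not code from acme.sh or ISPConfig: the function names and nameserver names are hypothetical, and `dig` is assumed to be installed.

```shell
# DNS-01: wait until every authoritative nameserver serves the challenge TXT
# record before asking the CA to validate, instead of one fixed sleep.

# lookup_txt NS NAME -> TXT strings served by NS, one per line, quotes
# stripped (assumes dig from dnsutils/bind-utils is installed).
lookup_txt() {
    dig +short TXT "$2" "@$1" | tr -d '"'
}

# txt_visible VALUE NAME NS... -> 0 only if every NS serves VALUE for NAME.
txt_visible() {
    tv_value=$1; tv_name=$2; shift 2
    for tv_ns in "$@"; do
        # -x whole line, -F literal; "--" because a base64url value may start with "-".
        lookup_txt "$tv_ns" "$tv_name" | grep -qxF -- "$tv_value" || return 1
    done
    return 0
}

# wait_for_txt DOMAIN VALUE TRIES INTERVAL NS...
# Polls _acme-challenge.DOMAIN up to TRIES times, INTERVAL seconds apart.
# Returns 0 as soon as all nameservers agree, 1 if they never do.
wait_for_txt() {
    wt_name="_acme-challenge.$1"; wt_value=$2; wt_tries=$3; wt_step=$4
    shift 4
    [ "$#" -gt 0 ] || return 1          # no nameserver given: nothing proven
    while [ "$wt_tries" -gt 0 ]; do
        if txt_visible "$wt_value" "$wt_name" "$@"; then
            return 0
        fi
        wt_tries=$((wt_tries - 1))
        if [ "$wt_tries" -gt 0 ]; then sleep "$wt_step"; fi
    done
    return 1
}

# Example: 24 tries x 5 s gives the same 120 s ceiling as a fixed wait:
#   wait_for_txt example.org "$txt_value" 24 5 ns1.example.org ns2.example.org
```

Querying each authoritative server by name matters when secondaries lag behind the primary, since the CA may ask any of them.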