Hello, I am using ispconfig 3.2.8p1 with ubuntu 20.04, and I am using the server only as a mail server. It was installed without issues and previously there were no issues renewing the letsencrypt cert. Today, checking the log, I saw there was an error trying to renew the cert:

Code:
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/domain.com.mx/fullchain.pem (failure)

and the log is showing:

Code:
2022-04-19 14:31:45,672:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/99718720250 HTTP/1.1" 200 386
2022-04-19 14:31:45,673:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 19:31:45 GMT
Content-Type: application/json
Content-Length: 386
Connection: keep-alive
Boulder-Requester: 364640610
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101ZZnHd8q5ozVGmbU8ablipGjam-dXnwkHmvyjw4oUIHE
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain.com"
  },
  "status": "pending",
  "expires": "2022-04-26T01:03:47Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99718720250/SziBVQ",
      "token": "b_tQOzDXjfkqM8OrR1A0vopnwIFwrjMv1psY4iEhENo"
    }
  ],
  "wildcard": true
}
2022-04-19 14:31:45,673:DEBUG:acme.client:Storing nonce: 0101ZZnHd8q5ozVGmbU8ablipGjam-dXnwkHmvyjw4oUIHE
2022-04-19 14:31:45,674:DEBUG:acme.client:JWS payload:
b''
2022-04-19 14:31:45,681:DEBUG:acme.client:Sending POST request to https://acme-v02.api.letsencrypt.org/acme/authz-v3/99718720260:
{
  "protected": "eyJhbGciOiAiUlMyNTYiLCAia2lkIjogImh0dHBzOi8vYWNtZS12MDIuYXBpLmxldHNlbmNyeXB0Lm9yZy9hY21lL2FjY3QvMzY0NjQwNjEwIiwgIm5vbmNlIjogIjAxMDFaWm5IZDhxNW96VkdtYlU4YWJsaXBHamFtLWRYbndrSG12eWp3NG9VSUhFIiwgInVybCI6ICJodHRwczovL2FjbWUtdjAyLmFwaS5sZXRzZW5jcnlwdC5vcmcvYWNtZS9hdXRoei12My85OTcxODcyMDI2MCJ9",
  "signature": "P-TCaEOZlzm0GFynY_ykESWC3pSNT3rhpAHdzGdMJQU2ca-qolGIZ0mCW_TR3JHXuoB4Z8QWMHxLKcMjF3dzqjiIwqlBkMJEIj79jTB5iRn27RBJaBIfHmsyDjA_lYOKow8H0w-d8nlYdDxRdTFFaKnQP8mI3m7VhaXeLPHDWSUMkGFko74pGexRP8L8mJKxwaDD65qskPc9MX0t7ZeO0-2fXx2AC21L6jM-MnoZu4MdQfybYOBXzOTjRzowyzjonkTqiuSHjTweGEWrQlG7hOZrASpWHfbf5v24xyaLMCzK0vCjbsYeSXKOTj8KaQeNcxfp0zhZJweCFtCa7rJ56ogLWvpQX4bF572JL-_9uN6hkaSnMPb0z1pKT9S5A2VVzXQ4tG8TTkqLFVr3ErCGGo1perSpQNR18_CcUkxWNndvPHdHudZ9XL_pyG2AxR4qo8TI0Y_QyQObry6k7qgzKufx6_jEthlulljcLmB2VjYVmgLbaaqzNfksjQt3ix1U54kwX7uEtUlT7Iei_5ZDaTpP-AZycYWYJsEqjSCdX3aB8PvkzthTPSGOD1DH1m7VaUxbBOnIsGmW0iff6Wk0eqINuCO1qD6YMQdqCArYH-UvB5FgDo-mk9IWoAnTPqSRJZoJoSxggU9gfScoqF95aBRMViHoGedgqeIrahZjKJo",
  "payload": ""
}
2022-04-19 14:31:45,729:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "POST /acme/authz-v3/99718720260 HTTP/1.1" 200 381
2022-04-19 14:31:45,731:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Tue, 19 Apr 2022 19:31:45 GMT
Content-Type: application/json
Content-Length: 381
Connection: keep-alive
Boulder-Requester: 364640610
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0101nhdYr3dRN4ekOGDX2V3lk8ADMmF1DN1Kg60_BJ3O4dM
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "identifier": {
    "type": "dns",
    "value": "domain2.com"
  },
  "status": "pending",
  "expires": "2022-04-26T01:03:47Z",
  "challenges": [
    {
      "type": "dns-01",
      "status": "pending",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall-v3/99718720260/X-s1pw",
      "token": "uDfw_0e2mQZzoShd6NMLSYUUatxWHjM1_4S7gGYaPeI"
    }
  ],
  "wildcard": true
}
2022-04-19 14:31:45,731:DEBUG:acme.client:Storing nonce: 0101nhdYr3dRN4ekOGDX2V3lk8ADMmF1DN1Kg60_BJ3O4dM
2022-04-19 14:31:45,732:INFO:certbot.auth_handler:Performing the following challenges:
2022-04-19 14:31:45,732:CRITICAL:certbot.auth_handler:Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
2022-04-19 14:31:45,733:WARNING:certbot.renewal:Attempting to renew cert (domain.com) from /etc/letsencrypt/renewal/domain.com.conf produced an unexpected error: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.. Skipping.
2022-04-19 14:31:45,741:DEBUG:certbot.renewal:Traceback was:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 462, in handle_renewal_request
    main.renew_cert(lineage_config, plugins, renewal_candidate)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1208, in renew_cert
    renewed_lineage = _get_and_save_cert(le_client, config, lineage=lineage)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 116, in _get_and_save_cert
    renewal.renew_cert(config, domains, le_client, lineage)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 320, in renew_cert
    new_cert, new_chain, new_key, _ = le_client.obtain_certificate(domains, new_key)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 62, in handle_authorizations
    achalls = self._choose_challenges(authzrs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 204, in _choose_challenges
    path = gen_challenge_path(
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 320, in gen_challenge_path
    return _find_smart_path(challbs, preferences, combinations)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 356, in _find_smart_path
    _report_no_chall_path(challbs)
  File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 395, in _report_no_chall_path
    raise errors.AuthorizationError(msg)
certbot.errors.AuthorizationError: Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA. You may need to use an authenticator plugin that can do challenges over DNS.
2022-04-19 14:31:45,743:ERROR:certbot.renewal:All renewal attempts failed. The following certs could not be renewed:
2022-04-19 14:31:45,743:ERROR:certbot.renewal:  /etc/letsencrypt/live/domain.com/fullchain.pem (failure)
2022-04-19 14:31:45,744:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1287, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3/dist-packages/certbot/renewal.py", line 486, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 0 parse failure(s)

I have been reading other posts related to letsencrypt issues but I was not able to get a clue. Any ideas? Thank you
UPDATE: I found this article with a description of the issue. It said that certbot needs to be updated, but I have version 0.40:

Code:
certbot --version || /path/to/certbot-auto --version
certbot 0.40.0

I have also tried removing and reinstalling certbot, with the same results. Thank you
Remove certbot, install snapd and use snap to install certbot. https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal Just follow until step 6 in the official site above.
Thank you for the answer ahrasis, I did these steps:

1.- apt-get remove certbot
2.- apt autoremove
3.- snap install core; sudo snap refresh core
4.- snap install --classic certbot
5.- ln -s /snap/bin/certbot /usr/bin/certbot
6.- certbot renew

I got the same result. Thinking that the certs could be the problem, I removed the folder /etc/letsencrypt/archive/domain.com, removed /usr/local/ispconfig/interface/ssl/* and the CF file in /etc/letsencrypt/renewal, and ran ispconfig_update.sh --force to create the ssl again. The cert was created correctly; however, this is a mail server handling 2 email domains (domain.com and domain2.com) and my previous cert contained references to *.domain.com and *.domain2.com. The new cert only has a reference for hostname.domain.com and did not set *.domain.com and *.domain2.com like the previous one. When I ran ispconfig_update.sh --force I selected reconfigure services and create ssl cert; all the remaining options were default. Any ideas? Thank you for your time
The ISPConfig installer sets up an SSL cert for the hostname only. If you had more domains in that cert before, then it was not created by the ISPConfig installer and you must set it up manually again, in the same way you did before, to have more domains in that cert.
To use a wildcard you have to use the dns challenge, which is currently supported by neither the ISPConfig installer nor its LE web config. You will need to do this manually. I believe @Th0m has written a tutorial about it, but his method does not support wildcards either; multiple FQDNs will work using his method, though. I personally use a wildcard for my ISPConfig and I did share the general method to use it in the tips and tricks board.
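The log in the first post shows why the renewal cannot proceed: both authorizations come back with "wildcard": true and offer only a dns-01 challenge, while the renewal config selects the webroot authenticator, which can only answer http-01. The following script is an added example (not certbot's or ISPConfig's own code) that makes that mismatch visible before a renewal is attempted: it parses the [renewalparams] block of a renewal config and, given the names the certificate covers, lists every name the configured authenticator cannot validate. The plugin-to-challenge table is a simplified assumption, the sample config and name list are constructed to mirror the thread's case, and the paths and account id in it are placeholders.

```python
"""Diagnose a certbot "no combination of challenges" renewal failure.

Added example, not certbot's or ISPConfig's code. It reads the [renewalparams]
block of a renewal config and, given the names in the certificate, reports
which names the configured authenticator cannot validate. The plugin table
below is a simplified assumption of the challenge types each plugin performs;
the wildcard rule follows the CA behaviour visible in the log above, where
wildcard authorizations offer only dns-01.
"""
from __future__ import annotations

# Assumption: challenge types per authenticator plugin (simplified).
PLUGIN_CHALLENGES = {
    "webroot": {"http-01"},
    "apache": {"http-01"},
    "nginx": {"http-01"},
    "standalone": {"http-01"},
    "manual": {"http-01", "dns-01"},
}


def challenges_for(plugin: str) -> set[str]:
    """Challenge types the named authenticator plugin can complete."""
    if plugin.startswith("dns-"):          # dns-cloudflare, dns-route53, ...
        return {"dns-01"}
    return PLUGIN_CHALLENGES.get(plugin, set())


def acceptable_challenges(name: str) -> set[str]:
    """Challenge types the CA accepts for an identifier."""
    if name.startswith("*."):              # wildcard: dns-01 only
        return {"dns-01"}
    return {"http-01", "dns-01", "tls-alpn-01"}


def parse_renewal_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal parser for certbot's renewal conf: {section: {key: value}}.

    Top-level keys (version, archive_dir, ...) land under the '' section;
    '[[webroot_map]]' becomes the 'webroot_map' section.
    """
    sections: dict[str, dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            current = line.strip("[]").strip()
            sections.setdefault(current, {})
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def unsatisfiable_names(conf_text: str, names: list[str]) -> dict[str, str]:
    """Map each name the authenticator cannot validate to the reason."""
    params = parse_renewal_conf(conf_text).get("renewalparams", {})
    plugin = params.get("authenticator", "")
    supported = challenges_for(plugin)
    problems: dict[str, str] = {}
    for name in names:
        if not acceptable_challenges(name) & supported:
            needed = ", ".join(sorted(acceptable_challenges(name)))
            problems[name] = f"authenticator '{plugin}' cannot do {needed}"
    return problems


# Constructed sample, modelled on /etc/letsencrypt/renewal/<domain>.conf;
# the webroot path and account id are placeholders, not from a real server.
SAMPLE_CONF = """\
version = 0.40.0
archive_dir = /etc/letsencrypt/archive/domain.com
cert = /etc/letsencrypt/live/domain.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = PLACEHOLDER_ACCOUNT_ID
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
domain.com = /var/www/acme-webroot
"""

# Constructed SAN list matching the thread's case: hostname plus two wildcards.
SAMPLE_NAMES = ["domain.com", "*.domain.com", "*.domain2.com"]

if __name__ == "__main__":
    for name, why in unsatisfiable_names(SAMPLE_CONF, SAMPLE_NAMES).items():
        print(f"{name}: {why}")
```

Run as-is, it flags *.domain.com and *.domain2.com and accepts domain.com, which is exactly the split the CA reported. To check a real lineage, pass in the text of its renewal conf and the names from the Subject Alternative Name section of openssl x509 -noout -text -in /etc/letsencrypt/live/<domain>/cert.pem; an empty result means the configured authenticator can satisfy every name, so a failure has another cause.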
Hello, could this be the problem in my case too? After my update to ispconfig 3.2.8p1 with a newly created certificate, I have the problem that I can no longer send mail via my domain, which worked before. The strange thing is that after a repeated forced update all domains ran on the server for a short time, but only one domain again reports that the certificate is supposedly not present in the hostname. And the other domains send very slowly or not at all. In addition there are these errors in mail.log:

Mail.log
TLS handshaking: SSL_accept() failed: error:1408F10B:SSL routines:ssl3_get_record:wrong version number
postfix/smtps/smtpd[5978]: warning: TLS library problem: error:14094416:SSL routines:ssl3_read_bytes:sslv3 alert certificate unknown
I am seeing the same problem. We just upgraded from 3.2.7p1 to 3.2.8p1 (Ubuntu 20.04) and started seeing SSL errors with email accounts and checking the LetsEncrypt logs we found the same errors as above. Everything was working fine before the upgrade (and we used the upgrade tool from the control panel to do the upgrade). Any suggestions as to what could cause this please?
I already advised on how to fix certbot problem earlier so do read and apply if you are using certbot too.
I don't want to reinstall certbot until I understand how the upgrade broke it in the first place. Also, we have these errors in the logs suggesting some symlinks have been broken by the upgrade?

postfix-script (total: 5)
1 symlink leaves directory: /etc/postfix/./smtpd.key-202103271327...
1 symlink leaves directory: /etc/postfix/./smtpd.cert-20210327132...
1 symlink leaves directory: /etc/postfix/./makedefs.out
1 symlink leaves directory: /etc/postfix/./smtpd.cert
1 symlink leaves directory: /etc/postfix/./smtpd.key
Well, certbot code has a lot of changes from version to version, and installing via snap is the currently recommended way to get certbot installed or upgraded. It has nothing to do with ISPConfig or its upgrade. I have been advising this in various ISPConfig threads, so this is not new advice, but all that is up to you and that is your server.