Site SSLs not being issued - weird

Discussion in 'Installation/Configuration' started by brainsys, Jan 15, 2026.

  1. brainsys

    brainsys Active Member

    Spun up 2 new ISPConfig servers on Debian Bookworm using the auto-installer on defaults. The server SSL certificate was installed on both - no issue so I assume acme is up and working. I did a --force update and that updated the server certificate. However, when I come to add sites on both ticking both SSL & Letsencrypt - no certificate is installed. Both are unticked afterwards.

    The subdomain is set to none and the domain resolves and can be accessed via http.

    One is on an amd-64 Proxmox VM. The other a Raspberry Pi. Another old Raspberry Pi on the same LAN has no problem adding SSL sites. There is no /var/log/letsencrypt directory on the new instances hence I don't know where to start diagnosing the issue.

    Help!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. brainsys

    brainsys Active Member

    First the good news. I have one of the two new servers working. I found the acme log under /var/log/ispconfig and it indicated a firewall issue. Tracking it through and the router had a 'shadow' entry for when the Raspberry Pi was a different host. Cleared that and it worked. Weird it could re-issue the server certificate but not a site certificate.

    The Proxmox ISPConfig server isn't getting site certs. I did try an ispconfig_update.sh --force to get new server certificate. Although that appeared the cert date was unaltered and there did not appear to be an entry in /var/log/ispconfig/acme.log. I plan to detach and re-attach the server to the router. Meanwhile this was part of the ispconfig update dialogue:
    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for xx.xxxx.co.uk
    Discovered acme.sh version 3.1.3 with certificate home /root/.acme.sh
    Using certificate path /root/.acme.sh/xx.xxxx.co.uk_ecc / /root/.acme.sh/xx.xxxx.co.uk_ecc/xx.xxxx.co.uk.cer
    Using apache for certificate validation
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y
    
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please follow the FAQ, step-by-step. An ISPConfig update is not related to website SSL certificates in any way, so this cannot help you with your problem.
     
    COLVIT likes this.
  5. brainsys

    brainsys Active Member

    You were right to return to the checklist. Ticking Skip Letsencrypt check did it. I had ignored it because it isn't behind a NAT or known Firewall and all other ISPConfig servers on the LAN had not needed it. The only difference is they are raw servers and this is a Proxmox VM.

    Presumably this is the difference. What does the Skip Letsencrypt check actually not do? Port 53 is open.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It tries to reach the domain in the same way LE does. However, this request originates from your server, not a LE server. So if this test fails, then it's not possible to reach this domain name by HTTP from your server. This typically only fails when you are behind a NAT router, which blocks outgoing requests to a target that's in the same private network. You can think of this test like doing a curl call to the domain name from your server, where it tries to fetch a certain URL where ISPConfig placed a test file on your server.

    So in your case, you probably put the VM in Proxmox behind a NAT router (a private network).
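
The self-check described in the post above, as an added example that is not part of the original thread and is not ISPConfig's own code: it writes a random test file under a site's web root and fetches it back over HTTP by name. The web root argument, the host name you pass and the `selfcheck-` file name are assumptions; the thread does not say where ISPConfig places its test file, so the standard ACME HTTP-01 path is used.

```python
import secrets
import urllib.error
import urllib.request
from pathlib import Path

# HTTP-01 challenge location defined by ACME (RFC 8555, section 8.3).
CHALLENGE_DIR = ".well-known/acme-challenge"

# Ignore proxy environment variables: the request must take the direct route.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def self_check(base_url, webroot, timeout=5.0):
    """Write a random token under webroot, fetch it back through base_url.

    base_url: e.g. "http://site.example" (constructed name).
    webroot:  directory the web server maps to that site (assumption).
    Returns (ok, reason); reason is "ok", "unreachable", "http-<code>"
    or "wrong-content".
    """
    challenge = Path(webroot) / CHALLENGE_DIR
    challenge.mkdir(parents=True, exist_ok=True)
    name = "selfcheck-" + secrets.token_hex(8)
    token = secrets.token_hex(16)
    test_file = challenge / name
    test_file.write_text(token)
    url = f"{base_url.rstrip('/')}/{CHALLENGE_DIR}/{name}"
    try:
        with _OPENER.open(url, timeout=timeout) as resp:
            body = resp.read(256).decode("ascii", "replace").strip()
    except urllib.error.HTTPError as exc:
        # Something answered, but not with our file (wrong vhost, rewrite rule).
        return False, f"http-{exc.code}"
    except OSError:
        # DNS failure, refused connection or timeout, e.g. no NAT loopback.
        return False, "unreachable"
    finally:
        test_file.unlink(missing_ok=True)
    if body != token:
        # A different host or a placeholder page answered for this name.
        return False, "wrong-content"
    return True, "ok"


if __name__ == "__main__":
    import sys
    ok, reason = self_check(sys.argv[1], sys.argv[2])
    print(reason)
    sys.exit(0 if ok else 1)
```

If this returns "unreachable" on the server while the same URL loads from an outside connection, the server cannot reach its own public name, which is the situation the skip option works around.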
     
  7. COLVIT

    COLVIT New Member

    Hi,

    Thanks for your help. The problem may not have been with being behind a NAT, but mainly because when I installed the VM I had no DNS entry for my management subdomain.

    Regards.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Your issue is a bit different from what's discussed in this thread, which is about working SSL for the management domain, but failed SSL for sites. But your problem is also covered in the LE error FAQ. So if someone has an issue with Let's Encrypt not issuing certs, just follow all steps of the FAQ post.
     
  9. brainsys

    brainsys Active Member

    And thank you Till. I've been experimenting and it all points to Proxmox being the villain. I assumed in networking terms it would expose my public IP facing ISPConfig server to my internet router like a normal switch. Obviously it doesn't. I will need to dig deeper into Proxmox networking (I'm a Proxmox newbie).

    The bottom line appears to be - if it's a Proxmox VM then you need to tick 'don't check' which I have never had an issue with any other ISPConfig public IP servers on the same LAN. But all is good now. Thanks again.
     
    till likes this.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I'll add it to the FAQ. I was not aware that it also affects Proxmox.
     
  11. brainsys

    brainsys Active Member

    I would qualify it as a maybe. I'm a single case. It may depend on both the VM & Proxmox network settings. It would seem Proxmox is acting as a sort of unseen proxy. But it is obviously something to try rather than dismiss (as I did as not relevant). So adding it as a possibility may save someone else a few headaches.
     
    Last edited: Jan 16, 2026
