SSL Cert Common Name mismatch for sub domains

Discussion in 'Installation/Configuration' started by tilman, Apr 19, 2024.

  1. tilman

    tilman Member HowtoForge Supporter

    Hi,
    Besides a domain itself, I've created several sub domains including (own) Let's Encrypt certs, but the generated certificates are all using the FQDN of the server (not the domain) as CN.
    This always leads to an error, when opening the sites in web browsers.
    Did I miss something in the configuration?

    Thks.
    Tilman
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. tilman

    tilman Member HowtoForge Supporter

    Yeah, I already read this. I checked the acme log file and could not find any entry related to the sub domains.
    Then I disabled SSL for one of these sites and, after ISPConfig did its work, re-enabled it.
    Still nothing in the acme log. Anything else to do in advance to force generation of the cert?

    BTW, FYI: There's one site without any sub-domains which has a proper cert.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The FAQ contains instructions on what you must do when you cannot find the reason for the issue on your own, see last part of the FAQ. Please follow these instructions and post the information that is requested there here in the thread.
     
  5. tilman

    tilman Member HowtoForge Supporter

    Ok, running server.sh from the command line did not show anything.
    I ran acme.sh manually and got some output (acme_sh_console_log.txt, attached).

    From my POV, there are two problems:
    1. acme tries to access a folder called "/var/www/client0". AFAIK, client numbering starts at 1?!
    Line 47 and line 77 in the log

    2. While verifying "sub.domain.tld", there is an error thrown. Might have to do something with DNS setup, but I am totally unsure, what the problem could be.
    Line 94
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    From zero.
    Which of the directories in that path do not exist? Or do they exist, but with wrong owner or permissions?
    The Let's Encrypt FAQ has a procedure you follow, then you find what works and what does not work. Can you access with a browser that website that fails with Let's Encrypt? Does the IP from DNS point to the server with the website?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Then you missed enabling debug mode. Also, the indication for many errors is that something specific does not show up; that's why you must post the server.sh output, as we know how it has to look and you likely don't. And do not run acme.sh manually, it cannot result in a working cert and might further damage your system.

    Back on topic, post the requested server.sh output that you get after enabling debug mode and enabling the SSL and Let's Encrypt checkboxes of the website again.
     
  8. tilman

    tilman Member HowtoForge Supporter

    Both yes.
    But maybe I've found a problem in the DNS.
    sub.domain.tld is set up as a CNAME of www.domain.tld and not as an A record.
    I'll change this and will come back on this issue ASAP.
     
    Last edited: Apr 20, 2024
  9. tilman

    tilman Member HowtoForge Supporter

    Ok, thanks a lot. One hint in the log is
    "WARNING - Could not verify domain sub.domain.tld, so excluding it from letsencrypt request."
    Please look at my answer to Taleman's post above. Might be, this could be the problem.
     
    Last edited: Apr 20, 2024
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    This indicates that either the DNS record is wrong so that the subdomain does not point to your server or that your system is behind a NAT router and you must enable the checkbox "Skip let's encrypt check" (as mentioned in the FAQ) because your router blocks access to the domain from within the internal network.
     
  11. tilman

    tilman Member HowtoForge Supporter

    Enabling the checkbox "Skip let's encrypt check" did not affect this behavior (already tested before).
    FYI: The system is a root server @ Hetzner, so there is no NAT router present.
    I changed the zone file for the server a while ago, but ISPConfig is still providing "old" DNS info, because it's contacting only localhost for DNS requests (why?).
    I have no DNS zone set up in ISPConfig nor a running DNS server, and the nameservers are pointing to 8.8.8.8 and another common one.
    If i check the sub.domain.tld (e.g.) from elsewhere, the name resolution works as expected with current DNS info.
     
  12. tilman

    tilman Member HowtoForge Supporter

    Still pending Q:
    Why is ISPConfig accessing the empty folder "/var/www/clients/client0", which, BTW from my POV, should not exist?
     
  13. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The first client ISPConfig created is group client0. Did you perhaps remove that client?
    Have you removed websites, but acme.sh still tries to renew that domain certificate?
    Why exactly should it not exist?
     
  14. tilman

    tilman Member HowtoForge Supporter

    Hmm, I cannot remember that I did it.

    No. And if I had, ISPConfig should have removed them from the SSL/Certs list.

    On none of my servers running ISPConfig have I seen a Client 0, and a Client ID of '0' looks a bit odd, but this is a bit out of scope now. Let's focus on the main issue.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is never providing any DNS info. ISPConfig is a hosting control panel and not a DNS server; it is not even capable of providing DNS info of any kind. DNS is handled by BIND or the name resolver you installed, ISPConfig is not involved in that at all. Besides that, when "Skip let's encrypt check" is enabled, then the local DNS info does not even matter as the correct resolving is not tested then, but this has the drawback that if any domain or subdomain in the cert fails, it will fail for all domains, as LE will not issue a cert for any domain in that cert in that case. That's why the LE check exists, so ISPConfig is able to selectively remove domains from the cert that do not point to your server.

    So there is no DNS info provided by your server then, unless you added that zone manually in your /etc/hosts file.

    This is the folder of the system administrator account, and I have no idea why you claim ISPConfig is accessing it.

    No, ISPConfig can not know if you use a SSL cert somewhere else and will not remove it on its own.

    As mentioned above, client0 is the administrator account of your server and any system that has or had a site assigned to the admin has this folder. So, nothing strange or odd here.

    The main problem is that you refuse to post the requested complete server.sh output, and I cannot further help you until you provide the requested info.
     
  16. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    I assume your browser displayed a warning that the certificate is not valid for that domain.
    My question would be, did you accept the warning and continued browsing?
    Is the content being delivered via https with the warning the same as with http, aka the expected content for that domain?

    Also maybe things can be easier for everyone, you removed the domains from the log but left the cert ids in place.
    https://crt.sh/?id=12776795039 no need to hide things

    Does the Setup involve multiple IP? Multiple Server? * wildcard for domains mixed with IP?
     
    Last edited: Apr 21, 2024
  17. tilman

    tilman Member HowtoForge Supporter

    Ok, Till, let's solve the main problem, even if I don't think that it will help.
    Please find the log attached. As mentioned before, from my POV, it looks like a DNS misconfiguration.
    FYI only: Today, I had to restore an earlier snapshot of the server, because the system was totally crippled regarding the DNS config. Yup, Ok, I tried to install Jitsi-Meet, but this is another task.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, this means that the ISPConfig LE check removed the domain and no LE cert was requested, as a http request made to the subdomain did not end up on this server. This can be a DNS issue indeed, but it can also be another kind of misconfiguration, like a custom made apache or nginx config that reroutes LE requests in a wrong way. Now enable the "Skip let's encrypt check" option under System > server config > web and redo the test and post the result.
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Also run the command:

    dig sub.domain.tld

    and check that the IP that gets returned is in fact the IP of this server.
     
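    The pre-check till describes in post 15 (drop every name that does not resolve to this server, or keep all of them and let one wrong name fail the whole request when the check is skipped) and the `dig` comparison from post 19 can be reproduced offline with the small script below. It is an added example, not ISPConfig's own code; the server IP, domain list and DNS answers are constructed placeholders, and `san_covers` is an extra helper for checking whether a served certificate actually names the host, which is the mismatch the first post reports.

    ```python
    import socket
    from typing import Callable, Dict, List

    # Constructed placeholders standing in for the thread's redacted hosts (not real records).
    SERVER_IP = "203.0.113.10"
    SITE_DOMAINS = ["domain.tld", "www.domain.tld", "sub.domain.tld", "old.domain.tld"]
    FAKE_DNS: Dict[str, List[str]] = {
        "domain.tld": ["203.0.113.10"],
        "www.domain.tld": ["203.0.113.10"],
        "sub.domain.tld": ["198.51.100.7"],   # resolves, but to another host
        "old.domain.tld": [],                 # no A record at all
    }

    def resolve_with(table: Dict[str, List[str]]) -> Callable[[str], List[str]]:
        """Offline resolver backed by a constructed table (use resolve_live for real lookups)."""
        return lambda name: table.get(name.lower().rstrip("."), [])

    def resolve_live(name: str) -> List[str]:
        """Real lookup through the system resolver, i.e. the answer `dig` would show."""
        try:
            return sorted({ai[4][0] for ai in socket.getaddrinfo(name, 443, socket.AF_INET)})
        except socket.gaierror:
            return []

    def le_precheck(domains, server_ip, resolve, skip_check=False):
        """Keep only names that resolve to this server; return the rest with their IPs.
        With skip_check every name is kept, so a single wrong name would make the CA
        reject the whole certificate instead of that name being dropped."""
        if skip_check:
            return list(domains), []
        kept, excluded = [], []
        for name in domains:
            ips = resolve(name)
            if server_ip in ips:
                kept.append(name)
            else:
                excluded.append((name, ips))
        return kept, excluded

    def san_covers(hostname: str, sans: List[str]) -> bool:
        """True if a certificate's SAN list covers hostname (exact or one-label wildcard).
        A cert whose only name is the server FQDN, as in the first post, returns False."""
        host = hostname.lower().rstrip(".")
        for san in (s.lower() for s in sans):
            if san == host:
                return True
            tail = san[1:]  # "*.domain.tld" -> ".domain.tld"
            if san.startswith("*.") and host.endswith(tail) and "." not in host[: -len(tail)]:
                return True
        return False

    if __name__ == "__main__":
        kept, excluded = le_precheck(SITE_DOMAINS, SERVER_IP, resolve_with(FAKE_DNS))
        print("kept:", kept)
        for name, ips in excluded:
            print(f"WARNING - Could not verify domain {name} (resolved to {ips or 'nothing'})")
    ```

    Swap `resolve_with(FAKE_DNS)` for `resolve_live` and the constructed IP for the real server address to run it against a live zone; the excluded list is what should match the "Could not verify domain" warnings in the log.
    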
  20. tilman

    tilman Member HowtoForge Supporter

    Here we go. Pls. find the logs attached.
     