Hello, all! I have a problem installing an SSL certificate on an ISPConfig site. Checking the SSL and Let's Encrypt SSL checkboxes does not work. I obtained certs via certbot and added them manually in the SSL tab in the site configuration, but that is not working either. I observed that ISPConfig is not adding the <VirtualHost myip:443> directive in mysite.vhost. It somehow fails. How can I debug that? Any suggestions would be much appreciated. Thanks
https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
Thank you till as always! Well, I set the debugging level of the logs and I got this error:
Code:
"You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages."
Now, how do I update it? Also, I have a newer version of certbot installed under /opt/certbot/. Can I tell ISPConfig to use that one?
ISPConfig uses the one from opt automatically. But maybe you have a second one installed in a system directory. If that's the case, remove the old copy. But normally the above message is not causing any issues, so the problem you have is most likely not related to this message.
To get the reason for your problem, enable debug log level in ispconfig as described in the faqforge article, comment out the ispconfig root cronjob, enable the ssl and lets encrypt checkbox and run the server.sh script as root user on the shell and post the output. It will show the details why SSL could not be enabled with Let's encrypt for that website.
I guess I found the issue:
Code:
2019-03-01 18:20:02,777:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 1234, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 605, in _init_le_client
    acc, acme = _determine_account(config)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 513, in _determine_account
    acc = display_ops.choose_account(accounts)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/display/ops.py", line 86, in choose_account
    "Please choose an account", labels, force_interactive=True)
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/display/util.py", line 507, in menu
    self._interaction_fail(message, cli_flag, "Choices: " + repr(choices))
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/display/util.py", line 469, in _interaction_fail
    raise errors.MissingCommandlineFlag(msg)
MissingCommandlineFlag: Missing command line flag or config entry for this setting: Please choose an account
Choices: ['mysite.com@2018-08-29T09:40:16Z (d3sd3)', 'mysite.com@2017-05-10T12:23:42Z (32asf3)']
I somehow have 2 LE accounts and the script has no instruction to choose one. Is it safe to remove the old one? Or is there another option to fix that?
Yes, you have to remove one of the accounts. Remove the one that is not in use, if you used both accounts, then you will have to modify the renewal config files of the ssl certs manually to just use one account before you delete the other one. Otherwise renewals will fail for certs that use the removed account.
So, I removed one of the 2 accounts and solved the problem with getting the certs from letsencrypt. Now I'm facing another problem, regarding setting the cert for a subdomain.

What I have:
- a domain example.com and a subdomain sub.example.com
- I created the subdomain as a new domain with sub.example.com filled in the "domain" field
- In DNS records I added A records for sub.example.com and www.sub.example.com
- No problems with reaching the domain and subdomain
- Set the debug level for the server

The letsencrypt log says: Congratulations! Your certificate and chain have been saved

The only problem is that ISPConfig does not trigger editing the sub.example.com.conf and it is missing the <VirtualHost myip:443> section. What could be the problem? Thanks
Maybe this could clarify my situation a bit:
- I successfully set the cert for example.com
- I successfully set the cert for subdomain first.example.com
- I can not set the cert for subdomain second.example.com

This is the output of the server.sh script for example.com:
Code:
20.03.2019-09:07 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
20.03.2019-09:07 - DEBUG - Found 1 changes, starting update process.
20.03.2019-09:07 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
20.03.2019-09:07 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
20.03.2019-09:07 - DEBUG - Create Let's Encrypt SSL Cert for: example.com
20.03.2019-09:07 - DEBUG - Let's Encrypt SSL Cert domains: --domains example.com --domains www.example.com
20.03.2019-09:07 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains example.com --domains www.example.com --webroot-path /usr/local/ispconfig/interface/acme
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for example.com
http-01 challenge for www.example.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Cleaning up challenges
20.03.2019-09:07 - DEBUG - Let's Encrypt Cert config path is: /etc/letsencrypt/renewal/example.com.conf.
20.03.2019-09:07 - DEBUG - Let's Encrypt Cert file: /etc/letsencrypt/live/example.com/fullchain.pem exists.
20.03.2019-09:07 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web22/.php-fcgi-starter
20.03.2019-09:07 - DEBUG - Enable SSL for: example.com
20.03.2019-09:07 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/example.com.vhost
20.03.2019-09:07 - DEBUG - Apache status is: running
20.03.2019-09:07 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
20.03.2019-09:07 - DEBUG - Restarting httpd: systemctl restart apache2.service
20.03.2019-09:07 - DEBUG - Apache restart return value is: 0
20.03.2019-09:07 - DEBUG - Apache online status after restart is: running
20.03.2019-09:07 - DEBUG - Processed datalog_id 2858
20.03.2019-09:07 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished.

The output for first.example.com is quite the same.

This is the output of the server.sh script for subdomain second.example.com:
Code:
20.03.2019-09:34 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
20.03.2019-09:34 - DEBUG - Found 1 changes, starting update process.
20.03.2019-09:34 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
20.03.2019-09:34 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
20.03.2019-09:34 - DEBUG - Create Let's Encrypt SSL Cert for: second.example.com
20.03.2019-09:34 - DEBUG - Let's Encrypt SSL Cert domains: --domains second.example.com --domains www.second.example.com
20.03.2019-09:34 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains second.example.com --domains www.second.example.com --webroot-path /usr/local/ispconfig/interface/acme
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
20.03.2019-09:34 - DEBUG - Let's Encrypt Cert file: does not exist.
20.03.2019-09:34 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web153/.php-fcgi-starter
20.03.2019-09:34 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/second.example.com.vhost
20.03.2019-09:34 - DEBUG - Apache status is: running
20.03.2019-09:34 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
20.03.2019-09:34 - DEBUG - Restarting httpd: systemctl restart apache2.service
20.03.2019-09:34 - DEBUG - Apache restart return value is: 0
20.03.2019-09:34 - DEBUG - Apache online status after restart is: running
20.03.2019-09:34 - DEBUG - Processed datalog_id 2863
20.03.2019-09:34 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished.

The first script knows the location for the Let's Encrypt Cert config and the Let's Encrypt Cert file, while the second script prompts "Let's Encrypt Cert file: does not exist." This is what I dug up so far.
Before execution, the directories /etc/letsencrypt/{archive,live,renew}/{example.com,second.example.com} were clean. Maybe I should remove specific pems from the keys and csr directories also, but, as those files do not contain the site name in their file name, I just can't. Also, letsencrypt.log does not show any errors.
Check if the renewal config file for the second ssl cert in /etc/letsencrypt/renewal/.... contains the second domain name after webroot map in the same way the domains are listed in the first cert renewal file.
Add them in the same way they exist for the other cert, then enable the letsencrypt checkbox again and it should stay active. Certbot seems to miss adding this sometimes on some servers, we were not able to reproduce that on any of our servers yet but added some code in git-stable which hopefully works around this new issue in certbot.
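Two checks from this thread in one place: whether every domain the cert was requested for has a [[webroot_map]] entry in its renewal config (the fix just described), and which ACME account a renewal config is bound to (what to look at before deleting a duplicate account, as advised earlier in the thread). This is an added example with a hand-written parser, not code from certbot, ISPConfig or the thread; the sample config and its account id are constructed.

```python
"""Added example (not certbot's or ISPConfig's code): inspect a certbot renewal
config for a domain missing from [[webroot_map]] and for the ACME account it
is bound to, the two checks discussed in this thread."""
import re

# Matches "[renewalparams]" and "[[webroot_map]]"; nesting depth is flattened.
SECTION_RE = re.compile(r"^\[+\s*([^\[\]]+?)\s*\]+$")


def parse_renewal_conf(text):
    """Parse certbot's configobj-style renewal file into {section: {key: value}};
    keys that appear before the first section header land under ''."""
    sections = {"": {}}
    current = sections[""]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = SECTION_RE.match(line)
        if match:
            current = sections.setdefault(match.group(1), {})
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def missing_webroot_domains(conf, domains):
    """Domains from the --domains list that have no [[webroot_map]] entry;
    renewal has no webroot for their http-01 challenge and will fail."""
    webroot_map = conf.get("webroot_map", {})
    return [d for d in domains if d not in webroot_map]


def account_id(conf):
    """ACME account id under [renewalparams], or None if absent."""
    return conf.get("renewalparams", {}).get("account")


# Constructed sample shaped like /etc/letsencrypt/renewal/<domain>.conf; the
# account id is a placeholder and www.second.example.com is deliberately
# absent from [[webroot_map]].
SAMPLE_CONF = """\
version = 0.31.0
fullchain = /etc/letsencrypt/live/second.example.com/fullchain.pem
# Options used in the renewal process
[renewalparams]
account = 32asf3
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
[[webroot_map]]
second.example.com = /usr/local/ispconfig/interface/acme
"""
```

Running `missing_webroot_domains(parse_renewal_conf(SAMPLE_CONF), ["second.example.com", "www.second.example.com"])` returns the one name that has to be added under [[webroot_map]].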
I'm having a similar problem and sorry (Till & Z3roh0ur), it appears related so I'm posting into this thread. I am not an expert so please excuse my inaccuracies. (Also, as I am new to posting I am barred from posting links until {For this Forum, before you can create content with links, you must first meet the minimum requirements The number of posts you have created must exceed: 2 (Yours: 0) The number of Likes you've received must exceed: -1 (Yours: 0) The Likeost Ratio must exceed: -1% (Yours: 0%) The number of days you have been registered must exceed: -1 (Yours: 0)}, so links are modified with spaces and with a ! instead of a .)

My current website setup is from: The Perfect Server - Ubuntu 14.04 (Apache2, PHP, MySQL, PureFTPD, BIND, Dovecot, ISPConfig 3) and is working perfectly from the same IP. Now very old and requires updating, has no SSL. During the following, all open ports were redirected to the new internal IP address.

I followed: How to Install Ubuntu 18.04 LTS (Bionic Beaver) Minimal Server ht tps://w ww!howtoforge!com/tutorial/ubuntu-lts-minimal-server/

I installed ISPConfig using: The Perfect Server - Ubuntu 18.04 (Nginx, MySQL, PHP, Postfix, BIND, Dovecot, Pure-FTPD and ISPConfig 3.1)

I set up user, site, DNS and FTP; all worked and tested to (virtual server) w ww!whatever!com!au (from physical server w ww!whateverhost!com!au). So http worked perfectly. I tried to tick the SSL and LetsEncrypt checkboxes, waited for the red light to go away. Browsing to ht tps://w ww!whatever!com!au gave an error. I checked DNS etc.; the check boxes for the site, both SSL and LetsEncrypt, were unchecked. (Tried again 2x)

I started again from scratch in case I missed anything. This time with Apache (in case Nginx was a problem): ht tps://w ww!howtoforge!com/tutorial/perfect-server-ubuntu-18.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/ With the same results as above.

I started again: ht tps://w ww!howtoforge!com/tutorial/perfect-server-ubuntu-18.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/ This time using the ISPConfig autoinstaller and setup from ht tps://github!com/servisys/ispconfig_setup (to speed things up and reduce potential typing errors). With the same results after trying to enable SSL and LetsEncrypt: no SSL site.

So I updated this installation with ispconfig_update.sh to the Dev version (as I notice lots of LetsEncrypt changes in GitHub). Ticked the SSL checkbox, awaited the update, then ticked LetsEncrypt, awaited the update. This time the SSL box remained ticked but the LetsEncrypt checkbox did not. The error from Firefox is like "RX certificate too long/big" and Firefox denies access to the ht tps://w ww.whatever!com!au site; w ww!whatever!com!au worked fine.

There is a new DNS entry that did not appear before in the above prior to the Dev version update (that I can remember): CAA w ww!whatever!com!au 0 issue "letsencrypt!org" 3600

I cannot see any entries being created in the /etc/letsencrypt/live/ directory for any website. I assume it's still trying to use my self-generated certificate and generates this SSL error in Firefox. I'm guessing that the SSL entries for the Apache virtual server are not being populated in /etc/apache2/sites-enabled for this website, and that the certificates are not being created (or at least not put in the /etc/letsencrypt/live/... directory), and also that autorenewal probably isn't being set up as well. I can manually create these certificates into /etc/letsencrypt/live/ using certbot on the command line, so it's installed and functional.

I would encourage you to try a new install to replicate the issue (it takes only 30min from scratch using the script above on a fresh Ubuntu server). I notice from Z3r0h0ur's post of 21 Mar that in his debug output it is "letsencrypt certonly -n......", but my install is using certbot. I will try the Debug thing as mentioned tonight.
Any ideas so far that would help are welcomed.
@MarkMarkMark See here to find out why the cert was not issued, I posted the link already above: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ You did not post the ISPConfig debug log which shows why you did not get a LE cert. This breaks the site, so you will not be able to use ISPConfig to manage that site anymore and you will not be able to use LE with ISPConfig for that domain anymore, so further debugging with that domain is useless on this setup unless you wipe out the site and all remnants of this cert in /etc/letsencrypt.
Adding those missing lines after [[webroot_map]] fixed my problem. I can now manage certs from ISPconfig. Waiting for a new update from certbot. Thanks @till a lot! )
@MarkMarkMark, can you clarify/confirm here: you are running the latest Dev version (git-stable), and the domain was still not added to [[webroot_map]]? There is a fix for that issue in the latest git-stable, but per @till's comment yesterday the devs were not able to reproduce the issue, so perhaps the fix does not work.
The fix will not re-add the lines, it just uses additional parameters which will hopefully persuade certbot to add the lines on all systems again, so if the cert was created before the git-stable update was made, then it will have no effect on this cert. So it really matters which version was installed when and when the cert was created the first time.
Thank you for the suggestions, I will have to leave this thread until I get a new modem and confirm this. Why? It appears that this modem and its custom firmware set up by my ISP might be answering port 80 and 443 (ssl) on behalf of my network, I guess like a proxy in the way that it forwards ports. (I'm not a techie, so my apologies if I've used the wrong terms.) The modem is a HUAWEI Home Gateway HG659. I guess this is so they can remotely set up and update firmware for newbies (maybe even access the network!!).

Your connection is not secure
The owner of w ww.whatever!com.au has configured their website improperly. To protect your information from being stolen, Firefox has not connected to this website.
Learn more… Report errors like this to help Mozilla identify and block malicious sites
w ww!whatever!com!au uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate is only valid for the following names: mediarouter.home, mediarouter1.home, mediarouter2.home, mediarouter3.home
Error code: SEC_ERROR_UNKNOWN_ISSUER

It was helped by a post here: ht tps://community!tpg!com!au/t5/Modems-and-Devices/How-do-I-upgrade-firmware-on-Huawei-HG659/td-p/7046/page/17

I will get back to this thread and confirm this later. Again, thank you for your help on this, what appears to be an issue unrelated to the original thread. My apologies to Till and Z3r0h0ur for polluting this thread, I hope that it helps someone else one day. Mark.
Getting back to this thread. (An interesting side note is that the ISP fixed this issue recently for the Huawei modem for someone else in the forums without a firmware update, or explanation of how or why, magic...) Replacing the modem with a Fritz!box and disabling the media centre got ISPConfig 3 to issue and retain SSL for all 4 websites.

On a small note however, in ISPConfig 3 under SYSTEM: Server settings, I notice that the server IP address is incorrect (0.0.0.0) and the DNS appears to be set to 8.8.8.8. Should these not have been gathered from /etc/netplan/01-netcfg.yaml when I set a static IP? As I use 1.1.1.1 and 1.0.0.1 and used them in the minimal server tut. (I did use the setup script listed above from ht tps://github!com/servisys/ispconfig_setup, but do not see how this would have mattered.) MarkMarkMark