Hi everyone,

I just added 3 websites on ISPConfig 3.1 dev (prod.domain.com, test.domain.com and mail.domain.com). As I need to separate each of them, they're created as websites, with one SSH jailed user each. I issued the certifications through Let's Encrypt for the domain through:

Code:

    # Request a certificate for the server hostname via the webroot authenticator
    letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    # Keep timestamped backups of the existing ISPConfig interface certificate files
    for ext in csr key.secure key crt; do
        if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi
    done
    # Point the interface at the Let's Encrypt key and certificate chain
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
    service apache2 restart

and have no problem for domain.com, www.domain.com (subdomain) and server1.domain.com (server).

Regarding the new ones, it's working perfectly fine for prod.domain.com, but the certificates for test.domain.com and mail.domain.com are shown as not valid:

    13.11.2018-22:17 - WARNING - Let's Encrypt SSL Cert for: test.domain.com could not be issued)

I created the 3 websites with exactly the same configuration... Any ideas of how to fix it?

Thanks a lot,
Is test.domain.com in DNS? Did you disable the www auto subdomain? If those don't find the issue, refer to the letsencrypt faq here in the forums for further troubleshooting.
Hi, thanks for the reply.

Yes, test.domain.com is in DNS (same syntax as prod.domain.com), and www auto subdomain is disabled.

I checked, when I actually go to https://test.domain.com it's:

- actually working even though I unchecked SSL and deleted it through the SSL tab
- showing an invalid certificate in the tab (common name being domain.com and subject alternative name domain.com and www.domain.com)

It's the exact same for mail.domain.com.

I checked the test and mail vhosts, no 443. I guess the SSL is enabled and looking at the wrong cert because of the domain.com.vhost.

Would you know how to remove the certs neatly and issue them again? Any ideas of what's happening?
Please see here to find out why the certs could not be issued: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

If your server is behind a router and the router blocks access to the domains from within the network, then you have to disable the LE check in ISPConfig as the check is blocked by the router then and the cert will not be issued.
Hi, I did the following checks:

- Check that you have Let’s Encrypt installed.
  => Yes
- When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
  => Not behind a router
- Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
  => Checked, everything is fine
- If you still use Apache 2.2, then update your ISPConfig to git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on Apache 2.2 systems, newer Apache 2.4 or nginx systems are not affected.
  => Apache/2.4.25 (Debian)
- If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ISPConfig Apache configuration files. Redo the update and choose to reconfigure services in that case.
  => Did a fresh install

I've checked the letsencrypt logs, and no error appears in it.

I followed the instructions to enter ISPConfig debug mode. I resynced everything, and it's stuck on 35 tasks to populate (nothing has changed for the last 15 minutes). Should I reboot?
Whoops! Ok, did it. Managed to have some info:

    14.11.2018-11:16 - DEBUG - exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains test.mydomain.com --webroot-path /usr/local/ispconfig/interface/acme

The only problem I could see: [email protected] which should be [email protected] (not sure it's the real deal though). Any ideas?
Ok, found the solution... I actually added a proxy before requesting the certs... Removed the directives, requested certs, added the directives and everything's fine! Thanks for the help
You have to exclude the acme well-known url from being sent to your proxy, otherwise, the LE renewal will fail in 3 months.
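Added example, not part of the thread or of ISPConfig: a small check that reads a site's Apache directives and reports whether a request to the ACME challenge path would be handed to the proxy backend. It relies on Apache checking `ProxyPass` rules in configuration order with the first match winning, and it only looks at `ProxyPass` lines that carry a path argument; the backend address and the three sample configs are constructed.

```python
import shlex

# Constructed request path, standing in for a real HTTP-01 challenge token URL.
CHALLENGE = "/.well-known/acme-challenge/token"

def first_proxy_match(conf_text, url_path=CHALLENGE):
    """Return (line_number, target) of the first ProxyPass whose path prefix
    matches url_path, or None. A target of "!" means "do not proxy"."""
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        # Directive names are case-insensitive; ProxyPassReverse is not a match rule.
        if parts[0].lower() != "proxypass" or len(parts) < 3:
            continue
        prefix, target = parts[1], parts[2]
        if url_path.startswith(prefix):
            return lineno, target  # first matching rule wins
    return None

def acme_is_proxied(conf_text):
    """True if the challenge path would be sent to a backend."""
    hit = first_proxy_match(conf_text)
    return hit is not None and hit[1] != "!"

# Constructed samples: proxy-everything, exclusion first, exclusion too late.
BROKEN = """
ProxyPreserveHost On
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
"""
FIXED = """
ProxyPreserveHost On
ProxyPass /.well-known/acme-challenge !
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
"""
WRONG_ORDER = """
ProxyPass / http://127.0.0.1:8080/
ProxyPass /.well-known/acme-challenge !
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED), ("WRONG_ORDER", WRONG_ORDER)):
        print(name, "challenge proxied:", acme_is_proxied(conf), first_proxy_match(conf))
```

The `WRONG_ORDER` sample shows why the exclusion has to sit above the catch-all rule: placed after it, the exclusion is never reached.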