SSL working for one website, but not the others...

Discussion in 'Installation/Configuration' started by Fazzax, Nov 13, 2018.

  1. Fazzax

    Fazzax New Member

    Hi everyone,

    I just added 3 websites on ispconfig 3.1 dev (prod.domain.com, test.domain.com and mail.domain.com). As I need to separate each of them, they're created as websites, with one ssh jailed user each.

    I issued the certifications through Let's Encrypt for the domain through:

    Code:
    letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
    
    service apache2 restart
    
    and have no problem for domain.com, www.domain.com (subdomain) and server1.domain.com (server).
    Regarding the new ones, it's working perfectly fine for prod.domain.com, but the certificates for test.domain.com and mail.domain.com are shown as not valid :
    13.11.2018-22:17 - WARNING - Let's Encrypt SSL Cert for: test.domain.com could not be issued)

    I created the 3 websites with exactly the same configuration...

    Any ideas of how to fix it?
    Thanks a lot,
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is test.domain.com in DNS? Did you disable the www auto subdomain? If those don't find the issue, refer to the letsencrypt faq here in the forums for further troubleshooting.
     
  3. Fazzax

    Fazzax New Member

    Hi,

    Thanks for the reply.
    Yes, test.domain.com is in DNS (same syntax as prod.domain.com), and www auto subdomain is disabled.

    I checked, when I actually go to https://test.domain.com it's:
    - actually working even though I unchecked SSL and deleted it through the ssl tab
    - showing an invalid certificate in the tab (common name being domain.com and subject alternative name domain.com and www.domain.com)

    It's the exact same for mail.domain.com
    I checked the test and mail vhosts, no 443. I guess the SSL is enabled and looking at the wrong cert because of the domain.com.vhost.

    Would you know how to remove the certs neatly and issue them again? Any ideas of what's happening?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Please see here to find out why the certs could not be issued: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    If your server is behind a router and the router blocks access to the domains from within the network, then you have to disable the LE check in ispconfig as the check is blocked by the router then and the cert will not be issued.
     
  5. Fazzax

    Fazzax New Member

    Hi,

    I did the following checks:
    - Check that you have Let’s Encrypt installed.
    =>Yes
    - When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
    =>Not behind a router
    - Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
    =>checked, everything is fine
    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected.
    =>Apache/2.4.25 (Debian)
    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update and choose to reconfigure services in that case.
    =>Did a fresh install

    I've checked the letsencrypt logs, and no error appears in it.
    I followed the instructions to enter ISPConfig debug mode. I resynced everything, and it's stuck on 35 tasks to populate (nothing has changed for the last 15 minutes).

    Should I reboot?
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you activate the root cronjob again after you finished debugging?

    and see post #4
     
  7. Fazzax

    Fazzax New Member

  8. Fazzax

    Fazzax New Member

    Ok, found the solution...

    I actually added a proxy before requesting the certs...
    Removed the directives, requested certs, added the directives and everything's fine!

    Thanks for the help
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to exclude the acme well-known url from being sent to your proxy, otherwise, the LE renewal will fail in 3 months.
     
  10. Fazzax

    Fazzax New Member

    Right! Thanks Till,

    added ProxyPass /.well-known/ ! before the proxy directives
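
The ordering point from posts #9 and #10, as an added example that is not part of the original thread: a static check that the `/.well-known/` exclusion comes before any ProxyPass rule covering the ACME challenge URL. The function name `acme_path_is_local`, the file names and the `127.0.0.1:8080` backend are assumptions made up for the demonstration.

```shell
#!/bin/sh
# Added example: checks that /.well-known/ is excluded before any ProxyPass
# rule that would cover the ACME challenge URL. Apache uses the first
# matching ProxyPass rule in configuration order.
# Assumption: only the "ProxyPass <path> <target>" form is handled.

CHALLENGE="/.well-known/acme-challenge/constructed-token"

# Returns 0 if the challenge URL stays local, 1 if it would be proxied.
acme_path_is_local() {
    awk -v url="$CHALLENGE" '
        tolower($1) == "proxypass" && index(url, $2) == 1 {
            proxied = ($3 != "!")   # first rule whose path prefixes the URL decides
            exit
        }
        END { exit proxied + 0 }
    ' "$1"
}

demo_dir=$(mktemp -d)

# Constructed sample: proxy directives without the exclusion.
cat > "$demo_dir/before.conf" <<'EOF'
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
EOF

# Constructed sample: exclusion placed before the proxy directives.
cat > "$demo_dir/after.conf" <<'EOF'
ProxyPass /.well-known/ !
ProxyPass / http://127.0.0.1:8080/
ProxyPassReverse / http://127.0.0.1:8080/
EOF

# Constructed sample: exclusion placed after the catch-all, so it never applies.
cat > "$demo_dir/late.conf" <<'EOF'
ProxyPass / http://127.0.0.1:8080/
ProxyPass /.well-known/ !
EOF

for name in before after late; do
    if acme_path_is_local "$demo_dir/$name.conf"; then
        echo "$name.conf: challenge path served locally"
    else
        echo "$name.conf: challenge path would be proxied"
    fi
done
```

Running the same function against a site's real directives before a renewal is due shows whether the webroot challenge will still reach the local document root.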
     
