unable to LETSENCRYPT with ISPCONFIG3.2 on UBUNTUPERFECTSERVER20.04 / possible issue with https

Discussion in 'Installation/Configuration' started by FFG28, Mar 10, 2022.

  1. FFG28

    FFG28 Member

    Good Day:

    I have been doing a lot of reading on this issue; here and elsewhere (as we are having trouble as well with creating a cert for a private mail server upgraded to ispconfig 3.2 / new install). And I think our issue could be web related. Wanted to check with the howtoforge community and hopefully have some ideas how to go around it. Let me take the opportunity on congratulating you on your great work in ISPCONFIG and all the support given to the community.

    Our mail server is only reachable by its clients through VPN (company policy). Only SMTP is allowed from outside (Public). All IMAP, and http/https has to be done from the inside (through VPN)

    DNS records are created outside (Public ISP) in the following manner (some comments for clarification as well).

    1. Domain Registar points our domains to our ISP Public DNS
    2. Our ISP provides records for us as follows (any recommendations on DNS configuration will be well received).
    3. server1.mydomain1.com is the server running ISPCONFIG.
    4. We have at the moment two other domains in the same situation as mydomain2.com. (One host, 3 Aliases in total).
    5. MXTOOLBOX shows no errors on DNS.

    Code:
    mydomain1.com
    NAME                        TYPE                     DATA
    default_domainkey      TXT RECORD         DKIM (configured)
    _dmarc                 TXT RECORD         DMARC (configured)
                           TXT RECORD         SPF1 (configured)
    mail                   A RECORD           "mypublicIP"
                           MX RECORD          0 server1.mydomain1.com
                           NS RECORD          "ISP DNS PublicIP"
    
    mydomain2.com
    default_domainkey      TXT RECORD         DKIM (configured)
    _dmarc                 TXT RECORD         DMARC (configured)
                           TXT RECORD         SPF1 (configured)
                           A RECORD.          "External Web Server Public IP"
    www                    CNAME RECORD       "External Web Server FQDN"
                           MX RECORD          10 server1.mydomain1.com
                           NS RECORD          "ISP DNS PublicIP"
    
    During ISPCONFIG configuration I get the following (I see that the challenge is only done by HTTP-01, but I understand that the LETSENCRYPT provides other methods as well ). This to me would seem to be the issue:

    Code:
    Checking / creating certificate for server1.mydomain1.com
    Using certificate path /etc/letsencrypt/live/server1.mydomain1.com
    Server's public ip(s) ("mypublicIP") not found in A/AAAA records for server1.mydomain1.com: "myprivateIP"
    Ignore DNS check and continue to request certificate? (y,n) [n]: y
    
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for server1.mydomain1.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain server1.mydomain1.com
    http-01 challenge for server1.mydomain1.com
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    
    Initially (when I didn't noticed the challenge method used, I did try to create a new cert by force update of ISPCONFIG, but prior to that, I followed this tutorial (because we have other domains different from the host domain).

    https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

    This did not work, but then I believe that we would have to open http communication with the server from outside which would be an issue.

    Your comments are appreciated.

    Cheers

    LFE
     
  2. Rockey75

    Rockey75 New Member

    The challenge fails because the port is in use. You have to stop the service, issue the cert, then restart
     
    FFG28 likes this.
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  4. FFG28

    FFG28 Member

    Thank you. Could you be more specific on the mentioned service
     
  5. Rockey75

    Rockey75 New Member

    Code:
    sudo service httpd stop
    or
    Code:
    sudo service apache2 stop
     
    FFG28 likes this.
  6. FFG28

    FFG28 Member

    Thank You for the reference. Did checked it, Although I’m not sure if it would help me with the VPN issue

    from letsencrypt community

    https://community.letsencrypt.org/t/http-01-challenge-fail/147751/1

    From Osiris (community leader)
    comments are appreciated

    cheers
     
  7. FFG28

    FFG28 Member

    I will try this abs come back with comments
     
  8. FFG28

    FFG28 Member

    Just as follow up. Im getting this error with ISPCONFIG during force update

    Code:
    PHP Warning:  symlink(): No such file or directory in /tmp/update_runner.sh.oMoyO29EPl/install/lib/installer_base.lib.php on line 3215
    PHP Warning:  symlink(): No such file or directory in /tmp/update_runner.sh.oMoyO29EPl/install/lib/installer_base.lib.php on line 3216
    But I think is related to a miss procedure I did applying this:

    https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

    Regarding suggested procedure, I did try stoping the service (both suggested scenarios -apache2 and http - in separate occasions while force updating). Neither worked.

    Please advise

    Cheers
     
  9. Rockey75

    Rockey75 New Member

    You shouldn't need to run the ISPConfig installer again -- just run certbot with the services disabled
    Code:
    certbot --apache
     
    FFG28 likes this.
  10. FFG28

    FFG28 Member

    Question:
    As a possible procedure how would you have approach this. Install first with errors (no challenge)

    then stop service and run certbot. ?
     
  11. Rockey75

    Rockey75 New Member

    Yup
    I'm also assuming you have the correct ports open. Assuming (again) you followed the Perfect Server Setup, with ufw
    Code:
    sudo ufw status verbose
    Ensure ports 80 & 443 are enabled
     
    FFG28 likes this.
  12. FFG28

    FFG28 Member

    ok. any comments regarding the three domain aliases.

    should I still follow this

    https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

    Being
    1. First Complete Perfect Server Install (no challenge)
    2. Stop services and run certbot
    3. Follow procedures in url https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

    Please advise

    Cheers
     
  13. Rockey75

    Rockey75 New Member

    You can run certbot multiple times to setup for each domain, or if its multiple websites hosted through ISPConfig, you can just check the box to set up SSL when configuring the website settings.
     
    FFG28 likes this.
  14. FFG28

    FFG28 Member

    just for the sake of it, I did a clean install.

    Went through the error and finished installing. Right away followed the procedure (stop apache2 only) and followed with the certbot command:

    Code:
    sudo certbot --apache
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    The requested apache plugin does not appear to be installed
    Please advise.

    Cheers
     
  15. Rockey75

    Rockey75 New Member

    Try
    Code:
    apt install python3-certbot-apache
     
    FFG28 likes this.
  16. FFG28

    FFG28 Member

    Some feedback (Registar is correct / DNS are as expected), so I checked with the above command.

    Please see below

    Code:
    No names were found in your configuration files. Please enter in your domain
    name(s) (comma and/or space separated)  (Enter 'c' to cancel): mydomain1.com server1.mydomain1.com                                   
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for mydomain1.com
    http-01 challenge for server1.mydomain1.com
    Waiting for verification...
    Challenge failed for domain mydomain1.com
    Challenge failed for domain server1.mydomain1.com
    http-01 challenge for mydomain1.com
    http-01 challenge for server1.mydomain1.com
    Cleaning up challenges
    Some challenges have failed.
    
    IMPORTANT NOTES:
     - The following errors were reported by the server:
    
       Domain: mydomain1.com
       Type:   unauthorized
       Detail: Invalid response from
       http://mydomain1.com/.well-known/acme-challenge/....
       ["ExternalWebServerIP"]: 403
    
       To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address.
     - The following errors were reported by the server:
    
       Domain: server1.mydomain1.com
       Type:   connection
       Detail: Fetching
       http://server1.mydomain1.com/.well-known/acme-challenge/....
       Error getting validation data
    
    To fix these errors, please make sure that your domain name was
       entered correctly and the DNS A/AAAA record(s) for that domain
       contain(s) the right IP address. Additionally, please check that
       your computer has a publicly routable IP address and that no
       firewalls are preventing the server from communicating with the
       client. If you're using the webroot plugin, you should also verify
       that you are serving files from the webroot path you provided.
    
    The way I see it:
    DNS configuration issue for ALIAS domains (needs to be fixed) and FIREWALL (ROUTER) issue for host mail server (I need to see how this will be fixed. Certificate Renewing will be an issue / VPN).

    In any case, It does not appear to be a problem with ISPCONFIG or LETSENCRYPT

    Thank you Rockey75, this was helpful.

    Cheers
     
    Last edited: Mar 11, 2022
  17. FFG28

    FFG28 Member

    After some tinkering I did achieve some things:

    1. I opened my Firewall just for the test of trying to get the certificate (Forward on port 80)
    2. Stoped apache2 service and run the certbot
    3. Successfully got my certificate with challenge HTTP-01 (No errors / felt awesome :))
    4. Restarted apache2 service
    5. I confirmed having the certicate files in:

    /etc/letsencrypt/live/server1.mydomain1.com/fullchain.pem
    /etc/letsencrypt/live/server1.mydomain1.com/privkey.pem

    5. Closed the ports again (FIREWALL)
    6. ISPCONFIG still not using new certificate for control panel (HTTPS) or mail

    Am I missing something....

    I did try checking with SSLCHECKER - but because I closed the port to the public again, I get an error; but that I expected as it does on 443.

    Do take note that my mail domains are different from the host domain

    The way I achieve this, is by having the ISPCONFIG host (which is the e-mail server) having an A record pointing to its own public IP. The other domains (as in different domains) point to an MX Record (that goes to the ISPCONFIG mail server). I do have A records as well for this "other domains" but they point to an external web server. We don't host web at our site.

    Hope I could explain myself and looking forward to comments.

    Please advise.

    Cheers
     
    Last edited: Mar 12, 2022
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Port 80 must be permanently open, otherwise, renewal of the SSL cert will fail.

    That's a prerequisite for let's encrypt certs anyway, see let's encrypt error FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    That's because you did not use the ISPConfig updater to get that cert. Creating it manually will not include the cert into your system's configuration. You must run an ISPConfig update with --force option and let ISPConfig create a new SSL cert for the system, and take care that port 80 is open this time.
     
    FFG28 likes this.
  19. FFG28

    FFG28 Member

    good day Till

    I tried your suggested method (ISP config force update) but during force update I get a message that the certificate is not yet due for renew so it doesn’t renew it.

    It! Also shows a simlink warning

    systems is still using self signed

    please advise

    cheers
     
    Last edited: Mar 12, 2022
  20. ahrasis

    ahrasis Well-Known Member

    To me the right way is to fully delete the already created LE certs first because the renewal conf is different when created with ISPConfig installer but to fix the symlink issue you mentioned is to use git stable as there is a new fix for it in there that is not yet available in stable version.

    However be clear that using git stable won't fix renewal conf for the LE certs already obtained manually, thus the deletion of the already created LE certs first is still necessary to me.

    The renewal conf for the LE certs created by ISPConfig has pre and post hook that will autimatically recreate the needed ispserver.pem file for the server and restart all necessary services upon renewal thus it is vital for its config to be correct in any ISPConfig server.

    Manually fixing the renewal conf file is possible but not advisable.
     
    Last edited: Mar 13, 2022
    FFG28 likes this.

Share This Page