unable to LETSENCRYPT with ISPCONFIG3.2 on UBUNTUPERFECTSERVER20.04 / possible issue with https

Good Day:

I have been doing a lot of reading on this issue; here and elsewhere (as we are having trouble as well with creating a cert for a private mail server upgraded to ispconfig 3.2 / new install). And I think our issue could be web related. Wanted to check with the howtoforge community and hopefully have some ideas how to go around it. Let me take the opportunity on congratulating you on your great work in ISPCONFIG and all the support given to the community.

Our mail server is only reachable by its clients through VPN (company policy). Only SMTP is allowed from outside (Public). All IMAP, and http/https has to be done from the inside (through VPN)

DNS records are created outside (Public ISP) in the following manner (some comments for clarification as well).

1. Domain Registar points our domains to our ISP Public DNS
2. Our ISP provides records for us as follows (any recommendations on DNS configuration will be well received).
3. server1.mydomain1.com is the server running ISPCONFIG.
4. We have at the moment two other domains in the same situation as mydomain2.com. (One host, 3 Aliases in total).
5. MXTOOLBOX shows no errors on DNS.

Code:

mydomain1.com
NAME                        TYPE                     DATA
default_domainkey      TXT RECORD         DKIM (configured)
_dmarc                 TXT RECORD         DMARC (configured)
                       TXT RECORD         SPF1 (configured)
mail                   A RECORD           "mypublicIP"
                       MX RECORD          0 server1.mydomain1.com
                       NS RECORD          "ISP DNS PublicIP"

mydomain2.com
default_domainkey      TXT RECORD         DKIM (configured)
_dmarc                 TXT RECORD         DMARC (configured)
                       TXT RECORD         SPF1 (configured)
                       A RECORD.          "External Web Server Public IP"
www                    CNAME RECORD       "External Web Server FQDN"
                       MX RECORD          10 server1.mydomain1.com
                       NS RECORD          "ISP DNS PublicIP"

During ISPCONFIG configuration I get the following (I see that the challenge is only done by HTTP-01, but I understand that the LETSENCRYPT provides other methods as well ). This to me would seem to be the issue:

Code:

Checking / creating certificate for server1.mydomain1.com
Using certificate path /etc/letsencrypt/live/server1.mydomain1.com
Server's public ip(s) ("mypublicIP") not found in A/AAAA records for server1.mydomain1.com: "myprivateIP"
Ignore DNS check and continue to request certificate? (y,n) [n]: y

Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server1.mydomain1.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Challenge failed for domain server1.mydomain1.com
http-01 challenge for server1.mydomain1.com
Cleaning up challenges
Some challenges have failed.
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.

Initially (when I didn't noticed the challenge method used, I did try to create a new cert by force update of ISPCONFIG, but prior to that, I followed this tutorial (because we have other domains different from the host domain).

https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

This did not work, but then I believe that we would have to open http communication with the server from outside which would be an issue.

Your comments are appreciated.

Cheers

LFE

 

The challenge fails because the port is in use. You have to stop the service, issue the cert, then restart

 

This post may be of interest: https://www.howtoforge.com/communit...s-of-errors-in-standalone.79363/#post-379+833

 

Thank you. Could you be more specific on the mentioned service

 

Code:

sudo service httpd stop

or

Code:

sudo service apache2 stop

 

Thank You for the reference. Did checked it, Although I’m not sure if it would help me with the VPN issue

from letsencrypt community

https://community.letsencrypt.org/t/http-01-challenge-fail/147751/1

From Osiris (community leader)

comments are appreciated

cheers

 

I will try this abs come back with comments

 

Just as follow up. Im getting this error with ISPCONFIG during force update

Code:

PHP Warning:  symlink(): No such file or directory in /tmp/update_runner.sh.oMoyO29EPl/install/lib/installer_base.lib.php on line 3215
PHP Warning:  symlink(): No such file or directory in /tmp/update_runner.sh.oMoyO29EPl/install/lib/installer_base.lib.php on line 3216

But I think is related to a miss procedure I did applying this:

https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

Regarding suggested procedure, I did try stoping the service (both suggested scenarios -apache2 and http - in separate occasions while force updating). Neither worked.

Please advise

Cheers

 

You shouldn't need to run the ISPConfig installer again -- just run certbot with the services disabled

Code:

certbot --apache

 

Question:
As a possible procedure how would you have approach this. Install first with errors (no challenge)

then stop service and run certbot. ?

 

Yup
I'm also assuming you have the correct ports open. Assuming (again) you followed the Perfect Server Setup, with ufw

Code:

sudo ufw status verbose

Ensure ports 80 & 443 are enabled

 

ok. any comments regarding the three domain aliases.

should I still follow this

https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

Being
1. First Complete Perfect Server Install (no challenge)
2. Stop services and run certbot
3. Follow procedures in url https://www.howtoforge.com/communit...d-lets-encrypt-ssl-certificate-certbot.86372/

Please advise

Cheers

 

You can run certbot multiple times to setup for each domain, or if its multiple websites hosted through ISPConfig, you can just check the box to set up SSL when configuring the website settings.

 

just for the sake of it, I did a clean install.

Went through the error and finished installing. Right away followed the procedure (stop apache2 only) and followed with the certbot command:

Code:

sudo certbot --apache
Saving debug log to /var/log/letsencrypt/letsencrypt.log
The requested apache plugin does not appear to be installed

Please advise.

Cheers

 

Try

Code:

apt install python3-certbot-apache

 

Some feedback (Registar is correct / DNS are as expected), so I checked with the above command.

Please see below

Code:

No names were found in your configuration files. Please enter in your domain
name(s) (comma and/or space separated)  (Enter 'c' to cancel): mydomain1.com server1.mydomain1.com                                   
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mydomain1.com
http-01 challenge for server1.mydomain1.com
Waiting for verification...
Challenge failed for domain mydomain1.com
Challenge failed for domain server1.mydomain1.com
http-01 challenge for mydomain1.com
http-01 challenge for server1.mydomain1.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mydomain1.com
   Type:   unauthorized
   Detail: Invalid response from
   http://mydomain1.com/.well-known/acme-challenge/....
   ["ExternalWebServerIP"]: 403

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.
 - The following errors were reported by the server:

   Domain: server1.mydomain1.com
   Type:   connection
   Detail: Fetching
   http://server1.mydomain1.com/.well-known/acme-challenge/....
   Error getting validation data

To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

The way I see it:
DNS configuration issue for ALIAS domains (needs to be fixed) and FIREWALL (ROUTER) issue for host mail server (I need to see how this will be fixed. Certificate Renewing will be an issue / VPN).

In any case, It does not appear to be a problem with ISPCONFIG or LETSENCRYPT

Thank you Rockey75, this was helpful.

Cheers

 

After some tinkering I did achieve some things:

1. I opened my Firewall just for the test of trying to get the certificate (Forward on port 80)
2. Stoped apache2 service and run the certbot
3. Successfully got my certificate with challenge HTTP-01 (No errors / felt awesome )
4. Restarted apache2 service
5. I confirmed having the certicate files in:

/etc/letsencrypt/live/server1.mydomain1.com/fullchain.pem
/etc/letsencrypt/live/server1.mydomain1.com/privkey.pem

5. Closed the ports again (FIREWALL)
6. ISPCONFIG still not using new certificate for control panel (HTTPS) or mail

Am I missing something....

I did try checking with SSLCHECKER - but because I closed the port to the public again, I get an error; but that I expected as it does on 443.

Do take note that my mail domains are different from the host domain

The way I achieve this, is by having the ISPCONFIG host (which is the e-mail server) having an A record pointing to its own public IP. The other domains (as in different domains) point to an MX Record (that goes to the ISPCONFIG mail server). I do have A records as well for this "other domains" but they point to an external web server. We don't host web at our site.

Hope I could explain myself and looking forward to comments.

Please advise.

Cheers

 

good day Till

I tried your suggested method (ISP config force update) but during force update I get a message that the certificate is not yet due for renew so it doesn’t renew it.

It! Also shows a simlink warning

systems is still using self signed

please advise

cheers

 

To me the right way is to fully delete the already created LE certs first because the renewal conf is different when created with ISPConfig installer but to fix the symlink issue you mentioned is to use git stable as there is a new fix for it in there that is not yet available in stable version.

However be clear that using git stable won't fix renewal conf for the LE certs already obtained manually, thus the deletion of the already created LE certs first is still necessary to me.

The renewal conf for the LE certs created by ISPConfig has pre and post hook that will autimatically recreate the needed ispserver.pem file for the server and restart all necessary services upon renewal thus it is vital for its config to be correct in any ISPConfig server.

Manually fixing the renewal conf file is possible but not advisable.