Well that's another fine mess....

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jan 16, 2022.

  1. craig baker

    craig baker Member HowtoForge Supporter

    ok jesse you win :) but I was hardwired to do pings. that led me astray when I COULD ping the site (and pull it up) from outside the local net. I stand corrected. wget is not much harder LOL. But again you might want to explain a bit more in the FAQ: what's vital is that the site be accessible FROM the ISPConfig server. being able to pull it up, check everything externally means nothing. I thought I had ticked off that box on the FAQ page :)
    And a small suggestion (only because I DO love ISPConfig so much) - how hard would it be to pull out that 'failed to validate' message from acme.sh and post it on the ISPConfig SITE page? right now - we check the SSL/LE boxes, save them. wait. then we wait to see if the checkmarks disappear. they do. with no other feedback. Is any useful info from LE available so that maybe a red line might pop up (under the LE tickbox line) saying 'Failed to validate website'? of course if it's too difficult .... :)
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You get an error message in the log.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    This error is logged as a message of type Warning according to the output you posted in #1 of this thread and as such, it should be displayed in ISPConfig UI in the monitor module. So unless you disabled warnings, then your server status should turn from green to orange in the monitor module.

    I've just tested that here on a Debian 10 system with a non-existing domain, that's what my system shows:

    [Screenshot: 2022-01-17 19_26_52-ISPConfig.png]
    and when you click on more information:
    [Screenshot: 2022-01-17 19_27_18-ISPConfig.png]

    it shows that the domain could not be verified. The same warning should have arrived as email to the admin too if you configured to be notified about warnings by email. I have not set that up on this test server.

    I agree though that we should try if we can make the same info show up in the website itself somehow.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    It's probably not trivial, but would certainly be useful info to bring to the UI. Feel free to add a feature request in the tracker for that.
     
  5. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    correct me if i'm wrong, but the domain verification check occurs before the certificate request itself is actually sent to letsencrypt?
    in this case can't the verification step take place when the letsencrypt checkbox gets ticked, rather than on changes being saved?
    then the validation failed message can be displayed directly above/under the checkbox, rather than waiting for the save button to be clicked, a new page loaded and then waiting up to 59 seconds later for any sort of feedback. (could even show a validation successful message under the checkbox)
    it would also then help avoid hitting any request limits at letsencrypt as the request doesn't have to be sent to them, the admin can go off and double check all the dns, firewalls etc, and come back to tick that checkbox and be sure the domains validated before the cert request is ever actually triggered.
    i realise doing this on ticking a checkbox may be tricky, maybe a separate button, just to immediately validate the domain?
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, and if it fails, no request is sent to Let's Encrypt.

    Actions on a form are only performed on save, it is possible to change this but it isn't something we do anywhere else.

    That is exactly why this check exists and is enabled by default. As stated, if it fails, no request is sent, so you don't hit the rate limits.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Moving the internal "can we http to the certificate domain names" verification to the UI might have some benefit. Right now the check is performed on the web server node, but having the control panel itself perform it probably wouldn't change very much. It does send the "verification failed" message to the wrong person when a client (not the admin) is enabling letsencrypt, but it would get noticed and reported to the admin sooner, who can fix it.
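
The "can the server itself fetch the site over HTTP" pre-check discussed in this thread, sketched as an added example; it is not ISPConfig's or acme.sh's code. The function name `precheck`, the probe-file naming and the loopback demo server are assumptions made for illustration.

```python
import os, secrets, tempfile, threading
import urllib.error, urllib.request
from functools import partial
from http.server import HTTPServer, SimpleHTTPRequestHandler

CHALLENGE_DIR = ".well-known/acme-challenge"  # path used by ACME HTTP-01

def precheck(docroot, base_url, timeout=5):
    """Write a random probe under docroot and fetch it back from THIS host.

    Returns (ok, reason). A ping or an outside browser test proves nothing
    here: the fetch must succeed from the machine that runs the check.
    """
    name = "probe-" + secrets.token_hex(8)   # hypothetical naming scheme
    body = secrets.token_hex(16)
    chal = os.path.join(docroot, CHALLENGE_DIR)
    os.makedirs(chal, exist_ok=True)
    probe = os.path.join(chal, name)
    with open(probe, "w") as fh:
        fh.write(body)
    url = f"{base_url}/{CHALLENGE_DIR}/{name}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            got = resp.read(256).decode("ascii", "replace")
    except OSError as exc:  # URLError/HTTPError, refused, timeout
        return False, f"could not fetch {url}: {exc}"
    finally:
        os.remove(probe)
    if got != body:
        return False, f"{url} answered, but not with our probe"
    return True, "ok"

def demo():
    """Constructed scenarios against a throwaway loopback web server."""
    served, other = tempfile.mkdtemp(), tempfile.mkdtemp()
    handler = partial(SimpleHTTPRequestHandler, directory=served)
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{srv.server_port}"
    results = {"served docroot": precheck(served, base),
               "wrong docroot": precheck(other, base)}  # vhost mismatch
    srv.shutdown()
    srv.server_close()
    results["nothing listening"] = precheck(served, base, timeout=2)
    return results

if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'} - {reason}")
```

The returned reason string is the kind of text that could be shown next to the Let's Encrypt checkbox instead of only appearing in the log.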
     
