Autoinstall fails on ISPconfig server

Server
1

I'm a new user, just got some domains whitelisted today.

One site ( which used PHP-FPM) failed at the first stage with an error that the config was invalid

./letsencrypt-auto --apache --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview
Updating letsencrypt and virtual environment dependencies.......
Running with virtualenv: /root/.local/share/letsencrypt/bin/letsencrypt --apache --server https://acme-v01.api.letsencrypt.org/directory --agree-dev-preview
The apache plugin is not working; there may be problems with your existing configuration.
The error was: PluginError(('There has been an error in parsing the file (%s): %s', u'/etc/apache2/sites-enabled/100-domain.com.vhost', u'Syntax error'),)

Changing the site from PHP-FPM to Fast-CGI overcame this issue.

Other sites have all failed (so far) with a syntax error after obtaining the certificate

Error while restarting Apache:

  • Restarting web server apache2
    ...fail!
  • The apache2 configtest failed.

Output of config test was:
AH00526: Syntax error on line 141 of /etc/apache2/sites-enabled/domain.com.vhost.err:

The file referenced wasn't the correct file for the domain in question.

The good news is, I got SSL certs for 2 sites, and a manual install of them ( I took the certs from the /etc/letsencrypt/live directory) worked fine :slight_smile: I just have a couple of none-SSL links on pages I need to sort out, the bulk is fine though.

My question is, what's the best way to help debug things for everyone ? do I just put the details as an issue at Issues · certbot/certbot · GitHub or is there something more helpful I can do ?

2

Could you share the two apache config files mentioned in your logs? There are a couple of unresolved apache config issues, you might have run into one of them.

3

I checked the issues that I could fine.

this one fails ( it uses PHP-FPM)

<Directory /var/www/domain.com>
AllowOverride None
Require all denied

<VirtualHost *:80>
DocumentRoot /var/www/clients/client1/web3/web

  ServerName domain.com
  ServerAlias www.domain.com 
ServerAlias www.domain.com domain.com
  ServerAdmin webmaster@domain.com

  ErrorLog /var/log/ispconfig/httpd/domain.com/error.log

  Alias /error/ "/var/www/domain.com/web/error/"
  ErrorDocument 400 /error/400.html
  ErrorDocument 401 /error/401.html
  ErrorDocument 403 /error/403.html
  ErrorDocument 404 /error/404.html
  ErrorDocument 405 /error/405.html
  ErrorDocument 500 /error/500.html
  ErrorDocument 502 /error/502.html
  ErrorDocument 503 /error/503.html

  <IfModule mod_ssl.c>
  </IfModule>

  <Directory /var/www/domain.com/web>
  		# Clear PHP settings of this website
  		<FilesMatch ".+\.ph(p[345]?|t|tml)$">
  				SetHandler None
  		</FilesMatch>
  		Options +FollowSymLinks
  		AllowOverride All
  						Require all granted
  				</Directory>
  <Directory /var/www/clients/client1/web3/web>
  		# Clear PHP settings of this website
  		<FilesMatch ".+\.ph(p[345]?|t|tml)$">
  				SetHandler None
  		</FilesMatch>
  		Options +FollowSymLinks
  		AllowOverride All
  						Require all granted
  				</Directory>

  # suexec enabled
  <IfModule mod_suexec.c>
  	SuexecUserGroup web3 client1
  </IfModule>
  <IfModule mod_fastcgi.c>
  		<Directory /var/www/clients/client1/web3/cgi-bin>
  								Require all granted
  						    </Directory>
  		<Directory /var/www/domain.com/web>
  			<FilesMatch "\.php[345]?$">
  				SetHandler php5-fcgi
  			</FilesMatch>
  		</Directory>
  		<Directory /var/www/clients/client1/web3/web>
  			<FilesMatch "\.php[345]?$">
  				SetHandler php5-fcgi
  			</FilesMatch>
  		</Directory>
            Action php5-fcgi /php5-fcgi
  		Alias /php5-fcgi /var/www/clients/client1/web3/cgi-bin/php5-fcgi-*-80-domain.com
            FastCgiExternalServer /var/www/clients/client1/web3/cgi-bin/php5-fcgi-*-80-domain.com -idle-timeout 300 -socket /var/lib/php5-fpm/web3.sock -pass-header Authorization
  </IfModule>
  <IfModule mod_proxy_fcgi.c>
  	ProxyPassMatch ^/(.*\.php[345]?(/.*)?)$ fcgi://127.0.0.1:9012/var/www/clients/client1/web3/web/$1
  </IfModule>

  # add support for apache mpm_itk
  <IfModule mpm_itk_module>
  	AssignUserId web3 client1
  </IfModule>

  <IfModule mod_dav_fs.c>
  # Do not execute PHP files in webdav directory
  	<Directory /var/www/clients/client1/web3/webdav>
  		<ifModule mod_security2.c>
  			SecRuleRemoveById 960015
  			SecRuleRemoveById 960032
  		</ifModule>
  		<FilesMatch "\.ph(p3?|tml)$">
  			SetHandler None
  		</FilesMatch>
  	</Directory>
  	DavLockDB /var/www/clients/client1/web3/tmp/DavLock
  	# DO NOT REMOVE THE COMMENTS!
  	# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
  # WEBDAV BEGIN
  	# WEBDAV END
  </IfModule>

Modifying it to the following got rid of the initial "config error" - this uses Fast-CGI

<Directory /var/www/domain.com>
AllowOverride None
Require all denied

<VirtualHost *:80>
DocumentRoot /var/www/domain.com/web

  ServerName domain.com
  ServerAlias www.domain.com 
ServerAlias www.domain.com domain.com
  ServerAdmin webmaster@domain.com

  ErrorLog /var/log/ispconfig/httpd/domain.com/error.log

  Alias /error/ "/var/www/domain.com/web/error/"
  ErrorDocument 400 /error/400.html
  ErrorDocument 401 /error/401.html
  ErrorDocument 403 /error/403.html
  ErrorDocument 404 /error/404.html
  ErrorDocument 405 /error/405.html
  ErrorDocument 500 /error/500.html
  ErrorDocument 502 /error/502.html
  ErrorDocument 503 /error/503.html

  <IfModule mod_ssl.c>
  </IfModule>

  <Directory /var/www/domain.com/web>
  		# Clear PHP settings of this website
  		<FilesMatch ".+\.ph(p[345]?|t|tml)$">
  				SetHandler None
  		</FilesMatch>
  		Options +FollowSymLinks
  		AllowOverride All
  						Require all granted
  				</Directory>
  <Directory /var/www/clients/client1/web3/web>
  		# Clear PHP settings of this website
  		<FilesMatch ".+\.ph(p[345]?|t|tml)$">
  				SetHandler None
  		</FilesMatch>
  		Options +FollowSymLinks
  		AllowOverride All
  						Require all granted
  				</Directory>

  # suexec enabled
  <IfModule mod_suexec.c>
  	SuexecUserGroup web3 client1
  </IfModule>
  # php as fast-cgi enabled

For config options see: mod_fcgid - Apache HTTP Server Version 2.5

  <IfModule mod_fcgid.c>
  		IdleTimeout 300
  		ProcessLifeTime 3600
  		# MaxProcessCount 1000
  		DefaultMinClassProcessCount 0
  		DefaultMaxClassProcessCount 100
  		IPCConnectTimeout 3
  		IPCCommTimeout 600
  		BusyTimeout 3600
  </IfModule>
  <Directory /var/www/domain.com/web>
  		<FilesMatch "\.php[345]?$">
  			SetHandler fcgid-script
  		</FilesMatch>
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php3
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php4
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php5
  		Options +ExecCGI
  		AllowOverride All
  						Require all granted
  				</Directory>
  <Directory /var/www/clients/client1/web3/web>
  		<FilesMatch "\.php[345]?$">
  			SetHandler fcgid-script
  		</FilesMatch>
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php3
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php4
  		FCGIWrapper /var/www/php-fcgi-scripts/web3/.php-fcgi-starter .php5
  		Options +ExecCGI
  		AllowOverride All
  						Require all granted
  				</Directory>

  # add support for apache mpm_itk
  <IfModule mpm_itk_module>
  	AssignUserId web3 client1
  </IfModule>

  <IfModule mod_dav_fs.c>
  # Do not execute PHP files in webdav directory
  	<Directory /var/www/clients/client1/web3/webdav>
  		<ifModule mod_security2.c>
  			SecRuleRemoveById 960015
  			SecRuleRemoveById 960032
  		</ifModule>
  		<FilesMatch "\.ph(p3?|tml)$">
  			SetHandler None
  		</FilesMatch>
  	</Directory>
  	DavLockDB /var/www/clients/client1/web3/tmp/DavLock
  	# DO NOT REMOVE THE COMMENTS!
  	# IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
  # WEBDAV BEGIN
  	# WEBDAV END
  </IfModule>

I think the other is related to a peculiarity of how ISPconfig deals with virtual hosts. They are named differently in /etc/apache2/sites-enabled/ to /etc/apache2/sites-available/

4

for ISPconfig there are two tread in specific forum :smile , but all WORKINPROGRESS:


2 Likes
5

Thanks, I’ll take a look.

6

A couple of small bugs with that script ( https://github.com/sjau/le2ispc ), got it working nicely though - thanks :slight_smile: