Can't create cert ispconfig/haproxy

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g., so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain

I ran this command: Used ISPconfig interface to enable Let’s Encrypt on site

It produced this output: certbot.errors.FailedChallenges: Failed authorization procedure. (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from

My web server is (include version): Server version: Apache/2.4.29 (Ubuntu)

The operating system my web server runs on is (include version): Ubuntu 18.04

My hosting provider, if applicable, is:

I can login to a root shell on my machine (yes or no, or I don’t know): yes

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): ISPConfig

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): certbot 0.31.0

We have a multiserver setup with ispconfig. It’s 2 webservers, 2 db servers, 2 haproxy servers and a virtual IP. When we point the public address directly to the first web server we can create a cert via ISPconfig without issues. But when we set it up with the public address pointing to the VIP we get the above-mentioned error. Tried to put a file in /.well-known/acme-challenge and I can access it with HTTPS but not with HTTP. With http I get Bad request - 400.

I’ve gotten some help that it might be because the folder /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/ gotta be shared between the two web servers. Not sure if that’s the problem. Just can’t go through port 80. Let me know if you need haproxy config also.



If you can add a catch-all redirect to send all HTTP to HTTPS, that might do the trick.
[clearly that won’t “fix” the problem, but it might buy you some time]


Put this in the vhost file for the site:

RewriteRule ^(.*)$ https://%{HTTP_HOST}$1 [R=301,L]

Now dry run works but through ISPconfig it still fails with the same error. Seems like ISPconfig uses webroot plugin for certbot but a dry run with that also works. Not sure what the exact command ISPconfig runs is.

Please show the error log file. (password: letsencrypt)

Active-active? Active-standby?

If it’s the former, then this is facts:

Yeah leaning towards that too. Command below works on web-01 but not web-02.

certbot certonly --standalone --dry-run -d
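
Added example, not from any poster in this thread and not ISPConfig's or the poster's actual configuration: one way to address the active-active concern raised above is to have HAProxy send every HTTP-01 challenge request to the single web server that runs certbot, so validation never lands on the node that lacks the token file. The section names, the 192.0.2.x addresses and the choice of web-01 as the certbot node are assumptions.

```haproxy
# Assumed layout: two web servers behind HAProxy, certbot runs on web-01 only.
# All names and addresses below are placeholders, not values from the thread.

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http_in
    bind *:80

    # HTTP-01 validation always requests this path over plain HTTP on port 80.
    acl is_acme path_beg /.well-known/acme-challenge/

    # Pin challenge requests to the node that wrote the token.
    # This rule must be evaluated before any blanket HTTP-to-HTTPS redirect
    # configured in this frontend, otherwise the challenge is redirected
    # into the load-balanced pool like any other request.
    use_backend acme_single if is_acme

    default_backend web_pool

backend acme_single
    # Only the certbot node; no balancing, so the token is always found.
    server web-01 192.0.2.11:80 check

backend web_pool
    # Normal traffic stays active-active.
    balance roundrobin
    server web-01 192.0.2.11:80 check
    server web-02 192.0.2.12:80 check
```

The same rule has to be present on both HAProxy nodes, since either one can hold the virtual IP. Sharing the challenge directory between the web servers, as suggested earlier in the thread, is the alternative when certificates may be requested from either node.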
