Ispconfig 3.2 self-signed certificate

Hi,
My domain is:
gliese.net4wing.com

I ran this command: when I create new ISPConfig SSL certificate during installation

It produced this output:
Checking / creating certificate for gliese.net4wing.com
Using certificate path /etc/letsencrypt/live/gliese.net4wing.com
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for gliese.net4wing.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Challenge failed for domain gliese.net4wing.com
http-01 challenge for gliese.net4wing.com
Cleaning up challenges
Some challenges have failed.
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.

My web server is (include version):
Server version: Apache/2.4.41 (Ubuntu)
Server built: 2020-08-12T19:46:17
Server's Module Magic Number: 20120211:88
Server loaded: APR 1.6.5, APR-UTIL 1.6.1
Compiled using: APR 1.6.5, APR-UTIL 1.6.1
Architecture: 64-bit
Server MPM: prefork
threaded: no
forked: yes (variable process count)
Server compiled with....
-D APR_HAS_SENDFILE
-D APR_HAS_MMAP
-D APR_HAVE_IPV6 (IPv4-mapped addresses enabled)
-D APR_USE_SYSVSEM_SERIALIZE
-D APR_USE_PTHREAD_SERIALIZE
-D SINGLE_LISTEN_UNSERIALIZED_ACCEPT
-D APR_HAS_OTHER_CHILD
-D AP_HAVE_RELIABLE_PIPED_LOGS
-D DYNAMIC_MODULE_LIMIT=256
-D HTTPD_ROOT="/etc/apache2"
-D SUEXEC_BIN="/usr/lib/apache2/suexec"
-D DEFAULT_PIDLOG="/var/run/apache2.pid"
-D DEFAULT_SCOREBOARD="logs/apache_runtime_status"
-D DEFAULT_ERRORLOG="logs/error_log"
-D AP_TYPES_CONFIG_FILE="mime.types"
-D SERVER_CONFIG_FILE="apache2.conf"

The operating system my web server runs on is (include version):
lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 20.04.2 LTS
Release: 20.04
Codename: focal

My hosting provider, if applicable, is: amen.fr

I can login to a root shell on my machine (yes or no, or I don't know): yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): ispconfig

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): certbot 0.40.0

Here letsencrypt last logs:
Domain: gliese.net4wing.com
Type: connection
Detail: Fetching http://gliese.net4wing.com/.well-known/acme-challenge/WxcI6psy!

To fix these errors, please make sure that your domain name was entered correct!
2021-06-01 10:07:18,801:DEBUG:certbot.error_handler:Encountered exception:
Traceback (most recent call last):
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in ha!
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _!
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-06-01 10:07:18,801:DEBUG:certbot.error_handler:Calling registered functions
2021-06-01 10:07:18,801:INFO:certbot.auth_handler:Cleaning up challenges
2021-06-01 10:07:18,802:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispco!
2021-06-01 10:07:18,802:DEBUG:certbot.plugins.webroot:All challenges cleaned up
2021-06-01 10:07:18,803:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
File "/usr/bin/letsencrypt", line 11, in
load_entry_point('certbot==0.40.0', 'console_scripts', 'certbot')()
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1382, in main
return config.func(config, plugins)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 1265, in certonly
lineage = get_and_save_cert(le_client, config, domains, certname, lineage)
File "/usr/lib/python3/dist-packages/certbot/main.py", line 121, in get_and!
lineage = le_client.obtain_and_enroll_certificate(domains, certname)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 417, in obtain!
cert, chain, key, _ = self.obtain_certificate(domains)
File "/usr/lib/python3/dist-packages/certbot/client.py", line 348, in obtain_!
orderr = self._get_order_and_authorizations(csr.data, self.config.allow_sub!
File "/usr/lib/python3/dist-packages/certbot/client.py", line 396, in _get_or!
authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 91, in ha!
self._poll_authorizations(authzrs, max_retries, best_effort)
File "/usr/lib/python3/dist-packages/certbot/auth_handler.py", line 180, in _!
raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

Thank you for any suggestions

1 Like

I'd suggest updating your version of certbot first, various things have changed since certbot 0.4 (Feb 2016).

2 Likes

switch to snapd version of certbot.

or install acme.sh, which is also supported by ispconfig 3.2.

2 Likes

Hi, thank you both for your help,
I updated certbot (now 1.15.0) via snapd
But after the force update with ispconfig 3.2, asking for a new ssl certificate, I got the same error and therefore a self-signed certificate:
http-01 challenge for gliese.net4wing.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Challenge failed for domain gliese.net4wing.com
http-01 challenge for gliese.net4wing.com
Cleaning up challenges
Some challenges have failed.
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.

Other ideas?

2 Likes

I add that the log says:
Domain: gliese.net4wing.com
Type: connection
Detail: Fetching http://gliese.net4wing.com/.well-known/acme-challenge/wmwKpxlDerWjKqweaimLalrp-oJDKRNAHR2SV84XnDY: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. !
2021-06-01 15:12:31,505:DEBUG:certbot._internal.error_handler:Encountered exception...

Record A is ok - port 80 and 443 are open and I can read the file inside acme-challenge through the browser:
http://gliese.net4wing.com/.well-known/acme-challenge/empty.dir

1 Like

Is there some GEO-Location type blocking in line?
I have access to it now.

Please place a test text file (without any extension, nor period, in the name) in that challenge location.
Also, please show the output of:
sudo apachectl -S

1 Like

Hi, thank you,
so I put a text file here
http://gliese.net4wing.com/.well-known/acme-challenge/testtext

below the output of sudo apachectl -S
#apachectl -S
AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
VirtualHost configuration:
*:8081 gliese.net4wing.com (/etc/apache2/sites-enabled/000-apps.vhost:9)
*:8080 gliese.net4wing.com (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
ServerRoot: "/etc/apache2"
Main DocumentRoot: "/var/www/html"
Main ErrorLog: "/var/log/apache2/error.log"
Mutex proxy: using_defaults
Mutex ssl-cache: using_defaults
Mutex default: dir="/var/run/apache2/" mechanism=default
Mutex mpm-accept: using_defaults
Mutex fcgid-pipe: using_defaults
Mutex authdigest-opaque: using_defaults
Mutex watchdog-callback: using_defaults
Mutex rewrite-map: using_defaults
Mutex ssl-stapling-refresh: using_defaults
Mutex authdigest-client: using_defaults
Mutex fcgid-proctbl: using_defaults
Mutex ssl-stapling: using_defaults
PidFile: "/var/run/apache2/apache2.pid"
Define: DUMP_VHOSTS
Define: DUMP_RUN_CFG
Define: MODPERL2
Define: ENABLE_USR_LIB_CGI_BIN
User: name="www-data" id=33
Group: name="www-data" id=33

1 Like

This name duplication may be confusing certbot:

Q1. What was the complete certbot command you ran?
Q2. To which ports are the external 80 and 443 forwarding to?

2 Likes

As concerns the duplication, I'm using ispconfig 3.2: 8080 is the ispconfig panel; 8081 is the webmail (roundcube)
Q1. I don't know which command it is, as it's the ispconfig force update which manages letsencrypt
Q2. 80 goes to 80 and 443 goes to 443

1 Like

Hi,
I eventually rebuilt the machine from scratch and everything went smoothly.

At the first attempt I had two-three problems:

  1. I missed the A record
  2. the port 80 was closed
  3. (maybe) file hosts missing the external IP

I fixed all the issues on the go and then ran the ispconfig_update.sh (many times), with no result (always "Connection refused" in the log).
The impression is that after the first failure, the ispconfig force update for some reason couldn't succeed in releasing the certificate.
Cisco Bug: CSCvt34984 - ACME certificate signing failing (connection refused) if initially not correctly set up
Hope this is helpful to whoever has the same problem.
2 Likes
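The thread converged on three things to verify before retrying the ISPConfig force update: the A record points at the server, port 80 actually accepts connections, and a token file placed in the webroot's `.well-known/acme-challenge/` directory is served back unchanged. The script below is an added example (not ISPConfig, certbot or Let's Encrypt code) that automates exactly those checks as a pre-flight, the way a CA's http-01 validator would see them. It writes a random extension-less token into the webroot (the `/usr/local/ispconfig/interface/acme` path from the log is the one to pass on an ISPConfig host; the default here is an assumption), resolves the hostname, probes the port, fetches the token over HTTP and cleans up. `run_local_demo` is a self-contained offline demonstration using a throwaway directory and a local `http.server`, and it deliberately reproduces the "Connection refused" failure mode seen in the log by probing the same port after the server has gone away.

```python
"""Pre-flight check for an ACME http-01 challenge path (added example, not ISPConfig/certbot code)."""
import functools
import http.server
import os
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request

# Directory the webroot plugin publishes tokens under, relative to the webroot (RFC 8555 / the log above).
CHALLENGE_SUBDIR = ".well-known/acme-challenge"


def write_probe_token(webroot):
    """Write a random, extension-less token file (like a real ACME token) into the
    webroot's challenge directory. Returns (token, absolute file path)."""
    token = secrets.token_urlsafe(32)
    challenge_dir = os.path.join(webroot, *CHALLENGE_SUBDIR.split("/"))
    os.makedirs(challenge_dir, exist_ok=True)
    path = os.path.join(challenge_dir, token)
    with open(path, "w", encoding="ascii") as fh:
        fh.write(token)
    return token, path


def resolve_ipv4(hostname):
    """Return the set of IPv4 addresses the local resolver gives for hostname (empty on failure)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}


def port_reachable(host, port, timeout=3.0):
    """TCP connect to host:port; False on refusal or timeout (the 'Connection refused' case in the log)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def fetch_token(hostname, port, token, timeout=5.0):
    """GET the token the way the CA does and compare the body with the token. Returns (ok, detail)."""
    url = f"http://{hostname}:{port}/{CHALLENGE_SUBDIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("ascii", errors="replace").strip()
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except urllib.error.URLError as exc:
        return False, f"{exc.reason} for {url}"
    if body != token:
        return False, f"body mismatch for {url} (served {body[:16]!r}...)"
    return True, f"HTTP 200 with matching body for {url}"


def preflight(hostname, webroot, port=80, expected_ip=None):
    """Run the three checks from the thread: A record, port open, token served. Returns a report dict."""
    token, path = write_probe_token(webroot)
    try:
        addrs = resolve_ipv4(hostname)
        report = {
            "a_records": sorted(addrs),
            "a_record_ok": bool(addrs) and (expected_ip is None or expected_ip in addrs),
            "port_open": port_reachable(hostname, port),
        }
        report["token_served"], report["detail"] = fetch_token(hostname, port, token)
    finally:
        os.remove(path)  # clean up the probe file, as the webroot plugin cleans up real challenges
    return report


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo's stderr clean
        pass


def serve_webroot(webroot):
    """Serve webroot on 127.0.0.1 on an ephemeral port in a daemon thread (for the local demo)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def run_local_demo():
    """Offline demo: preflight against a live local webroot, then against the same port once nothing listens."""
    with tempfile.TemporaryDirectory() as webroot:  # constructed throwaway webroot
        server, port = serve_webroot(webroot)
        try:
            good = preflight("127.0.0.1", webroot, port=port, expected_ip="127.0.0.1")
        finally:
            server.shutdown()
            server.server_close()
        refused = preflight("127.0.0.1", webroot, port=port, expected_ip="127.0.0.1")
    return good, refused


if __name__ == "__main__":
    for label, report in zip(("live server", "closed port"), run_local_demo()):
        print(label, report)
    # On the real host (assumed paths/values from the thread):
    # print(preflight("gliese.net4wing.com", "/usr/local/ispconfig/interface/acme", expected_ip="<public IP>"))
```

Run it on the server itself with the public hostname so the request leaves through the same DNS and firewall path the CA uses; a `port_open: False` together with a "Connection refused" detail is the closed-port case from this thread, while a `token_served: False` with an HTTP 404 or a body mismatch points at the webroot or vhost mapping rather than the network.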
