LetsEncrypt Auto renew issue with ISPConfig

Hello,

I am having an issue with auto renew of LetsEncrypt SSL on the ISPConfig panel.

#Scenario
Given below is the error I get when auto renew fails and I try to manually re-generate the certificate.

#Error
Failed authorization procedure. shop.equinetreatments.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://shop.equinetreatments.com/.well-known/acme-challenge/PH7Z4LPq0ZwAxXS8PrVNMGNd4Y7XWk5PolTnlwFN6uU:
<ht”

In order to fix it I will have to manually change the symlink in the /usr/local/ispconfig/interface/acme folder to point it to the document root of the domain for which I want to generate SSL.

root@server:/usr/local/ispconfig/interface/acme# ll
total 12K
drwxr-s--- 3 ispconfig ispconfig 4.0K May 24 08:29 .
drwxr-s--- 9 ispconfig ispconfig 4.0K May 24 08:30 ..
drwxr-s--- 3 ispconfig ispconfig 4.0K Dec 29 2016 well
lrwxrwxrwx 1 root ispconfig 47 May 24 08:29 .well-known -> /var/www/clients/client1/web11/web/.well-known/
root@server:/usr/local/ispconfig/interface/acme# unlink .well-known
root@server:/usr/local/ispconfig/interface/acme# ln -s /var/www/clients/client1/web3/web/.well-known/
root@server:/usr/local/ispconfig/interface/acme#

Is there any permanent fix for this issue?

Post this on the ISPConfig forums or contact ISPConfig support.

As these issues are specific to their plugins, they would be the best source of assistance.

Andrei

The error message is not, in fact, ISPConfig-specific. It’s an error from LE explaining that the challenge was not responded to accurately. It seems you’ve already figured out why (something about your webroot keeps changing. I don’t have any familiarity with ISPConfig itself.) The solution for you, assuming there’s no way to change this webroot behavior, is to simply use a different authorization method. Have you considered TLS-SNI or DNS methods?

I think the underlying cause of the error is ISPConfig-specific in that it appears that ISPConfig is trying to set up a path to complete HTTP-01 challenges, but it somehow sets or chooses the wrong path. Presumably it was ISPConfig that originally created /usr/local/ispconfig/interface/acme and created the symbolic link there.


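The mismatch discussed in the replies above can be checked before a renewal runs. The script below is an added example, not part of the thread and not ISPConfig code: it rebuilds the client1/web3 and client1/web11 layout in a temporary directory (constructed paths) and tests whether the shared `.well-known` symlink resolves to the docroot of the site being validated. It assumes the web server answers `/.well-known/` from the shared acme directory; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not ISPConfig code). Paths are constructed in a temp dir and
# only mirror the client1/web3 and client1/web11 layout quoted in the thread.

# check_acme_link LINK DOCROOT
# 0: LINK resolves to DOCROOT/.well-known; 1: points elsewhere; 2: not a symlink.
check_acme_link() {
    [ -L "$1" ] || return 2
    cal_actual=$(readlink -f -- "$1") || return 2
    cal_expected=$(readlink -f -- "$2/.well-known") || return 2
    if [ "$cal_actual" = "$cal_expected" ]; then return 0; else return 1; fi
}

# token_visible LINK DOCROOT
# Writes a probe where a webroot client for DOCROOT would put the challenge
# file, then reads it back through LINK, i.e. the path the web server is
# assumed to serve for /.well-known/. 0: visible; 1: not visible.
token_visible() {
    tv_dir="$2/.well-known/acme-challenge"
    tv_name="probe-$$"
    mkdir -p "$tv_dir" && printf 'ok' > "$tv_dir/$tv_name" || return 2
    if [ "$(cat "$1/acme-challenge/$tv_name" 2>/dev/null)" = "ok" ]; then tv_rc=0; else tv_rc=1; fi
    rm -f "$tv_dir/$tv_name"
    return "$tv_rc"
}

# make_sample: build the constructed layout and print its root directory.
make_sample() {
    ms_root=$(mktemp -d) || return 1
    mkdir -p "$ms_root/acme" \
             "$ms_root/clients/client1/web3/web/.well-known/acme-challenge" \
             "$ms_root/clients/client1/web11/web/.well-known/acme-challenge"
    # Same state as the listing in the thread: the shared link points at web11.
    ln -s "$ms_root/clients/client1/web11/web/.well-known" "$ms_root/acme/.well-known"
    printf '%s\n' "$ms_root"
}

root=$(make_sample)
for site in web3 web11; do
    if check_acme_link "$root/acme/.well-known" "$root/clients/client1/$site/web"; then
        echo "$site: shared link matches this docroot"
    else
        echo "$site: shared link points elsewhere; HTTP-01 for this site would fail"
    fi
done
rm -rf "$root"
```

On a real server the same two functions can be pointed at the actual acme directory and the docroot of the domain being renewed.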