Problem with ONE domain


#1

I use ispconfig 3.1-dev with letsencrypt support. It works well on all domains except one, and I do not understand where the problem occurs. The name server entries point to the specific IP for the domain. There should not be a problem at all. The problem occurs with the IP for the domain as well as when I change the IP to the domain of the server itself. It is always the same problem. And it ONLY comes with this one domain.
Domain: kulturmaschinen.com

Here the log:

Domain: kulturmaschinen.com
Type: unauthorized
Detail: Invalid response from http://kulturmaschinen.com/.well-known/acme-challenge/Lzd56GGU0ZOqn9IgsRrrQYmClAC2PNwY2wmsT8Vt7PQ: "
<ht"

To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2016-09-15 18:38:06,442:INFO:certbot.auth_handler:Cleaning up challenges
2016-09-15 18:38:06,442:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/Lzd56GGU0ZOqn9IgsRrrQYmClAC2PNwY2wmsT8Vt7PQ
2016-09-15 18:38:06,443:DEBUG:certbot.plugins.webroot:Removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/d6y7-HXcGo--ACz2Q7iNwi58TfB_umNwGy_2IhSq1mA
2016-09-15 18:38:06,443:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
2016-09-15 18:38:06,444:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
    sys.exit(main())
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
    return config.func(config, plugins)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
    _, action = auth_from_domains(le_client, config, domains, lineage)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 94, in auth_from_domains
    lineage = le_client.obtain_and_enroll_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
    certr, chain, key, _ = self.obtain_certificate(domains)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
    self.config.allow_subset_of_names)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
    self.respond(resp, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 131, in respond
    self.poll_challenges(chall_update, best_effort)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 195, in poll_challenges
    raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.kulturmaschinen.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.kulturmaschinen.com/.well-known/acme-chall$
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht", kulturmaschinen.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://kulturmaschinen.com/.well-known/acme-challenge/Lzd56GGU0ZOqn9IgsRrrQYmClAC2PNwY2wmsT8Vt7PQ: "<$
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">


#2

Check web server logs (both access and error one) to see how your server actually processes that request.


#3

Apache 2 Error log

[Fri Sep 16 14:12:07.825386 2016] [mpm_prefork:notice] [pid 24489] AH00169: caught SIGTERM, shutting down
[ 2016-09-16 14:12:08.9090 26900/7fbe1137e740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => $
[ 2016-09-16 14:12:08.9130 26903/7f608381b740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.26898/generation-0/request
[ 2016-09-16 14:12:08.9210 26910/7f2d3a961780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.26898/generation-0/logging
[ 2016-09-16 14:12:08.9212 26900/7fbe1137e740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[Fri Sep 16 14:12:08.921984 2016] [ssl:warn] [pid 26898] AH01906: literaturhausserver.de:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Sep 16 14:12:08.922077 2016] [ssl:error] [pid 26898] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=postman@literatur.land,CN=literaturhausserver.de,O=Literaturhaus,L=Ochsenfurt,ST=Bavari$
[Fri Sep 16 14:12:08.922084 2016] [ssl:error] [pid 26898] AH02567: Unable to configure certificate literaturhausserver.de:8080:0 for stapling
[Fri Sep 16 14:12:08.922189 2016] [suexec:notice] [pid 26898] AH01232: suEXEC mechanism enabled (wrapper: /usr/lib/apache2/suexec)
[Fri Sep 16 14:12:08.959266 2016] [auth_digest:notice] [pid 26920] AH01757: generating secret for digest authentication ...
[Fri Sep 16 14:12:08.959818 2016] [:notice] [pid 26924] FastCGI: process manager initialized (pid 26924)
[Fri Sep 16 14:12:08.960104 2016] [:warn] [pid 26924] FastCGI: server "/var/www/cgi-bin/php-cgi-5.4" started (pid 26925)
[ 2016-09-16 14:12:08.9629 26927/7fcccf5d6740 agents/Watchdog/Main.cpp:538 ]: Options: { 'analytics_log_user' => 'nobody', 'default_group' => 'nogroup', 'default_python' => 'python', 'default_ruby' => '/usr/bin/ruby', 'default_user' => $
[ 2016-09-16 14:12:08.9665 26930/7f93a6493740 agents/HelperAgent/Main.cpp:650 ]: PassengerHelperAgent online, listening at unix:/tmp/passenger.1.0.26920/generation-0/request
[ 2016-09-16 14:12:08.9738 26938/7f4e53e70780 agents/LoggingAgent/Main.cpp:321 ]: PassengerLoggingAgent online, listening at unix:/tmp/passenger.1.0.26920/generation-0/logging
[ 2016-09-16 14:12:08.9739 26927/7fcccf5d6740 agents/Watchdog/Main.cpp:728 ]: All Phusion Passenger agents started!
[Fri Sep 16 14:12:08.997842 2016] [:error] [pid 26920] python_init: Python version mismatch, expected '2.7.5+', found '2.7.9'.
[Fri Sep 16 14:12:08.997896 2016] [:error] [pid 26920] python_init: Python executable found '/usr/bin/python'.
[Fri Sep 16 14:12:08.997899 2016] [:error] [pid 26920] python_init: Python path being used '/usr/lib/python2.7/:/usr/lib/python2.7/plat-x86_64-linux-gnu:/usr/lib/python2.7/lib-tk:/usr/lib/python2.7/lib-old:/usr/lib/python2.7/lib-dynload$
[Fri Sep 16 14:12:08.997910 2016] [:notice] [pid 26920] mod_python: Creating 8 session mutexes based on 150 max processes and 0 max threads.
[Fri Sep 16 14:12:08.997913 2016] [:notice] [pid 26920] mod_python: using mutex_directory /tmp
[Fri Sep 16 14:12:09.004183 2016] [ssl:warn] [pid 26920] AH01906: literaturhausserver.de:8080:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Fri Sep 16 14:12:09.004240 2016] [ssl:error] [pid 26920] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=postman@literatur.land,CN=literaturhausserver.de,O=Literaturhaus,L=Ochsenfurt,ST=Bavari$
[Fri Sep 16 14:12:09.004244 2016] [ssl:error] [pid 26920] AH02567: Unable to configure certificate literaturhausserver.de:8080:0 for stapling
[Fri Sep 16 14:12:09.007099 2016] [mpm_prefork:notice] [pid 26920] AH00163: Apache/2.4.10 (Debian) mod_fastcgi/mod_fastcgi-SNAP-0910052141 mod_fcgid/2.3.9 Phusion_Passenger/4.0.53 mod_python/3.3.1 Python/2.7.9 OpenSSL/1.0.1t configured $
[Fri Sep 16 14:12:09.007128 2016] [core:notice] [pid 26920] AH00094: Command line: '/usr/sbin/apache2'

I really have not the tiniest idea what might be blocking the generation of the certs. If it is not something on the servers of letsencrypt, then there might be a problem with ispconfig and I should ask there …


#4

I’d go back to basics … from what it says here …

it was getting html back

If you manually add a file (say test), which is just a plain text file (with the data “success” in it), into the .well-known/acme-challenge/ folder in kulturmaschinen.com, can you reach it in a browser, over the general internet, at http://kulturmaschinen.com/.well-known/acme-challenge/test ?
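
The manual check from post #4 can be scripted so that it distinguishes "file served as-is" from "web server answered with an HTML page", which is the failure in the certbot log. This is an added example, not part of the thread; `probe`, `run_case` and the simulated vhosts are constructed for illustration, and in real use `probe` would be pointed at `http://kulturmaschinen.com` after placing the test file.

```python
import http.server
import threading
import urllib.error
import urllib.request

PROBE_PATH = "/.well-known/acme-challenge/test"   # test file name from post #4
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # no proxy

def probe(base_url, expected="success", timeout=5):
    """Fetch the probe file and classify what the web server sent back."""
    try:
        with _opener.open(base_url + PROBE_PATH, timeout=timeout) as resp:
            body = resp.read(512).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:      # 403/404: path not mapped to a folder
        return "http-%d" % err.code
    except (urllib.error.URLError, OSError):   # DNS, firewall, nothing listening
        return "unreachable"
    if body.strip() == expected:
        return "ok"
    if body.lstrip().lower().startswith(("<!doctype", "<html")):
        return "html-instead-of-file"          # what the validation server received
    return "unexpected-body"

def make_handler(routes, fallback):
    """Constructed stand-in for a vhost: routes maps path -> (status, body)."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            status, body = routes.get(self.path, fallback)
            data = body.encode()
            self.send_response(status)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            self.wfile.write(data)
        def log_message(self, *args):          # keep the demo quiet
            pass
    return Handler

def run_case(routes, fallback):
    """Serve one simulated vhost on a loopback port and probe it."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), make_handler(routes, fallback))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        return probe("http://127.0.0.1:%d" % srv.server_address[1])
    finally:
        srv.shutdown()
        srv.server_close()

# Constructed sample page, shaped like the truncated body in the log above.
HTML_PAGE = '\n<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN">\n<html></html>'

if __name__ == "__main__":
    print(run_case({PROBE_PATH: (200, "success\n")}, (404, "not found")))  # file served
    print(run_case({}, (200, HTML_PAGE)))      # catch-all rule answers with a page
    print(run_case({}, (404, "not found")))    # challenge path not mapped at all
```

An `html-instead-of-file` result means the request never reached the challenge folder, so the next place to look is the vhost's alias, rewrite and `.htaccess` rules rather than DNS.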


#5

No, I can’t. But then ispconfig seems to locate acme in /usr/local/ispconfig/acme/ … And there is no link from the vhost to the folder. Maybe it is generated only while processing. Since I cannot reach the folder with those domains which already have got certificates (so it worked there), it might be something like that.


#6

I’m guessing ispconfig has done something with redirects / .htaccess if you can’t reach any files in those folders. I’d agree with your view above - time to ask on the ispconfig forums.


#7

The log doesn’t seem to have records related to the attempt to retrieve the verification file. This is what needs to be found basically, because by the look of it you were getting an HTML page instead of that file. I see that the logs mention Phusion Passenger, so you might try checking its logs too.

