
Problem with multicerts #31

Open
Rikarin opened this issue Feb 3, 2016 · 35 comments
Comments

@Rikarin

Rikarin commented Feb 3, 2016

Hello, the script isn't generating certs for alias domains correctly.

Missing www. subdomains for alias domains.
http://i.imgur.com/tzwkSxb.png

Missing subdomains
http://i.imgur.com/mme6WZ0.png

@zenny

zenny commented Feb 3, 2016

@Rikarin
Author

Rikarin commented Feb 3, 2016

Cannot see this bug in the list.

@Rikarin
Author

Rikarin commented Feb 3, 2016

https://github.com/alexalouit/ISPConfig-letsencrypt/blob/ISPConfig-3.0.5.4p8/src/server/plugins-available/nginx_plugin.inc.php#L1170

The problem should be here. When I already have a cert but have added new aliases or subdomains, the cert isn't regenerated.

@zenny

zenny commented Feb 3, 2016

Oh, it used to be in the todo list, but seems to have been implemented. I updated the code and still have the same issue as you do. The certificates belong to the same domain they were originally created for; no new certs were regenerated for aliases and subdomains. Confirmed!

@alexalouit
Owner

Hi!
First, thanks for your feedback.

To force regeneration of the cert, we have two methods:

  • the first is much simpler: disable a subdomain/aliasdomain, update, and enable it again.
  • the second is nasty: remove the cert files
rm -r /etc/letsencrypt/archive/$domain/
rm -r /etc/letsencrypt/live/$domain/
rm -r /etc/letsencrypt/renewal/$domain.conf

@Rikarin
Author

Rikarin commented Feb 3, 2016

I removed the cert files, but now I don't know how to regenerate it.

@alexalouit
Owner

Uncheck the SSL & Let's Encrypt box in the vhost (webdomain), save and re-check it.

@zenny

zenny commented Feb 3, 2016

the first is much simpler: disable a subdomain/aliasdomain, update, and enable it again.

Disabled the sub-/alias-domain by checking off 'Active'.

What do you mean by update? Update the script? (I just replaced the changed file, nginx_plugin.inc.php; I think that is enough, as the entire script was updated just yesterday. I think that is good enough, or?)

Enabled it again, but no go.

@alexalouit
Owner

In the panel of your ISPConfig, go to one subdomain (a subdomain of the domain concerned), disable the subdomain, click on the «save» button, then enable it and save again.

Or you can uncheck the Let's Encrypt checkbox in your domain, save it, enable it and save.
The results are the same.

@zenny

zenny commented Feb 3, 2016

Tried both ways (disabling and enabling sub-/alias-domains, and unchecking, saving and checking the Let's Encrypt checkbox in the domain), except the nasty way of removing all certs from the /etc/letsencrypt directory; it doesn't seem to work at my end.

Also did this to confirm, prior to all of the above:

root@ns3:~/ISPConfig-letsencrypt# git fetch                                   
remote: Counting objects: 7, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 7 (delta 3), reused 7 (delta 3), pack-reused 0
Unpacking objects: 100% (7/7), done.
From https://github.com/alexalouit/ISPConfig-letsencrypt
   73b52f7..a909731  ISPConfig-3.0.5.4p8 -> origin/ISPConfig-3.0.5.4p8

root@ns3:~/ISPConfig-letsencrypt# rsync -av ./src/ /usr/local/ispconfig/
sending incremental file list

sent 943 bytes  received 22 bytes  1930.00 bytes/sec
total size is 520275  speedup is 539.15

@zenny zenny mentioned this issue Feb 3, 2016
@zenny

zenny commented Feb 4, 2016

Or you can uncheck the Let's Encrypt checkbox in your domain, save it, enable it and save.
The results are the same.

Tried again after 12 hours, thinking it could be an LE auth issue, but no go.

@alexalouit
Owner

Can you post the vhost of your domain and the Let's Encrypt log?

@zenny

zenny commented Feb 4, 2016

vhost: http://pastebin.geany.org/tsZxH/
LE log: http://pastebin.geany.org/cifXu/ (this log has not been updated since your script has been updated to 73b52f7, fyi).

I am trying to create arspopuli.net as an aliasdomain for arspopuli.org, fyi.

@alexalouit
Owner

The LE log is not for the right domain; it attempts to manage a cert for madhavpokharel.com.np. Is this domain yours?
Force generation of a new cert (remove and re-add a subdomain/aliasdomain), and look at the LE log.

@zenny

zenny commented Feb 4, 2016

Force generation of a new cert (remove and re-add a subdomain/aliasdomain), and look at the LE log.

Removed and re-added the aliasdomain; tail -f /var/log/letsencrypt/letsencrypt.log remained as it was!

Also tried each with the 'permanent', 'proxy' and 'redirect' Redirection Type (see http://picpaste.com/8smO9lbb.png), but it does not seem to work. Pulling my hair out now ...

@alexalouit
Owner

Is Let's Encrypt up to date?

Set the ISPConfig server log level to debug.
Do it again (disable and enable the subdomain), and see under /var/log/ispconfig/cron.log and /var/log/ispconfig/ispconfig.log what's going on.

@zenny

zenny commented Feb 4, 2016

Nothing erroneous in the log files. (ispconfig.log at http://pastebin.geany.org/TN6Nk/)

The tail of /var/log/ispconfig/cron.log is at http://pastebin.geany.org/fhi1U/

Nothing changed.

@alexalouit
Owner

Okay, the cert is not generated.
Is the file `/usr/local/ispconfig/server/plugins-available/nginx_plugin.inc.php` up to date?
If it is, disable the SSL and Let's Encrypt boxes in your domain. Update it.

Remove the files under:

rm -r /etc/letsencrypt/archive/$domain/
rm -r /etc/letsencrypt/live/$domain/
rm /etc/letsencrypt/renewal/$domain.conf
rm /var/www/clients/client2/web21/ssl/$domain.crt
rm /var/www/clients/client2/web21/ssl/$domain.key
rm -r /var/www/clients/client2/web21/web/.well-known

Enable the SSL and Let's Encrypt boxes in your domain. Update it.

That will purge any compromised files or files with bad permissions, and generate a certificate from Let's Encrypt.

@zenny

zenny commented Feb 4, 2016

It regenerated the certificate, yet the aliasdomains didn't work, even though there is a categorical line in ispconfig.log (http://pastebin.geany.org/jesy9/) that creates certs for both arspopuli.org and arspopuli.net:

04.02.2016-14:58 - DEBUG - exec: /root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email [email protected] --domains arspopuli.org --domains www.arspopuli.org --domains arspopuli.net --webroot-path /var/www/clients/client2/web21/web

And successful recreation of certs, as evidenced by letsencrypt.log posted at http://pastebin.geany.org/bWZz2/

nginx_plugin.inc.php is the latest, fyi.

https://arspopuli.org works as it should, but https://arspopuli.net does not.

The certs were recreated the nasty way (which is what your work is trying to avoid), yet the aliasdomains didn't work! Back to square one!

@alexalouit
Owner

Okay, you can disable debug mode from the server config. I understand what the problem is.
The domain is not arspopuli.net but www.arspopuli.net; for the moment, alias domains don't support subdomains. I'm working on it.

@zenny

zenny commented Feb 4, 2016

@alexalouit Thanks. www is a must for SEO, as you are aware. Let me wait till subdomains too are supported. Thank you very much for your work!

@alexalouit
Owner

@zenny can you test commit a909731?

@zenny

zenny commented Feb 4, 2016

I tested the above against commit a909731.

root@ns3:~/ISPConfig-letsencrypt# git fetch
remote: Counting objects: 7, done.
remote: Compressing objects: 100% (4/4), done.
remote: Total 7 (delta 3), reused 7 (delta 3), pack-reused 0
Unpacking objects: 100% (7/7), done.
From https://github.com/alexalouit/ISPConfig-letsencrypt
   a909731..ab8d08c  ISPConfig-3.0.5.4p8 -> origin/ISPConfig-3.0.5.4p8
root@ns3:~/ISPConfig-letsencrypt# rsync -av ./src/ /usr/local/ispconfig/
sending incremental file list

sent 947 bytes  received 22 bytes  1938.00 bytes/sec
total size is 520276  speedup is 536.92

No changes.

@alexalouit
Owner

Delete repo and clone it again.
Or launch git pull after git fetch.

@zenny

zenny commented Feb 4, 2016

Yep, it does work now**. Thanks!

**However, a manual intervention of deleting all cert, key and auth files for other domains was needed. It could not execute everything from the ISPConfig UI itself.

@alexalouit
Owner

great!

@zenny

zenny commented Feb 4, 2016

The renewal of the LE certificate is still not carried out by the script once the SSL and Let's Encrypt checkboxes are deselected and saved, and reselected and saved again.

One can see the vhosts added with aliasdomains, but not the renewal of the certificate automagically, as seen in the debug file here (http://pastebin.geany.org/7JAtc/).

It is quite tedious to delete the files as below for a number of domains with aliasdomains:

rm -r /etc/letsencrypt/archive/$domain/
rm -r /etc/letsencrypt/live/$domain/
rm /etc/letsencrypt/renewal/$domain.conf
rm /var/www/clients/clientX/webY/ssl/$domain.crt
rm /var/www/clients/clientX/webY/ssl/$domain.key
rm -r /var/www/clients/clientX/webY/web/.well-known

@alexalouit Please open this again, as this still cannot be executed from the ISPConfig GUI.

@alexalouit alexalouit reopened this Feb 4, 2016
@Rikarin
Author

Rikarin commented Feb 5, 2016

I had a problem with Let's Encrypt. They allow only 5 cert regenerations per 7 days. But if the cert isn't regenerated, ISPConfig doesn't notify me about it. Some counter for this would be fine.

@Rikarin
Author

Rikarin commented Feb 5, 2016

The next thing I'm missing is a text field for user-defined subdomains, e.g. I have subs like admin, mail, phpmyadmin, etc. for sites not defined in ISPConfig.

I can create a sub in ISPConfig and then delete it in the server_name variable, but it's not the best idea for me.

@alexalouit
Owner

I had a problem with Let's Encrypt. They allow only 5 cert regenerations per 7 days. But if the cert isn't regenerated, ISPConfig doesn't notify me about it. Some counter for this would be fine.

That's in the to-do list (https://github.com/alexalouit/ISPConfig-letsencrypt/blob/ISPConfig-3.0.5.4p8/_todo#L8)

The next thing I'm missing is a text field for user-defined subdomains, e.g. I have subs like admin, mail, phpmyadmin, etc. for sites not defined in ISPConfig.
I can create a sub in ISPConfig and then delete it in the server_name variable, but it's not the best idea for me.

I don't understand; subdomains work.
If you have many, to prevent requests to the LE server, disable the Let's Encrypt checkbox, create the subdomains, then check the Let's Encrypt box.

@Rikarin
Author

Rikarin commented Feb 5, 2016

But I cannot generate a certificate for subdomains not added to ISPConfig, e.g. I have the subdomain mail.domain.com, but I haven't registered this sub in ISPConfig because I created it manually by adding a config to the sites-enabled dir.

@zenny

zenny commented Feb 6, 2016

@Rikarin Do you have mail.domain.com in your DNS records? You need both MX and A records, the latter pointing to the IP of your server. Just in case you skipped it.

@alexalouit
Owner

@Rikarin
ISPConfig-letsencrypt (like ISPConfig) doesn't support directly editing config files.
Their goal is to generate configuration files, not read them.
Use subdomains in ISPConfig; you can create a domain with the domain and subdomain (e.g. subdomain.domain.tld).

@zenny

zenny commented Feb 12, 2016

After an update of ISPConfig-letsencrypt and letsencrypt to 0.5-dev, the unresolved issue as discussed at #31 (comment) is still not addressed. It further brought down all other domains which had been working, making them unable to renew! :-(

ISSUE:
And it reports a strange error:

# php -q install.php 
Create backup on /var/backup/ directory
/bin/tar: Removing leading `/' from member names
Backup finished
ERROR: Let's Encrypt ( /root/.local/share/letsencrypt/bin/letsencrypt-renewer ) is missing, install it corecctly!

There is also a typo: 'correctly' was spelled 'corecctly', fyi.

REASON:
BTW, read certbot/certbot#2376 (comment): upstream changed letsencrypt-renewer to the 'letsencrypt renew' command, which is yet to be reflected in this repo.

TEMPORARY SOLUTION:

Just:

crontab -e

and change it to:

# Renew all Let's Encrypt certificates daily at 02:30 and append the output to the ISPConfig cron log
30 02 * * * /root/.local/share/letsencrypt/bin/letsencrypt renew >> /var/log/ispconfig/cron.log

EXPLANATION

This issue is caused by two reasons:

  1. If the domains are redirected from http to https with redirection snippets, LE cannot reach the .well-known directory to fetch from it.
  2. Same as 1 above in the case of customized Apache/Nginx directive issues.
  3. 1 and 2 demand removing all the redirection code as well as customized directives before renewing or issuing the certificate. This appears to be a PITA if you have hundreds of domains in the ISPConfig panel.

3 above is something that needs to be fixed in the script itself.

@skolarianer

This issue is caused by two reasons:

  1. If the domains are redirected from http to https with redirection snippets, LE cannot reach the .well-known directory to fetch from it.
  2. Same as 1 above in the case of customized Apache/Nginx directive issues.
  3. 1 and 2 demand removing all the redirection code as well as customized directives before renewing or issuing the certificate. This appears to be a PITA if you have hundreds of domains in the ISPConfig panel.

My first rule in the Apache Directives is as follows:

RewriteCond %{REQUEST_URI} ^/?\.well-known/
RewriteRule ^ - [L,END]

This prevents letsencrypt from failing for me. Even with https-redirection and a dozen other directives.
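The Apache rule above exempts /.well-known/ from the https redirect so the webroot challenge can still be fetched over plain HTTP. As an added example (not code from the ISPConfig-letsencrypt repo or from anyone in this thread), here is the equivalent for the nginx setup used earlier in the thread, showing the failing form beside the corrected one; the server_name values and webroot path are the ones quoted in the thread, and the blocks are assumed to go in the site's port-80 vhost (ISPConfig's nginx Directives field).

```nginx
# BEFORE (breaks the ACME HTTP-01 challenge): a rewrite at server level is
# executed before nginx selects any location, so the request for
# /.well-known/acme-challenge/<token> is bounced to https and Let's Encrypt
# never reaches the webroot file that "letsencrypt auth -a webroot" wrote.
server {
    listen 80;
    server_name arspopuli.org www.arspopuli.org arspopuli.net www.arspopuli.net;
    root /var/www/clients/client2/web21/web;

    rewrite ^ https://$host$request_uri permanent;
}

# AFTER: serve only the challenge directory directly over plain HTTP and move
# the redirect into "location /", which is applied after location matching.
server {
    listen 80;
    server_name arspopuli.org www.arspopuli.org arspopuli.net www.arspopuli.net;
    root /var/www/clients/client2/web21/web;

    # "^~" makes this prefix win over any regex location (e.g. a PHP handler),
    # mirroring the [L,END] flags of the Apache rule. Only acme-challenge is
    # exempted, not the whole /.well-known/ tree.
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        try_files $uri =404;
    }

    # Everything else still goes to https.
    location / {
        return 301 https://$host$request_uri;
    }
}
```

After reloading nginx, a plain-HTTP request for a file under /.well-known/acme-challenge/ should return 200 (or 404 for a missing token) rather than 301, which is the check to run before forcing a regeneration.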
