alexalouit / ispconfig-letsencrypt
Let's Encrypt support for ISPConfig
Although I haven't created a Let's Encrypt cert for Postfix yet, I think we can use it to do that too.
I don't know if we need to create a single certificate with all mail virtual domains - which will force us to revoke/renew each time a new domain is created, or if we can add a single cert for each mail domain.
If so, maybe it is a good opportunity to allow the Let's Encrypt integration routine to include not only web alias domains, but also MX records (if they point to the same IP / server).
This is also good due to LE limitations per domain.
Any ideas on that?
In https://github.com/alexalouit/ISPConfig-letsencrypt/blob/ISPConfig-3.0.5.4p8/src/server/plugins-available/nginx_plugin.inc.php#L1133 the whole .well-known directory gets deleted.
It might contain other stuff - I think only /.well-known/acme-challenge should be deleted.
For example, Thunderbird auto configuration uses the path /.well-known/autoconfig/mail/config-v1.1.xml.
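A cleanup scoped to the challenge directory, as the report above asks for, could look like the following. This is an added example, not code from the plugin; the function name, the `$docroot` argument and the temporary demo paths are assumptions.

```php
<?php
/**
 * Added example (not the plugin's code): remove only
 * <docroot>/.well-known/acme-challenge and leave every other entry under
 * .well-known (for instance autoconfig/) in place.
 * The function name and its argument are hypothetical.
 */
function remove_acme_challenge_dir(string $docroot): bool
{
    $wellKnown = rtrim($docroot, '/') . '/.well-known';
    $challenge = $wellKnown . '/acme-challenge';

    // Site owners can write inside the web root. If either directory has been
    // replaced by a symlink, a privileged cleanup must not act on its target.
    if (is_link($wellKnown) || is_link($challenge)) {
        return false;
    }
    if (!is_dir($challenge)) {
        return true; // nothing to clean up
    }

    // CHILD_FIRST yields directory contents before the directory itself.
    // RecursiveDirectoryIterator does not follow symlinks unless asked to.
    $entries = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($challenge, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::CHILD_FIRST
    );
    foreach ($entries as $entry) {
        if ($entry->isDir() && !$entry->isLink()) {
            rmdir($entry->getPathname());
        } else {
            unlink($entry->getPathname()); // files and symlinks
        }
    }
    return rmdir($challenge);
}

// Constructed demo: a temporary web root holding one challenge file and the
// Thunderbird autoconfig file mentioned in the report.
$root = sys_get_temp_dir() . '/wellknown-demo-' . getmypid();
mkdir($root . '/.well-known/acme-challenge', 0755, true);
mkdir($root . '/.well-known/autoconfig/mail', 0755, true);
file_put_contents($root . '/.well-known/acme-challenge/constructed-token', 'demo');
file_put_contents($root . '/.well-known/autoconfig/mail/config-v1.1.xml', '<clientConfig/>');

echo 'cleanup succeeded:       ';
var_dump(remove_acme_challenge_dir($root));
echo 'acme-challenge present:  ';
var_dump(is_dir($root . '/.well-known/acme-challenge'));
echo 'autoconfig file present: ';
var_dump(is_file($root . '/.well-known/autoconfig/mail/config-v1.1.xml'));
```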
Hi,
Alias domains (pointing several domains to a single site) seem not to be working, at least for me.
If I missed something, kindly give me a pointer.
Thanks!
Feature request: right now the email in the letsencrypt command line is hardcoded in this format: postmaster@$domain. This is a good solution right now.
My suggestion is to get the email address from the ISPConfig client table, if provided.
Also, I don't know if we have to use the same domain for the certificate and the email address. So, maybe you could get the email address in this order: client.email table; cli.ini; hostmaster@$domain. I think hostmaster is better than postmaster, which refers to mail server admins (even if most of the time they are the same guy).
Hi,
I have successfully registered my domain csoellinger.at. Now I want xyz.csoellinger.at as well, but it's not an alias or a normal subdomain; it has its own vhost config. So I'm not 100% sure how I can enable letsencrypt for it.
Do I have to make an extra cert request for this subdomain, or can I use the existing one from csoellinger.at, the main domain? If I have to make an extra request, I think there should be a checkbox for letsencrypt like in the normal website edit view.
It's all fine with the installation steps. (You could also add how to uninstall this patch)
But then what?
I see the checkboxes SSL & Let's Encrypt. I enabled both and I don't see anything new now. How do you go about creating a cert with Let's Encrypt?
Do we have to use the SSL tab? Should a new tab appear (e.g. Let's Encrypt)?
If you have to use the SSL tab, what should someone enter in the State, Locality, Organisation, etc. fields? I tried to create a cert, but it ended up not being a valid one, so I guess this isn't how you create the certs.
Hi!
I am running ISPConfig 3.0.5.4p9 on Debian Wheezy.
If I follow your instructions and try to make the install script go, I get:
ERROR: Let's Encrypt ( /root/.local/share/letsencrypt/bin/letsencrypt ) is missing, install it corecctly!
If I try to get it installed manually, I couldn't get any further after: a2enconf letsencrypt
It states: -bash: a2enconf: Kommando nicht gefunden.
- it's German for "command not found"
Do you have any advice?
All the best! Thanks a lot for your work for this community.
allow subdomains, which are configured in ispconfig.
example websites in use:
website1.de
ab.website1.de
website1.de can use Letsencrypt
ab.website1.de gets the error: wrong cert, and it shows me the cert for website1.de if I inspect it.
Hi,
Kudos for the script.
Just wondering whether this script supports SNI-based domains (single public IP, multiple domains under ISPConfig3)?
Thanks.
I really appreciate the work you have done and I would love to test it, hence to have letsencrypt within ISPConfig, but the hell of dependencies is keeping me from using it:
By now I am using a simple shell script which does the job in a perfect way without all the bloated stuff. Easy installation, simple configuration, automatic renewal via cron, and it even features the possibility of a hook script:
I have some issues, as I think letsencrypt doesn't use the right server, although it's configured in the cli.ini to their acme server.
/etc/letsencrypt/cli.ini content:
# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Let's Encrypt with
# "--help" to learn more about the available options.
# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096
# Always use the staging/testing server
#server = https://acme-staging.api.letsencrypt.org/directory
# Uncomment and update to register with the specified e-mail address
# email = [email protected]
# Uncomment to use a text interface instead of ncurses
# text = True
# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = dvsni
# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
# authenticator = webroot
# webroot-path = /usr/share/nginx/html
text = True
agree-tos = True
authenticator = webroot
server https://acme-v01.api.letsencrypt.org/directory
centos
bash -c ALTER TABLE web_domain
ADD ssl_letsencrypt
enum('n','y') NOT NULL DEFAULT 'n';
-bash: syntax error near unexpected token `('
Hi, this is a cross post with https://community.letsencrypt.org/t/include-server-ip-address-for-the-main-web-server-helps-with-non-sni-browsers/8531
I was thinking if Let's Encrypt can include the IP server for one domain (that one with most traffic) to help minimize impact on non SNI browsers? If so, maybe the ISPconfig should allow that (or alex plugin)...
I have one case where the server has 5 domains, one with 20k page views per day, and the others together don't have 1k PER MONTH! So it makes sense to include the IP as part of the main CERT.
Hello, the script isn't generating certs for alias domains correctly.
Missing www. subdomains for alias domains.
http://i.imgur.com/tzwkSxb.png
Missing subdomains
http://i.imgur.com/mme6WZ0.png
I have a few alias domains left over from when I had just one SSL certificate. For example:
http://bugs.<domain1>.com redirects to https://secure.<domain2>.com and
http://support.<domain1>.com also redirects to https://secure.<domain2>.com
Both alias domains are set up as follows:
Redirect Type: R,L
Auto Subdomain: None
SEO Redirect:
The script is trying to generate certs for domain1 but the client is presumably redirected to domain2 (and therefore authorization fails with a 404). It also tries to create a certificate for the None subdomain which should be ignored. Here is a snippet from the LetsEncrypt log file:
FailedChallenges: Failed authorization procedure. none.support.<domain>.com (http-01):
The only way to get a certificate to renew is by disabling the subdomains and then re-enabling LetsEncrypt.
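One way to build the host-name list so that the "None" setting never becomes a label and redirected aliases are left out, as an added example (not the plugin's code). The record keys `domain`, `subdomain` and `redirect`, and the policy of skipping redirected aliases and wildcards, are assumptions modelled on the form labels quoted in the report above; the domains are constructed.

```php
<?php
// Added example, not the plugin's code. Record keys are hypothetical and
// mirror the "Auto Subdomain" and "Redirect Type" fields from the report.

function is_valid_hostname(string $name): bool
{
    // At least two labels, each 1-63 chars of [a-z0-9-], not starting or
    // ending with a hyphen; whole name at most 253 chars.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match('/^(?=.{1,253}$)(?:' . $label . '\.)+' . $label . '$/', $name);
}

function certificate_hostnames(array $site, array $aliases): array
{
    $names = [];   // host names to request, kept as keys so duplicates collapse
    $skipped = []; // host name => reason it was left out

    foreach (array_merge([$site], $aliases) as $rec) {
        $domain   = strtolower(trim($rec['domain'] ?? '', " \t\r\n."));
        $auto     = strtolower(trim($rec['subdomain'] ?? 'none'));
        $redirect = trim($rec['redirect'] ?? '');

        if (!is_valid_hostname($domain)) {
            $skipped[$domain] = 'not a valid host name';
            continue;
        }
        if ($redirect !== '') {
            // The validation request would be sent on to the redirect target,
            // where the challenge file does not exist.
            $skipped[$domain] = 'redirected, challenge file would not be served';
            continue;
        }

        $names[$domain] = true;
        if ($auto === 'www') {
            $names['www.' . $domain] = true;
        } elseif ($auto === '*') {
            $skipped['*.' . $domain] = 'wildcard cannot be validated with http-01';
        }
        // 'none' (or empty) is a setting meaning "no automatic subdomain",
        // so it adds nothing and is never used as a label.
    }

    return ['names' => array_keys($names), 'skipped' => $skipped];
}

// Constructed sample records.
$site = ['domain' => 'example.com', 'subdomain' => 'www', 'redirect' => ''];
$aliases = [
    ['domain' => 'support.example.net', 'subdomain' => 'None', 'redirect' => ''],
    ['domain' => 'bugs.example.net',    'subdomain' => 'None', 'redirect' => 'R,L'],
    ['domain' => 'shop.example.org',    'subdomain' => '*',    'redirect' => ''],
];

print_r(certificate_hostnames($site, $aliases));
```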
Hi,
For example ... the main server I have ispconfig on is called ispconfig.domain.com. All the other vhosts running on ispconfig can be hooked into the letsencrypt update sequence by checking the box on the domain's settings page. However the main server domain isn't on here, so can't be included. It's specified in /etc/nginx/sites-enabled/000-apps.vhost
Could this be included?
I want to update a Server to ISPConfig 3.1. How should I uninstall ISPConfig-letsencrypt?
Thanks
Hey, I am not sure if it's really a bug, but when I install Letsencrypt the way it's documented, it gives an error that the Letsencrypt-renew is not installed:
Installed following the instructions of:
https://github.com/letsencrypt/letsencrypt
Error (CLI output):
root@server:/tmp/ISPConfig-letsencrypt# php -q install.php
PHP Deprecated: Comments starting with '#' are deprecated in /etc/php5/cli/conf.d/ming.ini on line 1 in Unknown on line 0
Create backup on /var/backup/ directory
/bin/tar: Removing leading /' from member names
Backup finished
ERROR: Let's Encrypt ( /root/.local/share/letsencrypt/bin/letsencrypt-renewer ) is missing, install it corecctly!
root@server:/tmp/ISPConfig-letsencrypt# letsencrypt renew
bash: letsencrypt: command not found
I hope you have a solution for this.
Hi,
Thanks for your great work. I've installed certbot-auto and also ISPConfig-letsencrypt. Both seem to work, but every time I try to create a cert in ISPConfig it fails. There is an error in recognizing the domain.
/var/log/letsencrypt/letsencrypt.log looks like this:
I've replaced my domain with <mydomain>. The IP address is also correct, so there is no problem with DNS resolution. I could also create a cert by running certbot-auto.
2016-07-28 14:50:06,106:DEBUG:certbot.main:Root logging level set at 30
2016-07-28 14:50:06,106:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2016-07-28 14:50:06,106:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
2016-07-28 14:50:06,107:DEBUG:certbot.main:certbot version: 0.8.1
2016-07-28 14:50:06,107:DEBUG:certbot.main:Arguments: ['-a', 'webroot', '--email', 'postmaster@<mydomain>.de', '--domains', '<mydomain>.de', '--domains', 'www.<mydomain>.de', '--webroot-path', '/var/www/clients/client1/web33/web']
2016-07-28 14:50:06,107:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#webroot,PluginEntryPoint#null,PluginEntryPoint#manual,PluginEntryPoint#standalone)
2016-07-28 14:50:06,107:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2016-07-28 14:50:06,114:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f1b7e834790>
Prep: True
2016-07-28 14:50:06,115:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f1b7e834790> and installer None
2016-07-28 14:50:06,574:DEBUG:certbot.main:Picked account: <Account(93766f57480462df490123329a22e361)>
2016-07-28 14:50:06,575:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory. args: (), kwargs: {}
2016-07-28 14:50:06,622:INFO:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2016-07-28 14:50:06,842:DEBUG:requests.packages.urllib3.connectionpool:"GET /directory HTTP/1.1" 200 280
2016-07-28 14:50:06,845:DEBUG:root:Received <Response [200]>. Headers: {'Content-Length': '280', 'Expires': 'Thu, 28 Jul 2016 14:50:06 GMT', 'Boulder-Request-Id': 'VnR42pCM-drO1_krLH8geE9THgtWL1A0SYhP0dZ8d2g', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 28 Jul 2016 14:50:06 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'LX5SKu5gozG17k3Qvv33RmSc68OhcxOXixTO9vTO35g'}. Content: '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-07-28 14:50:06,845:DEBUG:acme.client:Received response <Response [200]> (headers: {'Content-Length': '280', 'Expires': 'Thu, 28 Jul 2016 14:50:06 GMT', 'Boulder-Request-Id': 'VnR42pCM-drO1_krLH8geE9THgtWL1A0SYhP0dZ8d2g', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Connection': 'keep-alive', 'Pragma': 'no-cache', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 28 Jul 2016 14:50:06 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'LX5SKu5gozG17k3Qvv33RmSc68OhcxOXixTO9vTO35g'}): '{\n "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",\n "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",\n "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",\n "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert"\n}'
2016-07-28 14:50:06,918:DEBUG:root:Requesting fresh nonce
2016-07-28 14:50:06,918:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {}
2016-07-28 14:50:07,098:DEBUG:requests.packages.urllib3.connectionpool:"HEAD /acme/new-authz HTTP/1.1" 405 0
2016-07-28 14:50:07,100:DEBUG:root:Received <Response [405]>. Headers: {'Content-Length': '91', 'Pragma': 'no-cache', 'Boulder-Request-Id': '8ONUg_F8LHfSnni9W4sID6BUoOUaWmq8L0b7i0dpPzw', 'Expires': 'Thu, 28 Jul 2016 14:50:07 GMT', 'Server': 'nginx', 'Connection': 'keep-alive', 'Allow': 'POST', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Date': 'Thu, 28 Jul 2016 14:50:07 GMT', 'Content-Type': 'application/problem+json', 'Replay-Nonce': 'QiIvn-KZdQCAyfJcMHziJw9-a2Xv4bh866pZxiycA3Y'}. Content: ''
2016-07-28 14:50:07,100:DEBUG:acme.client:Storing nonce: 'B"/\x9f\xe2\x99u\x00\x80\xc9\xf2\\0|\xe2\'\x0f~ke\xef\xe1\xb8|\xeb\xaaY\xc6,\x9c\x03v'
2016-07-28 14:50:07,101:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, status=None, combinations=None
2016-07-28 14:50:07,101:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "<mydomain>.de"}, "resource": "new-authz"}
2016-07-28 14:50:07,102:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2016-07-28 14:50:07,106:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2016-07-28 14:50:07,107:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "s6cM5vur_0VkcMmWs4kEaoAosuTirJQ26Ga17gNOkP-gSgHXNiO22m_khAfzjqeQSN7Ae13_4FtcTo-MBiftOrWILg0KkTsWZ06BcFNVNnj_-L-KvyP-coB5kCZ1iiJpFDNcL14d_8yhtGzkYFbHT6ZEZ6Hbf2YOLlpa2VZpt1Qtv_9eXD4K3E9o0CmYr_L6fHWfGUvxTC_h76_D5ZagUoujB4o_K6D5NMdmBkQdG9OhOJQRygGRbWl45d4Okd34VBr4DGfWPtYTTfbc1fQf6_6VvNFKnWYkqGX4eG2kMw1LppF6Pm96gR4jgYPglrW6yQcKYNgIiTd7zoCZxnq3qQ"}}, "protected": "eyJub25jZSI6ICJRaUl2bi1LWmRRQ0F5ZkpjTUh6aUp3OS1hMlh2NGJoODY2cFp4aXljQTNZIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJsaXF1aWRyYXRpbmcuZGUifSwgInJlc291cmNlIjogIm5ldy1hdXRoeiJ9", "signature": "PIcrnPiQORViKUPR9P1S8OmWIoq2JS2byCw0t36BxSLL66c3TFtS7m2vmOZqzVijnfWJjW4x5LG6ZtE6yGo_hGHh9G5NRf8AAZGPqflLifdjc4NYGgJcg7vXvTNmzbUKj2z9z_aXdVVE5N88eB4JweUFdEOQfPjeZb2FAa8d4ItfaaOtJbZKJlLwniTWUuyAQHadmFMp6Wp7vCHbv_apCMensvSKl_s930zfbpkkidk5f-4DEJuIo2kDwKUZITXSscoh3vYpkFA5EfdRR5qdwTp0D_0qjkbcNRkaGe_J-GqKKMqLYNmkHs9jOR7YOOerFzBgrwI2UnOy9dVyBM7uoA"}'}
2016-07-28 14:50:08,025:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1000
2016-07-28 14:50:08,027:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1000', 'Expires': 'Thu, 28 Jul 2016 14:50:08 GMT', 'Boulder-Request-Id': '3NNP-S4t7-kfuV0AQkQBfadCoDTwFLUSt33NxY9VJyg', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI', 'Pragma': 'no-cache', 'Boulder-Requester': '2739174', 'Date': 'Thu, 28 Jul 2016 14:50:08 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'daufgkftS8hGQUwotXo_XLLoD8GHtMoleY7gqgCJXuQ'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": "<mydomain>.de"\n },\n "status": "pending",\n "expires": "2016-08-04T14:50:07.511787162Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929163",\n "token": "blT_V5U_nGs3BplDqnfIhFNq6SfmjK86ucQgpsWzDrA"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929167",\n "token": "BQ-mGSQPKWmYg3tS8ekNWM7DqG33sQrcav_m438pkpw"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929171",\n "token": "ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U"\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
2016-07-28 14:50:08,027:DEBUG:acme.client:Storing nonce: 'u\xab\x9f\x82G\xedK\xc8FAL(\xb5z?\\\xb2\xe8\x0f\xc1\x87\xb4\xca%y\x8e\xe0\xaa\x00\x89^\xe4'
2016-07-28 14:50:08,027:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1000', 'Expires': 'Thu, 28 Jul 2016 14:50:08 GMT', 'Boulder-Request-Id': '3NNP-S4t7-kfuV0AQkQBfadCoDTwFLUSt33NxY9VJyg', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI', 'Pragma': 'no-cache', 'Boulder-Requester': '2739174', 'Date': 'Thu, 28 Jul 2016 14:50:08 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'daufgkftS8hGQUwotXo_XLLoD8GHtMoleY7gqgCJXuQ'}): '{\n "identifier": {\n "type": "dns",\n "value": "<mydomain>.de"\n },\n "status": "pending",\n "expires": "2016-08-04T14:50:07.511787162Z",\n "challenges": [\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929163",\n "token": "blT_V5U_nGs3BplDqnfIhFNq6SfmjK86ucQgpsWzDrA"\n },\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929167",\n "token": "BQ-mGSQPKWmYg3tS8ekNWM7DqG33sQrcav_m438pkpw"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929171",\n "token": "ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U"\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
2016-07-28 14:50:08,029:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'blT_V5U_nGs3BplDqnfIhFNq6SfmjK86ucQgpsWzDrA', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929163'}
2016-07-28 14:50:08,030:DEBUG:acme.jose.json_util:Omitted empty fields: expires=None, challenges=None, status=None, combinations=None
2016-07-28 14:50:08,031:DEBUG:acme.client:Serialized JSON: {"identifier": {"type": "dns", "value": "www.<mydomain>.de"}, "resource": "new-authz"}
2016-07-28 14:50:08,033:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2016-07-28 14:50:08,036:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2016-07-28 14:50:08,036:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "s6cM5vur_0VkcMmWs4kEaoAosuTirJQ26Ga17gNOkP-gSgHXNiO22m_khAfzjqeQSN7Ae13_4FtcTo-MBiftOrWILg0KkTsWZ06BcFNVNnj_-L-KvyP-coB5kCZ1iiJpFDNcL14d_8yhtGzkYFbHT6ZEZ6Hbf2YOLlpa2VZpt1Qtv_9eXD4K3E9o0CmYr_L6fHWfGUvxTC_h76_D5ZagUoujB4o_K6D5NMdmBkQdG9OhOJQRygGRbWl45d4Okd34VBr4DGfWPtYTTfbc1fQf6_6VvNFKnWYkqGX4eG2kMw1LppF6Pm96gR4jgYPglrW6yQcKYNgIiTd7zoCZxnq3qQ"}}, "protected": "eyJub25jZSI6ICJkYXVmZ2tmdFM4aEdRVXdvdFhvX1hMTG9EOEdIdE1vbGVZN2dxZ0NKWHVRIn0", "payload": "eyJpZGVudGlmaWVyIjogeyJ0eXBlIjogImRucyIsICJ2YWx1ZSI6ICJ3d3cubGlxdWlkcmF0aW5nLmRlIn0sICJyZXNvdXJjZSI6ICJuZXctYXV0aHoifQ", "signature": "BW-S7UmK81zDc_k7Cl8rV5ov8sF5Nb-MYK2z-9y5J9Q5rs1vK4I54kv0BxHBH1r4NUi7mNKgjRk1OY-7zZyz7FBGzcMJSyJ712Uh0KTLMahRXWH0mSNUIwYDEmytOyuLL1pGNM3pJ7E4_49WA0ZxaWFVRYUcXrjMpqLaPveJqTG_iqr7FPEOfpuAjSLvkbYYMsuyWG0nu8KTSDTqNzMYU38NoXpMDFtrPc2KvrxcQwlVqmChBprAbnPGgKjLBnk7L5-OzHyN18BQ_xid-I2H0Kch9jtKa7LREYfImIFvWEYWk0ktHXZ8KZL2lMNbWwIaIk3NmUDC3aWqHNGS_npfTQ"}'}
2016-07-28 14:50:08,574:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/new-authz HTTP/1.1" 201 1004
2016-07-28 14:50:08,576:DEBUG:root:Received <Response [201]>. Headers: {'Content-Length': '1004', 'Expires': 'Thu, 28 Jul 2016 14:50:08 GMT', 'Boulder-Request-Id': 'ExYS6Rp4nsnRxFQGqXd0mNZKkUu5uwtx8k6a0ejiL5k', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8', 'Pragma': 'no-cache', 'Boulder-Requester': '2739174', 'Date': 'Thu, 28 Jul 2016 14:50:08 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'Y1Ntgv5LiDQCIJwiyZ4TpIgXIl5VLjQGT3LWjMwOixI'}. Content: '{\n "identifier": {\n "type": "dns",\n "value": "www.<mydomain>.de"\n },\n "status": "pending",\n "expires": "2016-08-04T14:50:08.211268148Z",\n "challenges": [\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929203",\n "token": "4czhu8JzXnO_7vyE1e-2VzwGhICt1RXrpiGA0d7hawk"\n },\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929205",\n "token": "kBzLY7x9CCisgI6_aPmIF7GdPHul_L-fVB6R-AnDuYM"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929207",\n "token": "95jyAJrq5EF2oTecUdf1U_eLNM7tIGn7AURZAk0tjBY"\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
2016-07-28 14:50:08,577:DEBUG:acme.client:Storing nonce: 'cSm\x82\xfeK\x884\x02 \x9c"\xc9\x9e\x13\xa4\x88\x17"^U.4\x06Or\xd6\x8c\xcc\x0e\x8b\x12'
2016-07-28 14:50:08,577:DEBUG:acme.client:Received response <Response [201]> (headers: {'Content-Length': '1004', 'Expires': 'Thu, 28 Jul 2016 14:50:08 GMT', 'Boulder-Request-Id': 'ExYS6Rp4nsnRxFQGqXd0mNZKkUu5uwtx8k6a0ejiL5k', 'Strict-Transport-Security': 'max-age=604800', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/authz/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8', 'Pragma': 'no-cache', 'Boulder-Requester': '2739174', 'Date': 'Thu, 28 Jul 2016 14:50:08 GMT', 'X-Frame-Options': 'DENY', 'Content-Type': 'application/json', 'Replay-Nonce': 'Y1Ntgv5LiDQCIJwiyZ4TpIgXIl5VLjQGT3LWjMwOixI'}): '{\n "identifier": {\n "type": "dns",\n "value": "www.<mydomain>.de"\n },\n "status": "pending",\n "expires": "2016-08-04T14:50:08.211268148Z",\n "challenges": [\n {\n "type": "tls-sni-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929203",\n "token": "4czhu8JzXnO_7vyE1e-2VzwGhICt1RXrpiGA0d7hawk"\n },\n {\n "type": "dns-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929205",\n "token": "kBzLY7x9CCisgI6_aPmIF7GdPHul_L-fVB6R-AnDuYM"\n },\n {\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929207",\n "token": "95jyAJrq5EF2oTecUdf1U_eLNM7tIGn7AURZAk0tjBY"\n }\n ],\n "combinations": [\n [\n 2\n ],\n [\n 0\n ],\n [\n 1\n ]\n ]\n}'
2016-07-28 14:50:08,579:DEBUG:acme.challenges:dns-01 was not recognized, full message: {u'status': u'pending', u'token': u'kBzLY7x9CCisgI6_aPmIF7GdPHul_L-fVB6R-AnDuYM', u'type': u'dns-01', u'uri': u'https://acme-v01.api.letsencrypt.org/acme/challenge/TupehswyfUC9xAk-ujTY4eqiV8iucfq9pD9s-Q26do8/201929205'}
2016-07-28 14:50:08,581:INFO:certbot.auth_handler:Performing the following challenges:
2016-07-28 14:50:08,581:INFO:certbot.auth_handler:http-01 challenge for <mydomain>.de
2016-07-28 14:50:08,582:INFO:certbot.auth_handler:http-01 challenge for www.<mydomain>.de
2016-07-28 14:50:08,582:INFO:certbot.plugins.webroot:Using the webroot path /var/www/clients/client1/web33/web for all unmatched domains.
2016-07-28 14:50:08,582:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/clients/client1/web33/web/.well-known/acme-challenge
2016-07-28 14:50:08,583:DEBUG:certbot.plugins.webroot:Creating root challenges validation dir at /var/www/clients/client1/web33/web/.well-known/acme-challenge
2016-07-28 14:50:08,591:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/clients/client1/web33/web/.well-known/acme-challenge/ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U
2016-07-28 14:50:08,596:DEBUG:certbot.plugins.webroot:Attempting to save validation to /var/www/clients/client1/web33/web/.well-known/acme-challenge/95jyAJrq5EF2oTecUdf1U_eLNM7tIGn7AURZAk0tjBY
2016-07-28 14:50:08,597:INFO:certbot.auth_handler:Waiting for verification...
2016-07-28 14:50:08,597:DEBUG:acme.client:Serialized JSON: {"keyAuthorization": "ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U.pH3xQgbcCBUOCVZBO49aje9GUadGl44Uqo_dD7apSxg", "type": "http-01", "resource": "challenge"}
2016-07-28 14:50:08,599:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, jwk=None, x5t=None, x5tS256=None, cty=None, x5u=None, typ=None, alg=None, jku=None
2016-07-28 14:50:08,603:DEBUG:acme.jose.json_util:Omitted empty fields: x5c=(), crit=(), kid=None, nonce=None, x5tS256=None, cty=None, x5t=None, x5u=None, typ=None, jku=None
2016-07-28 14:50:08,604:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929171. args: (), kwargs: {'data': '{"header": {"alg": "RS256", "jwk": {"e": "AQAB", "kty": "RSA", "n": "s6cM5vur_0VkcMmWs4kEaoAosuTirJQ26Ga17gNOkP-gSgHXNiO22m_khAfzjqeQSN7Ae13_4FtcTo-MBiftOrWILg0KkTsWZ06BcFNVNnj_-L-KvyP-coB5kCZ1iiJpFDNcL14d_8yhtGzkYFbHT6ZEZ6Hbf2YOLlpa2VZpt1Qtv_9eXD4K3E9o0CmYr_L6fHWfGUvxTC_h76_D5ZagUoujB4o_K6D5NMdmBkQdG9OhOJQRygGRbWl45d4Okd34VBr4DGfWPtYTTfbc1fQf6_6VvNFKnWYkqGX4eG2kMw1LppF6Pm96gR4jgYPglrW6yQcKYNgIiTd7zoCZxnq3qQ"}}, "protected": "eyJub25jZSI6ICJZMU50Z3Y1TGlEUUNJSndpeVo0VHBJZ1hJbDVWTGpRR1QzTFdqTXdPaXhJIn0", "payload": "eyJrZXlBdXRob3JpemF0aW9uIjogImtzRGJWbFU2V05xT1hRZ3paclpOa19CRUlOU0xOMEF6N2hNcmt5UmlwNlUucEgzeFFnYmNDQlVPQ1ZaQk80OWFqZTlHVWFkR2w0NFVxb19kRDdhcFN4ZyIsICJ0eXBlIjogImh0dHAtMDEiLCAicmVzb3VyY2UiOiAiY2hhbGxlbmdlIn0", "signature": "S8phZF5OrAQ2NiZewHeCc4BSoNZTMBj7wYlIjgpoURWyCsrBq51I6W0ddvQ6WRF0f8KKYBlPyfCDxtpWKCBrv92NwHrlvMang159rXdpmds-8LMU0OcleBsthswz_KAwLDHWXLogBkziG1Mos88O5N_wh7TI_g9ROb4gSHd4mY6MIU52n3ybgCo54p64ljy9KGtGaDu2ireUoZ3kZztCzIJzVlrCbi53OAc01s3unsD_eptaJnnY5wyttMLSplXU0Rbfce3C7GFvJpmQC2o3qsrJ70WechHsaQ0OCxfR0WjrcMJDOR87cjCOQUKb51q8atnQ4N9fwHG4zV2wT_mVEQ"}'}
2016-07-28 14:50:09,304:DEBUG:requests.packages.urllib3.connectionpool:"POST /acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929171 HTTP/1.1" 202 335
2016-07-28 14:50:09,305:DEBUG:root:Received <Response [202]>. Headers: {'Content-Length': '335', 'Boulder-Request-Id': 'eBUzX7fqzq_tEI8OezpXAX6fuKofTBenqAVNM42k6Us', 'Expires': 'Thu, 28 Jul 2016 14:50:09 GMT', 'Server': 'nginx', 'Cache-Control': 'max-age=0, no-cache, no-store', 'Connection': 'keep-alive', 'Link': '<https://acme-v01.api.letsencrypt.org/acme/authz/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI>;rel="up"', 'Location': 'https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929171', 'Pragma': 'no-cache', 'Boulder-Requester': '2739174', 'Date': 'Thu, 28 Jul 2016 14:50:09 GMT', 'Content-Type': 'application/json', 'Replay-Nonce': 'QfqLCpE1o-yt4ZK2Ycgy4y6y_41SbrF0T4hLOcrDz0I'}. Content: '{\n "type": "http-01",\n "status": "pending",\n "uri": "https://acme-v01.api.letsencrypt.org/acme/challenge/D4DZg6kTkTR-bxzlUZB_Vf3BbOV6fh8sxnESzdD1hSI/201929171",\n "token": "ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U",\n "keyAuthorization": "ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U.pH3xQgbcCBUOCVZBO49aje9GUadGl44Uqo_dD7apSxg"\n}'
2016-07-28 14:50:09,305:DEBUG:acme.client:Storing nonce: 'A\xfa\x8b\n\x915\xa3\xec\xad\xe1\x92\xb6a\xc82\xe3.\xb2\xff\x8dRn\xb1tO\x88K9\xca\xc3\xcfB'
2016-07-28 14:50:12,952:INFO:certbot.reporter:Reporting to user: The following errors were reported by the server:
Domain: <mydomain>.de
Type: unauthorized
Detail: Invalid response from http://<mydomain>.de/.well-known/acme-challenge/ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht"
Domain: www.<mydomain>.de
Type: unauthorized
Detail: Invalid response from http://www.<mydomain>.de/.well-known/acme-challenge/95jyAJrq5EF2oTecUdf1U_eLNM7tIGn7AURZAk0tjBY: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht"
To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address.
2016-07-28 14:50:12,952:INFO:certbot.auth_handler:Cleaning up challenges
2016-07-28 14:50:12,952:DEBUG:certbot.plugins.webroot:Removing /var/www/clients/client1/web33/web/.well-known/acme-challenge/ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U
2016-07-28 14:50:12,952:DEBUG:certbot.plugins.webroot:Removing /var/www/clients/client1/web33/web/.well-known/acme-challenge/95jyAJrq5EF2oTecUdf1U_eLNM7tIGn7AURZAk0tjBY
2016-07-28 14:50:12,953:DEBUG:certbot.plugins.webroot:All challenges cleaned up, removing /var/www/clients/client1/web33/web/.well-known/acme-challenge
2016-07-28 14:50:12,957:DEBUG:certbot.main:Exiting abnormally:
Traceback (most recent call last):
File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
sys.exit(main())
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 744, in main
return config.func(config, plugins)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 555, in obtain_cert
_, action = _auth_from_domains(le_client, config, domains, lineage)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/main.py", line 94, in _auth_from_domains
lineage = le_client.obtain_and_enroll_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 276, in obtain_and_enroll_certificate
certr, chain, key, _ = self.obtain_certificate(domains)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/client.py", line 247, in obtain_certificate
self.config.allow_subset_of_names)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 74, in get_authorizations
self._respond(resp, best_effort)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 131, in _respond
self._poll_challenges(chall_update, best_effort)
File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/auth_handler.py", line 195, in _poll_challenges
raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. <mydomain>.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://<mydomain>.de/.well-known/acme-challenge/ksDbVlU6WNqOXQgzZrZNk_BEINSLN0Az7hMrkyRip6U: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht", www.<mydomain>.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.<mydomain>.de/.well-known/acme-challenge/95jyAJrq5EF2oTecUdf1U_eLNM7tIGn7AURZAk0tjBY: "<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<ht"
I installed your plug-in on my server and tried to get a certificate for a domain.
But I don't get any certificate, because the LE-client ends with the error:
The server experienced an internal error :: Error creating new authz
The full log-file is here: https://paste.ee/p/opqe6
(changed domain-name to example.com)
My Server:
Ubuntu 14.04
Apache 2.4
ISPConfig 3.0.5.4
nginx_plugin.inc.php:1146 - change "a" to "as":
bad:
// generate cli format
foreach($temp_domains a $temp_domain) {
    $lddomain .= (string) " --domains " . $temp_domain;
}
good:
// generate cli format
foreach($temp_domains as $temp_domain) {
    $lddomain .= (string) " --domains " . $temp_domain;
}
As here:
https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29?u=nemis
in the 2 patch files "jose+json" needs to be changed to "text/plain".
This directive in the nginx snippets works for me:
location /.well-known/acme-challenge {
    location ~ /.well-known/acme-challenge/(.*) {
        allow all;
        add_header Content-Type "text/plain";
    }
}
Set an Alias to a Domain and select "none" on auto subdomain.
It will generate a none.aliasDomain.xx which could not be verified by letsencrypt.
My solution in apache2_plugin.inc works for me:
if(isset($aliasdomain['subdomain']) && ! empty($aliasdomain['subdomain'])) {
    // .. we don't like "none.aliasdomain"
    if($aliasdomain['subdomain'] != "none"){
        $temp_domains[] = $aliasdomain['subdomain'] . "." . $aliasdomain['domain'];
    }
}
How to deploy this in a distributed ISPconfig environment? Do I have to install it on every server? Only on the master server?
I was able to create Let's Encrypt SSL for a few domains right now, but I always need to try generating SSL a lot of times, because Apache crashes in "emergency error", with X509_check_private_key:key values mismatch. Looking at MD5 hashes I can see they don't match.
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in privateKey.key | openssl md5
After trying more times I can get certificates - I removed /etc/letsencrypt/live|archive|renewal/[domain] - I eventually get the same key values, or I get blocked by Let's Encrypt limits.
Since the key values mismatch can prevent Apache from restarting, it will be a good precaution to implement this validation in the plugin routine, or maybe in Let's Encrypt itself.
At least for me, I never got a valid key pair in the first attempt using this plugin.
Hi,
Just noticed that I get errors when the crontab command executes:
30 02 * * * /root/.local/share/letsencrypt/bin/letsencrypt-renewer >> /var/log/ispconfig/cron.log; done
Malformed expression.
Removing "; done" from the end of the command allows it to run, and the messages appear in cron.log now.
This should be without "--domains"(apache2_plugin.inc.php:956 & :959):
$lddomain = (string) "--domains $domain";
if($data['new']['subdomain'] == "www" OR $data['new']['subdomain'] == "*") {
$lddomain .= (string) " --domains www." . $domain;
}
Hi,
In my case some domains worked fine, but some domains which were working alright till yesterday have failed to work with LE certs.
I tried as explained in the troubleshooting in README.md file, but no go.
It gives errors like:
# cat /var/log/letsencrypt/letsencrypt.log
"Failed authorization procedure. www-domain.com (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://www.domain.com/.well-known/acme-challenge/<String>
# cat /var/log/ispconfig/cron.log
chattr: Inappropriate ioctl for device while reading flags on /var/www/clients/client2/web9
Removed certs for the affected domains, re-generated certs, unchecked SSL & Let's Encrypt options, saved, rechecked both again and saved. But no go.
Thanks!
What is the proper way to upgrade this project source and patch ISPConfig?
I found out by myself (wow) that git pull from inside the project folder will sync the git repo. Can I safely run php -q install.php again?
Hi,
it seems that the .well-known folder does not get created in the correct way or the vhost lags the entry when the Cert is requested.
I have debug logging enabled and there are no errors in the ispconfig.log. But the letsencrypt log says "404".
Would be very nice if you can help.
On my other hosts with Apache2 everything works without any problem.
Cheers
When I look at the cronjob created by ISPConfig-letsencrypt,
30 02 * * * /root/.local/share/letsencrypt/bin/letsencrypt-renewer >> /var/log/ispconfig/cron.log; done
This will renew the certificate every night at half past two.
https://community.letsencrypt.org/t/rate-limits-for-lets-encrypt/6769 states:
Certificates/Domain you could run into through repeated re-issuance. This limit measures certificates issued for a given combination of Public Suffix + Domain (a "registered domain"). This is limited to 5 certificates per domain per week.
This means you're exceeding the limit as renewing every night would request 7 certificates per domain per week.
Just installed the latest patch and if the bundle file exists in the sites SSL directory it is removed and the symlink is not created when enabling Lets Encrypt on a site. Apache SSLCACertificateFile is not added to vhost (related to file not existing?)
If the file doesn't exist when LE is enabled in the site then the symlink isn't created either.
The plugin needs to check to see if auto-subdomain www is checked. If it is it should request a certificate for it.
LE doesn't issue wildcard certificates. So not sure how to handle the * option.
Quality SSL Labs returns the following when testing a LetsEncrypt certified domain with the current ISPConfig plugin.
This server's certificate chain is incomplete. Grade capped to B.
Adding SSLCertificateChainFile directive to the virtual host file and pointing it to the chain.pem file generated by the LE client solves this issue.
Hello. I'm having an issue. After I installed ISPConfig-letsencrypt (I'm using the right version of ISPConfig) a checkbox appeared in my panel, but when I check it and save, nothing happens different than before. Not even a single change in the letsencrypt log file. When I check SSL, old certificates are being loaded.
Hey guys, love the project so far, rolled it out on a few servers today, installation and all worked flawless.
Is there a way to pass on this information via api call when creating websites?
I am using the latest version of ISPConfig, and the server is powered by Nginx. I saw issue #38 and thought that it would solve my issue but has not. Below is what happens when I try to install:
root@server:~/ISPConfig-letsencrypt# php -q install.php
Create backup on /var/backup/ directory
/bin/tar: Removing leading `/' from member names
Backup finished
ERROR: Let's Encrypt ( /root/.local/share/letsencrypt/bin/letsencrypt ) is missing, install it corecctly!
Nevertheless, /root/.local/share/letsencrypt/bin/letsencrypt does exist. Is there something I'm missing?
To be able to update existing certificate, you can add this :
if(file_exists($crt_tmp_file) OR file_exists($key_tmp_file)) {
$this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth --expand --quiet -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
}
After the block (line 1017-1036) :
//* check if we have already a Let's Encrypt cert
if(!file_exists($crt_tmp_file) && !file_exists($key_tmp_file)) {
$app->log("Create Let's Encrypt SSL Cert for: $domain", LOGLEVEL_DEBUG);
...
$this->_exec("/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email postmaster@$domain --domains $lddomain --webroot-path $webroot");
};
[apache2_plugin.inc.php.zip](https://github.com/alexalouit/ISPConfig-letsencrypt/files/317269/apache2_plugin.inc.php.zip)
/* ADD IT HERE */
This command will expand current certificate - and with "quiet" argument, will prevent getting error if the new certificate is identical to existing one ;-)
In https://github.com/alexalouit/ISPConfig-letsencrypt/blob/ISPConfig-3.0.5.4p8/src/server/plugins-available/apache2_plugin.inc.php the following is used:
$rand_data .= md5(uniqid(microtime(), 1));
According to the OpenSSL Docs (https://www.openssl.org/docs/manmaster/apps/genrsa.html) this is then used to seed the generation of an RSA keypair. This is most probably broken really badly and easily exploitable.
Use a better source of randomness or follow the best practices (use /dev/random for cryptographic randomness):
http://stackoverflow.com/questions/637278/what-is-the-best-way-to-generate-a-random-key-within-php
Every SSL Certificate generated in this manner is most probably easily compromised. Also it does not generate 4096 keys as the config file would suggest but 2048.
In the end I'm really asking myself, why you are not using the Openssl Wrapper functions provided in PHP and instead are using exec. (http://php.net/manual/en/function.openssl-pkey-new.php)
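Two reports above ask for related safeguards: checking that a certificate and private key match before Apache is restarted, and generating keys through PHP's OpenSSL functions rather than exec with a hand-built seed. The following is an added example, not code from the plugin; the function names and the `example.test` subject are hypothetical, and the demo uses 2048-bit keys only to keep the run short.

```php
<?php
// Added example (not the plugin's code). Function names are hypothetical.

/** Generate an RSA key; the OpenSSL library seeds its own CSPRNG from the OS. */
function le_generate_key(int $bits = 4096)
{
    $key = openssl_pkey_new([
        'private_key_type' => OPENSSL_KEYTYPE_RSA,
        'private_key_bits' => $bits,
    ]);
    if ($key === false) {
        throw new RuntimeException('key generation failed: ' . openssl_error_string());
    }
    // Check the size actually produced, not the size that was configured.
    $details = openssl_pkey_get_details($key);
    if ($details['bits'] !== $bits) {
        throw new RuntimeException("expected $bits-bit key, got {$details['bits']}");
    }
    return $key;
}

/** Self-signed certificate, used here only to build sample input. */
function le_self_signed_pem($key, string $commonName): string
{
    $csr = openssl_csr_new(['commonName' => $commonName], $key, ['digest_alg' => 'sha256']);
    $crt = openssl_csr_sign($csr, null, $key, 1, ['digest_alg' => 'sha256']);
    if ($crt === false || !openssl_x509_export($crt, $pem)) {
        throw new RuntimeException('certificate creation failed: ' . openssl_error_string());
    }
    return $pem;
}

/** True only if the private key belongs to the certificate's public key. */
function le_pair_matches(string $certPem, string $keyPem): bool
{
    $crt = openssl_x509_read($certPem);
    $key = openssl_pkey_get_private($keyPem);
    if ($crt === false || $key === false) {
        return false; // unreadable input is treated as a mismatch
    }
    return openssl_x509_check_private_key($crt, $key);
}

/** Write the pair only after it validates, so a bad pair never reaches the vhost. */
function le_install_pair(string $certPem, string $keyPem, string $certPath, string $keyPath): void
{
    if (!le_pair_matches($certPem, $keyPem)) {
        throw new RuntimeException('certificate and key do not match; keeping the old pair');
    }
    // Create the key file with owner-only permissions before any key bytes are written.
    $old = umask(0077);
    file_put_contents($keyPath, $keyPem);
    umask($old);
    chmod($keyPath, 0600);
    file_put_contents($certPath, $certPem);
}

// --- Demo with constructed sample data ---
$keyA = le_generate_key(2048);
$keyB = le_generate_key(2048);
openssl_pkey_export($keyA, $pemA);
openssl_pkey_export($keyB, $pemB);
$cert = le_self_signed_pem($keyA, 'example.test');

echo 'certificate with its own key:  ', le_pair_matches($cert, $pemA) ? 'match' : 'MISMATCH', PHP_EOL;
echo 'certificate with another key:  ', le_pair_matches($cert, $pemB) ? 'match' : 'MISMATCH', PHP_EOL;

try {
    le_install_pair($cert, $pemB, sys_get_temp_dir() . '/demo.crt', sys_get_temp_dir() . '/demo.key');
} catch (RuntimeException $e) {
    echo 'install refused: ', $e->getMessage(), PHP_EOL;
}
```

Calling the check before the web server reload turns a mismatch into a logged error while the previous certificate stays in service.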
Just pulled the latest commit and received the following error when running
php -q install.php
PHP Parse error: syntax error, unexpected ';' in /root/ISPConfig-letsencrypt/install.php on line 116
hi,
the install and the signing works in general, most domains work very well, but only one fails and this what i can extract from the logs
07.04.2016-10:31 - DEBUG - chmod failed: /var/www/clients/client2/web6/web/.well-known/acme-challenge : g+s
the .well-known folder is left in the Web Directory
if i run the Command only it shows, there is a problem with the alias Domains attached to the main domain.
/root/.local/share/letsencrypt/bin/letsencrypt auth -a webroot --email [email protected] --domains xxx.de --domains www.xxx.de --domains xxxx.de --domains www.xxxx.de --webroot-path /var/www/clients/client666/web666/web
xxx.de (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Error parsing key authorization file: Invalid key authorization: 119 parts
The following errors were reported by the server:
Domain: www.xxx.de
Type: unauthorized
Detail: Error parsing key authorization file: Invalid key
authorization: 119 parts
Domain: xxx.de
Type: unauthorized
Detail: Error parsing key authorization file: Invalid key
authorization: 119 parts
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
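The "119 parts" and "Invalid response ... <!DOCTYPE html" errors in the reports above both mean that the challenge URL returned something other than the key authorization. The following added example (not part of the plugin) checks a response body offline; it assumes the validator splits the body on "." and expects exactly `<token>.<thumbprint>`, and the function name, token and bodies are constructed for illustration.

```php
<?php
// Added example (not the plugin's code). Assumption: the CA expects the body
// "<token>.<base64url SHA-256 thumbprint of the account key>" and counts the
// "."-separated parts, which is what the "N parts" error text suggests.

function le_check_http01_body(string $token, string $body): string
{
    $body = rtrim($body, " \t\r\n");
    $parts = explode('.', $body);

    if (count($parts) !== 2) {
        $looksHtml = stripos($body, '<!DOCTYPE') !== false || stripos($body, '<html') !== false;
        return 'invalid: ' . count($parts) . ' parts'
            . ($looksHtml ? ' (body is an HTML page, e.g. an error page or another vhost)' : '');
    }

    [$gotToken, $thumbprint] = $parts;
    if (!hash_equals($token, $gotToken)) {
        return 'invalid: token in body does not match the requested challenge';
    }
    // A SHA-256 digest is 32 bytes, which is 43 characters in unpadded base64url.
    if (!preg_match('/^[A-Za-z0-9_-]{43}$/', $thumbprint)) {
        return 'invalid: second part is not a base64url SHA-256 thumbprint';
    }
    return 'ok';
}

// --- Constructed sample inputs ---
$token = 'constructed-token-0001';
$good  = $token . '.' . str_repeat('A', 43) . "\n";
$html  = "<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n"
       . " \"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd\">\n"
       . "<html><body><h1>403 Forbidden</h1></body></html>\n";
$stale = 'constructed-token-0000.' . str_repeat('A', 43);

foreach (['key authorization' => $good, 'HTML error page' => $html, 'stale file' => $stale] as $label => $body) {
    echo str_pad($label, 20), le_check_http01_body($token, $body), PHP_EOL;
}
```

Fetching `http://<domain>/.well-known/acme-challenge/<token>` from outside the server and passing the body to this check shows whether a rewrite rule, access restriction or alias vhost is answering instead of the webroot file.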