[LetsEncrypt] Error when trying to retrieve certificate for services domain

  • Hi,


    I'm standing in front of a bit of a puzzling problem currently.


    I was able to generate a LetsEncrypt certificate for the panel as well as a customer domain. However, generating a certificate for the services domain fails with the following error status:



    Things I tried to resolve the issue:
    - Rebooting the machine, just to do a sanity check
    - Removing a customer account that had the same domain assigned to it as the services domain


    Tried to get a certificate issued again after each of these, but that didn't help.


    Environment info:


    OS: Debian Jessie (8.6), last dist-upgrade was today
    i-MSCP version: 1.3.14
    LetsEncrypt plugin version: 2.0.5


    I'm kind of stumped on what else to try. Would appreciate any help you folks can give me. :-)

  • Good morning


    Do you use the PanelRedirect plugin and, if yes, is it up to date?


    Please provide us the domain name and the server IP
    Post us the full content of the /var/log/letsencrypt/letsencrypt.log file


  • @rcrave


    I cannot reproduce the problem. In order, I've tried the following:

    • Creating customer domain name using server hostname
    • Enabling LetsEncrypt for services through admin interface

    Result: No error

    • Enabling PanelRedirect plugin
    • Creating customer domain name using server hostname
    • Enabling LetsEncrypt for services through admin interface

    Result: No error

    • Enabling PanelRedirect plugin
    • Creating customer domain name using server hostname
    • Enabling LetsEncrypt for services through admin interface
    • Enabling LetsEncrypt for customer domain (excluding www) through customer interface

    Result: No error

    • Enabling PanelRedirect plugin
    • Creating customer domain name using server hostname
    • Enabling LetsEncrypt for services through admin interface
    • Enabling LetsEncrypt for customer domain (including www) through customer interface

    Result: No error


  • @Akinos



    Can I access the server for debugging? I'm unable to reproduce locally...


    There is a problem on your side. If I try to access the domain you gave me, I get:

    Code
    Service Unavailable
    The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later.
    Additionally, a 500 Internal Server Error error was encountered while trying to use an ErrorDocument to handle the request.

    I should normally get:

    Code
    You're not allowed to access the requested resource!

    ;)


  • @Akinos


    As said above, there is a problem on your side.


    You've created the /etc/apache2/sites-available/000_default.conf file manually with the following content:


    Shell-Script
    # RCRAVE: All non-existing sub-domains should go to nirvana
    <VirtualHost 178.33.35.204:80>
    RewriteEngine on
    RewriteRule ^/(.*) blah [R=503]
    </VirtualHost>

    which is causing the problem... After disabling the file:

    Shell-Script
    root@web2:/etc/apache2# a2dissite 000_default.conf
    Site 000_default disabled.
    To activate the new configuration, you need to run:
      service apache2 reload
    root@web2:/etc/apache2# service apache2 reload

    all is working as expected (the SSL certificate for the services is issued without any problem). To resume, the problem comes from your side. You should use the DefaultServerPage plugin instead of your bad solution. Please, don't re-enable the 000_default.conf configuration file.


    BTW: You should kill your administrator for adding such a rewrite rule. I don't even know how your other sites can work ;) In my opinion, if there is someone that must go to nirvana, that is your administrator :D

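The failure diagnosed above came from a leftover vhost whose rewrite rule answered every request with 503, so after a panel migration it is worth scanning the enabled sites for rules of that shape. This is an added example, not part of the original posts or of i-MSCP: `scan_conf_dir` and `make_sample` are hypothetical names, the sample vhosts are constructed, and the list of catch-all patterns is an assumption that covers common spellings only.

```shell
# Added example, not from the thread: list RewriteRule directives that answer
# every request path with an HTTP error status.
scan_conf_dir() {   # usage: scan_conf_dir DIR -> "file:line: directive"
    for f in "$1"/*.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            tolower($1) != "rewriterule" { next }   # also skips comment lines
            {
                pattern = $2
                flags = tolower($NF)
                gsub(/\[/, "", flags); gsub(/\]/, "", flags)
                flags = "," flags ","
                # Patterns that match every request path
                catchall = (pattern == "^/(.*)" || pattern == "^/(.*)$" ||
                            pattern == "^(.*)$" || pattern == ".*" ||
                            pattern == "^/" || pattern == "^")
                # R=4xx/5xx, F (403) and G (410) end the request with an error
                errflag = (flags ~ /,r=[45][0-9][0-9],/ ||
                           flags ~ /,(f|forbidden|g|gone),/)
                if (catchall && errflag) {
                    sub(/^[ \t]+/, "")
                    printf "%s:%d: %s\n", file, NR, $0
                }
            }' "$f"
    done
}

# Constructed sample: the rule from the thread beside an ordinary redirect
# (hypothetical vhost, documentation IP address).
make_sample() {
    d=$(mktemp -d) || return 1
    cat > "$d/000_default.conf" <<'EOF'
<VirtualHost 192.0.2.10:80>
    RewriteEngine on
    RewriteRule ^/(.*) blah [R=503]
</VirtualHost>
EOF
    cat > "$d/example.test.conf" <<'EOF'
<VirtualHost 192.0.2.10:80>
    RewriteEngine on
    RewriteRule ^/old/(.*)$ /new/$1 [R=301,L]
</VirtualHost>
EOF
    echo "$d"
}

sample_dir=$(make_sample)
scan_conf_dir "$sample_dir"   # reports only 000_default.conf, line 3
```

On a Debian host the function would be pointed at /etc/apache2/sites-enabled, which holds the sites Apache actually loads.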

  • Thank you for your help finding this bad code. I’ll be talking to my admin later today ;) The 000_default.conf belongs to ISPCP. We totally forgot about this file. We will never put this file into service again and we will delete it everywhere we can find it.


    Best regards,
    Akinos

  • BTW: You should kill your administrator for adding such a rewrite rule. I don't even know how your other sites can work ;) In my opinion, if there is someone that must go to nirvana, that is your administrator :D

    Hey hey hey, let's not do anything drastic – I rather like this world and would like to avoid visiting nirvana for a few more decades. :-D


    Thanks a lot for your help, nuxwin. I really forgot that this file was there. In my defense: We upgraded this server from ispCP / Debian 6 to i-MSCP / Debian 8 yesterday (yes, I know… better late than never). I recall this thing being necessary for one reason or another in our ispCP setup, but obviously we no longer need it with the shiny new system. ;-)


    Again, thanks for helping us out here, and also thanks a lot for the plugin recommendation. I'll look into that later.