Let's Encrypt can't renew certificate because the first hosted domain is disabled.

  • Hello,


    I noticed a bug/problem while using the Let's Encrypt plugin for the address used to access the i-MSCP dashboard. I will explain the whole scenario.


    We have an i-mscp (1.5.1) instance with Let's Encrypt (3.3.0) plugin.


    The i-mscp dashboard is accessed at, let's say, https://i-mscp.domain.tld.


    If you enter http://i-mscp.domain.tld (without SSL) in a browser, the first added domain web site is displayed.


    If you disable that first added domain account, apparently the renewal of the Let's Encrypt certificate for the control panel and services can't be done.


    If I enable that first added domain and push the renew button, all works OK.



    See attachment for details.


    If you need more info, please let me know.

    Files

    • error.png

  • That is almost the expected behavior. I'll try to explain why.


    The control panel domain is not accessible through the default HTTP ports. Therefore, there is no Apache2 configuration for it because it is served through Nginx.


    When you enable Let's Encrypt for the control panel, the validation request is made on port 80 (Apache), and because there is no vhost for the domain, Apache serves the first site it can find. That is normally not a problem because the LetsEncrypt plugin sets up an alias for the /.well-known/acme-challenge/ path which acts as a catch-all for ACME requests:

    As you can see here, any request made for the /.well-known/acme-challenge/ path goes in reality to /var/www/imscp/gui/plugins/LetsEncrypt/acme/.well-known/acme-challenge/

    If you disable that first added domain account, apparently the renewal of the Let's Encrypt certificate for the control panel and services can't be done.


    If I enable that first added domain and push the renew button, all works OK.

    Here is the problem. I'll check. However, if you disable the first added domain like you said, that means that there are no customers, right?


    If I disable the first added domain, it replaces the customer website with a standard/generic "domain disabled" page. And here is the problem: probably /.well-known/acme-challenge/ is not reachable.
    Anyway, wouldn't it be easier if i-mscp could create an http zone for the panel address?


    If you check the panel address now with this tool, it is going to show a "Certificate name mismatch", and it is not quite OK. :)


    If I disable the first added domain, it replaces the customer website with a standard/generic "domain disabled" page. And here is the problem: probably /.well-known/acme-challenge/ is not reachable.

    This shouldn't pose any problem because, as I've explained already, there is an alias set that catches any request made on the /.well-known/acme-challenge/ path. But ok, I'll test that use case. There is maybe a bug somewhere.

    Anyway, wouldn't it be easier if i-mscp could create an http zone for the panel address?

    We don't do that automatically (from the LetsEncrypt plugin) because some users make use of the control panel domain as a customer account or as a subdomain. I'll see how we can handle that in the next release (creating a vhost for the panel domain and also for the system hostname if those are not already set up through the control panel).


    However, for the time being, you can add the control panel domain to i-MSCP manually and enable Let's Encrypt for it. So here, depending on your current setup:

    • If your control panel domain is panel.domain.tld and you already have domain.tld as a customer account in i-MSCP, you must create panel.domain.tld as a subdomain through the domain.tld customer interface. Once done, you must enable Let's Encrypt for the panel.domain.tld subdomain.
    • If your control panel domain is panel.domain.tld and you do not already have domain.tld set up as a customer account in i-MSCP, you must create the panel.domain.tld customer account and, once done, enable Let's Encrypt for the panel.domain.tld domain.

    Note that in both cases, this will not create an additional SSL certificate if you have already enabled Let's Encrypt via the Let's Encrypt administrator interface. The plugin is smart enough to reuse the same SSL certificate.

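    To make the catch-all mechanism discussed in this thread concrete, here is an added example (not i-MSCP's or the plugin's own configuration) of a server-level alias for the ACME challenge path next to a hypothetical "domain disabled" vhost whose rewrite rule is made to exempt that path. The alias target directory is the one named in the thread; the vhost, its ServerName and the RewriteRule are assumptions about how a disabled-domain page could shadow the alias, not something the thread confirms.

```apache
# Added example, not i-MSCP's or the LetsEncrypt plugin's own configuration.
# Server-level Alias (mod_alias): applies inside every vhost that does not
# override it, so an HTTP-01 validation request for any Host name on port 80
# is answered from one shared directory.
Alias /.well-known/acme-challenge/ /var/www/imscp/gui/plugins/LetsEncrypt/acme/.well-known/acme-challenge/

<Directory /var/www/imscp/gui/plugins/LetsEncrypt/acme/.well-known/acme-challenge/>
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Hypothetical vhost (assumption) for a disabled customer domain that shows a
# generic page. A RewriteRule that matches every request runs before mod_alias
# and maps the URI under DocumentRoot, so the challenge file would never be
# served; the RewriteCond exempts the ACME path so the Alias above still applies.
# Requires mod_rewrite to be enabled.
<VirtualHost *:80>
    ServerName customer.example
    DocumentRoot /var/www/disabled
    RewriteEngine On
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ /disabled.html [L]
</VirtualHost>
```

    Before triggering a renewal, placing a small test file in the alias target directory and fetching it over plain HTTP with the panel's Host name confirms whether the catch-all is actually reachable.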