Letsencrypt geht nicht für alle Domains (> token not available)

herrkaffeetrinken · 30. März 2017

Bei einer Konfiguration treten bei der Erstellung von LetsEncrypt Zertifikaten bei einigen Domains Fehler auf:

HTML

root@v22016102474838XXX:~# /usr/bin/php -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug
[information] Updating Let's Encrypt certificates
[information] Updating v22016102474838XXX.nicesrv.de
[information] letsencrypt Using 'https://acme-v01.api.letsencrypt.org' to generate certificate
[information] letsencrypt Using existing account key
[information] letsencrypt Starting certificate generation process for domains
[information] letsencrypt Requesting challenge for v22016102474838XXX.nicesrv.de
[information] letsencrypt Sending signed request to /acme/new-authz
[information] letsencrypt Got challenge token for v22016102474838XXX.nicesrv.de
[information] letsencrypt Token for v22016102474838XXX.nicesrv.de saved at /var/www/froxlor/.well-known/acme-challenge/jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds and should be available at http://v22016102474838XXX.nicesrv.de/.well-known/acme-challenge/jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds
[error] letsencrypt Please check http://v22016102474838XXX.nicesrv.de/.well-known/acme-challenge/jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds - token not available; PHP error: {"type":2,"message":"file_get_contents(http:\/\/v22016102474838XXX.nicesrv.de\/.well-known\/acme-challenge\/jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds): failed to open stream: Connection refused","file":"\/var\/www\/froxlor\/lib\/classes\/ssl\/class.lescript.php","line":232}
[information] letsencrypt Sending request to challenge
[information] letsencrypt Sending signed request to https://acme-v01.api.letsencrypt.org/acme/challenge/_1-2bhvSdgsRx5wGNgKi1vj4i7SrtxIqtMpbrhB8rjM/913689768
[information] letsencrypt Verification pending, sleeping 1s
[error] Could not get Let's Encrypt certificate for v22016102474838XXX.nicesrv.de: Verification ended with error: {"identifier":{"type":"dns","value":"v22016102474838XXX.nicesrv.de"},"status":"invalid","expires":"2017-04-06T06:45:31Z","challenges":[{"type":"http-01","status":"invalid","error":{"type":"urn:acme:error:unauthorized","detail":"Invalid response from http:\/\/v22016102474838XXX.nicesrv.de\/.well-known\/acme-challenge\/jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds: "<html>\r\n<head><title>404 Not Found<\/title><\/head>\r\n<body bgcolor="white">\r\n<center><h1>404 Not Found<\/h1><\/center>\r\n<hr><center>"","status":403},"uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/_1-2bhvSdgsRx5wGNgKi1vj4i7SrtxIqtMpbrhB8rjM\/913689768","token":"jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds","keyAuthorization":"jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds.3eZ9pwD1rA_X2Uzh-UwdC1XtcolJ4XkJTZscM3MIbv0","validationRecord":[{"url":"http:\/\/v22016102474838XXX.nicesrv.de\/.well-known\/acme-challenge\/jTYfYPQijNbXULpWegsaxIhBsIBGmJX64AxWG0--0Ds","hostname":"v22016102474838XXX.nicesrv.de","port":"80","addressesResolved":["188.68.55.20"],"addressUsed":"188.68.55.20"}]},{"type":"dns-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/_1-2bhvSdgsRx5wGNgKi1vj4i7SrtxIqtMpbrhB8rjM\/913689769","token":"qBqkSivdUIdc1o37NUDEgHiN4rTrw_72Sg_vUzgWPqU"},{"type":"tls-sni-01","status":"pending","uri":"https:\/\/acme-v01.api.letsencrypt.org\/acme\/challenge\/_1-2bhvSdgsRx5wGNgKi1vj4i7SrtxIqtMpbrhB8rjM\/913689770","token":"2c4WlW-ZSsIBeSR73hfekbGBML9q3MBhHbhN-rMZhL0"}],"combinations":[[2],[1],[0]]}
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid

Alles anzeigen

Das System ist folgendermaßen konfiguriert

Debian Jessie
Froxlor
nginx mit php-fcgi
Apache2.4 als optionaler Proxy über Port 8080
Konfiguration ausgehend von den Froxlor Vorgaben

Eine erstellte /var/www/froxlor/.well-known/acme-challenge/test.txt ist über die entsprechende Domain aufrufbar.
Was mich wundert ist, dass weitere Domains und auch Subdomains diesen Fehler nicht auslösen.

Viele Grüße, Dorian

KB19 · 30. März 2017

In der ersten Fehlermeldung steht seltsamerweise: Connection refused (und trotzdem macht das Script weiter?!)

Läuft auf dem Server eine Firewall? Oder wurde der Webserver durch das Script restarted/reloaded und lief beim Teestaufruf noch nicht?

MfG Christian

herrkaffeetrinken · 30. März 2017

Sollte eigentlich keinen restart geben.

Die /var/log/nginx/error.log sagt:

Code

2017/03/30 13:05:33 [error] 4336#4336: *15 open() "/var/www/froxlor/.well-known/acme-challenge/O2AlwgIQbdIa3iWxFk8ibAtDp8YYqHfV7uU7_uuuYXg" failed (2: No such file or directory), client: 66.133.109.36, server: v22016102474838XXX.nicesrv.de, request: "GET /.well-known/acme-challenge/O2AlwgIQbdIa3iWxFk8ibAtDp8YYqHfV7uU7_uuuYXg HTTP/1.1", host: "v22016102474838XXX.nicesrv.de"

Ich werde nochmal eine erfolgreiche Generierung aus den logfiles raussuchen.. hier für eine weitere, bei Froxlor eingetragene Domain:
access.log

Code

66.133.109.36 - - [30/Mar/2017:01:11:53 +0200] "GET /.well-known/acme-challenge/0LP2i8hU7U1FOts62IF12fFgLA4WqNyCi4LZUwJl7Fc HTTP/1.1" 200 87 "-" "Mozilla/5.0 (compatible; Let's Encrypt validation server; +https://www.letsencrypt.org)"

Dementsprechend steht in der Konsole dann:

Code

[information] Updating scanalog.de
[information] Adding SAN entry: scanalog.de
[information] letsencrypt Using 'https://acme-v01.api.letsencrypt.org' to generate certificate
[information] letsencrypt Using existing account key
[information] letsencrypt Starting certificate generation process for domains
[information] letsencrypt Requesting challenge for scanalog.de
[information] letsencrypt Sending signed request to /acme/new-authz
[information] letsencrypt Got challenge token for scanalog.de
[information] letsencrypt Token for scanalog.de saved at /var/www/froxlor/.well-known/acme-challenge/V7xebdcUszgv3lKGQxmVEVxM-q-bEdAK-YBwKXxfSbA and should be available at http://scanalog.de/.well-known/acme-challenge/V7xebdcUszgv3lKGQxmVEVxM-q-bEdAK-YBwKXxfSbA
[information] letsencrypt Sending request to challenge
[information] letsencrypt Sending signed request to https://acme-v01.api.letsencrypt.org/acme/challenge/cAWD_Fhz80P3y8bBpPAuzsoOUoXX-v5rNBAzpJKsp4M/915065393
[information] letsencrypt Verification pending, sleeping 1s
[information] letsencrypt Verification ended with status: valid
[information] letsencrypt Sending signed request to /acme/new-cert
[information] letsencrypt Got certificate! YAY!
[information] letsencrypt Requesting chained cert at https://acme-v01.api.letsencrypt.org/acme/issuer-cert
[information] letsencrypt Done, returning new certificates and key
[information] Updated Let's Encrypt certificate for scanalog.de
[information] Let's Encrypt certificates have been updated
[notice] Checking system's last guid

Alles anzeigen

herrkaffeetrinken · 30. März 2017

Hier noch die entsprechenden config files für die nicht funktionierende Domain:

C

# 10_froxlor_ipandport_188.68.55.20.80.conf
# Created 30.03.2017 13:12
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.




server { 
	listen	188.68.55.20:80 default_server;
	# Froxlor default vhost
	server_name	v22016102474838XXX.nicesrv.de;
	access_log  	/var/log/nginx/access.log;
	include /etc/nginx/acme.conf;
	root 	/var/www/froxlor/;
	index	index.php index.html index.htm;




	location / {
	}
#location /phpmyadmin {
#root 	/usr/share/;
#proxy_pass http://127.0.0.1:8080;
#include /etc/nginx/proxy.conf;
#}
	location ~ \.php {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include /etc/nginx/fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		try_files $fastcgi_script_name =404;
		fastcgi_pass 127.0.0.1:8888;
		fastcgi_index index.php;
	}
}

Alles anzeigen

und für die funktionierende Domain:

Code

# 35_froxlor_normal_vhost_scanalog.de.conf
# Created 30.03.2017 13:12
# Do NOT manually edit this file, all changes will be deleted after the next domain change at the panel.




server {
	listen 188.68.55.20:80;
	server_name scanalog.de;
	include /etc/nginx/acme.conf;
	access_log /var/customers/logs/dorianadmin-scanalog.de-access.log combined;
	error_log /var/customers/logs/dorianadmin-scanalog.de-error.log error;
	root /var/customers/webs/dorianadmin/scanalog.de/;

	location / {
		index index.php index.html index.htm;
		try_files $uri $uri/ @rewrites;
	}




	
	location @rewrites {
		rewrite ^ /index.php last;
	}




	location /webalizer {
		alias /var/customers/webs/dorianadmin/webalizer/scanalog.de/;
		auth_basic "Restricted Area";
		auth_basic_user_file /etc/nginx/htpasswd/1-8bfe074323f97615cd5927a3e71491b0.htpasswd;
	}




	location ~ \.php {
		try_files /e36f573c6aeeac0e8984c8d1019ec2de.htm @php;
	}




	location @php {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		include /etc/nginx/fastcgi_params;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_param PATH_INFO $fastcgi_path_info;
		try_files $fastcgi_script_name =404;
		fastcgi_pass 127.0.0.1:8888;
		fastcgi_index index.php;
	}
}

Alles anzeigen

herrkaffeetrinken · 30. März 2017

Ich habe das Problem nun etwas eingrenzen können:
Mein Server scheint die entsprechende Domain nur mit der internen IP 127.0.1.1 aufzulösen:

Code

ping v22016102474838XXX.nicesrv.de
PING v22016102474838XXX.nicesrv.de (127.0.1.1) 56(84) bytes of data.

Eine andere funktionierende Domain löst korrekt auf:

Code

ping scanalog.de
PING scanalog.de (188.68.55.20) 56(84) bytes of data.

Wie lässt sich das korrigieren?

KB19 · 30. März 2017

/etc/hosts