Jump to content
Froxlor Forum
  • 0

[SSL LE] Difference between acme.sh and Froxlor crons


Go to solution Solved by d00p,

Question

Hi,

I'm just wondering what the difference is between the following 2 folders:

Quote

 

/root/.acme.sh/domain.com/*

/etc/ssl/froxlor-custom/*

 

Why is froxlor installing acme.sh cron everytime it runs at 3am everyday especially since the 5-min let's encrypt froxlor cron is already in place? Also, all my db config points to /etc/ssl/froxlor-custom for the domains and all keys/certificates inside that folder have a different md5 from the ones under /root/.acme.sh/, so I'm wondering what's with the mismatch? Are we updating certificates for domains twice?

 

If anyone can shed some more light on this, it will be very much appreciated.

 

Many thanks!

Link to post
Share on other sites

1 answer to this question

Recommended Posts

  • 1
  • Solution

If you are using a recent version of froxlor it's like this:

If let's encrypt is activated for a domain, froxlors cronjob calls acme.sh to issue a certificate.

From this point on, acme.sh takes care of the certificate and it's renewal.

Froxlors cronjob simply checks for changes (new domains, SAN list changes, or similar) to issue to acme.sh.

Any renewal is a simple filesystem synchronisation from /root/.acme.sh/ to froxlors database. The cronjob then creates the certificate files in /etc/ssl/froxlor-custom/ from the contents of the database. The content can vary depending on the used Webserver because it's htttp oriented for the vhosts (e.g. cert + key + chain, or similar)

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Similar Content

    • By d00p
      Dear Froxlor Community,
      I am proud to finally release the stable version of a new API based froxlor. Due to massive internal improvements and changes in the core (almost 600 commits since 0.9.40.1) users are now able to list/create/edit/delete resources and entities of froxlor via API (requires activation of api-usage in the settings and a user based API-key). The froxlor frontend itself uses the API backend too.
      Froxlor now uses composer to include some of its requirements like phpMailer, Logger, IdnaConvert and TwoFactorAuth libraries. All required files will be included in the official tarball so you do not need to worry about installing and using composer (only if you are using / testing the git-master, see https://github.com/Froxlor/Froxlor/wiki/Install-froxlor-from-git-sources).
      Most important changes:
      froxlor now requires at least php-7.0 or newer, php-5.6 is no longer supported because of its EOL almost a year ago you can access data via API, for more information see https://api.froxlor.org/doc/. An example can be found here: https://github.com/Froxlor/Froxlor/tree/master/doc/example PHPUnit tested API backend with MySQL 5.6, 5.7 and 8 as well as MariaDB 10.3 and 10.4, see https://travis-ci.com/Froxlor/Froxlor compatibility for MySQL8 2FA (two-factor-authentication) for admins/resellers/customers (email or authenticator app) all froxlor-database tables will automatically be converted to the InnoDB engine added support for Debian 10 (buster) and Ubuntu 18.04 (bionic beaver) implemented Let's Encrypt via acme.sh - Note: all your current Let's Encrypt certificates will be removed and re-created due to another structure customizable error/access log handling for webserver (format, level, pipe-to-script, etc.) deprecated Debian 7 (wheezy) and Ubuntu 14.04 (trusty tahr) support dropped support for Ubuntu 12.04 (precise pangolin) dropped ticketsystem Changes in 0.10.1:
      allow/disallow API access on a per-customer base new API parameters for Admins.add(), Admins.update(), Customers.add() and Customers.update() bool $api_allowed (default: false for Customers, true for Admins) add explicit tlsv1.3 ciphersuite setting fixed wrong behaviour in Ftps.add() if customer is newly created and setting customer.ftpatdomain is true added expiration date to SSL certificates loaded via API request fixed wrong return in Certificates.get() if given domain does not have a certificate allow setting http2 flag for (sub)domains in customer view, fixes #725 Changes in 0.10.2:
      force Let's Encrypt ACMEv2 API, fixed #728 added default-ssl-vhost settings and optionally allow including of non-ssl default-vhost settings, fixes #727 new API parameters for Domains.add() and Domains.update() string $ssl_specialsettings bool $include_specialsettings bool $dont_use_default_ssl_ipandport_if_empty removed API parameters in Domains.add() bool $use_default_ssl_ipandport_if_empty new API parameters for IpsAndPorts.add() and IpsAndPorts.update() string $ssl_specialsettings bool $include_specialsettings string $ssl_default_vhostconf_domain bool $include_default_vhostconf_domain implemented DomainZones.listing() to return custom stored dns entries fix registration and termination date to flip between empty-value and 0000-00-00 Changes in 0.10.3:
      fallback to /tmp/froxlor.log if file-log is activated but no file given or not writeable; fixes #737 added tls-settings per domain for admins with change_serversettings-flag set; fixes #519 new API parameter for Domains.add() and Domains.update() bool $override_tls (default: false) array $ssl_protocols string $ssl_cipher_list string $tlsv13_cipher_list preserve downward compatibility for 0.10.1 updaters regarding specialsettings for ssl-enabled domains; fixes #739 Changes in 0.10.4:
      added support for CIDR/netmask in mysql-access-hosts; fixes #564 fixed invalid handling of escape-sequences in api-endpoint, fixes #746 fixed an issue with adding the default ftp user for new customer when added by admin/reseller with no ftp-resources; fixes #741 fixed nginx configuration issue with fastcgi_split_path_info option; fixes #744 Changes in 0.10.5:
      bugfix release due to errors in Let's Encrypt re-new check; fixes #747 Changes in 0.10.6:
      introducing new API parameters sql_search, sql_limit, sql_offset, sql_orderby for almost all listing() calls introducing new API method listingCount() for almost all modules to return the total number of entities available changed behavior of SubDomains.listing() to return all fields from the domain table instead of the limited ones for customers when called as admin added new API module SysLog to query froxlor logs according to permission optimized panel_admins and panel_customers table to avoid mysql/mariadb warning: Row size too large (> 8126); fixes #752 corrected update of hosting plans via interface; fixes #753 implemented API method EmailForwarders.listing(); fixes #754 fixed parameters defaults for Domains.update() parameters ssl_ipandports and add new parameter (see below); fixes #756 new API parameters for Domains.update() bool $remove_ssl_ipandport Changes in 0.10.7:
      corrected behavior when changing mysql-access-host values; fixes #758 fix UI error "API keys not accessable due to missing Paging-class" fix trauncating of SysLog using SysLog.delete() corrected UI issue of incorrect listing of domains for customers and admin, fixes #759 corrected ordering of listings in UI regarding pagination added new settings to set default value of domain-edit-settings 'Apply specialsettings to all subdomains' and 'Apply php-config to all subdomains' corrected vhost-merging of specialsettings in nginx; fixes #757 Changes in 0.10.8:
      fix duplicate domain entries in customer-domain-list when domain has aliases fix searching for alias-domains by link in customer_domains use correct apiendpoint for lets encrypt; pass debug-flag onto acme.sh; fixes #762 fix removing of ssl-ip-relation to domain if no ssl-ip is selected via interface Debian package: Move mysql server dependency to redommends; fixes #761 Changes in 0.10.9:
      fix SQL error when searching for certificates by domainname, fixes #764 fix ordering of listings when natural sorting is activated, fixes #765 check for valid result when reading database usage from information_schema; fixes #766 Changes in 0.10.10:
      add new API function Froxlor.generatePassword() to return a random password based on froxlor settings regarding min-length, included characters, etc.; fixes #768 fix mysql8 issue with group by and sorting within; fixes #774 add new 'ssl-enabled' flag for domains and subdomains so ssl can be deactivated (by a customer too) even if there are ssl-ip/ports assigned; introduce new honorcipherorder and sessiontickets flags for more control over ssl-related settings on a per domain base (admin only); fixes #767 and #769 new API parameters for Domains.add() and Domains.update() bool $sslenabled bool $honorcipherorder bool $sessiontickets new API parameters for SubDomains.add() and SubDomains.update() bool $sslenabled new API method Froxlor.generatePassword() Changes in 0.10.11:
      apply 'notryfiles', 'writeaccesslog' and 'writeerrorlog' flags to subdomains when editing a domain fix SysLog.delete(), SysLog.listing() and SysLog.listingCount() whencalled as admin/reseller withouth customers_see_all permission add option to disable SSL sessiontickets globally for older systems, fixes #784 ability to add custom config to PHPFPM version, fixes #643 new API parameters for FpmDaemons.add() and FpmDaemons.update() string $custom_config Changes in 0.10.12:
      allow using more advanced LogFormat for webserver and awstats fix issue in PhpHelper::trimArray() returning an empty array, fixes #751 fix wrong behaviour of Emails.update() which allowed setting iscatchall-flag for more than one address of the same domain fix writable-check of froxlor-logfile if logfile did not exist Changes in 0.10.13:
      validate nameserver ip-addresses for binds allow-transfer block; fixes #791 fix IpsAndPorts when checking for system.ipaddress in update() and delete() fix Domains.update() if called as admin/reseller without change_serversettings privileges, thx to rseffner fix the case that the spf record is not inserted with its quotes, and so the condition fails and 2 spf records are inserted in the domain fix wrongly initialized resource-usage when re-calculating it; fixes #797 update php-fpm defaults; update paths for current stable php-7.3; read froxlor default php.ini from file rather then using phpconfig with id=1; fixes #796 Changes in 0.10.14:
      require set password complexity for admins too when resetting password; display correct error message if password complexity is not satisfied do not require enabled vhost-container for froxlor-vhost to change sslsessiontickets-setting disable sslsessiontickets-option in domain-add/edit if globally disabled in the settings fix listing of customer email addresses if 'domain' section is hidden via settings, fixes #803 add Froxlor.integrityCheck() API call to externally run integrity/consistency check, fixes #801 new API method Froxlor.integrityCheck() make customer firstname,name,company and customer-no available for all templates; fixes #808 store ace-string of domain besides idn-converted string to have correct sorting in the frontend; fixes #809 allow private ip ranges in ips-and-ports as some configurations require that; fixes #802 Changes in 0.10.15:
      fixed temporary userdata file creation results in an empty file on installation; fixes #815 Changes in 0.10.16:
      remove ssl-certificates connected to domains that are being deleted when deleting a customer; fixes #818 fix removing ip address if ip is set as system-ipaddress but there are other entries of that ip with a different port fixed parsing due to changes in dovecots default mail_log_prefix restructure acmesh implementation and let acme.sh take care of renewing the certificates itself; fixes #792, fixes #816 Double check whether installation of acme.sh worked when not installed yet and do not continue if not; fixes #823 add optional dns validation for let's encrypt activated domains; fixes #817 let send-to-alternative-email be optional if no address is given instead of displaying error that the email address is invalid; fixes #829 Changes in 0.10.17:
      fix minor issue with let's encrypt and uppercase letters in domainnames validate we're using the required minimum version of php in frontend and cron, not only on installation adding email addresses via webinterface results in error if domains are hidden from customers; fixes #803 fix including of language-strings in reports-cron, fixes #836 Changes in 0.10.18:
      remove TLSv1 from the list of default SSL-protocols marked Ubuntu 16.04 configuration templates as deprecated removed Ubuntu 14.04 configuration templates added configuration-templates for Ubuntu 20.04 added configuration-templates for CentOS 8 added distribution detection on installation and OS possibility for specific setting-adjustments (for later use) read certificate data folder from acme.sh.env file, fixes #846 corrected API docs, fixes #856 and #857 Changes in 0.10.19:
      return full domain object on Domains.update() call, fixes #861 add missing parmeter customerid for SubDomains.delete() which is required when called as admin; fixes #862 check for possible CNAME overrides of A/AAAA record in dns-editor, fixes #864 corrected timestamp-check for let's encrypt filesystem sync, fixes #865 Changes in 0.10.20:
      fix permanent rebuilding of vhost configs when using let's encrypt updated jquery library, fixes #872 unset any limit as we do not have pagination when showing search-results, fixes #869 fix missing query-parameters for IpsAndPorts.listing() when using sql_search show current count of results besides total count in listings, fixes #869 remove underscore from dkim-selector, refs #619 use overridden limit_extensions and idle_timeout values in vhost config when using fpm and not mod_proxy Changes in 0.10.21:
      corrected check for possible empty-value but existing ssl-certificate on filesystem corrected wrong unit in traffic graphs, fixes #425 removed old/unused table panel_diskspace_admins  
      Download: 0.10.21

      Note: Debian/Ubuntu packages are available as of 21th of October 2019 - Note that there are no packages for oldoldstable (jessie) anymore

      Visit http://www.froxlor.org or join our IRC channel #froxlor on irc.freenode.net for support, help, participation or just a chat

      Thank you,
      d00p
    • By Markus Rassow
      Nachdem gestern die ersten Zertifikate von Let's encrypt mit Froxlor 0.9.40.1 nicht mehr erneuert wurden, musste ich nun doch auch auf die aktuelle 0.10.20 umsteigen.
      Das Setting: Apache 2.4, PHP 5.6 FPM,7.2-7.4 FPM, Dovecot, Postfix, diverse Domains, teilweise nur als Mail-Domains, MySQL 5.7.31. Froxlor läuft mit PHP7.3-FPM.
      Nach Backup der Datenbanken und Dateien von Froxlor habe ich den Cron-Dienst mit systemctl cron stop gestoppt und das alte Froxlor in einen Backup-Ordner verschoben und das aktuelle Froxlor in das Domain-Verzeichnis meines Servers abgelegt. Die userdata.inc.php aus dem alten Froxlor/lib ins neue Froxlor/lib kopiert und dann Froxlor aufgerufen.
      Froxlor meldet die Notwendigkeit, die Datenbank anzupassen und fragt, ob Domains durch Froxlor verifiziert werden sollen: ja. Upgrade läuft problemlos durch.
      Nachdem ich den Cron-Dienst wieder mit systemctl cron start gestartet habe, sind für ein paar Minuten noch alle Domains erreichbar, dann killt Froxlor alle bestehenden SSL-Dateien und stirbt selbst. Apache startet nicht mehr.
      Grund: keine SSL-Zertifikate mehr vorhanden. Nach manuellem Ausführen des Master-Cronjob von der Shell aus scheint zunächst auch alles zu funktionieren. Zertifikate wurden von Let's encrypt geholt - aber nicht in den bisherigen Ordner unter /etc/ssl/froxlor-custom/sub.domain.crt abgelegt sondern in einen Unterordner mit dem jeweiligen Domainnamen. Die Dateinamen der Zertifikate lauten wie bisher auf .crt .Dann scheitert alles weitere. Die Zertifikate werden nicht gefunden, die vHosts nicht angelegt. Apache2 startet zwar, aber nur mit den normalen vHosts. Die SSLs sind weg. Also das Script erneut aufgerufen mit Zusatz --verbose und in ein Logfile geschrieben (Usernamen, IPs und Domainnamen geändert):
      /usr/bin/php7.3 -q /customers/web/example/kap.example.de/scripts/froxlor_master_cronjob.php --tasks
      [Mo 10. Aug 14:33:00 CEST 2020] It is recommended to install socat first. [Mo 10. Aug 14:33:00 CEST 2020] We use socat for standalone server if you use standalone mode. [Mo 10. Aug 14:33:00 CEST 2020] If you don't use standalone mode, just ignore this warning. Nach diversen Fehlermeldungen also schnell noch socat installiert mit:
      apt install socat
      Dann erneut das Script aufgerufen
      /usr/bin/php7.3 -q /customers/web/example/kap.example.de/scripts/froxlor_master_cronjob.php --tasks --force --debug
       
      [information] TasksCron: Searching for tasks to do [information] TasksCron: Task10 started - setting filesystem quota [information] Running Let's Encrypt cronjob prior to regenerating webserver config files [information] Checking for LetsEncrypt client upgrades before renewing certificates: [Mo 10. Aug 14:49:42 CEST 2020] Installing from online archive. [Mo 10. Aug 14:49:42 CEST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz [Mo 10. Aug 14:49:43 CEST 2020] Extracting master.tar.gz [Mo 10. Aug 14:49:43 CEST 2020] Installing to /etc/ssl/froxlor-custom [Mo 10. Aug 14:49:43 CEST 2020] Installed to /etc/ssl/froxlor-custom/acme.sh [Mo 10. Aug 14:49:43 CEST 2020] Good, bash is found, so change the shebang to use bash as preferred. [Mo 10. Aug 14:49:44 CEST 2020] OK [Mo 10. Aug 14:49:44 CEST 2020] Install success! [Mo 10. Aug 14:49:44 CEST 2020] Upgrade success! [Mo 10. Aug 14:49:44 CEST 2020] Installing cron job 4 0 * * * "/customers/home/root/.acme.sh"/acme.sh --cron --home "/customers/home/root/.acme.sh" > /dev/null [information] Requesting 42 new Let's Encrypt certificates [information] Creating certificate for example.de [information] Adding common-name: example.de [information] Adding SAN entry: www.example.de [information] Validating DNS of example.de [information] Validating DNS of www.example.de [debug] https://github.com/acmesh-official/acme.sh v2.8.6 [Mo 10. Aug 14:49:45 CEST 2020] Domains not changed. [Mo 10. Aug 14:49:45 CEST 2020] Skip, Next renewal time is: Fr 9. Okt 12:33:15 UTC 2020 [Mo 10. Aug 14:49:45 CEST 2020] Add '--force' to force to renew. [error] Could not find file 'example.de.cer' in '/etc/ssl/froxlor-custom/example.de/' [error] Could not find file 'ca.cer' in '/etc/ssl/froxlor-custom/example.de/' [error] Could not find file 'fullchain.cer' in '/etc/ssl/froxlor-custom/example.de/' [error] Could not get Let's Encrypt certificate for example.de: [information] Let's Encrypt certificates have been updated [information] apache::createIpPort: creating ip/port settings for 1.2.3.4:80 [debug] 1.2.3.4:80 :: inserted listen-statement [debug] 1.2.3.4:80 :: inserted vhostcontainer [information] apache::createIpPort: creating ip/port settings for 1.2.3.4:443 [debug] 1.2.3.4:443 :: inserted listen-statement [debug] System certificate file "" does not seem to exist. Disabling SSL-vhost for "mail.example.de" [error] mail.lightserve.de :: empty certificate file! Cannot create ssl-directives [debug] 1.2.3.4:443 :: inserted vhostcontainer [information] apache::createVirtualHosts: creating vhost container for domain 1, customer ichselber [debug] System certificate file "" does not seem to exist. Disabling SSL-vhost for "example.de" [error] rassow.de :: empty certificate file! Cannot create ssl-directives --- und so sieht es dann auch für alle Domains aus ---
      [information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/ [information] apache::writeConfigs: rebuilding /etc/apache2/htpasswd/ [information] apache::writeConfigs: rebuilding /etc/apache2/sites-enabled/ [information] Froxlor\Cron\Http\ApacheFcgi::reload: running /etc/init.d/php5.6-fpm reload [information] Froxlor\Cron\Http\ApacheFcgi::reload: running /etc/init.d/php7.2-fpm reload [information] Froxlor\Cron\Http\ApacheFcgi::reload: running /etc/init.d/php7.3-fpm reload [information] Froxlor\Cron\Http\ApacheFcgi::reload: running service php7.4-fpm restart [information] Froxlor\Cron\Http\ApacheFcgi::reload: reloading Froxlor\Cron\Http\ApacheFcgi [notice] Checking system's last guid So endet der erste Durchlauf
      Aus irgend einem Grund sucht das Script nicht wie bisher nach .crt -Zertifikaten sondern nach .cer. In den neu erstellten Unterordnern von /etc/ssl/froxlor-custom finden sich aber z.B. /etc/ssl/froxlor-custom/example.de/mail.example.crt. Nach langer, langer Suche bin ich dahinter gekommen, dass das acme-Script /root/.acme.sh/acme.sh die Schuld daran trägt. Bei mir lag dieses in der Version 2.8.6 vor und legte die Zertifikate als .crt an. Nach einem Update auf 2.8.7 läuft das obige Script nun komplett durch und erstellt die Zertifikate mit dem korrekten Dateinamen. Nun sollten die Configs für Apache auch korrekt erzeugt werden, meint man. Aber leider falsch.
      [information] TasksCron: Searching for tasks to do [information] TasksCron: Task10 started - setting filesystem quota [information] Running Let's Encrypt cronjob prior to regenerating webserver config files [information] Checking for LetsEncrypt client upgrades before renewing certificates: [Mo 10. Aug 15:45:22 CEST 2020] Installing from online archive. [Mo 10. Aug 15:45:22 CEST 2020] Downloading https://github.com/acmesh-official/acme.sh/archive/master.tar.gz [Mo 10. Aug 15:45:23 CEST 2020] Extracting master.tar.gz [Mo 10. Aug 15:45:23 CEST 2020] Installing to /etc/ssl/froxlor-custom [Mo 10. Aug 15:45:23 CEST 2020] Installed to /etc/ssl/froxlor-custom/acme.sh [Mo 10. Aug 15:45:23 CEST 2020] Good, bash is found, so change the shebang to use bash as preferred. [Mo 10. Aug 15:45:24 CEST 2020] OK [Mo 10. Aug 15:45:24 CEST 2020] Install success! [Mo 10. Aug 15:45:24 CEST 2020] Upgrade success! [Mo 10. Aug 15:45:24 CEST 2020] Installing cron job 4 0 * * * "/customers/home/root/.acme.sh"/acme.sh --cron --home "/customers/home/root/.acme.sh" > /dev/null [information] Requesting 42 new Let's Encrypt certificates [information] Creating certificate for example.de [information] Adding common-name: example.de [information] Adding SAN entry: www.example.de [information] Validating DNS of example.de [information] Validating DNS of www.example.de [debug] https://github.com/acmesh-official/acme.sh v2.8.7 [Mo 10. Aug 15:45:25 CEST 2020] Create account key ok. [Mo 10. Aug 15:45:25 CEST 2020] Registering account [Mo 10. Aug 15:45:26 CEST 2020] Registered [Mo 10. Aug 15:45:26 CEST 2020] ACCOUNT_THUMBPRINT='GIEw62wW9oLxZqEaVe-NxhNQKyQbOBDjBWGw8JoZy_c' [Mo 10. Aug 15:45:26 CEST 2020] Creating domain key [Mo 10. Aug 15:45:27 CEST 2020] The domain key is here: /etc/ssl/froxlor-custom/example.de/example.de.key [Mo 10. Aug 15:45:27 CEST 2020] Multi domain='DNS:example.de,DNS:www.example.de' [Mo 10. Aug 15:45:27 CEST 2020] Getting domain auth token for each domain [Mo 10. Aug 15:45:30 CEST 2020] Getting webroot for domain='example.de' [Mo 10. Aug 15:45:30 CEST 2020] Getting webroot for domain='www.example.de' [Mo 10. Aug 15:45:30 CEST 2020] Verifying: example.de [Mo 10. Aug 15:45:33 CEST 2020] Pending [Mo 10. Aug 15:45:44 CEST 2020] Success [Mo 10. Aug 15:45:44 CEST 2020] Verifying: www.example.de [Mo 10. Aug 15:45:47 CEST 2020] Success [Mo 10. Aug 15:45:47 CEST 2020] Verify finished, start to sign. [Mo 10. Aug 15:45:47 CEST 2020] Lets finalize the order, Le_OrderFinalize: https://acme-v02.api.letsencrypt.org/acme/finalize/einpaarzahlen123456789 [Mo 10. Aug 15:45:48 CEST 2020] Download cert, Le_LinkCert: https://acme-v02.api.letsencrypt.org/acme/cert/einhashwert123456789 Certificate: Data: Version: 3 (0x2) Serial Number: 04:ba:42:aa:c3:e2:99:b0:d4:96:55:e8:44:69:b7:85:a8:e7 Signature Algorithm: sha256WithRSAEncryption
      --- hier folgt das Zertifikat ---
      -----END CERTIFICATE----- [Mo 10. Aug 15:45:49 CEST 2020] Your cert is in /etc/ssl/froxlor-custom/example.de/example.de.cer [Mo 10. Aug 15:45:49 CEST 2020] Your cert key is in /etc/ssl/froxlor-custom/example.de/example.de.key [Mo 10. Aug 15:45:49 CEST 2020] The intermediate CA cert is in /etc/ssl/froxlor-custom/example.de/ca.cer [Mo 10. Aug 15:45:49 CEST 2020] And the full chain certs is there: /etc/ssl/froxlor-custom/example.de/fullchain.cer [error] Could not find certificate-folder '/root/.acme.sh/example.de/' [error] Could not get Let's Encrypt certificate for example.de: https://github.com/acmesh-official/acme.sh  
      Und hier folgt dasselbe Problem wie zuvor. Die Zertifikate liegen nun korrekt in den Unterordnern. Warum werden diese nun im Unterordner von /root/.acme.sh/ gesucht?
      Bis hierher bin ich in den vergangenen 16 Stunden vorgedrungen.
      Nun bitte ich um hilfreiche Tipps, wie und wo ich weiter machen soll.
    • By Michael Groß
      Hallo zusammen,
      ich kämpfe momentan mit der SSL Konfiguration von meinem Froxlor-Server.
      Bedauerlicherweise befindet sich der Webserver hinter einer Firewall und hat eine private IP Adresse zugewiesen bekommen. 
      Die Firewall leitet entsprechend den Traffic von außerhalb auf den Server weiter (HTTP ist das alles kein Problem).
      Nun habe ich vorhin SSL aktivieren wollen und hierzu kann ich leider keine private IP Adresse eintragen (lässt Froxlor nicht zu).
      Entsprechend habe ich die public IP eingetragen, was aber auch nicht funktioniert, da durch das NAT der Firewall die private IP angesprochen wird - somit funktioniert dies nicht.
      Habt ihr eine Idee, wie man das umbauen kann?
      An sich brauche ich nur die private IP Adresse als SSL Adresse eintragen - vermute aber, dass dadurch Let's Encrypt auch nicht mehr richtig laufen wird.
      Viele Grüße
      Michael
      PS: Ein 1:1 NAT wäre noch eine Möglichkeit, da ich die Public IP aber für diverse Server verwende, fällt das auch raus. Müsste dann eine neue Public IP kaufen, welche ich dann mit einem 1:1 NAT auf den Webserver laufen lasse (wäre noch eine Möglichkeit)
    • By ZARk
      Hello

      I can't renew certs (or create new certs) since the 0.10 upgrade. was working fine before on 0.9

      I'm basically getting the same output everytime i run this command.
       
      xander /var/www/froxlor # /usr/bin/php7.3 -q /var/www/froxlor/scripts/froxlor_master_cronjob.php --letsencrypt --debug [information] Requesting/renewing Let's Encrypt certificates [information] Creating certificate for Westecheurope.eu [information] Adding SAN entry: Westecheurope.eu [information] Adding SAN entry: www.Westecheurope.eu [Mon 4 Nov 11:23:46 CET 2019] It is recommended to install socat first. [Mon 4 Nov 11:23:46 CET 2019] We use socat for standalone server if you use standalone mode. [Mon 4 Nov 11:23:46 CET 2019] If you don't use standalone mode, just ignore this warning. [information] Checking for LetsEncrypt client upgrades before renewing certificates: [Mon 4 Nov 11:23:45 CET 2019] Installing from online archive. [Mon 4 Nov 11:23:45 CET 2019] Downloading https://github.com/Neilpang/acme.sh/archive/master.tar.gz [Mon 4 Nov 11:23:46 CET 2019] Extracting master.tar.gz [Mon 4 Nov 11:23:46 CET 2019] Installing to /root/.acme.sh [Mon 4 Nov 11:23:46 CET 2019] Installed to /root/.acme.sh/acme.sh [Mon 4 Nov 11:23:46 CET 2019] Good, bash is found, so change the shebang to use bash as preferred. [Mon 4 Nov 11:23:47 CET 2019] OK [Mon 4 Nov 11:23:47 CET 2019] Install success! [Mon 4 Nov 11:23:47 CET 2019] Upgrade success! [Mon 4 Nov 11:23:47 CET 2019] Removing cron job [Mon 4 Nov 11:23:52 CET 2019] get to authz error. [Mon 4 Nov 11:23:52 CET 2019] _authorizations_map='www.westecheurope.eu,{"identifier":{"type":"dns","value":"www.westecheurope.eu"},"status":"pending","expires":"2019-11-07T18:17:12Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077162/e3Lmew","token":"H07E0jvAJ-vnQ4jirnVIxqLeRxDwQ_VC6PQ0RAJgEvU"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077162/rs0T6w","token":"H07E0jvAJ-vnQ4jirnVIxqLeRxDwQ_VC6PQ0RAJgEvU"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077162/ZPjfSg","token":"H07E0jvAJ-vnQ4jirnVIxqLeRxDwQ_VC6PQ0RAJgEvU"}]} westecheurope.eu,{"identifier":{"type":"dns","value":"westecheurope.eu"},"status":"pending","expires":"2019-11-07T18:17:12Z","challenges":[{"type":"http-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077160/hOWGhQ","token":"Bd7XDicTn8dtJBIYc9Eod2d7eOxZGba42pnnl5aCNyI"},{"type":"dns-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077160/nj7_Ow","token":"Bd7XDicTn8dtJBIYc9Eod2d7eOxZGba42pnnl5aCNyI"},{"type":"tls-alpn-01","status":"pending","url":"https://acme-v02.api.letsencrypt.org/acme/chall-v3/1025077160/v7Bc7A","token":"Bd7XDicTn8dtJBIYc9Eod2d7eOxZGba42pnnl5aCNyI"}]} ' [Mon 4 Nov 11:23:52 CET 2019] Please add '--debug' or '--log' to check more details. [Mon 4 Nov 11:23:52 CET 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [debug] [Mon 4 Nov 11:23:48 CET 2019] Creating domain key [Mon 4 Nov 11:23:49 CET 2019] The domain key is here: /root/.acme.sh/Westecheurope.eu/Westecheurope.eu.key [Mon 4 Nov 11:23:49 CET 2019] Multi domain='DNS:Westecheurope.eu,DNS:www.Westecheurope.eu' [Mon 4 Nov 11:23:50 CET 2019] Getting domain auth token for each domain [Mon 4 Nov 11:23:52 CET 2019] Getting webroot for domain='Westecheurope.eu' [error] Could not get Let's Encrypt certificate for Westecheurope.eu: [Mon 4 Nov 11:23:48 CET 2019] Creating domain key [Mon 4 Nov 11:23:49 CET 2019] The domain key is here: /root/.acme.sh/Westecheurope.eu/Westecheurope.eu.key [Mon 4 Nov 11:23:49 CET 2019] Multi domain='DNS:Westecheurope.eu,DNS:www.Westecheurope.eu' [Mon 4 Nov 11:23:50 CET 2019] Getting domain auth token for each domain [Mon 4 Nov 11:23:52 CET 2019] Getting webroot for domain='Westecheurope.eu' [information] No new certificates or certificates due for renewal found [notice] Checking system's last guid  
    • By nisamudeen97
      Hi,
      Our froxlor server is behiend NAT and it uses the local IP  192.168.73.40.  We have enabled letsencrypt module in froxlor and tried validating SSL for a domain in the server.  SSL generation is getting failed with 403 error.  See the debug log information.      Replaced domain name and main IP.    Can any one help me regarding the issue.
       
      [information] Updating Let's Encrypt certificates [information] Updating domain-name.com [information] Adding SAN entry: domain-name.com [information] Adding SAN entry: www.domain-name.com [information] letsencrypt-v2 Using 'https://acme-v02.api.letsencrypt.org' to generate certificate [information] letsencrypt-v2 Using existing account key [information] letsencrypt-v2 Starting certificate generation process for domains [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/new-order [information] letsencrypt-v2 Requesting challenge for domain-name.com [information] letsencrypt-v2 Got challenge token for domain-name.com [information] letsencrypt-v2 Token for domain-name.com saved at /var/www/froxlor/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k and should be available at http://domain-name.com/.well-known/acme-challenge/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [information] letsencrypt-v2 Sending request to challenge [information] letsencrypt-v2 Sending signed request to https://acme-v02.api.letsencrypt.org/acme/chall-v3/803008408/k46kFQ [information] letsencrypt-v2 Verification pending, sleeping 1s [information] letsencrypt-v2 Verification pending, sleeping 1s [error] Could not get Let's Encrypt certificate for domain-name.com: Verification ended with error: {"type":"http-01","status":"invalid","error":{"type":"urn:ietf:params:acme:error:unauthorized","detail":"Invalid response from http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k [212.224.xxx.xxx]: \"<!DOCTYPE html>\\n<html lang=\\\"en-CA\\\" class=\\\"html_stretched responsive av-preloader-active av-preloader-enabled av-default-lightbox\"","status":403},"url":"https:\/\/acme-v02.api.letsencrypt.org\/acme\/chall-v3\/803008408\/k46kFQ","token":"vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","validationRecord":[{"url":"http:\/\/www.domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"www.domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"},{"url":"http:\/\/domain-name.com\/.well-known\/acme-challenge\/vkTyLi2ApfP9O9ou8GyDz6WQmB--HP4ULnU0fhjXI0k","hostname":"domain-name.com","port":"80","addressesResolved":["212.224.xxx.xxx"],"addressUsed":"212.224.xxx.xxx"}]} [information] Let's Encrypt certificates have been updated  
×
×
  • Create New...