Can't Issue SSL

duy13

HI, In the current version of cyberpanel (with support for PHP 7.3) I can not use Issue SSL from CLI:

cyberpanel issueSSL --domainName cyberpanel.net

Issue SSL from webgui also does not work:

Cannot issue SSL. Error message: 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

I did not find any changes to the file httpd_config.conf; There is no declaration about the listener SSL {}, something like this:

listener SSL { map fb.vn fb.vn address 0.0.0.0:443 secure 1 keyFile /usr/local/lsws/admin/conf/webadmin.key certFile /usr/local/lsws/admin/conf/webadmin.crt }

With Cyberpanle old version, only have "PHP 5.3 -> 7.2", everything still works fine.

duy13

IN /serverstatus/cyberCPMainLogFile:

[08-57-26-Thu-Dec-2018] Failed to obtain SSL, issuing self-signed SSL for: locloc.club [08-58-52-Thu-Dec-2018] Trying to obtain SSL for: locloc.club and: www.locloc.com [08-59-08-Thu-Dec-2018] Failed to obtain SSL for: locloc.club and: www.locloc.com [08-59-08-Thu-Dec-2018] Trying to obtain SSL for: locloc.com [08-59-17-Thu-Dec-2018] Failed to obtain SSL, issuing self-signed SSL for: locloc.com

CyberPanel

Can you provide more information using the Second Way here https://cyberpanel.net/docs/troubleshooting-cyberpanel/ ?

duy13

Dec 20 15:06:08 s1 gunicorn[4625]: [Thu Dec 20 15:06:08 UTC 2018] locloc.com:Verify error:Invalid response from http://locloc.com/.well-known/acme-challenge/rgvqFe_ZGEgAcjFJNchQO4C0oIJKZ8VslFDZxIDONTU: Dec 20 15:06:08 s1 gunicorn[4625]: [Thu Dec 20 15:06:08 UTC 2018] Please add '--debug' or '--log' to check more details. Dec 20 15:06:08 s1 gunicorn[4625]: [Thu Dec 20 15:06:08 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh Dec 20 15:06:19 s1 gunicorn[4625]: [Thu Dec 20 15:06:19 UTC 2018] locloc.com:Verify error:Invalid response from http://locloc.com/.well-known/acme-challenge/Pfm95pSj7gxwBcjfiG3yMpKq6HVK8QwCt-QEH29fw2w: Dec 20 15:06:19 s1 gunicorn[4625]: [Thu Dec 20 15:06:19 UTC 2018] Please add '--debug' or '--log' to check more details. Dec 20 15:06:19 s1 gunicorn[4625]: [Thu Dec 20 15:06:19 UTC 2018] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh

CyberPanel

Verification file is not reachable, probably:

1. DNS.
2. Some rewrite rule is conflicting

duy13

Please do not care about getting ssl from Let's encrypt, I do not care about certificates, I need Cyberpanel can add an HTTPS website, i mean self certificate ssl can not be added to OpenLiteSpeed config file httpd_config.conf

Centos 7

The problem is in the command:

cyberpanel issueSSL --domainName locloc.com

It can not add HTTPS webs to Cyberpanel and Openlitespeed

CyberPanel

Oh, we canceled issuing self-signed SSL, is this what you want?

duy13

Oh, we canceled issuing self-signed SSL, is this what you want?

OMG, yes that's what I want. Why disable self-signed SSL, I feel it is very useful for sites that can not get a certificate from Let's Encrypt.
Besides, many websites use SSL from the cloudflare proxy and they just need a self-signed SSL in the backend Openlitespeed for thier site.

CyberPanel

The issue was people trying to get SSL and when Let's Encrypt failed we used to issue self-signed SSL and function return successfully, even though in the log it says failed to obtain SSL but most of the users were not comfortable as they assume SSL was success and when they load the site they get SSL error.

We can try to think of more good work around.

duy13

So, Will the self-signed SSL function come back?
For the problem you mentioned, you can create an additional function to automatically check the SSL certificate of the domain and when you discover an invalid certificate you can request again certificate from "Let's encrypt" cycle.

duy13

Or you can create a new command line with the function auto create a self-signed certificate, then add them to HTTPS of the specified domain. Or a certain command has the ability to create HTTPS web from the specified ssl certificate file (maybe they have purchased their own ssl certificate from Comodo, GoDaddy, Cloudflare ...)

duy13

cyberpanel issueSSL --domainName abc.com --privatekey /home/abc.com.key --publickey /home/abc.com.crt

CyberPanel

If you want I can add a cli function to only issue self-signed ssl?

duy13

Thanks, I really need that function

CyberPanel

Will be added soon, will update you.

CyberPanel

Pushed hotfix, the command is like

cyberpanel issueSelfSignedSSL --domainName cyberpanel.net

olalavui

[Thu Oct 17 17:19:30 UTC 2019] Register account Error: {"type":"urn:acmeunauthorized","detail":"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.","status": 403} [Thu Oct 17 17:19:30 UTC 2019] Please add '--debug' or '--log' to check more details. [Thu Oct 17 17:19:30 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Thu Oct 17 17:19:33 UTC 2019] Register account Error: {"type":"urn:acmeunauthorized","detail":"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.","status": 403} [Thu Oct 17 17:19:33 UTC 2019] Please add '--debug' or '--log' to check more details. [Thu Oct 17 17:19:33 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

Can you help me?

hoangnguyenkt02

olalavui said:

[Thu Oct 17 17:19:30 UTC 2019] Register account Error: {"type":"urn:acmeunauthorized","detail":"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.","status": 403} [Thu Oct 17 17:19:30 UTC 2019] Please add '--debug' or '--log' to check more details. [Thu Oct 17 17:19:30 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Thu Oct 17 17:19:33 UTC 2019] Register account Error: {"type":"urn:acmeunauthorized","detail":"Account creation on ACMEv1 is disabled. Please upgrade your ACME client to a version that supports ACMEv2 / RFC 8555. See https://community.letsencrypt.org/t/end-of-life-plan-for-acmev1/88430 for details.","status": 403} [Thu Oct 17 17:19:33 UTC 2019] Please add '--debug' or '--log' to check more details. [Thu Oct 17 17:19:33 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]

Can you help me?

Point your Domain DNS A record to the server IP and issue SSL.

nguyenduongmaxbuy

Cannot issue SSL. Error message: [Tue Oct 22 03:27:15 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/2zMt99k_CTHM9U_jIVPMyBTsZMcUOxFinuzPkHV_YOE [66.42.57.223]: [Tue Oct 22 03:27:15 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:15 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Tue Oct 22 03:27:26 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/JJdQ6L_nDJbdOoNE-h-r7P78aCq-9P2hH85CDbq5LeE [66.42.57.223]: [Tue Oct 22 03:27:26 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:26 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]
Can you help me?

nguyenduongmaxbuy

Cannot issue SSL. Error message: [Tue Oct 22 03:27:15 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/2zMt99k_CTHM9U_jIVPMyBTsZMcUOxFinuzPkHV_YOE [66.42.57.223]: [Tue Oct 22 03:27:15 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:15 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Tue Oct 22 03:27:26 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/JJdQ6L_nDJbdOoNE-h-r7P78aCq-9P2hH85CDbq5LeE [66.42.57.223]: [Tue Oct 22 03:27:26 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:26 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]
Can you help me?

nguyenduongmaxbuy

Cannot issue SSL. Error message: [Tue Oct 22 03:27:15 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/2zMt99k_CTHM9U_jIVPMyBTsZMcUOxFinuzPkHV_YOE [66.42.57.223]: [Tue Oct 22 03:27:15 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:15 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Tue Oct 22 03:27:26 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/JJdQ6L_nDJbdOoNE-h-r7P78aCq-9P2hH85CDbq5LeE [66.42.57.223]: [Tue Oct 22 03:27:26 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:26 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]
Can you help me?

nguyenduongmaxbuy

Cannot issue SSL. Error message: [Tue Oct 22 03:27:15 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/2zMt99k_CTHM9U_jIVPMyBTsZMcUOxFinuzPkHV_YOE [66.42.57.223]: [Tue Oct 22 03:27:15 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:15 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh [Tue Oct 22 03:27:26 UTC 2019] vietladders.com:Verify error:Invalid response from http://vietladders.com/.well-known/acme-challenge/JJdQ6L_nDJbdOoNE-h-r7P78aCq-9P2hH85CDbq5LeE [66.42.57.223]: [Tue Oct 22 03:27:26 UTC 2019] Please add '--debug' or '--log' to check more details. [Tue Oct 22 03:27:26 UTC 2019] See: https://github.com/Neilpang/acme.sh/wiki/How-to-debug-acme.sh 0,283 Failed to obtain SSL for domain. [issueSSLForDomain]
Can you help me?

deltablue

Same problem here

olalavui

hoangnguyenkt02 said:

Point your Domain DNS A record to the server IP and issue SSL.

I already point domain to IP before, and today i try, have same error

jowestbrook

Type your comment> @olalavui said:
> (Quote)
> I already point domain to IP before, and today i try, have same error

I have a fix that worked for me. You can test it as you go.

Step 1 - Note your current cert timestamp with: `openssl x509 -noout -dates -in /etc/letsencrypt/live/YOURDOMAIN.COM/cert.pem`

- Note the timestamp for "notBefore"

Step 2 - Locate and manually edit your "acme.sh" script. Mine was in /home/cyberpanel, but yours may be in /root. Inside the file find and change the following lines:

Old Lines:
`DEFAULT_CA=$LETSENCRYPT_CA_V1`
`DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V1`

New Lines:
`DEFAULT_CA=$LETSENCRYPT_CA_V2`
`DEFAULT_STAGING_CA=$LETSENCRYPT_STAGING_CA_V2`

You're just changing the V1 to V2 for your defaults. It should work now when you force issue a cert on your domain in the next step.

Step 3 - Force issue new cert with:
`/root/.acme.sh/acme.sh --issue -d YOURDOMAIN.COM -d www.YOURDOMAIN.COM --cert-file /etc/letsencrypt/live/YOURDOMAIN.COM/cert.pem --key-file /etc/letsencrypt/live/YOURDOMAIN.COM/privkey.pem --fullchain-file /etc/letsencrypt/live/YOURDOMAIN.COM/fullchain.pem -w /home/YOURDOMAIN.COM/public_html --force --debug`

* Remember to change the paths in the above appropriately for your server

You should have a successful SSL install and can move on to double checking the date, by issuing the command from Step 1 and noting the timestamp, which should be just now.

Hope that helps!