plesk / letsencrypt-plesk

Let’s Encrypt extension for Plesk gives all Plesk users the power to get a free Let’s Encrypt certificate with just a couple of clicks.
https://www.plesk.com/extensions/letsencrypt/

If mailservice for a domain is switched off, Plesk is still trying to get a Let's Encrypt Cert for webmail.example.com #193

Open holzhannes opened 6 years ago

holzhannes commented 6 years ago

I have some Domains where E-Mail-Service is switched off but in the inactive dropdown roundcube is still selected. In the logs you can see that the Cert for the Domain example.com is still valid but later on the same day LE-Plugin is trying to get a Cert again. Which will end in Status: 429 Detail: Error creating new authz :: too many currently pending authorizations: see because it is done every day again and again.

I switched on the E-Mail-Service for the Domains and selected 'none' as webmail service. Afterwards I switched the E-Mail-Service off again. Maybe this helps to solve the issue first of all.

[2018-01-15 09:10:09] DEBUG [extension/letsencrypt] Skip certificate renewal of domain 'example.com': the certificate will expire in more than 30 days at 2018-04-13.

[...]

[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Domain is secured by valid Let's Encrypt certificate, all subjects are secured.
[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Keep domain secured: 'example.com'...
[2018-01-15 10:10:05] DEBUG [api-rpc] Incoming API-RPC request [ac89561954042f714773522e439d82eb]:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.9.0">
  <mail>
    <get_prefs>
      <filter>
        <site-id>29</site-id>
      </filter>
    </get_prefs>
  </mail>
</packet>

[2018-01-15 10:10:05] DEBUG [panel] Protocol version: 1.6.9.0
[2018-01-15 10:10:05] DEBUG [panel] run operator mail
[2018-01-15 10:10:05] DEBUG [api-rpc] API-RPC response [ac89561954042f714773522e439d82eb]:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.9.0">
  <mail>
    <get_prefs>
      <result>
        <status>ok</status>
        <site-id>29</site-id>
        <prefs>
          <nonexistent-user>
            <forward>anna@example.com</forward>
          </nonexistent-user>
          <webmail>roundcube</webmail>
          <spam-protect-sign>false</spam-protect-sign>
          <mailservice>false</mailservice>
        </prefs>
      </result>
    </get_prefs>
  </mail>
</packet>

[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Domain is secured by valid Let's Encrypt certificate, try to secure missed subjects: webmail.example.com
[2018-01-15 10:10:05] DEBUG [api-rpc] Incoming API-RPC request [ac89561954042f714773522e439d82eb]:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.9.0">
  <server>
    <get>
      <certificates/>
    </get>
  </server>
</packet>

[2018-01-15 10:10:05] DEBUG [panel] Protocol version: 1.6.9.0
[2018-01-15 10:10:05] DEBUG [panel] run operator server
[2018-01-15 10:10:05] DEBUG [api-rpc] API-RPC response [ac89561954042f714773522e439d82eb]:
<?xml version="1.0" encoding="UTF-8"?>
<packet version="1.6.9.0">
  <server>
    <get>
      <result>
        <status>ok</status>
        <certificates>
          <panel>
            <name>*.my-pleskpanel.com</name>
            <admin/>
          </panel>
          <mail-server>
            <name>*.my-pleskpanel.com</name>
            <admin/>
          </mail-server>
        </certificates>
      </result>
    </get>
  </server>
</packet>

[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Search latest certificate in certificate storage: 'example.com'...
[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Certificate is found in certificate storage, serial number: 307036086536873038790578170741301075073850.
[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Found certificate is equal with current certificate.
[2018-01-15 10:10:05] INFO [extension/letsencrypt] Register to ACME server 'https://acme-v01.api.letsencrypt.org/directory' using e-mail 'mail@my-pleskpanel.com'
[2018-01-15 10:10:05] INFO [extension/letsencrypt] Validate ACME server using custom CA bundle: '/opt/psa/admin/plib/modules/letsencrypt/resources/ca/cacert.pem'.
[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Use existing registration from /opt/psa/var/modules/letsencrypt/registrations/90012fc18999cb6e6d0a00215826330f30497680.json
[2018-01-15 10:10:05] INFO [extension/letsencrypt] Solve challenges for domains: example.com, www.example.com, webmail.example.com...
[2018-01-15 10:10:08] WARN [extension/letsencrypt] Cannot issue certificate to keep secured domain 'example.com'. Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-authz.
Details:
Type: urn:acme:error:rateLimited
Status: 429
Detail: Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/
[2018-01-15 10:10:08] DEBUG [extension/letsencrypt] PleskExt\Letsencrypt\Acme\Exception\BadResponseException: Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-authz.
Details:
Type: urn:acme:error:rateLimited
Status: 429
Detail: Error creating new authz :: too many currently pending authorizations: see https://letsencrypt.org/docs/rate-limits/
file: /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Exception/BadResponseException.php
line: 38
code: 0
trace: #0 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Challenge.php(140): PleskExt\Letsencrypt\Acme\Exception\BadResponseException::create(object of type GuzzleHttp\Psr7\Response)
#1 /opt/psa/admin/plib/modules/letsencrypt/library/Acme/Challenge.php(34): PleskExt\Letsencrypt\Acme\Challenge->requestChallenges(string 'example.com')
#2 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(413): PleskExt\Letsencrypt\Acme\Challenge->solve(object of type PleskExt\Letsencrypt\ChallengeSolver\DomainDocRootHttpSolver, boolean false)
#3 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(320): PleskExt\Letsencrypt\Acme->solveDomainChallenge(object of type PleskExt\Letsencrypt\Acme\Registration, string 'example.com', object of type PleskExt\Letsencrypt\ChallengeSolver\DomainDocRootHttpSolver)
#4 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(287): PleskExt\Letsencrypt\Acme->solveDomainChallenges(object of type PleskExt\Letsencrypt\Acme\Registration, array, object of type PleskExt\Letsencrypt\ChallengeFailed\LogChallengeFailedStrategy)
#5 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(255): PleskExt\Letsencrypt\Acme->obtainCertificate(string 'mail@my-pleskpanel.com', array, object of type PleskExt\Letsencrypt\ChallengeFailed\LogChallengeFailedStrategy, object of type PleskExt\Letsencrypt\CertificateIssuance\FailIfAnyRequiredChallengesFailedStrategy)
#6 /opt/psa/admin/plib/modules/letsencrypt/library/Acme.php(535): PleskExt\Letsencrypt\Acme->obtainCertificateWithinTimeout(string 'mail@my-pleskpanel.com', array, object of type PleskExt\Letsencrypt\ChallengeFailed\LogChallengeFailedStrategy, object of type PleskExt\Letsencrypt\CertificateIssuance\FailIfAnyRequiredChallengesFailedStrategy)
#7 /opt/psa/admin/plib/modules/letsencrypt/library/SecureDomain/SecureDomainService.php(233): PleskExt\Letsencrypt\Acme->keepDomainSecured(object of type PleskExt\Letsencrypt\Bridge\Domain, array, object of type PleskExt\Letsencrypt\CertificateIssuance\FailIfAnyRequiredChallengesFailedStrategy, boolean true, boolean true, boolean false, boolean false)
#8 /opt/psa/admin/plib/modules/letsencrypt/library/SecureDomain/SecureDomainService.php(56): PleskExt\Letsencrypt\SecureDomain\SecureDomainService->keepDomainSecured(object of type PleskExt\Letsencrypt\Bridge\Domain, object of type PleskExt\Letsencrypt\SecureDomain\CertificateValidator, object of type PleskExt\Letsencrypt\Bridge\CertificateManipulator, object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#9 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(128): PleskExt\Letsencrypt\SecureDomain\SecureDomainService->keepDomainsSecured(object of type PleskExt\Letsencrypt\SecureDomain\CertificateValidator, object of type PleskExt\Letsencrypt\Bridge\CertificateManipulator, object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#10 /opt/psa/admin/plib/modules/letsencrypt/library/KeepSecured/KeepSecuredService.php(75): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepDomainsSecured(object of type PleskExt\Letsencrypt\KeepSecured\KeepSecuredNotifier)
#11 /opt/psa/admin/plib/modules/letsencrypt/scripts/keep-secured.php(19): PleskExt\Letsencrypt\KeepSecured\KeepSecuredService->keepAllSecured()

holzhannes commented 6 years ago

Workaround: Let's encrypt notifications: Missed domain names failed to pass validation: webmail.example.com

oliver-graetz commented 6 years ago

I have the same problem. The DNS for the webmail subdomain was changed. Naturally, the certificate renewal started failing for that subdomain. So I went into the Let's Encrypt settings for the domain, removed the checkmark for "secure webmail for this domain" and requested certificate renewal. That worked, and should have been the end of the story.

But when going into the certificate settings, then there's still a note saying "This certificate is used for securing webmail". And every day I get a mail where it says that renewal for the webmail subdomain has failed, even though Plesk shouldn't even try that anymore.
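
A log check for the behaviour reported in this thread (the debug log in the first post and the daily failure mails in the last comment), as an added example that is not part of the issue or the extension's code: it flags keep-secured runs where `webmail.<domain>` is requested although the mail preferences show `<mailservice>false</mailservice>`, and counts the resulting ACME 429 responses. The sample log is constructed from the line formats quoted above, and the function name is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, condensed from the log format quoted in the issue (two daily runs).
SAMPLE_LOG = """\
[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Keep domain secured: 'example.com'...
          <mailservice>false</mailservice>
[2018-01-15 10:10:05] DEBUG [extension/letsencrypt] Domain is secured by valid Let's Encrypt certificate, try to secure missed subjects: webmail.example.com
[2018-01-15 10:10:08] WARN [extension/letsencrypt] Cannot issue certificate to keep secured domain 'example.com'. Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-authz.
Type: urn:acme:error:rateLimited
[2018-01-16 10:10:05] DEBUG [extension/letsencrypt] Keep domain secured: 'example.com'...
          <mailservice>false</mailservice>
[2018-01-16 10:10:05] DEBUG [extension/letsencrypt] Domain is secured by valid Let's Encrypt certificate, try to secure missed subjects: webmail.example.com
[2018-01-16 10:10:08] WARN [extension/letsencrypt] Cannot issue certificate to keep secured domain 'example.com'. Invalid response from https://acme-v01.api.letsencrypt.org/acme/new-authz.
Type: urn:acme:error:rateLimited
[2018-01-16 10:11:02] DEBUG [extension/letsencrypt] Keep domain secured: 'example.org'...
          <mailservice>true</mailservice>
[2018-01-16 10:11:02] DEBUG [extension/letsencrypt] Domain is secured by valid Let's Encrypt certificate, try to secure missed subjects: webmail.example.org
"""

TS = r"\[(\d{4}-\d{2}-\d{2}) [\d:]+\]"
KEEP = re.compile(TS + r".*Keep domain secured: '([^']+)'")
MAILSVC = re.compile(r"<mailservice>(true|false)</mailservice>")
MISSED = re.compile(TS + r".*try to secure missed subjects: (.+)$")
RATE = re.compile(r"^Type: urn:acme:error:rateLimited")

def find_stale_webmail_renewals(log_text):
    """Return {domain: {"days": [...], "rate_limited": n}} for runs where the
    extension requests webmail.<domain> although <mailservice> is false."""
    findings = defaultdict(lambda: {"days": [], "rate_limited": 0})
    domain, mail_on, flagged = None, None, False
    for line in log_text.splitlines():
        if m := KEEP.search(line):            # a new per-domain run starts
            domain, mail_on, flagged = m.group(2), None, False
        elif m := MAILSVC.search(line):       # mail get_prefs response for this run
            mail_on = m.group(1) == "true"
        elif (m := MISSED.search(line)) and domain:
            subjects = [s.strip() for s in m.group(2).split(",")]
            if mail_on is False and f"webmail.{domain}" in subjects:
                findings[domain]["days"].append(m.group(1))
                flagged = True
        elif RATE.match(line) and flagged:    # ACME 429 following the stale request
            findings[domain]["rate_limited"] += 1
            flagged = False                   # the exception dump repeats the Type line
    return dict(findings)

if __name__ == "__main__":
    for dom, info in find_stale_webmail_renewals(SAMPLE_LOG).items():
        print(dom, info["days"], "rate-limited runs:", info["rate_limited"])
```

A domain that shows up on consecutive days here is consuming pending authorizations on every scheduled run, which is the pattern that ends in the rate-limit error quoted in the first post.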