Cannot get SSL from LE to work

Problem Description

Fresh install of Sympl on Debian 11, Digital ocean VPS. Create new site and then run sympl-ssl. On the base install site and additional ones, the SSL command fails as it cannot find the acme-challenge. When I cd into /srv/site.com/public/htdocs/.well-known/acme-challenges it is empty. It looks like Sympl is not creating the challenge files in the directory and that is why certificate request fails.

Would appreciate any pointers.

Any Error Messages

* Examining certificates for invoicing.xxxxxxx.com
        No valid certificate sets found.
        Fetching a new certificate from LetsEncrypt.
        Requesting verification for invoicing.xxxxxxx.com from https://acme-v02.api.letsencrypt.org/directory
        !! Unable to verify invoicing.xxxxxxxx.com (status: invalid)
        !! Check http://invoicing.xxxxxxxx.com/.well-known/acme-challenge/NTcgEvODYGi8UMkpolBjNj_RtfzviY7eoM1nLuPzyM8 works.
        Requesting verification for www.invoicing.xxxxxxxxx.com from https://acme-v02.api.letsencrypt.org/directory
        !! Unable to verify www.invoicing.xxxxxxxxx.com (status: invalid)
        !! Check http://www.invoicing.xxxxxxxxx.com/.well-known/acme-challenge/3eyTFEl1a9T0XuOVyJ9iayOhb9sNIF7kQ7qlucfTbPQ works.
        !! Failed: Failed to fetch certificate

Environment

  • Sympl Version [9.0/10.0]: 11
  • Sympl Testing Version? [Yes/No] No
  • Debian Version [Buster/Stretch]: 11 Bullseye (although same on 10)
  • Hardware Type? [Dedicated/Virtual/Pi] VPS DO
  • Hosted On? [name of hosting co] Digital Ocean

The .well-known/acme-challenge directory is normally empty. It only gets a file written to it during the LetsEncrypt verification and I think the file is then immediately removed.
Does the domain in question have a correct public DNS record? LetsEncrypt has to be able to find it via DNS. I only ask because I’ve occasionally tripped up on that.

Hi there.

Thanks for the reply. The domain is correct as it resolves to the server. I can browse to the site being served with no issues. It is a fairly new server so perhaps it is just DNS propagation. I will try again tomorrow in case it's just slow DNS updates.

Have you checked that you can in fact browse to http://invoicing.xxxxxxxx.com/.well-known/acme-challenge/NTcgEvODYGi8UMkpolBjNj_RtfzviY7eoM1nLuPzyM8 ? You need to be able to access that address. If not, the DNS or something else is wrong.

If you can access it, why can’t letsencrypt?

Let's Encrypt gets the DNS for the site from the authoritative servers when checking from multiple locations, so assuming they are all up to date, there's little to no DNS caching involved.

It is worth checking you updated both A and AAAA records however, as that can be a common cause of this kind of issue.

OK, so the default Apache page I am seeing is the one at /var/www/html and not one in the site.

It looks like the sites are not being directed to the hosts in the /srv folder. All traffic is being directed to the root Apache default index page. Not sure what I am doing wrong. Made the folders in /srv as directed in the wiki, ran web-configure, etc.

Make sure you've created /srv/example.com/public/htdocs rather than any other path, or try using sympl web create example.com to create the relevant paths.

You typically shouldn’t see the default Apache page with Sympl, so if you’re still seeing that, check the server’s IP address you have set in the DNS matches the output of sympl-ip.

If you’re still seeing the Apache site, it’s worth creating another file in /var/www/html and seeing if you can browse to it.
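The replies above amount to three checks: can the challenge URL be fetched over plain HTTP, do the A and AAAA records point at an address actually bound on this host, and does the address sympl-ip reports (the one Sympl puts in the vhost) match what DNS publishes. The script below strings those together. It is an added example, not part of the thread and not Sympl's own tooling; it assumes dig, ip, curl and sympl-ip are installed, that sympl-ip prints the address Sympl uses for vhosts, and that the docroot is /srv/DOMAIN/public/htdocs. The addresses in the comments are documentation ranges, not real hosts.

```shell
#!/bin/sh
# ssl-diag.sh: find out why an HTTP-01 challenge for DOMAIN is not reaching
# the Sympl vhost. Added example; assumes dig (dnsutils), ip, curl and sympl-ip.

# addrs_not_in LIST_A LIST_B: print the space-separated addresses in LIST_A
# that do not appear in LIST_B (pure string logic, no network).
addrs_not_in() {
    want="$1"; have="$2"; out=""
    for a in $want; do
        found=0
        for b in $have; do
            [ "$a" = "$b" ] && found=1
        done
        [ "$found" -eq 0 ] && out="$out $a"
    done
    printf '%s\n' "${out# }"
}

# diagnose DNS_ADDRS LOCAL_ADDRS VHOST_ADDRS: classify the situation.
#   no-dns                        no A/AAAA record at all
#   dns-points-elsewhere          some DNS address is not bound on this host
#   vhost-bound-to-other-address  the address sympl-ip picked is not in DNS
#   ok                            challenge requests should reach the vhost
diagnose() {
    dns="$1"; local_addrs="$2"; vhost="$3"
    if [ -z "$dns" ]; then
        echo "no-dns"
    elif [ -n "$(addrs_not_in "$dns" "$local_addrs")" ]; then
        echo "dns-points-elsewhere"
    elif [ -n "$(addrs_not_in "$vhost" "$dns")" ]; then
        echo "vhost-bound-to-other-address"
    else
        echo "ok"
    fi
}

# acme_probe DOMAIN DOCROOT: drop a throw-away token under
# .well-known/acme-challenge and fetch it over plain HTTP the way the CA would.
# Succeeds only if the request lands in DOCROOT rather than some other vhost.
acme_probe() {
    domain="$1"; dir="$2/.well-known/acme-challenge"
    token=$(head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n')
    mkdir -p "$dir"
    printf 'probe-%s' "$token" > "$dir/$token"
    body=$(curl -fsS --max-time 10 "http://$domain/.well-known/acme-challenge/$token" || true)
    rm -f "$dir/$token"
    [ "$body" = "probe-$token" ]
}

main() {
    domain="$1"; docroot="${2:-/srv/$1/public/htdocs}"
    # What the world sees (dig +short may also print CNAME targets; keep only addresses).
    dns=$(dig +short A "$domain"; dig +short AAAA "$domain")
    dns=$(printf '%s\n' "$dns" | grep -E '^[0-9a-fA-F.:]+$' | tr '\n' ' ')
    # What this host has bound, and what Sympl will write into the vhost.
    local_addrs=$(ip -o addr show scope global | awk '{split($4, a, "/"); print a[1]}' | tr '\n' ' ')
    vhost=$(sympl-ip 2>/dev/null | tr '\n' ' ' || true)
    echo "DNS:     $dns"
    echo "local:   $local_addrs"
    echo "vhost:   $vhost"
    echo "verdict: $(diagnose "$dns" "$local_addrs" "$vhost")"
    if acme_probe "$domain" "$docroot"; then
        echo "acme probe: token served from $docroot"
    else
        echo "acme probe: token NOT served (another vhost or another host answered)"
    fi
}

case "${1:-}" in
    check) shift; main "$@" ;;
esac
```

Run it as sh ssl-diag.sh check invoicing.example.com. A verdict of vhost-bound-to-other-address is the case in this thread: DNS carries the public address, the host has both a public and a private address, and the vhost was generated for the private one, so requests arriving on the public address fall through to Apache's default site in /var/www/html and the token is never served.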

I just came back to say this!! It is an IP issue. The server seems to have been set up with two interfaces and sympl is taking the internal address as the primary.

How can I tell sympl to use the external IP for all sites? I know I can place a file in /config for each site but is there a way to tell sympl to configure the external address as the default?

There's a feature request for that functionality at the moment, for instances when you're behind NAT, but not at present - it should default to the primary address bound to the interface, so if there are other addresses added for routing then you'll need to specify them individually in config/ip for each domain.

The external IP is on the primary interface eth0; the address that Sympl is picking up is eth0:1. Is that expected behaviour?

UPDATE: I did ifconfig eth0:1 down and now everything works. Just confused as to why Sympl picks up eth0:1 as the primary IP and not eth0? Could that be a bug? Thanks for the help narrowing it down :)

Thanks everyone for the pointers. So the issue is that sympl-ip picks up eth0:1 as the primary and not eth0.

However, if I use a Digital Ocean Floating IP then it means Sympl binding to the internal address doesn't matter, as that address is the one the floating IP connects with. So if you are running Sympl on a DO droplet, enable the free floating IP and point your sites at that. The only caveat is that your email server is now on a different IP, so you need to take that into account when making SPF records etc.

Thanks again everyone
Colin
