Hi there. I think there is an issue with Let's Encrypt / ISPConfig integration. I have a perfect server https://www.howtoforge.com/tutorial...8-4-jessie-apache-bind-dovecot-ispconfig-3-1/ . The problem is that ISPConfig is not overriding SSL symlinks in /var/www/sub1.sub2.domain.bla/ssl/ after renewing the SSL certs. So here is what I have:

Code:
php -q cron_debug.php --cronjob=900-letsencrypt.inc.php
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
Cert not yet due for renewal
finished.

Code:
ls -la /etc/letsencrypt/archive/sub1.sub2.domain.bla/
total 72
drwxr-xr-x 2 root root 4096 Sep 16 03:02 .
drwx------ 8 root root 4096 Sep 28 10:40 ..
-rw-r--r-- 1 root root 2183 Mar 19 2017 cert1.pem
-rw-r--r-- 1 root root 2183 May 19 03:00 cert2.pem
-rw-r--r-- 1 root root 2183 Jul 18 03:00 cert3.pem
-rw-r--r-- 1 root root 2183 Sep 16 03:02 cert4.pem
-rw-r--r-- 1 root root 1647 Mar 19 2017 chain1.pem
-rw-r--r-- 1 root root 1647 May 19 03:00 chain2.pem
-rw-r--r-- 1 root root 1647 Jul 18 03:00 chain3.pem
-rw-r--r-- 1 root root 1647 Sep 16 03:02 chain4.pem
-rw-r--r-- 1 root root 3830 Mar 19 2017 fullchain1.pem
-rw-r--r-- 1 root root 3830 May 19 03:00 fullchain2.pem
-rw-r--r-- 1 root root 3830 Jul 18 03:00 fullchain3.pem
-rw-r--r-- 1 root root 3830 Sep 16 03:02 fullchain4.pem
-rw-r--r-- 1 root root 3272 Mar 19 2017 privkey1.pem
-rw-r--r-- 1 root root 3272 May 19 03:00 privkey2.pem
-rw-r--r-- 1 root root 3272 Jul 18 03:00 privkey3.pem
-rw-r--r-- 1 root root 3272 Sep 16 03:02 privkey4.pem

Code:
ls -la /var/www/sub1.sub2.domain.bla/ssl/
total 80
drwxr-xr-x 2 root root 4096 Sep 28 21:45 .
drwxr-xr-x 11 root root 4096 Sep 28 21:44 ..
lrwxrwxrwx 1 root root 83 Sep 28 21:45 sub1.sub2.domain.bla-le.bundle -> ../../../../../../etc/letsencrypt/archive/sub1.sub2.domain.bla/chain1.pem
-r-------- 1 root root 1647 Apr 1 07:52 sub1.sub2.domain.bla-le.bundle.old.20170401075207
-r-------- 1 root root 1647 Apr 5 18:52 sub1.sub2.domain.bla-le.bundle.old.20170405185245
-r-------- 1 root root 1647 Apr 5 18:54 sub1.sub2.domain.bla-le.bundle.old.20170405185452
-r-------- 1 root root 1647 Apr 5 18:54 sub1.sub2.domain.bla-le.bundle.old.20170405185458
-r-------- 1 root root 1647 Sep 28 21:45 sub1.sub2.domain.bla-le.bundle.old.20170928214503
lrwxrwxrwx 1 root root 87 Sep 28 21:45 sub1.sub2.domain.bla-le.crt -> ../../../../../../etc/letsencrypt/archive/sub1.sub2.domain.bla/fullchain1.pem
-r-------- 1 root root 2183 Apr 1 07:52 sub1.sub2.domain.bla-le.crt.old.20170401075207
-r-------- 1 root root 2183 Apr 5 18:52 sub1.sub2.domain.bla-le.crt.old.20170405185245
-r-------- 1 root root 2183 Apr 5 18:54 sub1.sub2.domain.bla-le.crt.old.20170405185452
-r-------- 1 root root 2183 Apr 5 18:54 sub1.sub2.domain.bla-le.crt.old.20170405185458
-r-------- 1 root root 2183 Sep 28 21:45 sub1.sub2.domain.bla-le.crt.old.20170928214503
lrwxrwxrwx 1 root root 85 Sep 28 21:45 sub1.sub2.domain.bla-le.key -> ../../../../../../etc/letsencrypt/archive/sub1.sub2.domain.bla/privkey1.pem
-r-------- 1 root root 3272 Apr 1 07:52 sub1.sub2.domain.bla-le.key.old.20170401075207
-r-------- 1 root root 3272 Apr 5 18:52 sub1.sub2.domain.bla-le.key.old.20170405185245
-r-------- 1 root root 3272 Apr 5 18:54 sub1.sub2.domain.bla-le.key.old.20170405185452
-r-------- 1 root root 3272 Apr 5 18:54 sub1.sub2.domain.bla-le.key.old.20170405185458
-r-------- 1 root root 3272 Sep 28 21:45 sub1.sub2.domain.bla-le.key.old.20170928214503

So as you can see, ISPConfig didn't update the symlink after Let's Encrypt created new cert files. Is it a bug or am I doing something wrong?
That's correct so far as these symlinks shall not be altered. But they should point to the live version and not the archive. You probably created this SSL cert in an older ISPConfig version which had a bug in that area; try to disable LE in the website, press save, enable LE again and press save.
Hi Till, Thank you for your input. I've updated ISPConfig and will give it a try. Could you point me to the bug please? So I can merge it into my other ISPConfig with custom modifications please?
That was not just a bugfix, the complete LE handling has been rewritten in 3.1.6 (if I remember correctly) and has been put in a separate file to remove duplicate code, so if your customized version uses an older code base, then you might have to port the whole LE part.
@till on original version did exactly what you explained. But still pointing to archive?

mydomain.com-le.bundle -> ../../../../../../etc/letsencrypt/archive/mydomain.com/chain1.pem
mydomain.com-le.crt -> ../../../../../../etc/letsencrypt/archive/mydomain.com/fullchain1.pem
mydomain.com-le.key -> ../../../../../../etc/letsencrypt/archive/mydomain.com/privkey1.pem

Because of this, auto-renew is also not working.
Works fine here. Maybe you enabled the 'make relative symlinks' option in ISPConfig under System > server config > web, as LE probably won't work with that option enabled.
If you want to use LE on that server, then you'll have to disable it as it will cause the SSL certs to point to the archive folder.
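
A way to check a vhost for the condition discussed in this thread, as an added example that is not part of the original posts and is not ISPConfig code: it reads each symlink in an ssl/ directory, reports whether it points into Let's Encrypt's live/ or archive/ tree, and flags an archive link that is behind the newest numbered file. The function names, the `example.test` domain and the temporary fixture tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not ISPConfig code: audit a vhost ssl/ directory for symlinks
# pinned to Let's Encrypt's archive/ tree instead of live/.
# classify_target <raw link target> -> live | archive | other
classify_target() {
    case "$1" in
        */letsencrypt/live/*)    echo live ;;
        */letsencrypt/archive/*) echo archive ;;
        *)                       echo other ;;
    esac
}
# newest_version <dir> <stem> -> highest N among <dir>/<stem>N.pem (0 if none)
newest_version() (
    max=0
    for f in "$1/$2"[0-9]*.pem; do
        [ -e "$f" ] || continue
        n=${f##*/"$2"}; n=${n%.pem}
        if [ "$n" -gt "$max" ]; then max=$n; fi
    done
    echo "$max"
)
# audit_ssl_dir <dir> -> one line per symlink; status 1 if any points into archive/
audit_ssl_dir() (
    cd "$1" || exit 2
    rc=0
    for link in *; do
        [ -L "$link" ] || continue      # skip the *.old.<timestamp> copies
        target=$(readlink "$link")      # raw target, as ls -la shows it
        kind=$(classify_target "$target"); note=
        if [ "$kind" = archive ]; then
            rc=1
            base=${target##*/}; stem=${base%%[0-9]*}   # chain1.pem -> chain
            cur=${base#"$stem"}; cur=${cur%.pem}       # chain1.pem -> 1
            new=$(newest_version "$(dirname "$target")" "$stem")
            if [ -n "$cur" ] && [ "$new" -gt "$cur" ]; then note=" (stale: archive has version $new)"; fi
        fi
        printf '%s: %s -> %s%s\n' "$kind" "$link" "$target" "$note"
    done
    exit "$rc"
)
# make_fixture -> path of a constructed tree shaped like the listing in the thread
make_fixture() (
    root=$(mktemp -d) && a=$root/etc/letsencrypt/archive/example.test
    mkdir -p "$a" "$root/var/www/example.test/ssl"
    for n in 1 2 3 4; do : > "$a/chain$n.pem"; done
    ln -s ../../../../etc/letsencrypt/archive/example.test/chain1.pem \
        "$root/var/www/example.test/ssl/example.test-le.bundle"
    echo "$root"
)
root=$(make_fixture)
audit_ssl_dir "$root/var/www/example.test/ssl" || echo "archive-pinned links found"
rm -rf "$root"
```

On a real server, call `audit_ssl_dir /var/www/<domain>/ssl`; a non-zero status means at least one link will keep serving the old certificate after renewal.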