Ubuntu 18.04.3 + ISPConfig 3.1.15p2 + certbot 0.27.0 need upgrade [SOLVED]

Discussion in 'Installation/Configuration' started by McLure, Jan 16, 2020.

  1. McLure

    McLure Member

    I have installed Certbot by this instruction:
    https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/
    Ubuntu 18.04
    Command: apt-get -y install certbot
    certbot --version = certbot 0.27.0
    python3-certbot/bionic-updates,bionic-updates,bionic-updates,bionic-updates,now 0.27.0-1~ubuntu18.04.1 all [installed,automatic]
    I need to upgrade to ACMEv2 version of Certbot.
    Is there a standard command for this?
    This is for Ubuntu 16.04 - is it something similar? I do not want to break something.
    sudo apt-get update
    sudo apt-get install software-properties-common
    sudo add-apt-repository universe <- Bionic
    sudo add-apt-repository ppa:certbot/certbot
    sudo apt-get update
    sudo apt-get install certbot python-certbot-apache

    I got this message from @letsencrypt.org
    Beginning June 1, 2020, we will stop allowing new domains to validate using
    the ACMEv1 protocol. You should upgrade to an ACMEv2 compatible client before
    then, or certificate issuance will fail. For most people, simply upgrading to
    the latest version of your existing client will suffice.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Are you sure the current certbot does not support ACMEv2? I cannot find info on which version started supporting ACMEv2, but I believe it has been available since 2018.
     
  3. McLure

    McLure Member

    No, I'm not sure it doesn't support v2, but I got this message:
    According to our records, the software client you're using to get Let's
    Encrypt TLS/SSL certificates issued or renewed at least one HTTPS certificate
    in the past two weeks using the ACMEv1 protocol. Your client's IP address was:

    2a01:4f8:xxxxxxxxxxxxxx:279a::2

    After reading a lot on www - I understand that I should have version 0.28.x at least..
    Is this a Debian or Ubuntu command? And what does it do?
    apt update && apt install --only-upgrade python3-certbot
     
    Last edited: Jan 16, 2020
  4. McLure

    McLure Member

    root@xxxxx ~ # dpkg -l python3-acme
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name Version Architecture Description
    +++-==========================-==================-
    ii python3-acme 0.31.0-2~ubuntu18. all ACME protocol library for Python 3
    root@xxxxx ~ # dpkg -l python3-certbot
    Desired=Unknown/Install/Remove/Purge/Hold
    | Status=Not/Inst/Conf-files/Unpacked/halF-conf/Half-inst/trig-aWait/Trig-pend
    |/ Err?=(none)/Reinst-required (Status,Err: uppercase=bad)
    ||/ Name Version Architecture Description
    +++-==========================-==================-
    ii python3-certbot 0.27.0-1~ubuntu18. all main library for certbot
    root@xxxxx ~ # apt list --upgradeable
    Listing... Done
     
  5. Steini86

    Steini86 Active Member

    Your certbot version already supports ACMEv2
    Use "certbot --dry-run -v renew" to see if it is connecting to "https://acme-staging-v02.api.letsencrypt.org"
    If not, you have probably done something (wrong) to your configuration file.
     
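Besides the dry run suggested above, the ACME directory a renewal will use is written into each renewal config. The following is an added example, not code from the thread or from certbot: it scans a directory of `renewal/*.conf` files for `server =` lines that are not the ACMEv2 endpoint. The two config files it builds in a temp directory are constructed copies of the layout certbot writes under `/etc/letsencrypt/renewal/`, so the script runs offline; a global `server` setting in `/etc/letsencrypt/cli.ini` is not read by this check.

```shell
#!/bin/sh
# Added example, not code from the thread: find certbot renewal configs that
# still point at the ACMEv1 directory. certbot records the directory URL as a
# 'server = ...' line in /etc/letsencrypt/renewal/<name>.conf; the two configs
# below are constructed copies of that layout so the check runs offline.

# list_acmev1_renewals DIR
# Prints "<cert-name><TAB><server url>" for every *.conf in DIR whose server
# line is not the ACMEv2 endpoint (a missing line is reported as <unset> and
# should be checked with 'certbot renew --dry-run -v'). Returns 0 when every
# renewal already uses ACMEv2, 1 otherwise.
list_acmev1_renewals() {
    dir=$1
    bad=0
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        name=$(basename "$conf" .conf)
        server=$(sed -n 's/^[[:space:]]*server[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1)
        case "$server" in
            *acme-v02.api.letsencrypt.org*) ;;
            *) printf '%s\t%s\n' "$name" "${server:-<unset>}"; bad=1 ;;
        esac
    done
    return $bad
}

# --- constructed sample data ---------------------------------------------
demo_dir=$(mktemp -d)
cat > "$demo_dir/old.example.test.conf" <<'EOF'
# constructed, modeled on a renewal conf written by an older certbot
version = 0.27.0
archive_dir = /etc/letsencrypt/archive/old.example.test
cert = /etc/letsencrypt/live/old.example.test/cert.pem
privkey = /etc/letsencrypt/live/old.example.test/privkey.pem
[renewalparams]
authenticator = webroot
server = https://acme-v01.api.letsencrypt.org/directory
EOF
cat > "$demo_dir/new.example.test.conf" <<'EOF'
# constructed, same layout after the account was moved to ACMEv2
version = 0.31.0
archive_dir = /etc/letsencrypt/archive/new.example.test
[renewalparams]
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
EOF

if list_acmev1_renewals "$demo_dir"; then
    echo "all renewals use ACMEv2"
else
    echo "the renewals listed above still use ACMEv1"
fi
# on a real host: list_acmev1_renewals /etc/letsencrypt/renewal
```

On a real host the function is pointed at `/etc/letsencrypt/renewal`; any name it prints is a cert whose next renewal would still go to the ACMEv1 directory regardless of the installed certbot version.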
  6. McLure

    McLure Member

  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This should already support v02. Problems may vary from double account, old config etc. I personally use certbot-auto for latest version but there is no need to do the same.
     
    Last edited: Jan 17, 2020
  8. elmacus

    elmacus Active Member

    Are certbot (repo installed) and certbot-auto (manually) interchangeable, i.e. using the same files and certificates for ISPConfig?
    Can you just switch versions?
    Because my own test 1 year ago showed that certbot broke.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, you can just uninstall the certbot package of your distribution (but don't use the purge option, so the certs and their config files do not get removed; maybe even do a backup of /etc/letsencrypt first to be on the safe side) and then install the latest version from the certbot website.
     
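The backup step in the reply above is worth doing carefully, because certbot's `live/` entries are symlinks into `archive/` and a backup that follows or loses those links is not restorable. The following is an added example, not code from the thread: it archives a letsencrypt tree with the symlinks kept as symlinks, then extracts the archive into a scratch directory and checks that every `live/*/*.pem` link still resolves. The tree it archives is constructed in a temp directory; on a real host pass `/etc/letsencrypt` as SRC. The `apt-get` line at the end is the remove-not-purge step from the reply, left as a comment.

```shell
#!/bin/sh
# Added example, not code from the thread: take the /etc/letsencrypt backup
# suggested above before removing the distro certbot package, and verify it
# before relying on it. The tree used here is constructed in a temp dir so the
# script runs offline; on a real host pass /etc/letsencrypt as SRC. The
# archive's top-level directory is assumed to be named "letsencrypt".

# backup_letsencrypt SRC OUT_TAR
# Archives SRC with tar, keeping live/ -> archive/ symlinks as symlinks (no -h).
# The archive is created with mode 0600 because it holds private keys.
backup_letsencrypt() {
    src=$1; out=$2
    ( umask 077; tar -C "$(dirname "$src")" -cf "$out" "$(basename "$src")" )
}

# backup_has_symlink OUT_TAR PATH: 0 if PATH is stored as a symlink entry
backup_has_symlink() {
    tar -tvf "$1" | grep -q "^l.* $2 -> "
}

# verify_backup OUT_TAR
# Extracts the archive into a scratch dir and checks that every live/*/*.pem
# link resolves to a file in the extracted archive/ tree. Returns 1 and names
# the dangling links otherwise.
verify_backup() {
    scratch=$(mktemp -d)
    tar -C "$scratch" -xpf "$1" || return 1
    rc=0
    for link in "$scratch"/letsencrypt/live/*/*.pem; do
        [ -L "$link" ] || continue
        if [ ! -e "$link" ]; then
            echo "dangling in backup: ${link#$scratch/}" >&2
            rc=1
        fi
    done
    rm -rf "$scratch"
    return $rc
}

# --- constructed sample tree ----------------------------------------------
demo=$(mktemp -d)
le="$demo/letsencrypt"
mkdir -p "$le/archive/example.test" "$le/live/example.test" "$le/renewal"
echo "constructed fullchain" > "$le/archive/example.test/fullchain1.pem"
echo "constructed privkey"   > "$le/archive/example.test/privkey1.pem"
chmod 600 "$le/archive/example.test/privkey1.pem"
ln -s ../../archive/example.test/fullchain1.pem "$le/live/example.test/fullchain.pem"
ln -s ../../archive/example.test/privkey1.pem   "$le/live/example.test/privkey.pem"

backup_letsencrypt "$le" "$demo/letsencrypt.tar" &&
    verify_backup "$demo/letsencrypt.tar" &&
    echo "backup verified: $demo/letsencrypt.tar"
# Only after the backup verifies, swap clients as described above:
#   apt-get remove certbot        # remove, not purge, so /etc/letsencrypt stays
#   ... then install the current client from the certbot website
```

`verify_backup` is the part that earns its keep: a dangling link in the extracted copy means the original tree was already inconsistent (or the archive was made with `-h` and the copies diverged), and that is the moment to find out, not after the package has been removed.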
  10. elmacus

    elmacus Active Member

    To OP, maybe an old expired cert is still called for with v01, check with:
    certbot certificates
    or
    certbot certificates | grep -i expired
    Then delete files with:
    (make sure LetsEncrypt is turned off for expired-domain.test in Apache FIRST, else Apache dies)
    certbot delete --cert-name expired-domain.test
     
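The warning in the post above (turn Let's Encrypt off for the domain first, or Apache dies) generalises to anything on the box that still points into `/etc/letsencrypt/live/NAME/`, including the ISPConfig interface's own `ispserver.crt` symlink. The following is an added example, not code from the thread or from ISPConfig: before a `certbot delete --cert-name NAME`, it greps the given config roots for the live path and lists symlinks that point into it, and refuses if anything is found. The Apache vhost and the `ispserver.crt` link it creates are constructed in a temp directory; the real roots would be `/etc/apache2` and `/usr/local/ispconfig/interface/ssl`. The delete command itself is printed rather than run.

```shell
#!/bin/sh
# Added example, not code from the thread: before running
# 'certbot delete --cert-name NAME', scan the config roots for anything that
# still references /etc/letsencrypt/live/NAME/ (Apache vhosts that include the
# cert, or symlinks such as ispserver.crt in the ISPConfig interface ssl dir).
# Deleting a referenced cert is what makes Apache refuse to start. Directory
# layout and the vhost below are constructed for the demo; filenames with
# spaces are not handled.

# find_cert_refs NAME ROOT...
# Prints every regular file under the ROOTs that contains the live path and
# every symlink that points into it. Returns 0 if nothing references the cert,
# 1 otherwise. The trailing slash keeps NAME from matching NAME-0001 etc.
find_cert_refs() {
    name=$1; shift
    live="/etc/letsencrypt/live/$name/"
    found=0
    for root in "$@"; do
        [ -d "$root" ] || continue
        for f in $(grep -rlF "$live" "$root" 2>/dev/null); do
            printf 'reference: %s\n' "$f"; found=1
        done
        for l in $(find "$root" -type l -lname "$live*" 2>/dev/null); do
            printf 'symlink: %s -> %s\n' "$l" "$(readlink "$l")"; found=1
        done
    done
    return $found
}

# safe_certbot_delete NAME ROOT...
# Refuses when references exist; otherwise prints the delete command to run
# (it is not executed here so the demo stays offline and idempotent).
safe_certbot_delete() {
    name=$1; shift
    if find_cert_refs "$name" "$@"; then
        echo "no references to $name; run: certbot delete --cert-name $name"
        return 0
    fi
    echo "refusing to delete $name: disable Let's Encrypt for it in ISPConfig or repoint the symlinks first" >&2
    return 1
}

# --- constructed sample config roots -------------------------------------
demo=$(mktemp -d)
mkdir -p "$demo/apache2/sites-enabled" "$demo/ispconfig/interface/ssl"
cat > "$demo/apache2/sites-enabled/100-expired-domain.test.vhost" <<'EOF'
<VirtualHost *:443>
    ServerName expired-domain.test
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/expired-domain.test/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/expired-domain.test/privkey.pem
</VirtualHost>
EOF
# the ISPConfig interface cert, modeled on the ls listing later in the thread
ln -s /etc/letsencrypt/live/mail0.myserver-0006/fullchain.pem "$demo/ispconfig/interface/ssl/ispserver.crt"

for cert in expired-domain.test mail0.myserver-0006 mail0.myserver unused.test; do
    safe_certbot_delete "$cert" "$demo/apache2/sites-enabled" "$demo/ispconfig/interface/ssl"
done
```

Note that `mail0.myserver` comes back as unreferenced while `mail0.myserver-0006` does not: the `-0001`, `-0002` suffixes certbot adds are separate lineages with separate `live/` directories, so each has to be checked and deleted by its own name. On a live server add `/etc/postfix`, `/etc/dovecot` and any other daemon config directories to the roots, since those can reference the same files.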
  11. McLure

    McLure Member

    This was helpful - thanx!
     
  12. elmacus

    elmacus Active Member

    Thanks.
    I wonder what happens when I unclick LetsEncrypt in the GUI?
    Some domains have domain.test-0001, domain.test-0002 as name.
    Should the GUI code delete all files with certbot delete --cert-name expired-domain.test when deactivating? And certbot delete --cert-name expired-domain.test-0001?
    I like my servers cleaned properly.

    Sorry for being out of thread now ;-)
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    No, the GUI will not remove old certs as it can not know if a cert is used by any other service on your server.
     
  14. McLure

    McLure Member

    I have done a cleaning on server.
    certbot delete --cert-name expired-domain.test
    Restarted Apache - and still running.
     
  15. McLure

    McLure Member

    Not running after reboot

    Jan 21 15:07:51 mail0 systemd[1]: Starting The Apache HTTP Server...
    Jan 21 15:07:51 mail0 apachectl[6359]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
    Jan 21 15:07:51 mail0 apachectl[6359]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    Jan 21 15:07:51 mail0 apachectl[6359]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Jan 21 15:07:51 mail0 apachectl[6359]: Action 'start' failed.
    Jan 21 15:07:51 mail0 apachectl[6359]: The Apache error log may have more information.
    Jan 21 15:07:51 mail0 systemd[1]: apache2.service: Control process exited, code=exited status=1
    Jan 21 15:07:51 mail0 systemd[1]: apache2.service: Failed with result 'exit-code'.
    Jan 21 15:07:51 mail0 systemd[1]: Failed to start The Apache HTTP Server.
    root@mail0 ~ #
    cd /usr/local/ispconfig/interface/ssl/
    root@mail0 /usr/local/ispconfig/interface/ssl # ls -l
    total 56
    -rwxr-x--- 1 root root 45 Oct 16 19:17 empty.dir
    lrwxrwxrwx 1 root root 62 Oct 4 2018 ispserver-crt-181004041617.bak -> /etc/letsencrypt/live/mail0.myserver-0005/fullchain.pem
    lrwxrwxrwx 1 root root 62 Oct 4 2018 ispserver.crt -> /etc/letsencrypt/live/mail0.myserver-0006/fullchain.pem
    lrwxrwxrwx 1 root root 63 Sep 24 2018 ispserver.crt-181004041617.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.crt
    lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004042407.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
    lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004043542.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
    lrwxrwxrwx 1 root root 63 Oct 4 2018 ispserver.crt-181004095456.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.crt
    lrwxrwxrwx 1 root root 62 Oct 4 2018 ispserver.crt-181004102147.bak -> /etc/letsencrypt/live/mail0.myserver-0005/fullchain.pem
    lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004104441.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
    lrwxrwxrwx 1 root root 57 Oct 4 2018 ispserver.crt-181004154659.bak -> /etc/letsencrypt/live/mail0.myserver/fullchain.pem
    -rwxr-x--- 1 root root 1805 Oct 4 2018 ispserver.csr
    lrwxrwxrwx 1 root root 60 Oct 4 2018 ispserver.key -> /etc/letsencrypt/live/mail0.myserver-0006/privkey.pem
    lrwxrwxrwx 1 root root 63 Sep 24 2018 ispserver.key-181004041617.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.key
    lrwxrwxrwx 1 root root 55 Oct 4 2018 ispserver.key-181004042407.bak -> /etc/letsencrypt/live/mail0.myserver/privkey.pem
    lrwxrwxrwx 1 root root 55 Oct 4 2018 ispserver.key-181004043811.bak -> /etc/letsencrypt/live/mail0.myserver/privkey.pem
    lrwxrwxrwx 1 root root 60 Oct 4 2018 ispserver.key-181004102147.bak -> /etc/letsencrypt/live/mail0.myserver-0005/privkey.pem
    -rwxr-x--- 1 root root 3243 Oct 4 2018 ispserver.key-181004154659.bak
    lrwxrwxrwx 1 root root 55 Oct 4 2018 ispserver.key.secure -> /etc/letsencrypt/live/mail0.myserver/privkey.pem
    -rwxr-x--- 1 root root 7435 Oct 4 2018 ispserver.pem
    lrwxrwxrwx 1 root root 63 Oct 4 2018 ispserver.pem-181004095459.bak -> /var/www/mail0.myserver/ssl/mail0.myserver-le.crt

    Any way to regenerate the certs? ---- I have a backup of the etc folder..
     
    Last edited: Jan 21, 2020
  16. McLure

    McLure Member

    How do I find the password?
    service apache2 restart
    Enter passphrase for SSL/TLS keys for mail0.myserver.net:8080 (RSA):
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    You must have set a password for that SSL cert at the time you created it if it asks for one. SSL certs for system daemons should not have a password as your system will fail at boot time if a password is requested. Create a new ssl cert and don't set a password or decrypt the key of the current one and store the key without password protection.
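The second option in the reply above (decrypt the key and store it without a passphrase) is a two-minute job with the openssl CLI, but it is worth proving that the decrypted key still belongs to the certificate before swapping it into `/usr/local/ispconfig/interface/ssl/`. The following is an added example, not code from the thread or from ISPConfig: it generates a throwaway self-signed pair with a known passphrase (constructed, so the script runs offline), shows the wrong-passphrase failure that the AH02580 log line later in the thread reports, strips the passphrase with a restrictive umask, and compares the public key from the key file with the one in the certificate. The file names mirror the real `ispserver.key` / `ispserver.crt`.

```shell
#!/bin/sh
# Added example, not code from the thread: strip the passphrase from an
# encrypted private key so Apache can start unattended, and prove the result
# still matches the certificate before putting it in place. A throwaway
# self-signed pair with a known passphrase is generated here so the script runs
# offline; on the real host the inputs are the ispserver.key / ispserver.crt
# files under /usr/local/ispconfig/interface/ssl/. Requires the openssl CLI.

# is_encrypted KEY: 0 if the PEM still carries a passphrase
is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# decrypt_key ENC_KEY PASSPHRASE OUT_KEY
# Writes an unencrypted PEM copy with mode 0600 (umask in a subshell so the
# caller's umask is untouched). Fails on a wrong passphrase, which is the same
# condition Apache logs as AH02580 "Pass phrase incorrect".
decrypt_key() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
}

# key_matches_cert KEY CERT: 0 when both carry the same public key
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# --- constructed sample key pair ------------------------------------------
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -keyout "$demo/ispserver.key" -out "$demo/ispserver.crt" \
    -days 30 -subj /CN=mail0.myserver -passout pass:forgotten-phrase 2>/dev/null

if decrypt_key "$demo/ispserver.key" wrong-phrase "$demo/plain.key"; then
    echo "unexpected: wrong passphrase accepted"
else
    echo "wrong passphrase rejected (what Apache reports as AH02580)"
fi
decrypt_key "$demo/ispserver.key" forgotten-phrase "$demo/plain.key" &&
    key_matches_cert "$demo/plain.key" "$demo/ispserver.crt" &&
    echo "plain.key decrypted and matches ispserver.crt; install it as ispserver.key and restart apache2"
```

If the passphrase really is lost, `decrypt_key` cannot help and the reply's first option (issue a new certificate with a fresh, passphrase-less key) is the only way forward; `key_matches_cert` is still the check to run on whatever pair ends up behind `ispserver.crt` and `ispserver.key`, since a mismatch fails at the same mod_ssl init step as a bad passphrase.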
     
  18. McLure

    McLure Member

    Hmm
    I think I remember that password - but not accepted.
    Remake the cert?
     
  19. McLure

    McLure Member

    Apache error-log
    [Tue Jan 21 16:29:50.179031 2020] [ssl:emerg] [pid 5748] AH02580: Init: Pass phrase incorrect for key mail0.myserver:8080:0
    [Tue Jan 21 16:29:50.179130 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    [Tue Jan 21 16:29:50.179150 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
    [Tue Jan 21 16:29:50.179165 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    [Tue Jan 21 16:29:50.179181 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=RSAPrivateKey)
    [Tue Jan 21 16:29:50.179197 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:04093004:rsa routines:old_rsa_priv_decode:RSA lib
    [Tue Jan 21 16:29:50.179210 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
    [Tue Jan 21 16:29:50.179225 2020] [ssl:emerg] [pid 5748] SSL Library Error: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error (Type=PKCS8_PRIV_KEY_INFO)
    [Tue Jan 21 16:29:50.179234 2020] [ssl:emerg] [pid 5748] AH02312: Fatal error initialising mod_ssl, exiting.
    [Tue Jan 21 16:29:50.179241 2020] [ssl:emerg] [pid 5748] AH02564: Failed to configure encrypted (?) private key mail0.myserver:8080:0, check /usr/local/ispconfig/interface/ssl/ispserver.key
    AH00016: Configuration Failed
     
  20. McLure

    McLure Member

    Do an ISPConfig update and regenerate the cert?
    There are no updates available for ISPConfig 3.1.15p2 ...

    Password entry required for 'Enter passphrase for SSL/TLS keys for mail0.myserver:8080 (RSA):' (PID 4687).
    Please enter password with the systemd-tty-ask-password-agent tool!
     
    Last edited: Jan 21, 2020
