certbot to acme.sh: Can't get letsencrypt to work on a migrated server

Discussion in 'Installation/Configuration' started by fm41, Apr 25, 2021.

  1. fm41

    fm41 New Member

    Hi,
    I copied an existing server using the ispcopy-tool. The old one used certbot for letsencrypt, the new one has no certbot installed and uses the acme.sh script instead. I copied the server, force-upgraded ISPConfig and resynced everything.

    However, acme.sh doesn't know any of my domains. acme.sh --list shows no results. ISPConfig still seems to try to use certbot and the old letsencrypt-certs.
    Is there any way to switch this setup to acme.sh or do I have to install certbot and stick with this?

    Output from server.sh with debug logging:
    Code:
    25.04.2021-17:52 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    25.04.2021-17:52 - DEBUG - Found 1 changes, starting update process.
    25.04.2021-17:52 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    25.04.2021-17:52 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    25.04.2021-17:52 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client2/web17' - return code: 0
    25.04.2021-17:52 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client2/web17' - return code: 0
    25.04.2021-17:52 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client2/web17'|awk 'END{print $2,$NF}' - return code: 0
    25.04.2021-17:52 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    25.04.2021-17:52 - DEBUG - safe_exec cmd: setquota -u 'web17' '0' '0' 0 0 -a &> /dev/null - return code: 0
    25.04.2021-17:52 - DEBUG - safe_exec cmd: setquota -T -u 'web17' 604800 604800 -a &> /dev/null - return code: 0
    25.04.2021-17:52 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client2/web17' - return code: 0
    25.04.2021-17:52 - WARNING - Could not verify domain EXAMPLE.COM, so excluding it from letsencrypt request.
    25.04.2021-17:52 - WARNING - Let's Encrypt SSL Cert for: EXAMPLE.COM could not be issued.
    25.04.2021-17:52 - WARNING - 
    25.04.2021-17:52 - DEBUG - NON-String given in escape function! (boolean)
    25.04.2021-17:52 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    25.04.2021-17:52 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/EXAMPLE.COM.vhost
    25.04.2021-17:52 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    25.04.2021-17:52 - DEBUG - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web17.conf
    25.04.2021-17:52 - DEBUG - Calling function 'restartPHP_FPM' from module 'web_module'.
    25.04.2021-17:52 - DEBUG - Restarting php-fpm: systemctl reload php7.3-fpm.service
    25.04.2021-17:52 - DEBUG - Apache status is: running
    25.04.2021-17:52 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    25.04.2021-17:52 - DEBUG - Restarting httpd: systemctl restart apache2.service
    25.04.2021-17:52 - DEBUG - Apache restart return value is: 0
    25.04.2021-17:52 - DEBUG - Apache online status after restart is: running
    25.04.2021-17:52 - DEBUG - Processed datalog_id 2878
    25.04.2021-17:52 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    See https://www.howtoforge.com/community/threads/certbot-acme-sh.86385/ and https://www.howtoforge.com/community/threads/certbot-to-acme-first.86813/

    TL;DR: There is no easy way to switch. The only thing you can do is remove all current certificates, purge all certbot-related things, and then enable LE in the panel so it gets a new cert using acme.sh. This is a risky procedure, as you can easily miss deleting something or delete too much, which can lead to your webserver going down. And you risk hitting the Let's Encrypt rate limits.
    Just a note: never try issuing a cert from the command line, always let ISPConfig handle it. Many users messed around with this in the past and a lot of them experienced severe headaches ;)
     
  3. fm41

    fm41 New Member

    Well, that sounds very unpleasant :D
    Okay, I installed certbot and made sure the certs are up to date, and then re-enabled the LE function in the website tab. It didn't work (probably because the server thought I'm using acme.sh now), so I enabled it directly in the database and got ISPConfig to rewrite the vhost. It seems to work now; I now have to wait for the next cert to expire to check if it gets renewed.

    Thanks for pointing me in the right direction!
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Make sure to remove acme.sh completely from the server.
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can always test certbot renewal in advance using the --dry-run parameter. So long as you do not create or renew the certs manually, you should be fine. ;)
     
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Some things can still go wrong, I had some cases where the dry run worked but the script bugged... So it's good to monitor it.
     
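    As an added example (not code from the thread or from ISPConfig), here is a small audit script that follows up on the advice above: it checks which ACME client's storage tree each Apache vhost actually references (certbot under /etc/letsencrypt, acme.sh under a .acme.sh directory) and how many days remain before each certificate expires, so a broken renewal is noticed before the cert lapses. It assumes GNU date and openssl are available and uses the vhost directory seen in the debug log above; the VHOST_DIR and WARN_DAYS variables are this example's own.

```shell
#!/bin/sh
# Added example: audit which ACME client owns each vhost's certificate and
# how many days are left on it. Assumes GNU date, openssl, and the Apache
# vhost layout from the thread (/etc/apache2/sites-available/*.vhost).
VHOST_DIR="${VHOST_DIR:-/etc/apache2/sites-available}"
WARN_DAYS="${WARN_DAYS:-14}"   # hypothetical threshold, not an ISPConfig setting

# Map a certificate path to the client that manages it, by its storage tree.
classify_cert_path() {
    case "$1" in
        /etc/letsencrypt/*) echo certbot ;;
        */.acme.sh/*)       echo acme.sh ;;
        *)                  echo other ;;
    esac
}

# Whole days from $2 (epoch seconds, default: now) until the notAfter string
# $1, in the exact form printed by `openssl x509 -noout -enddate`.
days_until_expiry() {
    end=$(date -u -d "${1#notAfter=}" +%s) || return 1
    now="${2:-$(date -u +%s)}"
    echo $(( (end - now) / 86400 ))
}

# Walk every vhost, pull its SSLCertificateFile directives and report each
# certificate as OK, EXPIRING (below WARN_DAYS) or MISSING on disk.
audit_vhosts() {
    for vh in "$VHOST_DIR"/*.vhost; do
        [ -f "$vh" ] || continue
        grep -E '^[[:space:]]*SSLCertificateFile[[:space:]]' "$vh" | awk '{print $2}' |
        while read -r cert; do
            client=$(classify_cert_path "$cert")
            if [ ! -r "$cert" ]; then
                echo "MISSING      $(basename "$vh") -> $cert ($client)"
                continue
            fi
            left=$(days_until_expiry "$(openssl x509 -in "$cert" -noout -enddate)")
            status=OK
            [ "$left" -lt "$WARN_DAYS" ] && status=EXPIRING
            echo "$status $left d  $(basename "$vh") -> $cert ($client)"
        done
    done
}

# Run the audit only when invoked directly with --run, e.g. from cron.
if [ "${1:-}" = "--run" ]; then
    audit_vhosts
fi
```

    Any vhost still pointing at /etc/letsencrypt after a switch to acme.sh (or vice versa) shows up in the client column, which is the leftover state the posts above warn about.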
