ISPConfig + LetsEncrypt + ACMEV1 -> V2 Problem

Discussion in 'Installation/Configuration' started by NoFreak, Jul 9, 2021.

  1. NoFreak

    NoFreak New Member

    Hello,
    ISPConfig: Version 3.2.5 (latest version)
    I was surprised today by the shutdown of the letsencrypt v1 interface.
    Now I have the problem of renewing the ssl certificates.
    I deleted the files /etc/letsencrypt/renew and live/ for the specific webpage.
    I deactivated/activated the ssl/letsencrypt in the admin panel.
    Both don't work ...
    The letsencrypt bin files are saved in the root/.local/share/letsencrypt directory.
    Are these the correct files, or does the ispconfig3 software have other files for letsencrypt?
    Do I have to update the letsencrypt files?

    Thanks for help!

    Best regards
    Frank
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If that is truly your only problem, then you only need to simply upgrade your certbot and retry thereafter.

    Otherwise, read and follow the solutions in ISPConfig LE FAQ thread.
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Looks like acme.sh is in use, not certbot. Do not install both on the same system.
    What interface exactly? How did you see it was shut down?
    Do this for starters: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    As @Taleman mentioned, when you have files in /root/.local/share/letsencrypt, then you use acme.sh now. If you had files earlier in /etc/letsencrypt/, then you were using certbot before. Switching from certbot to acme.sh breaks the LE config as they are incompatible with each other. My guess is that you removed the certbot program instead of replacing it with an updated version that supports the v2 protocol, which caused acme.sh to get downloaded as a fallback. Now you have a real issue, as you messed up the LE setup badly by mixing two incompatible LE clients.

    To find the right solution to repair your broken setup, it's important to know how many websites you have with active LE certificates in /etc/letsencrypt/ and how many certs you have now in /root issued by acme.sh. The solution is either to replace all of the old certs issued by certbot, which is quite some work as you have to clean up SSL directories manually etc., or to remove acme.sh completely, install a recent certbot version and remove the certs you issued using acme.sh in the meantime.
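To answer till's question about what is actually on the host before repairing anything, here is an added check script; it is not from the thread or from ISPConfig. It reports whether the certbot directory, the acme.sh directory, or both are present (the mixed state described above) and counts the certificates each holds; it runs here against a constructed temporary layout rather than a real server, and the sample layout and the acme.sh home /root/.acme.sh (as later reported in post #7) are assumptions.

```shell
# Report which Let's Encrypt client(s) an ISPConfig host is set up for:
# certbot keeps certs under <confdir>/live/<domain>/cert.pem,
# acme.sh under <acmehome>/<domain>[_ecc]/<domain>.cer.
set -eu
count_certbot_certs() {          # arg: certbot conf dir, e.g. /etc/letsencrypt
    n=0
    for d in "$1"/live/*/; do
        if [ -f "${d}cert.pem" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

count_acme_certs() {             # arg: acme.sh home, e.g. /root/.acme.sh
    n=0
    for d in "$1"/*/; do
        name=$(basename "$d"); base=${name%_ecc}
        if [ -f "${d}${base}.cer" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Prints none / certbot / acme.sh / mixed; "mixed" is the state till warns about.
le_client_state() {
    have_cb=0; have_acme=0
    if [ -d "$1/live" ]; then have_cb=1; fi
    if [ -f "$2/acme.sh" ]; then have_acme=1; fi
    case "$have_cb$have_acme" in
        00) echo none ;;    10) echo certbot ;;
        01) echo acme.sh ;; 11) echo mixed ;;
    esac
}

# Constructed sample layout (an assumption, not a real server): one leftover
# certbot lineage plus acme.sh with one issued cert, i.e. the mixed state.
make_demo_layout() {
    base=$(mktemp -d)
    mkdir -p "$base/etc/letsencrypt/live/example.com" "$base/root/.acme.sh/test.example.com"
    : > "$base/etc/letsencrypt/live/example.com/cert.pem"
    : > "$base/root/.acme.sh/acme.sh"
    : > "$base/root/.acme.sh/test.example.com/test.example.com.cer"
    echo "$base"
}

# Demo run; on a real host use /etc/letsencrypt and /root/.acme.sh instead.
demo=$(make_demo_layout)
cb="$demo/etc/letsencrypt"; ac="$demo/root/.acme.sh"
echo "client state: $(le_client_state "$cb" "$ac")"
echo "certbot lineages: $(count_certbot_certs "$cb"), acme.sh certs: $(count_acme_certs "$ac")"
rm -rf "$demo"
```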
     
  5. NoFreak

    NoFreak New Member

    Hello,
    thanks for your answers.

    The problem is, at first I updated my LetsEncrypt certificates manually, at least with the integrated ISPConfig - until yesterday: then I noticed for the first time that the certificates are out of date.

    So, I'm not sure which tool is used by ISPConfig.

    I set the checkbox "SSL" and "Let's Encrypt SSL" but nothing happened ...

    So how do I figure out where the problem is?
    I only found a log /var/log/letsencrypt/letsencrypt.log with this message, which shows a problem:
    Error: urn:acme:error:serverInternal :: The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit (LINK FORBIDDEN) for more information.

    Now, I try to find "the tool" which generates the scripts manually on the server, but I found nothing. Now I know certbot/acme.sh, but I'm not sure which tool is used by ISPConfig.

    I need a hint to find the cause of the malfunction (any logs? errors ...)

    Thanks for help
    Frank
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Did you do this? https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
    It has info on Let's Encrypt problems.
    Code:
    Error: urn:acme:error:serverInternal :: The server experienced an internal error :: ACMEv1 is deprecated and you can no longer get certificates from this endpoint. Please use the ACMEv2 endpoint, you may need to update your ACME client software to do so. Visit (LINK FORBIDDEN) for more information.
    That means your let's encrypt client is too old a version.
     
  7. NoFreak

    NoFreak New Member

    Hello,
    yes, it's crystal clear that the let's encrypt client is too old ...
    But I don't know what and how to update this client ...

    Now I ran a test script and found this message:

    acme.sh is installed in /root/.acme.sh/acme.sh
    [WARN] You have /etc/letsencrypt/live in place, although only acme.sh is installed. This might indicate a problem.

    Any hints?

    Best regards
    Frank
     
  8. NoFreak

    NoFreak New Member

    Hello,
    I don't understand the mechanism for letsencrypt ... so I cannot find the problem ...

    Now I have created a test domain, but no files appear in the ssl directory ...

    In my first problem domain the following files appear:
    xxx-le.bundle
    xxx-le.crt
    xxx-le.key

    But the checkbox Let's Encrypt is not checked ...
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    @till wrote in #4 what to do.
    If you have less than 100 domains with certificates, you could remove all certificates (created with certbot in /etc/letsencrypt/*/) and create new ones with acme.sh, which it seems you are using now. Before removing, check that you really have uninstalled certbot from your host and check that acme is properly installed.
    If you do not want to do this yourself you can pay Schaal to have it done: https://www.ispconfig.org/get-support/
     
  10. NoFreak

    NoFreak New Member

    So, I have "solved" the problem ... but don't ask me why ...
    I did an apachectl configtest and found two domains with deleted certificate files ...

    I repaired it and now it works ...
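The two domains with deleted certificate files that apachectl configtest surfaced can be listed directly, per vhost and per directive. This is an added script, not from the thread or from ISPConfig: it scans the Apache vhost files for SSLCertificate*File directives whose target file is missing, run here against two constructed sample vhosts (the paths and domain names are assumptions) so it works anywhere.

```shell
# List SSLCertificate*File directives in Apache vhost files whose target is
# missing, the condition that makes "apachectl configtest" fail.
set -eu

missing_cert_refs() {            # arg: vhost dir, e.g. /etc/apache2/sites-enabled
    for vh in "$1"/*.vhost; do
        [ -f "$vh" ] || continue
        grep -E '^[[:space:]]*SSLCertificate(Key|Chain)?File[[:space:]]' "$vh" |
        while read -r directive path rest; do
            if [ ! -e "$path" ]; then echo "$(basename "$vh"): $directive $path"; fi
        done
    done
}

count_missing_cert_refs() {
    missing_cert_refs "$1" | wc -l | tr -d ' '
}

# Constructed sample (an assumption): two vhosts laid out the way ISPConfig
# writes them; "ok" has its *-le.* files, "broken" has an emptied ssl dir.
make_demo_vhosts() {
    base=$(mktemp -d)
    mkdir -p "$base/vhosts" "$base/ssl/ok" "$base/ssl/broken"
    for f in crt key bundle; do : > "$base/ssl/ok/ok.example.com-le.$f"; done
    for name in ok broken; do
        cat > "$base/vhosts/$name.example.com.vhost" <<EOF
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile $base/ssl/$name/$name.example.com-le.crt
    SSLCertificateKeyFile $base/ssl/$name/$name.example.com-le.key
    SSLCertificateChainFile $base/ssl/$name/$name.example.com-le.bundle
</VirtualHost>
EOF
    done
    echo "$base"
}

# Demo run; on a real host: missing_cert_refs /etc/apache2/sites-enabled
demo=$(make_demo_vhosts)
missing_cert_refs "$demo/vhosts"
echo "missing references: $(count_missing_cert_refs "$demo/vhosts")"
rm -rf "$demo"
```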
     
