Hi all,

I found out recently that the server-wide Let's Encrypt SSL certificate was not renewed automatically on my slave server. Despite not having an ISPConfig web interface installed on the server, it's still important to have the Let's Encrypt certificate renewed as it's used for securing the FTP server and other tools (monitoring etc).

To solve the issue, I needed to re-issue the certificate manually:

Code:

    # Remove the expired certificate first
    rm -rf /etc/letsencrypt/live/SERVER.HOSTNAME*
    rm -rf /etc/letsencrypt/archive/SERVER.HOSTNAME*
    rm -f /etc/letsencrypt/renewal/SERVER.HOSTNAME*
    rm -f /usr/local/ispconfig/interface/ssl/*

    # Force update
    ispconfig_update.sh --force

    # Fix wrong file permissions
    chmod 0600 /usr/local/ispconfig/interface/ssl/ispserver.pem

Is there any way to automate this so that the certificate gets renewed automatically like it does on the ISPConfig master server?
The Let's Encrypt client should renew the certificate automatically when it has less than 30 days left. You need to find out why the renewal failed. There is a link to the LE Error FAQ in https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
Have a look at the following post: https://www.howtoforge.com/communit...encrypt-certificate-when-using-acme-sh.86950/

The article is referring to acme.sh, you seem to use certbot, but the principle should be the same. I am not familiar with ispconfig/certbot and hence don't know where the web site certs reside, but I believe the article is applicable, with some changes.
Thank you both, you pointed me in the right direction. Still, there's the issue with the wrong permissions on the .pem file. They should be set correctly when creating/updating the certificate.
That actually shouldn't matter, the function (make_ispconfig_ssl_cert()) is not overwritten in any OS-specific files. So no idea why you would have any different permission, unless the file isn't created by the installer. You could put debug messages just ahead of and after that to ensure that's getting run, and "ls -l /usr/local/ispconfig/interface/ssl" before and after as well.
is that a recent (nightly) change?

i used the autoinstaller to install a new ispconfig server on ubuntu 20.04 on a digital ocean droplet last week. it created the cert files using acme.sh.

all the cert files in /root/.acme.sh/<fqdn>/ had permissions 644, ownership root:root.
the crt, key and pem files in /usr/local/ispconfig/interface/ssl all had permissions 750, ownership root:root.

i link to this ispserver.pem file for monit, i had to manually change its permissions to 600 to get the monit service to start.
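
Added example, not part of any post above and not ISPConfig's own code: a small POSIX shell check that finds `.pem` and `.key` files in a certificate directory that grant any group or other permission bit and tightens them to 0600, which is the manual fix described in this thread. The function names and the `SSL_DIR` variable are made up for this example, and it assumes the `.pem` and `.key` files are the ones holding private key material.

```shell
#!/bin/sh
# Added example: audit and tighten private-key file modes after a renewal.
# loose_key_files, tighten_key_files and SSL_DIR are hypothetical names.

# Print regular *.pem / *.key files directly in $1 that grant any
# group/other permission bit. -type f means symlinks are skipped,
# not followed. Only POSIX "-perm -mode" tests are used.
loose_key_files() {
    find "$1" -maxdepth 1 -type f \( -name '*.pem' -o -name '*.key' \) \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Set every file reported above to 0600 and print one line per change.
# Returns 2 if the directory does not exist.
tighten_key_files() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    loose_key_files "$dir" | while IFS= read -r f; do
        chmod 0600 "$f" && printf 'tightened %s\n' "$f"
    done
}

# Runs only when SSL_DIR is set, for example:
#   SSL_DIR=/usr/local/ispconfig/interface/ssl sh tighten-keys.sh
if [ -n "${SSL_DIR:-}" ]; then
    tighten_key_files "$SSL_DIR"
fi
```

It can be run from cron or from the ACME client's post-renewal hook (certbot `--deploy-hook`, acme.sh `--reloadcmd`), so the mode is corrected each time the files are rewritten.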