LE config lingering after site removal

Discussion in 'ISPConfig 3 Priority Support' started by Norman, Oct 11, 2021.

  1. Norman

    Norman Member HowtoForge Supporter

    Hi,

    I noticed that sometimes LE configs linger after deleting or inactivating sites. The Let's Encrypt log still displays daily renewal attempts (unauthorised).

    What's the recommended way to remove LE config to prevent renewal attempts on deleted or otherwise defunct sites?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Currently, you'll have to use the certbot delete command (if you are using certbot). There is a feature request to remove old certs automatically in the issue tracker already.
     
  3. Norman

    Norman Member HowtoForge Supporter

    Hi, can you give me an example syntax?

    Also, what could be the reason that Let's Encrypt sometimes gets unclicked on some sites? I've seen this happen on different servers recently. I don't think it's the X3 root cert debacle, but I'm not entirely sure.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    certbot delete --cert-name mydomain.tld

    Please see the Let's Encrypt error FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
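The delete command above removes one lineage at a time. The following script is an added example (not ISPConfig's or certbot's own code) that finds every certbot lineage whose cert-name no longer has an enabled vhost and prints the matching certbot delete command for each, running it only when DO_DELETE=1. It assumes certbot's default layout (/etc/letsencrypt/live/<cert-name>/) and ISPConfig's vhost naming (<id>-<domain>.vhost under /etc/apache2/sites-enabled, or /etc/nginx/sites-enabled for nginx); both paths are assumptions and can be overridden through LE_LIVE and VHOST_DIR. The fixture at the bottom is constructed so the script runs offline.

```shell
#!/bin/sh
# Added example, not ISPConfig's or certbot's own code. Lists certbot lineages
# whose cert-name no longer has an enabled vhost and prints (optionally runs)
# "certbot delete --cert-name <name>" for each one.
#
# Assumptions (override via environment): certbot keeps lineages under
# /etc/letsencrypt/live/<cert-name>/, and ISPConfig names enabled vhost files
# <id>-<domain>.vhost under /etc/apache2/sites-enabled (or /etc/nginx/sites-enabled).
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
VHOST_DIR="${VHOST_DIR:-/etc/apache2/sites-enabled}"

# Print one cert-name per line for every lineage in $1 that has no vhost in $2.
find_lingering_certs() {
    live_dir="$1"
    vhost_dir="$2"
    for lineage in "$live_dir"/*/; do
        [ -f "$lineage/cert.pem" ] || continue      # skip README and non-lineages
        name=$(basename "$lineage")
        # An enabled vhost named <id>-<cert-name>.vhost means the site is live: keep it.
        if ls "$vhost_dir"/*-"$name".vhost >/dev/null 2>&1; then
            continue
        fi
        printf '%s\n' "$name"
    done
}

# Print the delete command for each lingering cert; run it only when DO_DELETE=1.
delete_lingering_certs() {
    find_lingering_certs "$1" "$2" | while IFS= read -r name; do
        printf 'certbot delete --cert-name %s\n' "$name"
        if [ "${DO_DELETE:-0}" = "1" ]; then
            certbot delete --non-interactive --cert-name "$name"
        fi
    done
}

# Constructed fixture for an offline run: two lineages, only one still has a vhost.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/live/example.com" "$root/live/old.example.net" "$root/sites-enabled"
    : > "$root/live/README"
    : > "$root/live/example.com/cert.pem"
    : > "$root/live/old.example.net/cert.pem"
    : > "$root/sites-enabled/100-example.com.vhost"
    printf '%s\n' "$root"
}

# Stand-alone demo on the fixture (no real certbot or ISPConfig paths are touched).
demo_root=$(make_fixture)
echo "Lingering certs in fixture (dry run):"
delete_lingering_certs "$demo_root/live" "$demo_root/sites-enabled"
rm -rf "$demo_root"
```

Run it without DO_DELETE first and read the list: certbot appends a suffix such as -0001 to a lineage when a duplicate is issued, and such names will not match the vhost pattern and will be listed even though the site is still live, so review before re-running with DO_DELETE=1 against the real LE_LIVE and VHOST_DIR. If the server uses acme.sh instead of certbot, as Till's "if you are using certbot" implies is possible, this script does not apply.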
  5. Norman

    Norman Member HowtoForge Supporter

    Thank you for the info.
    One more question regarding LE. I didn't see it in your FAQ. For some reason the Let's Encrypt chains report a wrong cert.

    Example (I'm working on fixing it so if it's presenting as right then I solved the issue :))
    https://whatsmychaincert.com/?www.ojas.se

    What could be the issue with a cert from LE that isn't expiring until January presenting a wrong chain?
    Site works fine on android and most browsers. But iPhone is having issues visiting it.
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is the wrong certificate shown on all browsers or only on iPhone?
    Does your browser show the intended website and the certificate is for that website? Did you examine the certificate in browser?
    In what way is the chain wrong?
     
  7. Norman

    Norman Member HowtoForge Supporter

    Works fine in desktop browser.
    iPhones seem to get issues with the cert. The only thing I can see that is erroneous is the chain. See the test link above.
    When chains are wrong, Apple devices usually get issues.
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is the issue the recent infamous root certificate expiry that some browsers can not deal with? There was discussion recently on this forum and elsewhere. And on LE website.
     
  9. florian030

    florian030 Well-Known Member HowtoForge Supporter

    Maybe you still have the expired root cert on your server? You can try
    Code:
    sed -i "s/^mozilla\/DST_Root_CA_X3\.crt/\!mozilla\/DST_Root_CA_X3\.crt/g" /etc/ca-certificates.conf
    update-ca-certificates
    
     
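The sed line above edits /etc/ca-certificates.conf in place. The script below is an added example, not ISPConfig's or florian030's code, that does the same deselection portably (no sed -i), idempotently, and with a before/after check, and adds a helper to print the chain a server actually sends so the iPhone-visible chain can be inspected. The path /etc/ca-certificates.conf (overridable via CA_CONF) and the ca-certificates.conf convention that a leading "!" deselects an entry are the only facts relied on; the excerpt used in the demo is constructed so it runs offline.

```shell
#!/bin/sh
# Added example, not ISPConfig's or the poster's code. Deselects the expired
# DST Root CA X3 in a ca-certificates.conf the way the sed line in the post does,
# but portably (no sed -i), idempotently, with a before/after check, and shows
# how to inspect the chain a server actually sends. Path is an assumption:
# CA_CONF defaults to /etc/ca-certificates.conf.
CA_CONF="${CA_CONF:-/etc/ca-certificates.conf}"
DST_LINE='mozilla/DST_Root_CA_X3.crt'

# True (exit 0) when the expired root is still selected in the conf file $1.
dst_root_enabled() {
    grep -q "^$DST_LINE\$" "$1"
}

# Prefix the DST Root CA X3 line with "!" (ca-certificates' deselect marker).
# An already-deselected line no longer matches, so running this twice is harmless.
disable_dst_root() {
    conf="$1"
    sed "s|^$DST_LINE\$|!$DST_LINE|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# After editing the real file, rebuild /etc/ssl/certs (needs root); same step as the post.
apply_ca_conf() {
    update-ca-certificates
}

# Subject/issuer of every certificate a TLS server sends, including any
# cross-signed intermediate (needs network; not run in the demo below).
served_chain() {
    host="$1"
    tmp=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" -showcerts \
        </dev/null 2>/dev/null > "$tmp"
    openssl crl2pkcs7 -nocrl -certfile "$tmp" | openssl pkcs7 -print_certs -noout
    rm -f "$tmp"
}

# Constructed excerpt of ca-certificates.conf for an offline run.
make_ca_conf() {
    f=$(mktemp)
    printf '%s\n' '# constructed excerpt' "$DST_LINE" 'mozilla/ISRG_Root_X1.crt' > "$f"
    printf '%s\n' "$f"
}

# Stand-alone demo on the constructed excerpt (the real CA_CONF is not touched).
demo=$(make_ca_conf)
dst_root_enabled "$demo" && echo "before: DST Root CA X3 selected"
disable_dst_root "$demo"
dst_root_enabled "$demo" || echo "after: DST Root CA X3 deselected"
cat "$demo"
rm -f "$demo"
```

On a real server run disable_dst_root "$CA_CONF" followed by apply_ca_conf as root, then served_chain www.example.com (hypothetical host) to confirm which intermediates and roots the site now presents; the chain test URL in the thread shows the same information from the outside.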
  10. Norman

    Norman Member HowtoForge Supporter

    This seems to have done the trick. Thank you!
     