[SOLVED] Error restarting apache after upgrade due to cert/key mismatch AH02565

Discussion in 'General' started by StefanoBertoli, Jan 5, 2022.

  1. Trying to force ispconfig_upgrade to resolve the problem won't work.

    I have no way to make Apache start, and the only error log I see is in the main domain (the one where the ISPConfig interface replies).

    Checked if key and certificate match, and they do:

    root@hocus-02:~# openssl rsa -in /etc/letsencrypt/live/hocus-02.example.com/privkey.pem -noout -modulus
    Modulus=<elided>
    root@hocus-02:~# openssl x509 -in /etc/letsencrypt/live/hocus-02.example.com/cert.pem -noout -modulus
    Modulus=<elided>
    root@hocus-02:~# openssl x509 -in /etc/letsencrypt/live/hocus-02.example.com/chain.pem -noout -modulus
    Modulus=<elided>
    root@hocus-02:~# openssl x509 -in /etc/letsencrypt/live/hocus-02.example.com/fullchain.pem -noout -modulus
    Modulus=<elided>

    The error I get is:
    [Wed Jan 05 14:04:07.422663 2022] [ssl:emerg] [pid 3269] AH02565: Certificate and private key hocus-02.example.com:443:0 from /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.crt and /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.key do not match

    Thanks for any idea on it.
     
  2. the .vhost file section:
    <IfModule mod_ssl.c>
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES$
    SSLHonorCipherOrder on
    # <IfModule mod_headers.c>
    # Header always add Strict-Transport-Security "max-age=15768000"
    # </IfModule>
    SSLCertificateFile /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
    </IfModule>
     
  3. Th0m (ISPConfig Developer, Staff Member)

    @Croydon wrote a script to find the real problem:
    To start the script, run the following command as root user on your server:
    Code:
    curl https://gitplace.net/pixcept/ispconfig-tools/-/raw/stable/cert_check.sh | sh
    Share the output here in code blocks please (insert -> code).
     
  4. Jesse Norell (ISPConfig Developer, Staff Member)

    What do these return?
    Code:
    ls -l /var/www/clients/client0/web1/ssl/
    ls -l /etc/letsencrypt/*/hocus-02.example.com
    ls -l /usr/local/ispconfig/interface/ssl/
    
     
  5. Code:
    Checking /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.crt OK
    Checking /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.key OK
    Checking that key and certificate match FAILED!
    All the other vhosts are OK.
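The check the thread's script performs (and the one Apache runs before raising AH02565) is whether the public key inside the certificate equals the public key derived from the private key. The following is an added example, not the cert_check.sh script from the thread; it compares public keys rather than RSA moduli, so it also works for EC keys, and it takes the certificate and key paths as arguments so you can point it at the files Apache actually loads (SSLCertificateFile and SSLCertificateKeyFile) rather than only at /etc/letsencrypt/live. The hocus-02 paths in the usage comment are the thread's; whether they exist on your host is an assumption.

```shell
#!/bin/sh
# Added example (not the thread's cert_check.sh). Requires the openssl CLI.

# cert_pubkey CERT -> SHA-256 of the certificate's SubjectPublicKeyInfo (DER).
# openssl x509 reads only the first certificate in the file, so on a
# fullchain.pem this is the leaf's key, which is exactly what must match.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# key_pubkey KEY -> SHA-256 of the public key derived from the private key (DER)
key_pubkey() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# keypair_matches CERT KEY -> exit 0 if they belong together, 1 otherwise.
# An unreadable or non-PEM file yields an empty digest and therefore a mismatch.
keypair_matches() {
    c=$(cert_pubkey "$1")
    k=$(key_pubkey "$2")
    [ -n "$c" ] && [ -n "$k" ] && [ "$c" = "$k" ]
}

# check_vhost CERT KEY -> prints a report in the same style as the thread's
# script and returns 0 when the pair matches, 1 otherwise
check_vhost() {
    for f in "$1" "$2"; do
        if [ -r "$f" ]; then
            printf 'Checking %s OK\n' "$f"
        else
            printf 'Checking %s MISSING\n' "$f"
            return 1
        fi
    done
    if keypair_matches "$1" "$2"; then
        echo "Checking that key and certificate match OK"
    else
        echo "Checking that key and certificate match FAILED!"
        return 1
    fi
}

# Usage with the paths from the thread (assumed to exist on the host):
# check_vhost /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.crt \
#             /var/www/clients/client0/web1/ssl/hocus-02.example.com-le.key
# check_vhost /etc/letsencrypt/live/hocus-02.example.com/fullchain.pem \
#             /etc/letsencrypt/live/hocus-02.example.com/privkey.pem
```

Running it against both the vhost's -le.crt/-le.key pair and the live fullchain.pem/privkey.pem pair tells you which copy is inconsistent when the two differ.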
     
  6. Maybe something... look at the date of element 23: chain and fullchain have 10 December, cert and key have 4 January.

    Looks strange, any idea how to solve it?

    Code:
    -rw-r--r-- 1 root root 2277 ott 19  2019 cert10.pem
    -rw-r--r-- 1 root root 2277 dic 19  2019 cert11.pem
    -rw-r--r-- 1 root root 2277 feb 17  2020 cert12.pem
    -rw-r--r-- 1 root root 2277 apr 17  2020 cert13.pem
    -rw-r--r-- 1 root root 2277 giu 16  2020 cert14.pem
    -rw-r--r-- 1 root root 2277 ago 15  2020 cert15.pem
    -rw-r--r-- 1 root root 2277 ott 14  2020 cert16.pem
    -rw-r--r-- 1 root root 2208 dic 14  2020 cert17.pem
    -rw-r--r-- 1 root root 2208 feb 12  2021 cert18.pem
    -rw-r--r-- 1 root root 2208 apr 13  2021 cert19.pem
    -rw-r--r-- 1 root root 2516 apr 27  2018 cert1.pem
    -rw-r--r-- 1 root root 2208 giu 12  2021 cert20.pem
    -rw-r--r-- 1 root root 2208 ago 11 21:44 cert21.pem
    -rw-r--r-- 1 root root 2208 ott 11 03:00 cert22.pem
    -rw-r--r-- 1 root root 1923 gen  4 17:00 cert23.pem
    -rw-r--r-- 1 root root 2520 giu 26  2018 cert2.pem
    -rw-r--r-- 1 root root 2516 ago 25  2018 cert3.pem
    -rw-r--r-- 1 root root 2516 ott 24  2018 cert4.pem
    -rw-r--r-- 1 root root 2277 dic 23  2018 cert5.pem
    -rw-r--r-- 1 root root 2277 feb 21  2019 cert6.pem
    -rw-r--r-- 1 root root 2277 apr 22  2019 cert7.pem
    -rw-r--r-- 1 root root 2277 giu 21  2019 cert8.pem
    -rw-r--r-- 1 root root 2273 ago 20  2019 cert9.pem
    -rw-r--r-- 1 root root 1647 ott 19  2019 chain10.pem
    -rw-r--r-- 1 root root 1647 dic 19  2019 chain11.pem
    -rw-r--r-- 1 root root 1647 feb 17  2020 chain12.pem
    -rw-r--r-- 1 root root 1647 apr 17  2020 chain13.pem
    -rw-r--r-- 1 root root 1647 giu 16  2020 chain14.pem
    -rw-r--r-- 1 root root 1647 ago 15  2020 chain15.pem
    -rw-r--r-- 1 root root 1647 ott 14  2020 chain16.pem
    -rw-r--r-- 1 root root 1586 dic 14  2020 chain17.pem
    -rw-r--r-- 1 root root 1586 feb 12  2021 chain18.pem
    -rw-r--r-- 1 root root 1586 apr 13  2021 chain19.pem
    -rw-r--r-- 1 root root 1647 apr 27  2018 chain1.pem
    -rw-r--r-- 1 root root 3750 giu 12  2021 chain20.pem
    -rw-r--r-- 1 root root 3750 ago 11 21:44 chain21.pem
    -rw-r--r-- 1 root root 3750 ott 11 03:00 chain22.pem
    -rw-r--r-- 1 root root 3750 dic 10 03:00 chain23.pem
    -rw-r--r-- 1 root root 1647 giu 26  2018 chain2.pem
    -rw-r--r-- 1 root root 1647 ago 25  2018 chain3.pem
    -rw-r--r-- 1 root root 1647 ott 24  2018 chain4.pem
    -rw-r--r-- 1 root root 1647 dic 23  2018 chain5.pem
    -rw-r--r-- 1 root root 1647 feb 21  2019 chain6.pem
    -rw-r--r-- 1 root root 1647 apr 22  2019 chain7.pem
    -rw-r--r-- 1 root root 1647 giu 21  2019 chain8.pem
    -rw-r--r-- 1 root root 1647 ago 20  2019 chain9.pem
    -rw-r--r-- 1 root root 3924 ott 19  2019 fullchain10.pem
    -rw-r--r-- 1 root root 3924 dic 19  2019 fullchain11.pem
    -rw-r--r-- 1 root root 3924 feb 17  2020 fullchain12.pem
    -rw-r--r-- 1 root root 3924 apr 17  2020 fullchain13.pem
    -rw-r--r-- 1 root root 3924 giu 16  2020 fullchain14.pem
    -rw-r--r-- 1 root root 3924 ago 15  2020 fullchain15.pem
    -rw-r--r-- 1 root root 3924 ott 14  2020 fullchain16.pem
    -rw-r--r-- 1 root root 3794 dic 14  2020 fullchain17.pem
    -rw-r--r-- 1 root root 3794 feb 12  2021 fullchain18.pem
    -rw-r--r-- 1 root root 3794 apr 13  2021 fullchain19.pem
    -rw-r--r-- 1 root root 4163 apr 27  2018 fullchain1.pem
    -rw-r--r-- 1 root root 5958 giu 12  2021 fullchain20.pem
    -rw-r--r-- 1 root root 5958 ago 11 21:44 fullchain21.pem
    -rw-r--r-- 1 root root 5958 ott 11 03:00 fullchain22.pem
    -rw-r--r-- 1 root root 5958 dic 10 03:00 fullchain23.pem
    -rw-r--r-- 1 root root 4167 giu 26  2018 fullchain2.pem
    -rw-r--r-- 1 root root 4163 ago 25  2018 fullchain3.pem
    -rw-r--r-- 1 root root 4163 ott 24  2018 fullchain4.pem
    -rw-r--r-- 1 root root 3924 dic 23  2018 fullchain5.pem
    -rw-r--r-- 1 root root 3924 feb 21  2019 fullchain6.pem
    -rw-r--r-- 1 root root 3924 apr 22  2019 fullchain7.pem
    -rw-r--r-- 1 root root 3924 giu 21  2019 fullchain8.pem
    -rw-r--r-- 1 root root 3920 ago 20  2019 fullchain9.pem
    -rw-r--r-- 1 root root 3272 ott 19  2019 privkey10.pem
    -rw-r--r-- 1 root root 3272 dic 19  2019 privkey11.pem
    -rw-r--r-- 1 root root 3272 feb 17  2020 privkey12.pem
    -rw-r--r-- 1 root root 3272 apr 17  2020 privkey13.pem
    -rw-r--r-- 1 root root 3272 giu 16  2020 privkey14.pem
    -rw-r--r-- 1 root root 3268 ago 15  2020 privkey15.pem
    -rw-r--r-- 1 root root 3268 ott 14  2020 privkey16.pem
    -rw-r--r-- 1 root root 3272 dic 14  2020 privkey17.pem
    -rw-r--r-- 1 root root 3272 feb 12  2021 privkey18.pem
    -rw-r--r-- 1 root root 3272 apr 13  2021 privkey19.pem
    -rw-r--r-- 1 root root 3272 apr 27  2018 privkey1.pem
    -rw-r--r-- 1 root root 3272 giu 12  2021 privkey20.pem
    -rw-r--r-- 1 root root 3272 ago 11 21:44 privkey21.pem
    -rw-r--r-- 1 root root 3272 ott 11 03:00 privkey22.pem
    -rw-r--r-- 1 root root 3272 gen  4 17:00 privkey23.pem
    -rw-r--r-- 1 root root 3268 giu 26  2018 privkey2.pem
    -rw-r--r-- 1 root root 3272 ago 25  2018 privkey3.pem
    -rw-r--r-- 1 root root 3272 ott 24  2018 privkey4.pem
    -rw-r--r-- 1 root root 3272 dic 23  2018 privkey5.pem
    -rw-r--r-- 1 root root 3272 feb 21  2019 privkey6.pem
    -rw-r--r-- 1 root root 3272 apr 22  2019 privkey7.pem
    -rw-r--r-- 1 root root 3272 giu 21  2019 privkey8.pem
    -rw-r--r-- 1 root root 3272 ago 20  2019 privkey9.pem
     
  7. Jesse Norell (ISPConfig Developer, Staff Member)

    Perhaps some files got overwritten with an errant openssl command? I would either try to renew from the CLI (I think "certbot renew --cert-name hocus-02.example.com --force-renewal" to force), or disable LetsEncrypt on the site, manually delete the certificate, then enable it again.
     
  8. Solved by moving the vhost's certificate archive folder, requesting a new certificate and changing the symbolic links in the live folder.
    Code:
    mv /etc/letsencrypt/archive/hocus-02.example.com /etc/letsencrypt/archive/hocus-02.example.com-bak
    
    certbot certonly .........
    
    mv /etc/letsencrypt/archive/hocus-02.example.com-0001 /etc/letsencrypt/archive/hocus-02.example.com
    
    cd /etc/letsencrypt/live/hocus-02.example.com/
    ln -sf ../../archive/hocus-02.example.com/cert1.pem cert.pem
    ln -sf ../../archive/hocus-02.example.com/chain1.pem chain.pem
    ln -sf ../../archive/hocus-02.example.com/fullchain1.pem fullchain.pem
    ln -sf ../../archive/hocus-02.example.com/privkey1.pem privkey.pem
    
    systemctl start apache2
     