Hi, I'm running the latest ISPConfig on an upgraded Debian 11, coming from Debian 6 or so. Initially I followed the set-up guidelines for Debian and created my own self-signed certificates on my latest, longer running installation (Debian 8) for pretty much everything, including a separately installed OpenVPN server with a couple of mobile clients. Given recent browser and OS (mobile) updates making the use of self-certified certificates pretty hard, I wanted to move to Let's Encrypt for the ISPC Panel, websites, mail and FTP server. I run a box with all services running on a single machine. DNS is provided by my hoster, from which I rented a full-access dedicated server. The hostname is pre-set by the hoster and the DNS entries for the host are managed by them; besides that, everything is open for configuration by myself. I ran the update with --force, configured all services (except DNS) newly and let the script create new certs. However, the SSL certificates for the webserver are not getting created due to a 'redirect loop detected' error, which I can see in the letsencrypt log. I tried to delete existing certs in the acme.sh folder, played around with the DNS configuration on my hoster's config page, changed the vhost entries in the ISPC Panel, but nothing seems to work. If you have any further ideas how to at least narrow down the issue, please let me know which information I should provide - and how to post log information on this forum. Thanks in advance, AphX
Thank you for the fast response! Unfortunately it didn't help. I can reach the ISPC Panel using IP or hostname under port 8080 with https, so I guess getting a cert is not the problem. In addition I can reach the websites using domain.tld and www.domain.tld, so that is fine as well. However, in the log I still see the 'redirect loop' problem.

[Thu 20 Jan 2022 03:06:08 AM CET] Pending, The CA is processing your order, please just wait. (1/30)
[Thu 20 Jan 2022 03:06:08 AM CET] sleep 2 secs to verify again
[Thu 20 Jan 2022 03:06:10 AM CET] checking
[Thu 20 Jan 2022 03:06:10 AM CET] url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/70009903130/l3pZ2w'
[Thu 20 Jan 2022 03:06:10 AM CET] payload
[Thu 20 Jan 2022 03:06:10 AM CET] POST
[Thu 20 Jan 2022 03:06:10 AM CET] _post_url='https://acme-v02.api.letsencrypt.org/acme/chall-v3/70009903130/l3pZ2w'
[Thu 20 Jan 2022 03:06:10 AM CET] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L '
[Thu 20 Jan 2022 03:06:11 AM CET] _ret='0'
[Thu 20 Jan 2022 03:06:11 AM CET] code='200'
[Thu 20 Jan 2022 03:06:11 AM CET] domain.tld:Verify error:Fetching eu?ref=domain.tld: Redirect loop detected
[Thu 20 Jan 2022 03:06:11 AM CET] pid
[Thu 20 Jan 2022 03:06:11 AM CET] No need to restore nginx, skip.
[Thu 20 Jan 2022 03:06:11 AM CET] _clearupdns
[Thu 20 Jan 2022 03:06:11 AM CET] dns_entries
[Thu 20 Jan 2022 03:06:11 AM CET] skip dns.
[Thu 20 Jan 2022 03:06:11 AM CET] _on_issue_err
[Thu 20 Jan 2022 03:06:11 AM CET] Please check log file for more details: /var/log/ispconfig/acme.log

In addition I see postfix and dovecot having problems with ssl as well:

Jan 20 02:42:09 85-31-186-17 dovecot: lmtp(1427671): Error: SSL context initialization failed, disabling SSL: Can't load DH parameters (ssl_dh setting): error:1408518A:SSL routines:ssl3_ctx_ctrl:dh key too small

Postfix writes a warning to the syslog that /var/spool/postfix/etc/ssl/certs/ca-certificates.cert and /etc/ssl/certs/ca-certificates.cert differ. Let me know in case you need more output. Thanks again. Highly appreciated! Cheers, AphX
Unless you assign mail LE certs manually, postfix and dovecot LE certs should use the same as the server itself. I think the error shows that you should check if you have proper dhparams file for them at /etc/dovecot/dh.pem. By default ISPConfig did create that file in 2048 bit. Try force update ISPConfig and see if that could solve your problem related to them. I am not sure about your loop problem though.
I had manually assigned self-certified certs in the past. Now I just ran a forced update and let ISPC do everything, including creating the symlinks for postfix and pureFTP; not sure if dovecot just picks up the postfix ones in the process. If ISPC did create it with 2048 during the forced update, what would be the expected standard bit length for dovecot? I did not change anything - might have in the past. Thanks for your help.
Yes, normally it should work, but do check if the ISPConfig install logs say otherwise (like failing to create it, etc.), or test your server after you have finished running the update.
Do you have a custom ispconfig vhost or nginx config? Those must be maintained with changes from the upstream templates, including the statement for how to handle acme-challenge requests. A redirect loop can happen when the acme-challenge doesn't get handled correctly.
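The post above describes how a redirect loop shows up when acme-challenge requests are not handled before the vhost's redirects. The following added example (not ISPConfig's or acme.sh's code) reproduces the kind of request acme.sh makes for an HTTP-01 challenge with the same curl options seen in the log (--dump-header plus -L), prints the chain of Location targets, and flags a loop when a target repeats. It assumes curl and a POSIX shell; domain.tld is a placeholder, and the probe path is a made-up token that the server is not expected to serve.

```shell
#!/bin/sh
# Added example, not ISPConfig's or acme.sh's own code.
# Assumes: curl, POSIX sh/sed/sort/uniq; domain.tld is a placeholder.

# Probe the challenge path the way acme.sh fetches it, following up to
# 10 redirects, and save the headers of every hop to the file named in $2.
probe_acme_path() {
    domain="$1"; header_file="$2"
    curl --silent --output /dev/null --location --max-redirs 10 \
         --dump-header "$header_file" \
         "http://$domain/.well-known/acme-challenge/probe-$$"
}

# Print the Location target of each redirect hop, one per line.
redirect_chain() {
    sed -n 's/^[Ll]ocation:[[:space:]]*//p' "$1" | tr -d '\r'
}

# True (exit 0) when a Location target repeats, i.e. the challenge request
# bounces (for example http -> https -> http) instead of reaching the webroot.
has_redirect_loop() {
    redirect_chain "$1" | sort | uniq -d | grep -q .
}

# Report the chain and a verdict for one domain (needs network access).
check_domain() {
    header_file=$(mktemp)
    probe_acme_path "$1" "$header_file" || true
    echo "Redirect chain for $1:"
    redirect_chain "$header_file" | sed 's/^/  -> /'
    if has_redirect_loop "$header_file"; then
        echo "LOOP: acme-challenge requests never reach the vhost webroot"
    else
        echo "no loop; verify the final hop is served from the vhost webroot"
    fi
    rm -f "$header_file"
}

# Usage: check_domain domain.tld; check_domain www.domain.tld
```

The printed chain shows which host and scheme each hop redirects to, so a hop that leaves the domain (the "eu?ref=domain.tld" target in the log above points somewhere other than the vhost) is visible even when acme.sh only reports the final "Redirect loop detected".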
I checked the ispconfig_install.log and it shows no obvious irregularities. Everything seems to get properly 'executed' and 'configured'. Which term should I grep for to detect deviations?
The param file turns out to be empty? Zero bit length. Might it be worthwhile to reinstall postfix and dovecot to force "proper" creation of those files, or would it break ISPConfig?
No need to reinstall postfix or dovecot, just create a new dhparam file, e.g.:

openssl dhparam -out /path/to/dhparam.file 2048

Just replace /path/to/dhparam.file with the correct path to the file.
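Since the thread found an empty dh.pem, here is an added helper script (not ISPConfig's own code) that wraps the openssl command above: it reads the prime size out of an existing DH parameter file, treats a missing, empty or too-short file as needing regeneration, and regenerates into a temporary file before moving it into place so that dovecot or postfix never read a half-written file. It assumes openssl and a POSIX shell; the file path and 2048-bit minimum are taken from this thread.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code. Assumes openssl and POSIX sh.

# Print the prime size in bits of a PEM DH parameter file, or 0 when the
# file is missing, empty or cannot be parsed (an empty file is exactly the
# "dh key too small" / zero-bit case seen in the dovecot log).
dhparam_bits() {
    file="$1"
    [ -s "$file" ] || { echo 0; return 0; }
    # openssl prints a line such as "DH Parameters: (2048 bit)"
    bits=$(openssl dhparam -in "$file" -noout -text 2>/dev/null \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    echo "${bits:-0}"
}

# True (exit 0) when the file is below the minimum size (default 2048).
dhparam_needs_regen() {
    file="$1"; min_bits="${2:-2048}"
    bits=$(dhparam_bits "$file")
    [ "$bits" -lt "$min_bits" ]
}

# Generate new parameters into a temp file next to the target, then move it
# into place atomically. DH parameters are public, so 0644 is fine.
dhparam_regen() {
    file="$1"; bits="${2:-2048}"
    tmp="$file.tmp.$$"
    openssl dhparam -out "$tmp" "$bits" && chmod 644 "$tmp" && mv "$tmp" "$file"
}

# Regenerate only when needed; returns non-zero if generation failed.
ensure_dhparam() {
    file="$1"; bits="${2:-2048}"
    if dhparam_needs_regen "$file" "$bits"; then
        echo "$file: $(dhparam_bits "$file") bit, regenerating with $bits bit"
        dhparam_regen "$file" "$bits"
    else
        echo "$file: $(dhparam_bits "$file") bit, ok"
    fi
}

# Usage (path from this thread): ensure_dhparam /etc/dovecot/dh.pem 2048
```

Generating 2048-bit parameters can take a few minutes; because the script only writes the final file after openssl has finished, a service reload during generation still sees the old (or, as here, empty) file rather than a truncated one. After regeneration, restart dovecot and postfix so they reload the file.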
I also use nginx, and to make sure I don't need to update things in two places, my /etc/dovecot/dh.pem is actually just a symbolic link to /etc/nginx/cert/dhparam.pem That way, if one of them gets updated, so does the other...
That is good. On how to test your ISPConfig server, I just follow the Please read before posting instructions mostly; https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ Mine is 4096 bit only at /etc/ssl/private/ where it is used via symbolic link for all services that need it like postfix, dovecot, pure-ftpd, nginx, etc, but I never update it so far. There may be a warning for using symbolic link but I think that is nothing to be worried about.