Good day, I have a fresh install of Debian 11 which was configured with the ispconfig auto install script and I am having issues with SSL. I am not getting a cert for the server itself or any domain I add to the machine. I have followed the troubleshooting procedure, disabling the cronjob and running the server looking for errors. I don't see any. I am hoping someone can assist. Here are the server particulars:

Code:
root@dinero-1-us-southeast:~# hostname
dinero-1-us-southeast
root@dinero-1-us-southeast:~# hostname -f
dinero-1-us-southeast.acmealliedllc.com
root@dinero-1-us-southeast:~#
root@dinero-1-us-southeast:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 170.187.155.15  netmask 255.255.255.0  broadcast 170.187.155.255
        inet6 fe80::f03c:93ff:fef1:f8c8  prefixlen 64  scopeid 0x20<link>
        inet6 2600:3c02::f03c:93ff:fef1:f8c8  prefixlen 64  scopeid 0x0<global>

Code:
root@dinero-1-us-southeast:~# cat htf_report.txt | more

##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)
[INFO] uptime:  08:51:52 up 16 min,  1 user,  load average: 0.07, 0.58, 0.59
[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:           976Mi       267Mi       315Mi        29Mi       393Mi       536Mi
Swap:          511Mi       275Mi       236Mi

[INFO] systemd failed services status:
  UNIT                  LOAD   ACTIVE SUB    DESCRIPTION
● clamav-daemon.service loaded failed failed Clam AntiVirus userspace daemon

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
1 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.7p1

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.28
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.28

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
        Apache 2 (PID 176285)
[INFO] I found the following mail server(s):
        Postfix (PID 176225)
[INFO] I found the following pop3 server(s):
        Dovecot (PID 176243)
[INFO] I found the following imap server(s):
        Dovecot (PID 176243)
[INFO] I found the following ftp server(s):
        PureFTP (PID 176445)

##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
Also the Let's Encrypt log looks like:

Code:
[Fri 04 Mar 2022 09:06:13 AM UTC] Lets find script dir.
[Fri 04 Mar 2022 09:06:13 AM UTC] _SCRIPT_='/root/.acme.sh/acme.sh'
[Fri 04 Mar 2022 09:06:13 AM UTC] _script='/root/.acme.sh/acme.sh'
[Fri 04 Mar 2022 09:06:13 AM UTC] _script_home='/root/.acme.sh'
[Fri 04 Mar 2022 09:06:13 AM UTC] Using default home:/root/.acme.sh
[Fri 04 Mar 2022 09:06:13 AM UTC] Using config home:/root/.acme.sh
[Fri 04 Mar 2022 09:06:13 AM UTC] Running cmd: installcert
[Fri 04 Mar 2022 09:06:13 AM UTC] Using config home:/root/.acme.sh
[Fri 04 Mar 2022 09:06:13 AM UTC] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Fri 04 Mar 2022 09:06:13 AM UTC] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri 04 Mar 2022 09:06:13 AM UTC] DOMAIN_PATH='/root/.acme.sh/acmealliedllc.com'
[Fri 04 Mar 2022 09:06:13 AM UTC] Installing key to: /var/www/clients/client1/web1/ssl/acmealliedllc.com-le.key
[Fri 04 Mar 2022 09:06:13 AM UTC] Installing full chain to: /var/www/clients/client1/web1/ssl/acmealliedllc.com-le.crt
[Fri 04 Mar 2022 09:06:13 AM UTC] Run reload cmd: systemctl force-reload apache2.service
[Fri 04 Mar 2022 09:06:13 AM UTC] Reload success
Your acme log shows a certificate was obtained for a website acmealliedllc.com, by chance did you add the server's hostname (dinero-1-us-southeast.acmealliedllc.com) as a subdomain there? If so, remove the symlinks in /usr/local/ispconfig/ssl/ and recreate them pointing to the files in /var/www/clients/client1/web1/ssl/.
The instructions for the installation script call for the addition of the fqdn of the server to the hosts file. I assume that is how it knows how to get a cert for that domain? After the install I added the website for that domain as well as dns. I haven't a clue how to symlink anything but I'll root around for a method. Thanks.
The hostname of a server must be a subdomain, something like server1.yourdomain.tld. Do not use just the domain name, e.g. yourdomain.tld, as server hostname. If you would use just the domain, SSL for ISPConfig and even mail delivery will fail.
Hi Till, thanks for the reply. Here is how I have it set up:

Code:
root@dinero-1-us-southeast:~# hostname
dinero-1-us-southeast
root@dinero-1-us-southeast:~# hostname -f
dinero-1-us-southeast.acmealliedllc.com
There is no A record dinero-1-us-southeast.acmealliedllc.com, so creating a certificate is not possible.
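The three conditions this thread turned on (hostname is a subdomain, the FQDN has a public A record pointing at the box, the ISPConfig links are not dangling) as one preflight script; this is an added example, not code from the thread or from ISPConfig. It assumes dig is installed and that the link files in /usr/local/ispconfig/ssl/ are named ispserver.crt and ispserver.key, which the thread does not state.

```shell
#!/bin/sh
# Added preflight check; not from the thread and not ISPConfig code. It tests
# the three things the replies above found to matter before acme.sh is asked
# for the server certificate. Assumptions: dig is installed, and the ISPConfig
# link names are ispserver.crt / ispserver.key (the thread only names the dir).
ISPCONFIG_SSL=/usr/local/ispconfig/ssl

# 1. The server hostname must be a subdomain (host.domain.tld, 3+ labels),
#    never the bare registrable domain. Returns 0 when it is a subdomain.
is_subdomain_hostname() {
    case "$1" in
        *.*.*) return 0 ;;
        *)     return 1 ;;
    esac
}

# 2. Compare the A record the world sees with this host's own addresses.
#    The resolved address is passed in as $3 so the logic runs without
#    network. Prints one of: no-a-record | mismatch | ok
classify_a_record() {
    local_ips=$2
    resolved=$3
    [ -n "$resolved" ] || { echo no-a-record; return 0; }
    for ip in $local_ips; do
        [ "$ip" = "$resolved" ] && { echo ok; return 0; }
    done
    echo mismatch
}

# 3. Where does an ISPConfig certificate link point? A link into a web's
#    ssl/ directory (as suggested above) is fine; a dangling link is not.
link_state() {
    [ -L "$1" ] || { echo not-a-symlink; return 0; }
    if [ -e "$1" ]; then echo "ok -> $(readlink "$1")"; else echo "dangling -> $(readlink "$1")"; fi
}

preflight() {
    fqdn=$(hostname -f)
    is_subdomain_hostname "$fqdn" || echo "FAIL: $fqdn is a bare domain; use something like server1.$fqdn"
    ips=$(hostname -I 2>/dev/null)                                  # every local address
    a=$(dig +short A "$fqdn" | grep -E '^[0-9.]+$' | head -n 1)     # public DNS only; /etc/hosts is ignored, as Let's Encrypt ignores it
    echo "A record for $fqdn: $(classify_a_record "$fqdn" "$ips" "$a")"
    for f in ispserver.crt ispserver.key; do
        echo "$ISPCONFIG_SSL/$f: $(link_state "$ISPCONFIG_SSL/$f")"
    done
}

case "${1:-}" in run) preflight ;; esac     # run with: sh preflight.sh run
```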
Hey Thom, thanks for pointing that out. Seems obvious now that I look at it. It solved the problem for any sites I add to the ispconfig. But I can't use SSL to get to https://acmealliedllc.com:8080. I am happy with this success, however; thanks again. I have reissued the cert manually with acme.sh but it has not solved the last little problem.
If your server hostname is dinero-1-us-southeast.acmealliedllc.com, then ISPConfig is accessed through that hostname only and not acmealliedllc.com. Using acmealliedllc.com must return an SSL error, as it's the wrong URL to access ISPConfig.
ISPConfig should not be accessed through acmealliedllc.com, so this SSL error must occur when you use a wrong URL. The only URL that should be used to access ISPConfig is the server hostname.