ispconfig 3.2.8p1 fresh install (apache2) - Letsencrypt/Acme - no symlink in SSL

Discussion in 'General' started by Yickles, Mar 30, 2022.

  1. Yickles

    Yickles New Member

    Well, the topic says it all...
    I recently installed ispconfig 3.2.8p1 and tried to get Let's Encrypt working on a website.
    I see the acme script does its job and places the files in /root/.acme(etc...)

    However, in /var/www/[website]/ssl/ there is no symlink created.

    Also, the vhost doesn't seem to have the listen 443 added...

    Something's wrong somewhere; I can't figure out what, or where to start...
    If someone can help, give some tips?

    thanks
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Yickles

    Yickles New Member

    Thanks @Taleman, but I already read that..
    and the problem is not "Let's Encrypt not working"...

    as the logs show:
    [Wed 30 Mar 2022 04:55:17 PM UTC] Cert success.
    [Wed 30 Mar 2022 04:55:17 PM UTC] Your cert is in: /root/.acme.sh/xxxxxxxxxxxxxxxxxxxxxxxxxxx

    but the fact is that once the certs are stored in /root/.acme.sh, they are not symlinked to /var/www/xxx/ssl,
    and https on the site is not working
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Try unchecking (save) and rechecking (save) the LE SSL box. Since the LE certs are already created, it should attempt to install the LE certs to that web ssl folder again. Yeah, the LE certs are installed and not symlinked if you use acme.sh as LE client in your ISPConfig server, as far as I know, that is.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    There should not be any symlinks as certbot does not use symlinks at all. acme.sh copies the SSL cert to the SSL folder of the site instead. So the absence of symlinks is not an indication of a failure, it's actually the opposite. A link to the Let's Encrypt FAQ was already posted; it contains all the steps you have to follow to find the reason for your issue, and you do not seem to have done the last step yet, which would have shown you the reason for your problem.
     
    Last edited: Mar 31, 2022
    Th0m likes this.
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I think you put certbot here, but intended to say acme.sh, as it is certbot which uses symlinks, and acme.sh does not (which the OP is using).
     
    till likes this.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, indeed. Thanks for correcting me. I've changed my post and made the word bold now.
     
  8. Yickles

    Yickles New Member

    Ok thanks, I'll recheck the link... perhaps there's missing configuration in acme.sh, as it doesn't copy the files to the SSL folder of the site...

    Is it also this script which is supposed to make sure the sites-enabled/900 vhost file is updated with listen 443?

    because for some reason I didn't see that file updated either.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The answer to both questions is to use debug mode, see the link to the tutorial on how to activate debug mode in Let's Encrypt FAQ.
     
  10. Yickles

    Yickles New Member

    After following the "debug" procedure, it seems the issue comes from there... below in bold... however, I'm not sure what to modify to fix it...

    31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    31.03.2022-18:20 - DEBUG [letsencrypt.inc:391] - Verified domain xxxxxx.com should be reachable for letsencrypt.
    31.03.2022-18:20 - DEBUG [letsencrypt.inc:391] - Verified domain www.xxxxxx.com should be reachable for letsencrypt.
    31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    31.03.2022-18:20 - DEBUG [system.inc:2082] - Trying to use Systemd to restart service
    31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    31.03.2022-18:20 - DEBUG [letsencrypt.inc:430] - Create Let's Encrypt SSL Cert for: xxxxx.com
    31.03.2022-18:20 - DEBUG [letsencrypt.inc:431] - Let's Encrypt SSL Cert domains:
    31.03.2022-18:20 - DEBUG [system.inc:1819] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d xxxxxx.com -d www.xxxxxx.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d xxxxxx.com -d www.xxxxxx.com --key-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi

    sh: 1: [[: not found
    sh: 1: 2: not found
    sh: 1: [[: not found

    31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
     
  11. Yickles

    Yickles New Member

    I ran this manually:
    /root/.acme.sh/acme.sh --issue -d xxxxxx.com -d www.xxxxxx.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096

    then this:
    /root/.acme.sh/acme.sh --install-cert -d xxxxxx.com -d www.xxxxxx.com --key-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'

    and the SSL files are stored correctly...

    Weird though...

    Still missing the modification of the /etc/apache2/sites-enabled/900-xxx.com.vhost file, which doesn't contain: <VirtualHost *:443>

    (sorry, still bothering you :p)... I guess there might be something else wrong
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    This means you replaced the bash shell with a less capable alternative on your system, the dash shell. Run:

    dpkg-reconfigure dash

    and choose 'no' in the dialogue that appears. Btw, this command is run if you followed any of our install guides for ISPConfig, so you must have skipped that important part of the installation.
     
    Last edited: Mar 31, 2022
    Yickles likes this.
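
The wrapper in the debug log above fails under dash because `[[ ... ]]` is a bash builtin, not a POSIX command: dash looks for a program named `[[`, prints `[[: not found`, and then tries to run `2 -eq 2 ]]` as a command (`2: not found`, which is what the log shows when `$R` has expanded to 2). Because the final `if [[ $C -eq 0 ]]` also fails, the `else exit $C` branch runs with `C` still 0, so the wrapper exits 0 with `--install-cert` never executed: ISPConfig records no error and the site's ssl/ directory stays empty. The script below is an added example, not ISPConfig's own code; it reimplements the same control flow with POSIX `[ ]` tests so it behaves identically under bash and dash, and adds two diagnostic helpers. Function names (`sh_target`, `supports_double_bracket`, `issue_then_install`) are this example's own, and the issue/install steps are passed in as command strings so stand-ins replace the real acme.sh calls (which, as the thread warns, should not be run by hand for an ISPConfig site).

```shell
#!/bin/sh
# Added example, not ISPConfig's own code. It reproduces the control flow of
# the acme.sh wrapper from the debug log with POSIX "[ ]" tests, so it behaves
# the same whether /bin/sh is bash or dash. The issue and install steps are
# passed in as command strings so stand-ins can replace the real acme.sh calls.

# Report what /bin/sh resolves to. On Debian/Ubuntu it is dash unless
# "dpkg-reconfigure dash" was answered "no".
sh_target() {
    readlink -f /bin/sh 2>/dev/null || ls -l /bin/sh
}

# Feed the bash-only "[[ ... ]]" test from the log to the given shell.
# bash returns 0; dash prints "[[: not found" / "2: not found" and returns 127.
supports_double_bracket() {
    "$1" -c 'R=2; [[ $R -eq 0 || $R -eq 2 ]]' 2>/dev/null
}

# Portable form of the wrapper:
#   run ISSUE and keep its code in R; run INSTALL only if R is 0 (new cert)
#   or 2 (acme.sh: existing cert not yet due for renewal); report an INSTALL
#   failure first, otherwise ISSUE's code.
# Under dash the original "[[" commands are not found, INSTALL is skipped,
# and "else exit $C" exits 0: ISPConfig sees success and ssl/ stays empty.
issue_then_install() {
    issue_cmd=$1
    install_cmd=$2
    R=0; C=0
    eval "$issue_cmd"; R=$?
    if [ "$R" -eq 0 ] || [ "$R" -eq 2 ]; then
        eval "$install_cmd"; C=$?
    fi
    if [ "$C" -eq 0 ]; then
        return "$R"
    fi
    return "$C"
}

# Stand-alone demonstration with stand-in commands (no acme.sh is run).
echo "/bin/sh -> $(sh_target)"
if supports_double_bracket /bin/sh; then
    echo '/bin/sh accepts [[ ]] (bash)'
else
    echo '/bin/sh rejects [[ ]] (dash): the original wrapper breaks here'
fi
rc=0; issue_then_install '(exit 2)' 'echo "install step ran"' || rc=$?
echo "issue=2, install=0 -> wrapper exit $rc"
rc=0; issue_then_install '(exit 1)' 'echo "install step ran"' || rc=$?
echo "issue=1 -> install skipped, wrapper exit $rc"
```

`supports_double_bracket /bin/sh` is the quick check to run on a server whose ISPConfig debug log shows `[[: not found`; `sh_target` shows whether `/bin/sh` points at `dash` or `bash`, which is what `dpkg-reconfigure dash` changes.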
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Don't run this command, so as not to break your setup. The site won't get SSL by running this command, plus renewals might fail in the future, so more repair work needs to be done if you really ran this on a server. The simple rule is: never run a certbot or acme.sh command manually for any site created in ISPConfig.
     
  14. Yickles

    Yickles New Member

    I misread and answered "yes" instead of "no"... answering "no" works much better
    (English is not my native language, as you might have noticed... it requires me to be more focused..)

    No more "error" in the debug process.

    The certificate is there, in the correct SSL directory...


    However, for some reason, when I access the website it redirects to no http and says that the certificate is not
    valid for (https://www.domaine.com)... (as the site in ispconfig is defined as "domain.com" with "*" in auto subdomain)

    I'm sure it worked with the same site configuration on the previous server...
     
  15. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Adding "*" as subdomain won't work with Let's Encrypt, so you'll only have a valid cert for the main domain, without www.
    So change the subdomain setting to www
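
When a browser reports the certificate as not valid for https://www.<domain>, the first thing to check is which host names the installed certificate actually lists in its subjectAltName; the issuance in the debug log (`-d xxxxxx.com -d www.xxxxxx.com`, webroot `-w` validation) can only produce exactly the names passed with `-d`, and a wildcard entry only appears in a certificate obtained through the DNS-01 challenge, which the webroot method does not use. The script below is an added example, not ISPConfig's or acme.sh's code. It builds a throw-away self-signed certificate with a constructed SAN list (example.com stands in for the thread's xxxxxx.com) and checks coverage of a few names, including correct wildcard matching; `make_cert`, `cert_sans` and `cert_covers` are this example's own helpers, and it assumes an OpenSSL 1.1.1 or newer command line (for `-addext` and `-ext`). On a real server, point `cert_covers` at the `--fullchain-file` path from the log, /var/www/clients/clientN/webN/ssl/<domain>-le.crt.

```shell
#!/bin/sh
# Added example, not ISPConfig's or acme.sh's code. It builds a throw-away
# self-signed certificate with a constructed SAN list and then checks which
# host names that certificate covers, including wildcard entries.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert OUTFILE SAN-LIST: self-signed test cert (needs OpenSSL >= 1.1.1).
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/key.pem" -out "$1" \
        -subj "/CN=example.com" \
        -addext "subjectAltName=$2" >/dev/null 2>&1
}

# cert_sans CERT: print the DNS names from subjectAltName, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^[[:space:]]*DNS://p'
}

# cert_covers CERT HOST: exit 0 if HOST matches a SAN entry. A wildcard entry
# "*.suffix" matches exactly one extra left-most label (RFC 6125 rules), so
# "*.example.com" covers www.example.com but not example.com or a.b.example.com.
cert_covers() {
    host=$2
    sans=$(cert_sans "$1")
    while IFS= read -r san; do
        case $san in
            '*.'*)
                suffix=${san#\*.}
                label=${host%.$suffix}
                # label differs from host only if host ends in ".suffix";
                # it must then be a single non-empty label (no dots).
                if [ "$label" != "$host" ] && [ -n "$label" ] \
                    && [ "$label" = "${label%%.*}" ]; then
                    return 0
                fi ;;
            *)
                [ "$san" = "$host" ] && return 0 ;;
        esac
    done <<EOF
$sans
EOF
    return 1
}

# Constructed input: the two names the log's "-d xxxxxx.com -d www.xxxxxx.com"
# issuance would put in the cert, with example.com standing in for the domain.
CERT="$WORK/example.pem"
make_cert "$CERT" "DNS:example.com,DNS:www.example.com"
echo "SANs in $CERT:"; cert_sans "$CERT"
for h in example.com www.example.com mail.example.com; do
    if cert_covers "$CERT" "$h"; then echo "$h: covered"; else echo "$h: NOT covered"; fi
done
```

If `cert_sans` on the real -le.crt shows only the bare domain, the www name was never part of the issuance and no vhost change will make the browser accept it; the certificate has to be reissued with the name included.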
     
  16. Yickles

    Yickles New Member

    Thanks to all for your help, support and patience ^^ :p

    It finally works.
    (btw, it works with the subdomain set to (*), not sure how, but the developers had to finalise something once the certificate was finally correctly set up... so that the https redirect works correctly.)

    Thanks all again.
     
    Th0m likes this.
