Well, the topic says it all... I recently installed ISPConfig 3.2.8p1 and tried to get Let's Encrypt working on a website. I see the acme script does its job and places the files in /root/.acme (etc...); however, in /var/www/[website]/ssl/ there is no symlink created. Also, the Listen 443 doesn't seem to have been added to the vhost... Something's wrong somewhere, but I can't figure out what, or where to start... If someone can help, or give some tips? Thanks
https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Thanks @Taleman, but I already read that... and the problem is not "Let's Encrypt not working", as the logs show:
[Wed 30 Mar 2022 04:55:17 PM UTC] Cert success.
[Wed 30 Mar 2022 04:55:17 PM UTC] Your cert is in: /root/.acme.sh/xxxxxxxxxxxxxxxxxxxxxxxxxxx
But once the certs are stored in /root/.acme.sh, they are not "symlinked" to /var/www/xxx/ssl, so HTTPS on the site is not working.
Try unchecking (save) and rechecking (save) the LE SSL box. Since the LE certs were already created, it should attempt to install the LE certs to that web ssl folder again. Yeah, the LE certs are installed and not symlinked if you use acme.sh as the LE client in your ISPConfig server, as far as I know.
There should not be any symlinks, as certbot does not use symlinks at all. acme.sh copies the SSL cert to the SSL folder of the site instead. So the absence of symlinks is not an indication of a failure; it's actually the opposite. A link to the Let's Encrypt FAQ was already posted; it contains all the steps you have to follow to find the reason for your issue, and you do not seem to have done the last step yet, which would have shown you the reason for your problem.
I think you wrote certbot here but intended to say acme.sh, as it is certbot which uses symlinks, and acme.sh does not (which the OP is using).
Ok thanks, I'll recheck the link... perhaps there is missing configuration in acme.sh, as it doesn't copy the files to the SSL folder of the site... Is it also this script which is supposed to make sure the sites-enabled/900 vhost file is updated with Listen 443? Because for some reason I didn't see that file updated either.
The answer to both questions is to use debug mode; see the link to the tutorial on how to activate debug mode in the Let's Encrypt FAQ.
After following the "debug" procedure, it seems the issue comes from here... below in bold... however, I'm not sure what to modify to fix it...

31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
31.03.2022-18:20 - DEBUG [letsencrypt.inc:391] - Verified domain xxxxxx.com should be reachable for letsencrypt.
31.03.2022-18:20 - DEBUG [letsencrypt.inc:391] - Verified domain www.xxxxxx.com should be reachable for letsencrypt.
31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
31.03.2022-18:20 - DEBUG [system.inc:2082] - Trying to use Systemd to restart service
31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
31.03.2022-18:20 - DEBUG [letsencrypt.inc:430] - Create Let's Encrypt SSL Cert for: xxxxx.com
31.03.2022-18:20 - DEBUG [letsencrypt.inc:431] - Let's Encrypt SSL Cert domains:
31.03.2022-18:20 - DEBUG [system.inc:1819] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d xxxxxx.com -d www.xxxxxx.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d xxxxxx.com -d www.xxxxxx.com --key-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi
sh: 1: [[: not found
sh: 1: 2: not found
sh: 1: [[: not found
31.03.2022-18:20 - DEBUG [system.inc:2399] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
I ran this manually:

/root/.acme.sh/acme.sh --issue -d xxxxxx.com -d www.xxxxxx.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096

then this:

/root/.acme.sh/acme.sh --install-cert -d xxxxxx.com -d www.xxxxxx.com --key-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/xxxxxx.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'

and the SSL files are stored correctly... weird though... still missing the modification of the /etc/apache2/sites-enabled/900-xxx.com.vhost file, which doesn't contain <VirtualHost *:443> (sorry, still bothering you)... I guess there might be something else wrong.
This means you replaced the bash shell with a less capable alternative on your system, the dash shell. Run: dpkg-reconfigure dash and choose 'no' in the dialogue that appears. Btw, this command is run if you followed any of our install guides for ISPConfig, so you must have skipped that important part of the installation.
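The debug log above shows why the cert never reached the site's ssl directory: the command ISPConfig hands to /bin/sh uses bash-only [[ ... ]] tests, and on a Debian/Ubuntu box where /bin/sh is dash, the whole if-block is skipped with "sh: 1: [[: not found", so the --install-cert step never runs. The following is an added example, not ISPConfig's or acme.sh's code: it checks what /bin/sh is, and re-implements the same return-code logic with POSIX tests so it can be exercised offline with placeholder commands instead of real acme.sh calls. The treatment of exit codes 0 and 2 as "issue succeeded" is taken from the logged command, not from acme.sh documentation.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code. It reproduces, in portable POSIX sh,
# the return-code logic of the acme.sh command ISPConfig runs (shown in the debug
# log above) and includes the check that explains "sh: 1: [[: not found":
# [[ ... ]] is a bash extension, and /bin/sh on the affected server is dash.

# Report which binary /bin/sh resolves to (dash or bash on Debian/Ubuntu).
sh_implementation() {
    readlink -f /bin/sh
}

# Exit 0 if /bin/sh understands the bash-only [[ ]] test used in the original command.
sh_supports_double_bracket() {
    /bin/sh -c '[[ 1 -eq 1 ]]' >/dev/null 2>&1
}

# run_acme_sequence ISSUE_CMD INSTALL_CMD
# Mirrors the logged command with POSIX tests: run the issue step, then run the
# install step only if issue returned 0 or 2 (both treated as success by the
# logged command); exit with the install code if it failed, else the issue code.
# Both arguments are shell command strings, so the logic can be tested with
# placeholders such as 'exit 2' instead of real acme.sh calls.
run_acme_sequence() {
    issue_cmd=$1
    install_cmd=$2
    R=0
    C=0
    if sh -c "$issue_cmd"; then R=0; else R=$?; fi
    if [ "$R" -eq 0 ] || [ "$R" -eq 2 ]; then
        if sh -c "$install_cmd"; then C=0; else C=$?; fi
    fi
    if [ "$C" -eq 0 ]; then
        return "$R"
    fi
    return "$C"
}

# Stand-alone demo: show the /bin/sh situation and exercise the sequence with
# placeholder commands (no certificate is issued or installed).
echo "/bin/sh -> $(sh_implementation)"
if sh_supports_double_bracket; then
    echo "/bin/sh accepts [[ ]]: the ISPConfig command will run as intended"
else
    echo "/bin/sh rejects [[ ]]: expect 'sh: 1: [[: not found' until dash is no longer /bin/sh"
fi
run_acme_sequence 'echo issue step; exit 2' 'echo install step; exit 0'
echo "sequence exit code: $?"
```

Run it on the affected server before and after dpkg-reconfigure dash: the first two lines change from dash and "rejects" to bash and "accepts". The fix on the page (making bash /bin/sh again) is the right one; rewriting the command in /bin/sh syntax as done here only shows why it failed, since ISPConfig generates that command itself.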
Don't run this command, so as not to break your setup. The site won't get SSL by running this command, plus renewals might fail in future, so more repair work needs to be done if you really ran this on a server. The simple rule is: never run a certbot or acme.sh command manually for any site created in ISPConfig.
I misread and answered "yes" instead of "no"... answering "no" works much better (English is not my native language, as you might have noticed... it requires me to be more focused). No more "error" in the debug process. The certificate is there, in the correct SSL directory... however, for some reason, when accessing the website it redirects to no http and says that the certificate is not valid for (https://www.domaine.com)... (as the site in ISPConfig is defined as "domain.com" with "*" in auto subdomain). I'm sure it worked with the same site configuration on the previous server...
Adding "*" as the subdomain won't work with Let's Encrypt, so you'll only have a valid cert for the main domain without www. So change the subdomain setting to www.
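When the browser says the certificate is not valid for https://www.domain.com, the quick check is to list the names the installed certificate actually carries rather than trusting the ISPConfig form. The following is an added example, not ISPConfig's or acme.sh's code: it reads the subjectAltName entries from a certificate with openssl and reports whether a given hostname is covered, exactly or by a wildcard entry. It assumes openssl is installed (1.1.1 or newer for the -addext flag the constructed test certificate uses); the certificate and hostnames in the demo are constructed, and the file naming follows the site-name-le.crt pattern visible in the debug log.

```shell
#!/bin/sh
# Added example, not ISPConfig's or acme.sh's code. Checks which hostnames the
# certificate in a site's ssl directory actually covers, which is the quick way to
# confirm a "certificate is not valid for https://www..." browser error.
# Assumes openssl is installed (1.1.1 or newer for -addext in the test-cert helper).

# cert_sans CERTFILE: print the DNS names from the subjectAltName extension, one per line.
cert_sans() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | awk '/Subject Alternative Name/ { getline; print }' \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# host_covered CERTFILE HOST: exit 0 if HOST matches a SAN entry, either exactly or
# via a wildcard entry "*.parent" that covers exactly one extra label; else exit 1.
host_covered() {
    cert=$1
    host=$2
    for san in $(cert_sans "$cert"); do
        if [ "$san" = "$host" ]; then
            return 0
        fi
        case "$san" in
            \*.*)
                parent=${san#\*.}
                label=${host%".$parent"}
                # label is the part before ".parent"; it must differ from host
                # (so the suffix matched), be non-empty, and contain no further dot
                if [ "$label" != "$host" ] && [ -n "$label" ] && [ "${label#*.}" = "$label" ]; then
                    return 0
                fi
                ;;
        esac
    done
    return 1
}

# make_test_cert DIR NAME SANS: self-signed constructed cert for offline testing,
# e.g. SANS='DNS:example.com,DNS:www.example.com'. Writes DIR/NAME-le.crt and
# DIR/NAME-le.key, mirroring the file names seen in the site's ssl directory.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1/$2-le.key" -out "$1/$2-le.crt" \
        -subj "/CN=$2" -addext "subjectAltName=$3" >/dev/null 2>&1
}

# Stand-alone demo with a constructed cert that, like the thread's case, covers only
# the bare domain: www is reported as not covered.
tmp=$(mktemp -d)
make_test_cert "$tmp" example.com 'DNS:example.com'
for h in example.com www.example.com; do
    if host_covered "$tmp/example.com-le.crt" "$h"; then
        echo "$h: covered"
    else
        echo "$h: NOT covered"
    fi
done
rm -rf "$tmp"
```

On a real server, point host_covered at the file from the log, e.g. /var/www/clients/client1/web1/ssl/xxxxxx.com-le.crt, with www.xxxxxx.com as the host; a "NOT covered" result means the www name was not in the certificate request, which is what the "*" subdomain setting produced here.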
Thanks to all for your help, support and patience ^^ It finally works. (Btw, it works with the subdomain set to (*) too; not sure how, but the developers had to finalise something once the certificate was finally correctly set up... so that the HTTPS redirect works correctly.) Thanks all again.