Hello, this morning I saw that the Let's Encrypt certificate on my server's host (host.ispconfigserver.com) had expired (April 30th). I am unable to renew the certificate. This is a Debian 11 (Apache) ISPConfig server (automatic install) that has been running for a few months now. Never had issues with it. acme.sh --renew -d host.ispconfigserver.com in my opinion doesn't give an error. I don't know how to solve this problem. Please help.
You can help us solve the problem by doing this: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ Then follow the instructions in https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ to find out why the certificate is not renewed.
Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Debian GNU/Linux 11 (bullseye)
[INFO] uptime: 08:44:18 up 6 min, 1 user, load average: 0.01, 0.08, 0.06
[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:           15Gi        11Gi       3.2Gi        48Mi       1.1Gi       4.0Gi
Swap:         974Mi          0B       974Mi
[INFO] systemd failed services status:
UNIT LOAD ACTIVE SUB DESCRIPTION
0 loaded units listed.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.8p1

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.29
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.29

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s): Apache 2 (PID 846)
[INFO] I found the following mail server(s): Postfix (PID 1930)
[INFO] I found the following pop3 server(s): Dovecot (PID 585)
[INFO] I found the following imap server(s): Dovecot (PID 585)
[INFO] I found the following ftp server(s): PureFTP (PID 1401)
##### LET'S ENCRYPT #####
acme.sh is installed in /root/.acme.sh/acme.sh
Sorry for the lack of information. https://host.ispconfigserver.com gives no problem and the certificate is correct, but https://host.ispconfigserver.com:8080 gives an invalid certificate: NET::ERR_CERT_DATE_INVALID
I also deselected SSL and Let's Encrypt on host.ispconfigserver.com and selected them again. Now I get this output from acme.log:
Code:
[Sun 01 May 2022 09:17:01 AM CEST] Running cmd: issue
[Sun 01 May 2022 09:17:01 AM CEST] _main_domain='host.ispconfigserver.com'
[Sun 01 May 2022 09:17:01 AM CEST] _alt_domains='no'
[Sun 01 May 2022 09:17:01 AM CEST] Using config home:/root/.acme.sh
[Sun 01 May 2022 09:17:01 AM CEST] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sun 01 May 2022 09:17:01 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun 01 May 2022 09:17:01 AM CEST] DOMAIN_PATH='/root/.acme.sh/host.ispconfigserver.com'
[Sun 01 May 2022 09:17:01 AM CEST] Le_NextRenewTime='1653778139'
[Sun 01 May 2022 09:17:01 AM CEST] _saved_domain='host.ispconfigserver.com'
[Sun 01 May 2022 09:17:01 AM CEST] _saved_alt='no'
[Sun 01 May 2022 09:17:01 AM CEST] _normized_saved_domains='no,host.ispconfigserver.com,'
[Sun 01 May 2022 09:17:01 AM CEST] _normized_domains='no,host.ispconfigserver.com,'
[Sun 01 May 2022 09:17:01 AM CEST] Domains not changed.
[Sun 01 May 2022 09:17:01 AM CEST] Skip, Next renewal time is: Sun 29 May 2022 10:48:59 PM UTC
[Sun 01 May 2022 09:17:01 AM CEST] Add '--force' to force to renew.
[Sun 01 May 2022 09:17:01 AM CEST] Lets find script dir.
[Sun 01 May 2022 09:17:01 AM CEST] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sun 01 May 2022 09:17:01 AM CEST] _script='/root/.acme.sh/acme.sh'
[Sun 01 May 2022 09:17:01 AM CEST] _script_home='/root/.acme.sh'
[Sun 01 May 2022 09:17:01 AM CEST] Using default home:/root/.acme.sh
[Sun 01 May 2022 09:17:01 AM CEST] Using config home:/root/.acme.sh
[Sun 01 May 2022 09:17:01 AM CEST] Running cmd: installcert
[Sun 01 May 2022 09:17:01 AM CEST] Using config home:/root/.acme.sh
[Sun 01 May 2022 09:17:01 AM CEST] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sun 01 May 2022 09:17:01 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sun 01 May 2022 09:17:01 AM CEST] DOMAIN_PATH='/root/.acme.sh/host.ispconfigserver.com'
[Sun 01 May 2022 09:17:02 AM CEST] Installing key to: /var/www/clients/client1/web6/ssl/host.ispconfigserver.com-le.key
[Sun 01 May 2022 09:17:02 AM CEST] Installing full chain to: /var/www/clients/client1/web6/ssl/host.ispconfigserver.com-le.crt
[Sun 01 May 2022 09:17:02 AM CEST] Run reload cmd: systemctl force-reload apache2.service
[Sun 01 May 2022 09:17:02 AM CEST] Reload success
It is normally because you created a website using that FQDN and then asked for LE SSL, which would install the certs in that website's ssl folder, leaving the certs in the ISPConfig web ssl folder not updated. If this is true, this is a common error that can only be fixed by creating a symlink, which you can search for in this forum. I would suggest the ISPConfig developer not use this "install approach" suggested by acme.sh for all websites but use a "symlink approach" from the acme.sh folder to the websites and/or ISPConfig web ssl folder. Or maybe a combination of both, but preferably install in /etc/acme.sh/live/fqdn/ and then symlink them to the website and/or ISPConfig SSL folder. The last suggested way is for the ISPConfig installer to check the website ssl folder and, if the LE certs exist, symlink them to the ISPConfig web ssl folder, which is also possible. My preference is not to use the install approach at all and just symlink, but a combination of both ways may work as well, as suggested above; I leave all that to the developer.
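As an added illustration of the stale-copy condition described above (example code, not from the thread or from ISPConfig itself), this Python check classifies how the ISPConfig interface certificate files relate to the files acme.sh installed into the website's ssl folder: the website paths are the ones from the acme.log above, the /usr/local/ispconfig/interface/ssl paths are assumed ISPConfig defaults, and demo() builds a constructed scenario in a temporary directory.

```python
import hashlib
import os
import tempfile

# Paths from the thread's acme.log (website ssl folder written by acme.sh's install step)
WEB_CRT = "/var/www/clients/client1/web6/ssl/host.ispconfigserver.com-le.crt"
WEB_KEY = "/var/www/clients/client1/web6/ssl/host.ispconfigserver.com-le.key"
# Assumed ISPConfig defaults for the interface vhost on port 8080 (not stated in the thread)
ISP_CRT = "/usr/local/ispconfig/interface/ssl/ispserver.crt"
ISP_KEY = "/usr/local/ispconfig/interface/ssl/ispserver.key"


def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def check_pair(src, dst):
    """How the ISPConfig file (dst) relates to the acme.sh-installed file (src).

    'symlink'        dst points at src, so every renewal reaches port 8080 as well
    'identical-copy' separate file, same bytes (fine today, drifts at the next renewal)
    'stale-copy'     separate file with different bytes: the expired-on-8080 symptom
    'missing'        dst does not exist (or is a symlink to something that does not)
    """
    if os.path.islink(dst) and os.path.realpath(dst) == os.path.realpath(src):
        return "symlink"
    if not os.path.exists(dst):
        return "missing"
    return "identical-copy" if _sha256(src) == _sha256(dst) else "stale-copy"


def audit(web_crt=WEB_CRT, web_key=WEB_KEY, isp_crt=ISP_CRT, isp_key=ISP_KEY):
    """Audit both files; anything but 'symlink' deserves attention before the next renewal."""
    return {"crt": check_pair(web_crt, isp_crt), "key": check_pair(web_key, isp_key)}


def demo():
    """Constructed scenario: acme.sh renewed the website cert, but ISPConfig still holds an
    old copy of the cert while its key file was already symlinked to the website key."""
    with tempfile.TemporaryDirectory() as tmp:
        web, isp = os.path.join(tmp, "web6", "ssl"), os.path.join(tmp, "interface", "ssl")
        for folder in (web, isp):
            os.makedirs(folder)
        web_crt, web_key = os.path.join(web, "host-le.crt"), os.path.join(web, "host-le.key")
        isp_crt, isp_key = os.path.join(isp, "ispserver.crt"), os.path.join(isp, "ispserver.key")
        for path, body in ((web_crt, b"NEW CERT PEM"), (web_key, b"KEY PEM"), (isp_crt, b"OLD CERT PEM")):
            with open(path, "wb") as fh:
                fh.write(body)  # placeholder bytes stand in for real PEM content
        os.symlink(web_key, isp_key)
        return audit(web_crt, web_key, isp_crt, isp_key)
```

On a live server, call audit() with no arguments to check the real paths; a 'stale-copy' on the cert matches the symptom of a valid certificate on :443 and an expired one on :8080.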
Thanks! So if I understand correctly I have 2 choices: 1) don't create a website for host.ispconfigserver.com, or 2) create a symlink.
See https://www.howtoforge.com/communit...encrypt-certificate-when-using-acme-sh.86950/ Needs updating to be compatible with Debian 11