I just noticed that the server SSL did not auto-update. The individual website SSLs are updating fine but when I FTP in it says the cert expired on July 4, 2022. What's the best way to configure the server to auto-update the SSL cert? Thanks!
An ISPConfig server auto-updates the certificate automatically. How was this system installed? Use this to get some info; there is a part about Let's Encrypt errors in the FAQ, if you use LE to get the server certificate. https://forum.howtoforge.com/threads/please-read-before-posting.58408/
If you use certbot and installed it using apt, beware that you need to uninstall it, install snap and then install certbot using snap. Other than that, as @Taleman said, follow the LE FAQ to troubleshoot. Provide more info for us to help if that doesn't work either.
I used the perfect server - Ubuntu 20.04 to install. I'm going through the FAQs now. Thanks for the info!
Did a couple of tests and they show that certbot is not installed. I ran:
apt-cache policy certbot | grep Installed
Result:
Installed: (none)
and
certbot --version
result:
Command 'certbot' not found, but can be installed with:
apt install certbot
Please ask your administrator.
If I install certbot using the install instructions here: https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal will that mess anything up with my websites that are updating properly? I'm on Ubuntu 20.04, ISPConfig 3.2.8p1.
Current ISPConfig versions use acme.sh and not Certbot, so do not install Certbot as it would break your server. Instead, check if acme.sh is installed:
ls /root/.acme.sh
Do you have a website with the exact same name as the hostname of your server which has SSL enabled too?
Based on his response that he followed the Ubuntu 20.04 PST, he most probably was using certbot and not acme.sh, as that tutorial never mentioned installing the latter, unless he means another tutorial instead. If he did set up his server via that tutorial, we do not know why certbot was missing, but checking for acme.sh is the right thing to do, while installing acme.sh might not be. Even if there is now acme.sh as LE client, which we are not sure how he got installed, if he confirmed following the Ubuntu 20.04 PST, he will have to remove that and reinstall certbot via snap.
We have two tutorials for installing ISPConfig on Ubuntu 20.04, one uses acme.sh (the currently recommended guide which is based on the auto installer) and the other certbot (the old perfect server guide). So if he followed the latest guide for Ubuntu 20.04, then his setup uses acme.sh. That is entirely wrong, never change the installed LE client. If he followed the most recent Ubuntu guide, then he is using acme.sh and he should keep using that. And even if he had used the 'old' perfect server guide and left out the certbot install step, then acme.sh was installed automatically. And as he just has issues with renewals, it is quite likely that he just hit the acme.sh issue where acme.sh cannot update the ISPConfig LE cert when there is a website with the same name as the hostname, as acme.sh will copy the renewed SSL cert only to the site and not the ISPConfig SSL folder. So let's just wait until he confirms which LE client is used by answering my question from above, as it's impossible to give him the right recommendation for the fix without knowing the LE client of the system.
Thanks for all the info! Yes, acme.sh is installed. There is account.conf, acme.sh, acme.sh.env, ca, deploy, etc. And all the website names. I don't have a website name with the exact name as the host name. I added 'vps' to the main domain name: vps.xxxx.com
This is the Let's Encrypt log (x'ing out the actual domain name):
[Fri Jul 15 00:32:02 UTC 2022] di='/root/.acme.sh/vps.xxx.com/'
[Fri Jul 15 00:32:02 UTC 2022] d='vps.xxx.com'
[Fri Jul 15 00:32:02 UTC 2022] _renewServer
[Fri Jul 15 00:32:02 UTC 2022] Using config home:/root/.acme.sh
[Fri Jul 15 00:32:02 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Jul 15 00:32:02 UTC 2022] DOMAIN_PATH='/root/.acme.sh/vps.xxx.com'
[Fri Jul 15 00:32:02 UTC 2022] Renew: 'vps.xxx.com'
[Fri Jul 15 00:32:02 UTC 2022] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Fri Jul 15 00:32:02 UTC 2022] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Fri Jul 15 00:32:02 UTC 2022] Using config home:/root/.acme.sh
[Fri Jul 15 00:32:02 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Fri Jul 15 00:32:02 UTC 2022] Skip, Next renewal time is: 2022-08-04T00:32:46Z
[Fri Jul 15 00:32:02 UTC 2022] Add '--force' to force to renew.
[Fri Jul 15 00:32:02 UTC 2022] Return code: 2
[Fri Jul 15 00:32:02 UTC 2022] Skipped vps.xxx.com
[Fri Jul 15 00:32:02 UTC 2022] _error_level='3'
[Fri Jul 15 00:32:02 UTC 2022] _set_level='2'
[Fri Jul 15 00:32:02 UTC 2022] ===End cron===
Now I'm confused. On the ISPConfig admin webpage I click the lock next to the URL and it shows a current cert not expiring until Sep 2. But when I use CyberDuck to FTP in, it shows the cert for vps.xxx.com expired on July 4, 2022. I also just tried a new connection with FileZilla and it's showing an expired cert of July 4, 2022.
Try to restart the FTP server to see if your FTP clients show the correct cert then as well:
sudo service pure-ftpd-mysql restart
Please try to run these commands:
Code:
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
I am sure that solved the problem temporarily as the main problem is that the LE certs for the server were not automatically renewed or they were not automatically extended to other services in that server (in this case FTP). Can't properly help simply by checking whether acme.sh or certbot was installed but rather need to know which one was first installed and used in that server. A switch of these LE clients could be the cause but can't know for sure unless the above is confirmed and if needed, fixed. If truly acme.sh is installed first, then running ISPConfig force update is the best to fix it, otherwise, if there was a switch, cleanly reverting back to the original LE client then running ISPConfig force update is the best to fix it.
So we know now that the LE cert was renewed properly, so there is no issue with the cert renewal. But the combined SSL cert which is used by pure-ftpd was not built automatically. As @ahrasis is still not convinced that you are not using certbot, please post the output of:
ls /etc/letsencrypt
Here is the output:
sudo ls /etc/letsencrypt
ls: cannot access '/etc/letsencrypt': No such file or directory
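The diagnosis reached in this thread is that the certificate was renewed but the combined PEM read by pure-ftpd was not rebuilt from it. The check below is an added example, not code from any poster or from ISPConfig: it compares the first certificate block of the .crt with the one inside the combined .pem. The function names and the demo data are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect a combined key+cert PEM that still holds the old
# certificate after the standalone .crt was renewed.

# Print the first CERTIFICATE block of a PEM file (CRs and blank lines dropped).
# A leading private-key block, as produced by `cat key crt`, is skipped.
first_cert() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 }
         p { gsub(/\r/, ""); if ($0 != "") print }
         /-----END CERTIFICATE-----/ { if (p) exit }' "$1"
}

# pem_is_current CRT PEM
# Returns 0 if both files carry the same first certificate, 1 if they differ
# (the combined PEM is stale), 2 if a file is unreadable or has no certificate.
pem_is_current() {
    crt=$1; pem=$2
    [ -r "$crt" ] && [ -r "$pem" ] || return 2
    a=$(first_cert "$crt"); b=$(first_cert "$pem")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "$a" = "$b" ]
}

# Constructed sample: placeholder base64 bodies, not real keys or certificates.
# Models the thread's state: renewed .crt, combined .pem with the old cert.
demo() {
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'TkVX' \
        '-----END CERTIFICATE-----' > "$d/ispserver.crt"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'S0VZ' \
        '-----END PRIVATE KEY-----' '-----BEGIN CERTIFICATE-----' 'T0xE' \
        '-----END CERTIFICATE-----' > "$d/ispserver.pem"
    pem_is_current "$d/ispserver.crt" "$d/ispserver.pem"; rc=$?
    rm -rf "$d"
    return "$rc"
}

# Usage: sh check.sh CRT PEM   (check.sh is a hypothetical file name)
if [ "$#" -eq 2 ]; then
    pem_is_current "$1" "$2"
    case $? in
        0) echo "OK: $2 contains the certificate from $1" ;;
        1) echo "STALE: $2 holds a different certificate than $1" ;;
        *) echo "Cannot compare: file unreadable or no certificate found" ;;
    esac
fi
```

Run it against the ispserver.crt and ispserver.pem in /usr/local/ispconfig/interface/ssl/; a STALE result corresponds to the situation in this thread, where the rebuild and restart commands posted above apply.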