Hello, today the ISPConfig control panel started throwing ERR_SSL_PROTOCOL_ERROR on Chrome and SSL_ERROR_RX_RECORD_TOO_LONG on Firefox. I tried the update script and selected to issue a new certificate, but the problem persists. Any ideas?
Try Internet search engines with those error messages and site:howtoforge.com. That finds, for example, this: https://forum.howtoforge.com/threads/ssl_error_rx_record_too_long-after-fresch-auto-install.89426/
I've been searching all morning but nothing has worked. Last time I set up SSL for this server was back in 3.1, so I had used this guide to set it up: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ Could this be interfering with the 3.2 cert procedure?
Yes. You will need to totally undo that process first; only then can you use the ISPConfig installer to update your ISPConfig and install LE certs. Otherwise, there will be some conflicts.
I renamed the old hostname directory to example.com.bak in /etc/letsencrypt/live and ran the updater again. It now created a new certificate but its directory is named example.com-0001
You can use this to find out why LE fails to do its stuff: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
Why do you have to touch the LE certs folder? Now you have redundant LE certs for the same server hostname domain. The best way that I know if you do not want the old LE certs that have expired is to delete them all and to do that I would run "rm -rf /etc/letsencrypt/*/hostname.domain*". Do not do this unless you understand its consequences.
Redundant LE certs shouldn't be stopping the new ones from working though, right? The hostname is a subdomain, should I have deleted the root domain cert as well? I ran certbot certifications and got the following:
Code:
Renewal configuration file /etc/letsencrypt/renewal/hostname.domain.com.conf produced an unexpected error: expected /etc/letsencrypt/live/hostname.domain.com/cert.pem to be a symlink. Skipping.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: hostname.domain.com-0001
    Domains: hostname.domain.com
    Expiry Date: 2023-01-23 09:32:56+00:00 (VALID: 89 days)
    Certificate Path: /etc/letsencrypt/live/hostname.domain.com-0001/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/hostname.domain.com-0001/privkey.pem
  Certificate Name: domain.com
    Domains: domain.com hostname.domain.com www.domain.com
    Expiry Date: 2023-01-16 02:01:48+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/domain.com/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/domain.com/privkey.pem
The following renewal configurations were invalid:
  /etc/letsencrypt/renewal/hostname.domain.com.conf
Correct, but the system might use the old ones, which means the problem will persist. It might have been better if you had removed the old broken cert first using the certbot delete command.
Hey there, just an update in case anyone screws this up like I did. I renamed the old cert back to its original name (removed .bak) and then deleted it and the one that had -0001 at the end using certbot delete --cert-name example.com. Then, after forcing an ISPConfig update and creating a new cert through the process, everything works fine.
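
The state this thread ran into (a renamed live directory, a renewal config still pointing at the old path, and a second -0001 lineage) can be spotted before re-running the ISPConfig updater. The read-only check below is an added example, not part of the original posts and not code from ISPConfig or certbot; the function names and the sample tree it builds are constructed for illustration, and it assumes certbot's standard renewal/, live/ and archive/ layout.

```bash
#!/usr/bin/env bash
# Added example: read-only audit of a certbot config directory.
# audit_le and make_sample_tree are hypothetical helper names.

# Print one finding per line: "<KIND> <lineage name>".
audit_le() {
    local root="${1:-/etc/letsencrypt}" conf name f d
    for conf in "$root"/renewal/*.conf; do
        [ -e "$conf" ] || continue
        name="$(basename "$conf" .conf)"
        # certbot expects live/<name>/*.pem to be symlinks into archive/;
        # a missing or regular file triggers "expected ... to be a symlink".
        for f in cert privkey chain fullchain; do
            if [ ! -L "$root/live/$name/$f.pem" ]; then
                echo "BROKEN $name"
                break
            fi
        done
        # A -NNNN suffix marks a second lineage created because the name was taken.
        case "$name" in
            *-[0-9][0-9][0-9][0-9]) echo "DUPLICATE $name" ;;
        esac
    done
    # Directories under live/ with no renewal config, e.g. hand-renamed .bak copies.
    for d in "$root"/live/*/; do
        [ -d "$d" ] || continue
        name="$(basename "$d")"
        [ -e "$root/renewal/$name.conf" ] || echo "ORPHAN $name"
    done
}

# Constructed sample reproducing the thread: live/hostname.domain.com was
# renamed to .bak, its renewal config was left behind, and -0001 was issued.
make_sample_tree() {
    local t n f
    t="$(mktemp -d)"
    mkdir -p "$t/renewal" "$t/live" "$t/archive"
    for n in domain.com hostname.domain.com-0001 hostname.domain.com.bak; do
        mkdir -p "$t/live/$n" "$t/archive/$n"
        for f in cert privkey chain fullchain; do
            : > "$t/archive/$n/${f}1.pem"
            ln -s "../../archive/$n/${f}1.pem" "$t/live/$n/$f.pem"
        done
    done
    touch "$t/renewal/domain.com.conf" "$t/renewal/hostname.domain.com.conf" \
          "$t/renewal/hostname.domain.com-0001.conf"
    echo "$t"
}

# Audit the path given as $1, or the constructed sample when none is given.
audit_le "${1:-$(make_sample_tree)}"
```

Lineages it flags can then be removed with certbot delete --cert-name, as the last post did, rather than by renaming or deleting directories by hand.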