Hello, I did a successful migration to Debian 11 keeping Let's Encrypt. Now I see that ispserver.pem is not automatically updated, resulting in a certificate error with FTP. I have now solved this manually with:

    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    service pure-ftpd-mysql restart

I wonder how this is now handled with ISPConfig 3.2. Is there a hook I can use to automatically update ispserver.pem again? Regards, Ben
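The manual steps in the post above can be wrapped in a script that only rebuilds ispserver.pem when the key or certificate has changed, and that creates the file with mode 600 from the start instead of tightening it afterwards with chmod. This is an added example, not code from the poster or from ISPConfig; the function name `rebuild_ispserver_pem` and the `--run` switch are hypothetical, while the paths and service name are the ones given in the post.

```shell
#!/bin/sh
# Added example; rebuild_ispserver_pem is a hypothetical helper name.
# Usage: rebuild_ispserver_pem [ssl_dir]
# Returns 0 = PEM rebuilt, 1 = already current, 2 = error.
rebuild_ispserver_pem() {
    dir="${1:-/usr/local/ispconfig/interface/ssl}"
    key="$dir/ispserver.key"
    crt="$dir/ispserver.crt"
    pem="$dir/ispserver.pem"

    # Both inputs must exist and be non-empty, or we would write a broken PEM.
    [ -s "$key" ] && [ -s "$crt" ] || return 2

    # Nothing to do if the PEM already equals key + certificate.
    if [ -f "$pem" ] && cat "$key" "$crt" | cmp -s - "$pem"; then
        return 1
    fi

    (
        # umask 077 keeps the backup and the new file at mode 600 from creation,
        # so the private key is never readable by other users, even briefly.
        umask 077
        tmp=$(mktemp "$dir/ispserver.pem.XXXXXX") || exit 2
        cat "$key" "$crt" > "$tmp" || { rm -f "$tmp"; exit 2; }
        if [ -f "$pem" ]; then
            cp "$pem" "$pem-$(date +%y%m%d%H%M%S).bak" || { rm -f "$tmp"; exit 2; }
        fi
        # A rename within one directory is atomic: readers see old or new, never partial.
        mv -f "$tmp" "$pem"
    ) || return 2
    return 0
}

# Run as a script (e.g. from cron after renewal): restart FTP only on change.
if [ "${1:-}" = "--run" ]; then
    rebuild_ispserver_pem && service pure-ftpd-mysql restart
fi
```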
Thanks for your reply. If this is supposed to work in 3.2 by default then it won't work. How can I check or reactivate this?
Try ispconfig_update.sh --force, and let it create a certificate when it asks. The ISPConfig 3.2 install automatically creates a certificate for the hostname -f; it is a Let's Encrypt certificate if the hostname -f can be resolved from name service (by LE) and points to this server. This certificate is linked to be used for other services running on that host and is used for the ISPConfig panel.
Thanks, I will try this. Now I use a webdomain as servername (serverX.domain) to generate a certificate. Is that still the case or must I remove the webdomain? I think that could cause a conflict otherwise.
serverx.domain:8080 uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.
    Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT

I think it's a correct answer from Mozilla. So ISPConfig 3 is not using Let's Encrypt or acme? Correct? PS: I use HSTS.
No, "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT" is the Firefox error code meaning that the web browser does not trust the SSL certificate. ISPConfig uses certbot or acme for SSL certificate creation, so it uses either Let's Encrypt or ZeroSSL, which new versions of acme use by default.
This is strange. I just did ispconfig_update.sh --force and then, at the request to generate a certificate, it starts the procedure for a self-signed certificate. Please note I already have a certificate in the root/acme folder, but that should not be a problem, because the symlinks do not refer to those files. Is it possible that ispconfig_update.sh --force checks whether there is already a certificate? Then I would first have to manually remove the certificate via acme.sh --remove -d domain. Any idea?
A self-signed cert gets created when getting a Let's Encrypt cert has failed. Please post the output you received during the update.
Hello Till, With which function can I generate that output, or do you mean a screen dump? Then I will do the update again. PS: I can see in the log of acme:

    Domain key exists, do you want to overwrite the key?
    [Thu 16 Mar 2023 10:44:21 AM CET] Add '--force', and try again.
    [Thu 16 Mar 2023 10:44:21 AM CET] Create domain key error.
OK, then it's probably best to try to remove the existing cert using acme.sh manually first, then check if it has been removed from /root/.acme.sh/.... and then run an ISPConfig update with the --force option to recreate it. I mean the output that you get on the screen while running ispconfig_update.sh --force
It worked after I removed everything as hostname from the server. Just removing the certificate is not enough.