Hi

I've installed the new server in April (with the migration-tool). Today I could not access the ISP-Mainpage because the cert had an invalid date. I've removed the cert using acme and removing the folder under '/root/.acme.sh/', then I've run 'ispconfig_update.sh --force' --> my ispc-website is again available.

Then I've checked the other sites (websites and rspamd etc): Although 'acme.sh --list' shows all being updated between june 3rd and today, the website certs still use the original created certs from april and later:
- rspamd shows created june 3rd in acmelist and april 5th on website --> will expire tomorrow!!
- for other websites it seems to work OK

Here's tonight's log for rspamd (same results for the main ispc-site):

Code:
[Thu Jul 4 12:20:03 AM CEST 2024] di='/root/.acme.sh/rspamd.mydomain.com/'
[Thu Jul 4 12:20:03 AM CEST 2024] d='rspamd.mydomain.com'
[Thu Jul 4 12:20:03 AM CEST 2024] _renewServer
[Thu Jul 4 12:20:03 AM CEST 2024] Using config home:/root/.acme.sh
[Thu Jul 4 12:20:03 AM CEST 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jul 4 12:20:03 AM CEST 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Thu Jul 4 12:20:03 AM CEST 2024] _ACME_SERVER_PATH='directory'
[Thu Jul 4 12:20:03 AM CEST 2024] DOMAIN_PATH='/root/.acme.sh/rspamd.mydomain.com'
[Thu Jul 4 12:20:03 AM CEST 2024] Renew: 'rspamd.mydomain.com'
[Thu Jul 4 12:20:03 AM CEST 2024] Le_API='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jul 4 12:20:03 AM CEST 2024] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu Jul 4 12:20:03 AM CEST 2024] initpath again.
[Thu Jul 4 12:20:03 AM CEST 2024] Using config home:/root/.acme.sh
[Thu Jul 4 12:20:03 AM CEST 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Thu Jul 4 12:20:03 AM CEST 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Thu Jul 4 12:20:03 AM CEST 2024] _ACME_SERVER_PATH='directory'
[Thu Jul 4 12:20:03 AM CEST 2024] Skip, Next renewal time is: 2024-08-01T22:21:02Z
[Thu Jul 4 12:20:03 AM CEST 2024] Add '--force' to force to renew.
[Thu Jul 4 12:20:03 AM CEST 2024] Return code: 2
[Thu Jul 4 12:20:03 AM CEST 2024] Skipped rspamd.mydomain.com

Any idea what caused that? How shall I proceed to fix rspamd?
Check in the website vhost file where the SSL cert points to: does it point to a file in the SSL folder of the site, or does it maybe point to a symlink in the SSL folder of the site which then points to something in /etc/letsencrypt/.... ? Best is to check what's in the vhost file and then check with the ls -la command in the SSL folder whether that's a file or a symlink.
Correct. Still the ones from april. I've checked now several website-ssl directories: There are many with still the april-ssl, but some are also from june... Don't see a logic yet. In /root/.acme.sh/ all certs are correct (update june/july)
You wrote you used the migration tool. Did the SOURCE server use certbot as LE client? If you now have acme.sh as LE client, did you prevent the migration tool from copying the certificates from SOURCE?
not sure to be honest... I made further tests: I disabled LE in the website, waited for the update and reactivated it. The 2 files in the web-ssl-dir got updated, but acme still shows them as created in june. It seems acme and ISPC are not linked...
Does that host have certificate files both in /root/.acme.sh/ and /etc/letsencrypt/live/ directories?
This is fine I think, and you are right, acme and ISPConfig do not create a link, but if the certs are valid acme will still use it. Try clearing your browser caches if that could help.
It's definitely not browser related. I'm afraid that I will run into the same problems in 3 months and have to manually refresh all the certs...
Acme.sh should copy the certs to the website's SSL folder after renewal, so that's not what ISPConfig does. I'm not sure why it fails to do the installation part after it renews the certs.
Agreed. Unless acme.sh updated itself and its new code caused this, which is very much unlikely, I also cannot see why it failed to copy the certs from its folder to the ssl folder. Or could there be an ownership / permission issue?
We might have to check what's in the config for a specific domain in acme.sh, the info where to copy the SSL cert must be in there, maybe it's missing for whatever reason?
Both seem to work: acme updates work in /root/acme.sh/ and ispc itself updates too, directly into the ssh-webfolder. Where are they linked? The logs in /var/log/ispconfig/acme show only the acme updates and not the ones initiated from the ispc web panel
What I meant is not about updating Acme.sh or ISPConfig, and it is also not that ISPConfig is initiating Acme.sh. As mentioned above, this is done by Acme.sh itself without ISPConfig being involved. ISPConfig just does the initial Acme.sh setup, and then calls Acme.sh once per day to let it do its job; everything else is done by Acme.sh on its own. That's why I meant you should check the Acme.sh config of an affected domain to see if it lacks the part that tells Acme.sh to install the SSL cert.
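
The config check suggested in the last reply, as an added example that is not part of the thread or of ISPConfig/acme.sh: it reads the install targets (`Le_RealCertPath`, `Le_RealKeyPath`, `Le_RealFullChainPath`, `Le_ReloadCmd`) from an acme.sh `<domain>.conf` and compares each installed copy with the renewed file next to the config. The domain `example.test` and the sample config are constructed; on a real host the config would be under `/root/.acme.sh/<domain>/`.

```shell
#!/bin/sh
# Added example: does this acme.sh domain config tell acme.sh where to install
# the renewed cert, and are the installed copies identical to the renewed ones?

# Read one key from an acme.sh <domain>.conf without sourcing the file.
conf_get() {
  grep "^$2=" "$1" | head -n 1 | cut -d= -f2- | tr -d "'\""
}

# Returns 0 = targets set and in sync, 1 = no install target configured,
# 2 = at least one target is missing or differs from the renewed file.
check_acme_install() {
  conf=$1
  dir=$(dirname "$conf")
  dom=$(basename "$conf" .conf)
  rc=1
  for pair in "Le_RealCertPath:$dom.cer" "Le_RealKeyPath:$dom.key" \
              "Le_RealFullChainPath:fullchain.cer"; do
    key=${pair%%:*}
    src=$dir/${pair#*:}
    dst=$(conf_get "$conf" "$key")
    if [ -z "$dst" ]; then
      echo "$key: not set"
      continue
    fi
    [ "$rc" -eq 1 ] && rc=0
    if cmp -s "$src" "$dst"; then
      echo "$key: $dst in sync"
    else
      echo "$key: $dst STALE or missing"
      rc=2
    fi
  done
  [ -n "$(conf_get "$conf" Le_ReloadCmd)" ] || echo "Le_ReloadCmd: not set"
  return "$rc"
}

# Constructed sample: a config that renews but has no install targets.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/example.test"
cat > "$demo_dir/example.test/example.test.conf" <<'EOF'
Le_Domain='example.test'
Le_RealCertPath=''
Le_RealKeyPath=''
Le_RealFullChainPath=''
Le_ReloadCmd=''
EOF
check_acme_install "$demo_dir/example.test/example.test.conf" || echo "status: $?"
rm -rf "$demo_dir"
```

Status 1 matches the "install part is missing" case discussed above; status 2 means the targets are configured but the files in the site's SSL folder were not replaced after renewal.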