Hi. Two days ago I upgraded from Debian 10 to Debian 11 to Debian 12. I performed a full upgrade from Debian 10 to Debian 11 before proceeding to Debian 12. I followed the guidelines here:
https://www.howtoforge.com/update-the-ispconfig-perfect-server-from-debian-10-to-debian-11/
https://www.howtoforge.com/update-the-ispconfig-perfect-server-from-debian-11-to-debian-12/
Now, I can no longer create certificates for a website by ticking "Let's Encrypt SSL" and "SSL" in the configuration. Also, certificates are no longer renewed every night. `cat /var/log/letsencrypt/letsencrypt.log` shows log entries dating two days back. According to the most recent version of "The perfect server" guide for Debian 12 (https://www.howtoforge.com/perfect-server-debian-12-buster-apache-bind-dovecot-ispconfig-3-2/), ISPConfig now uses the Acme client from https://get.acme.sh. Is it intentional that this is not covered by the upgrade guidelines? Should it have been installed automatically when force updating ISPConfig? Or do I need to install it manually now, as described on https://www.howtoforge.com/perfect-...-dovecot-ispconfig-3-2/#-install-lets-encrypt ?
Please follow the Let's Encrypt error FAQ to find the reason for your issue. https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ Yes, because switching from certbot to Acme would break your server. Your system, which initially used certbot, will continue using certbot, not Acme.sh.
Thanks @till for a quick response. Turns out the client is no longer supported or is broken somehow.
Code:
```
root@isp:/# certbot-auto --version
Your system is not supported by certbot-auto anymore.
certbot-auto and its Certbot installation will no longer receive updates.
You will not receive any bug fixes including those fixing server compatibility
or security problems.
Please visit https://certbot.eff.org/ to check for other alternatives.
Could not find platform dependent libraries <exec_prefix>
Consider setting $PYTHONHOME to <prefix>[:<exec_prefix>]
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 7, in <module>
    from certbot.main import main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/main.py", line 2, in <module>
    from certbot._internal import main as internal_main
  File "/opt/eff.org/certbot/venv/local/lib/python2.7/site-packages/certbot/_internal/main.py", line 3, in <module>
    from __future__ import print_function
ImportError: No module named __future__
```
I'm not sure what the right solution is. If I understood you correctly, then Certbot should still work with ISPConfig - so I would assume any steps needed to keep it updated would have been part of the upgrade guidelines. So perhaps Certbot is broken rather than unsupported? Not sure how that happened. Perhaps a "soft" dependency was removed with `apt-get autoremove`? And just to verify - this is Debian 12:
Code:
```
root@isp:/# lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description: Debian GNU/Linux 12 (bookworm)
Release: 12
Codename: bookworm
```
Any suggestions?
It's a long time ago, but I think Certbot was installed manually. Not 100% sure though - I would need to get through all the old guides. The certbot is available from the repository now. Should I install that instead? If so, how do I get rid of the old client without removing any configuration still required?
Install a new Certbot version as described on the Certbot homepage. Just ensure you only install the software and do not manually issue a cert.
Thanks @till But it actually does seem that Certbot is no longer supported on Debian using the certbot-auto installer.
https://community.letsencrypt.org/t/install-certbot-on-debian-12-with-apache/211079/5
https://community.letsencrypt.org/t/certbot-auto-no-longer-works-on-debian-based-systems/139702/7
As mentioned, it's available through apt-get. I'd prefer using apt-get to install Certbot, rather than installing snap and using that to install packages. Are you aware of problems installing certbot using apt-get?
Code:
```
root@isp:/# apt-cache show certbot
Package: certbot
Source: python-certbot
Version: 2.1.0-4
Installed-Size: 159
Maintainer: Debian Let's Encrypt <[email protected]>
Architecture: all
Replaces: letsencrypt
Provides: letsencrypt
Depends: python3-certbot (= 2.1.0-4), debconf (>= 0.5) | debconf-2.0, python3:any
Suggests: python-certbot-doc, python3-certbot-apache, python3-certbot-nginx
Description-en: automatically configure HTTPS using Let's Encrypt
 The objective of Certbot, Let's Encrypt, and the ACME (Automated
 Certificate Management Environment) protocol is to make it possible
 to set up an HTTPS server and have it automatically obtain a
 browser-trusted certificate, without any human intervention. This is
 accomplished by running a certificate management agent on the web
 server.
 .
 This agent is used to:
 .
   - Automatically prove to the Let's Encrypt CA that you control the website
   - Obtain a browser-trusted certificate and set it up on your web server
   - Keep track of when your certificate is going to expire, and renew it
   - Help you revoke the certificate if that ever becomes necessary.
 .
 This package contains the main application, including the standalone
 and the manual authenticators.
Description-md5: deb7e404ce1b150b59379c3f9a73ac1a
Homepage: https://certbot.eff.org/
Section: web
Priority: optional
Filename: pool/main/p/python-certbot/certbot_2.1.0-4_all.deb
Size: 121780
MD5sum: 7ffab2d3f3fc3e1c6cbfb066781a6ba1
SHA256: c39721449ddbd5c2252e92df92cf4dfcbecc97b0b8a5df0ccf6df2d48265eddc
```
Would it work out of the box with ISPConfig? How exactly does ISPConfig know the path to certbot? On this server it is currently installed to /opt/eff.org/certbot - but perhaps that's the default path to which certbot-auto installs it - I don't remember. I would appreciate a bit more help if possible. I'm just not sure what approach will work with ISPConfig.
Thanks @till I removed the manually installed certbot-auto script (as suggested here: https://eff-certbot.readthedocs.io/en/stable/install.html#certbot-auto-deprecated).
Code:
```
rm /usr/local/bin/certbot-auto
rm -rf /opt/eff.org
```
And installed the certbot shipping with Debian:
Code:
```
apt-get install certbot
```
Ticking "Let's Encrypt SSL" now works.
@till I have a couple of websites still causing renewal of certificates to throw errors in /var/log/letsencrypt/letsencrypt.log because the domains have been disabled due to lack of renewal, so they are currently not accessible. I have unticked the "SSL" and "Let's Encrypt SSL" checkboxes in ISPConfig but the certificates remain in /etc/letsencrypt/live/ and /var/www/example.com/ssl/ - how can I get rid of them without causing new problems? I can't just remove the websites from ISPConfig - at least not until the customers have confirmed that they don't plan on renewing the domain names. Also, would it be possible to manually trigger the renewal process so I can see that everything is brought back to normal, without waiting for the Certbot job to run at night? I have a script that monitors the Let's Encrypt log and shows an error on our status page for as long as the log contains errors.
In this case, you must delete the certs manually using the certbot command. You can manually run the certbot renew command.
Thanks @till For anyone else - and myself in the future if this happens again - I simply did:
Code:
```
certbot delete --cert-name=example.com
certbot delete --cert-name=sub.example.com
....
certbot renew
```
A simple force renew should work too without deleting them before:
Code:
```
certbot renew --force-renewal
```
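Added example, not part of any post in this thread: a log check of the kind mentioned above that reports renewal errors and also flags a log that has stopped receiving entries, which is how the broken certbot-auto showed up in the first post. It assumes certbot's `<timestamp>:<LEVEL>:<logger>:<message>` log line layout; `check_log`, the 36-hour threshold and the sample lines are hypothetical and constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Certbot log lines look like "<date> <time>,<ms>:<LEVEL>:<logger>:<message>".
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}:([A-Z]+):([^:]+):(.*)$"
)

def check_log(lines, now, max_age=timedelta(hours=36)):
    """Classify a certbot log as OK, ERROR or STALE.

    STALE means no parsable entry is newer than max_age: the renewal job is
    not running at all, which an error-only check would report as healthy.
    """
    newest = None
    errors = []
    for line in lines:
        match = LINE_RE.match(line.rstrip("\n"))
        if not match:
            continue  # traceback continuation lines carry no timestamp
        stamp = datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
        if newest is None or stamp > newest:
            newest = stamp
        if match.group(2) in ("ERROR", "CRITICAL"):
            errors.append(match.group(4).strip())
    if newest is None or now - newest > max_age:
        return "STALE", newest, errors
    return ("ERROR" if errors else "OK"), newest, errors

# Constructed sample lines (not taken from the server in this thread).
SAMPLE_FAILED = [
    "2023-08-03 03:10:01,120:DEBUG:certbot._internal.main:certbot version: 2.1.0",
    "2023-08-03 03:10:04,532:ERROR:certbot._internal.renewal:Failed to renew certificate sub.example.com",
    "Traceback (most recent call last):",
]
SAMPLE_CLEAN = [
    "2023-08-03 03:10:01,120:DEBUG:certbot._internal.main:certbot version: 2.1.0",
    "2023-08-03 03:10:09,877:DEBUG:certbot._internal.renewal:no renewal failures",
]

if __name__ == "__main__":
    morning = datetime(2023, 8, 3, 9, 0, 0)  # log timestamps are local time
    print(check_log(SAMPLE_FAILED, morning))
    print(check_log(SAMPLE_CLEAN, morning))
    # Two days without a run: flagged although the log holds no error line.
    print(check_log(SAMPLE_CLEAN, morning + timedelta(days=2)))
```

On a real server the lines would come from `/var/log/letsencrypt/letsencrypt.log`, with `now` set to `datetime.now()`.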