Acme refreshed certificate but doesn't copy it to location for webserver

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Jan 26, 2022.

  1. Hi everybody,

    my mailserver, mail1.consulting1x1.info, uses a Let's Encrypt certificate generated by acme.sh to provide TLS for the web interface on port 8080 and other services. When I open it in Chrome I get an error message that my certificate is not valid anymore. The "original" copy of the certificate rests in /root/.acme.sh/mail1.consulting1x1.info. The file fullchain.cer has the complete chain and the first certificate is Valid To: April 2, 2022. If I go to /usr/local/ispconfig/interface/ssl (this version of the certificate is used for the web interface, postfix and dovecot) and open ispserver.crt and decode it, it says it's Valid To: January 19, 2022. Why hasn't the refreshed copy been copied to the ispconfig directory - Acme is obviously working? And why didn't I get a storm of calls from users who complain that the certificate of their mail server is not valid anymore and they can neither send nor receive mail? (I am going to manually copy the files in question now, but of course I am looking for a long-term solution.)

    Yours sincerely
    Stefan
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you create a website for mail1.consulting1x1.info in ISPConfig? if yes, then this might causing the refresh issue as acme.sh can copy certs to one location only, if there is a website for the hostname, then the refreshed certs might have ended up in the SSL dir of that site instead of the ISPConfig SSL directory. Just as an idea.
     
    Stefan Schumacher likes this.
  4. @till: Yes, I did. The Telekom forced me to because my mailserver needs a proper German Impressum. We wouldn't want to send emails without a proper Impressum, would we?
    So, what do I do? Create the files under /usr/local/ispconfig/interface/ssl as symlinks to the files of the website? Seems to work so far. The real trial of course comes on the second of April when the certificate expires. And whenever I update ISPConfig, because I very much fear that this rather delicate setup will be broken by it.

    Yours
    Stefan
     
    Last edited: Jan 26, 2022
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that's probably the best option. But one issue will probably be that postfix and dovecot and pure-ftpd will not be restarted automatically then if no cert change in the ISPConfig SSL folder is detected.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Or you copy the certs to the ISPConfig ssl folder and create symlinks in the website's SSL folder. But you will have to find the SSL path in the acme.sh config files of that cert then and change them back to the ispconfig folder, so that future renewals end up in the ispconfig SSL folder again. The benefit would be that other services get restarted automatically then.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, and also ensure there isn't a second certificate for the same hostname created by the installer. When acme.sh renews the certificate, it will place a copy of the files in the website ssl/ directory, and the symlinks to those files will continue working. You will need to arrange something to restart services (mail and ftp) after this certificate renews/changes, as I believe the renew hook for websites only restarts the webserver itself.
     
  8. That makes sense. I will change my setup accordingly: This is from the file /root/.acme.sh/mail1.consulting1x1.info/mail1.consulting1x1.conf : (Cleaned up a bit before posting)
    Lots of vars. Which do I have to change? RealKeyPath, RealFullChainPath - anything else? And what does Le_ForceNewDomainKey=1 do?

    Yours
    Stefan

    Le_Domain='mail1.consulting1x1.info'
    Le_Alt='www.mail1.consulting1x1.info'
    Le_Webroot='/usr/local/ispconfig/interface/acme'
    Le_PreHook=''
    Le_PostHook=''
    Le_RenewHook=''
    Le_API='https://acme-v02.api.letsencrypt.org/directory'
    Le_Keylength='4096'
    Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/
    Le_LinkOrder='https://acme-v02.api.letsencrypt.org/acme/order/
    Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/
    Le_CertCreateTime='1641165443'
    Le_CertCreateTimeStr='So 2. Jan 23:17:23 UTC 2022'
    Le_NextRenewTimeStr='Do 3. Mär 23:17:23 UTC 2022'
    Le_NextRenewTime=''
    Le_RealCertPath=''
    Le_RealCACertPath=''
    Le_RealKeyPath='/var/www/clients/client0/web4/ssl/mail1.consulting1x1.info-le.key'
    Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIGZvcmNlLXJlbG9hZCBhcGFjaGUyLnNlcnZpY2U=__ACME_BASE64__END_'
    Le_RealFullChainPath='/var/www/clients/client0/web4/ssl/mail1.consulting1x1.info-le.crt'
    Le_ForceNewDomainKey='1'
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, I would say these two.

    Without having looked at the acme.sh docs, I would say it enforces that a new key is created for each renewal instead of reusing the existing key.
     
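The thread turns on two facts hidden in the acme.sh per-domain .conf: where `Le_RealKeyPath`/`Le_RealFullChainPath` send the renewed files (post 8 and till's reply), and what the base64-wrapped `Le_ReloadCmd` actually restarts (Jesse's point that only the webserver is reloaded). The script below is an added example, not code from the thread, from acme.sh or from ISPConfig. It parses a constructed conf modelled on the one posted above, decodes the reload command, and warns when renewals are installed somewhere other than the directory you expect (here the ISPConfig SSL directory named in the thread). It assumes the `Le_KEY='value'` line format and the `__ACME_BASE64__START_…__ACME_BASE64__END_` wrapper exactly as they appear in the posted file.

```shell
#!/bin/sh
# Added example (not part of the thread, acme.sh or ISPConfig): inspect an
# acme.sh per-domain .conf and report where renewals are installed, what the
# reload command does, and whether the install paths sit under EXPECTED_DIR.

# Constructed sample conf, modelled on the one posted in the thread.
ACME_CONF="${TMPDIR:-/tmp}/acme-example-$$.conf"
cat > "$ACME_CONF" <<'EOF'
Le_Domain='mail1.consulting1x1.info'
Le_RenewHook=''
Le_RealKeyPath='/var/www/clients/client0/web4/ssl/mail1.consulting1x1.info-le.key'
Le_ReloadCmd='__ACME_BASE64__START_c3lzdGVtY3RsIGZvcmNlLXJlbG9hZCBhcGFjaGUyLnNlcnZpY2U=__ACME_BASE64__END_'
Le_RealFullChainPath='/var/www/clients/client0/web4/ssl/mail1.consulting1x1.info-le.crt'
Le_ForceNewDomainKey='1'
EOF

# acme_conf_get FILE KEY: print the single-quoted value of KEY (empty if unset).
acme_conf_get() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# acme_reload_cmd FILE: unwrap and base64-decode Le_ReloadCmd; pass through
# a plain (unwrapped) value unchanged.
acme_reload_cmd() {
    raw=$(acme_conf_get "$1" Le_ReloadCmd)
    case "$raw" in
        __ACME_BASE64__START_*__ACME_BASE64__END_)
            b64=${raw#__ACME_BASE64__START_}
            b64=${b64%__ACME_BASE64__END_}
            printf '%s' "$b64" | base64 -d
            ;;
        *)  printf '%s' "$raw" ;;
    esac
}

# acme_install_dir FILE: directory the renewed fullchain is copied into.
acme_install_dir() {
    dirname "$(acme_conf_get "$1" Le_RealFullChainPath)"
}

# acme_installs_under FILE DIR: succeed only if both the key and the
# fullchain install targets live under DIR; fail otherwise. Failure is the
# situation from the thread: renewals land in the website's ssl/ directory
# while the copies in the ISPConfig SSL directory quietly expire.
acme_installs_under() {
    key=$(acme_conf_get "$1" Le_RealKeyPath)
    chain=$(acme_conf_get "$1" Le_RealFullChainPath)
    case "$key"   in "$2"/*) ;; *) return 1 ;; esac
    case "$chain" in "$2"/*) ;; *) return 1 ;; esac
    return 0
}

# acme_report FILE EXPECTED_DIR: human-readable summary for an operator.
acme_report() {
    echo "domain:      $(acme_conf_get "$1" Le_Domain)"
    echo "installs to: $(acme_install_dir "$1")"
    echo "reload cmd:  $(acme_reload_cmd "$1")"
    if acme_installs_under "$1" "$2"; then
        echo "OK: renewals land in $2"
    else
        echo "WARNING: renewals do NOT land in $2; copies there will go stale"
    fi
}

acme_report "$ACME_CONF" /usr/local/ispconfig/interface/ssl
```

Run against the sample, the report shows the install directory is the website's ssl/ folder, not the ISPConfig one, and that the reload command decodes to `systemctl force-reload apache2.service`, which is why postfix, dovecot and pure-ftpd never see the new certificate. Point it at a real `/root/.acme.sh/<domain>/<domain>.conf` to check a live setup; the same two values are the ones to edit (or re-install with `acme.sh --install-cert`) if renewals should go back to the ISPConfig directory.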
