Acme refreshed certificate but doesnt copy it to location for webserver

Discussion in 'Installation/Configuration' started by Stefan Schumacher, Jan 26, 2022.

  1. Hi everybody,

    my mailserver, uses a let's encrypt certificate generated by to provide tls for the webinterface on port 8080 and other services. When I open it in Chrome I get an error message that my certificate is not valid anymore. The "original" copy of the certificate rests in /root/ The file fullchain.cer has the complete chain and the first certificate is Valid To: April 2, 2022. If I go to /usr/local/ispconfig/interface/ssl (This version of the certificate is used for the web interface, postfix and dovecot) and open ispserver.crt and decode it it says its Valid To: January 19, 2022. Why hasnt the refreshed copy been copied to the ispconfig directory - Acme is obviously working? And why didnt I get a storm of of calls by users who complain that the certificate of their mail server is not valid anymore and they can neither send nor receive mail? (I am going to manually copy the files in question now, but I am looking of course for a long-term solution)

    Yours sincerely
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you create a website for in ISPConfig? if yes, then this might causing the refresh issue as can copy certs to one location only, if there is a website for the hostname, then the refreshed certs might have ended up in the SSL dir of that site instead of the ISPConfig SSL directory. Just as an idea.
    Stefan Schumacher likes this.
  4. @till: Yes, I did. The Telekom forced me to because my mailserver needs a proper German Impressum. We wouldn't want to send Emails without a proper Impressum, wouldn't we?
    So, what do I do? Create the files under /usr/local/ispconfig/interface/ssl as Symlinks to the files of the Website? Seems to work so far. The real trial of of course comes on the second of April when the certificate expires. And whenever I update ISPConfig because I very much fear that this rather delicate setup will be broken by it.

    Last edited: Jan 26, 2022
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that:s probably the best option. But one issue will probably be that postfix and dovecot and pure-ftpd will not be restarted automatically then if no cert change in the ISPConfig SSL folder is detected.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Or you copy the certs to the ISPConfig ssl folder and create symlinks in the website's SSL folder. But you will have to find the SSL path in the config files of that cert then and change them back to the ispconfig folder, so that future renewals end up in the ispconfig SSL folder again. The benefit would be that other services get restarted automatically then.
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Yes, and also ensure there isn't a second certificate for the same hostname created by the installer. When renews the certificate, it will place a copy of the files in the website ssl/ directory, and the symlinks to those files will continue working. You will need to arrange something to restart services (mail and ftp) after this certificate renews/changes, as I believe the renew hook for websites only restarts the webserver itself.
  8. That makes sense. I will change my setup accordingly: This is from the file /root/ : (Cleaned up a bit before posting)
    Lots of vars. Which do I have to change? RealKeyPath, RealFullChainPath - anything else? And what does Le_ForceNewDomainKey=1 do?


    Le_CertCreateTimeStr='So 2. Jan 23:17:23 UTC 2022'
    Le_NextRenewTimeStr='Do 3. Mär 23:17:23 UTC 2022'
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, I would say these two.

    Without having looked at the docs, I would say it enforces that a new key is created for each renewal instead of reusing the existing key.

Share This Page