acme.sh Installing key to...

Discussion in 'General' started by SamTzu, Dec 31, 2024.

  1. SamTzu

    SamTzu Active Member

    Where does the acme.sh script get the installation folder?
    On one of our servers we get this output:
    Code:
    root@mail:~/.acme.sh# acme.sh -f -r -d mail.thompson.id
    [Tue Dec 31 11:05:10 EET 2024] Renewing: 'mail.thompson.id'
    [Tue Dec 31 11:05:10 EET 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 31 11:05:10 EET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 31 11:05:10 EET 2024] Using pre-generated key: /root/.acme.sh/mail.thompson.id/mail.thompson.id.key.next
    [Tue Dec 31 11:05:10 EET 2024] Generating next pre-generate key.
    [Tue Dec 31 11:05:13 EET 2024] Single domain='mail.thompson.id'
    [Tue Dec 31 11:05:15 EET 2024] Getting webroot for domain='mail.thompson.id'
    [Tue Dec 31 11:05:15 EET 2024] mail.thompson.id is already verified, skipping http-01.
    [Tue Dec 31 11:05:15 EET 2024] Verification finished, beginning signing.
    [Tue Dec 31 11:05:15 EET 2024] Let's finalize the order.
    [Tue Dec 31 11:05:15 EET 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1383673766/339175796635'
    [Tue Dec 31 11:05:16 EET 2024] Downloading cert.
    [Tue Dec 31 11:05:16 EET 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/036c1cb22f219b7ed2654705ba8366804d94'
    [Tue Dec 31 11:05:16 EET 2024] Cert success.
    -----BEGIN CERTIFICATE-----
    ***snipped***
    -----END CERTIFICATE-----
    [Tue Dec 31 11:05:16 EET 2024] Your cert is in: /root/.acme.sh/mail.thompson.id/mail.thompson.id.cer
    [Tue Dec 31 11:05:16 EET 2024] Your cert key is in: /root/.acme.sh/mail.thompson.id/mail.thompson.id.key
    [Tue Dec 31 11:05:16 EET 2024] The intermediate CA cert is in: /root/.acme.sh/mail.thompson.id/ca.cer
    [Tue Dec 31 11:05:16 EET 2024] And the full-chain cert is in: /root/.acme.sh/mail.thompson.id/fullchain.cer
    [Tue Dec 31 11:05:16 EET 2024] Your pre-generated key for future cert key changes is in: /root/.acme.sh/mail.thompson.id/mail.thompson.id.key.next
    [Tue Dec 31 11:05:17 EET 2024] Installing key to: /usr/local/ispconfig/interface/ssl/ispserver.key
    [Tue Dec 31 11:05:17 EET 2024] Installing full chain to: /usr/local/ispconfig/interface/ssl/ispserver.crt
    And on another identical server we get this:
    Code:
    root@mail:/var/log# acme.sh -f -r -d mail.rossi.id
    [Tue Dec 31 09:56:27 EET 2024] Renewing: 'mail.rossi.id'
    [Tue Dec 31 09:56:27 EET 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 31 09:56:28 EET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 31 09:56:27 EET 2024] Renewing: 'mail.rossi.id'
    [Tue Dec 31 09:56:27 EET 2024] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 31 09:56:28 EET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Tue Dec 31 09:56:28 EET 2024] Single domain='mail.rossi.id'
    [Tue Dec 31 09:56:30 EET 2024] Getting webroot for domain='mail.rossi.id'
    [Tue Dec 31 09:56:30 EET 2024] Verifying: mail.rossi.id
    [Tue Dec 31 09:56:31 EET 2024] Pending. The CA is processing your order, please wait. (1/30)
    [Tue Dec 31 09:56:35 EET 2024] Success
    [Tue Dec 31 09:56:35 EET 2024] Verification finished, beginning signing.
    [Tue Dec 31 09:56:35 EET 2024] Let's finalize the order.
    [Tue Dec 31 09:56:35 EET 2024] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/1383673766/339158049195'
    [Tue Dec 31 09:56:36 EET 2024] Downloading cert.
    [Tue Dec 31 09:56:36 EET 2024] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03f0e07eadbe8913fc98201fd7d775fd42c5'
    [Tue Dec 31 09:56:36 EET 2024] Cert success.
    -----BEGIN CERTIFICATE-----
    ***snipped***
    -----END CERTIFICATE-----
    [Tue Dec 31 09:56:36 EET 2024] Your cert is in: /root/.acme.sh/mail.rossi.id/mail.rossi.id.cer
    [Tue Dec 31 09:56:36 EET 2024] Your cert key is in: /root/.acme.sh/mail.rossi.id/mail.rossi.id.key
    [Tue Dec 31 09:56:36 EET 2024] The intermediate CA cert is in: /root/.acme.sh/mail.rossi.id/ca.cer
    [Tue Dec 31 09:56:36 EET 2024] And the full-chain cert is in: /root/.acme.sh/mail.rossi.id/fullchain.cer
    [Tue Dec 31 09:56:36 EET 2024] Installing key to: /var/www/clients/client0/web2/ssl/mail.rossi.id-le.key
    [Tue Dec 31 09:56:36 EET 2024] Installing full chain to: /var/www/clients/client0/web2/ssl/mail.rossi.id-le.crt
    [Tue Dec 31 09:56:37 EET 2024] Running reload cmd: systemctl force-reload apache2.service
    [Tue Dec 31 09:56:37 EET 2024] Reload successful
    [Tue Dec 31 09:56:37 EET 2024] Running renew hook: 'letsencrypt_renew_hook.sh'
    
    Why does ISPConfig decide to use different installation folders for acme certs and where is it chosen?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The installation folder of a certificate is chosen at the time the certificate is created. Acme.sh will install a cert in only one folder, which will be the folder that was chosen at the time the cert was created.

    The difference you see comes from the fact that you likely created a website with the exact name of the system hostname. In this case the website captures the SSL cert and overrides it, so the system SSL cert will not get renewed or installed anymore, as a certificate can have only one target folder in acme.sh.

    The solution for your issue is to symlink the ISPConfig SSL certificate and key to those of the website. See also here for using a website SSL cert for the main system: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
     
    SamTzu likes this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    ISPConfig does not customize acme.sh and only uses the default command for obtaining LE SSL certs, so you should be able to find them in /root/.acme.sh/domain.tld/, as you can see from your logs.

    The install command for acme.sh is actually a copy command that copies them to the standard/default ISPConfig website ssl folder to be used by that site, while the originals always remain in acme.sh's default folder.

    Note that this is different from certbot, which uses symlinks to the website's ssl folder instead of copying them.

    It is possible not to use that install (copy) command and instead use a symlink, but I believe that it is the developers' preference to maintain the use of the default built-in install command for acme.sh, instead of other commands like symlink.

    One of the benefits I can see is that it separates the website's ssl folder from the root folder, while keeping the original copies intact and without possible harm.

    The problem is like what you are facing, as it is not possible to have multiple install (copy) locations for those certs when you want them for both the server and its website, which can be resolved as suggested in the given link above.

    Using certbot with symlink in my experience however will not face the same issue.
     
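Two points from the replies above, till's that the install target is fixed when the cert is issued and ahrasis's that the install step copies rather than links, can be checked from acme.sh's own per-domain config file. The script below is an added example, not code from the thread, from acme.sh or from ISPConfig; it assumes acme.sh's default home /root/.acme.sh and that the Le_RealKeyPath and Le_RealFullChainPath values in the conf are plain single-quoted paths.

```shell
#!/bin/sh
# Added example; not code from the thread, from acme.sh or from ISPConfig.
# acme.sh records the --install-cert targets of a domain in
# $ACME_HOME/<domain>/<domain>.conf as Le_RealKeyPath and
# Le_RealFullChainPath (single-quoted; assumed to be plain paths).
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"

# conf_value FILE KEY: print the unquoted value of KEY='...', or nothing.
conf_value() {
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1"
}

# acme_install_targets DOMAIN [CONF]: print "key=<path>" and
# "fullchain=<path>". Returns 1 when no install target is recorded (then a
# renewal only writes under ACME_HOME) and 2 when the conf file is missing.
acme_install_targets() {
    conf="${2:-$ACME_HOME/$1/$1.conf}"
    [ -r "$conf" ] || { echo "no conf for $1: $conf" >&2; return 2; }
    key=$(conf_value "$conf" Le_RealKeyPath)
    chain=$(conf_value "$conf" Le_RealFullChainPath)
    if [ -z "$key" ] && [ -z "$chain" ]; then
        echo "no install target recorded for $1"
        return 1
    fi
    echo "key=$key"
    echo "fullchain=$chain"
}

# is_symlink_to LINK TARGET: succeed when LINK is a symlink that resolves to
# TARGET. Use it to verify the fix from the thread: the ISPConfig system cert
# and key should point at the website's installed copies.
is_symlink_to() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# Usage (paths taken from the second log in the thread):
#   acme_install_targets mail.rossi.id
#   is_symlink_to /usr/local/ispconfig/interface/ssl/ispserver.crt \
#       /var/www/clients/client0/web2/ssl/mail.rossi.id-le.crt && echo linked
```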
