acme.sh not running for certain domains

Discussion in 'ISPConfig 3 Priority Support' started by Ralph Keck, Aug 8, 2022.

  1. Ralph Keck

    Ralph Keck New Member HowtoForge Supporter

    I used ISPConfig Migration Tool to migrate to a new server. The old server uses certbot, the new one acme.sh. And I read over the message that certs aren't copied.
    The old server had been installed manually as Perfect Server on Debian 10 and has been upgraded to Debian 11 a couple of weeks ago.
    The new one is Debian 11 and installed by the automatic install with apache and acme.sh.

    Now for a couple of domains acme.sh can request new certs, and acme.sh --renew --force works fine.
    Several other domains don't get new certificates. Then I remove the x for Letsencrypt in ISPC, save and set again, it stays set, but there is no cert created. There is also no acme.sh process visible.
    Deleting and re-creating the domain does not help.
    When I use acme.sh manually with acme.sh --issue -d domain.xy -d www.domain.xy --apache it starts running, creates the directory domain.xy and leaves csr, private key and two conf files.

    This is the output (domain name and IP address are correct and so set in dns):

    acme.sh --issue -d domain.xy -d www.domain.xy --apache
    [Mo 8. Aug 11:23:00 CEST 2022] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Mo 8. Aug 11:23:00 CEST 2022] Checking if there is an error in the apache config file before starting.
    [Mo 8. Aug 11:23:00 CEST 2022] OK
    [Mo 8. Aug 11:23:00 CEST 2022] JFYI, Config file /etc/apache2/apache2.conf is backuped to /root/.acme.sh/apache2.conf
    [Mo 8. Aug 11:23:00 CEST 2022] In case there is an error that can not be restored automatically, you may try restore it yourself.
    [Mo 8. Aug 11:23:00 CEST 2022] The backup file will be deleted on success, just forget it.
    [Mo 8. Aug 11:23:00 CEST 2022] Creating domain key
    [Mo 8. Aug 11:23:01 CEST 2022] The domain key is here: /root/.acme.sh/domain.xy/domain.xy.key
    [Mo 8. Aug 11:23:01 CEST 2022] Multi domain='DNS:domain.xy,DNS:www.domain.xy'
    [Mo 8. Aug 11:23:01 CEST 2022] Getting domain auth token for each domain
    [Mo 8. Aug 11:23:03 CEST 2022] Getting webroot for domain='domain.xy'
    [Mo 8. Aug 11:23:03 CEST 2022] Getting webroot for domain='www.domain.xy'
    [Mo 8. Aug 11:23:03 CEST 2022] Verifying: domain.xy
    [Mo 8. Aug 11:23:04 CEST 2022] Pending, The CA is processing your order, please just wait. (1/30)
    [Mo 8. Aug 11:23:08 CEST 2022] domain.xy:Verify error:xx.xxx.xxx.xx: Invalid response from http://domain.xy/.well-known/acme-challenge/OWsIjrgQGTSXet57J0KBjtrfKiw7zrMLj7bgYrKwLkE: 404
    [Mo 8. Aug 11:23:08 CEST 2022] Please check log file for more details: /tmp/debug.log


    Any ideas on this?

    Thanks a lot
     

    Last edited: Aug 8, 2022
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The recommended way to do such migration is to keep the same LE client, so as not to switch from certbot to acme.sh, but it's too late now for this recommended migration path.

    Never run acme.sh or certbot manually like this on an ISPConfig system as it destroys the config; ISPConfig might not fully work anymore afterward for this domain and website. To fix your setup, you will have to undo everything that the command you ran did. Seems as if it replaced apache2.conf, so start with restoring the old config file:

    Also, check the apache sites-enabled folder to ensure that acme.sh did not create any config file copies of ISPConfig vhosts there.

    Then back to your original problem, follow the FAQ to find out why ISPConfig is not able to obtain a LE cert for this domain:

    https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

    and if the earlier steps do not resolve the problem, follow the final step to use debug mode and post the debug result.
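
A read-only check for the leftovers described in the reply above, as an added example that is not part of the original post: it compares the live apache2.conf with the backup path named in the acme.sh output and lists regular (non-symlink) files in sites-enabled. The function names are hypothetical, and it assumes that enabled vhosts are normally symlinks into sites-available.

```shell
#!/bin/sh
# Added example: read-only checks after a manual `acme.sh --issue ... --apache` run.
# Default paths are the ones shown in the acme.sh output quoted in this thread.

# conf_state LIVE BACKUP -> prints one of: no-backup | identical | differs
conf_state() {
    live=$1; backup=$2
    if [ ! -f "$backup" ]; then
        echo "no-backup"      # per the log, acme.sh deletes the backup on success
    elif cmp -s "$live" "$backup"; then
        echo "identical"
    else
        echo "differs"        # live config no longer matches the pre-run backup
    fi
}

# stray_vhosts DIR -> prints regular files (not symlinks) found directly in DIR.
# Assumption: enabled vhosts are symlinks, so a regular file is a copy to review.
stray_vhosts() {
    dir=$1
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty or missing directory
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            echo "$f"
        fi
    done
}

# report [LIVE] [BACKUP] [SITES_ENABLED] -> human-readable summary, changes nothing
report() {
    live=${1:-/etc/apache2/apache2.conf}
    backup=${2:-/root/.acme.sh/apache2.conf}
    enabled=${3:-/etc/apache2/sites-enabled}
    state=$(conf_state "$live" "$backup")
    echo "apache2.conf vs acme.sh backup: $state"
    if [ "$state" = "differs" ]; then
        diff -u "$backup" "$live" || true   # show what would be undone by a restore
    fi
    echo "regular files in $enabled (review each one):"
    stray_vhosts "$enabled"
    return 0
}
```

Source the file as root and call `report`; a `differs` result shows the diff to review before copying the backup over the live file.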
     
  3. Ralph Keck

    Ralph Keck New Member HowtoForge Supporter

    Hi Till,
    thanks a lot for helping me with the hint on the Letsencrypt Error FAQ. It was point #9 that made my day. After the last migration run, the migration toolkit obviously did not switch migration mode off again.
    My issue is solved now.

    Best Regards,
    Ralph
     
    till likes this.
