hi, i'm installing ispconfig 3.2.2 on a new standalone server (ubuntu 20.04) for a client. i'm following the ubuntu 20.04 (apache) perfect server guide. everything i've seen in these forums suggested that acme.sh is installed by ispconfig if it doesn't find letsencrypt, so i skipped installed letsencrypt. i installed ispconfig. that was all fine, except it created a self-signed cert. i thought maybe it would just do that the first time, so i ran php -q update.php --force. chose reconfigure services, create a new certificate. it again went straight to creating a new self-signed cert. so i figured i'd install acme.sh manually. i ran: Code: git clone https://github.com/Neilpang/acme.sh.git cd ./acme.sh ./acme.sh --install source ~/.bashrc and ran a forced update again. this time it requested a new full cert. Code: Create new ISPConfig SSL certificate (yes,no) [no]: yes Checking / creating certificate for comptonhost.comptoncymru.com Using certificate path /etc/letsencrypt/live/comptonhost.comptoncymru.com Using apache for certificate validation Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed. Generating RSA private key, 4096 bit long modulus (2 primes) .................................................................................................................................++++ ...............................................................................................................................................................................................................................................................................................................................................................++++ e is 65537 (0x010001) You are about to be asked to enter information that will be incorporated into your certificate request. 
i'm not sure why it's trying to use /etc/letsencrypt, that path doesn't exist, i thought it should be using ~/.acme.sh/<domain name>/ or why it thinks /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. it isn't. acme.sh seems to have actually created the certificate ok:

Code:
root@comptonhost:~/.acme.sh/comptonhost.comptoncymru.com# ls -l
total 32
drwxr-xr-x 2 root root 4096 Mar 8 12:03 backup
-rw-r--r-- 1 root root 1587 Mar 8 12:03 ca.cer
-rw-r--r-- 1 root root 1874 Mar 8 12:03 comptonhost.comptoncymru.com.cer
-rw-r--r-- 1 root root 926 Mar 8 12:03 comptonhost.comptoncymru.com.conf
-rw-r--r-- 1 root root 1013 Mar 8 12:03 comptonhost.comptoncymru.com.csr
-rw-r--r-- 1 root root 223 Mar 8 12:03 comptonhost.comptoncymru.com.csr.conf
-rw-r--r-- 1 root root 1675 Mar 8 12:03 comptonhost.comptoncymru.com.key
-rw-r--r-- 1 root root 3461 Mar 8 12:03 fullchain.cer

but it doesn't seem to remove the self-signed cert, and symlink to the new cert:

Code:
root@comptonhost:/usr/local/ispconfig/interface/ssl# ls -l
total 44
-rwxr-x--- 1 root root 45 Mar 8 12:04 empty.dir
-rwxr-x--- 1 root root 1939 Mar 8 12:04 ispserver.crt
-rwxr-x--- 1 root root 1939 Mar 8 11:57 ispserver.crt-20210308120348.bak
-rwxr-x--- 1 root root 1651 Mar 8 12:04 ispserver.csr
-rwxr-x--- 1 root root 3247 Mar 8 12:04 ispserver.key
-rwxr-x--- 1 root root 3247 Mar 8 11:57 ispserver.key-20210308120348.bak
-rwxr-x--- 1 root root 3311 Mar 8 12:04 ispserver.key.secure
-rwxr-x--- 1 root root 5186 Mar 8 12:04 ispserver.pem
-rwxr-x--- 1 root root 5186 Mar 8 11:57 ispserver.pem-20210308120348.bak

should i be doing that part manually? am i missing something obvious or do i have a problem somewhere? i could just remove all the acme.sh stuff and go back to using letsencrypt, which i've never had a problem with, but if the goal is to switch everything in ispconfig to acme.sh and drop letsencrypt, i might as well get problems like this resolved now.
*just to be clear, this is just to secure the interface and services, i haven't attempted to create and secure any client website at this point.
This is a bug in 3.2.2, which will be fixed in 3.2.3. Undo the acme.sh install steps so the default acme.sh install is used, and then run a force update like this:

Code:
ispconfig_update.sh --force

By the way, the difference is between acme.sh and certbot - they both create a Let's Encrypt cert for you.
One more note, you can also use the official autoinstaller, which can do some additional work for you and follows the perfect server tutorial. See https://www.howtoforge.com/community/threads/ispconfig-3-autoinstaller.86078/
ok, so exactly when/how does acme.sh get installed then? i've done the ~/acme.sh/acme.sh --uninstall so it should be back to how it was before. i tried ispconfig_update.sh --force, that said no valid acme client (acme or certbot), so i removed the test client site (created after i opened this thread, and which created a cert for itself without problems), dropped the dbispconfig database, and ran rm -rf /usr/local/ispconfig

i then re-installed a fresh copy of ispconfig (from the 3.2.2.tar.gz download) and attempted to secure the interface. it created a self-signed cert. i've now run ispconfig_update.sh --force against the new ispconfig install, and still i get:

Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for comptonhost.comptoncymru.com
Using certificate path /etc/letsencrypt/live/comptonhost.comptoncymru.com
Using apache for certificate validation
Did not find any valid acme client (acme.sh or certbot)

note i'm selecting the stable version when running ispconfig_update.sh --force, should i be using nightly or git-develop instead?
You must install acme.sh or certbot before you install ISPConfig 3.2.2; acme.sh is only installed automatically later if there is no LE client, but not at install time. So the steps to fix your system are:

1) Install acme.sh with the command: curl https://get.acme.sh | sh -s
2) Then run: ispconfig_update.sh --force and choose to recreate the SSL cert to get a new LE cert.
It's odd that you would have a /etc/letsencrypt/ directory if this really is a new server setup, without certbot being installed. In addition to the preceding, you might also check all install paths for certbot (ie. packages and install via certbot-auto) and purge all that, and rename /etc/letsencrypt/ before re-running the installer.
No, you can use the stable version - creating the cert when updating should work. The installer can show the wrong path, so I'm not sure if the directory really exists - you should check that.
Surprisingly. Just to confirm after revisiting https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1392, does this code mean that in the next 3.2.3 version of ISPConfig, if no LE client is installed, acme.sh will be automatically installed (since in 3.2.2 and below this LE client must be installed in advance)?
ok. just to confirm, certbot was not installed. in any way whatsoever. and the /etc/letsencrypt folder definitely did not exist on the server. i was under the impression from previous comments on other threads here that acme.sh didn't need to be manually installed, ispconfig would add it if it didn't find any letsencrypt client installed.

it appeared originally that the only issue was with securing the ispconfig interface, once acme.sh was installed, it would create the cert, but not remove the self-signed cert, or symlink to the letsencrypt cert. a test site was created and successfully secured. although it did create the actual cert files in /root/.acme.sh/<domain name> and a copy of the files were in /var/www/<domain name>/ssl/ is this correct? it's supposed to actually have a full copy of the files there and not symlinks to the files in ~/root/.acme.sh ?

anyway, i had to go out for a couple of hours yesterday and after getting back, it all got strange. i couldn't ssh to the server from my main pc, but could from my laptop. (same ssh key, same public ip, and it definitely wasn't anything to do with fail2ban or ufw) and i saw messages about some issues at digitalocean, including with firewalls, and logins / console connections etc. so i couldn't do anything further. will try it again today.
Me too... I think so, since last time I checked, with acme.sh ISPConfig does install the certs to the ssl folder, while with certbot ISPConfig merely creates a symlink to it.
This should happen when the installer tries to create a cert and no client is in place, so it should not be necessary, I thought...
I thought the same, but in fact, it happens only for websites in 3.2.2 and not at install time, this should be fixed in nightly and 3.2.3 though.
ok, after some fun and games with connectivity yesterday, that i thought was digitalocean issues continued this morning... and turned out to be malwarebytes interfering.. don't know why it has to get involved in blocking an outbound ssh connection.

i decided to start clean and rebuild the vps. i followed the perfect server ubuntu (apache) guide, skipped certbot, and installed acme.sh using the command shown by @till in his post above. then installed ispconfig 3.2.2. it created an acme.sh cert, didn't validate it, and fell back to a self-signed cert. then i ran ispconfig_update.sh --force, which isn't exactly clear if it created a new cert, or re-used the existing letsencrypt cert:

Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for comptonhost.comptoncymru.com
Using certificate path /root/.acme.sh/comptonhost.comptoncymru.com
Using apache for certificate validation

but it did validate ok, and it did replace the self-signed cert in /usr/local/ispconfig/interface/ssl and symlink the pure-ftpd certs in /etc/ssl/private to the ispserver files. so all working flawlessly this time, i've even created a test site and secured that ok, no problems anywhere. thanks everyone.
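Added example, not part of any post in this thread and not ISPConfig code: a shell check for the failure discussed above, where the installer reports a certificate but the panel still serves the self-signed fallback. It assumes `openssl` is installed; the function names and status words are invented for this example, and the sample certificates are constructed throwaways.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Classifies the certificate deployed for
# the panel: missing, unreadable, self-signed fallback, acme.sh copy, or other.

# Print the SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# A self-issued certificate has identical subject and issuer name hashes.
is_self_issued() {
    s=$(openssl x509 -in "$1" -noout -subject_hash 2>/dev/null) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer_hash 2>/dev/null) || return 1
    [ -n "$s" ] && [ "$s" = "$i" ]
}

# panel_cert_status DEPLOYED_CRT ACME_CER -> prints one status word
panel_cert_status() {
    deployed=$1 issued=$2
    [ -s "$deployed" ] || { echo missing; return 0; }
    fp=$(cert_fp "$deployed")
    [ -n "$fp" ] || { echo unreadable; return 0; }
    if is_self_issued "$deployed"; then echo self-signed; return 0; fi
    if [ -s "$issued" ] && [ "$fp" = "$(cert_fp "$issued")" ]; then
        echo acme-copy          # deployed file is a copy of the issued cert
    else
        echo ca-issued-other    # CA-issued, but not the acme.sh file given
    fi
}

# Constructed sample data: a throwaway CA, a leaf it signs, a self-signed cert.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=panel.example.test" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.cer" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=panel.example.test" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
}

# On a real host (paths as listed in the thread; run as root):
#   panel_cert_status /usr/local/ispconfig/interface/ssl/ispserver.crt \
#       /root/.acme.sh/<hostname>/<hostname>.cer
```

A result of `self-signed` after a forced update means the fallback certificate is still in place, whatever the installer output said about issuing.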
No, it does (or it should):

PHP:
if((!$acme || !is_executable($acme)) && (!$le_client || !is_executable($le_client))) {
    $success = $this->install_acme();
    if(!$success) {
        swriteln('Failed installing acme.sh. Will not be able to issue certificate during install.');
    } else {
        $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
        $acme = reset($acme);
        if($acme && is_executable($acme)) {
            swriteln('Installed acme.sh and using it for certificate creation during install.');
        } else {
            swriteln('Failed installing acme.sh. Will not be able to issue certificate during install.');
        }
    }
}

This is from the installer_base script. The only reason it currently fails is the issue that is already resolved in 3.2.3, I think.
The code to download acme.sh automatically is in develop branch and not in 3.2.2. So it is part of the current nightly build and it will be part of the 3.2.3 release. Until 3.2.3 gets released, the fix is to follow the procedure I've posted in #5 of this thread.
Check dns records of the moodle3 subdomain and ensure it points to your server with a DNS A-Record and that it's reachable from the internet and check that you do not block port 80 so that the system can be reached on port 80 from the internet.
Hi, moodle3.calbasi.net is reachable (you can ping it to test). In fact, this server has been running for several years... It has had several websites hosted, and for example you can access: http://anticimex.campustecnic.com:80 So I guess it's not a problem with the websites hosted on it. But I wonder, do I need to host a http://moodle3.calbasi.net website?? I can access the ISPConfig website, but that is done on port 8080. In fact, when trying to access http://moodle3.calbasi.net:80, a successful apache default page is shown.