I added a website to one of my servers, with the auto-www subdomain. LE issued the cert but ONLY to the main domain - not www! The acme.log had:
23] Reload success
[Tue Sep 26 14:17:03 EDT 2023] LE_WORKING_DIR='/root/.acme.sh'
[Tue Sep 26 14:17:03 EDT 2023] Running cmd: issue
[Tue Sep 26 14:17:03 EDT 2023] _main_domain='nechtanmarketing.com'
[Tue Sep 26 14:17:03 EDT 2023] _alt_domains='no'
[Tue Sep 26 14:17:03 EDT 2023] Using config home:/root/.acme.sh
So why is alt_domains='no'? I had www saved! Also, I got a notification from LE about another site needing renewal. I unchecked LE/SSL on that site, waited, and then checked them again and waited. Checked the SSL - was it not supposed to issue a new cert in this process? It gave the same dates as before (August, in fact). Oddities!
Then the www subdomain likely does not point to the server, and non-existing subdomains must be excluded as no cert will get issued otherwise. See the Let's Encrypt error FAQ, it's all covered there how to find out why LE refuses to include the subdomain. https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
weirder. I just unchecked the ssl boxes, saved, waited, checked the same boxes again saved waited - and now the cert has both. nothing else changed! seems the process is a bit temperamental!
This typically just means that the www subdomain did not point to the new server at the time you first tried it and now, it points to the server. That's why the subdomain is now included in the cert.
just noticed something else - my server rebooted and I got a slew of named messages:
Sep 27 12:00:27 ns10 named[2209]: /var/named/pri.nardiashouse.com.signed:10: signature has expired
Sep 27 12:00:27 ns10 named[2209]: /var/named/pri.contractorsadvisor.net.signed:10: signature has expired
Sep 27 12:00:27 ns10 named[2209]: /var/named/pri.moleculepharm.com.signed:10: signature has expired
Sep 27 12:00:27 ns10 named[2209]: /var/named/pri.pinnaclehealthcaredmv.com.signed:10: signature has expired
Sep 27 12:00:27 ns10 named[2209]: /var/named/pri.waterservices-md.com.signed:10: signature has expired
hmm. anything to be concerned about? geez my week keeps getting stranger! thanks till.
it's an old well established one! and I intend to migrate it to ns11 the newer one! LOL and btw I was just setting up migtool and I'm getting:
[ERROR] API call to login failed. See log file for details. Could not connect to api. Please check if the data you provided is correct.
I seem to remember this was something to do with SSL connection from years ago and I had to give migration a parameter?
Ok, then it seems as if the key renewal for the DNSSEC keys failed. Which ISPConfig version do you use and is the cron.sh cronjob in the root crontab active?
ispconfig should be newest.
* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
* * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
30 23 * * * /usr/local/ispconfig/server/scripts/handle_mailbox_soft_deleted.sh &> /dev/null
seems to be. and one other migration question - on ns10 we are using letsencrypt/certbot. ns11 is acme. problem??
Is this only a name server, or do you run other services there? For a DNS server, the LE client does not matter as it is not used for DNS.
I run lots of services on both. and LOL I just remembered I set up google authenticator for ssh access. I suspect migration won't like that. host lots of websites email etc...
This looks fine so far. Try to change a setting in an affected zone and save it to see if this solves the issue for that zone.
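To find which zones to re-save, the named messages quoted earlier in the thread can be reduced to a per-zone summary. The script below is an added example, not part of any post in this thread; it assumes the pri.<zone>.signed file naming seen in those messages, and its sample log lines and zone names are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): summarise named's
# "signature has expired" messages per zone.
# Assumption: signed zone files are named pri.<zone>.signed, as in the
# log lines quoted in the thread.

# Reads syslog text on stdin; prints "<zone> <expired-record-count>",
# one zone per line, sorted by zone name. Other named messages are ignored.
expired_zones() {
    sed -nE 's#^.*named\[[0-9]+\]: .*/pri\.([^/]+)\.signed:[0-9]+: signature has expired.*$#\1#p' |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Constructed sample input; host and zone names are placeholders.
sample_log() {
    cat <<'EOF'
Sep 27 12:00:27 ns1 named[2209]: /var/named/pri.example.com.signed:10: signature has expired
Sep 27 12:00:27 ns1 named[2209]: /var/named/pri.example.net.signed:10: signature has expired
Sep 27 12:00:28 ns1 named[2209]: zone example.org/IN: loaded serial 2023092701
Sep 27 12:00:29 ns1 named[2209]: /var/named/pri.example.com.signed:14: signature has expired
EOF
}

# Demo run on the constructed sample; on a real server, feed the function
# the syslog file or journal output that contains the named messages.
sample_log | expired_zones
```

Each zone in the output is a candidate for the change-and-save step; a zone that still appears after the next named reload was not re-signed.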
Then old and new system should use the same LE client, or you would lose all certs during migration as acme.sh can not import certs from certbot and vice versa.
... and google authenticator LOL? guess I have to try and disable that at least temporarily... losing all the certs just means I have to go website by website and recheck the boxes? or things detonate? how about the certs linked to ftp etc. those stay unaffected?
Quite likely. Correct, but DNS must be pointed to the new system upfront, otherwise LE will not issue a cert. That's the system wide cert, it gets created at the time you install ISPConfig. So it does not change during migration.
Do you have any websites on the server already? or is it just an empty system with ISPConfig installed?
ack ack just noticed my isppscan is failing; Fatal error: SourceGuardian Incompatible loader version. This protected script was encoded with a newer version of SourceGuardian. Please download and install the <A HREF="https://www.sourceguardian.com/loaders">latest loaders</A>. Error code [19] in /usr/local/ispprotect/ispp_scan.php on line 2
Delete the loader file in /usr/local/ispprotect/loader/ and ISPprotect will download a new version on its own.