Hi,
In a bit of a pickle and hoping for some assistance. I've an old server that's been sat quietly hosting some email/websites for a few years. Not done much with it other than keeping it updated. For some reason a few days ago it stopped loading websites or delivering mail, though I can still SSH in fine. Checked the apache error log and found the following:
Code:
[Tue May 12 11:27:21.147403 2020] [ssl:emerg] [pid 4192] AH02565: Certificate and private key <DOMAIN:PORT> from /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key do not match
Can I get some help with debug and resolution? Am unsure how to address this without access to the ispconfig web admin.
Can you find out what operating system is running on that host? Oh, you are running ISPConfig? What version? Any error messages in the logs? You did examine the logs, I hope? Any more exact info on what happens when you try to load websites or send or receive e-mail? For the problem, my first guess is some service is not running. But not knowing what OS you have, I can offer no help on how to check that.
ISPConfig version: 3.1.15p3
Server: Debian 8.11
Apache Error log:
Code:
[Tue May 12 11:27:21.147403 2020] [ssl:emerg] [pid 4192] AH02565: Certificate and private key <DOMAIN:PORT> from /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key do not match
The error in the log appears when attempting to start apache, so my assumption is that apache is not running because of it. Is there any additional info you need? My guess is that there is some issue due to the mismatch of certificate and private key, probably due to something with LetsEncrypt, but I don't know how to confirm that's the case, or fix it if so.
I suspect your web server is not restarting due to mismatched ISPConfig SSL certs. Are you using Let's Encrypt in securing your server based on this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ ?
I believe I did follow that, or something similar, but quite some time ago - the server has been running for some years without much issue, this problem has only occurred in the last couple of days without me changing anything manually. If I attempt to run ispconfig_update.sh now I get the message "There are no updates available for ISPConfig 3.1.15p3"
This is just a hunch: check whether the SSL certs in the ispconfig interface ssl folder are properly linked to the right LE SSL certs. Then check whether those LE SSL certs have been renewed and are still valid. Many services on a server that were secured following that tutorial might fail to work if the renewal of its main LE SSL certs failed.
Would be grateful for some further pointers - unsure which folders those certs are in, how to know whether they're linked properly, or how to check they've been renewed/are valid.
Contents of ispconfig interface ssl folder:
Code:
-rwxr-x--- 1 root root   45 Mar 28 21:04 empty.dir
lrwxrwxrwx 1 root root   53 Jan 18  2018 ispserver.crt -> /etc/letsencrypt/live/sub.domain.com/fullchain.pem
-rwxr-x--- 1 root root 1879 Jan 17  2018 ispserver.crt-180118112616.bak
-rwxr-x--- 1 root root 1651 Mar 28 21:04 ispserver.csr
-rwxr-x--- 1 root root 3243 Mar 28 21:04 ispserver.key
-rwxr-x--- 1 root root 3243 Jan 17  2018 ispserver.key-180118112616.bak
lrwxrwxrwx 1 root root   51 Jan 18  2018 ispserver.key.secure -> /etc/letsencrypt/live/sub.domain.com/privkey.pem
-rwxr-x--- 1 root root 7066 Jan 18  2018 ispserver.pem
Contents of LE domain folder:
Code:
lrwxrwxrwx 1 root root  42 May  8 03:00 cert.pem -> ../../archive/sub.domain.com/cert15.pem
lrwxrwxrwx 1 root root  43 May  8 03:00 chain.pem -> ../../archive/sub.domain.com/chain15.pem
lrwxrwxrwx 1 root root  47 May  8 03:00 fullchain.pem -> ../../archive/sub.domain.com/fullchain15.pem
lrwxrwxrwx 1 root root  45 May  8 03:00 privkey.pem -> ../../archive/sub.domain.com/privkey15.pem
-rw-r--r-- 1 root root 543 Jan 18  2018 README
From what I gather from your info, ispserver.key.secure should not be symlinked, instead ispserver.key should. So I think the best is for you to follow that tutorial again on the cli parts since your LE SSL certs seem to have been successfully renewed but ispserver.key is not symlinked and ispserver.pem has not been recreated.
Re-linking the LE certs in the interface ssl folder seems to have done the trick! Thanks so much for your help, it's really appreciated
Don't neglect the recreation of ispserver.pem too as other services might rely on its renewal and symlinks as well.
Code:
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
Running through the tutorial once again is the safest way to ensure everything is in good order.
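
The checks asked about in this thread (where the interface cert and key really point, whether they are the same pair, and whether the cert is still valid), as an added example that is not part of the original posts. Function names are hypothetical, the paths in the usage comment are the ones quoted in the thread, and the demo pair is constructed throwaway input.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names are hypothetical.
# Usage with the paths quoted in the thread:
#   ./check_pair.sh /usr/local/ispconfig/interface/ssl/ispserver.crt \
#                   /usr/local/ispconfig/interface/ssl/ispserver.key

# 0 = cert and key hold the same public key, 1 = mismatch, 2 = unreadable.
# For a fullchain.pem, openssl x509 reads the first (leaf) certificate.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -passin pass: -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate is still valid $2 seconds from now (default: right now).
cert_still_valid() {
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Print where each path really points, then the verdict; returns the match code.
report_pair() {
    printf 'cert %s -> %s\n' "$1" "$(readlink -f "$1")"
    printf 'key  %s -> %s\n' "$2" "$(readlink -f "$2")"
    rc=0
    cert_key_match "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: public keys match" ;;
        1) echo "MISMATCH: this pair triggers AH02565 at Apache start" ;;
        *) echo "ERROR: could not parse certificate or key" ;;
    esac
    if [ "$rc" -ne 2 ]; then
        openssl x509 -in "$1" -noout -enddate
        cert_still_valid "$1" || echo "EXPIRED: certificate is past its end date"
    fi
    return "$rc"
}

# Constructed sample input: a throwaway self-signed cert a.crt with its key
# a.key, plus an unrelated key b.key, written into directory $1.
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=sub.domain.com" \
        -keyout "$1/a.key" -out "$1/a.crt" >/dev/null 2>&1 &&
        openssl genrsa -out "$1/b.key" 2048 >/dev/null 2>&1
}

if [ "$#" -eq 2 ]; then
    report_pair "$1" "$2"
fi
```

In the listing posted above, ispserver.crt follows the renewed Let's Encrypt fullchain.pem while ispserver.key is a regular file dated Mar 28, which is the kind of pair this check reports as a mismatch.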