Server: Debian 10 Apache it's been built according to : https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ we're trying to issue a certificate for subdomain.mydomain.com so, we checked ssl and let's encrypt and saved but it doesn't create anything and we still see both are unchecked. we can open the site subdomain.mydomain.com normally though. we cannot find the subdomain in /etc/letsencrypt/renewal we ran the below cmd to check certbot installation and we got (Installed "non") apt-cache policy certbot | grep -i Installed Please advise. Thanks! Here is the log less /var/log/ispconfig/ispconfig.log Code: 28.10.2019-20:39 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'. 28.10.2019-20:39 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'. 28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client7/web18' - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client7/web18'|awk 'END{print $2,$NF}' - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -u 'web18' '0' '0' 0 0 -a &> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -T -u 'web18' 604800 604800 -a &> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0 28.10.2019-20:39 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: subdomain.mydomain.com 28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - Let's Encrypt Cert file: does not exist. 28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.mydomain.com.vhost 28.10.2019-20:39 - DEBUG - Processed datalog_id 1519 28.10.2019-20:39 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'. 28.10.2019-20:39 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'. 28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web19' - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web19' - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web19'|awk 'END{print $2,$NF}' - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -u 'web19' '0' '0' 0 0 -a &> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: setquota -T -u 'web19' 604800 604800 -a &> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web19' - return code: 0 28.10.2019-20:39 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: subdomain.mydomain.com 28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - Let's Encrypt Cert file: does not exist. 28.10.2019-20:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0 28.10.2019-20:39 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.mydomain.com.vhost 28.10.2019-20:39 - DEBUG - Processed datalog_id 1520 28.10.2019-20:39 - DEBUG - Calling function 'restartHttpd' from module 'web_module'. 28.10.2019-20:39 - DEBUG - Restarting httpd: systemctl reload apache2.service 28.10.2019-20:39 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock 28.10.2019-20:40 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'. 28.10.2019-20:40 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock 28.10.2019-20:41 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'. 28.10.2019-20:41 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
You have the migration mode enabled which disables the creation of LE certs. Disable migration mode under System > server config.
Thanks Till, it seems we are progressing but still cannot get LE to work. here is the debug after disabling the migration mode. Code: 29.10.2019-06:44 - DEBUG - Found 1 changes, starting update process. 29.10.2019-06:44 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'. 29.10.2019-06:44 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'. 29.10.2019-06:44 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client7/web18' - return code: 0 29.10.2019-06:44 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0 29.10.2019-06:44 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client7/web18'|awk 'END{print $2,$NF}' - return code: 0 29.10.2019-06:44 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0 29.10.2019-06:44 - DEBUG - safe_exec cmd: setquota -u 'web18' '0' '0' 0 0 -a &> /dev/null - return code: 0 29.10.2019-06:44 - DEBUG - safe_exec cmd: setquota -T -u 'web18' 604800 604800 -a &> /dev/null - return code: 0 29.10.2019-06:44 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client7/web18' - return code: 0 29.10.2019-06:44 - DEBUG - Create Let's Encrypt SSL Cert for: subdomain.domain.com 29.10.2019-06:44 - DEBUG - Let's Encrypt SSL Cert domains: --domains subdomain.domain.com --domains www.subdomain.domain.com 29.10.2019-06:44 - DEBUG - LE version is 0.39.0, so using certificates command 29.10.2019-06:44 - DEBUG - exec: /opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letse ncrypt.org/directory --rsa-key-size 4096 --email [email protected] --webroot-map '{"subdomain.domain.com":"\/usr\/local\/ispconfig\/interface\/acme","www.subdomain .domain.com":"\/usr\/local\/ispconfig\/interface\/acme"}' 29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: Found the following matching certs: 29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 29.10.2019-06:44 - DEBUG - LE CERT OUTPUT: 29.10.2019-06:44 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0 29.10.2019-06:44 - WARNING - Let's Encrypt SSL Cert for: subdomain.domain.com could not be issued. 29.10.2019-06:44 - WARNING - /opt/eff.org/certbot/venv/bin/certbot certificates --domains subdomain.domain.com --domains www.subdomain.domain.com 29.10.2019-06:44 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0 29.10.2019-06:44 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/subdomain.domain.com.vhost 29.10.2019-06:44 - DEBUG - Processed datalog_id 1674 29.10.2019-06:44 - DEBUG - Calling function 'restartHttpd' from module 'web_module'. 29.10.2019-06:44 - DEBUG - Restarting httpd: systemctl reload apache2.service 29.10.2019-06:44 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock Code: less /etc/letsencrypt/renewal/subdomain.domain.com.conf ... [[webroot_map]] subdomain.domain.com = /usr/local/ispconfig/interface/acme Thanks in advance
Do you really want to use a domain www.subdomain.domain.com? I guess you want to use subdomain.domain.com? If yes, then disable auto subdomain www in the website settings.
Agreed, we do not need the www. After disabling it still cannot generate the certificate. Code: 29.10.2019-09:53 - WARNING - Let's Encrypt SSL Cert for: subdomain.domain.com could not be issued. 29.10.2019-09:53 - WARNING - /opt/eff.org/certbot/venv/bin/certbot certificates --domains subdomain.domain.com 29.10.2019-09:53 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
Code: 2019-10-29 10:04:05,827:DEBUG:certbot.main:certbot version: 0.39.0 2019-10-29 10:04:05,828:DEBUG:certbot.main:Arguments: ['--domains', 'subdomain.domain.com'] 2019-10-29 10:04:05,828:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2019-10-29 10:04:05,852:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages. 2019-10-29 10:04:05,852:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '1', 'OLDPWD': '/root', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'HOME': '/root', '_': '/opt/eff.org/certbot/venv/bin/certbot'} 2019-10-29 10:04:05,888:DEBUG:certbot.log:Root logging level set at 20 2019-10-29 10:04:05,889:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
Is there a way to run the update for ISPCONFIG3 although it is up to date? I am thinking maybe the migration tool broke something.
You can do that, select git-stable as update source. But I don't think that this will change anything as the Migration tool does not alter the setup, so there is nothing broken by the tool. Check the letsencrypt.log again, there should be more inside than what you posted. What you might check though is if letsencrypt has more than one account now in /etc/letsencrypt accounts, if that#s the case then it would get mentioned in the log, that#s why I asked you to seaxh for errors in the log, but you can also check it manually. There should be just one account.
Thank you, I did git-stable update but nothing changed. i checked again but let's encrypt.log has only the below. Code: root@srv2:/var/log/letsencrypt# less letsencrypt.log 2019-10-29 14:24:04,880:DEBUG:certbot.main:certbot version: 0.39.0 2019-10-29 14:24:04,881:DEBUG:certbot.main:Arguments: ['--domains', 'subdomain.mydomain.com'] 2019-10-29 14:24:04,881:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2019-10-29 14:24:04,901:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. The letsencrypt client has also been renamed to Certbot. We recommend upgrading to the latest certbot-auto script, or using native OS packages. 2019-10-29 14:24:04,902:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/eff.org/certbot/venv/bin/certbot / {'LANG': 'en_US.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '1', 'OLDPWD': '/root', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', 'HOME': '/root', '_': '/opt/eff.org/certbot/venv/bin/certbot'} 2019-10-29 14:24:04,927:DEBUG:certbot.log:Root logging level set at 20 2019-10-29 14:24:04,928:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log (END) Also, I found two accounts inside /etc/letsencrypt accounts like below. however the second folder "acme-v02" has only a link to the first one. i tried to keep the first account only by moving the second to /tmp but it didn't help. Code: root@srv2:/etc/letsencrypt/accounts# ls -l total 8 drwx------ 3 root root 4096 Oct 29 14:11 acme-v01.api.letsencrypt.org drwx------ 2 root root 4096 Oct 29 14:07 acme-v02.api.letsencrypt.org root@srv2:/etc/letsencrypt/accounts# Also, i have to confess that before we disable the migration mode, i tried to reinstall certbot again and i don't know if that caused any issues!
The account should be ok, it's just one. Please check in /etc/letsencrypt folders if there is a certificate already for this subdomain.
Thanks for the quick reply, no I could not find anything for this subdomain in live, renew or archive. running the below while in /etc/letsencrypt Code: grep -R subdomain.domain.com got nothing
Have you tried disabling the "LE check" in the server settings? The LE checks tries to access the domain but if the local access is handled different than the remote access done by LE it might be that a domain is excluded although it could be verified.
I just see that LE is called so this is not the cause. Have you updated certbot to the latest version already? I had difficulties with a earlier version although it was only a few weeks old.
And the subdomain exist in DNS i guess ? Also reinstall certbot, helped me once: https://community.letsencrypt.org/t...-cannot-import-name-remove-dead-weakref/58148
I have tried to test the site under. https://letsdebug.net/ The results came green. and says OK. It looks like we are coming to the conclusion that we may need to uninstall certbot and install it again. I do not want to miss up this setup more than what we have, so I need help on 1- what is the proper way to remove certbot and install the latest? 2- Any thoughts of python-certbot-apache ? Do we need to install it? In certbot website, they said it is highly recommended which means you may run without it. So I am not sure if we have it or not?
I have not uninstalled it yet on a system, so not 100% sure. Did you install it as package from the Linux distribution or did you download it from certbot website and instaleld it by using certbot-auto? That's not needed. Its the part which automatically modifies apache config files and that's exactly what should not happen as certbot duplicates existing config which then causes issues, so you don't need that package. It does not hurt when you installed it though unless you would actually use it.
So, read the link i sent, worked for me: >First, I’d try running sudo rm -rf /opt/eff.org and running letsencrypt-auto again. After that, follow howto guide for install again: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ 11 Install Let's Encrypt ISPConfig 3.1 has support for the free SSL Certificate authority Let's encrypt. The Let's Encrypt function allows you to create free SSL certificates for your website from within ISPConfig. Now we will add support for Let's encrypt. cd /usr/local/bin wget https://dl.eff.org/certbot-auto chmod a+x certbot-auto ./certbot-auto --install-only There are no further steps required than installing LE. The website SSL certificates are created by ISPConfig when you add the web sites. After that, try as root: certbot-auto renew
Ok, in that case I would try this: 1) Rename or remove and backup /etc/letsencrypt folder 2) Rename or remove /usr/local/bin/certbot-auto 3) Remove and backup or rename /opt/eff.org folder. 4) Reinstall by using the procedure from the tutorial.
