Hi everyone ! I know, I'm not the first to have problems with the certificates, but by trying to solve my problems, I think I've complicated them.

I'm running a server on Ubuntu 20.04 with Apache & installed multiple php versions (had problems but solved issue here, thanks again to the team) and server worked fine EXCEPT that navigators were complaining that websites were not secure. (This server was installed about 2 weeks ago following the perfect server guide. https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ )

Accessing ISPConfig admin interface was the ONLY secure connection I got from my server. This presented a problem, notably for a company's Nextcloud connection and globally isn't correct, so needed fixing.

I looked around and tried to fix this issue following this post : https://www.howtoforge.com/communit...ot-available-after-upgrade.75540/#post-355688. The idea was to erase all keys and enabled sites, do an update of ISPConfig, and let the update recreate everything cleanly.

I moved the info in /etc/apache/sites-enabled to a backup directory just in case, and did the same with /etc/letsencrypt.

Without surprise, Apache2 refused to restart, and I applied the update for ISPConfig. Here is update's output...

Code:
Reconfigure Services? (yes,no,selected) [yes]: yes
Configuring Postfix
Configuring Dovecot
Configuring Mailman
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Jailkit
Configuring Ubuntu Firewall
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for ns310142.ip-188-165-201.eu
Using certificate path /etc/letsencrypt/live/ns310142.ip-188-165-201.eu
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ns310142.ip-188-165-201.eu
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Challenge failed for domain ns310142.ip-188-165-201.eu
http-01 challenge for ns310142.ip-188-165-201.eu
Cleaning up challenges
Some challenges have failed.
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key
.............../ Generates Key, reconfigured Crontab, Restarted services and Update finished.

Certbot failed...
So I go look at the log (excerpt for the beginning of file) :

Code:
2021-12-17 10:16:10,674:DEBUG:certbot.main:certbot version: 0.40.0
2021-12-17 10:16:10,674:DEBUG:certbot.main:Arguments: ['--agree-tos', '--non-interactive', '--expand', '--rsa-key-si>
2021-12-17 10:16:10,674:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPo>
2021-12-17 10:16:10,691:DEBUG:certbot.log:Root logging level set at 20
2021-12-17 10:16:10,692:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2021-12-17 10:16:10,692:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2021-12-17 10:16:10,693:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fbf431a2940>
Prep: True
2021-12-17 10:16:10,693:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticato>
2021-12-17 10:16:10,693:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
2021-12-17 10:16:10,967:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
2021-12-17 10:16:10,969:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org>
2021-12-17 10:16:11,396:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1>
2021-12-17 10:16:11,397:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 17 Dec 2021 10:16:11 GMT
Content-Type: application/json
Content-Length: 658
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800

{
  "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
  "mSYCQ6HAddc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
  "meta": {
    "caaIdentities": [
      "letsencrypt.org"
    ],
    "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
    "website": "https://letsencrypt.org"
  },
  "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
  "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
  "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
  "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
}
2021-12-17 10:16:11,397:DEBUG:acme.client:Requesting fresh nonce
2021-12-17 10:16:11,397:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonc>
2021-12-17 10:16:11,533:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce >
2021-12-17 10:16:11,534:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Date: Fri, 17 Dec 2021 10:16:11 GMT
Connection: keep-alive
Cache-Control: public, max-age=0, no-cache
Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
Replay-Nonce: 0002VbCVsbWFK7-E3iUAQz2HQk9YDyIL61JpO-tfo-Gv9Z8
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
---/ and so on...

What bothers me here is that it says " Server: nginx " - I'm running Apache... (is this normal or just a quirk in the script?)
In any case, the certificates aren't generated correctly and now, no secure connection on anything... Chrome allows me to login to ISPConfig ignoring the security (Firefox won't). Going to hosted websites sends me to Apache2 Ubuntu Default Page (I suppose the site-enabled links are down? I do have a backup of them, maybe just restore ?)

Seems like I've screwed things up more than fixed them. Any ideas as to why the challenge failed for my server name and certbot failed ? Have I installed a wrong package somewhere making my install think it's on nginx when I added the multiple PHP versions? It's the only thing I did that isn't in the perfect server guide....

I don't want to goof things up more and could use a little guidance. Not yet in 'panic mode' here, but starting to feel the heat, yet uncomfortable bugging you guys with yet another certificate problem.

Thanks for any help.
Enzo
I restored the site-enabled links, and now websites are showing, but still navigators are complaining that the connection is not secure. And now, the ISPConfig admin panel is also not secure. I've tried unchecking the LetsEncrypt box & SSL box, saving, and then rechecking the boxes, saving and then checked back on the website settings to be sure the box stayed checked (it does) and this, if I understood, should regenerate a new key. Yet, when I go to website, I still get message that site isn't secure. (I've cleared cache & cookies in both navigators to be sure...) I wonder if it wouldn't be best to manually erase all the certificates and do an ISPConfig update to have all regenerated ? What's the best way to do this ? Should I remove /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key beforehand so that the ISPConfig interface will be secure after update or will the update overwrite it ? Should I delete other things before trying to update ISPConfig ? (i.e. clear out the /etc/letsencrypt/ and /etc/apache2/sites-enabled/ directory and restart apache like I did first time around)
My understanding is ISPConfig update does not regenerate website certificates. It only makes certificate for ISPConfig panel if so chosen. Start with this: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
Thank you Taleman. Reading replies to older posts is getting me confused. Should I send a debug report for this ? I'll already just do an update without removing anything and see if the ISPConfig panel will get a secure connection. Thanks again
I did ispconfig_update.sh --force when asked to regenerate certificate, here's the output :

Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for ns310142.ip-188-165-201.eu
Using certificate path /etc/letsencrypt/live/ns310142.ip-188-165-201.eu
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ns310142.ip-188-165-201.eu
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Cleaning up challenges
PHP Warning: symlink(): File exists in /tmp/update_runner.sh.jAW8QftkpT/install/lib/installer_base.lib.php on line 3135
PHP Warning: symlink(): File exists in /tmp/update_runner.sh.jAW8QftkpT/install/lib/installer_base.lib.php on line 3136
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
Reconfigure Crontab? (yes,no) [yes]:

Seems the certificate was generated, but some complaints about the php and symlinks already existing... I checked, my ISPConfig control panel is still not secure.
This is the report of the test script :

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 20.04.3 LTS

[INFO] uptime: 14:28:50 up 4 days, 15:22, 1 user, load average: 0.28, 0.48, 0.46

[INFO] memory:
              total        used        free      shared  buff/cache   available
Mem:           31Gi       2.1Gi        20Gi        95Mi       9.2Gi        28Gi
Swap:         2.0Gi          0B       2.0Gi

[INFO] systemd failed services status:
  UNIT                      LOAD   ACTIVE SUB    DESCRIPTION
● snap.lxd.activate.service loaded failed failed Service for snap application lxd.activate

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.

1 loaded units listed.

[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.7p1

##### VERSION CHECK #####
[INFO] php (cli) version is 7.4.26
[INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.26

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
    Apache 2 (PID 1130573)
[INFO] I found the following mail server(s):
    Postfix (PID 1130495)
[INFO] I found the following pop3 server(s):
    Dovecot (PID 1130547)
[INFO] I found the following imap server(s):
    Dovecot (PID 1130547)
[INFO] I found the following ftp server(s):
    PureFTP (PID 1130615)

##### LISTENING PORTS #####
(only () Local (Address)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
***.***.***.***:53 (1130622/named)
[localhost]:53 (1130622/named)
[anywhere]:21 (1130615/pure-ftpd)
***.***.***.***:53 (746/systemd-resolve)
[anywhere]:22 (1019/sshd:)
[localhost]:953 (1130622/named)
[anywhere]:25 (1130495/master)
[anywhere]:993 (1130547/dovecot)
[anywhere]:995 (1130547/dovecot)
[localhost]:10023 (1380/postgrey)
[localhost]:10024 (1130529/amavisd-new)
[localhost]:10025 (1130495/master)
[localhost]:10026 (1130529/amavisd-new)
[localhost]:10027 (1130495/master)
[anywhere]:587 (1130495/master)
[localhost]:11211 (821/memcached)
[anywhere]:110 (1130547/dovecot)
[anywhere]:143 (1130547/dovecot)
[anywhere]:465 (1130495/master)
*:*:*:*::**:*:*:*::*53 (1130622/named)
*:*:*:*::*:53 (1130622/named)
*:*:*:*::*:21 (1130615/pure-ftpd)
*:*:*:*::*:22 (1019/sshd:)
*:*:*:*::*:25 (1130495/master)
*:*:*:*::*:953 (1130622/named)
*:*:*:*::*:443 (1130573/apache2)
*:*:*:*::*:993 (1130547/dovecot)
*:*:*:*::*:995 (1130547/dovecot)
*:*:*:*::*:10024 (1130529/amavisd-new)
*:*:*:*::*:10026 (1130529/amavisd-new)
*:*:*:*::*:3306 (1129698/mysqld)
*:*:*:*::*:587 (1130495/master)
[localhost]10 (1130547/dovecot)
[localhost]43 (1130547/dovecot)
*:*:*:*::*:8080 (1130573/apache2)
*:*:*:*::*:80 (1130573/apache2)
*:*:*:*::*:8081 (1130573/apache2)
*:*:*:*::*:465 (1130495/master)

##### IPTABLES #####
Chain INPUT (policy ACCEPT)
target         prot opt source           destination
f2b-postfix    tcp  --  [anywhere]/0     [anywhere]/0   multiport dports 25
f2b-pure-ftpd  tcp  --  [anywhere]/0     [anywhere]/0   multiport dports 21
f2b-sshd       tcp  --  [anywhere]/0     [anywhere]/0   multiport dports 22

Chain FORWARD (policy ACCEPT)
target         prot opt source           destination

Chain OUTPUT (policy ACCEPT)
target         prot opt source           destination

Chain f2b-postfix (1 references)
target         prot opt source           destination
RETURN         all  --  [anywhere]/0     [anywhere]/0

Chain f2b-pure-ftpd (1 references)
target         prot opt source           destination
RETURN         all  --  [anywhere]/0     [anywhere]/0

Chain f2b-sshd (1 references)
target         prot opt source           destination
REJECT         all  --  ***.***.***.***  [anywhere]/0   reject-with icmp-port-unreachable
REJECT         all  --  ***.***.***.***  [anywhere]/0   reject-with icmp-port-unreachable
REJECT         all  --  ***.***.***.***  [anywhere]/0   reject-with icmp-port-unreachable
REJECT         all  --  ***.***.***.***  [anywhere]/0   reject-with icmp-port-unreachable
REJECT         all  --  ***.***.***.***  [anywhere]/0   reject-with icmp-port-unreachable
RETURN         all  --  [anywhere]/0     [anywhere]/0

##### LET'S ENCRYPT #####
Certbot is installed in /usr/bin/letsencrypt

Lots of listening ports...
Thank you Till for jumping in... Result for ls -la /usr/local/ispconfig/interface/ssl/

Code:
total 52
drwxr-x--- 2 root      root      4096 Dec 17 14:20 .
drwxr-x--- 9 ispconfig ispconfig 4096 Nov 30 08:43 ..
-rwxr-x--- 1 root      root        45 Dec 17 14:20 empty.dir
-rwxr-x--- 1 root      root      2179 Dec 17 10:18 ispserver.crt
lrwxrwxrwx 1 root      root        62 Nov 30 08:41 ispserver.crt-20211217093756.bak -> /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/fullchain.pem
-rwxr-x--- 1 root      root      2179 Dec 17 14:20 ispserver.crt-20211217142003.bak
-rwxr-x--- 1 root      root      3272 Dec 17 10:16 ispserver.key
lrwxrwxrwx 1 root      root        60 Nov 30 08:41 ispserver.key-20211217093756.bak -> /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/privkey.pem
-rwxr-x--- 1 root      root      3272 Dec 17 14:20 ispserver.key-20211217142003.bak
-rwxr-x--- 1 root      root      5451 Dec 17 14:20 ispserver.pem
-rwxr-x--- 1 root      root      5451 Dec 17 14:20 ispserver.pem-20211217142003.bak
https://ns310142.ip-188-165-201.eu:8080/index.php This is the Ispconfig interface page... shows up non secured...
That is what the acme client received, ie. letsencrypt's verification servers are running nginx. What do you get from

Code:
ls -l /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/
ls -l /etc/letsencrypt/archive/ns310142.ip-188-165-201.eu/
Hi Jesse, and thanks for helping! I get the following

Code:
root@ns310142:/tmp/ispconfig3_install/install# ls -l /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/
total 4
-rw-r--r-- 1 root root 692 Dec 17 14:20 README
lrwxrwxrwx 1 root root  50 Dec 17 14:20 cert.pem -> ../../archive/ns310142.ip-188-165-201.eu/cert1.pem
lrwxrwxrwx 1 root root  51 Dec 17 14:20 chain.pem -> ../../archive/ns310142.ip-188-165-201.eu/chain1.pem
lrwxrwxrwx 1 root root  55 Dec 17 14:20 fullchain.pem -> ../../archive/ns310142.ip-188-165-201.eu/fullchain1.pem
lrwxrwxrwx 1 root root  53 Dec 17 14:20 privkey.pem -> ../../archive/ns310142.ip-188-165-201.eu/privkey1.pem
root@ns310142:/tmp/ispconfig3_install/install# ls -l /etc/letsencrypt/archive/ns310142.ip-188-165-201.eu/
total 20
-rw-r--r-- 1 root root 2220 Dec 17 14:20 cert1.pem
-rw-r--r-- 1 root root 3750 Dec 17 14:20 chain1.pem
-rw-r--r-- 1 root root 5970 Dec 17 14:20 fullchain1.pem
-rw------- 1 root root 3272 Dec 17 14:20 privkey1.pem
root@ns310142:/tmp/ispconfig3_install/install#

Is it normal that the live is pointing to the archive ?
Yes. Run

Code:
/usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh

and test the control panel again.
I did.... however, https://ns310142.ip-188-165-201.eu:8080/index.php (ISPConfig admin) is still showing up insecure... I've tried with Chrome, Firefox and Edge, all showing up insecure... just in case, could you test that URL ? I don't understand why it's not secure... unless it's on my side ?
There is a self-signed certificate on port 8080:

Code:
$ openssl s_client -connect ns310142.ip-188-165-201.eu:8080 -servername ns310142.ip-188-165-201.eu -showcerts
CONNECTED(00000003)
depth=0 C = FR, ST = AQUITAINE, L = PERIGUEUX, O = PERSONAL, OU = IT, CN = ns310142.ip-188-165-201.eu, emailAddress = [email protected]
verify error:num=18:self signed certificate
verify return:1
depth=0 C = FR, ST = AQUITAINE, L = PERIGUEUX, O = PERSONAL, OU = IT, CN = ns310142.ip-188-165-201.eu, emailAddress = [email protected]
verify return:1
---

You might try restarting apache manually; the renewal script should have done that, but just to be sure. Post 'ls -la /usr/local/ispconfig/interface/ssl/' again, and also what do you get from 'openssl x509 -noout -text < /etc/letsencrypt/live/$(hostname -f)/fullchain.pem'
Restarted Apache, no change... here's the output of the 2 commands :

Code:
root@ns310142:/# ls -la /usr/local/ispconfig/interface/ssl/
total 36
drwxr-x--- 2 root      root      4096 Dec 17 16:04 .
drwxr-x--- 9 ispconfig ispconfig 4096 Nov 30 08:43 ..
-rwxr-x--- 1 root      root        45 Dec 17 14:20 empty.dir
-rwxr-x--- 1 root      root      2179 Dec 17 10:18 ispserver.crt
-rwxr-x--- 1 root      root      3272 Dec 17 10:16 ispserver.key
-rw------- 1 root      root      5451 Dec 17 16:04 ispserver.pem
-rwxr-x--- 1 root      root      5451 Dec 17 14:20 ispserver.pem-211217160457.bak
root@ns310142:/# openssl x509 -noout -text < /etc/letsencrypt/live/$(hostname -f)/fullchain.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            04:5c:cb:7c:2b:7e:f0:39:25:55:b7:e7:29:a1:25:c1:17:1b
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = US, O = Let's Encrypt, CN = R3
        Validity
            Not Before: Dec 17 13:20:08 2021 GMT
            Not After : Mar 17 13:20:07 2022 GMT
        Subject: CN = ns310142.ip-188-165-201.eu
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                CF:E6:69:A1:E6:86:0B:8B:ED:62:E8:55:03:ED:58:14:C7:65:BA:96
            X509v3 Authority Key Identifier:
                keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
            Authority Information Access:
                OCSP - URI:http://r3.o.lencr.org
                CA Issuers - URI:http://r3.i.lencr.org/
            X509v3 Subject Alternative Name:
                DNS:ns310142.ip-188-165-201.eu
            X509v3 Certificate Policies:
                Policy: 2.23.140.1.2.1
                Policy: 1.3.6.1.4.1.44947.1.1.1
                  CPS: http://cps.letsencrypt.org
            CT Precertificate SCTs:
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                    Timestamp : Dec 17 14:20:08.848 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:46:02:21:00:D4:47:47:31:4B:74:21:5E:CF:45:7C:
                                4D:76:3E:3B:CF:D9:B9:A3:42:00:88:B6:53:29:BA:DF:
                                8F:AC:2E:4A:5A:02:21:00:E3:EB:56:D2:25:AB:DF:DA:
                                9B:C6:CA:ED:AD:E8:82:51:28:56:3E:D8:70:2A:97:F9:
                                D9:DE:16:66:EF:39:39:8F
                Signed Certificate Timestamp:
                    Version   : v1 (0x0)
                    Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                    Timestamp : Dec 17 14:20:09.035 2021 GMT
                    Extensions: none
                    Signature : ecdsa-with-SHA256
                                30:45:02:20:63:28:76:DA:DE:0D:58:C4:7C:F9:42:08:
                                6A:06:0F:4E:C3:45:63:70:7D:54:81:1B:9C:F0:A1:B5:
                                BB:68:DB:EF:02:21:00:BD:51:1C:85:D2:34:56:6D:00:
                                C1:21:6A:3D:09:2F:F5:5F:E4:8F:97:2B:41:0C:4D:90:
                                F7:C3:85:B5:1E:1C:06
    Signature Algorithm: sha256WithRSAEncryption
root@ns310142:/#
hmmm... maybe this has to do with when I filled in the FQDN field of the certificate generator when I updated ISPConfig... I put in the name ns310142.ip-188-165-201.eu. I had checked /etc/hosts that that name pointed to 127.0.0.1, and it does... so that should be ok... I just tried checking with an SSL validator site, ns310142.ip-188-165-201.eu doesn't reply if not on port 8080. Could this be related ? I'm really at a loss...
Ah, I thought the renew hook took care of all the cert files, but it doesn't; run:

Code:
rm /usr/local/ispconfig/interface/ssl/ispserver.{crt,key}
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
/usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh
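
The state that the last reply repairs can be checked mechanically. The script below is an added example, not part of the original thread or of ISPConfig: it reports whether ispserver.crt and ispserver.key are symlinks that resolve to the Let's Encrypt live files, rather than regular files left behind by the self-signed fallback. The function names, the temporary fixture tree and the name host.example are assumptions made for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Everything under the temp dir is constructed.

# link_status FILE EXPECTED -> prints ok | missing | regular-file | wrong-target
link_status() {
    local file=$1 expected=$2
    if [ ! -e "$file" ] && [ ! -L "$file" ]; then echo missing; return 0; fi
    if [ ! -L "$file" ]; then echo regular-file; return 0; fi
    # live/*.pem are themselves symlinks into archive/, so resolve both sides fully.
    if [ -e "$expected" ] && [ "$(readlink -f "$file")" = "$(readlink -f "$expected")" ]; then
        echo ok
    else
        echo wrong-target
    fi
}

# check_panel_certs SSL_DIR LIVE_DIR -> returns 0 only when both links are in place
check_panel_certs() {
    local ssl_dir=$1 live_dir=$2 rc=0 status
    status=$(link_status "$ssl_dir/ispserver.crt" "$live_dir/fullchain.pem")
    echo "ispserver.crt: $status"; [ "$status" = ok ] || rc=1
    status=$(link_status "$ssl_dir/ispserver.key" "$live_dir/privkey.pem")
    echo "ispserver.key: $status"; [ "$status" = ok ] || rc=1
    return "$rc"
}

# is_self_signed PEM -> 0 when issuer equals subject (heuristic; needs openssl, 2 on error)
is_self_signed() {
    local subj iss
    subj=$(openssl x509 -noout -subject -in "$1" 2>/dev/null) || return 2
    iss=$(openssl x509 -noout -issuer -in "$1" 2>/dev/null) || return 2
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# make_fixture ROOT: constructed tree mirroring the layout in the thread's listings
make_fixture() {
    local live=$1/live/host.example arch=$1/archive/host.example ssl=$1/ssl
    mkdir -p "$live" "$arch" "$ssl"
    echo "constructed cert" > "$arch/fullchain1.pem"
    echo "constructed key" > "$arch/privkey1.pem"
    ln -s ../../archive/host.example/fullchain1.pem "$live/fullchain.pem"
    ln -s ../../archive/host.example/privkey1.pem "$live/privkey.pem"
    # As in the thread: regular files, not links, sit where the panel reads its cert.
    echo "stale self-signed cert" > "$ssl/ispserver.crt"
    echo "stale key" > "$ssl/ispserver.key"
}

# apply_fix SSL_DIR LIVE_DIR: the rm + ln -s steps from the final reply
apply_fix() {
    rm -f "$1/ispserver.crt" "$1/ispserver.key"
    ln -s "$2/fullchain.pem" "$1/ispserver.crt"
    ln -s "$2/privkey.pem" "$1/ispserver.key"
}

demo() {
    local root rc=0
    root=$(mktemp -d)
    make_fixture "$root"
    echo "before:"; check_panel_certs "$root/ssl" "$root/live/host.example" || true
    apply_fix "$root/ssl" "$root/live/host.example"
    echo "after:"; check_panel_certs "$root/ssl" "$root/live/host.example" || rc=$?
    rm -rf "$root"
    return "$rc"
}
demo
```

On a real server the same check is check_panel_certs /usr/local/ispconfig/interface/ssl /etc/letsencrypt/live/$(hostname -f), and is_self_signed can be pointed at ispserver.crt to confirm what openssl s_client reported on port 8080.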