Hi, I have an ISPConfig installation running on Ubuntu 18.04. I installed it following the perfect server guide about a year ago. I have LetsEncrypt enabled for a bunch of domains and subdomains, they all work fine. My ISPConfig is installed on server.X.com but when I am connecting with FileZilla it gives an error saying certificate is expired. Troubleshooting I tried: When I go to that subdomain on the browser it says the certificate is valid, I tried "sudo certbot renew" and it said no renewals attempted because none of the certificates are due for one. In the list I can see server.X.com and its expiration date which is in the future. Can anyone tell me what I am missing here? Is there something I need to do to make sure ftp service recognizes the current valid certificate? Thank you.
If the browser shows you the certificate is valid, it shows the certificate the web server is using. Probably your FTP server is using another certificate? The tutorial by @ahrasis explains how to get FTP to use the same certificate as other services. https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
The LetsEncrypt setting in ISPC only installs the certificates for the web service. For all other services (like mail, ftp, ..) you have to do that by hand (some of the services do not support SNI, so only a single certificate is used and the service needs to know which of the many it should use). Basically: Activate letsencrypt for your main domain. Then link the certificates of the other services to that cert. See https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

For pureftpd:

Code:
cd /etc/ssl/private/
# keep a timestamped backup of the current certificate file
mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
# point pure-ftpd at the ISPConfig certificate
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
# chmod follows the symlink, so this sets the mode on ispserver.pem
chmod 600 pure-ftpd.pem
service pure-ftpd-mysql restart

Depending on your setup, you could also link directly to /etc/letsencrypt/live/domain/fullchain.pem ...

[edit] Should refresh the page before answering ;-) @Taleman was faster
I don't know why, but /usr/local/ispconfig/interface/ssl/ispserver.pem is not automatically renewed on my server. I now realized that I set up a symlink to that when I first installed the server but, because it is not renewed, it started giving this error after it expired. /etc/letsencrypt/live/domain/fullchain.pem is the renewed certificate but I could not link to that either, somehow FTP requests are denied when I do that. The quick and dirty fix I did for now is to copy the contents of /etc/letsencrypt/live/domain/fullchain.pem and /etc/letsencrypt/archive/server.cansin.net/privkey5.pem into /usr/local/ispconfig/interface/ssl/ispserver.pem and link to that as you and the guide suggested. This works for now, FileZilla recognizes the renewed certificate; but I will have the same issue in a couple of months because the certificate in my /usr/local/ispconfig/interface/ssl/ispserver.pem is not updated when the certificate is renewed. Do you have any idea why my /usr/local/ispconfig/interface/ssl/ispserver.pem is not updated automatically?
Certbot only updates the files in /etc/letsencrypt. You have to do that by yourself. You can:

- Use a cronjob to create the ispserver.pem file regularly (does no harm if the file contents are the same).
- Use a symlink to /etc/letsencrypt/... I don't know why this didn't work for you. Maybe the software does not like several symlinks. You could directly link to the /etc/letsencrypt/live file.
- In the linked article is a solution via incron (Chapter: "Create Auto Renewal Script For Your ISPConfig Pem File (ispserver.pem)").
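A sketch of the cronjob option from the reply above, added here as an example; it is not code from the thread or from the linked tutorial. The script name `rebuild-pem.sh` and the function name `build_combined_pem` are hypothetical, `<domain>` is a placeholder, and the file paths and service name are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example, not from the thread or the linked tutorial.
# Rebuilds the combined key+chain PEM that pure-ftpd reads (via the
# pure-ftpd.pem symlink) from certbot's live directory.
#
# Cron usage (script name is hypothetical, <domain> is a placeholder):
#   rebuild-pem.sh /etc/letsencrypt/live/<domain> \
#                  /usr/local/ispconfig/interface/ssl/ispserver.pem

# build_combined_pem LIVE_DIR OUT_FILE
# Returns 0 if OUT_FILE was (re)written, 1 if already current, 2 on error.
build_combined_pem() {
    live_dir=$1
    out=$2
    chain="$live_dir/fullchain.pem"
    key="$live_dir/privkey.pem"

    if [ ! -r "$chain" ] || [ ! -r "$key" ]; then
        echo "cannot read $chain or $key" >&2
        return 2
    fi

    # mktemp creates the file with mode 0600, so the private key is never
    # world-readable; it sits next to OUT_FILE so mv is an atomic rename.
    tmp=$(mktemp "$out.XXXXXX") || return 2
    if ! cat "$key" "$chain" > "$tmp"; then
        rm -f "$tmp"
        return 2
    fi

    # Nothing changed since the last run: leave the file and service alone.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 600 "$tmp"
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
    return 0
}

# Only act when called with both paths, e.g. from cron.
if [ "$#" -eq 2 ]; then
    # Restart only after a real change so the FTP service loads the new cert.
    if build_combined_pem "$1" "$2"; then
        service pure-ftpd-mysql restart
    fi
fi
```

Because it reads through `/etc/letsencrypt/live/`, it always picks up the current key rather than a numbered file under `archive/`.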
Thank you for your help. I will create a cronjob as you said. I must have missed that last part about the Auto Renewal Script the first time I installed it.