Hello,

    # certbot --version
    certbot 0.28.0

    # certbot certonly -d herramientasdecorte.com.ar
    Saving debug log to /var/log/letsencrypt/letsencrypt.log

    How would you like to authenticate with the ACME CA?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Spin up a temporary webserver (standalone)
    2: Place files in webroot directory (webroot)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for herramientasdecorte.com.ar
    Input the webroot for herramientasdecorte.com.ar: (Enter 'c' to cancel): /var/www/
    Waiting for verification...
    Cleaning up challenges

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/herramientasdecorte.com.ar-0001/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/herramientasdecorte.com.ar-0001/privkey.pem
      Your cert will expire on 2020-10-31. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot again.
      To non-interactively renew *all* of your certificates, run "certbot renew"
    - If you like Certbot, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le

Looks fine ... but

And, after that

https://www.ssllabs.com/ssltest/analyze.html?d=mail.herramientasdecorte.com.ar

    SSL Report: mail.herramientasdecorte.com.ar
    Certificate name mismatch

What's maybe wrong ??? Configuration Server or ISPConfig Configuration ??

If I use mail.herramientasdecorte.com.ar in the E-Mail accounts as the pop3 server name or smtp server name, all sendings say Could Not Connect to SMTP over 587 or 465 port because of the certificate mismatch.

Thanks for All

Nestor Mazza

I'll appreciate your cooperation
The SSL Labs test you ran is for a web server running on that system, and not the mail system. Please see here for the steps to configure SSL for all services incl. mail system on an ISPConfig server:

https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

One more note, your certbot version is ancient and will probably not fully work anymore, get a current version from certbot.org
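The mismatch discussed above can be reproduced offline. The following is an added example, not part of either post: it builds a throwaway self-signed certificate carrying the two web names and asks OpenSSL whether it is valid for the mail hostname. The function names and the sample certificate are assumptions made for the illustration; it needs the openssl CLI, 1.1.1 or newer.

```shell
#!/bin/sh
# Added example (not from the thread). Requires the openssl CLI, 1.1.1 or newer.

# names_in_cert PEM -> DNS names in the certificate's subjectAltName, one per line
names_in_cert() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# cert_covers_host PEM HOST -> exit 0 only if the certificate is valid for HOST
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q 'does match certificate'
}

# fetch_cert HOST PORT [PROTO] -> PEM of the certificate that service presents.
# Needs network access. 465 is implicit TLS; 587 needs PROTO=smtp (STARTTLS).
fetch_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" ${3:+-starttls "$3"} \
        </dev/null 2>/dev/null | openssl x509
}

# make_sample_cert PEM NAME... -> throwaway self-signed certificate (constructed
# input standing in for the certificate issued in the first post)
make_sample_cert() {
    sc_out=$1; shift
    sc_san=$(printf 'DNS:%s,' "$@")
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -addext "subjectAltName=${sc_san%,}" \
        -keyout "$sc_out.key" -out "$sc_out" 2>/dev/null
}

# report PEM HOST... -> one verdict line per hostname a client might be configured with
report() {
    rp_pem=$1; shift
    for rp_host in "$@"; do
        if cert_covers_host "$rp_pem" "$rp_host"; then
            echo "$rp_host: OK"
        else
            echo "$rp_host: NAME MISMATCH (certificate covers: $(names_in_cert "$rp_pem" | tr '\n' ' '))"
        fi
    done
}

demo_dir=$(mktemp -d)
make_sample_cert "$demo_dir/web.pem" herramientasdecorte.com.ar www.herramientasdecorte.com.ar
report "$demo_dir/web.pem" www.herramientasdecorte.com.ar mail.herramientasdecorte.com.ar
rm -rf "$demo_dir"
```

Against a live server, save the output of fetch_cert for port 587 (with smtp as third argument) or 465 to a file and pass that file to report together with the hostname the mail clients use.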
Hello, till

Thanks for your answer

This guide was implemented some long time ago. Now I am looking at the ISPConfig manual and I'll install, for some package dependencies.

    mkdir /opt/certbot
    cd /opt/certbot
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto

Am I ok ??

Thanks, again

Nestor Mazza
Hello, again

Till, as you say before

    apt-get install certbot python-certbot-apache
    certbot certonly --apache
    certbot renew --dry-run

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    ** (The test certificates below have not been saved.)

    Congratulations, all renewals succeeded. The following certs have been renewed:
      /etc/letsencrypt/live/herramientasdecorte.com.ar/fullchain.pem (success)
      /etc/letsencrypt/live/sutiendaonline.com.ar/fullchain.pem (success)
      /etc/letsencrypt/live/herramientasdecorte.com.ar-0001/fullchain.pem (success)
      /etc/letsencrypt/live/mail.sutiendaonline.com.ar/fullchain.pem (success)
    ** DRY RUN: simulating 'certbot renew' close to cert expiry
    ** (The test certificates above have not been saved.)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Running post-hook command: echo '1' > /usr/local/ispconfig/server/le.restart

Am I right now ??? or not ???

Thanks again

Nestor Mazza
Never use certbot certonly --apache on an ispconfig server, it destroys the config of the website where you run it on. Just install certbot, and the version you get with apt is probably outdated, that's why you can find these instructions in recent ISPConfig install tutorials:

Code:

    cd /usr/local/bin
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --install-only
Hello,

Thanks

I installed certbot-auto as you wrote me

    cd /usr/local/bin
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --install-only

And then ...

    # certbot --version
    certbot 0.28.0

After that ..

================================================================

    # certbot -d sutiendaonline.com.ar -d www.sutiendaonline.com.ar
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Cert not yet due for renewal

    You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
    (ref: /etc/letsencrypt/renewal/sutiendaonline.com.ar.conf)

    What would you like to do?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Attempt to reinstall this existing certificate
    2: Renew & replace the cert (limit ~5 per 7 days)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    Keeping the existing certificate
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/100-sutiendaonline.com.ar.vhost
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/100-sutiendaonline.com.ar.vhost

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://sutiendaonline.com.ar and
    https://www.sutiendaonline.com.ar

    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=sutiendaonline.com.ar
    https://www.ssllabs.com/ssltest/analyze.html?d=www.sutiendaonline.com.ar
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/sutiendaonline.com.ar/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/sutiendaonline.com.ar/privkey.pem
      Your cert will expire on 2020-09-30. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot again
      with the "certonly" option. To non-interactively renew *all* of
      your certificates, run "certbot renew"
    - If you like Certbot, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le

================================================================

    # certbot -d herramientasdecorte.com.ar -d www.herramientasdecorte.com.ar
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache
    Cert not yet due for renewal

    You have an existing certificate that has exactly the same domains or certificate name you requested and isn't close to expiry.
    (ref: /etc/letsencrypt/renewal/herramientasdecorte.com.ar.conf)

    What would you like to do?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: Attempt to reinstall this existing certificate
    2: Renew & replace the cert (limit ~5 per 7 days)
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1
    Keeping the existing certificate
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/100-herramientasdecorte.com.ar.vhost
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/100-herramientasdecorte.com.ar.vhost

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 1

    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Congratulations! You have successfully enabled https://herramientasdecorte.com.ar and
    https://www.herramientasdecorte.com.ar

    You should test your configuration at:
    https://www.ssllabs.com/ssltest/analyze.html?d=herramientasdecorte.com.ar
    https://www.ssllabs.com/ssltest/analyze.html?d=www.herramientasdecorte.com.ar
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
      /etc/letsencrypt/live/herramientasdecorte.com.ar/fullchain.pem
      Your key file has been saved at:
      /etc/letsencrypt/live/herramientasdecorte.com.ar/privkey.pem
      Your cert will expire on 2020-11-01. To obtain a new or tweaked
      version of this certificate in the future, simply run certbot again
      with the "certonly" option. To non-interactively renew *all* of
      your certificates, run "certbot renew"
    - If you like Certbot, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le

I hope now. Am I ok and in the right way ??

Thanks for all

Nestor Mazza
Not really, you just destroyed the config of several websites. Everything that you have done "After that .." is completely wrong, with each domain that you selected, you destroyed another site config. You never run certbot on the shell manually on an ISPConfig system for any domain that you plan to manage with ISPConfig. I posted a link in #2 which describes how to secure the services on a server and nothing that you did now is described in that guide.

You have two options now: either stop using ISPConfig for all domains that you ran those commands for, as the domains are completely unmanageable now. Or you undo everything that the certbot commands you used did with the apache config and then start to follow the guide that I posted.
Besides, you still use the same old version of certbot. What do these commands show:

Code:

    which certbot
    type -a certbot
Till, hello once more,

Thank you for your support.

I left this server, mail.sutiendaonline.com.ar, until writing this message to you.

I took my principal server, mail.sofihacloud.com.ar, and ...

Installed certbot as you explained to me before. certbot was still in 0.10 version and so

    apt-get upgrade

keep packages

    certbot clamav clamav-base clamav-daemon clamav-freshclam clamdscan linux-image-amd64 mariadb-client mariadb-client-10.1 mariadb-server mariadb-server-10.1 mariadb-server-core-10.1 python-acme

and now certbot is 0.28 version and certbot-auto is in 1.26 version.

After that .... I only use the ISPConfig Control panel for the depor.com.ar Domain and check Let's Encrypt, and now https://www.depor.com.ar/ is working. I didn't touch anything using shell commands.

Please let me ask you two things:

1)- Am I Ok now, after September 30, for certificate renewals ???

2)- and for the Other server, mail.sofihacloud.com, is it possible to get paid support for "destroyed the config of several websites"

Thanks again

Nestor Mazza

I'll appreciate your cooperation again. I'll be waiting for your answer
Hello,

    # certbot --version
    certbot 0.28.0

    # type -a certbot
    certbot is /usr/bin/certbot

Thanks

Nestor Mazza
Looks like /usr/local/bin is not in your PATH environment variable.

Code:

    /usr/local/bin/certbot --version

should show the new version you installed. Add that directory to your path or use the full pathname always.
You'll probably have to uninstall the certbot package that was installed with apt command. Try:

    apt-get remove certbot

There must be a new certbot version in this path, check with:

    /opt/eff.org/certbot/venv/bin/certbot --version

If this certbot version is there, then create a symlink in /usr/local/bin/ folder for it:

    ln -s /opt/eff.org/certbot/venv/bin/certbot /usr/local/bin/certbot

Then the certbot install on the system should be up to date.
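The checks suggested in the last few posts (type -a, calling each copy by full path) can be combined into one audit. This is an added example, not from any poster: it lists every certbot on PATH plus the two locations named in the thread and reports when the copy found first is older than another installed one. The function names are assumptions for the illustration; it relies on readlink -f and sort -V as found on GNU/Linux.

```shell
#!/bin/sh
# Added example (not from the thread): which certbot does the shell actually run?

TAB=$(printf '\t')
# Locations named in the thread that may be missing from PATH.
EXTRA_DIRS=/usr/local/bin:/opt/eff.org/certbot/venv/bin

# certbot_candidates [PATH_STRING [EXTRA]] -> "path<TAB>version" per distinct
# executable, in lookup order; symlinks to an already listed file are skipped.
certbot_candidates() {
    cc_search=${1:-$PATH}:${2-$EXTRA_DIRS}
    cc_seen=
    cc_ifs=$IFS; IFS=:
    for cc_dir in $cc_search; do
        IFS=$cc_ifs
        cc_bin=${cc_dir:-.}/certbot
        [ -f "$cc_bin" ] && [ -x "$cc_bin" ] || continue
        cc_real=$(readlink -f "$cc_bin")
        case "$cc_seen" in *"|$cc_real|"*) continue ;; esac
        cc_seen="$cc_seen|$cc_real|"
        cc_ver=$("$cc_bin" --version 2>&1 | awk '{ print $NF; exit }')
        printf '%s\t%s\n' "$cc_bin" "$cc_ver"
    done
    IFS=$cc_ifs
}

# stale_certbot [PATH_STRING [EXTRA]] -> exit 0 and describe the problem when the
# certbot found first is not the newest installed copy; exit 1 otherwise.
stale_certbot() {
    sc_list=$(certbot_candidates "$@")
    [ -n "$sc_list" ] || return 1
    sc_first=$(printf '%s\n' "$sc_list" | head -n 1)
    sc_newest=$(printf '%s\n' "$sc_list" | sort -t "$TAB" -k2,2V | tail -n 1)
    [ "$(printf '%s\n' "$sc_first" | cut -f2)" != "$(printf '%s\n' "$sc_newest" | cut -f2)" ] || return 1
    printf 'found first: %s\nnewer copy:  %s\n' "$sc_first" "$sc_newest"
}

stale_certbot || echo "no older certbot shadows a newer one"
```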
Hello, good morning

I did all the changes and ...

    apt-get remove certbot
    apt autoremove

    /opt/eff.org/certbot/venv/bin/certbot --version
    certbot 1.6.0

    /usr/local/bin/certbot --version
    -su: /usr/local/bin/certbot: No such file or director

    ln -s /opt/eff.org/certbot/venv/bin/certbot /usr/local/bin/certbot

And now ...

    /usr/local/bin/certbot --version
    certbot 1.6.0

    apt-get update
    apt-get upgrade
    The following packages will be upgraded:
      libx11-6 libx11-data

and the last check of apt

    apt-get update
    apt-get upgrade
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    Calculating upgrade... Done
    0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

I hope in right way now ???

Thanks for all

Nestor Mazza