I still have trouble: it shows the cert as expired. It wouldn't be annoying, but it asks me every time if I'm sure I want to accept it in Thunderbird. After these steps, do I need to do something else to renew the certs? I don't know if it's OK or not to post all the details, so I blurred some parts of the screenshot.
Sounds like a client-side issue, not server. Try searching for Thunderbird-specific methods; it seems like Mozilla had its own certificate store, so Thunderbird very well may as well.
Looking further, I am not sure that everything is correct on the server side. The server NS is ns3.domain.tld and ns4.domain.tld, and for some reason it seems that ns3.domain.tld has a self-signed certificate, which is incorrect.
Does that server have two hostnames and you want both included in the certificate? In what way is it incorrect?
Yes, the server has two hostnames and I want them both to be included in the certificate and working properly (so when I want to connect via FTP I can use either of the hostnames, or when I access /webmail or ispconfig, and so on). The certificate on ns3 is invalid: it's self-signed and it says that the certificate issuer is ns1.domain.tld, so something seems to be wrong there. The server hostnames are ns3.domain.tld and ns4.domain.tld; ns1 and ns2 don't exist. When I open one of these: domain.tld, domain.tld/webmail, domain.tld/phpmyadmin, ns4.domain.tld, ns4.domain.tld/webmail, ns4.domain.tld/phpmyadmin, everything works fine and the certificate is valid. However, when I open these: ns3.domain.tld, ns3.domain.tld/webmail, ns3.domain.tld/phpmyadmin, the certificate is not valid and it opens the Apache default page.
What does this show?
Code:
    hostname
    hostname -f
Are all of ns3.domain.tld, ns4.domain.tld and domain.tld pointing in name service to the same IP? Perhaps create website ns3.domain.tld and an LE certificate for that? This may prevent using ns3 with /webmail and /phpmyadmin.
ns3 and ns4 have different IP addresses. Both
Code:
    hostname
    hostname -f
return ns3.domain.tld. /etc/hosts has both ns3.domain.tld and ns4.domain.tld with their IPs included. /etc/hostname has ns3.domain.tld, but shouldn't that one have just ns3 in there, without domain.tld? Under the ISPConfig interface I added both ns3 and ns4 as subdomains to domain.tld; there's even one alias domain added there and it's working fine. I checked the /.acme.sh/domain.tld/domain.tld.conf file and they are all there:
Code:
    Le_Domain='domain.tld'
    Le_Alt='www.domain.tld,ns3.domain.tld,ns4.domain.tld,domain.rs'
I'm out of ideas. I assume your setup should work. Have you examined the acme.sh log to see which certificate with which domains it renews? Have you examined the certificates: is your host using one certificate for ns3 and another for ns4?
The certificate is one for all of the following: domain.tld, www.domain.tld, ns3.domain.tld, ns4.domain.tld, aliasdomain.tld. acme.sh logs show everything fine and the certificate renews. It looks like the host could be using 2 different certificates for ns3 and ns4. Looking further, I have found there is a .conf file under "/etc/apache2/sites-available/default-ssl.conf" which is in use, and there is a specific line pointing to the self-signed certificate:
Code:
    # Enable/Disable SSL for this virtual host.
    SSLEngine on
    # A self-signed (snakeoil) certificate can be created by installing
    # the ssl-cert package. See
    # /usr/share/doc/apache2/README.Debian.gz for more info.
    # If both key and certificate are stored in the same file, only the
    # SSLCertificateFile directive is needed.
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
So by changing the SSLCertificateFile line to point to a different pem file
Code:
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.pem
this seems to make the certificate valid; the ispserver.pem file is generated from the /.acme.sh/domain.tld/fullchain.cer and /.acme.sh/domain.tld/domain.tld.key files. However, this looks like a complete mess, and one more thing is confusing. While services like ns3.domain.tld/webmail, ns3.domain.tld/phpmyadmin or the ispconfig interface work and the certificate is now valid under ns3.domain.tld, when I browse ns3.domain.tld it shows the default Apache page, but when I open ns4.domain.tld it loads the domain.tld website. And I still have the invalid root certificate error with FileZilla, Thunderbird, atom.io ...
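The browser check above only covers port 443. A quick way to see which certificate every name and port actually hands to a client, as an added example that is not part of this thread or of ISPConfig: a Python script (standard library only, Python 3.7+) that does a verified TLS handshake with SNI set to each hostname, the way a browser or mail client does, and reports subject, issuer, whether the requested name is in the SAN list and the days until expiry. When verification fails (self-signed, expired, hostname mismatch) it reports the reason instead. The hostnames, the port list and the two certificate dicts at the bottom are constructed placeholders; the port list is an assumption covering only implicit-TLS services, not STARTTLS ports such as FTP or submission.

```python
"""Check which certificate each hostname:port pair really presents.

Added example, not from the thread or from ISPConfig. probe() does a verified
handshake with SNI set to the hostname; assess_cert() works on the dict that
getpeercert() returns after a successful handshake, so it can be exercised
offline on the constructed sample certs at the bottom.
"""
import socket
import ssl
import sys
import time

# Implicit-TLS ports on a typical panel host (assumption: HTTPS, IMAPS, panel).
# STARTTLS ports such as 21, 25, 143 and 587 need a protocol-specific opener
# and are not covered here.
DEFAULT_PORTS = (443, 993, 8080)


def san_matches(hostname, san_names):
    """True if hostname is covered by a DNS SAN, exact or single-label wildcard."""
    host = hostname.lower().rstrip(".")
    for name in san_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        # *.domain.tld covers ns3.domain.tld but not a.b.domain.tld or domain.tld
        if name.startswith("*.") and host.count(".") == name.count(".") \
                and host.endswith(name[1:]):
            return True
    return False


def assess_cert(cert, hostname, now=None):
    """Summarise a getpeercert() dict for the name the client asked for."""
    now = time.time() if now is None else now
    subject = dict(rdn[0] for rdn in cert.get("subject", ()))
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    not_after = ssl.cert_time_to_seconds(cert["notAfter"]) if "notAfter" in cert else None
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),
        "self_signed": bool(subject) and subject == issuer,
        "covers_host": san_matches(hostname, sans),
        "days_left": None if not_after is None else int((not_after - now) // 86400),
    }


def probe(hostname, port, timeout=5.0):
    """Verified TLS handshake with SNI=hostname; assessment dict or the failure reason."""
    ctx = ssl.create_default_context()  # system CA store, hostname check on
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                return assess_cert(tls.getpeercert(), hostname)
    except ssl.SSLCertVerificationError as exc:
        # "self-signed certificate", "certificate has expired", "Hostname mismatch":
        # the reason a real client would show for this name on this port.
        return {"error": exc.verify_message}
    except (OSError, ssl.SSLError) as exc:
        return {"error": str(exc)}


# Constructed sample certs in getpeercert() shape, placeholder names from the thread.
GOOD_CERT = {
    "subject": ((("commonName", "domain.tld"),),),
    "issuer": ((("organizationName", "Example CA"),), (("commonName", "Example CA R1"),)),
    "subjectAltName": (("DNS", "domain.tld"), ("DNS", "www.domain.tld"),
                       ("DNS", "ns3.domain.tld"), ("DNS", "ns4.domain.tld")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}
SNAKEOIL_CERT = {  # Debian ssl-cert style: self-signed, CN only, no SAN
    "subject": ((("commonName", "ns1.domain.tld"),),),
    "issuer": ((("commonName", "ns1.domain.tld"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

if __name__ == "__main__":
    hosts = sys.argv[1:] or ["ns3.domain.tld", "ns4.domain.tld"]  # placeholders
    for host in hosts:
        for port in DEFAULT_PORTS:
            print(f"{host}:{port} -> {probe(host, port)}")
```

Run it as `python3 certcheck.py ns3.domain.tld ns4.domain.tld` from a machine that trusts the same CA bundle as the complaining clients; a line that comes back with an error for one name but not the other is exactly the "two different certificates" situation, and the verify message tells you whether it is the self-signed default, an expired chain, or a name missing from the SAN list.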
It sounds like you don't have any sites with the name/alias of ns3; 'apachectl -S' could confirm that.
The content of apachectl -S:
Code:
    root@ns3 ~ # apachectl -S
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.vhost:7
    VirtualHost configuration:
    *:8080                 ns3.domain.tld (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
    *:80                   is a NameVirtualHost
             default server ns3.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost ns3.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
             port 80 namevhost domain.tld (/etc/apache2/sites-enabled/100-domain.tld.vhost:7)
                     alias www.domain.tld
                     alias ns3.domain.tld
                     alias ns4.domain.tld
                     alias aliasdomain.tld
    *:443                  is a NameVirtualHost
             default server ns3.domain.tld (/etc/apache2/sites-enabled/1.conf:2)
             port 443 namevhost ns3.domain.tld (/etc/apache2/sites-enabled/1.conf:2)
             port 443 namevhost domain.tld (/etc/apache2/sites-enabled/100-domain.tld.vhost:132)
                     alias www.domain.tld
                     alias ns3.domain.tld
                     alias ns4.domain.tld
                     alias aliasdomain.tld
    ServerRoot: "/etc/apache2"
    Main DocumentRoot: "/var/www/html"
    Main ErrorLog: "/var/log/apache2/error.log"
    Mutex ssl-stapling: using_defaults
    Mutex proxy: using_defaults
    Mutex ssl-cache: using_defaults
    Mutex default: dir="/var/run/apache2/" mechanism=default
    Mutex fcgid-pipe: using_defaults
    Mutex authdigest-opaque: using_defaults
    Mutex watchdog-callback: using_defaults
    Mutex rewrite-map: using_defaults
    Mutex ssl-stapling-refresh: using_defaults
    Mutex authdigest-client: using_defaults
    Mutex fcgid-proctbl: using_defaults
    PidFile: "/var/run/apache2/apache2.pid"
    Define: DUMP_VHOSTS
    Define: DUMP_RUN_CFG
    Define: MODPERL2
    Define: ENABLE_USR_LIB_CGI_BIN
1.conf is a symlink to the before-mentioned /sites-available/default-ssl.conf. I guess I could just symlink /etc/ssl/certs/ssl-cert-snakeoil.pem to the valid one that ispconfig is using, /usr/local/ispconfig/interface/ssl/ispserver.pem, and this could solve the invalid cert?
You have two sites with the name "ns3.domain.tld", and the certificate you see presented is from the first, while what you want is that of the second. I'm a little surprised that's not an error that would prevent apache from starting.
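The shadowing described in the reply above is easy to miss by eye in a long listing. As an added example that is not part of this thread or of ISPConfig, here is a small Python parser for `apachectl -S` output that lists every hostname claimed by more than one vhost on the same port and names the vhost that wins (Apache picks the first one in configuration order, and on 443 that vhost's certificate is the one clients see). The embedded SAMPLE is constructed from the listing posted above, with its placeholder names; the `--live` mode runs the real `apachectl -S` on the current machine.

```python
"""Flag hostnames claimed by more than one vhost on the same port in `apachectl -S`.

Added example, not from the thread or from ISPConfig. Apache matches the
request's Host header (or SNI name) against the vhosts of that port in
configuration order, so a name that appears twice is always served by the
first vhost, and on 443 that means the first vhost's certificate. SAMPLE is
constructed from the listing in the thread, with its placeholder names.
"""
import re
import subprocess
import sys

SAMPLE = """\
VirtualHost configuration:
*:8080                 ns3.domain.tld (/etc/apache2/sites-enabled/000-ispconfig.vhost:9)
*:80                   is a NameVirtualHost
         default server ns3.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost ns3.domain.tld (/etc/apache2/sites-enabled/000-default.conf:1)
         port 80 namevhost domain.tld (/etc/apache2/sites-enabled/100-domain.tld.vhost:7)
                 alias www.domain.tld
                 alias ns3.domain.tld
                 alias ns4.domain.tld
                 alias aliasdomain.tld
*:443                  is a NameVirtualHost
         default server ns3.domain.tld (/etc/apache2/sites-enabled/1.conf:2)
         port 443 namevhost ns3.domain.tld (/etc/apache2/sites-enabled/1.conf:2)
         port 443 namevhost domain.tld (/etc/apache2/sites-enabled/100-domain.tld.vhost:132)
                 alias www.domain.tld
                 alias ns3.domain.tld
                 alias ns4.domain.tld
                 alias aliasdomain.tld
ServerRoot: "/etc/apache2"
"""

SINGLE_RE = re.compile(r"^(\S+):(\d+)\s+(\S+) \((.+?)\)$")          # only vhost on its port
NAMEVHOST_RE = re.compile(r"^\s*port (\d+) namevhost (\S+) \((.+?)\)$")
ALIAS_RE = re.compile(r"^\s*alias (\S+)$")


def parse_vhosts(text):
    """Return {port: [(name, source, directive), ...]} in configuration order."""
    claims = {}
    port = source = None
    for line in text.splitlines():
        m = SINGLE_RE.match(line)
        if m:
            port, name, source = m.group(2), m.group(3), m.group(4)
            claims.setdefault(port, []).append((name, source, "ServerName"))
            continue
        m = NAMEVHOST_RE.match(line)
        if m:
            port, name, source = m.groups()
            claims.setdefault(port, []).append((name, source, "ServerName"))
            continue
        m = ALIAS_RE.match(line)
        if m and source is not None:
            # alias lines belong to the namevhost listed just above them
            claims[port].append((m.group(1), source, "ServerAlias"))
    return claims


def duplicate_names(claims):
    """{port: {name: [(source, directive), ...]}} for names claimed more than once.

    The first entry of each list is the vhost Apache will actually pick."""
    dups = {}
    for port, entries in claims.items():
        owners = {}
        for name, source, directive in entries:
            owners.setdefault(name, []).append((source, directive))
        for name, claimants in owners.items():
            if len(claimants) > 1:
                dups.setdefault(port, {})[name] = claimants
    return dups


def report(text):
    """Human-readable lines, one per shadowed name."""
    lines = []
    for port, names in duplicate_names(parse_vhosts(text)).items():
        for name, claimants in names.items():
            src, directive = claimants[0]
            lines.append(f"port {port}: {name} claimed {len(claimants)}x; "
                         f"{directive} in {src} wins, later claims are shadowed")
    return lines


if __name__ == "__main__":
    if sys.argv[1:] == ["--live"]:
        run = subprocess.run(["apachectl", "-S"], capture_output=True, text=True)
        text = run.stdout + run.stderr  # vhost dump and "Syntax OK" use different streams
    else:
        text = SAMPLE
    print("\n".join(report(text)) or "no shadowed names")
```

On the constructed sample it reports ns3.domain.tld as shadowed on both 80 and 443, owned by 000-default.conf and 1.conf respectively, which is the reply's diagnosis: the ISPConfig site's ServerAlias for ns3 never gets a chance to match. Re-run with `--live` after removing the name from the default vhosts (or giving the ISPConfig site precedence) to confirm the listing comes back clean before checking the certificates again.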