Hello, when I access ISPConfig via https://FQDN-of-host:8080 I get a warning of faulty certificate. https://FQDN-of-host website however has valid certificate. I welcome advice on what I need to do to get the :8080 version to have a valid certificate.
Okay, so you created a website for the hostname? This would mean you no longer use the central system certificate for the other services incl. ISPConfig.
That's why you NEVER name your host the same name as you're using for a website on that host, any name. It will ALWAYS create conflicts in LE/ACME issued certificates within ISPC.
Ah, OK. It was a mistake. I don't need a website with the hostname. How do I reverse things to sort it out? Do I simply delete it as a subdomain? Is there anything else I need to do?
Thank you everyone. I realise this is something I hardly understand at all. I was thinking of it rather naively. I had a site created (no content) with the domainname and also a subdomain with host.domainname. There was no web content on either. The email server uses mail.domainname, imap.domainname and smtp.domainname so presumably I need to have the domainname site?
If you use that site for handling the SSL cert of the other services, then you need it. The question is how you set that all up, as acme.sh can only have one target for an SSL cert. If the SSL cert for that subdomain is now the website certificate, then you must symlink the ISPConfig SSL certificate in /usr/local/ispconfig/interface/ssl/ to the website certificate now. Do you remember how you set up your current config?
Thank you Till. The original setup was many years ago. I remember following a HowtoForge tutorial on setting up the email server following instructions on how to get certificates working for imap and smtp which is why the domain of the server was registered as a site. Until this week, admin access to ISPConfig server has been totally on internal network. Now it's necessary to securely access remotely over the web - hence the issues emerging now. I'm unclear on how to make the necessary symlinks from the ispserver.crt to the letsencrypt domain certificates which are all .pem files rather than .crt/.key/.pem. Also do I make the symlink to the domain pems or the host.domain pems?
@till I just realised the meaning of your question. To set up ISPConfig I used the Ubuntu perfect server howto starting (I think) from about ISPConfig 3.1 and Ubuntu 16.04 and upgrading over the years to ISPConfig 3.2.3 and Ubuntu 22.04. The email howto was on top of that.
Then you're probably not using acme.sh but certbot for your LE certificates. Though that changes nothing to @till's story, only the location where the certificates are located. Which for certbot would be in /etc/letsencrypt/, where acme.sh uses /root/.acme.sh/
Maybe we should start a bit more systematic, please run these commands and post the result:

Code:
    cd /usr/local/ispconfig/interface/ssl/
    ls -la

As you said it worked before, try to restart apache or nginx and check if it starts working then.
Till, I'm sorry for the delay in replying, I'm in Western Australia and it was middle of night.

ls -la of /usr/local/ispconfig/interface/ssl is

    total 32
    drwxr-x--- 2 root root 4096 Dec 1 2022 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Dec 1 2022 ..
    -rwxr-x--- 1 root root 768 Sep 8 21:22 dhparam4096.pem
    -rwxr-x--- 1 root root 45 Sep 8 21:22 empty.dir
    -rwxr-x--- 1 root root 2025 Dec 1 2022 ispserver.crt
    -rwxr-x--- 1 root root 3272 Dec 1 2022 ispserver.key
    -rwxr-x--- 1 root root 5297 Dec 1 2022 ispserver.pem

(2022 was date of server migration to new hardware)

Restarted apache2 and for both https://domainname and https://host.domainname I get message 'Secure connection failed'.

The letsencrypt certificate locations for all the domains appear to be symlinks in /etc/letsencrypt/live pointing to certificates in /etc/letsencrypt/archive.

ls -la of /etc/letsencrypt contains

    total 192
    drwxr-xr-x 9 root root 4096 Nov 19 05:11 .
    drwxr-xr-x 132 root root 12288 Nov 19 06:16 ..
    drwx------ 4 root root 4096 Oct 19 21:29 accounts
    drwx------ 18 root root 4096 Sep 3 2022 archive
    -rw-r--r-- 1 root root 121 Oct 11 2019 cli.ini
    drwxr-xr-x 2 root root 69632 Nov 19 03:08 csr
    drwx------ 2 root root 69632 Nov 19 03:08 keys
    drwx------ 18 root root 4096 Sep 3 2022 live
    -rw-r--r-- 1 root root 952 May 7 2024 options-ssl-apache.conf
    drwxr-xr-x 2 root root 4096 Nov 18 22:57 renewal
    drwxr-xr-x 5 root root 4096 Apr 8 2020 renewal-hooks
    -rw-r--r-- 1 root root 64 May 7 2024 .updated-options-ssl-apache-conf-digest.txt
The ISPConfig ssl cert and key are not symlinks, so they likely got created by acme.sh at install time. But your system uses certbot now and that's why the SSL cert is not getting renewed anymore. You must replace the ispserver.crt and ispserver.key files with a symlink to the key and cert in /etc/letsencrypt/live and then restart Apache.
Many thanks Till, I can now login to ISPConfig securely on https://domain.org:8080! I created the symlinks below, restarted apache2 and success!

/usr/local/ispconfig/interface/ssl ls -al

    -rwxr-x--- 1 root root 768 Sep 8 21:22 dhparam4096.pem
    -rwxr-x--- 1 root root 45 Sep 8 21:22 empty.dir
    lrwxrwxrwx 1 root root 44 Nov 19 18:40 ispserver.crt -> /etc/letsencrypt/live/domain.org/cert.pem
    -rwxr-x--- 1 root root 2025 Dec 1 2022 ispserver.crt.old
    lrwxrwxrwx 1 root root 47 Nov 19 18:41 ispserver.key -> /etc/letsencrypt/live/domain.org/privkey.pem
    -rwxr-x--- 1 root root 3272 Dec 1 2022 ispserver.key.old
    lrwxrwxrwx 1 root root 49 Nov 19 18:51 ispserver.pem -> /etc/letsencrypt/live/domain.org/chain.pem
    -rwxr-x--- 1 root root 5297 Dec 1 2022 ispserver.pem.old
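
Added example, not part of any post in the thread: a shell check for the condition diagnosed above (static ispserver.crt/ispserver.key copies that certbot renewals never update), plus the symlink swap with *.old backups. The function names are hypothetical; the paths and the cert.pem/privkey.pem targets are the ones shown in the thread.

```bash
#!/usr/bin/env bash
# Added example. Paths mirror the thread; function names are hypothetical.

# Count the ISPConfig interface cert files that will NOT follow certbot
# renewals: static copies, dangling links, or links outside the live dir.
audit_ispc_ssl() {
    local ssl_dir=$1 live_dir=$2 problems=0 f target
    for f in ispserver.crt ispserver.key; do
        target=$(readlink "$ssl_dir/$f" 2>/dev/null || true)
        if [ ! -L "$ssl_dir/$f" ]; then
            echo "$f: static file or missing, certbot renewals never reach it"
            problems=$((problems + 1))
        elif [ ! -e "$ssl_dir/$f" ]; then
            echo "$f: dangling symlink -> $target"
            problems=$((problems + 1))
        else
            case "$target" in
                "$live_dir"/*) echo "$f: ok -> $target" ;;
                *) echo "$f: points outside $live_dir -> $target"
                   problems=$((problems + 1)) ;;
            esac
        fi
    done
    return "$problems"
}

# Swap static files for symlinks into live_dir, keeping originals as *.old
# (the backup naming visible in the final listing of the thread).
link_ispc_ssl() {
    local ssl_dir=$1 live_dir=$2 pair f
    local pairs="ispserver.crt:cert.pem ispserver.key:privkey.pem"
    for pair in $pairs; do      # verify every source before touching anything
        [ -e "$live_dir/${pair#*:}" ] || { echo "missing $live_dir/${pair#*:}" >&2; return 1; }
    done
    for pair in $pairs; do
        f=$ssl_dir/${pair%%:*}
        if [ -e "$f" ] && [ ! -L "$f" ]; then
            mv "$f" "$f.old"    # mv keeps the restrictive mode on the old key
        fi
        ln -sfn "$live_dir/${pair#*:}" "$f"
    done
}

# Run as: script.sh /usr/local/ispconfig/interface/ssl /etc/letsencrypt/live/<domain>
if [ "$#" -eq 2 ]; then audit_ispc_ssl "$1" "$2"; fi
```

The audit exits 0 only when both files are live symlinks into the given directory; Apache still has to be restarted after linking, as in the thread.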