how do i know if my server uses certbot or acme.sh?

Just bought the migration tool. Reading the doc it says if you have acme.sh, the new server needs to use that as well.
How do you tell which one? I've had ispconfig installed for a while, since 2019. I would assume it's certbot as i see certbot 1.11 installed.

 

do a search:
$ locate acme.sh
$ locate certbot

in case there is no locate command, install it and then index:
$ apt-get install mlocate
$ updatedb

 

didn't even think about locate. looks like my server uses certbot.

 

probably a more solid way to check it. thanks for the extra info!

 

new issue... following the multi server setup guide, it didn't pull a valid cert for the panel (8080). did force update and it switched to acme.sh.
Found a thread that mentions this feature request as implemented... so i'm guessing i'm missed a step somewhere.
How do I undo acme.sh or should i just reinstall?

 

https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/2/

i have an old server running centos 7 and i'm moving to ubuntu 22.04 lts. the install didn't ask anything about if i planned to migrate or if i wanted to use certbot vs acme.sh.

 

if

it's easier, i can just reinstall the OS, certbot, and then ispconfig.
Or i can switch the install to use certbot since there aren't any sites hosted on it yet.

 

Basically I tried the steps several times and so I can help confirming it works though there should be some extra(s) to delete to remove warnings (I can't remember it for now but do share if you see one).

Basically you can do this vice versa i.e. certbot to acme.sh as well but I do not want to encourage this because it is best to train to get it right at the command line, but we all things happened.

 

This worked. Certs are from certbot
I didn't install the snap, as I'm not a big fan of snaps. I installed certbot, python3 certbot apache using apt.

 

One last question,

I do appreciate all the assistance. My last question, my old setup is multi-server. I had thought it would be easier to migrate the primary server. Then, create a secondary server and let it sync to the primary OR should the secondary already be setup and syncing to the primary before i migrate. Or does this even matter. The old servers were hosting.domain.com and the new servers are panel.domain.com if that helps answer the question in anyway.

 

What is the question?
The only phrase written as a question (but question mark missing) is "Or does this even matter." But I do not fully understand what this is referring to.
Just as a guess: if you plan to migrate old ISPConfig system to new, you can migrate a multiserver system to a multiserver system or to a single server system. Or migrate a single server system to a multiserver system. Create the new ISPConfig system first, single server or multi server, whatever you desire, then do the migration.
I would practice first with a test migration to see how it works, to avoid big mistakes on a production system.

 

I did the 3 steps to change using certbot, at the end of the forced ispconfig update it showed:

Code:

Reconfigure Services? (yes,no,selected) [yes]:

The following custom templates were found:

/usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master
/usr/local/ispconfig/server/conf-custom/sieve_filter.master

Do you want to rename these conf-custom templates now so the default templates are used? (yes,no) [no]:

The following local config override templates were found, be sure to incorporate upstream changes if needed:

/usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master

Configuring Postfix
Configuring Dovecot
Configuring Spamassassin
Configuring Rspamd
Configuring Getmail
Configuring Pureftpd
Configuring nginx
Configuring Apps vhost
Configuring Jailkit
Configuring AppArmor
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]:

Create new ISPConfig SSL certificate (yes,no) [no]: yes

PHP Warning:  Undefined array key "ip" in /tmp/update_runner.sh.MQXkxglcyo/install/lib/installer_base.lib.php on line 2995
Checking / creating certificate for my.somedomain.net
Using certificate path /etc/letsencrypt/live/my.somedomain.net
sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
Using nginx for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:

Reconfigure Crontab? (yes,no) [yes]:

Updating Crontab
Restarting services ...
Update finished.

Perhaps the warnings are related to the custom templates? The /var/log/letsencrypt/letsencrypt.log looks fine, it does work with certbot now. Thanks for that!

 

Code:

-bash: /root/.acme.sh/acme.sh.env: No such file or directory

certbot works fine, but I keep getting the above on the shell when I log in (via ssh). Looked for cron-jobs that would maybe still be trying stuff with that .acme.sh dir, but that's not the case. Any idea?

 

I already reminded that earlier, because other than deleting its folder, the right clean way to delete acme.sh is to use its uninstall command as Neilpang himself said:

This uninstall command remove the line from the root ".bashrc" file. That said, since you already remove the acme.sh by deleting its folder, you may avoid that warning from occurring again by removing it manually from that file (at the last line).

I would suggest removing certbot that was installed by apt and re-install it via snap (or pip) as suggested by certbot website for the latest stable non-deprecated features.

 

How do you mean that? In sofar as my system isn't already 'broken', since I'm using cloudflare for DNS, and for letsencrypt name verification. The only thing I need to do manually, is create and maintain the certificates.
ISPconfig also does not create DANE/TLSA verification, so I'm *already* running a 'broken' system, as long as I override ispconfig regarding certs things will be fine.

Strangely, this was not the last line in my .bashrc, I'd overlooked that earlier. Thanks for making me look again, because now I did see it and deleted it.

 

If you do a manual switch and nothing after then yes.

Let's say you want to switch from certbot to acme.sh.
Just uninstall certbot and do a force update of ISPConfig.
Acme.sh will be installed by ISPConfig as certbot is no longer there.
After that you do need to re-issue your certificates within ISPConfig (and update your dane/tlsa records if you have those).
Then you won't have a broken system.

Vice versa I guess you uninstall acme.sh and install certbot before force updating ISPConfig as ISPConfig favors acme.sh when none are installed.