Just bought the migration tool. Reading the doc, it says if you have acme.sh, the new server needs to use that as well. How do you tell which one? I've had ISPConfig installed for a while, since 2019. I would assume it's certbot as I see certbot 1.11 installed.
Do a search:
$ locate acme.sh
$ locate certbot
In case there is no locate command, install it and then index:
$ apt-get install mlocate
$ updatedb
You can also check it like this: if SSL certs are in subfolders under /etc/letsencrypt/ then your system uses certbot. If there is no /etc/letsencrypt folder and certs are stored in subfolders of /root/.acme.sh/ then you have acme.sh. But for a system from 2019, it's quite likely that it uses certbot.
New issue... Following the multi server setup guide, it didn't pull a valid cert for the panel (8080). Did force update and it switched to acme.sh. Found a thread that mentions this feature request as implemented... so I'm guessing I missed a step somewhere. How do I undo acme.sh or should I just reinstall?
The update should only download and use acme.sh if it can't find certbot on the server. How did you install the system? That's unrelated.
https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/2/ I have an old server running CentOS 7 and I'm moving to Ubuntu 22.04 LTS. The install didn't ask anything about if I planned to migrate or if I wanted to use certbot vs acme.sh.
If it's easier, I can just reinstall the OS, certbot, and then ISPConfig. Or I can switch the install to use certbot since there aren't any sites hosted on it yet.
If you want to use certbot, then you must instruct the installer to use it. If you do not do that, it defaults to acme.sh. See e.g. command line options here in chapter 6: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
So you must add --use-certbot to the command. E.g.:
Code:
wget -O - https://get.ispconfig.org | sh -s -- --no-mail --no-dns --interactive --use-certbot
You can try that, the steps are:
1) Delete /root/acme.sh folder.
2) Install certbot via snap as described on certbot website https://certbot.eff.org/ but do not create a SSL cert.
3) Run ispconfig_update.sh --force and let the updater create a new cert.
If this does not work, then you might have to reinstall.
Basically I tried the steps several times and so I can help confirming it works though there should be some extra(s) to delete to remove warnings (I can't remember it for now but do share if you see one). Basically you can do this vice versa i.e. certbot to acme.sh as well but I do not want to encourage this because it is best to train to get it right at the command line, but we all things happened.
This worked. Certs are from certbot. I didn't install the snap, as I'm not a big fan of snaps. I installed certbot, python3 certbot apache using apt.
One last question, I do appreciate all the assistance. My last question: my old setup is multi-server. I had thought it would be easier to migrate the primary server. Then, create a secondary server and let it sync to the primary OR should the secondary already be set up and syncing to the primary before I migrate. Or does this even matter. The old servers were hosting.domain.com and the new servers are panel.domain.com if that helps answer the question in any way.
What is the question? The only phrase written as a question (but question mark missing) is "Or does this even matter." But I do not fully understand what this is referring to. Just as a guess: if you plan to migrate old ISPConfig system to new, you can migrate a multiserver system to a multiserver system or to a single server system. Or migrate a single server system to a multiserver system. Create the new ISPConfig system first, single server or multi server, whatever you desire, then do the migration. I would practice first with a test migration to see how it works, to avoid big mistakes on a production system.
I did the 3 steps to change using certbot, at the end of the forced ispconfig update it showed:
Code:
Reconfigure Services? (yes,no,selected) [yes]:
The following custom templates were found:
/usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master
/usr/local/ispconfig/server/conf-custom/sieve_filter.master
Do you want to rename these conf-custom templates now so the default templates are used? (yes,no) [no]:
The following local config override templates were found, be sure to incorporate upstream changes if needed:
/usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master
Configuring Postfix
Configuring Dovecot
Configuring Spamassassin
Configuring Rspamd
Configuring Getmail
Configuring Pureftpd
Configuring nginx
Configuring Apps vhost
Configuring Jailkit
Configuring AppArmor
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
PHP Warning: Undefined array key "ip" in /tmp/update_runner.sh.MQXkxglcyo/install/lib/installer_base.lib.php on line 2995
Checking / creating certificate for my.somedomain.net
Using certificate path /etc/letsencrypt/live/my.somedomain.net
sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
Using nginx for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
Reconfigure Crontab? (yes,no) [yes]:
Updating Crontab
Restarting services ...
Update finished.

Perhaps the warnings are related to the custom templates? The /var/log/letsencrypt/letsencrypt.log looks fine, it does work with certbot now. Thanks for that!
Code:
-bash: /root/.acme.sh/acme.sh.env: No such file or directory

certbot works fine, but I keep getting the above on the shell when I log in (via ssh). Looked for cron-jobs that would maybe still be trying stuff with that .acme.sh dir, but that's not the case. Any idea?
Switching from acme.sh to certbot (and vice versa) is not supported and will result in a broken system.
I already reminded that earlier, because other than deleting its folder, the right clean way to delete acme.sh is to use its uninstall command as Neilpang himself said: This uninstall command remove the line from the root ".bashrc" file. That said, since you already removed acme.sh by deleting its folder, you may avoid that warning from occurring again by removing it manually from that file (at the last line). I would suggest removing certbot that was installed by apt and re-installing it via snap (or pip) as suggested by certbot website for the latest stable non-deprecated features.
How do you mean that? Insofar as my system isn't already 'broken', since I'm using Cloudflare for DNS, and for letsencrypt name verification. The only thing I need to do manually is create and maintain the certificates. ISPConfig also does not create DANE/TLSA verification, so I'm *already* running a 'broken' system; as long as I override ISPConfig regarding certs, things will be fine. Strangely, this was not the last line in my .bashrc, I'd overlooked that earlier. Thanks for making me look again, because now I did see it and deleted it.
If you do a manual switch and nothing after then yes. Let's say you want to switch from certbot to acme.sh. Just uninstall certbot and do a force update of ISPConfig. Acme.sh will be installed by ISPConfig as certbot is no longer there. After that you do need to re-issue your certificates within ISPConfig (and update your dane/tlsa records if you have those). Then you won't have a broken system. Vice versa I guess you uninstall acme.sh and install certbot before force updating ISPConfig as ISPConfig favors acme.sh when none are installed.
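The directory check described early in the thread and the leftover .bashrc line behind the login error, combined into one audit script. This is an added example, not part of the original posts: the function names, the optional prefix argument and the sample tree (panel.example.com) are constructed for illustration, and checking startup files other than .bashrc is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). The optional prefix argument is an
# assumption of this sketch: it lets the checks run on a test tree or a
# mounted image; with no argument the live system is inspected.

# Print certbot, acme.sh, both or none, judged by where certificates are kept.
acme_client() {
    root="${1:-}"; certbot=0; acme=0
    # certbot: one subfolder per certificate under /etc/letsencrypt/live/
    for d in "$root"/etc/letsencrypt/live/*/; do
        if [ -d "$d" ]; then certbot=1; fi
    done
    # acme.sh: everything lives in /root/.acme.sh/
    if [ -d "$root/root/.acme.sh" ]; then acme=1; fi
    case "$certbot$acme" in
        10) echo certbot ;;
        01) echo acme.sh ;;
        11) echo both ;;   # mixed state, the unsupported case from the thread
        *)  echo none ;;
    esac
}

# Print file:line:text for every root startup file that still references
# acme.sh.env after the file itself is gone (the login error in the thread).
stale_acme_rc() {
    root="${1:-}"
    if [ -e "$root/root/.acme.sh/acme.sh.env" ]; then return 0; fi
    # .bashrc is the file named in the thread; the others are a precaution
    for rc in .bashrc .profile .bash_profile; do
        f="$root/root/$rc"
        [ -f "$f" ] || continue
        grep -n 'acme\.sh\.env' "$f" | sed "s|^|/root/$rc:|"
    done
    return 0
}

# Constructed sample: a host switched to certbot by deleting /root/.acme.sh
demo=$(mktemp -d)
mkdir -p "$demo/etc/letsencrypt/live/panel.example.com" "$demo/root"
printf '%s\n' 'alias ll="ls -l"' '. "/root/.acme.sh/acme.sh.env"' 'umask 027' \
    > "$demo/root/.bashrc"
echo "client: $(acme_client "$demo")"
stale_acme_rc "$demo"
```

The reported line number matters because, as noted above, the entry is not always the last line of the file.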