HTTPS Certificate Expiration

Discussion in 'General' started by mrbronz, Mar 11, 2021.

Tags:
  1. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi there

    Hopefully, this question only requires a quick reply.

    Having checked the status of my server on mxtoolbox, I am getting a warning that might cause problems further down the line.
    this is the warning I get
    Code:
    A Certificate in the chain will expire within the month
    Is there a quick fix for this warning?

    If so what is it?
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The certificate for your website https://gregson.me.uk/ will expire in 27 days. It should be renewed automatically, so take a look at the Let's Encrypt log to see what is going wrong. You can view this log in the panel -> Monitor -> Let's Encrypt log.
     
  3. mrbronz

    mrbronz Member HowtoForge Supporter

    The log is empty and I cannot find any let's encrypt log files
    upload_2021-3-11_11-47-46.png
    I've also checked the other two servers
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Are you using acme.sh or certbot?
     
  5. mrbronz

    mrbronz Member HowtoForge Supporter

    I'm using acme.sh as listed in the following guide

    Code:
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/#-install-lets-encrypt
     
    Last edited: Mar 11, 2021
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Does this file exist? /var/log/ispconfig/acme.log
     
  7. mrbronz

    mrbronz Member HowtoForge Supporter

    Yes but it's empty... there are rotated log files with entries in them but nothing stands out to me that says there has been a problem
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If /var/log/ispconfig/acme.log is empty, read the second latest acme log file.
     
  9. mrbronz

    mrbronz Member HowtoForge Supporter

    Thanks Taleman but like I have said

     
  10. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Can you share it?
     
  11. mrbronz

    mrbronz Member HowtoForge Supporter

    I can figure out how to get it off the server...
    I've tried mounting a USB stick that a problem at the mo tried scp but that keeps timing out, ssh don't tx files, tried mind control and that's not working.
    I can copy and past or I can grep some keywords to find the errors
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can use
    Code:
    cat
    on SSH, or SFTP/FTP?
     
  13. mrbronz

    mrbronz Member HowtoForge Supporter

    Well that was a ask and a half, I had to use WinSPC in the end

    I don't really want to share the log file here, it has auth codes in it.
    Any ideas?
    Also its bigger that 2000 chars
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Alright, let's try this in a different way (as described in the read before posting (https://www.howtoforge.com/community/threads/please-read-before-posting.58408/) -> I can't issue a Let's Encrypt cert (box is unchecked/error in log, etc) -> LE FAQ (https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/).

    Disable LE for the site, then go through this: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
    then enable LE and run the server.sh script manually. Check the output.
     
  15. mrbronz

    mrbronz Member HowtoForge Supporter

    Nothing
    Code:
    root@martin:~# /usr/local/ispconfig/server/server.sh
    finished server.php.
    My Bad
    Didn't save after changing log level
     
  16. mrbronz

    mrbronz Member HowtoForge Supporter

    Code:
    11.03.2021-19:40 - DEBUG - Unable to register function 'vm_insert' from plugin '                                                                                             openvz_plugin' for event 'openvz_vm_insert'
    11.03.2021-19:40 - DEBUG - Unable to register function 'vm_update' from plugin '                                                                                             openvz_plugin' for event 'openvz_vm_update'
    11.03.2021-19:40 - DEBUG - Unable to register function 'vm_delete' from plugin '                                                                                             openvz_plugin' for event 'openvz_vm_delete'
    11.03.2021-19:40 - DEBUG - Calling function 'check_phpini_changes' from plugin '                                                                                             webserver_plugin' raised by action 'server_plugins_loaded'.
    11.03.2021-19:40 - DEBUG - Found 2 changes, starting update process.
    11.03.2021-19:40 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plu                                                                                             gin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - retu                                                                                             rn code: 0
    11.03.2021-19:40 - DEBUG - Writing the conf file: /etc/apache2/sites-available/i                                                                                             spconfig.conf
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plu                                                                                             gin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - retu                                                                                             rn code: 0
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'network_settin                                                                                             gs_plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - Network configuration disabled in server settings.
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'postfix_server                                                                                             _plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - safe_exec cmd: which 'dovecot' 2> /dev/null - return                                                                                              code: 0
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'server_service                                                                                             s_plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - Calling function 'server_update' from plugin 'webserv                                                                                             er_plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - Processed datalog_id 739
    11.03.2021-19:40 - DEBUG - Calling function 'server_ip' from plugin 'apache2_plu                                                                                             gin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - retu                                                                                             rn code: 0
    11.03.2021-19:40 - DEBUG - Writing the conf file: /etc/apache2/sites-available/i                                                                                             spconfig.conf
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'apps_vhost_plu                                                                                             gin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - retu                                                                                             rn code: 0
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'network_settin                                                                                             gs_plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - Network configuration disabled in server settings.
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'postfix_server                                                                                             _plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - safe_exec cmd: which 'dovecot' 2> /dev/null - return                                                                                              code: 0
    11.03.2021-19:40 - DEBUG - Calling function 'update' from plugin 'server_service                                                                                             s_plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - Calling function 'server_update' from plugin 'webserv                                                                                             er_plugin' raised by event 'server_update'.
    11.03.2021-19:40 - DEBUG - Processed datalog_id 740
    11.03.2021-19:40 - DEBUG - Calling function 'restartHttpd' from module 'web_modu                                                                                             le'.
    11.03.2021-19:40 - DEBUG - Restarting httpd: systemctl restart apache2.service
    11.03.2021-19:40 - DEBUG - Calling function 'restartPostfix' from module 'mail_module'.
    11.03.2021-19:40 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Is this after enabling LE?

    Did you disable the server.sh cronjob?

    Also, part of the output is cut off, please share the full output.
     
  18. mrbronz

    mrbronz Member HowtoForge Supporter

    I've just done it again with the LE checked
    Code:
    root@martin:~# /usr/local/ispconfig/server/server.sh
    11.03.2021-20:16 - DEBUG - Unable to register function 'vm_insert' from plugin 'openvz_plugin' for event 'openvz_vm_insert'
    11.03.2021-20:16 - DEBUG - Unable to register function 'vm_update' from plugin 'openvz_plugin' for event 'openvz_vm_update'
    11.03.2021-20:16 - DEBUG - Unable to register function 'vm_delete' from plugin 'openvz_plugin' for event 'openvz_vm_delete'
    11.03.2021-20:16 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    11.03.2021-20:16 - DEBUG - Found 1 changes, starting update process.
    11.03.2021-20:16 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    11.03.2021-20:16 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    11.03.2021-20:16 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    11.03.2021-20:16 - DEBUG - Verified domain gregson.me.uk should be reachable for letsencrypt.
    11.03.2021-20:16 - DEBUG - Verified domain www.gregson.me.uk should be reachable for letsencrypt.
    11.03.2021-20:16 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    11.03.2021-20:16 - DEBUG - Create Let's Encrypt SSL Cert for: gregson.me.uk
    11.03.2021-20:16 - DEBUG - Let's Encrypt SSL Cert domains:
    11.03.2021-20:16 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d gregson.me.uk -d www.gregson.me.uk -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d gregson.me.uk -d www.gregson.me.uk --key-file '/var/www/clients/client1/web1/ssl/gregson.me.uk-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/gregson.me.uk-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    11.03.2021-20:16 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    11.03.2021-20:16 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    11.03.2021-20:16 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web1/.php-fcgi-starter
    11.03.2021-20:16 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web1/.php-fcgi-starter' - return code: 0
    11.03.2021-20:16 - DEBUG - Enable SSL for: gregson.me.uk
    11.03.2021-20:16 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/gregson.me.uk.vhost
    11.03.2021-20:16 - DEBUG - Apache status is: running
    11.03.2021-20:16 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    11.03.2021-20:16 - DEBUG - Restarting httpd: systemctl restart apache2.service
    11.03.2021-20:16 - DEBUG - Apache restart return value is: 0
    11.03.2021-20:16 - DEBUG - Apache online status after restart is: running
    11.03.2021-20:16 - DEBUG - Processed datalog_id 741
    11.03.2021-20:16 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
     
  19. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    FWIW, the auth codes are not terrible sensitive/useful info, to abuse them you would also need the contents of the auth file as well as to intercept http traffic from letsencrypt servers to your server (either en-route or via dns attack), within the short time which letsencrypt will honor the particular request auth. But if you can manage the http interception, you can simply perform a new request for certificate, you don't need the actual auth file that is sitting on your real server. So not a big worry (spend time setting up your dnssec for protection).
     
  20. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Your log shows acme.sh completed with no problems (and indeed, checking the certificate on your web site, it was issued today) - see /var/log/ispconfig/acme.log for possibly more info.
     

Share This Page