Hi, my first post, so hello all. I have a little server with a few domains, and now want to use mail because Google cancelled Google Apps free accounts. I configured everything with the tutorial for Debian 10; it is now upgraded to Debian 11 and almost everything works perfectly, but I have some problems with SSL. SSL is working for all the domains I'm using, but not for the server hostname. My hostname is server.domain.pl. A few months ago the cert for the server didn't renew, so I tried to do it manually and accidentally deleted all files from /etc/letsencrypt/archive/server.domain.pl, so it broke renewal totally, but for the domains of hosted sites renewing certs still works. I installed acme.sh too, so I probably have some duplicated certs. Now when I try to run the mail server I can't send any mail with TLS because of error 220 authenticate error with Roundcube, and I think it is a cert issue. The question is how to safely renew/make a new cert for the server?
Yes, if you deleted the old certificate, you can just issue a new one. Note that /etc/letsencrypt/ files are from certbot, and you say you are now using acme.sh, so you may want to find out the path name your services (mta and imap/php servers) are using, or set them up again to point to the new certificate location if you wish to (or inadvertently do) change it.
One last mention, you posted in a non-ISPConfig forum so I assume you are not using ISPConfig, where there are other considerations.
Ohh, I'm sorry, I was sure I had posted at the ISPConfig forum. Now I just updated ISPConfig with generating a new cert, but the archive directory is still empty, so I copied files from a backup of previous ISPConfig updates. I hope it helps, but now I'm worried about restarting services.
No problem, I moved your thread. Do you have acme.sh installed, or certbot, or both? The installer probably tells you which it is using when you update, but you need to use one or the other, not both, and it would be good to completely uninstall the one you're not using to avoid further confusion.
I have both; which is preferred by ISPConfig? ISPConfig says something about acme.sh, so I uninstalled certbot. I don't remember why I have both, but certbot was installed from the repository, and acme by some scripts :/
This is not entirely correct, but if your domain is not for education, then it won't be able to benefit from the Google Workspace fundamentals, which is still available for free up to 100TB jointly. My educational organization is still using it for free.

You shouldn't have both but one. If you start from scratch, acme.sh is the preferred ISPConfig LE client; on the other hand, if this server has already been operating with certbot, the best is to maintain certbot and remove acme.sh fully, which I think is your case.

Please note that the new way to install certbot properly on Debian, Ubuntu and most other OSes is now using snap, and you can check this in its instructions page. You may or may not have to upgrade your certbot by removing the current certbot via apt-get remove certbot, then install snap and use snap to install the latest certbot, but I advise that you should.

About running the ISPConfig email server, just ensure your server has full access to port 25. You already have @Jesse Norell here to help you with it, so you are in good hands.
I forgot to mention one thing which is quite crucial (at least to me) due to my recent experience, that is, @Jesse Norell has made an important fix at https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1541/diffs which modified installer_base.lib.php as follows:

Code:
    // certbot returns with 0 on issue for already existing certificate
    $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
    foreach (array( $ssl_crt_file, $ssl_key_file) as $f) {
        if (file_exists($f) && ! is_link($f)) {
            unlink($f);
        }
    }
    symlink($acme_cert_dir . '/fullchain.pem', $ssl_crt_file);
    symlink($acme_cert_dir . '/privkey.pem', $ssl_key_file);

Without the unlink command being run first, the symlink will fail and the older LE certs will be used instead of the latest, which will cause a security warning / access failure at least at the ISPConfig UI / control panel page; and since other services rely on the LE certs inside the ISPConfig SSL folder, that is, via symlink to them, they will most probably fail too.

Thus, when one wants to create LE certs for one's server or fix it, one should use the ISPConfig development package or fix that file in the ISPConfig 3.2.7p1 extracted package before running php -q update.php, as ISPConfig 3.2.7p1 doesn't include this fix. The known error is mentioned in this post: https://www.howtoforge.com/community/threads/certificat-problems-yet-again.88143/#post-430329
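Added example, not part of any post above and not ISPConfig's own code: a shell check for the two failure modes discussed in this thread, a service certificate that is a leftover regular file instead of a symlink into /etc/letsencrypt/live/, and a symlink whose target was deleted. The function names are hypothetical, and the file names ispserver.crt and ispserver.key (and the directory used in the usage note) are assumptions about the ISPConfig layout that do not appear on this page.

```shell
#!/bin/sh
# Added example: classify how the file a service reads relates to the
# Let's Encrypt "live" file it should point at.
# Prints one of: ok | wrong-target | dangling | stale-copy | missing

cert_link_state() {
    svc=$1    # path the service reads (assumed: ISPConfig's ispserver.crt/.key)
    live=$2   # expected target, e.g. /etc/letsencrypt/live/<hostname>/fullchain.pem

    if [ -L "$svc" ]; then
        # -e follows the link, so it fails when the target no longer exists
        if [ ! -e "$svc" ]; then
            echo dangling
        elif [ "$(readlink -f "$svc")" = "$(readlink -f "$live")" ]; then
            echo ok
        else
            echo wrong-target
        fi
    elif [ -e "$svc" ]; then
        # Regular file: a copy that renewals will never update
        echo stale-copy
    else
        echo missing
    fi
}

# Check certificate and key together; returns non-zero if either is not "ok".
check_host() {
    ssl_dir=$1    # directory holding ispserver.crt / ispserver.key (assumed names)
    live_dir=$2   # /etc/letsencrypt/live/<hostname>
    rc=0
    for pair in ispserver.crt:fullchain.pem ispserver.key:privkey.pem; do
        state=$(cert_link_state "$ssl_dir/${pair%%:*}" "$live_dir/${pair##*:}")
        echo "${pair%%:*}: $state"
        [ "$state" = ok ] || rc=1
    done
    return $rc
}

# Run as: sh check.sh <ssl_dir> <live_dir>
if [ $# -eq 2 ]; then
    check_host "$1" "$2"
fi
```

With the assumed ISPConfig layout this would be run as `sh check.sh /usr/local/ispconfig/interface/ssl /etc/letsencrypt/live/server.domain.pl` before restarting the mail and web services.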