Hi Guys I know this is going to be simple - but need someone to point me in the right direction. I have installed IPSc 3.2.5 on a new Ubuntu 20.04 server - but hadn't set the subdomain CNAME record before letting the autoinstaller run, so the SSL certificate didn't get created. I could trash the server and run the install again, now the CNAME record exists, but assume that there must be a way to force a renew from the console - or at the CLI on the server... Can anyone help? Many thanks & sorry for being such a noob!
Use command
Code:
ispconfig_update.sh --force
and let it create certificate when the script asks for it.
OK, so even though I hate to admit it, I still have a problem... but before I trash my Ubuntu VM and start again I thought I'd eat some humble pie first as @Taleman was so so helpful. So, to recap what I have done... I started with a fresh install of Ubuntu 20.04, then followed the setup instructions. I edited the /etc/hosts file to look like this;
Code:
127.0.0.1 localhost.localdomain localhost
127.0.1.1 ispconfig.mydomain.com ispconfig
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

On my router, I have forwarded the following TCP ports to the installation: 20,21,22,25,80,443,40110-40210,110,143,465,587,993,995,53,8080,8081
And the following UDP ports: 53

As I mentioned in my original post I hadn't created CNAME / A records for the domain so obviously it failed... but I have added the following DNS records;

After running the force update it seemed to work and, as instructed, I told it to install a new SSL cert... but the ISPConfig installation at either mydomain (8080) or ispconfig.mydomain (8080) shows as insecure. I can't put a proper link as being such a noob I can't post links ;-)

Anyway, as I am using it for a few personal sites for friends I thought 'OK I can live with the SSL error', but when I tick the SSL box on my test website, it too shows as insecure... so I am guessing that the fact the installation isn't signed that any websites hosted on it will fail too? I am close to deleting and starting again - but if there are any thoughts on how to fix this before starting again I would be very grateful. Thanks
That's not the case, each SSL cert is separate and if LE refuses to create an SSL cert for one domain e.g. because you don't have a DNS A-Record for it pointing to the server, then this does not mean that you won't get an SSL cert for another domain which has a valid SSL record. I've noticed that you are using cname records, try replacing them with a-records. And there is a detailed FAQ on how to FIX Let's encrypt errors: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
OK, a quick update... I had a friend who is very skilled in Ubuntu take a look and he managed to sort the issue out. He said that acme.sh had tried to create the SSL for ispconfig.mydomain.com and when it failed, rather than delete the attempt, it just kept failing every time. So, we created a new A Record - ispconfig2.mydomain.com and re-ran the update script and it worked first time! Sorry I can't provide any more details, but fixing this was beyond me - but hopefully this snippet may help someone who finds this post! Thanks for the help
How many times did you try to run the installer/cert generation? LE has a low cap (5 I think) on failures for a host. Not sure if the failure rate for a domain exists. In any case it's possible that your attempts after failed because of the cap. Anyway, the logs at /var/log/letsencrypt will tell you why they failed; if it was the cap reached then that lifts after a few days (not sure on the exact number but it's in their docs)
Thanks @Chris_UK - I know that LE has a finite number of attempts because I have fallen foul of that on other projects previously. I am pretty certain this wasn't the issue as I had attempted about 3 times... after my friend had a look he did trigger an error saying that the number had been exceeded. The error message once it tripped the "too many attempts" changed to;
Code:
acme.sh is installed, overriding certificate path to use /root/.acme.sh/ispconfig.mydomain.com
[Mon Jul 26 22:51:08 UTC 2021] Create new order error. Le_OrderFinalize not found. {
  "type": "urn:ietf:params:acme:error:rateLimited",
  "detail": "Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/",
  "status": 429

I did run a test on another virgin server, to see if it failed too, by creating a new A-record for the domain and re-running the ISPConfig autoinstaller before the A-record was pointing at the correct IP caused exactly the same issue, which we were unable to remedy. But thanks for the input ;-)
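
Added example, not part of any post in this thread: a pre-flight check that the hostname already resolves to the server's public address before the installer or update script requests a certificate, so that a missing DNS record does not use up failed authorizations. The function names, the hostname and the IP address are hypothetical placeholders; because the server in this thread sits behind a router with port forwarding, the expected address is assumed to be the router's public IP and is passed in by hand.

```shell
#!/bin/sh
# Added example: DNS pre-flight check before requesting a Let's Encrypt cert.
# Usage (placeholder values): ./dns_preflight.sh ispconfig.example.test 203.0.113.10

# resolve_a HOST: print the IPv4 addresses HOST resolves to, one per line.
# `dig +short` also prints CNAME targets, so keep only dotted-quad lines.
resolve_a() {
    dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# dns_ready HOST EXPECTED_IP
# Returns 0 if every address for HOST equals EXPECTED_IP,
#         1 if HOST has no address yet,
#         2 if HOST resolves to a different address.
dns_ready() {
    host=$1
    expected=$2
    addrs=$(resolve_a "$host") || true
    if [ -z "$addrs" ]; then
        echo "FAIL: $host has no A record yet" >&2
        return 1
    fi
    for a in $addrs; do
        if [ "$a" != "$expected" ]; then
            echo "FAIL: $host resolves to $a, expected $expected" >&2
            return 2
        fi
    done
    echo "OK: $host -> $expected"
    return 0
}

# Run the check only when called with both arguments.
if [ "$#" -eq 2 ]; then
    dns_ready "$1" "$2" || exit $?
fi
```

Run `ispconfig_update.sh --force` only after the check prints OK; a non-zero exit means the certificate request would fail validation.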