Invalid certificates

Discussion in 'General' started by mrbronz, Aug 9, 2021.

  1. mrbronz

    mrbronz Member HowtoForge Supporter

    HI all
    Some time ago I had a problem with the certificates not being secure, in my ignorance, I messed around with it and fobar'd it up.
    Well, it seems to have occurred again, this time I have done nothing in the hope I can locate the issue and create an automation for updating the certificate.
    I was asked last time to give the output of
    Code:
    ls -la /usr/local/ispconfig/interface/ssl/
    So here it is again
    Code:
    # ls -la /usr/local/ispconfig/interface/ssl/
    total 32
    drwxr-x--- 2 root      root      4096 Jun 21 00:19 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Apr 20 11:07 ..
    -rwxr-x--- 1 root      root        45 Jun  9 17:51 empty.dir
    -rwxr-x--- 1 root      root      3445 Apr 20 11:07 ispserver.crt
    -rwxr-x--- 1 root      root      1675 Apr 20 11:07 ispserver.key
    -rw------- 1 root      root      5120 Jun 21 00:19 ispserver.pem
    -rwxr-x--- 1 root      root      3172 Apr 20 12:08 ispserver.pem-210621001915.bak
    Any help or pointers would be very much appreciated
    Many thanks in advance
    Martin

    PS. Sorry, I think I previously posted this as a conversation to Till and Th0m.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. ahrasis

    ahrasis Well-Known Member

    Unless you are using acme.sh, that seems like self-signed certs. If you are using acme.sh that could be expired LE certs. If they are the later, you server has not renew the certs automatically. If it is the former, try force update ISPConfig and get LE certs. If that failed, check LE FAQ to troubleshoot as mentioned by @Taleman.
     
  4. mrbronz

    mrbronz Member HowtoForge Supporter

    Thank Taleman
    But not sure what I'm looking for as the install guide
    Code:
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
    states:-
    Code:
    11 Install Let's Encrypt
    ISPConfig is using acme.sh now as Let's Encrypt client. Install acme.sh using the following command:
    
    curl https://get.acme.sh | sh -s
    Which I followed
    Nothing is said about continually updating certificates
     
  5. mrbronz

    mrbronz Member HowtoForge Supporter

    How do I force an update?
     
  6. ahrasis

    ahrasis Well-Known Member

    ispconfig_update.sh --force

    Before you update, is this server quite new? Has you been using acme.sh from the beginning or you migrated from certbot?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The certs seem indeed to be either self-signed or acme.sh certs as they are no symlinks.
     
  8. mrbronz

    mrbronz Member HowtoForge Supporter

    I used the guide as stated above I have been updating and upgrading the server on a regular basis
     
  9. mrbronz

    mrbronz Member HowtoForge Supporter

    In that case Till have I missed something out?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    No, the situation is just a bit strange. You had valid LE certs, which did not renew and the guide you used is using certbot as le client, but these certs are not from certbot. So we have to find out now how all this fits together. Do you have a folder /root/.acme.sh on the server? You can check it with:

    ls /root/.acme.sh

    and you have a folder /etc/letsencrypt/live/ which contains a subfolder for the hostname of the server? You can get the server hostname by using the command:

    hostname -f
     
  11. mrbronz

    mrbronz Member HowtoForge Supporter

    I have the following output

    Code:
    # ls /root/.acme.sh
    account.conf  acme.sh.env  deploy  gregson.me.uk  martin.gregson.me.uk  trick-e-tronics.co.uk
    acme.sh       ca           dnsapi  http.header    notify
    # hostname -f
    martin.gregson.me.uk
    
     
  12. mrbronz

    mrbronz Member HowtoForge Supporter

    Sorry if I am confusing the issue but it seems like the cert is not working ONLY on port 8080 to ISP control pannel

    All other sites are working fine

    Code:
    https://martin.gregson.me.uk
    https://martin.gregson.me.uk:8080
    
     
    Last edited: Aug 9, 2021
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so you are using acme.sh for the ssl certs, not certbot. Do you have a website martin.gregson.me.uk in ISPConfig?
     
  14. mrbronz

    mrbronz Member HowtoForge Supporter

    Hi Till

    Yes I have a site in ISP martin.gregson.me.uk

    As far as I am aware I am using acme.sh for my SSL certs as per the guid
     
    Last edited: Aug 9, 2021
  15. mrbronz

    mrbronz Member HowtoForge Supporter

    I have only just noticed but I have 4 jobs in the job queue pending but that is to update my NS2 server, I don't think that will be an issue for this problem
     
  16. mrbronz

    mrbronz Member HowtoForge Supporter

    Edit
    Never mind on this point I found the solution...

    However, still have cert problem with port 8080
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, this explains your problem. acme.sh is only able to update one SSL cert location, so it can either update the SSL certs of that website or update the SSL certs from ISPConfig. The only solution is that you replace the SSL certs in ISPConfig with symlinks to the SSL certs of the website and then restart apache.
     
  18. mrbronz

    mrbronz Member HowtoForge Supporter

    Good morning Till
    Seems you are right, after fixing the job queue issue I left it over night and when I just came back to it port 8080 is now secure

    Would you say I still need to create the symlinks if so, which certs need to be symlinked to my local ISP control pannel site?
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    If it works now, then leave it as it is for now. If the error reoccurs in 3 months, then you should create symlinks.
     
    mrbronz likes this.
  20. mrbronz

    mrbronz Member HowtoForge Supporter

    Yes, I agree ... if it ain't broken don't fix it !!!

    THanks one and all
     

Share This Page