Hi all. Some time ago I had a problem with the certificates not being secure; in my ignorance, I messed around with it and fubar'd it up. Well, it seems to have occurred again. This time I have done nothing, in the hope I can locate the issue and create an automation for updating the certificate. I was asked last time to give the output of
Code:
ls -la /usr/local/ispconfig/interface/ssl/
So here it is again:
Code:
# ls -la /usr/local/ispconfig/interface/ssl/
total 32
drwxr-x---  2 root      root      4096 Jun 21 00:19 .
drwxr-x---  9 ispconfig ispconfig 4096 Apr 20 11:07 ..
-rwxr-x---  1 root      root        45 Jun  9 17:51 empty.dir
-rwxr-x---  1 root      root      3445 Apr 20 11:07 ispserver.crt
-rwxr-x---  1 root      root      1675 Apr 20 11:07 ispserver.key
-rw-------  1 root      root      5120 Jun 21 00:19 ispserver.pem
-rwxr-x---  1 root      root      3172 Apr 20 12:08 ispserver.pem-210621001915.bak
Any help or pointers would be very much appreciated. Many thanks in advance,
Martin
PS. Sorry, I think I previously posted this as a conversation to Till and Th0m.
If this is about Let's Encrypt certificates, there is a Let's Encrypt Error FAQ in https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ which should show why the certificate cannot be created.
Unless you are using acme.sh, those seem like self-signed certs. If you are using acme.sh, they could be expired LE certs. If it is the latter, your server has not renewed the certs automatically. If it is the former, try a forced update of ISPConfig and get LE certs. If that fails, check the LE FAQ to troubleshoot, as mentioned by @Taleman.
Thanks Taleman. But I'm not sure what I'm looking for, as the install guide
Code:
https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
states:
Code:
11 Install Let's Encrypt
ISPConfig is using acme.sh now as Let's Encrypt client. Install acme.sh using the following command:
curl https://get.acme.sh | sh -s
which I followed. Nothing is said about continually updating certificates.
Code:
ispconfig_update.sh --force
Before you update, is this server quite new? Have you been using acme.sh from the beginning, or did you migrate from certbot?
No, the situation is just a bit strange. You had valid LE certs which did not renew, and the guide you used is using certbot as LE client, but these certs are not from certbot. So we have to find out now how all this fits together. Do you have a folder /root/.acme.sh on the server? You can check it with:
Code:
ls /root/.acme.sh
And do you have a folder /etc/letsencrypt/live/ which contains a subfolder for the hostname of the server? You can get the server hostname by using the command:
Code:
hostname -f
I have the following output:
Code:
# ls /root/.acme.sh
account.conf  acme.sh.env  deploy  gregson.me.uk  martin.gregson.me.uk  trick-e-tronics.co.uk
acme.sh  ca  dnsapi  http.header  notify
# hostname -f
martin.gregson.me.uk
Sorry if I am confusing the issue, but it seems like the cert is not working ONLY on port 8080, the ISP control panel. All other sites are working fine.
Code:
https://martin.gregson.me.uk
https://martin.gregson.me.uk:8080
OK, so you are using acme.sh for the SSL certs, not certbot. Do you have a website martin.gregson.me.uk in ISPConfig?
Hi Till. Yes, I have a site in ISPConfig, martin.gregson.me.uk. As far as I am aware I am using acme.sh for my SSL certs, as per the guide.
I have only just noticed that I have 4 jobs in the job queue pending, but that is to update my NS2 server; I don't think that will be an issue for this problem.
Edit: Never mind on this point, I found the solution. However, I still have the cert problem with port 8080.
OK, this explains your problem. acme.sh is only able to update one SSL cert location, so it can either update the SSL certs of that website or update the SSL certs of ISPConfig. The only solution is that you replace the SSL certs in ISPConfig with symlinks to the SSL certs of the website and then restart Apache.
Good morning Till. It seems you are right: after fixing the job queue issue I left it overnight, and when I just came back to it, port 8080 is now secure. Would you say I still need to create the symlinks? If so, which certs need to be symlinked to my local ISP control panel site?
If it works now, then leave it as it is for now. If the error reoccurs in 3 months, then you should create the symlinks.
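As an added example (not part of the thread, and not ISPConfig's own code) of the symlink approach Till describes: the script below points ispserver.crt and ispserver.key in /usr/local/ispconfig/interface/ssl/ at the acme.sh-managed certificate of the website that carries the server hostname, keeps timestamped backups in the same style as the ispserver.pem-210621001915.bak file in the listing above, and rebuilds ispserver.pem (key followed by cert) because that file is a real file, not a link, and has to be regenerated after each renewal. The website ssl directory and the "<hostname>-le.crt"/"-le.key" file names are assumptions; adjust them to the actual web's ssl directory on your server. Nothing touches the live system unless ISPCONFIG_APPLY=1 is set.

```shell
#!/bin/sh
# Added example: replace ISPConfig's interface certificate files with symlinks
# to the website's acme.sh certificate and rebuild ispserver.pem.
# The default paths under "apply" are assumptions, not values from the thread.
set -eu

# Back up a regular file with a timestamp suffix (mirrors the
# "ispserver.pem-210621001915.bak" naming seen on the server); a stale
# symlink carries no data, so it is simply removed.
backup_or_unlink() {
    f="$1"
    if [ -L "$f" ]; then
        rm -f "$f"
    elif [ -e "$f" ]; then
        mv "$f" "$f-$(date +%y%m%d%H%M%S).bak"
    fi
}

# link_ispconfig_certs SRC_CRT SRC_KEY SSL_DIR
# Points SSL_DIR/ispserver.crt and ispserver.key at the website's files and
# regenerates SSL_DIR/ispserver.pem (key + cert) with mode 600.
link_ispconfig_certs() {
    src_crt="$1"; src_key="$2"; ssl_dir="$3"
    [ -r "$src_crt" ] || { echo "missing certificate: $src_crt" >&2; return 1; }
    [ -r "$src_key" ] || { echo "missing key: $src_key" >&2; return 1; }
    [ -d "$ssl_dir" ] || { echo "no such directory: $ssl_dir" >&2; return 1; }
    for name in ispserver.crt ispserver.key ispserver.pem; do
        backup_or_unlink "$ssl_dir/$name"
    done
    ln -s "$src_crt" "$ssl_dir/ispserver.crt"
    ln -s "$src_key" "$ssl_dir/ispserver.key"
    # ispserver.pem must be a real file; rebuild it in a subshell so the
    # restrictive umask does not leak into the caller.
    (umask 077; cat "$ssl_dir/ispserver.key" "$ssl_dir/ispserver.crt" > "$ssl_dir/ispserver.pem")
    chmod 600 "$ssl_dir/ispserver.pem"
}

# links_point_to SSL_DIR SRC_CRT SRC_KEY
# Succeeds only when both ispserver.crt and ispserver.key are symlinks to the
# given files; use it to verify the state after a renewal.
links_point_to() {
    ssl_dir="$1"; src_crt="$2"; src_key="$3"
    [ -L "$ssl_dir/ispserver.crt" ] && [ "$(readlink "$ssl_dir/ispserver.crt")" = "$src_crt" ] &&
    [ -L "$ssl_dir/ispserver.key" ] && [ "$(readlink "$ssl_dir/ispserver.key")" = "$src_key" ]
}

# cert_not_after CERT_FILE: prints the notAfter date of an X.509 certificate,
# handy for a cron job that checks whether port 8080 is about to expire again.
cert_not_after() {
    openssl x509 -noout -enddate -in "$1" | sed 's/^notAfter=//'
}

# Apply on a real server only when explicitly requested. WEB_SSL_DIR and the
# "<hostname>-le.crt" naming are assumptions; check the web's ssl folder first.
if [ "${ISPCONFIG_APPLY:-0}" = "1" ]; then
    WEB_SSL_DIR="${WEB_SSL_DIR:-/var/www/clients/client1/web1/ssl}"
    HOST="$(hostname -f)"
    link_ispconfig_certs "$WEB_SSL_DIR/$HOST-le.crt" "$WEB_SSL_DIR/$HOST-le.key" \
        /usr/local/ispconfig/interface/ssl
    cert_not_after /usr/local/ispconfig/interface/ssl/ispserver.crt
    systemctl restart apache2
fi
```

Run it once with ISPCONFIG_APPLY=1 after confirming the two source files exist; afterwards only ispserver.pem needs regenerating when acme.sh renews the website cert, which the same function does idempotently (the existing symlinks are removed and recreated, the old pem is backed up).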