Hello there, I am using ISPConfig Version: 3.0.5.3 and Debian 7.11 on my server. I am trying to install an SSL certificate for a website but it is not working. I used the options create certificate, save certificate and even delete certificate, but it was useless. Using the terminal, I can see the certificate files are there in the ssl directory: domain.crt, domain.csr, domain.key and domain.key.org, and the bak for each of them. I tried to find something in the logs, but couldn't find anything about this domain's SSL. In /var/log I checked the ispconfig and apache logs. Do you have any ideas? Thanks for the help and have a nice day!
For the domain in question, do you have a .err file in /etc/apache2/sites-available (or the nginx equivalent, if you are using nginx)? That would indicate that the webserver did not restart properly with the certificate and reverted the configuration. I could think of problems that arise from your old software versions when trying with modern encryption. Also consider using at least letsencrypt certificates instead of self-signed (unless this server is not connected to the internet). There is always the option to enable ispconfig debug logging, make the change and see what's failing. => http://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/ Please note that Debian wheezy is end of life and even the extended long term support will end in the next months. Before changing a lot on your system, consider upgrading. Many of the problems will be magically gone (unfortunately, new ones will arise, too).
Thank you. I enabled the DEBUG mode. Last night I deleted the certificate using ispconfig, so now I created a new one. The log is below.

Code:
root@acmewebserver:~# /usr/local/ispconfig/server/server.sh
04.02.2020-14:21 - DEBUG - Set Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
04.02.2020-14:21 - DEBUG - Found 1 changes, starting update process.
04.02.2020-14:21 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
128032 semi-random bytes loaded
Generating RSA private key, 2048 bit long modulus
.........................................................................................................+++
........................................................+++
e is 65537 (0x10001)
writing RSA key
04.02.2020-14:21 - DEBUG - Creating self-signed SSL Cert for: www.domain.com
04.02.2020-14:21 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
setquota: Not setting block grace time on /dev/mapper/acmewebserver-root because softlimit is not exceeded.
setquota: Not setting inode grace time on /dev/mapper/acmewebserver-root because softlimit is not exceeded.
setquota: Not setting block grace time on /dev/mapper/vg001-lv001 because softlimit is not exceeded.
setquota: Not setting inode grace time on /dev/mapper/vg001-lv001 because softlimit is not exceeded.
04.02.2020-14:21 - DEBUG - Add server alias: www2.domain.com
04.02.2020-14:21 - DEBUG - Add server alias: domain.com.br
04.02.2020-14:21 - DEBUG - Creating fastcgi starter script: /home/www/php-fcgi-scripts/web170/.php-fcgi-starter
04.02.2020-14:21 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domain.com.vhost
04.02.2020-14:21 - DEBUG - Apache status is: running
04.02.2020-14:21 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
04.02.2020-14:21 - DEBUG - Apache restart return value is: 0
04.02.2020-14:21 - DEBUG - Apache online status after restart is: running
04.02.2020-14:21 - DEBUG - Processed datalog_id 1587
04.02.2020-14:21 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
finished.

"Writing the vhost file": there is no change to it, but the time that the file was edited has changed. Will it be a problem if I edit the sites-enabled file on apache2 myself? Again, thanks for the help and have a nice day!
Do you have a vhost template file in /usr/local/ispconfig/server/conf-custom/ ? If so, I'd guess your local template does not handle adding the certificate, and you should update it (copy the latest version from 'conf' and make your local changes to it). Yes; you can make changes and restart apache as a short term fix, but your changes will be overwritten the next time the vhost file is generated by ISPConfig.
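The checks suggested in the replies above can be run together for one site. This is an added example, not part of the original thread or ISPConfig's own code; the file names `vhost.conf.master` and `<domain>.vhost.err` are assumptions about how the template and the reverted config are named.

```shell
#!/bin/sh
# Added example (not from the thread): vhost checks for one ISPConfig site.
# Assumed names: vhost.conf.master (template), <domain>.vhost.err (reverted config).

# check_vhost DOMAIN [SITES_DIR] [CUSTOM_DIR]
# Prints one finding per line; returns 0 only when nothing blocks SSL.
check_vhost() {
    domain=$1
    sites=${2:-/etc/apache2/sites-available}
    custom=${3:-/usr/local/ispconfig/server/conf-custom}
    vhost="$sites/$domain.vhost"
    bad=0

    # A .err copy means the webserver did not restart with the new
    # configuration and the previous vhost file was restored.
    if [ -e "$vhost.err" ]; then
        echo "ERR_FILE $vhost.err"
        bad=1
    fi

    # A template in conf-custom overrides the shipped one. If it has no
    # certificate directive, none is written to the vhost either.
    tmpl="$custom/vhost.conf.master"
    if [ -f "$tmpl" ]; then
        if grep -q 'SSLCertificateFile' "$tmpl"; then
            echo "CUSTOM_TEMPLATE_HAS_SSL $tmpl"
        else
            echo "CUSTOM_TEMPLATE_NO_SSL $tmpl"
            bad=1
        fi
    fi

    # The generated vhost must reference the certificate to serve HTTPS.
    if [ ! -f "$vhost" ]; then
        echo "VHOST_MISSING $vhost"
        bad=1
    elif grep -Eq '^[[:space:]]*SSLCertificateFile[[:space:]]' "$vhost"; then
        echo "VHOST_HAS_SSL $vhost"
    else
        echo "VHOST_NO_SSL $vhost"
        bad=1
    fi
    return $bad
}
```

Run it as `check_vhost domain.com` on the server; a `CUSTOM_TEMPLATE_NO_SSL` line together with `VHOST_NO_SSL` matches the situation where the vhost is rewritten with no visible change.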
Have you checked if the root domain (i.e. the address without www.) points to the same IP address as the www. address? Sometimes they are configured with different DNS addresses and are actually located on different servers (maybe because of email?). I'm not sure if it's possible to generate a Certbot SSL certificate unless both addresses are the same. Does anyone know? How to configure www. SSL without root?
If the DNS points to the wrong (or old) server you get something like this in the /var/log/letsencrypt/ log:

Code:
Failed authorization procedure. avainexpert.fi (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://avainexpert.fi/.well-known/acme-challenge/uludFCynlHpOzo4z0vG5DfOCGJ4CmTJ5LLd_EdpQC3Y [79.134.108.134]:

The IP address gives a clue.
It is possible with a correct setup. E.g. if you had the domain website on one server and the www subdomain set up as a website on another server, each of those could request and receive a certificate. However, if your domain website had the default Auto-Subdomain setting of 'www', it would not be able to obtain a certificate, because it would try to request a single certificate with both the domain name and www subdomain included, and couldn't verify the latter.
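The DNS comparison discussed in the last three posts can be done before a certificate is requested. This is an added example, not part of the original thread; the `resolve` helper built on `getent ahostsv4` and the function name `names_for_cert` are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): which of DOMAIN and www.DOMAIN
# can this server validate over http-01?

# resolve NAME -> unique IPv4 addresses, one per line (assumed helper)
resolve() {
    getent ahostsv4 "$1" | awk '{print $1}' | sort -u
}

# names_for_cert DOMAIN SERVER_IP
# Prints the names whose only address is SERVER_IP, skipped names go to
# stderr. Returns 0 only if both names qualify, which is what a site with
# Auto-Subdomain set to 'www' needs, because both names go into one request.
names_for_cert() {
    domain=$1
    server_ip=$2
    ok=""
    for name in "$domain" "www.$domain"; do
        addrs=$(resolve "$name")
        if [ -z "$addrs" ]; then
            echo "SKIP $name: no A record" >&2
        elif [ "$addrs" = "$server_ip" ]; then
            ok="$ok $name"
        else
            # Another server would answer the challenge for this name.
            echo "SKIP $name: resolves to $(echo $addrs | tr ' ' ','), not $server_ip" >&2
        fi
    done
    echo "${ok# }"
    [ "$ok" = " $domain www.$domain" ]
}
```

Call it with the site's domain and the server's public address, for example `names_for_cert example.test 192.0.2.10` (placeholder values); a non-zero return with only one name printed is the case where Auto-Subdomain has to be changed or the DNS record fixed first.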
Now why didn't I think of that? I guess it's just a habit to enter only the root domain name in the Website config - probably because the "Auto-Subdomain" box assumes www.