Hello, I am using CentOS8 (RockyLinux) ISP-Config 3.2.7p1. Letsencrypt via python3-certbot. After the certificates were no longer being renewed, I unceremoniously installed acme.sh. Since the websites would not update, I triggered the creation of the certificates by hand: "acme.sh --issue --dns dns_hetzner -d 'DOMAIN.de' --server letsencrypt --force". Now when I create a new web, a vhost is created which is about 2 kB and contains only the virtualhost :80. ISP-Config itself created under /root/acme.sh/DOMAIN.de/ the files DOMAIN.de.conf, DOMAIN.de.csr, DOMAIN.csr.conf and DOMAIN.de.key. The following is entered in the DNS: "@ IN CAA 0 issue "letsencrypt.org""

Code:
    # /usr/local/ispconfig/server/server.sh
    /usr/bin/which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    /usr/bin/which: no acme.sh in (/usr/local/ispconfig/server/scripts)
    [Mo 14. Mär 10:49:13 CET 2022] www.domain.de:Verify error:Invalid response from http://www.domain.de/.well-known/acme-challenge/sodkbMU4RqpMqKPFhUenfT4O0cJOYqDxsjD5h1Mdlyc [176.9.19.231]: 403
    [Mo 14. Mär 10:49:13 CET 2022] Please check log file for more details: /var/log/ispconfig/acme.log
    [Mo 14. Mär 10:49:13 CET 2022] Please refer to https://curl.haxx.se/libcurl/c/libcurl-errors.html for error code: 3
    finished server.php.

    # usr/bin/which acme.sh
    /usr/bin/acme.sh

Code:
    # cat /etc/httpd/conf/sites-available/domain.de.vhost
    <Directory /var/www/domain.de>
        AllowOverride None
        Require all denied
    </Directory>

    <VirtualHost *:80>
        DocumentRoot /var/www/domain.de/web
        ServerName domain.de
        ServerAlias www.domain.de
        ServerAdmin [email protected]
        ErrorLog /var/log/ispconfig/httpd/domain.de/error.log

        Alias /error/ "/var/www/domain.de/web/error/"
        ErrorDocument 400 /error/400.html
        ErrorDocument 401 /error/401.html
        ErrorDocument 403 /error/403.html
        ErrorDocument 404 /error/404.html
        ErrorDocument 405 /error/405.html
        ErrorDocument 500 /error/500.html
        ErrorDocument 502 /error/502.html
        ErrorDocument 503 /error/503.html

        <Directory /var/www/domain.de/web>
            # Clear PHP settings of this website
            <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                SetHandler None
            </FilesMatch>
            Options +SymlinksIfOwnerMatch
            AllowOverride All
            Require all granted
            <Files ~ '.php[s3-6]{0,1}$'>
                Require all denied
            </Files>
        </Directory>

        <Directory /var/www/clients/client1/web7/web>
            # Clear PHP settings of this website
            <FilesMatch ".+\.ph(p[345]?|t|tml)$">
                SetHandler None
            </FilesMatch>
            Options +SymlinksIfOwnerMatch
            AllowOverride All
            Require all granted
            <Files ~ '.php[s3-6]{0,1}$'>
                Require all denied
            </Files>
        </Directory>

        # suexec enabled
        <IfModule mod_suexec.c>
            SuexecUserGroup web7 client1
        </IfModule>

        # add support for apache mpm_itk
        <IfModule mpm_itk_module>
            AssignUserId web7 client1
        </IfModule>

        <IfModule mod_dav_fs.c>
            # Do not execute PHP files in webdav directory
            <Directory /var/www/clients/client1/web7/webdav>
                <ifModule mod_security2.c>
                    SecRuleRemoveById 960015
                    SecRuleRemoveById 960032
                </ifModule>
                <FilesMatch "\.ph(p3?|tml)$">
                    SetHandler None
                </FilesMatch>
            </Directory>
            DavLockDB /var/www/clients/client1/web7/tmp/DavLock
            # DO NOT REMOVE THE COMMENTS!
            # IF YOU REMOVE THEM, WEBDAV WILL NOT WORK ANYMORE!
            # WEBDAV BEGIN
            # WEBDAV END
        </IfModule>
    </VirtualHost>
If by "unceremoniously" you mean you installed acme.sh but did not uninstall certbot, then you have both installed on your system, and that breaks certificates. Certificates created by hand break the ISPConfig certificate maintenance, so probably wrong certificates are used and certificates are not renewed by ISPConfig. There is an LE error FAQ. It helps to find what is wrong with certificates and how to fix it without breaking things more. https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

How absolutely true.
If I had left it like that, my mail customers would have rebelled because they could not pick up mail, and that would have broken my business.
You should have checked why certbot fails and fixed that instead of replacing it with acme.sh, which now breaks the whole server, as there is no migration path between certbot and acme.sh.
I have searched for weeks with the link regarding the LE error. It was only noticed that certbot does not renew the certificate when I came out of the hospital. I broke both my wings: a broken left elbow and broken fingers on the right. There was not much left but this emergency solution. Now I want to fix it, and I'm running up against limits.
You have basically two options: either switch back to certbot and remove all certs you created with acme.sh, or keep acme.sh and remove all certs you issued with certbot. In any case, you will have to use the Let's Encrypt error FAQ to find out why neither acme.sh nor certbot is currently working on your system.
It's expected that you don't get a 443 vhost without an SSL cert. @Taleman already suggested in post #2 what to do: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
And you would already have known for about 1.5 hours now why it's not created if you had followed the FAQ that @Taleman posted, as it covers such an issue as well in the final debug step. I will not post the FAQ link a third time here.
If you want to solve the issue, please start to follow the FAQ now. I'll post you the last step, which will get us forward with this issue: enable debug mode and disable the server.sh cronjob, then go to the website settings, enable the Let's Encrypt checkbox again and press save, then run the server.sh script and post the result that you get on the command line here in the forum. Besides the output from the debug procedure, run this command as root user and post the result: ls -la /var/www/clients/client1/web7/ssl/
The issue is solved. mod_security bit the communication away; adjust the appropriate rule, and you're good to go. Last year, Hetzner's servers were under attack. As a result, I configured mod_security with Fail2ban. And a little GeoIP with pure. Then there was peace. Well, with the certificates too now. Thx for your help.
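The root cause in this thread, a 403 on `/.well-known/acme-challenge/<token>` (first post) that turned out to be mod_security answering for that path (last post), is easy to catch before an issuance attempt rather than after. The script below is an added example, not code from the thread, from ISPConfig or from acme.sh: it writes a throwaway token into the webroot, fetches it over plain HTTP the way a CA's validation server would, and reports the status and whether the body came back unchanged. A 403 or a body mismatch means a WAF rule, a `Require all denied` block or another handler owns that path and will fail validation. The `run_local_demo` helper spins up a local server (with and without a simulated WAF block) so the check can be exercised without a real domain; everything else (webroot path, base URL) is supplied by the caller and is an assumption of this example.

```python
"""Pre-flight check for an HTTP-01 ACME challenge path (added example).

Usage: python acme_preflight.py /var/www/domain.de/web http://www.domain.de
"""
import functools
import http.server
import os
import secrets
import sys
import tempfile
import threading
import urllib.error
import urllib.request

CHALLENGE_DIR = os.path.join(".well-known", "acme-challenge")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface redirects as errors: the CA may follow them, but a forced
    http->https redirect on a host that has no certificate yet is itself a
    common reason validation fails, so we want to see it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def preflight_http01(webroot, base_url, timeout=5):
    """Return (ok, status, detail) for the challenge path below base_url.

    ok      True only if the token file round-trips byte-for-byte with 200.
    status  HTTP status received, or None if the connection failed.
    detail  short human-readable reason.
    """
    token = secrets.token_urlsafe(32)
    body = token + "." + secrets.token_urlsafe(16)  # stand-in for a key authorization
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(body)
    url = base_url.rstrip("/") + "/.well-known/acme-challenge/" + token
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight/0"})
        with urllib.request.build_opener(NoRedirect()).open(req, timeout=timeout) as resp:
            status = resp.status
            got = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        # 403 here is exactly the symptom from the thread: something answers
        # for the challenge path before the static file is served.
        return (False, exc.code, f"HTTP {exc.code} for {url}")
    except (urllib.error.URLError, OSError) as exc:
        return (False, None, f"connection failed: {exc}")
    finally:
        os.remove(path)
    if status != 200:
        return (False, status, f"unexpected status {status}")
    if got != body:
        return (False, status, "body mismatch: another handler answered for the path")
    return (True, status, "challenge path reachable")


class _Handler(http.server.SimpleHTTPRequestHandler):
    """Static file server that can imitate a WAF rule denying the challenge path."""

    block_challenge = False

    def do_GET(self):
        if self.block_challenge and "/.well-known/acme-challenge/" in self.path:
            self.send_error(403)  # what a blocking WAF rule returns
            return
        super().do_GET()

    def log_message(self, *args):  # keep the demo quiet
        pass


def serve_webroot(webroot, block_challenge=False):
    """Start a throwaway local server over webroot; returns (server, base_url)."""
    handler = type("Handler", (_Handler,), {"block_challenge": block_challenge})
    server = http.server.ThreadingHTTPServer(
        ("127.0.0.1", 0), functools.partial(handler, directory=webroot))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"


def run_local_demo():
    """Run the check against an open and a WAF-blocked local webroot (constructed)."""
    results = {}
    for name, blocked in (("open", False), ("blocked", True)):
        webroot = tempfile.mkdtemp(prefix="acme-preflight-")
        server, base_url = serve_webroot(webroot, block_challenge=blocked)
        try:
            ok, status, _ = preflight_http01(webroot, base_url)
        finally:
            server.shutdown()
            server.server_close()
        results[name] = (ok, status)
    return results


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: acme_preflight.py <webroot> <http://host>")
    ok, status, detail = preflight_http01(sys.argv[1], sys.argv[2])
    print("OK" if ok else "FAIL", status, detail)
    sys.exit(0 if ok else 1)
```

Run it as root on the web server with the site's real webroot and its http:// name before re-enabling the Let's Encrypt checkbox; a non-zero exit with a 403 points at the WAF or access rules for that path, while a redirect status points at an http-to-https rewrite that fires before a certificate exists.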