ISPC + Apache + Lets Encrypt

Discussion in 'Server Operation' started by Brad Trammell, Jan 11, 2020.

  1. Brad Trammell

    Brad Trammell New Member

    Hello! First time poster, long time user of the forums.
    I have an ISPC Server that just today started to have problems and I'm not sure where they started.
    When a client makes a configuration change the LetsEncrypt configuration gets removed from the configuration file for the domain. The only way to get LetsEncrypt into the configuration files and keep websites being served over SSL is to run 'certbot --apache' and select the websites and have it automatically add to the configuration file.

    However again, the next change through ISPC will remove it and overwrite the change.

    I'm not sure what happened, or why this is all of a sudden happening. Or if the master file somehow changed.

    Does anyone have any insight? I'm new to this forum, and this software so I'm not even really sure where to begin.

    Thanks

    Brad
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Brad Trammell

    Brad Trammell New Member

    I don't mean to be rude, but this doesn't seem to be an issue with LetsEncrypt. The certificates generate properly and using the command line included with ISPC I can manually add them to the configuration files with ease.

    The problem is that ISPConfig does not insert that information into the configuration files when it resyncs or re-generates them, leading me to believe this is an ISPConfig issue, not a Lets Encrypt issue.

    Additionally, this was working fine originally for months. It just started out of nowhere yesterday. No changes were made to the server prior to this issue happening.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You run a certbot command not suitable for an ISPConfig web server which will, of course, be overwritten. @Taleman pointed you in the right direction if you still want to manage your web server with ISPConfig.
     
  5. Brad Trammell

    Brad Trammell New Member

    While I appreciate the insight, I know 100% after significant testing this is NOT a Lets Encrypt issue. The certificates WERE issued by the default lets encrypt function built into ISPC. They were issued, renewed, and then deleted and reissued to verify it was not the certificates using that same method. NOT BY USING certbot -d example.com or any other method.

    The only way that I was able to RESTORE the configuration that ISPConfig should be putting into the vhost configuration files when SSL and LetsEncrypt are selected in the Web GUI was to use the certbot command with the apache plugin to manually add them to the vhost configuration file. The problem is that once the client updates the configuration, it overwrites the SSL configuration I manually added. Which is fine. The bigger problem is that ISPConfig is NOT adding the SSL information into the domain's vhost file when the configuration is regenerated. Lets Encrypt does not generate the vhost files, ISPConfig does, which means it's NOT Lets Encrypt.

    The fact that the certbot command is on the server is irrelevant, because it was not ever used to download any certificates used by ISPConfig or any of the client websites.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you want your web server to be managed with ISPConfig, then do it its way.

    To issue letsencrypt certificates and modify a domain vhost to use its ssl, one must do it via ISPConfig web settings page, not via terminal.

    Many have used this feature without any problems, so do it the ISPConfig way, or don't use ISPConfig at all; otherwise, as said, vhost settings added or modified by the certbot command you run will be overwritten.
     
  7. Brad Trammell

    Brad Trammell New Member

    Again, and not to be rude. But this IS how I've been doing it, and I have stated that since the very beginning. I don't know how to much more clearly spell it out than to put it in every language I can think of.

    WE ARE NOT ISSUING SSL CERTIFICATES VIA TERMINAL, THEY ARE BEING ISSUED VIA ISPCONFIG's WEB INTERFACE!

    Danish: VI UDGIVER IKKE SSL-CERTIFIKATER VIA TERMINAL, DE UDSTEDES VIA ISPCONFIGS WEB-grænseflade!
    German: WIR STELLEN KEINE SSL-ZERTIFIKATE ÜBER DAS TERMINAL AUS, SIE WERDEN ÜBER DIE WEB-SCHNITTSTELLE VON ISPCONFIG AUSGESTELLT!
    Spanish: ¡NO ESTAMOS EMITIENDO CERTIFICADOS SSL A TRAVÉS DE LA TERMINAL, ESTÁN EMITIDOS POR LA INTERFAZ WEB DE ISPCONFIG!
    Persian: ما از گواهینامه های SSL از طریق TERMINAL استفاده نمی کنیم ، آنها از طریق وب سایت ISPCONFIG از طریق ISPCONFIG استفاده می شوند!
    Finnish: Emme anna SSL-TODISTUKSIA TERMINALISSA, JOTKA JULKAISETAAN ISPCONFIGIN WEB-LIITTYMÄSSÄ!
    French: NOUS N'ÉMETTRONS PAS DE CERTIFICATS SSL PAR TERMINAL, ILS SONT ÉMIS PAR L'INTERFACE WEB DE ISPCONFIG!
    Japanese: ターミナル経由でSSL証明書を発行するのではなく、ISPCONFIGのWebインターフェイス経由で発行されます!
    Korean: 우리는 터미널을 통해 SSL 인증서를 발급하지 않고 ISPCONFIG의 웹 인터페이스를 통해 발급됩니다!
    Latin: WE ARE NOT ISSUING SSL CERTIFICATES VIA TERMINAL, THEY ARE BEING ISSUED VIA ISPCONFIG's WEB INTERFACE!
    Malay: KAMI TIDAK MENGGUNAKAN SERTIFIKAT SSL VIA TERMINAL, MEREKA MENGGUNAKAN INTERFACE WEB ISPCONFIG!
    Polish: NIE WYDAWAMY CERTYFIKATÓW SSL ZA POMOCĄ TERMINALU, WYDAJĄ SIĘ ZA POMOCĄ INTERFEJSU INTERNETOWEGO ISPCONFIG!
    Portuguese: NÃO ESTAMOS EMITIDO CERTIFICADOS SSL ATRAVÉS DO TERMINAL, ESTÃO SENDO EMITIDOS PELA INTERFACE WEB DA ISPCONFIG!
    Russian: МЫ НЕ ВЫПУСКАЕМ СЕРТИФИКАТЫ SSL С ПОМОЩЬЮ ТЕРМИНАЛА, ОНИ ВЫДАЮТ НА ВЕБ-ИНТЕРФЕЙСЕ ISPCONFIG!
    Swedish: VI UTGÖR INTE SSL-CERTIFIKAT VIA TERMINAL, DE FÅR UTFÖRAS VIA ISPCONFIGS WEB-INTERFACE!
    Ukrainian: МИ НЕ ВИДАЄМО СЕРТИФІКАТИ SSL ВІД ТЕРМІНАЛІВ, ВИ ВИДАЄТЬСЯ ВЕБ-ІНТЕРФЕКЦІЮ ВІА ISPCONFIG!
    Chinese: 我们不是通过终端发布SSL证书,而是通过ISPCONFIG的Web界面发布的!


    Let's forget completely here the fact that I have certbot installed on the system. It's not there for all intents and purposes. Because I know that's not attributing to this issue.

    When I create a new domain name, or modify a domain configuration that already exists via the ISPConfig interface... ISPConfig (when SSL and LetsEncrypt are selected via the domains configuration) is supposed to go and get the SSL certificate for that domain (granted the DNS is pointed properly), and once it is retrieved, it is supposed to then add the new certificate files to the configuration file for the vhost.

    While it is generating the SSL certificate. The problem....which I've stated countless times now, is that ISPConfig is NOT adding the SSL configuration to the vhost files. It's almost as if the master file is damaged or corrupted, but I can see the SSL configuration information in the vhost master.


    @till or @florian030
    I'm hoping maybe either of you have some insight as you seem to be the men to ask on this subject, and I seem to be getting nowhere fast on this thread.
     
  8. Steini86

    Steini86 Active Member

    Sounds silly, but have you tried switching it off and on again? Helped for me.
    Switch on debug logging, deactivate Letsencrypt for the host and activate it again after it's executed.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You said the above.
    This has to be done to determine the cause of your problem.
    I merely explained that what you have done to fix it in your opening post is wrong, and to determine the cause you need to follow the FAQ as suggested by @Taleman.

    I am not so sure whether you do understand, but you don't fix things using the certbot command and making changes manually.

    Read the thread mentioned by @Taleman and follow the FAQ.
     
    Last edited: Jan 15, 2020
  10. Brad Trammell

    Brad Trammell New Member

    As I've said multiple times in this thread. Creating the actual certificate IS NOT THE ISSUE!!!! The certificate gets created. But it's NOT BEING ADDED TO THE APACHE CONFIGURATION FILES!!!!

    I'm not sure how to say this more clearly than I'm already saying this. At this point I'm ready to say the hell with this panel as I'm being given support on something that is not even an issue! Additionally, the FAQ you sent is only for the certificate, not for what to do if the certificate isn't being added in the Apache configuration.
     
  11. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Did you follow step 11 from The Perfect Server tutorial?
    Something you could try as well is reconfiguring your services by running:
    Code:
    sudo -s
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3.1.15p2.tar.gz
    tar xvfz ISPConfig-3.1.15p2.tar.gz
    cd ispconfig3_install/install
    php -q update.php
    When asked if you want to reconfigure services, choose yes.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Ensure that you are using the latest ISPConfig version, which is 3.1.15p2
    2) Ensure that you use the latest certbot version.

    The reason for that is that older certbot versions stopped working due to LE disabling some auth methods, and the latest certbot versions, which work fine, also require the latest ISPConfig version; using an older version will cause SSL not to get activated. So your claim that Let's Encrypt is not the cause is not necessarily the case; I've seen several systems with exactly your issue and the cause was always Let's Encrypt.

    You posted this above:

    If you have really run the certbot --apache command on this system, then ISPConfig will not be able to edit the configuration files anymore because certbot --apache has duplicated the files, so all further attempts to use LE certs from ISPConfig must fail. Please check if that's the case by looking at the sites-enabled folder of Apache (/etc/apache2/sites-enabled/ on Debian and Ubuntu): is there any file/symlink with '-le' in its name?

    @Taleman referred you in post #2 to the Let's encrypt FAQ which shows the detailed steps to debug your issue as it covers the creation of certs and also the steps of writing and activating existing certs in the config, so this FAQ is a 100% match of your issue. I have not seen in your comments that you followed all the steps outlined in the FAQ, especially I don't see where you posted the ISPConfig debug output. So please follow each step from LE FAQ now and especially post the debug output from server.sh script when run right after you activated LE in a website.
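
The sites-enabled check described in the post above, together with a check for vhost files that carry no certificate directive, as an added example that is not part of the original thread and is not ISPConfig or certbot code. It assumes ISPConfig's vhost files end in `.vhost`; the function names and the sample directory contents are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit an Apache sites-enabled directory on an ISPConfig host.

# Print entries with "-le" in their name, the marker asked about in the thread.
# This is a name match only: a hostname such as "my-legal.example" also hits,
# so review each result by hand.
find_le_entries() {
    for f in "$1"/*-le*; do
        # -L also catches dangling symlinks, which -e reports as missing
        [ -e "$f" ] || [ -L "$f" ] || continue
        basename "$f"
    done
}

# Print *.vhost files (assumed ISPConfig naming) with no SSLCertificateFile
# line, i.e. sites whose generated config references no certificate.
ssl_missing_vhosts() {
    for f in "$1"/*.vhost; do
        [ -e "$f" ] || continue
        grep -Eqi '^[[:space:]]*SSLCertificateFile[[:space:]]' "$f" || basename "$f"
    done
}

# Constructed sample directory so the example runs without Apache installed.
make_sample_dir() {
    d="$(mktemp -d)"
    printf '<VirtualHost *:443>\n  SSLEngine on\n  SSLCertificateFile /path/to/example.com.crt\n</VirtualHost>\n' \
        > "$d/100-example.com.vhost"
    printf '<VirtualHost *:80>\n  ServerName example.org\n</VirtualHost>\n' \
        > "$d/100-example.org.vhost"
    printf '# constructed stand-in for a certbot-written copy\n' \
        > "$d/example.org.vhost-le-ssl.conf"
    echo "$d"
}

# Audit the directory given as $1, or the constructed sample if none is given.
dir="${1:-}"
[ -n "$dir" ] || { dir="$(make_sample_dir)"; cleanup=1; }
echo "Entries with -le in the name:"
find_le_entries "$dir"
echo "Vhosts without SSLCertificateFile:"
ssl_missing_vhosts "$dir"
[ -z "${cleanup:-}" ] || rm -rf "$dir"
```

On a Debian or Ubuntu host, pass `/etc/apache2/sites-enabled` as the first argument to audit the live directory instead of the sample.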
     
