Hello, I did install Debian 10 + ISPConfig 3.2.1 on a new VM. Everything works fine - but I couldn't figure out why SSL is not working for port 8080 (ISPConfig). The URL for ISPConfig is: https://vps2.domain.com:8080. I have added a site https://vps2.domain.com and Let's Encrypt SSL works fine. In the past I could simply ln (symlink) a certificate and that worked fine. I did notice that certificates are now under /root/.acme.sh. I am not sure how to go ahead. Couldn't find anything in the manual (it's 3.1 based). I am a bit confused when I look at the other posts (please note: I do run ISPConfig and a site on the same domain). I am hoping someone can point me in the right direction. Thank you.
The panel has a different vhost for port 8080 than your site on vps2.domain.com. You can go through this guide to use that cert for the panel: https://www.howtoforge.com/tutorial...ript-for-your-ispconfig-pem-file-ispserverpem or set up a cert with a force upgrade and select yes for Let's Encrypt SSL cert.
Hi Tom, I am confused now... Sorry. I am using the LE4ISPC script on my other server. I was under the impression that the LE4ISPC script was not required anymore and that this would automatically work with ISPConfig 3.2.1. Might be that I do misunderstand this? The renewal script does not work for me. And the LE4ISPC script doesn't work either as it can't find certbot. I might want to install certbot? But I did notice the following line in crontab:

54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

Looking at this: I don't know what to expect and what is best practice for ISPConfig 3.2.1 at this stage. I did follow this tutorial for Debian 10 and ISPConfig 3.2.1: https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ Thank you.
The 3.2.1 installer will offer to request a letsencrypt certificate for the server's hostname (hostname -f) if the cert files/symlinks in /usr/local/ispconfig/interface/ssl/ do not exist. If that fails it can fall back to generating a self-signed certificate. If that suits your needs, you could remove those files/symlinks, cleanup LE4ISPC and any cronjobs/etc. which support it, and run the ispconfig installer again, and answer yes to generating a certificate.
EDIT: I did just try running LE4ISPC after installing certbot [apt install certbot] and it works. At the first run of le4ispc.sh I had to set my e-mail address, agree with the Terms of Service and answer some y/n questions. So, this resolved my issue. Please be aware of this. I am still not sure what's the best practice as the documentation manual is not updated (it's still 3.1). I will leave my initial question below this line. EDIT: This has been resolved - please read the info ^^ above this line ^^ Thanks Jesse... still confused. Do you know if LE4ISPC works after installing certbot? And doesn't it interfere with /root/.acme.sh? I did also read about an issue with this on the newest Debian version: https://github.com/ahrasis/LE4ISPC/issues/12
You should use either acme.sh OR certbot. acme.sh is installed by default in 3.2 and above. Not sure if LE4ISPC works with acme.sh. I use the tutorial I shared earlier. When using acme.sh, you will need to change some paths. You can also use the built-in script in the updater, of course.
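To see which client the panel's certificate files currently come from, the symlinks in the SSL directory can be inspected. This is an added example, not part of any post in the thread or of ISPConfig; the path patterns and the sample file names in the constructed demo tree are assumptions.

```sh
#!/bin/sh
# Added example: show which ACME client each panel cert file comes from.
# Assumption: symlinks into */.acme.sh/* are acme.sh's, symlinks into
# */letsencrypt/* are certbot's (its default /etc/letsencrypt tree).

cert_source() {
    # Prints one of: acme.sh | certbot | other | dangling | file
    if [ -L "$1" ]; then
        [ -e "$1" ] || { echo dangling; return 0; }
        case $(readlink "$1") in
            */.acme.sh/*)    echo acme.sh ;;
            */letsencrypt/*) echo certbot ;;
            *)               echo other ;;
        esac
    else
        echo file
    fi
}

panel_ssl_report() {
    # $1 = SSL directory; the default is the path named in the thread.
    dir=${1:-/usr/local/ispconfig/interface/ssl}
    acme=0; certbot=0
    for p in "$dir"/*; do
        [ -e "$p" ] || [ -L "$p" ] || continue   # empty dir: glob unmatched
        src=$(cert_source "$p")
        echo "${p##*/}: $src"
        case $src in
            acme.sh) acme=1 ;;
            certbot) certbot=1 ;;
        esac
    done
    if [ "$acme$certbot" = 11 ]; then
        echo "verdict: mixed acme.sh and certbot"
    else
        echo "verdict: not mixed"
    fi
}

# Constructed demo tree (not real server paths): one file from each client.
t=$(mktemp -d)
mkdir -p "$t/root/.acme.sh/host" "$t/etc/letsencrypt/live/host" "$t/ssl"
: > "$t/root/.acme.sh/host/host.cer"
: > "$t/etc/letsencrypt/live/host/privkey.pem"
ln -s "$t/root/.acme.sh/host/host.cer" "$t/ssl/ispserver.crt"
ln -s "$t/etc/letsencrypt/live/host/privkey.pem" "$t/ssl/ispserver.key"
panel_ssl_report "$t/ssl"
rm -rf "$t"
```

On a real server, run `panel_ssl_report` with no argument as root to inspect the default directory.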
Thanks Th0m. It still confuses me a bit - I might be spoiled with LE4ISPC as it does what I require. Please see my previous reply https://www.howtoforge.com/community/threads/ispconfig-3-2-1-ssl-new-installation.85899/#post-414423 EDIT: I did also reboot the server to see if everything still works. Everything seems to work. I can view web pages, use ISPConfig and send/receive e-mails.
LE4ISPC still works in most cases, but as its writer I personally advise not to use it on servers that use ISPConfig 3.2 and above, mainly for the reason that in recreating ispserver.pem, incron might fail sometimes, while the hook's chances of success are much higher. I am supposed to rewrite the LE4ISPC script for the better, including removing the old incron approach, but I've kinda become lazier lately, maybe due to the pandemic LazyVirus20. ;-P
The functionality is now built into the ISPConfig installer; there is no separate script needed anymore since ISPConfig 3.2.
I did notice the creation of a certificate for ISPConfig during install / update. Does this also work for the services? I am looking for some more information about this. The manual was still on version 3.1 when I last checked. Thanks for all the effort and help.
The script will ask whether you want to set up that same cert for Postfix, Dovecot, and Pure-FTPd. The manual is outdated. It is not really maintainable so we want to introduce a new system, but I don't know when that will be done.
Thanks Th0m. I guess I just want to disable LE4ISPC and next run the update script to reconfigure ISPConfig. Looking at the release notes I have to run "php -q update.php" and not "ispconfig_update.sh", right? https://www.ispconfig.org/blog/ispconfig-3-2-released/ Thanks.
You can download it and run that, but

Code:
ispconfig_update.sh

works fine. Select stable to upgrade to the latest stable version.
That means you already have 3.2.1. To run the update script anyways, use

Code:
ispconfig_update.sh --force
It's all working now. Thank you. I had to "turn it off and on again"... as incron was borking. I did comment out the line(s) for LE4ISPC. After running the update script I got 400% CPU load... whoops. I did completely remove and purge incrontab. It's a bit spooky when something like that happens.
Manually removing the LE4ISPC incron settings and the existing LE SSL certs for the server, then running the ISPConfig update on the server with an SSL request, should be the right way. However, I think if you don't remove the existing LE SSL certs before the said update, you may find that certbot does not add the latest hook in the renewal file, since if I remember correctly it is not coded to do that automatically. Please do check your server's LE cert renewal conf file, just to confirm what I said above, if you didn't remove the existing certs before proceeding with re-securing the server before the update.
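The renewal conf check suggested in the last post can be scripted. This is an added example, not code from the thread, LE4ISPC or ISPConfig; it assumes certbot's standard /etc/letsencrypt/renewal directory and hook key names, and the sample configs and hook path are constructed placeholders.

```sh
#!/bin/sh
# Added example: list certbot renewal configs that carry no hook.
# Assumption: hooks are stored as pre_hook / post_hook / renew_hook
# under the [renewalparams] section of each renewal .conf file.

renewal_hooks() {
    # Print "key=value" for every hook set in the renewal conf $1.
    awk '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && /^(pre_hook|post_hook|renew_hook)[ \t]*=/ {
            sub(/[ \t]*=[ \t]*/, "=")
            if ($0 !~ /=(None)?$/) print   # empty/None counts as unset
        }' "$1"
}

confs_without_hook() {
    # $1 = renewal directory; the default is certbot's standard location.
    dir=${1:-/etc/letsencrypt/renewal}
    for conf in "$dir"/*.conf; do
        [ -f "$conf" ] || continue
        [ -n "$(renewal_hooks "$conf")" ] || echo "${conf##*/}"
    done
}

# Constructed sample configs; host names and the hook path are placeholders.
t=$(mktemp -d)
cat > "$t/vps2.domain.com.conf" <<'EOF'
cert = /etc/letsencrypt/live/vps2.domain.com/cert.pem
[renewalparams]
authenticator = webroot
EOF
cat > "$t/mail.example.test.conf" <<'EOF'
cert = /etc/letsencrypt/live/mail.example.test/cert.pem
[renewalparams]
authenticator = webroot
renew_hook = /usr/local/bin/example_renew_hook.sh
EOF
confs_without_hook "$t"
rm -rf "$t"
```

A conf file listed by `confs_without_hook` will renew its certificate without running anything afterwards, so services that read a copied or combined certificate file keep serving the old one.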