ISPCONFIG 3.2.4 SSL for Panel and mail did not renew

Discussion in 'ISPConfig 3 Priority Support' started by ganewbie, May 10, 2021.

  1. ganewbie

    ganewbie Member HowtoForge Supporter

    The server is Ubuntu 20.04.1 LTS (Focal Fossa) with ISPConfig 3.2.4.
    The server is functioning OK, but there is one issue.
    srv1.example.com is the host that has a valid SSL certificate and the certificate renewed properly.
    Code:
    Checking / creating certificate for srv1.example.com
    Using certificate path /etc/letsencrypt/live/srv1.example.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
    
    
    The issue here is:
    The panel and the mail server did not get the renewed certificate. It appears that the symlink is pointing to something wrong. How come, and how do I fix it?
    Thanks in advance,
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Rerun the update with
    Code:
    ispconfig_update.sh --force
     
    ganewbie likes this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You cannot force renewal on LE certs that have not yet passed 60 days of their 90-day expiry term.
     
    ganewbie likes this.
  4. ganewbie

    ganewbie Member HowtoForge Supporter

    @Th0m
    Yes, and I answered yes to renew services. I did that, but no luck.
    Agreed,
    but my dilemma is that srv1.example.com has a properly renewed LE cert,
    while srv1.example.com:8080 and SMTP seem to be pointing (symlinked) to something else!!??
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You should check what the symlink in the ISPConfig ssl folder points to, so you know what the source is and whether it is the right source.
     
  6. ganewbie

    ganewbie Member HowtoForge Supporter

    Here is what the symlink is pointing to, which is correct, but the certificate is not updated. Yet when I go to srv1.example.com, the browser shows a green bar.
    Code:
    root@srv1:~# ls -l /etc/letsencrypt/live/srv1.example.com
    total 4
    lrwxrwxrwx 1 root root  42 Feb  1 15:56 cert.pem -> ../../archive/srv1.example.com/cert1.pem
    lrwxrwxrwx 1 root root  43 Feb  1 15:56 chain.pem -> ../../archive/srv1.example.com/chain1.pem
    lrwxrwxrwx 1 root root  47 Feb  1 15:56 fullchain.pem -> ../../archive/srv1.example.com/fullchain1.pem
    lrwxrwxrwx 1 root root  45 Feb  1 15:56 privkey.pem -> ../../archive/srv1.example.com/privkey1.pem
    -rw------- 1 root root 692 Feb  1 15:56 README
    I have a weird host domain that has been updated; not sure how?
    Code:
    root@srv1:~# ls -l /etc/letsencrypt/live/srv1.example.com-0001/
    total 4
    lrwxrwxrwx 1 root root  47 Apr 14 18:12 cert.pem -> ../../archive/srv1.example.com-0001/cert2.pem
    lrwxrwxrwx 1 root root  48 Apr 14 18:12 chain.pem -> ../../archive/srv1.example.com-0001/chain2.pem
    lrwxrwxrwx 1 root root  52 Apr 14 18:12 fullchain.pem -> ../../archive/srv1.example.com-0001/fullchain2.pem
    lrwxrwxrwx 1 root root  50 Apr 14 18:12 privkey.pem -> ../../archive/srv1.example.com-0001/privkey2.pem
    -rw-r--r-- 1 root root 692 Feb 13 14:38 README
     
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    @ahrasis meant the symlinks in /usr/local/ispconfig/interface/ssl/ ... what do those files/symlinks look like?
     
  8. ganewbie

    ganewbie Member HowtoForge Supporter

    Here you are:
    Code:
    root@srv1:~# ls -l /usr/local/ispconfig/interface/ssl/
    total 64
    -rwxr-x--- 1 root root   45 May 10 15:30 empty.dir
    lrwxrwxrwx 1 root root   54 May 10 15:30 ispserver.crt -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    -rwxr-x--- 1 root root 2025 Jan 25 14:07 ispserver.crt-20210131172109.bak
    lrwxrwxrwx 1 root root   54 Jan 31 17:21 ispserver.crt-20210201151502.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    lrwxrwxrwx 1 root root   54 Feb  1 15:15 ispserver.crt-20210201155630.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    lrwxrwxrwx 1 root root   54 Feb  1 15:56 ispserver.crt-20210214070449.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    lrwxrwxrwx 1 root root   54 Feb 14 07:04 ispserver.crt-20210510153025.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    -rwxr-x--- 1 root root 1716 Jan 31 20:41 ispserver.csr
    lrwxrwxrwx 1 root root   52 May 10 15:30 ispserver.key -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    -rwxr-x--- 1 root root 3243 Jan 25 14:07 ispserver.key-20210131172109.bak
    -rwxr-x--- 1 root root 3247 Jan 31 20:41 ispserver.key-20210201151502.bak
    lrwxrwxrwx 1 root root   52 Feb  1 15:15 ispserver.key-20210201155630.bak -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    lrwxrwxrwx 1 root root   52 Feb  1 15:56 ispserver.key-20210214070449.bak -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    lrwxrwxrwx 1 root root   52 Feb 14 07:04 ispserver.key-20210510153025.bak -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    -rwxr-x--- 1 root root 3311 Jan 31 20:41 ispserver.key.secure
    -rwxr-x--- 1 root root 7057 May 10 15:30 ispserver.pem
    -rwxr-x--- 1 root root 5268 Jan 25 14:07 ispserver.pem-20210131172109.bak
    -rwxr-x--- 1 root root 5312 Jan 31 20:41 ispserver.pem-20210201151502.bak
    -rwxr-x--- 1 root root 7057 Feb  1 15:56 ispserver.pem-20210214070449.bak
    -rwxr-x--- 1 root root 7057 Feb 14 07:04 ispserver.pem-20210510153025.bak
    
     
    Last edited: May 11, 2021
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I suspect the certs in
    /etc/letsencrypt/live/srv1.example.com-0001/ are used for your site currently, and
    /etc/letsencrypt/live/srv1.example.com/ for your panel. Try symlinking the certs to the 0001 certs.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't normally like it when there are additional 0001, 0002, etc., so I would delete them all and request new certs instead. For that I would run rm -rf /etc/letsencrypt/*/srv1.example.com* and, since it is for the server itself, force updating ISPConfig and choosing to create SSL certs should, in my mind, issue new certs under /etc/letsencrypt/*/srv1.example.com. This is because I think symlinking ISPConfig SSL certs to 0001 LE SSL certs may not be future-update safe / proof, but I could be wrong.
     
  11. ganewbie

    ganewbie Member HowtoForge Supporter

    @Th0m Tried that and it works. Thanks.
    @ahrasis I like your approach, but when I did that,
    I could not restart apache2, for the following reason:
    Code:
    May 12 10:06:35 srv1 apachectl[2921107]: AH00526: Syntax error on line 129 of /etc/apache2/sites-enabled/100-srv1.example.com.vhost:
    May 12 10:06:35 srv1 apachectl[2921107]: SSLCertificateFile: file '/var/www/clients/client0/web9/ssl/srv1.example.com-le.crt' does not exist or is empty
    May 12 10:06:36 srv1 apachectl[2921098]: Action 'start' failed.
    
    
    root@srv1:~# ls -l /var/www/clients/client0/web9/ssl/
    total 0
    lrwxrwxrwx 1 root root 55 Feb 13 14:38 srv1.example.com-le.bundle -> /etc/letsencrypt/live/srv1.example.com-0001/chain.pem
    lrwxrwxrwx 1 root root 59 Feb 13 14:38 srv1.example.com-le.crt -> /etc/letsencrypt/live/srv1.example.com-0001/fullchain.pem
    lrwxrwxrwx 1 root root 57 Feb 13 14:38 srv1.example.com-le.key -> /etc/letsencrypt/live/srv1.example.com-0001/privkey.pem
    Is it safe to edit the symlink, or what is the best way to get this fixed?
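    The two listings above (the panel's /usr/local/ispconfig/interface/ssl/ in post 8 and the site's /var/www/clients/client0/web9/ssl/ in post 11) were checked by eye. The script below is an added example, not code from the thread or from ISPConfig, that does the same check for any directory of certificate symlinks: it follows each link to its final target and reports whether that target exists and is non-empty (the exact condition Apache's "does not exist or is empty" error is about), and it lists every live/ lineage for a hostname so a NAME and NAME-0001 pair is visible at a glance. Function names (check_link_dir, lineage_variants, make_fixture) are my own; the fixture is a constructed copy of the thread's layout in a temp directory, with placeholder files instead of real certificates, and the -0001 archive deleted to reproduce the dangling link from post 11. Nothing under /etc/letsencrypt is touched.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): audit a directory of
# certificate symlinks. For each symlink, resolve it fully and classify the
# target as OK, EMPTY or DANGLING. Returns non-zero if anything is wrong.
# Usage: check_link_dir /usr/local/ispconfig/interface/ssl
check_link_dir() {
    dir=$1
    status=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue            # only symlinks are interesting here
        target=$(readlink -f "$link" 2>/dev/null) || target="(unresolvable)"
        if [ ! -e "$target" ]; then
            state=DANGLING; status=1
        elif [ ! -s "$target" ]; then
            state=EMPTY; status=1
        else
            state=OK
        fi
        printf '%-8s %s -> %s\n' "$state" "$(basename "$link")" "$target"
    done
    return $status
}

# List the live/ directories named NAME or NAME-NNNN (certbot creates NAME-0001
# when it treats a request as a new lineage) together with where each one's
# fullchain.pem really resolves, so two sets of files for one host stand out.
# Usage: lineage_variants /etc/letsencrypt/live srv1.example.com
lineage_variants() {
    live=$1; name=$2
    for d in "$live/$name" "$live/$name"-[0-9][0-9][0-9][0-9]; do
        [ -d "$d" ] || continue
        t=$(readlink -f "$d/fullchain.pem" 2>/dev/null) || t="(target missing)"
        printf '%s -> %s\n' "$(basename "$d")" "$t"
    done
}

# Constructed fixture (hypothetical, not real certificates): archive/ + live/
# for srv1.example.com and srv1.example.com-0001, a panel dir linked to the
# first lineage, a site dir linked to the second, then the -0001 archive
# removed as in post 10, which leaves the site links dangling as in post 11.
make_fixture() {
    root=$(cd "$(mktemp -d)" && pwd -P)
    for lineage in srv1.example.com srv1.example.com-0001; do
        case $lineage in *-0001) n=2 ;; *) n=1 ;; esac
        mkdir -p "$root/archive/$lineage" "$root/live/$lineage"
        for f in cert chain fullchain privkey; do
            printf 'placeholder %s\n' "$f" > "$root/archive/$lineage/$f$n.pem"
            ln -s "../../archive/$lineage/$f$n.pem" "$root/live/$lineage/$f.pem"
        done
    done
    mkdir -p "$root/panel" "$root/web9"
    ln -s "$root/live/srv1.example.com/fullchain.pem" "$root/panel/ispserver.crt"
    ln -s "$root/live/srv1.example.com/privkey.pem"   "$root/panel/ispserver.key"
    ln -s "$root/live/srv1.example.com-0001/fullchain.pem" "$root/web9/srv1.example.com-le.crt"
    ln -s "$root/live/srv1.example.com-0001/privkey.pem"   "$root/web9/srv1.example.com-le.key"
    rm -r "$root/archive/srv1.example.com-0001"
    printf '%s' "$root"
}

# Demo run on the fixture.
root=$(make_fixture)
echo "== panel";    check_link_dir "$root/panel" || echo "panel links need attention"
echo "== web9";     check_link_dir "$root/web9"  || echo "site links need attention"
echo "== lineages"; lineage_variants "$root/live" srv1.example.com
rm -r "$root"
```

On a real server run check_link_dir against both directories from the thread and lineage_variants against /etc/letsencrypt/live; a DANGLING line is the symlink Apache will refuse to start on, and two lineage lines for one hostname is the situation where the panel and the site can end up on different certificates. To see which certificate a resolved file actually is, `openssl x509 -noout -enddate -in "$(readlink -f /usr/local/ispconfig/interface/ssl/ispserver.crt)"` prints its expiry.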
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The cert for the site web9 is symlinked to the /etc/letsencrypt cert. That causes Apache to fail. What you can do is:
    - remove the files in /var/www/clients/client0/web9/ssl that are symlinked to the Let's Encrypt folder
    - remove the folders as @ahrasis described
    - start apache
    - disable LE for srv1.example.com through the ISPConfig panel and re-enable it.
    - Wait for it to finish and check if the cert is successfully created
    - Run a forced update, choose to get a new SSL cert
     
  13. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks for the quick response, but I have already got a new certificate for srv1.example.com after I followed @ahrasis' recommendation. Is there a way to edit the symlink without requesting another certificate?
    I am not sure who is creating the symlink; is it the ISPConfig3 panel? And is it safe to delete the current one and create the symlink manually?
     
    Last edited: May 12, 2021
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    When running the update, it will recognize there is an existing cert and use it.
     
  15. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks @Th0m
    I guess you replied while I was typing my message.
    What I have done is:
    Code:
    ln -sfn /etc/letsencrypt/live/srv1.example.com/chain.pem srv1.example.com-le.bundle
    ln -sfn /etc/letsencrypt/live/srv1.example.com/fullchain.pem srv1.example.com-le.crt
    ln -sfn /etc/letsencrypt/live/srv1.example.com/privkey.pem srv1.example.com-le.key
    Restarted apache, and everything is in order.
    Do I expect that this action would cause any issues, or was what I have done safe to do?
    As an FYI for any newbies:
    The -n option is necessary when linking to a different target folder, to avoid creating a sub-folder inside that symbolic link and instead replace the symbolic link completely.
     
    Last edited: May 12, 2021
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This guide can be followed if you want to do it manually: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     
