ISPConfig 3 not allowing SSL setup on domain

Discussion in 'Installation/Configuration' started by paranoico, Feb 11, 2024.

  1. paranoico

    paranoico New Member

    Not sure if Installation/Configuration is the correct place to post this issue:
    After setting up a new server using the automated installation on a new Debian 11 VM, I used the migration toolkit to copy all the ISPConfig configuration from the old server.
    Some days after, I created a new customer's domain and some weeks after they asked for an HTTPS certificate for the webmail page (roundcube).
    Days ago, tried to set up SSL for the whole domain from within ISPConfig -> Site page using the SSL and Let's Encrypt SSL options. Nothing happened (!!!) and the Let's Encrypt SSL was deactivated after some minutes.
    So started to search on internet for such behavior, and yesterday found the following on ISPConfig cron.log on the exact time when I tried to activate the Let's Encrypt SSL option:
    Not sure what was going on, I reviewed the server and found that certbot was not even installed, so manually installed it (I am using Apache on that web server):
    sudo apt install python3-certbot-apache

    Then today tried again the Let's Encrypt SSL option, but the errors persisted. So continued the research and found this and tried the reported solution:
    sudo su
    cd /root/.acme.sh
    ./acme.sh --server letsencrypt --set-default-ca
    exit

    Finally, after activating again the Let's Encrypt SSL option, it worked and domain now has the HTTPS connection configured.
    Hope somebody can review this and can help others with similar situation.
    Thanks a lot for your great ISPConfig software.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Because it should not be installed on any recent setup, installing it messes up your system. So the first step to fix your system is to uninstall it and hopefully you have not run it yet, as it destroys the site setup if you do for any site. The only reason for having certbot installed is if you migrated from a certbot system, but then your new system must be explicitly set up for certbot using the command option of the auto installer as mentioned in the migration tutorial and your system would not have acme.sh then.

    What you should have done is simply follow the Let's Encrypt error FAQ step-by-step:

    https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

    If you installed the system with the auto-installer, then acme.sh was already installed exactly like this, unless you have chosen certbot but then no acme.sh would be present at all.
     
    ahrasis likes this.
  3. paranoico

    paranoico New Member

    Thanks Till, but unfortunately that guide is very well hidden so just now I know it exists.

    I did not use it at all, only thought I would be missing. I am going to uninstall it now, thanks. The thing is that the cron.log DO NOT report any valid error message, so I was guessing how to fix the problem.

    Well, sorry but clearly acme.sh was not installed that way and did not set the default CA, maybe an auto-installer error???
    Thanks again.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Well hidden? It is a sticky post and pinned at the top of the forum so nobody can miss it, and it is mentioned in basically any Let's Encrypt related thread of the past few years as we always tell users to follow it step-by-step if they have an issue with Let's Encrypt.

    That's what the debug log is for, but it's all explained in the Let's Encrypt FAQ and hundreds of other posts here in the forum.

    It's very unlikely and I have not seen any such case in the past years. For example, preventing the CA from being set would require you to change the code as it's hard coded and always executed. Also, acme.sh is automatically downloaded and installed in case it's missing if you try to issue a cert in ISPConfig.

    Your problem was likely something else, but as you did not follow the Let's Encrypt FAQ, we can not reconstruct this now.

    So, to sum it up, if anyone finds this thread in the future, do not follow the instructions from the first post, as e.g., installing Certbot will mess up your system and manually installing acme.sh is also not needed and will not solve your problem as ISPConfig retries to install it anyway when you issue a cert and it's not there, but installing certbot manually can prevent that. If you have an issue, just follow the Let's Encrypt error FAQ: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/
     
    ahrasis likes this.
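A read-only check for the two conditions this thread argues about (added example, not ISPConfig's or the posters' code): whether certbot and acme.sh are both present on the host, and which default CA acme.sh has recorded. The path /root/.acme.sh comes from the first post; the DEFAULT_ACME_SERVER key in account.conf, the ACME_DIR override and both function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: report the Let's Encrypt client state of a host.
# It only reads files and PATH; it installs, removes and issues nothing.

# acme_default_ca ACME_HOME
# Prints the CA directory URL acme.sh has saved as its default, or "unset".
# Assumption: "acme.sh --set-default-ca" stores the choice as
#   DEFAULT_ACME_SERVER='<url>'   in ACME_HOME/account.conf
acme_default_ca() {
    conf="$1/account.conf"
    [ -r "$conf" ] || { echo "unset"; return 0; }
    # Take the last matching line and strip optional single/double quotes.
    ca=$(sed -n "s/^DEFAULT_ACME_SERVER=['\"]\{0,1\}\([^'\"]*\)['\"]\{0,1\}\$/\1/p" "$conf" | tail -n 1)
    echo "${ca:-unset}"
}

# le_client_state ACME_HOME [SEARCH_PATH]
# Prints one of: acme.sh-only | certbot-only | both | none
# "both" is the mixed state the thread warns about after a manual
# certbot install on an acme.sh-based setup.
le_client_state() {
    acme_home="$1"
    search_path="${2:-$PATH}"
    have_acme=no
    have_certbot=no
    [ -f "$acme_home/acme.sh" ] && have_acme=yes
    # Look certbot up in a subshell so the caller's PATH is untouched.
    ( PATH="$search_path"; command -v certbot >/dev/null 2>&1 ) && have_certbot=yes
    case "$have_acme/$have_certbot" in
        yes/yes) echo "both" ;;
        yes/no)  echo "acme.sh-only" ;;
        no/yes)  echo "certbot-only" ;;
        *)       echo "none" ;;
    esac
}

# ACME_DIR is a hypothetical override for testing; default is the path
# used in the first post. Run as root, otherwise /root is unreadable.
dir="${ACME_DIR:-/root/.acme.sh}"
echo "LE client: $(le_client_state "$dir")"
echo "acme.sh default CA: $(acme_default_ca "$dir")"
```

A result of "both", or a default CA that is not a Let's Encrypt directory URL, is worth noting before working through the debug steps in the Let's Encrypt error FAQ linked above.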
  5. paranoico

    paranoico New Member

    Sorry Till, but it is not clear to me how to apply that page to my issue. There is nothing about the ISPConfig behavior in it, so to me it is not useful. Of course, you are the expert, so to you it is clear enough.

    Did not know also about the debug log (I have no such option on the Monitor -> Logs page) and again I found nothing about the precise ISPConfig behavior, only the other post that helped me resolve the issue.

    Again, the other post was created in October 2022, about one and a half years ago.

    Thanks again for your time.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    It applies exactly to your issue as this post is about all possible causes that lead to the non-issuing of an LE cert. And according to your first post, you had an issue with an LE cert not being issued.

    The debug log is shown on the shell when you execute server.sh as described in the debug instructions. It is shown in the GUI as well, but it makes more sense to get them in realtime on the shell. You should have read the posts until the end.

    Ok, so we have two systems out of several ten thousand installations that were made in between that did not have such an issue, where at least the old post was a case where the user messed around with the LE client install a lot manually and tried to set up certbot as you did, as he tried to set up DNS auth. And this messing around with the LE setup likely caused his LE account to become unregistered or caused the use of another account. As said, if you had followed the debug instructions, this would have shown up directly in the debug log, what the real issue was.
     
    ahrasis likes this.
  7. paranoico

    paranoico New Member

    Well, again, it was much more useful the post with the answer that worked.

    No, I have no option in the GUI. Could not find where the logs were.

    Well, I am also a developer (more than 30 years of experience), and thought you could be interested about knowing it was another system with that kind of issue. But clearly you are not. For the next time I will not post anything. And I DO NOT execute let's encrypt, only installed it.

    If your point is: "you are an ignorant who does not read or find properly", well hell YES, I am, I have tens of other things to do more than dig in ISPConfig to find out what the problem is, so I searched for a solution. And I found it.
    And I use ISPConfig on all my servers, also use several "how to" and have paid for the Migration Toolkit and sometimes for the manual also. I am your customer Till, just to let you know.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Thank you for supporting the ISPConfig project.
     
    ahrasis likes this.
