ISPConfig - certificate is expired

Discussion in 'General' started by pyte, Nov 8, 2022.

  1. pyte

    pyte Active Member HowtoForge Supporter

    Hi,

    I have a problem with one of my mail servers, mail02, in my multiserver setup. My dsync configuration was not working, so I checked it manually.
    Code:
    Error: doveadm server disconnected before handshake: Received invalid SSL certificate: certificate has expired: /CN=mail02.domain.tld (check ssl_client_ca_* settings?)
    
    I went and checked the certificate on the host mail02.
    Code:
    openssl x509 -enddate -noout -in /usr/local/ispconfig/interface/ssl/ispserver.crt
    notAfter=Sep 21 13:05:24 2022 GMT
    So the certificate is indeed expired, it seems. I've checked the acme.log, which states that the certificate does not need a renewal yet.
    Code:
    [Di 8. Nov 00:17:01 CET 2022] Running cmd: cron
    [Di 8. Nov 00:17:01 CET 2022] Using config home:/root/.acme.sh
    [Di 8. Nov 00:17:01 CET 2022] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:01 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] ===Starting cron===
    [Di 8. Nov 00:17:02 CET 2022] Using config home:/root/.acme.sh
    [Di 8. Nov 00:17:02 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] GET
    [Di 8. Nov 00:17:02 CET 2022] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
    [Di 8. Nov 00:17:02 CET 2022] timeout=
    [Di 8. Nov 00:17:02 CET 2022] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L '
    [Di 8. Nov 00:17:02 CET 2022] ret='0'
    [Di 8. Nov 00:17:02 CET 2022] Already uptodate!
    [Di 8. Nov 00:17:02 CET 2022] Upgrade success!
    [Di 8. Nov 00:17:02 CET 2022] Using config home:/root/.acme.sh
    [Di 8. Nov 00:17:02 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] Auto upgraded to: 3.0.5
    [Di 8. Nov 00:17:02 CET 2022] Using config home:/root/.acme.sh
    [Di 8. Nov 00:17:02 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] _stopRenewOnError
    [Di 8. Nov 00:17:02 CET 2022] _server
    [Di 8. Nov 00:17:02 CET 2022] _set_level='2'
    [Di 8. Nov 00:17:02 CET 2022] di='/root/.acme.sh/mail02.domain.tld/'
    [Di 8. Nov 00:17:02 CET 2022] d='mail02.domain.tld'
    [Di 8. Nov 00:17:02 CET 2022] _renewServer
    [Di 8. Nov 00:17:02 CET 2022] Using config home:/root/.acme.sh
    [Di 8. Nov 00:17:02 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] DOMAIN_PATH='/root/.acme.sh/mail02.domain.tld'
    [Di 8. Nov 00:17:02 CET 2022] Renew: 'mail02.domain.tld'
    [Di 8. Nov 00:17:02 CET 2022] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
    [Di 8. Nov 00:17:02 CET 2022] Using config home:/root/.acme.sh
    [Di 8. Nov 00:17:02 CET 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Di 8. Nov 00:17:02 CET 2022] Skip, Next renewal time is: 2022-12-18T22:17:09Z
    [Di 8. Nov 00:17:02 CET 2022] Add '--force' to force to renew.
    [Di 8. Nov 00:17:02 CET 2022] Return code: 2
    [Di 8. Nov 00:17:02 CET 2022] Skipped mail02.domain.tld
    [Di 8. Nov 00:17:02 CET 2022] _error_level='3'
    [Di 8. Nov 00:17:02 CET 2022] _set_level='2'
    [Di 8. Nov 00:17:02 CET 2022] ===End cron===
    
    This seems to be a recurring issue with the host. I've already tried a forced update of ISPConfig, but the issue remains. I guess the only thing that helps is to move the current cert and recreate it with a forced update. Any ideas why this is not working?
     
  2. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    What are the ownership/permissions for the certificate file in /usr/local/ispconfig/interface/ssl? Maybe the immutable bit is set on it?

    It looks like the certificate is renewing OK, if it thinks it doesn't expire until 18th Dec, so maybe it is renewing the certificate without problems but can't move/copy the certificate files from the /root/.acme.sh/mail02.domain.tld folder to the /usr/local/ispconfig/interface/ssl folder.

    Did you create a website in ISPConfig also called mail02.domain.tld? If so, acme.sh can only move/copy the cert files to one place, and I believe acme.sh will copy them to /var/www/mail02.domain.tld/ssl instead of /usr/local/ispconfig/interface/ssl.

    Those are the only two scenarios I can think of.
     
    ahrasis and pyte like this.
  3. pyte

    pyte Active Member HowtoForge Supporter

    Thank you for the help. I'll check tomorrow what the issue might be. I'm sure I've messed up somewhere.
     
  4. pyte

    pyte Active Member HowtoForge Supporter

    This is the case. The certificate is in /root/.acme.sh/...../mail02.domain.tld.cer and is valid.
    Code:
    notAfter=Jan 18 21:17:07 2023 GMT
    This is the case too; I have a website called mail02.domain.tld for rspamd with the following Apache directives:

    Code:
    RewriteEngine On
    RewriteRule ^/rspamd$ /rspamd/ [R,L]
    RewriteRule ^/rspamd/(.*) http://127.0.0.1:11334/$1 [P]
    Header set Access-Control-Allow-Origin https://mail01.domain.tld
    Can you help me out? I need the rspamd configuration but need to make sure that the auto renew of the certificates is working correctly.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    What you can do to overcome the limitation of acme.sh to copy SSL certs to one place only is to symlink the certs. E.g. if the certs get updated in the website only now, symlink the ISPConfig certs to the website certs. Or, what might be better, edit the config of the cert in acme.sh (I guess there must be a file for that, I don't know the exact name though) and change the path inside it back to the ISPConfig SSL directory, and then symlink the website SSL certs to the ISPConfig SSL dir; that might be a better long-term solution. And in general, we will probably have to build some function in ISPConfig so that if someone creates a website for the hostname, it does not create a new LE cert for it but symlinks to the one from ISPConfig. The downside of such an approach would be that if someone just adds the hostname as an alias domain to a site, or adds other domains to a site issued for the hostname, then things would break again. So we have to consider carefully what the best solution for this case is.
     
  6. pyte

    pyte Active Member HowtoForge Supporter

    Right, makes sense. Quite a complex topic, as there are a lot of services that are or may be involved that use the same cert.
    I'll use your second approach. The name of the file is domain.tld.conf in the /root/.acme.sh/ directory.
    Code:
    Le_RealKeyPath='/var/www/clients/client0/web2/ssl/mail02.domain.tld-le.key'
    Le_RealFullChainPath='/var/www/clients/client0/web2/ssl/mail02.domain.tld-le.crt'
    Seems like these two lines need to be changed to the correct path. So it should read:
    Code:
    Le_RealKeyPath='/usr/local/ispconfig/interface/ssl/ispserver.key'
    Le_RealFullChainPath='/usr/local/ispconfig/interface/ssl/ispserver.crt'
    After that, create the symlinks with the following commands:
    Code:
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt /var/www/mail02.domain.tld/ssl/mail02.domain.tld.cer
    ln -s /usr/local/ispconfig/interface/ssl/ispserver.key /var/www/mail02.domain.tld/ssl/mail02.domain.tld.key
    ln -s /usr/local/ispconfig/interface/ssl/fullchain.cer /var/www/mail02.domain.tld/ssl/fullchain.cer
    Where does it determine where the fullchain.cer goes? Does this look right to you?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Looks fine to me. There are some actions which are done via the Let's Encrypt renew hook script; have a look at the file /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh. This was originally written by @ahrasis, so he might give you a more detailed answer. It is executed on renewal by acme.sh, if I remember correctly.
     
    pyte likes this.
  8. pyte

    pyte Active Member HowtoForge Supporter

    For the sake of completeness, the fullchain.cer does not need to be linked. acme.sh copies only two files to the configured location.
    • ispserver.key
    • ispserver.crt
    The ispserver.crt contains the full certificate chain. See:
     
    till likes this.
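A check-and-fix script for the situation diagnosed in post #2 (acme.sh renews fine but deploys to the website's ssl dir, or cannot overwrite an immutable target) and resolved in posts #6 and #8 (rewrite the two Le_Real* paths, then symlink the website's files to ISPConfig's copy). It is added here as an example and is not code from the thread, from ISPConfig or from acme.sh. It assumes acme.sh's layout as it appears in the log above: the renewal conf at /root/.acme.sh/<host>/<host>.conf and the renewed chain at /root/.acme.sh/<host>/fullchain.cer (an ECC issuance would use a <host>_ecc directory instead), and ISPConfig's copy as /usr/local/ispconfig/interface/ssl/ispserver.key and ispserver.crt. The website file names passed to link_website_certs are whatever the vhost actually references; in this thread those are the old Le_Real* values shown in post #6. Every function takes its paths as arguments so it can be exercised against a scratch directory; main() only runs when a hostname is given on the command line.

```shell
#!/bin/sh
# Added example for this thread; not ISPConfig or acme.sh code.
# acme.sh renews into /root/.acme.sh/<host>/ but deploys (copies) the result to
# exactly one place, recorded in <host>.conf as Le_RealKeyPath and
# Le_RealFullChainPath.  When a website with the server's hostname exists, those
# point at the website's ssl dir and the copy in ISPConfig's ssl dir goes stale
# without any error in the cron log.  All paths are parameters so the functions
# can be run against a scratch directory.

# Print the value of one Le_* key from an acme.sh renewal conf.
# Conf lines look like:  Le_RealKeyPath='/some/path'
acme_conf_get() {
    _key=$1
    _conf=$2
    sed -n "s/^${_key}='\(.*\)'"'$/\1/p' "$_conf" | tail -n 1
}

# 0 if both deploy paths are inside the expected directory, 1 otherwise
# (each offending key is printed).
check_deploy_paths() {
    _conf=$1
    _expected=$2
    _rc=0
    for _key in Le_RealKeyPath Le_RealFullChainPath; do
        _val=$(acme_conf_get "$_key" "$_conf")
        case "$_val" in
            "$_expected"/*) ;;
            *) echo "$_key='$_val' is not under $_expected"; _rc=1 ;;
        esac
    done
    return $_rc
}

# Post #6's edit: point both deploy paths at ISPConfig's ssl dir.  A backup of
# the conf is kept.  acme.sh reads these values only at renewal time, so the
# stale deployed copy is not refreshed until the next (possibly forced) renew.
set_deploy_paths() {
    _conf=$1
    _isp=$2
    cp "$_conf" "$_conf.bak"
    sed -e "s#^Le_RealKeyPath=.*#Le_RealKeyPath='$_isp/ispserver.key'#" \
        -e "s#^Le_RealFullChainPath=.*#Le_RealFullChainPath='$_isp/ispserver.crt'#" \
        "$_conf" > "$_conf.tmp" && mv "$_conf.tmp" "$_conf"
}

# Posts #6/#8's symlinks: the website's cert and key files become links to the
# ISPConfig copy.  Only crt and key are needed; acme.sh deploys exactly those
# two files and ispserver.crt already carries the full chain.
link_website_certs() {
    _isp=$1      # e.g. /usr/local/ispconfig/interface/ssl
    _web_crt=$2  # the crt path the website vhost references
    _web_key=$3  # the key path the website vhost references
    mkdir -p "$(dirname "$_web_crt")" "$(dirname "$_web_key")"
    ln -sfn "$_isp/ispserver.crt" "$_web_crt"
    ln -sfn "$_isp/ispserver.key" "$_web_key"
}

# 0 if the certificate in $1 is still valid for at least $2 more seconds,
# 1 if it expires sooner (or already has).  No date parsing needed.
cert_valid_for() {
    openssl x509 -noout -checkend "$2" -in "$1" >/dev/null 2>&1
}

# 0 if chattr +i is set on $1 (post #2's other suspect: acme.sh cannot
# overwrite an immutable file), 1 otherwise or when lsattr is unavailable.
is_immutable() {
    command -v lsattr >/dev/null 2>&1 || return 1
    lsattr -d "$1" 2>/dev/null | cut -d' ' -f1 | grep -q i
}

# Diagnose one host with the thread's real paths (run with the hostname).
main() {
    _host=$1
    _acme=/root/.acme.sh/$_host
    _isp=/usr/local/ispconfig/interface/ssl
    check_deploy_paths "$_acme/$_host.conf" "$_isp" \
        || echo "-> fix with: set_deploy_paths $_acme/$_host.conf $_isp"
    for _f in "$_acme/fullchain.cer" "$_isp/ispserver.crt"; do
        if [ ! -r "$_f" ]; then echo "missing: $_f"
        elif cert_valid_for "$_f" 0; then echo "valid:   $_f"
        else echo "EXPIRED: $_f"
        fi
    done
    for _f in "$_isp/ispserver.crt" "$_isp/ispserver.key"; do
        is_immutable "$_f" && echo "immutable bit set on $_f (chattr -i to clear)"
    done
    return 0
}

if [ $# -gt 0 ]; then
    main "$1"
fi
```

Run it on the affected host as `sh check-isp-cert.sh mail02.domain.tld`. Editing Le_RealKeyPath and Le_RealFullChainPath only changes where the next renewal is copied; an ispserver.crt that is already stale stays stale until acme.sh renews again, so a forced renew of that domain (the cron log itself points at `--force`) is what repopulates it, and the renew hook script mentioned in post #7 then runs as on any other renewal.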
  9. ahrasis

    ahrasis Well-Known Member

    I am currently still outstation and will be busy when I get back too.

    All I can think of for acme.sh for now is that you have to play with the renewal conf for that server hostname, as it should not matter where the certs were copied, since the original certs are always in the acme.sh SSL folder.

    In my mind, a solution that could be used for now (and in the future too, if it is good, acceptable and future-proof) is to use a direct symlink from the acme.sh SSL folder to the ISPConfig SSL folder and modify its renewal conf file to add the renewal hook.

    I think that will be it, as this won't affect or require much code for the website nor ISPConfig.

    This could also be implemented in the ISPConfig installer, if the developers agree, so that when it comes to the ISPConfig server, a symlink will be used, but if used in its website, copies will be made, like any other website.

    As far as my knowledge, experience and understanding of Let's Encrypt go, unless there are any scripts modifying its renewal conf, it won't be disturbed and should continuously work in the future, as certbot or acme.sh won't change the renewal conf. Do check and verify this.

    Note that I just played this out in my mind and did not test it, but it seems fine to me for now. Interested parties should look into it and test it as well for real results.
     
    pyte likes this.
