ISPCONFIG change domain of server - cannot create new SSL certificate

Discussion in 'ISPConfig 3 Priority Support' started by Petar, Jun 30, 2021.

  1. Petar

    Petar Member HowtoForge Supporter

    Dear colleagues,
    I have created an ISPC with Th0m's new auto install, which I'm using as a clone for creating several VM ISPC servers.
    If I leave the same domain as in installation, I can create again the letsencrypt certificate during ISPconfig 3.2.5 update.
    But if I previously change the domain of the server everywhere (hosts, hostname, postfix, ftp, ISPC controller) the process doesn't succeed and it starts with manual unsigned ssl cert creation.

    During the creation, apache is restarted, finds some errors and doesn't start again.
    ---
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for sub.server.com
    Using certificate path /etc/letsencrypt/live/sub.server.com
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/sub.server.com
    sub.server.com:Verify error:Fetching http://sub.server.com/.well-known/acme-challenge/HqzpU-o6hSCgDmCv25q45Gwl324UbGJ489J9NhDhI: Timeout during connect
    ---

    Apache error log
    ---
    Passenger core shutdown finished
    AH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-apps.vhost:
    SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    ---

    I guess that I should delete all traces of the previous cert from acme.sh and vhosts or other files, and only then start the update with new cert.
    WHICH folders and files should I change, so that the acme.sh doesn't find its previous certs and issues a new one for the new domain?

    Best regards and many thanks for your help and support upfront

    Peter
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Is sub.server.com the old or the changed name?
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I cloned the minimal Debian server. Then I set up its IP-number and hostname like the install tutorial tells, and install ISPConfig.
    You make things complicated by changing the hostname after ISPConfig is installed.
     
  4. Petar

    Petar Member HowtoForge Supporter

    It's the new domain of the server. Acme cannot get the file because in the meantime the apache service is failing with the error.
     
  5. Petar

    Petar Member HowtoForge Supporter

    I have a ton of customizations like Iptables, ssh, fail2ban filters and jail, ipset with tons of ips, psad, ispconfig template, settings, postfix customizations, custom ports, postgresql, shared folders, backup scripts, etc...
    Besides, everything was working fine until recently with 5-6 changes of domain name like I mentioned in the post.
    Thanks for your advice
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, but then your issue is not caused by the previous cert as mentioned in the first post. What you can try is to remove the symlinks for the apps vhost and ispconfig vhost in the folder /etc/apache2/sites-enabled/ and recreate them later again.
     
  7. Petar

    Petar Member HowtoForge Supporter

    I will try that immediately.
    Just to be clear: If the old domain remains, every update or force update is working.
    Only when I rename the server (everywhere, and as previously working for years), now it's having this problem with the new cert.
     
  8. Petar

    Petar Member HowtoForge Supporter

    NO LUCK:
    ---
    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for new.server.com
    Using certificate path /root/.acme.sh/new.server.com
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/new.server.com

    new.server.com:Verify error:Fetching http://new.server.com/.well-known/acme-challenge/n_sV4pxT6i69yMqr7daZ-QYVD12354oSpg1s: Timeout during connect (likely firewall problem - comment:NOT BUT APACHE DOWN)

    Please add '--debug' or '--log' to check more details.

    See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt

    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    .....++++
    .....................................................................++++
    writing new private key to '/usr/local/ispconfig/interface/ssl/ispserver.key'
    -----


    APACHE:
    Reloaded The Apache HTTP Server.
    Syntax error on line 20 of /etc/apache2/sites-enabled/000-apps.vhost:
    SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty

    Action 'stop' failed.
    The Apache error log may have more information.
    Control process exited, code=exited, status=1/FAILURE
    Failed with result 'exit-code'.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    You removed /etc/apache2/sites-enabled/000-apps.vhost before, right? This means that the updater recreated the symlink before it tried to get the SSL cert.
     
  10. Petar

    Petar Member HowtoForge Supporter

    Yes, I removed both vhosts (should I remove ispconfig.conf also?) and checked the time of the apps.vhost; it was at the same moment as the update, so yes, it recreates it.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    No. I guess we'll have to investigate that further in the code to see if there is a workaround.
     
  12. Petar

    Petar Member HowtoForge Supporter

  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  14. Petar

    Petar Member HowtoForge Supporter

    I can confirm that by changing rename into copy, following the proposed changes here:
    https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6121
    I can now update the system with the new domain name...
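
Added example, not part of the thread and not ISPConfig code: the Apache errors quoted in the thread show the web server refusing to start because a vhost references a certificate file that does not exist or is empty, after which the HTTP validation times out. This POSIX shell function scans a vhost directory for such SSLCertificateFile / SSLCertificateKeyFile targets before a restart. The function names and the sample tree are constructed, and it assumes absolute paths without spaces.

```sh
#!/bin/sh
# check_vhost_certs DIR (hypothetical helper)
# Prints "vhost:line: directive path (missing|empty)" for every certificate or
# key file that Apache would reject; returns 1 if any problem was found.
check_vhost_certs() {
    dir=$1
    problems=$(
        for vhost in "$dir"/*; do
            [ -f "$vhost" ] || continue        # skips dangling symlinks
            # Directive names are case-insensitive; commented lines do not match.
            awk 'tolower($1) ~ /^sslcertificate(key)?file$/ {
                     gsub(/"/, "", $2); print FNR, $1, $2 }' "$vhost" |
            while read -r lineno directive path; do
                if [ ! -e "$path" ]; then
                    echo "$vhost:$lineno: $directive $path (missing)"
                elif [ ! -s "$path" ]; then
                    echo "$vhost:$lineno: $directive $path (empty)"
                fi
            done
        done
    )
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample tree: one vhost with a missing cert and an empty key.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/sites-enabled" "$root/ssl"
    : > "$root/ssl/ispserver.key"              # empty key file
    cat > "$root/sites-enabled/000-apps.vhost" <<EOF
<VirtualHost *:8081>
  SSLEngine On
  SSLCertificateFile $root/ssl/ispserver.crt
  SSLCertificateKeyFile $root/ssl/ispserver.key
</VirtualHost>
EOF
    echo "$root"
}

demo=$(make_demo_tree)
check_vhost_certs "$demo/sites-enabled" || echo "fix the files listed above before restarting Apache"
rm -rf "$demo"
```

On a real server the argument would be /etc/apache2/sites-enabled, the directory named in the thread.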
     
