ISPConfig + letsencrypt update

Discussion in 'General' started by toffie, Jun 22, 2020.

  1. toffie

    toffie Member

    Hey all,

    I'm in a bit of panic state.. I've forgot all about the letsencrypt update and its just a few days left.

    The server is running Debian Jessie, with Apache, in live mode - so I can't just take it down, install a new OS version and so on..
    I'm running ISPConfig version 3.1.11 - I know, there are newer versions, but the risk of crash due to possible bugs in ISPConfig makes me not wanna try, if possible. Again - Live system.

    My head is just spinning around and I really don't know what to do and I've missed a couple hundred things that you guys want to know to be able to help me. Just throw it at me and I'll reply as soon as possible.

    I really hope you can help me without taking down the server.

    Big Thanks in advance!!

    // Chris


    I've found the following things, but it didn't work;
    apt update
    apt install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt update
    apt upgrade -y
    apt remove letsencrypt -y
    apt install python-certbot-apache -y
    from the thread;
    But that is Ubuntu and doesn't work on this specific server I'm using.

    Trying to uninstall "letsencrypt" like above says that it is not available. add-apt-repository - sure, but there are none available for Debian, only Ubuntu.

    I also followed step 1-3 on this site;
    But then what.. Step 4? What should I pick - if this is even the right way to go? I really don't know as ISPConfig is supposed to handle the certbot communication for adding and renewing certs..

    2020-06-22 12:36:03,820:DEBUG:certbot.main:certbot version: 0.24.0
    2020-06-22 12:36:03,822:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', '', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'domainredacted', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    2020-06-22 12:36:03,822:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-06-22 12:36:03,850:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    2020-06-22 12:36:03,851:DEBUG:certbot.cli:Deprecation warning circumstances: /opt/ / {'LANG': 'sv_SE.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': '/opt/'}
    2020-06-22 12:36:03,877:DEBUG:certbot.log:Root logging level set at 20
    2020-06-22 12:36:03,879:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-06-22 12:36:03,881:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2020-06-22 12:36:03,893:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f7d99d59810>
    Prep: True
    2020-06-22 12:36:03,895:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f7d99d59810> and installer None
    2020-06-22 12:36:03,895:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2020-06-22 12:36:03,907:DEBUG:certbot.main:Picked account: <Account(RegistrationResource(body=Registration(status=u'valid', terms_of_service_agreed=None, contact=(u'mailto:[email protected]',), agreement=u'', key=JWKRSA(key=<ComparableRSAKey(<cryptography.hazmat.backends.openssl.rsa._RSAPublicKey object at 0x7f7d9919a490>)>)), uri=u'', new_authzr_uri=u'', terms_of_service=u''), cc3fb0fb23ab9baee09c08ea2fc2c773, Meta(creation_host=u'domainredacted', creation_dt=datetime.datetime(2018, 5, 16, 10, 58, 9, tzinfo=<UTC>)))>
    2020-06-22 12:36:03,910:DEBUG:acme.client:Sending GET request to
    2020-06-22 12:36:03,921:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1):
    2020-06-22 12:36:04,565:DEBUG:requests.packages.urllib3.connectionpool: "GET /directory HTTP/1.1" 200 658
    2020-06-22 12:36:04,566:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Mon, 22 Jun 2020 10:36:04 GMT
    Content-Type: application/json
    Content-Length: 658
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    Replay-Nonce: 0001wmke8y-Ls0baOdSF9kEV7XWhOvulLoz3eaDc143WPhA
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
      "F8phwSnWdMM": "",
      "key-change": "",
      "meta": {
        "caaIdentities": [
        "terms-of-service": "",
        "website": ""
      "new-authz": "",
      "new-cert": "",
      "new-reg": "",
      "revoke-cert": ""
    2020-06-22 12:36:04,585:INFO:certbot.renewal:Cert not yet due for renewal
    2020-06-22 12:36:04,586:INFO:certbot.main:Keeping the existing certificate
  2. ahrasis

    ahrasis Well-Known Member

    In my view simply remove letsencrypt and certbot and then install certbot-auto would be the best option, instead of adding certbot repo and install certbot.

    Certbot-auto will auto update by checking update first when its command is being called and since you were using letsencrypt / certbot, IMHO your system should run fine with it.

    Or if you wish to use, simply remove certbot and let ISPConfig install it for you.

    This script will also auto update itself, but in using it, you'll find that its directory structures are different if compared to certbot; thuswise IMHO this should not be tried in production server like yours.
  3. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    the first step is to calm down and stop panicking. you're much more likely to make a mistake and break things if you're panicking.

    secondly, and this is much quicker/easier if you don't have a lot of domains with certificates.
    if, and ONLY if your certificates are still able to renew ok, in ispconfig, deselect letsencrypt on those websites. then delete the conf files for them in /etc/letsencrypt/renewal and the domain's folders in /etc/letsencrypt/archive and /etc/letsencrypt/live.
    re-enable the letsencrypt certs on those websites.
    you now have completely new letsencrypt certificates on all those sites. since they're should only auto-renew when they're within 30 days of expiry, you now have 60 days in which to update your letscencrypt/certbot software before you run into any problems.
    that should help you calm down a bit...
    hopefully you won't have anyone wanting new letsencrypt certs until you've got a solution in place.

    i'd now suggest you spend the 60 day window you've given yourself getting a new server instance with debian buster installed and working with the latest ispconfig as per the perfect server tutorial, and migrate your existing system to the new one. especially since jessie goes end-of-life in 8 days time. even if you do this just on a temporary vps so you can keep everything live and active whilst you re-install/upgrade the old server without having to worry about downtime and then migrate everything back to the old server.
    as an added bonus to this getting you onto the latest debian and ispconfig releases, it also resolves your outdated letsencrypt/certbot software issue.
    30uke and Th0m like this.
  4. toffie

    toffie Member

    Thanks ahrasis!
    I believe I have "installed" certbot-auto when following this link, as it says certbot-auto in step 3

    However, there are more steps to the guide and I do not know if ISPConfig wants me to do
    /usr/local/bin/certbot-auto --apache
    as it says in the guide.

    Also, I have no idea on how to use and I don't know how to remove certbot/lets encrypt from the system.

    With my panicking.. :) I went full on.. I said screw it and started updating screws, bolts, software, patch cables.. well.. ok.. not really :)

    But I looked back at the howtoforge guide I used for the installation

    and I saw.. hey.. I should have downloaded certbot into the /opt/certbot folder.. so I checked.. and sure enough.. there it was! I ran the script ./certbot-auto and it started updating to v2 and it all went on extremely smoothly. It also asked which domain I wanted to renew and I did that - worked perfectly.

    But just to F things up, I went into ISPConfig and disabled SSL + Let's Encrypt and then reenable it, just to see that it works from ISPConfig.. and no.. it didn't..

    Checked the logfiles and ISPConfig got a complaint that Let's Encrypt is still running v1.

    Removed all account files and settings for Let's Encrypt.. did a new ./certbot-auto and it tries to enable the SSL but.. it can, but not completely.. ok..

    so I thought.. hmm, I'll do an ISPConfig update - which is very smooth (I know this from before) - and hope for no bugs. and sure enough.. now it works..

    ISPConfig 3.1.15p3 is now up and running.. and uses v2 of Certbot Let's Encrypt..

    so now it can renew the certificates without problems..

    However.. the system went down.. so might have to do a field trip to reset shits.. fun stuff!! ;)

    No, it seems that everything went up as it should. So all in all, panic.. panic.. now relax :) Thanks for your help guys!

    ahrasis - you got me thinking a little more, that's why I went for the howtoguide I used and eventually found the certbot-auto in the /opt/ folder :)
    Last edited: Jun 22, 2020
    Richard Foley, ahrasis and Th0m like this.

Share This Page