Hi, i've just tested the new webserver and tried to generate a let's encrypt certificate for a domain. In the interface i've checked SSL and Let's Encrypt for the site and applied it with "save". After checking again the checkboxes are not set. I've checked the acme.log, the certificate gets created correctly, and is copied to: /var/www/clients/client1/web365/ssl/. I've checked the content of the files too, seems fine. Validating the key and certificate the md5 matches, so it seems to be good. What could be the cause that ISPConfig is not using it? Is there a log that i can check or do i need to enable debug output beforhand?
Just enabled debug logging to see what is going on, but still i'm not understanding what is happening. Debug messages that are related: Code: 13.01.2023 13:49 web01.xxxxxx.cloud Debug NON-String given in escape function! (boolean) 13.01.2023 13:49 web01.xxxxxx.cloud Warning Let's Encrypt SSL Cert for: xxxxxx.de could not be issued. 13.01.2023 13:49 web01.xxxxxx.cloud Warning Could not verify domain www.xxxxxx.de, so excluding it from letsencrypt request. So let's check acme.log, the latest relevant log is from tonight: Code: [Fr 13. Jan 00:58:01 CET 2023] di='/root/.acme.sh/xxxxxx.de/' [Fr 13. Jan 00:58:01 CET 2023] d='xxxxxx.de' [Fr 13. Jan 00:58:01 CET 2023] _renewServer [Fr 13. Jan 00:58:01 CET 2023] Using config home:/root/.acme.sh [Fr 13. Jan 00:58:01 CET 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 00:58:01 CET 2023] DOMAIN_PATH='/root/.acme.sh/xxxxxx.de' [Fr 13. Jan 00:58:01 CET 2023] Renew: 'xxxxxx.de' [Fr 13. Jan 00:58:01 CET 2023] Le_API='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 00:58:01 CET 2023] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Fr 13. Jan 00:58:01 CET 2023] Using config home:/root/.acme.sh [Fr 13. Jan 00:58:01 CET 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 00:58:01 CET 2023] Skip, Next renewal time is: 2023-01-15T10:33:14Z [Fr 13. Jan 00:58:01 CET 2023] Add '--force' to force to renew. [Fr 13. Jan 00:58:01 CET 2023] Return code: 2 [Fr 13. Jan 00:58:01 CET 2023] Skipped xxxxxx.de Code: Could not verify domain www.xxxxxx.de, so excluding it from letsencrypt request. What does this inidicate? The A-Record is correct and Code: dig @8.8.8.8 xxxxx.de A Returns the correct IP adress
Maybe you have an a-record for example.com but not www.example.com, but auto-subdomain is set to www in website settings? In this case, either create a a-record for www or set auto-subdomain in website to none. Issuing LE certs might also fail when there are AAAA records set but IPv6 connectivity is not working or IPv6 IP is wrong, as LE seems to prefer IPv6 over IPV4 when IPv6 records are there.
To debug such an issue, I mostly just turn on log level to debug and then check what ispconfig server.sh returns in debug mode when re-enabling Let's encrypt checkbox, plus looking at acme.sh log as you did.
Update: This was indeed an DNS Issue as some DNS servers returned the old IP. The acme.log look good now: Code: [Fr 13. Jan 14:10:01 CET 2023] Running cmd: issue [Fr 13. Jan 14:10:01 CET 2023] _main_domain='xxxxxxxx.de' [Fr 13. Jan 14:10:01 CET 2023] _alt_domains='no' [Fr 13. Jan 14:10:01 CET 2023] Using config home:/root/.acme.sh [Fr 13. Jan 14:10:01 CET 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 14:10:01 CET 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 14:10:01 CET 2023] DOMAIN_PATH='/root/.acme.sh/xxxxxxxx.de' [Fr 13. Jan 14:10:01 CET 2023] Le_NextRenewTime='1673778794' [Fr 13. Jan 14:10:01 CET 2023] _saved_domain='xxxxxxxx.de' [Fr 13. Jan 14:10:01 CET 2023] _saved_alt='no' [Fr 13. Jan 14:10:01 CET 2023] _normized_saved_domains='no,xxxxxxxx.de,' [Fr 13. Jan 14:10:01 CET 2023] _normized_domains='no,xxxxxxxx.de,' [Fr 13. Jan 14:10:01 CET 2023] Domains not changed. [Fr 13. Jan 14:10:01 CET 2023] Skip, Next renewal time is: 2023-01-15T10:33:14Z [Fr 13. Jan 14:10:01 CET 2023] Add '--force' to force to renew. [Fr 13. Jan 14:10:01 CET 2023] Lets find script dir. [Fr 13. Jan 14:10:01 CET 2023] _SCRIPT_='/root/.acme.sh/acme.sh' [Fr 13. Jan 14:10:01 CET 2023] _script='/root/.acme.sh/acme.sh' [Fr 13. Jan 14:10:01 CET 2023] _script_home='/root/.acme.sh' [Fr 13. Jan 14:10:01 CET 2023] Using default home:/root/.acme.sh [Fr 13. Jan 14:10:01 CET 2023] Using config home:/root/.acme.sh [Fr 13. Jan 14:10:01 CET 2023] Running cmd: installcert [Fr 13. Jan 14:10:01 CET 2023] Using config home:/root/.acme.sh [Fr 13. Jan 14:10:01 CET 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 14:10:01 CET 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory' [Fr 13. Jan 14:10:01 CET 2023] DOMAIN_PATH='/root/.acme.sh/xxxxxxxx.de' [Fr 13. Jan 14:10:01 CET 2023] Installing key to: /var/www/clients/client1/web380/ssl/xxxxxxxx.de-le.key [Fr 13. Jan 14:10:01 CET 2023] Installing full chain to: /var/www/clients/client1/web380/ssl/xxxxxxxx.de-le.crt [Fr 13. Jan 14:10:01 CET 2023] Run reload cmd: systemctl force-reload apache2.service [Fr 13. Jan 14:10:01 CET 2023] Reload success The checkboxes are set as expected but i cannot browse the site with https, it loads another webspace on the server. Should the SSL config be in /etc/apache/sites-enabled/xxxxxx.(.conf/vhost)?
yes. the port 80 and 443 vhosts are in the same file, one after another, so you might have to scroll down quite a bit to see the second vhost. Try using debug mode, disable Let's encrypt, save, enable it again, and check what debug is telling you.
Another possible reason is described here https://forum.howtoforge.com/threads/please-read-before-posting.58408/ the part "When visiting domain B ...."
Well aware of this, but it's not the case. I've deactiavted it and actiavted it again, now the SSL section is written within the vhost, it wasn't before. I may broke ISPConfig by debugging the earlier issue :^) It works as expected now. Again it was just a patience issue Cheers thank you for the help!