LE Multi-Certificate renewal doesn't include main domain

Discussion in 'Installation/Configuration' started by tweyhr3156, Jan 23, 2023.

  1. tweyhr3156

    tweyhr3156 New Member

    Hello,
    I have some websites with alias-Domains.
    When I create the website, or when I disable the cert -> save -> enable the cert, everything works as expected.
    But when the cert is renewed by the nightly script, the certificate contains only the alias names, not the main name.
    When I recreate the cert with ISPConfig or with the shell command, it works correctly.
    SSH: /root/.acme.sh/acme.sh -r -f -d xxx-yyy.de

    Can someone help me?
    Regards Thomas
     
  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    Can you check the log in /var/log/ispconfig/acme.log? Is there anything in there that might explain it?
     
  3. tweyhr3156

    tweyhr3156 New Member

    All domains are listed in the log file. No errors in the script. Only two messages appear:
    '/usr/local/ispconfig/interface/acme' does not contain 'dns'
    '/usr/local/ispconfig/interface/acme' does not contain 'no'
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This you should never do.

    For LE failure for main domain, if this is true, do troubleshoot using LE FAQ.
     
  5. tweyhr3156

    tweyhr3156 New Member

    Why not? This is the acme script to renew a certificate. ISPConfig uses the same script.
    In the LE FAQ there is no hint for this problem.
    It happens for all websites with a domain alias, resulting in a multi-domain certificate.
    Using the shell command, the certificate contains all names, so I think the problem is not in the acme script.
     
    Last edited: Jan 24, 2023
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I have not seen this on any system yet, and we have no other such report, so it must be something very special that happens on your system only. What @ahrasis meant is that manually using the acme.sh command can lead to all kinds of errors when not run with the exact same options that ISPConfig is using.
     
  7. tweyhr3156

    tweyhr3156 New Member

    I have the solution to my problem:
    For whatever reason, a configuration was stored in the /root/.acme.sh/ folder for the main domain and for the domain aliases.
    If the certificate was renewed, first the main domain and then the alias domains were renewed, overwriting the certificate of the main domain.
    The problem was solved by deleting the configuration for the alias domains.

    However, I cannot say why this configuration was created.
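
A check for the situation described in the last post, as an added example that is not part of the thread or of ISPConfig: it scans an acme.sh home for a certificate config whose main domain is also an alternative name in another config. The `Le_Domain`/`Le_Alt` keys and the `<name>/<name>.conf` layout are assumptions about how acme.sh stores its state, and the `.example` sample names are constructed.

```shell
#!/usr/bin/env bash
# Added example: report acme.sh per-domain configs that overlap.
# Assumption: each certificate has <home>/<name>/<name>.conf holding
# Le_Domain='main' and Le_Alt='alias1,alias2' (or Le_Alt='no').
# Usage on a real server: find_overlapping_configs /root/.acme.sh

# Print the single-quoted value of KEY ($1) from a .conf file ($2).
conf_value() {
    sed -n "s/^$1='\(.*\)'\$/\1/p" "$2" | head -n 1
}

# For every config whose main domain is also an alternative name in
# another config, print "<conf> duplicates <domain> from <other conf>".
find_overlapping_configs() {
    local home="$1" conf other domain alts
    for conf in "$home"/*/*.conf; do
        [ -f "$conf" ] || continue
        domain=$(conf_value Le_Domain "$conf")
        [ -n "$domain" ] || continue          # e.g. a CSR config, skip
        for other in "$home"/*/*.conf; do
            [ -f "$other" ] && [ "$other" != "$conf" ] || continue
            alts=$(conf_value Le_Alt "$other")
            case ",$alts," in
                *",$domain,"*) echo "$conf duplicates $domain from $other" ;;
            esac
        done
    done
}

# Build a constructed sample home (not real data) mirroring the thread:
# a main-domain config plus a stray config for one of its aliases.
build_sample_home() {
    local home
    home=$(mktemp -d)
    mkdir "$home/main.example" "$home/alias.example" "$home/solo.example"
    printf "Le_Domain='main.example'\nLe_Alt='www.main.example,alias.example'\n" \
        > "$home/main.example/main.example.conf"
    printf "Le_Domain='alias.example'\nLe_Alt='no'\n" \
        > "$home/alias.example/alias.example.conf"
    printf "Le_Domain='solo.example'\nLe_Alt='no'\n" \
        > "$home/solo.example/solo.example.conf"
    echo "$home"
}
```

Any line it prints names a config that would be renewed separately from the certificate that already covers the same name.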
     
