Let's Encrypt certificates not auto-renewed (symlink archive vs live)

Discussion in 'ISPConfig 3 Priority Support' started by KoS, Jan 23, 2017.

  1. KoS

    KoS Member HowtoForge Supporter

    The first Let's Encrypt certificates are expiring and not being replaced by the latest ones. When I check the configuration I see that the cert & key files from the /ssl subdir are being used and that there are symlinks to the /etc/letsencrypt/archive files. Going further I saw that certbot had indeed renewed the certificates, so there is cert2.pem instead of cert1.pem in the archive, but ISPConfig hasn't replaced its symlinks.
    What could be the issue? Why isn't ISPConfig using the /live dir instead of the /archive?
    I suppose ISPConfig is triggering the certbot renew command, right?

    I am using ISPConfig 3.1.1 and couldn't find the changelog/diff to 3.1.1p1 to check if that would resolve the issue.
     
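The symptom described in the post above can be checked mechanically rather than by inspecting vhosts one by one. The script below is an added example, not ISPConfig code and not something posted in this thread. It assumes the ISPConfig site layout /var/www/clients/clientN/webN/ssl/<site>.crt and certbot's archive/<domain>/certN.pem plus live/<domain>/cert.pem layout, takes both roots as parameters, and builds a constructed throwaway fixture (empty placeholder files, no real certificates) so it runs offline. For every site symlink that points straight into archive/ it reports the version the link is pinned to and the version certbot's live/ symlink currently resolves to.

```shell
#!/bin/sh
# Added example (not ISPConfig code): audit ISPConfig site symlinks that bypass
# certbot's live/ directory and pin a specific archive/ version.
# Assumed layouts (both roots are parameters so the check also runs on a fixture):
#   <www_root>/clientN/webN/ssl/<site>.crt  -> symlink created by ISPConfig
#   <le_root>/archive/<domain>/certN.pem     -> versioned files written by certbot
#   <le_root>/live/<domain>/cert.pem         -> symlink certbot keeps on the newest N

# audit_stale_links WWW_ROOT LE_ROOT
# Prints "<link> pinned=<file> live=<file> status=stale|current" for each site
# symlink whose target is inside archive/. "stale" means certbot has already
# moved live/ on to a newer version; "current" means the versions still match,
# but the link will not follow the next renewal either.
audit_stale_links() {
    www_root=$1
    le_root=$2
    find "$www_root" -maxdepth 4 -type l -print 2>/dev/null | while IFS= read -r link; do
        target=$(readlink "$link") || continue
        case $target in
            "$le_root"/archive/*) ;;            # only links that bypass live/
            *) continue ;;
        esac
        rel=${target#"$le_root"/archive/}       # <domain>/cert1.pem
        domain=${rel%%/*}
        pinned=${rel##*/}                        # cert1.pem
        # certbot names live/ files without the version number: cert1.pem -> cert.pem
        live_name=$(printf '%s\n' "$pinned" | sed -E 's/[0-9]+\.pem$/.pem/')
        # live/ links are usually relative (../../archive/...), so compare basenames only
        current=$(readlink "$le_root/live/$domain/$live_name" 2>/dev/null || echo MISSING)
        current=${current##*/}
        if [ "$current" != "$pinned" ]; then
            status=stale
        else
            status=current
        fi
        echo "$link pinned=$pinned live=$current status=$status"
    done
}

# make_fixture: constructed sample tree reproducing the thread's situation.
# certbot has renewed once (archive/ holds versions 1 and 2, live/ points at 2);
# web1 is still pinned to version 1, web3 is pinned to version 2, web2 is
# correctly linked through live/.
make_fixture() {
    root=$(mktemp -d)
    le=$root/letsencrypt
    www=$root/www
    mkdir -p "$le/archive/example.com" "$le/live/example.com" \
             "$www/client1/web1/ssl" "$www/client1/web2/ssl" "$www/client2/web3/ssl"
    for n in 1 2; do
        : > "$le/archive/example.com/cert$n.pem"
        : > "$le/archive/example.com/privkey$n.pem"
    done
    ln -s "$le/archive/example.com/cert2.pem"    "$le/live/example.com/cert.pem"
    ln -s "$le/archive/example.com/privkey2.pem" "$le/live/example.com/privkey.pem"
    # stale site: links were created against archive/ version 1 and never updated
    ln -s "$le/archive/example.com/cert1.pem"    "$www/client1/web1/ssl/example.com.crt"
    ln -s "$le/archive/example.com/privkey1.pem" "$www/client1/web1/ssl/example.com.key"
    # healthy site: link goes through live/, so renewals are picked up automatically
    ln -s "$le/live/example.com/cert.pem"        "$www/client1/web2/ssl/other.crt"
    # pinned-but-current site: matches today, will break at the next renewal
    ln -s "$le/archive/example.com/cert2.pem"    "$www/client2/web3/ssl/pinned.crt"
    echo "$root"
}

# Try it on the fixture with: sh audit_le_links.sh --demo
# On a real ISPConfig host: audit_stale_links /var/www/clients /etc/letsencrypt
if [ "${1:-}" = "--demo" ]; then
    root=$(make_fixture)
    audit_stale_links "$root/www" "$root/letsencrypt"
    rm -rf "$root"
fi
```

Links reported as stale serve a certificate certbot has already superseded, which is exactly the expiry the post describes. Links reported as current are not safe either: nothing repoints them after the next renewal, which is why the repair has to rewrite them to live/ rather than to the newest archive file.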
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The live dir is used for the symlink in 3.1.1 and 3.1.1p1. Most likely the LE cert was created in 3.1.0 which has a bug in the symlinks.
     
  3. KoS

    KoS Member HowtoForge Supporter

    Thanks for your reply.
    Don't know with which version LE was enabled on this site. I am running a re-sync of the websites right now; it takes quite a while with all the restarting of Apache. I suppose this will fix the symlink? Or do I need to manually fix it?
    What was changed from 3.1.1 to 3.1.1p1, so that I know if I need to upgrade?
     
  4. KoS

    KoS Member HowtoForge Supporter

    Unfortunately the re-sync doesn't seem to fix the symlinks.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    A typo in the nginx vhost file.
     
  6. KoS

    KoS Member HowtoForge Supporter

    @till How can I fix my invalid/old symbolic links? When are they being recreated?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There is currently no way to let ispconfig do it as ispconfig will not set new symlinks if there is already a symlink in place. I'm currently working on a change in the code to recreate the symlinks when you disable / enable LE in a site. I'll push it to git stable-3.1 branch later today.
     
  8. KoS

    KoS Member HowtoForge Supporter

    Thanks! Will check the repo later to see how I'll update it then.
     
  9. KoS

    KoS Member HowtoForge Supporter

    I used some "find" magic (and bash) to fix all the paths on my system. For reference, if anybody else runs into that issue, as I didn't want to go site by site and disable & enable LE manually.
    Code:
    find /var/www/clients -maxdepth 4 -type l -ilname "*/etc/letsencrypt/archive/*" -exec bash -c '
       old_link_target=$(readlink "$0")
       # first "archive" in the path is the /etc/letsencrypt/archive/ directory itself
       new_link_target=${old_link_target/archive/live}
       # drop the version number from the file name only (cert1.pem -> cert.pem),
       # so digits inside the domain directory are left alone
       new_link_target=${new_link_target%/*}/$(basename "$old_link_target" | sed -E "s/[0-9]+\.pem$/.pem/")
       echo "change $0 to $new_link_target"
       ln -snf "$new_link_target" "$0"' {} \;
    
     
    Last edited: Jan 25, 2017
  10. KoS

    KoS Member HowtoForge Supporter

    Should that change be included in the latest 3.1.3 release? I couldn't find it mentioned in the milestone here: https://git.ispconfig.org/ispconfig/ispconfig3/milestones/53
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, that should be included, but it won't show up in the milestone. You can probably find it in the activity list.
     
  13. KoS

    KoS Member HowtoForge Supporter

    Just for clarification, I suppose the existing symlinks won't be changed automatically from archive to live until the site is reconfigured? So I will run my command from above to fix it automatically for all the sites that still have the archive symlink.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, the bugfix exists to ensure that it does not happen again, it will not alter existing links.
     