Let's Encrypt certs not creating and renewing

Discussion in 'Installation/Configuration' started by Simik, Nov 30, 2024.

  1. Simik

    Simik New Member

    Hello,

    Let's Encrypt certificates are not renewing for the sites hosted on my server...
    I tried to check/uncheck the box, even waited a few days...
    I tried to delete files from /.acme.sh/XXX.com and recheck the box...
    I tried to create a new site, it didn't create the certificate...
    ISPConfig Version: 3.2.12p1 on Debian 10

    htf report:
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
     
    [INFO] uptime:  21:13:01 up 6 days, 10:29,  1 user,  load average: 0.06, 0.14, 0.16
     
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:          3.8Gi       1.8Gi       1.0Gi        15Mi       1.0Gi       1.8Gi
    Swap:         1.0Gi       165Mi       858Mi
     
    [INFO] systemd failed services status:
    0 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.12p1
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.3.31-1~deb10u7
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.3.31
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 29924)
    [INFO] I found the following mail server(s):
        Postfix (PID 14593)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 14642)
    [INFO] I found the following imap server(s):
        Dovecot (PID 14642)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 14814)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [localhost]:10027        (14593/master)
    [anywhere]:587        (14593/master)
    [localhost]:11211        (464/memcached)
    [anywhere]:110        (14642/dovecot)
    [anywhere]:143        (14642/dovecot)
    [anywhere]:465        (14593/master)
    ***.***.***.***:53        (14841/named)
    [localhost]:53        (14841/named)
    [anywhere]:21        (14814/pure-ftpd)
    [anywhere]:22        (525/sshd)
    [localhost]:953        (14841/named)
    [anywhere]:25        (14593/master)
    [anywhere]:993        (14642/dovecot)
    [anywhere]:995        (14642/dovecot)
    [localhost]:8997        (467/php-fpm:)
    [localhost]:10023        (637/postgrey)
    [localhost]:10024        (14627/amavisd-new)
    [localhost]:10025        (14593/master)
    [localhost]:10026        (14627/amavisd-new)
    *:*:*:*::*:587        (14593/master)
    [localhost]10        (14642/dovecot)
    [localhost]43        (14642/dovecot)
    *:*:*:*::*:8080        (29924/apache2)
    *:*:*:*::*:80        (29924/apache2)
    *:*:*:*::*:8081        (29924/apache2)
    *:*:*:*::*:465        (14593/master)
    *:*:*:*::*:53        (14841/named)
    *:*:*:*::*:21        (14814/pure-ftpd)
    *:*:*:*::*:22        (525/sshd)
    *:*:*:*::*:953        (14841/named)
    *:*:*:*::*:25        (14593/master)
    *:*:*:*::*:443        (29924/apache2)
    *:*:*:*::*:993        (14642/dovecot)
    *:*:*:*::*:995        (14642/dovecot)
    *:*:*:*::*:10023        (637/postgrey)
    *:*:*:*::*:10024        (14627/amavisd-new)
    *:*:*:*::*:10026        (14627/amavisd-new)
    *:*:*:*::*:3306        (14289/mysqld)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    f2b-pure-ftpd  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 21
    f2b-postfix-sasl  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 25
    f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination         
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain f2b-postfix-sasl (1 references)
    target     prot opt source               destination         
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain f2b-pure-ftpd (1 references)
    target     prot opt source               destination         
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    
    
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    and debug:

    Code:
    /usr/local/ispconfig/server/server.sh
    29.11.2024-22:34 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    29.11.2024-22:34 - DEBUG [server:184] - Found 3 changes, starting update process.
    29.11.2024-22:34 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:34 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client1/web2' - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web2' - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client1/web2'|awk 'END{print $2,$NF}' - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web2' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web2' 604800 604800 -a &> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web2' - return code: 0
    29.11.2024-22:34 - DEBUG [letsencrypt.inc:393] - Verified domain brm.XXX.com should be reachable for letsencrypt.
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:34 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: brm.XXX.com
    29.11.2024-22:34 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
    29.11.2024-22:34 - DEBUG [system.inc:1826] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d brm.XXX.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert  -d brm.XXX.com --key-file '/var/www/clients/client1/web2/ssl/brm.XXX.com-le.key' --fullchain-file '/var/www/clients/client1/web2/ssl/brm.XXX.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C  ; fi
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/brm.XXX.com.vhost
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /opt/php-5.6/etc/php-fpm.d/web2.conf
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php-5.6-fpm' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php-5.6-fpm.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
    29.11.2024-22:35 - DEBUG [modules.inc:240] - Processed datalog_id 96
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/XXX.com.vhost
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web1.conf
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php7.3-fpm' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php7.3-fpm.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
    29.11.2024-22:35 - DEBUG [modules.inc:240] - Processed datalog_id 97
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [letsencrypt.inc:393] - Verified domain XXX.com should be reachable for letsencrypt.
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: XXX.com
    29.11.2024-22:35 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
    29.11.2024-22:35 - DEBUG [system.inc:1826] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d XXX.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert  -d XXX.com --key-file '/var/www/clients/client1/web1/ssl/XXX.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/XXX.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C  ; fi
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:1831] - Enable SSL for: XXX.com
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/XXX.com.vhost
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web1.conf
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php7.3-fpm' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php7.3-fpm.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
    29.11.2024-22:35 - DEBUG [modules.inc:240] - Processed datalog_id 98
    29.11.2024-22:35 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    According to the log, the certificate has been created successfully. So your issue might not be an SSL certificate problem on the server. Maybe you access a different server when testing the site or something similar.

    If you could delete a cert file, then this means it was created successfully. And that's also what the debug log showed you. So you do not have an issue creating LE certs for the site. Also, do not manually delete /.acme.sh/XXX.com when you want to issue a cert as this might cause failures in future. Just follow the Let's Encrypt FAQ post, which does not tell you to do this for that reason.
     
  3. Simik

    Simik New Member

    But the files in /.acme.sh/XXX.com are still the same... Nothing new...
    When I try the website, the certificate has been expired since 18.11...
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Either you deleted it, as you said, in which case it can't be the same content, or you did not delete it and the cert was already renewed, in which case it's fine that it's the same. As I said, there can be many other causes not related to SSL cert renewal and according to the logs, SSL cert renewal is not your issue.

    Have you manually stopped the web server, verified it is stopped, and then started it again? Does it help?
    Post the ls -la from the cert directory, and from the SSL directory of the site, and the host file of that site.
    Is this site possibly a site for the server's hostname? If yes, then what you describe is normal, as you can not have a site for the hostname plus ISPConfig using it for the main cert. Either ISPConfig or this site will not have a valid SSL cert then due to that misconfiguration; the only way to do that is by symlinking the certs in such a manual setup.
     
  5. Simik

    Simik New Member

    I deleted the files because it helped other guys... As it didn't change anything, I restored the original files... So the content is the same as before.

    Restarting the server doesn't change anything, the ssl directory is empty.
    The site is under brm.XXX.com, ISPConfig is under server1.XXX.com... All certificates expired, none of them are renewing and certificates are not created for new sites....
     
  6. michelangelo

    michelangelo Active Member

    Do you host any other domains on your server, except XXX.com and can you issue LE certs without problems on your server for those?

    In case of a yes, you should check the zone of your domain for CAA records. If there are any CAA records set that don't relate to Let's Encrypt then you have two options: Delete the CAA records OR add the LE CA as CAA record to your zone.

    However, the acme.log in /var/log/ispconfig should generally give insight into what might be wrong when issuing the LE cert.
    Have you had a look at this file?
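The CAA check michelangelo describes, as an added example that is not code from the thread: the evaluator applies the RFC 8659 matching rules (climb to the closest CAA RRset, `issue` versus `issuewild`, an empty `issue` value forbids every CA) against a constructed in-memory zone instead of live DNS, and `permit_letsencrypt` shows the second of his two fixes. `letsencrypt.org` is the identifier Let's Encrypt publishes for CAA records; all other names and records below are made up.

```python
"""CAA policy check for Let's Encrypt issuance (added example, not from the thread).

Lookups run against the constructed in-memory zone below instead of live DNS.
"""

LETSENCRYPT_CAA = "letsencrypt.org"

# Constructed sample data: name -> list of (flags, tag, value) CAA records.
# A name absent from the dict has no CAA RRset of its own.
SAMPLE_ZONE = {
    "xxx.com": [
        (0, "issue", "digicert.com"),
        (0, "iodef", "mailto:hostmaster@xxx.com"),
    ],
    "locked.example.net": [(0, "issue", ";")],  # ";" forbids every CA
    "wild.example.net": [
        (0, "issue", "letsencrypt.org; validationmethods=http-01"),
        (0, "issuewild", "sectigo.com"),
    ],
}


def find_caa_rrset(name, zone):
    """Climb from `name` towards the root; return (origin, rrset) of the closest CAA set."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if zone.get(candidate):
            return candidate, zone[candidate]
    return None, []


def _issuer_domain(value):
    """Drop parameters after ';' ("letsencrypt.org; validationmethods=..." -> "letsencrypt.org")."""
    return value.split(";", 1)[0].strip().lower()


def caa_permits(name, ca_domain, zone):
    """Decide, per RFC 8659, whether `ca_domain` may issue for `name` ("*.x" is a wildcard)."""
    wildcard = name.startswith("*.")
    origin, rrset = find_caa_rrset(name[2:] if wildcard else name, zone)
    if not rrset:
        return True, "no CAA records found: any CA may issue"
    issue = [r for r in rrset if r[1].lower() == "issue"]
    issuewild = [r for r in rrset if r[1].lower() == "issuewild"]
    # For wildcard names `issuewild` wins when present; otherwise `issue` applies.
    relevant = issuewild if (wildcard and issuewild) else issue
    if not relevant:
        return True, f"CAA at {origin} has no issue restriction: any CA may issue"
    allowed = {_issuer_domain(r[2]) for r in relevant}
    if ca_domain.lower() in allowed:
        return True, f"CAA at {origin} permits {ca_domain}"
    listed = sorted(d or "<no CA>" for d in allowed)
    return False, f"CAA at {origin} limits issuance to {listed}; {ca_domain} is not listed"


def permit_letsencrypt(zone, origin):
    """Second fix from the post: add an `issue letsencrypt.org` record at `origin` (returns a copy)."""
    fixed = {k: list(v) for k, v in zone.items()}
    fixed.setdefault(origin, []).append((0, "issue", LETSENCRYPT_CAA))
    return fixed


if __name__ == "__main__":
    for host in ("brm.xxx.com", "www.locked.example.net", "a.wild.example.net",
                 "*.wild.example.net", "plain.example.org"):
        ok, why = caa_permits(host, LETSENCRYPT_CAA, SAMPLE_ZONE)
        print(f"{host:24} {'OK     ' if ok else 'BLOCKED'} {why}")
    ok, why = caa_permits("brm.xxx.com", LETSENCRYPT_CAA,
                          permit_letsencrypt(SAMPLE_ZONE, "xxx.com"))
    print(f"after fix: {ok} {why}")
```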
     
  7. Simik

    Simik New Member

    I tried YYY.com and it doesn't create a certificate for YYY.com...

    acme.log is empty
     
  8. Simik

    Simik New Member

    When forcing an ISPConfig update, it says
    Code:
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/server1.XXX.com
    Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.
    I checked the file and it's not missing o_O
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Of course, it was missing when this message was written on the screen. ;) ISPConfig fixed it afterward by putting a self-signed SSL cert there, as your webserver would have failed to start otherwise.
     
  10. variable99

    variable99 Member

    The best (fastest) way to regenerate SSL:
    1. rm /usr/local/ispconfig/interface/ssl/ispserver.*
    2. ispconfig_update.sh --force
    3. Select Y when you are asked for SSL. Be sure that the server hostname points to the server IP (turn off Cloudflare protection, if any).
    That's it.
    And to permanently fix the problem, enable default-ssl.conf with these lines (the default conf has snakeoil certs):

    Code:
    SSLCertificateFile      /usr/local/ispconfig/interface/ssl/ispserver.pem
    SSLCertificateKeyFile   /usr/local/ispconfig/interface/ssl/ispserver.key
    
     
  11. Simik

    Simik New Member

    still not working :/
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    We can't really help you if you neither post the exact full output of the ISPConfig updater nor the log from acme.sh for the new attempt. Also, you might want to post the result of:

    ls -la /usr/local/ispconfig/interface/ssl/

    I'm not sure why you run ispconfig_update.sh --force at all, according to your original post, you have an issue with a website SSL cert. But the ispconfig updater is not related to that, it neither changes nor updates SSL certs for websites. The ISPConfig updater is only creating the cert for the ISPConfig GUI and not any website.

    But as you say all certs fail, it's more likely that you have a general issue, like you blocked incoming port 80, reached LE limits, or blocked LE using DNS.
     
    Last edited: Dec 6, 2024
  13. Simik

    Simik New Member

    result is
    Code:
    total 80
    drwxr-x--- 2 root      root      4096 Dec  6 10:00 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Aug 21 01:43 ..
    -rwxr-x--- 1 root      root       768 Dec  6 10:01 dhparam4096.pem
    -rwxr-x--- 1 root      root        45 Dec  6 10:01 empty.dir
    -rwxr-x--- 1 root      root      2000 Dec  6 10:00 ispserver.crt
    -rwxr-x--- 1 root      root      3932 Nov 23 21:53 ispserver.crt-20241123215316.bak
    -rwxr-x--- 1 root      root      1976 Nov 29 21:47 ispserver.crt-20241129214713.bak
    -rwxr-x--- 1 root      root      2021 Dec  5 09:42 ispserver.crt-20241205094205.bak
    -rwxr-x--- 1 root      root      3272 Dec  6 09:59 ispserver.key
    -rwxr-x--- 1 root      root      3243 Nov 23 21:53 ispserver.key-20241123215316.bak
    -rwxr-x--- 1 root      root      3272 Nov 29 21:47 ispserver.key-20241129214713.bak
    -rwxr-x--- 1 root      root      3272 Dec  5 09:42 ispserver.key-20241205094205.bak
    -rwxr-x--- 1 root      root      5272 Dec  6 10:00 ispserver.pem
    -rwxr-x--- 1 root      root      7175 Nov 23 21:53 ispserver.pem-20241123215316.bak
    -rwxr-x--- 1 root      root      5248 Nov 29 21:47 ispserver.pem-20241129214713.bak
    -rwxr-x--- 1 root      root      5293 Dec  5 09:42 ispserver.pem-20241205094205.bak
    As I already wrote, the SSL log is empty.
    I don't block port 80 and there is no reason why LE could be blocked by DNS...
    The only thing is that on the cert expiry date (November 28), the server probably had an outage...
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    So the SSL cert got updated yesterday. Please run the following command and post the result, so we can see the details of the cert:

    openssl x509 -in /usr/local/ispconfig/interface/ssl/ispserver.crt -noout -text
     
  15. Simik

    Simik New Member

    result (anonymized) :
    Code:
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                59:2c:05:d0:9a:75:78:9d:61:3c:fa:fe:a6:8d:6b:56:2f:7b:6a:1c
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = CZ, ST = Some-State, L = Prague, O = XXX, CN = XXX.com
            Validity
                Not Before: Dec  6 09:00:54 2024 GMT
                Not After : Dec  4 09:00:54 2034 GMT
            Subject: C = CZ, ST = Some-State, L = Prague, O = XXX, CN = XXX.com
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)
                    Modulus:
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Subject Key Identifier:
                    1E:B2:5D:75:B1:49:86:0E:89:D0:1A:3F:D0:93:40:0A:28:06:6E:62
                X509v3 Authority Key Identifier:
                    keyid:1E:B2:5D:75:B1:49:86:0E:89:D0:1A:3F:D0:93:40:0A:28:06:6E:62
    
                X509v3 Basic Constraints: critical
                    CA:TRUE
        Signature Algorithm: sha256WithRSAEncryption
     
  16. remkoh

    remkoh Active Member HowtoForge Supporter

    That's a self-signed certificate and not an LE certificate.
    An LE certificate has a lifespan of 3 months and not 10 years.

    Try running this from the command line:
    Code:
    acme.sh --issue -w  /usr/local/ispconfig/interface/acme -d <hostname> --keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"
    If acme.sh complains that the certificate already exists and isn't eligible for renewal add --force to the command.
    And when the certificate is renewed run:
    Code:
    cat /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.crt > /usr/local/ispconfig/interface/ssl/ispserver.pem
    After that acme.sh should again renew the certificate every 2 months automatically.
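The reading remkoh applies to the dump, as an added example that is not code from the thread: a small parser for `openssl x509 -noout -text` output that flags issuer equal to subject plus a ten-year validity as a self-signed fallback, and an issuer of Let's Encrypt with a lifetime of at most 90 days as a real LE leaf. Both inputs are constructed; the first mirrors the anonymized dump above, the second is a typical LE leaf (the `CN = E5` intermediate name and all hostnames are sample values).

```python
"""Classify a certificate from `openssl x509 -noout -text` output (added example, not from the thread).

The two inputs are constructed: the first mirrors the anonymized dump in the
thread (self-signed, ten-year validity), the second a typical Let's Encrypt leaf.
"""
import re
from datetime import datetime, timezone

SELF_SIGNED_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = CZ, ST = Some-State, L = Prague, O = XXX, CN = XXX.com
        Validity
            Not Before: Dec  6 09:00:54 2024 GMT
            Not After : Dec  4 09:00:54 2034 GMT
        Subject: C = CZ, ST = Some-State, L = Prague, O = XXX, CN = XXX.com
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
"""

LE_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Signature Algorithm: ecdsa-with-SHA384
        Issuer: C = US, O = Let's Encrypt, CN = E5
        Validity
            Not Before: Nov 28 10:12:00 2024 GMT
            Not After : Feb 26 10:11:59 2025 GMT
        Subject: CN = brm.xxx.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:brm.xxx.com
"""

LE_MAX_LIFETIME_DAYS = 90
_FIELD = re.compile(r"^\s*(Issuer|Subject|Not Before|Not After)\s*:\s*(.*)$", re.M)
_OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"


def parse_cert_text(text):
    """Pull issuer, subject, validity window and the CA flag out of openssl's text dump."""
    fields = {key: value.strip() for key, value in _FIELD.findall(text)}
    for key in ("Not Before", "Not After"):
        raw = " ".join(fields[key].split())   # openssl pads single-digit days: "Dec  6"
        fields[key] = datetime.strptime(raw, _OPENSSL_DATE).replace(tzinfo=timezone.utc)
    fields["CA"] = re.search(r"^\s*CA:TRUE\s*$", text, re.M) is not None
    return fields


def classify(text, now_iso=None):
    """Describe the certificate; `now_iso` (YYYY-MM-DD) pins "now" for repeatable checks."""
    cert = parse_cert_text(text)
    now = (datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
           if now_iso else datetime.now(timezone.utc))
    lifetime_days = (cert["Not After"] - cert["Not Before"]).days
    self_signed = cert["Issuer"] == cert["Subject"]
    return {
        "issuer": cert["Issuer"],
        "self_signed": self_signed,
        "ca": cert["CA"],
        "lifetime_days": lifetime_days,
        # A real LE leaf: LE issuer, at most a 90-day lifetime, never self-signed.
        "lets_encrypt": ("Let's Encrypt" in cert["Issuer"]
                         and lifetime_days <= LE_MAX_LIFETIME_DAYS
                         and not self_signed),
        "expired": now > cert["Not After"],
        "days_left": (cert["Not After"] - now).days,
    }


def verdict(text, now_iso=None):
    """One-line diagnosis in the spirit of the post above."""
    c = classify(text, now_iso)
    if c["self_signed"]:
        return f"self-signed fallback certificate ({c['lifetime_days']} days), not issued by Let's Encrypt"
    if c["lets_encrypt"]:
        state = "expired" if c["expired"] else f"{c['days_left']} days left"
        return f"Let's Encrypt certificate, {state}"
    return f"certificate from {c['issuer']} ({c['lifetime_days']} days)"


if __name__ == "__main__":
    for label, txt in (("ispserver.crt", SELF_SIGNED_TEXT), ("le-leaf", LE_TEXT)):
        print(f"{label}: {verdict(txt)}")
```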
     
  17. Simik

    Simik New Member

    this returns
    Code:
    -bash: acme.sh: command not found
    but acme.sh is installed o_O
     
    Last edited: Dec 8, 2024
  18. remkoh

    remkoh Active Member HowtoForge Supporter

    Then try it with the full path, which should be /root/.acme.sh/acme.sh
    But something seems fishy with your acme.sh install.
     