Let's Encrypt certs not creating and renewing

Discussion in 'Installation/Configuration' started by Simik, Nov 30, 2024 at 11:05 AM.

  1. Simik

    Simik New Member

    Hello,

    Let's Encrypt certificates are not renewing for the sites hosted on my server...
    I tried to check/uncheck the box, even waited a few days...
    I tried to delete files from /.acme.sh/XXX.com and recheck the box...
    I tried to create a new site, it didn't create the certificate...
    ISPConfig Version: 3.2.12p1 on Debian 10

    htf report:
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
     
    [INFO] uptime:  21:13:01 up 6 days, 10:29,  1 user,  load average: 0.06, 0.14, 0.16
     
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:          3.8Gi       1.8Gi       1.0Gi        15Mi       1.0Gi       1.8Gi
    Swap:         1.0Gi       165Mi       858Mi
     
    [INFO] systemd failed services status:
    0 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.12p1
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.3.31-1~deb10u7
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.3.31
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
        Apache 2 (PID 29924)
    [INFO] I found the following mail server(s):
        Postfix (PID 14593)
    [INFO] I found the following pop3 server(s):
        Dovecot (PID 14642)
    [INFO] I found the following imap server(s):
        Dovecot (PID 14642)
    [INFO] I found the following ftp server(s):
        PureFTP (PID 14814)
    
    ##### LISTENING PORTS #####
    (only        ()
    Local        (Address)
    [localhost]:10027        (14593/master)
    [anywhere]:587        (14593/master)
    [localhost]:11211        (464/memcached)
    [anywhere]:110        (14642/dovecot)
    [anywhere]:143        (14642/dovecot)
    [anywhere]:465        (14593/master)
    ***.***.***.***:53        (14841/named)
    [localhost]:53        (14841/named)
    [anywhere]:21        (14814/pure-ftpd)
    [anywhere]:22        (525/sshd)
    [localhost]:953        (14841/named)
    [anywhere]:25        (14593/master)
    [anywhere]:993        (14642/dovecot)
    [anywhere]:995        (14642/dovecot)
    [localhost]:8997        (467/php-fpm:)
    [localhost]:10023        (637/postgrey)
    [localhost]:10024        (14627/amavisd-new)
    [localhost]:10025        (14593/master)
    [localhost]:10026        (14627/amavisd-new)
    *:*:*:*::*:587        (14593/master)
    [localhost]10        (14642/dovecot)
    [localhost]43        (14642/dovecot)
    *:*:*:*::*:8080        (29924/apache2)
    *:*:*:*::*:80        (29924/apache2)
    *:*:*:*::*:8081        (29924/apache2)
    *:*:*:*::*:465        (14593/master)
    *:*:*:*::*:53        (14841/named)
    *:*:*:*::*:21        (14814/pure-ftpd)
    *:*:*:*::*:22        (525/sshd)
    *:*:*:*::*:953        (14841/named)
    *:*:*:*::*:25        (14593/master)
    *:*:*:*::*:443        (29924/apache2)
    *:*:*:*::*:993        (14642/dovecot)
    *:*:*:*::*:995        (14642/dovecot)
    *:*:*:*::*:10023        (637/postgrey)
    *:*:*:*::*:10024        (14627/amavisd-new)
    *:*:*:*::*:10026        (14627/amavisd-new)
    *:*:*:*::*:3306        (14289/mysqld)
    
    
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination         
    f2b-pure-ftpd  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 21
    f2b-postfix-sasl  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 25
    f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination         
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination         
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain f2b-postfix-sasl (1 references)
    target     prot opt source               destination         
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    Chain f2b-pure-ftpd (1 references)
    target     prot opt source               destination         
    RETURN     all  --  [anywhere]/0            [anywhere]/0           
    
    
    
    
    ##### LET'S ENCRYPT #####
    acme.sh is installed in /root/.acme.sh/acme.sh
    and debug:

    Code:
    /usr/local/ispconfig/server/server.sh
    29.11.2024-22:34 - DEBUG [plugins.inc:155] - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    29.11.2024-22:34 - DEBUG [server:184] - Found 3 changes, starting update process.
    29.11.2024-22:34 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:34 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client1/web2' - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web2' - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client1/web2'|awk 'END{print $2,$NF}' - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web2' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web2' 604800 604800 -a &> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web2' - return code: 0
    29.11.2024-22:34 - DEBUG [letsencrypt.inc:393] - Verified domain brm.XXX.com should be reachable for letsencrypt.
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:34 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: brm.XXX.com
    29.11.2024-22:34 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
    29.11.2024-22:34 - DEBUG [system.inc:1826] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d brm.XXX.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert  -d brm.XXX.com --key-file '/var/www/clients/client1/web2/ssl/brm.XXX.com-le.key' --fullchain-file '/var/www/clients/client1/web2/ssl/brm.XXX.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C  ; fi
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/brm.XXX.com.vhost
    29.11.2024-22:34 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:34 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /opt/php-5.6/etc/php-fpm.d/web2.conf
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php-5.6-fpm' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php-5.6-fpm.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
    29.11.2024-22:35 - DEBUG [modules.inc:240] - Processed datalog_id 96
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/XXX.com.vhost
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web1.conf
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php7.3-fpm' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php7.3-fpm.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
    29.11.2024-22:35 - DEBUG [modules.inc:240] - Processed datalog_id 97
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [plugins.inc:118] - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr -i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: df -T '/var/www/clients/client1/web1'|awk 'END{print $2,$NF}' - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -u 'web1' '0' '0' 0 0 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: setquota -T -u 'web1' 604800 604800 -a &> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: chattr +i '/var/www/clients/client1/web1' - return code: 0
    29.11.2024-22:35 - DEBUG [letsencrypt.inc:393] - Verified domain XXX.com should be reachable for letsencrypt.
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [letsencrypt.inc:436] - Create Let's Encrypt SSL Cert for: XXX.com
    29.11.2024-22:35 - DEBUG [letsencrypt.inc:437] - Let's Encrypt SSL Cert domains:
    29.11.2024-22:35 - DEBUG [system.inc:1826] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d XXX.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert  -d XXX.com --key-file '/var/www/clients/client1/web1/ssl/XXX.com-le.key' --fullchain-file '/var/www/clients/client1/web1/ssl/XXX.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C  ; fi
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:1831] - Enable SSL for: XXX.com
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:1892] - Writing the vhost file: /etc/apache2/sites-available/XXX.com.vhost
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:3464] - Writing the PHP-FPM config file: /etc/php/7.3/fpm/pool.d/web1.conf
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartPHP_FPM' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'php7.3-fpm' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:316] - Restarting php-fpm: systemctl reload php7.3-fpm.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2010] - Apache status is: running
    29.11.2024-22:35 - DEBUG [services.inc:56] - Calling function 'restartHttpd' from module 'web_module'.
    29.11.2024-22:35 - DEBUG [system.inc:2089] - Trying to use Systemd to restart service
    29.11.2024-22:35 - DEBUG [system.inc:2436] - safe_exec cmd: systemctl is-enabled 'apache2' 2>&1 - return code: 0
    29.11.2024-22:35 - DEBUG [web module.inc:246] - Restarting httpd: systemctl restart apache2.service
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2013] - Apache restart return value is: 0
    29.11.2024-22:35 - DEBUG [apache2 plugin.inc:2024] - Apache online status after restart is: running
    29.11.2024-22:35 - DEBUG [modules.inc:240] - Processed datalog_id 98
    29.11.2024-22:35 - DEBUG [server:224] - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    According to the log, the certificate has been created successfully. So your issue might not be an SSL certificate problem on the server. Maybe you access a different server when testing the site or something similar.

    If you could delete a cert file, then this means it was created successfully. And that's also what the debug log showed you. So you do not have an issue creating LE certs for the site. Also, do not manually delete /.acme.sh/XXX.com when you want to issue a cert as this might cause failures in future. Just follow the Let's Encrypt FAQ post, which does not tell you to do this for that reason.
     
  3. Simik

    Simik New Member

    But the files in /.acme.sh/XXX.com are still the same... Nothing new...
    When I try the website, the certificate has been expired since 18.11...
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Either you deleted it as you said, then it can't be the same content, or you did not delete it and the cert was already renewed, then it's fine that it's the same. As I said, there can be many other causes not related to SSL cert renewal, and according to the logs, SSL cert renewal is not your issue.

    Have you manually stopped the web server, verified it is stopped, and then started it again? Does it help?
    Post the ls -la from the cert directory, and from the SSL directory of the site, and the host file of that site.
    Is this site possibly a site for the server's hostname? If yes, then what you describe is normal, as you cannot have a site for the hostname plus ISPConfig using it for the main cert. Either ISPConfig or this site will not have a valid SSL cert then due to that misconfiguration; the only way to do that is by symlinking the certs in such a manual setup.
     
  5. Simik

    Simik New Member

    I deleted the files because it helped other guys... As it didn't change anything, I restored the original files... So the content is the same as before.

    Restarting the server doesn't change anything; the ssl directory is empty.
    The site is under brm.XXX.com, ISPConfig is under server1.XXX.com... All certificates have expired, none of them is renewing, and certificates are not created for new sites....
     
  6. michelangelo

    michelangelo Active Member

    Do you host any other domains on your server, except XXX.com, and can you issue LE certs without problems on your server for those?

    In case of a yes, you should check the zone of your domain for CAA records. If there are any CAA records set that don't relate to Let's Encrypt then you have two options: Delete the CAA records OR add the LE CA as CAA record to your zone.

    However, the acme.log in /var/log/ispconfig should generally give insight into what might be wrong when issuing the LE cert.
    Have you had a look at this file?
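    The CAA check michelangelo describes, written out as an added shell example (not code from the thread or from ISPConfig): it evaluates only the non-wildcard "issue" rule against Let's Encrypt's CAA identifier letsencrypt.org, and the live lookup assumes `dig` is installed.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): the CAA check michelangelo
# suggests, run offline on the answer lines of `dig +short CAA <zone>`,
# e.g.  0 issue "letsencrypt.org"
# Exit 0 when Let's Encrypt may issue a non-wildcard cert, 1 when CAA blocks it.
caa_allows_le() (
    issue_seen=0
    IFS='
'
    set -f                               # no globbing while splitting lines
    for line in $1; do
        IFS=' '
        set -- $line                     # <flags> <tag> <value...>
        [ $# -ge 3 ] || continue
        tag=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
        shift 2
        value="$*"
        IFS='
'
        [ "$tag" = "issue" ] || continue # issuewild only governs wildcards
        issue_seen=1
        # strip the quotes, drop ";param=value" parameters, normalise case
        ca=${value#\"}; ca=${ca%\"}; ca=${ca%%;*}
        ca=$(printf '%s' "$ca" | tr -d ' \t' | tr 'A-Z' 'a-z')
        [ "$ca" = "letsencrypt.org" ] && exit 0
    done
    # RFC 8659: a CAA set with no "issue" property does not restrict issuance,
    # whereas 'issue ";"' forbids every CA.
    [ "$issue_seen" -eq 0 ] && exit 0
    exit 1
)

# Live variant: CAA is inherited from the closest ancestor that has records,
# so walk from the host name up through its parents (needs dig).
live_caa_check() {
    name=$1
    while [ "$name" != "${name#*.}" ]; do
        out=$(dig +short CAA "$name" 2>/dev/null)
        if [ -n "$out" ]; then
            printf 'CAA records at %s:\n%s\n' "$name" "$out"
            caa_allows_le "$out" && { echo "letsencrypt.org may issue for $1"; return 0; }
            echo "CAA at $name does not permit letsencrypt.org"; return 1
        fi
        name=${name#*.}
    done
    echo "no CAA records for $1 or its parents: issuance unrestricted"
}

# Constructed samples (not real zones): one pinned to another CA, one that
# lists Let's Encrypt with a validation-method parameter.
SAMPLE_BLOCKED='0 issue "digicert.com"
0 iodef "mailto:hostmaster@example.com"'
SAMPLE_ALLOWED='0 issue "digicert.com"
0 issue "letsencrypt.org; validationmethods=http-01"'

if [ $# -gt 0 ]; then
    live_caa_check "$1"                  # e.g. sh caa_check.sh brm.XXX.com
else
    caa_allows_le "$SAMPLE_BLOCKED" || echo "sample 1: CAA blocks Let's Encrypt"
    caa_allows_le "$SAMPLE_ALLOWED" && echo "sample 2: CAA allows Let's Encrypt"
fi
```

    Run it with the site's host name to see which zone level carries the CAA set; with no argument it only evaluates the constructed samples.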
     
  7. Simik

    Simik New Member

    I tried YYY.com and it doesn't create a certificate for YYY.com...

    acme.log is empty
     
  8. Simik

    Simik New Member

    When forcing an ISPConfig update, it says
    Code:
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/server1.XXX.com
    Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.
    I checked the file and it's not missing o_O
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Of course, it was missing when this message was written on the screen. ;) ISPConfig fixed it afterward by putting a self-signed SSL cert there, as your webserver would have failed to start otherwise.
     
  10. variable99

    variable99 Member HowtoForge Supporter

    The best (fastest) way to regenerate SSL:
    1. rm /usr/local/ispconfig/interface/ssl/ispserver.*
    2. ispconfig_update.sh --force
    3. Select Y when you are asked for SSL. Be sure that the server hostname points to the server IP (turn off Cloudflare protection if any);
    That's it.
    And to permanently fix the problem enable default-ssl.conf with these lines (default conf has snakeoil certs):

    Code:
    SSLCertificateFile      /usr/local/ispconfig/interface/ssl/ispserver.pem
    SSLCertificateKeyFile   /usr/local/ispconfig/interface/ssl/ispserver.key
    
     
