Let's Encrypt on ISPConfig 3.1.1 will not work

Discussion in 'Installation/Configuration' started by ressel, Oct 27, 2016.

  1. ressel

    ressel Member

    Hello,
    I have installed a new webserver on my multiserver setup with Nginx.
    But now I have this problem: when I activate SSL + Let's Encrypt, I can see the cert is generated as it should, but Nginx fails to restart because of a wrong path to the cert. Check this out:
    This is from my vhost (error file):
    Code:
            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_certificate /var/www/clients/client1/web673/ssl/hostname.domain.tld.crt;
            ssl_certificate_key /var/www/clients/client1/web673/ssl/hostname.domain.tld.key;
    This is what my SSL folder looks like with ls -l:
    Code:
    lrwxrwxrwx 1 root root   58 okt 27 10:29 hostname.domain.tld-le.crt -> /etc/letsencrypt/live/hostname.domain.tld/fullchain.pem
    -r-------- 1 root root 3810 okt 27 10:29 hostname.domain.tld-le.crt.old.20161027102901
    lrwxrwxrwx 1 root root   56 okt 27 10:29 hostname.domain.tld-le.key -> /etc/letsencrypt/live/hostname.domain.tld/privkey.pem
    -r-------- 1 root root 3272 okt 27 10:29 hostname.domain.tld-le.key.old.20161027102901
    As you can see, the file name does not match, because the file name is not the same as in the vhost file:
    Vhost file:
    hostname.domain.tld.crt
    ssl folder:
    hostname.domain.tld-le.crt

    Any idea how I can solve this, or is this a bug in ISPConfig 3.1.1?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Please try to replace the lines:

    ssl_certificate <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt;
    ssl_certificate_key <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.key;

    with

    ssl_certificate <tmpl_var name='ssl_crt_file'>;
    ssl_certificate_key <tmpl_var name='ssl_key_file'>;

    in /usr/local/ispconfig/server/conf/nginx_vhost.conf.master
     
  3. Archi

    Archi New Member

    I can confirm that I've met with the same issue, and your fix worked for me, till, thank you!

    I'd be grateful if you could take a look into the ISP source PHP files and correct it the way you suggested, because I've been wondering for months why ISP was generating wrong paths for my cert files. I'm not entirely sure why the original solution works for some people and doesn't for others, but your suggestion definitely fixed my issue, so thanks once again!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I will add the change for the bug introduced with the 3.1.1 release last week into GIT and make a patch release.

    It's impossible that you had this problem for weeks, as the change in the code that required the above path change has been in the ISPConfig code only since ISPConfig 3.1.1, so you could not have had this issue before.
     
  5. ressel

    ressel Member

    Thank you, now it's working.
     
  6. linus

    linus Member

    I have a similar problem with Apache and ISPConfig 3.1.1p1:

    Starting httpd: [Sat Oct 29 09:39:05 2016] [warn] The Alias directive in /etc/httpd/conf.d/squirrelmail.conf at line 5 will probably never match because it overlaps an earlier Alias.
    Syntax error on line 144 of /etc/httpd/conf/sites-enabled/domain.vhost:
    SSLCertificateFile: file '/var/www/clients/client/web/ssl/domain.crt' does not exist or is empty
    [FAILED]

    /usr/local/ispconfig/server/conf/vhost.conf.master:
    SSLCertificateFile <tmpl_var name='ssl_crt_file'>
    SSLCertificateKeyFile <tmpl_var name='ssl_key_file'>

    Non-working generated .vhost file:
    /etc/httpd/conf/sites-available/domain.vhost.err:
    SSLCertificateFile /var/www/clients/client/web/ssl/domain.crt
    SSLCertificateKeyFile /var/www/clients/client/web/ssl/domain.key
    SSLCACertificateFile /var/www/clients/client/web/ssl/domain.bundle

    /var/www/clients/client/web/ssl/domain-le.* files are generated correctly (with the appended -le causing the problem)

    Btw, the new 3.1 looks great, good job, thank you Till & Co!!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if you use a custom vhost file which does not contain the changes implemented in 3.1.1.
     
  8. linus

    linus Member

    Thank you for your help, and you are right, my mistake! I had a vhost.conf.master override in the folder conf-custom to allow Varnish's custom ports! I inserted the lines from the old template into the new one and the certificates work crazy well! Wonderful =)
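
A check for the mismatch discussed in this thread, as an added example that is not part of any post and is not ISPConfig code: it reads a generated vhost file, lists every certificate or key path (nginx or Apache directives) that is missing or empty on disk, and notes when the `-le` variant of the name exists instead. The function names `tls_paths`, `check_vhost_tls` and `demo` are hypothetical, the sample files are constructed, and paths containing spaces are assumed not to occur.

```shell
#!/bin/sh
# Added example: find TLS file paths a vhost references that are not on disk.

# Print "directive path" for each TLS file directive in vhost file $1.
# Handles the nginx form (trailing ';') and the Apache form (optional quotes).
tls_paths() {
    awk '
        $1 ~ /^(ssl_certificate|ssl_certificate_key|SSLCertificateFile|SSLCertificateKeyFile|SSLCACertificateFile)$/ {
            path = $2
            sub(/;$/, "", path)
            gsub(/"/, "", path)
            print $1, path
        }' "$1"
}

# Print one MISSING line per referenced file that does not exist or is empty.
# [ -s ] follows symlinks, so a dangling symlink is reported as missing too.
check_vhost_tls() {
    tls_paths "$1" | while read -r directive path; do
        [ -s "$path" ] && continue
        ext=${path##*.}
        le_path="${path%.*}-le.$ext"      # name.crt -> name-le.crt
        if [ -s "$le_path" ]; then
            echo "MISSING $directive $path (found $le_path)"
        else
            echo "MISSING $directive $path"
        fi
    done
}

# Constructed demo mirroring the first post: the vhost names <domain>.crt/.key
# while the ssl folder only holds <domain>-le.crt/.key.
demo() {
    d=$(mktemp -d)
    mkdir "$d/ssl"
    echo "constructed cert" > "$d/ssl/hostname.domain.tld-le.crt"
    echo "constructed key"  > "$d/ssl/hostname.domain.tld-le.key"
    cat > "$d/site.vhost" <<EOF
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_certificate $d/ssl/hostname.domain.tld.crt;
        ssl_certificate_key $d/ssl/hostname.domain.tld.key;
EOF
    check_vhost_tls "$d/site.vhost"
    rm -rf "$d"
}
demo
```

Running `check_vhost_tls` on a `.vhost.err` file before retrying the web server restart shows which template variables still expand to the old file names.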
     
