Let’s Encrypt SSL issue after server migration from ISPconfig3.1x to 3.2x

Discussion in 'Installation/Configuration' started by Martin Roman, Jan 22, 2021.

  1. Martin Roman

    Martin Roman New Member

    Hello,

    I have an issue with the Let’s Encrypt certificate after migration from a Debian 10 server with ISPconfig3.1x to Debian 10 with ISPconfig 3.2x.

    Source server:
    Debian 10 server with ISPconfig3.1x

    Target server:
    Debian 10 with ISPconfig 3.2x.

    I have a license of ISPconfig Migration Tool, I installed the migration tool in source server according to instructions found at https://www.howtoforge.com/tutorial...-confixx-plesk-to-ispconfig-31-single-server/

    After performing the migration, the log showed the following (last lines):
    ==================
    2021-01-21 00:54:03 - [INFO] Found 0 invoice sepa xml export entries.
    2021-01-21 00:57:32 - [INFO] Successfully executed command PHP=$(which php) && $PHP -r "print PHP_VERSION;"
    2021-01-21 00:57:52 - [INFO] File ~/.my.cnf does not exist.
    2021-01-21 00:57:52 - [INFO] File /etc/mysql/debian.cnf exists.
    2021-01-21 00:57:52 - [INFO] File /root/migration/v71/my-e3WOwO successfully transferred.
    2021-01-21 00:57:53 - [INFO] Successfully executed command mysql -h 'localhost' -u 'root' -p'EnkNAGqB8bzXfQEUkapA' -e "SELECT VERSION();"
    2021-01-21 00:57:53 - [INFO] Successfully executed command mysql -h 'localhost' -u 'root' -p'EnkNAGqB8bzXfQEUkapA' -s -e "SELECT @@max_allowed_packet;"
    2021-01-21 00:57:53 - [INFO] Config file saved.
    2021-01-21 00:57:53 - [INFO] Directory /etc/letsencrypt does not exist.
    2021-01-21 00:57:54 - [INFO] Directory /root/.acme.sh exists.
    2021-01-21 00:57:54 - [WARN] The target server has a different Let'sEncrypt client than this server. We cannot copy over certificates!
    ======================
    As you can see in the last line, there was an issue with the SSL.


    The site (email) is working well, except that the web page cannot be shown over the internet because the Let’s Encrypt certificate is not present.

    Upon checking the target server I found that Let's Encrypt was not installed. I installed it by running: apt-get install certbot

    In the target server I see that in /var/www/clients/client1/web2/ssl/ there are three entries or symlinks like this:

    root@mail:/var/www/clients/client1/web2/ssl# ls
    mysite.com-le.bundle mysite.com-le.crt mysite.com-le.key

    My question is:

    How could I install or reinstall the Let’s Encrypt certificate for the site?

    Any feedback will be appreciated.

    Regards,

    Martin
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Perhaps you had acme.sh installed on that new server? How was ISPConfig installed originally? The auto-install script by ISPConfig installs acme.sh. So maybe it was a mistake to install certbot if you now have both acme.sh and certbot.
     
  3. Martin Roman

    Martin Roman New Member

  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. Martin Roman

    Martin Roman New Member

    Hi Taleman,
    Thank you for your post.
    Here is the information about acme.
    root@mail:~# dpkg --list | grep -i acme
    ii python3-acme 0.31.0-2 all ACME protocol library for Python 3
    root@mail:~# ls -lh /root/.acme*
    total 236K
    -rw-r--r-- 1 root root 225 ene 22 11:13 account.conf
    -rwxr-xr-x 1 root root 203K ene 20 19:22 acme.sh
    -rw-r--r-- 1 root root 78 ene 20 19:22 acme.sh.env
    drwxr-xr-x 3 root root 4,0K ene 22 08:51 ca
    drwxr-xr-x 2 root root 4,0K ene 20 19:22 deploy
    drwxr-xr-x 2 root root 4,0K ene 20 19:22 dnsapi
    -rw-r--r-- 1 root root 230 ene 22 11:13 http.header
    drwxr-xr-x 3 root root 4,0K ene 22 08:51 mysite.com <=== edited fo
    drwxr-xr-x 2 root root 4,0K ene 20 19:22 notify
    ===========
    It seems that acme.sh is installed and certbot is also installed (I installed it manually).

    Below is the output of the ISPConfig test script:
    ==============
    root@mail:~# wget -q -O htf-common-issues.php "http://gitplace.net/pixcept/ispconfig-tools/raw/stable/htf-common-issues.php" && php -q htf-common-issues.php

    ##### SCRIPT FINISHED #####
    Results can be found in htf_report.txt
    To view results use your favourite text editor or type 'cat htf_report.txt | more' on the server console.

    If you want to see the non-anonymized output start the script with --debug as parameter (php -q htf-common-issues.php --debug).

    root@mail:~# cat htf_report.txt | more

    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] uptime: 12:44:36 up 1:51, 2 users, load average: 0,00, 0,00, 0,00
    [INFO] memory:
    total used free shared buff/cache available
    Mem: 986Mi 314Mi 124Mi 43Mi 546Mi 486Mi
    Swap: 1,0Gi 509Mi 514Mi
    [INFO] ISPConfig is installed.

    ##### ISPCONFIG #####
    ISPConfig version is 3.2.2


    ##### VERSION CHECK #####

    [INFO] php (cli) version is 7.3.26-1+0~20210112.74+debian10~1.gbpd78724

    ##### PORT CHECK #####


    ##### MAIL SERVER CHECK #####


    ##### RUNNING SERVER PROCESSES #####

    [INFO] I found the following web server(s):
    Apache 2 (PID 889)
    [INFO] I found the following mail server(s):
    Postfix (PID 1139)
    [INFO] I found the following pop3 server(s):
    Dovecot (PID 619)
    [INFO] I found the following imap server(s):
    Dovecot (PID 619)
    [INFO] I found the following ftp server(s):
    PureFTP (PID 977)

    ##### LISTENING PORTS #####
    (only ()
    Local (Address)
    [anywhere]:143 (619/dovecot)
    [anywhere]:465 (1139/master)
    [anywhere]:21 (977/pure-ftpd)
    ***.***.***.***:53 (634/named)
    [localhost]:53 (634/named)
    [anywhere]:22 (627/sshd)
    [anywhere]:25 (1139/master)
    [localhost]:953 (634/named)
    [anywhere]:4190 (619/dovecot)
    [anywhere]:993 (619/dovecot)
    [anywhere]:995 (619/dovecot)
    [localhost]:11332 (659/rspamd:)
    [localhost]:11333 (659/rspamd:)
    [localhost]:11334 (659/rspamd:)
    [localhost]:10023 (717/postgrey)
    [anywhere]:587 (1139/master)
    [localhost]:6379 (656/redis-server)
    [localhost]:11211 (593/memcached)
    [anywhere]:110 (619/dovecot)
    [localhost]43 (619/dovecot)
    *:*:*:*::*:8080 (889/apache2)
    *:*:*:*::*:80 (889/apache2)
    *:*:*:*::*:465 (1139/master)
    *:*:*:*::*:8081 (889/apache2)
    *:*:*:*::*:21 (977/pure-ftpd)
    *:*:*:*::*:53 (634/named)
    *:*:*:*::*:22 (627/sshd)
    *:*:*:*::*:25 (1139/master)
    *:*:*:*::*:953 (634/named)
    *:*:*:*::*:443 (889/apache2)
    *:*:*:*::*:4190 (619/dovecot)
    *:*:*:*::*:993 (619/dovecot)
    *:*:*:*::*:995 (619/dovecot)
    *:*:*:*::*:11332 (659/rspamd:)
    *:*:*:*::*:11333 (659/rspamd:)
    *:*:*:*::*:11334 (659/rspamd:)
    *:*:*:*::*:10023 (717/postgrey)
    *:*:*:*::*:3306 (718/mysqld)
    *:*:*:*::*:587 (1139/master)
    *:*:*:*::*:6379 (656/redis-server)
    [localhost]10 (619/dovecot)

    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    f2b-postfix-sasl tcp -- [anywhere]/0 [anywhere]/0 multiport dports 25
    f2b-sshd tcp -- [anywhere]/0 [anywhere]/0 multiport dports 22

    Chain FORWARD (policy ACCEPT)
    target prot opt source destination

    Chain OUTPUT (policy ACCEPT)
    target prot opt source destination

    Chain f2b-sshd (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    Chain f2b-postfix-sasl (1 references)
    target prot opt source destination
    RETURN all -- [anywhere]/0 [anywhere]/0

    root@mail:~#
    =========================
    Help and assistance will be appreciated.
    Regards,
    Martin
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Uninstall acme.sh.
    2) Check that all old certs are there in /etc/letsencrypt/...
    3) Run Tools > resync in ISPConfig on the new server, it should find the existing certs and add them to the websites.
     
  7. Martin Roman

    Martin Roman New Member

    Hi Till,
    Thank you for your post.
    The issue has been fixed. This is what I did:
    1.- I uninstalled acme.sh.
    2.- The old certs were not present on the new (target) server. I transferred them from the old server by rsync.
    3.- I enabled SSL and Let's Encrypt in Sites ISPconfig....
    4.- The page loads fine with SSL.
    I did not perform Run Tools > resync in ISPConfig on the new server. Is it still necessary?
    Thank you for your help and assistance.
    Regards,
    Martin
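
A check for the state this thread describes (which ACME client directories exist on the target, and whether the site's `<domain>-le.crt` / `<domain>-le.key` entries resolve to a matching, unexpired pair after the rsync), as an added example that is not part of the original posts. The function names are this example's own; the paths and file names are the ones shown in the thread.

```shell
#!/bin/sh
# Added example: post-migration check of ACME client state and a site's cert files.
# Paths and <domain>-le.* names come from the thread; function names are hypothetical.

# acme_clients ROOT: print certbot, acme.sh, both or none, depending on which
# client state directories exist. ROOT is "" on a live server.
acme_clients() {
    ac_found=none
    [ -d "$1/etc/letsencrypt" ] && ac_found=certbot
    if [ -d "$1/root/.acme.sh" ]; then
        if [ "$ac_found" = certbot ]; then ac_found=both; else ac_found=acme.sh; fi
    fi
    echo "$ac_found"
}

# cert_matches_key CRT KEY: succeed only if both files parse and carry the
# same public key (compared as PEM SubjectPublicKeyInfo).
cert_matches_key() {
    cm_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cm_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cm_crt" = "$cm_key" ]
}

# check_site SSL_DIR DOMAIN: print one verdict for the site's Let's Encrypt files.
# "missing" also covers symlinks whose target was not copied to the new server;
# "mismatch" also covers files that openssl cannot parse.
check_site() {
    cs_crt="$1/$2-le.crt" cs_key="$1/$2-le.key"
    [ -e "$cs_crt" ] && [ -e "$cs_key" ] || { echo missing; return 1; }
    cert_matches_key "$cs_crt" "$cs_key" || { echo mismatch; return 1; }
    openssl x509 -in "$cs_crt" -noout -checkend 0 >/dev/null || { echo expired; return 1; }
    echo ok
}

# Live use: sh check.sh /var/www/clients/client1/web2/ssl mysite.com
if [ $# -eq 2 ]; then
    echo "ACME client state: $(acme_clients "")"
    check_site "$1" "$2"
fi
```

A result of `both` from `acme_clients` corresponds to the situation in post 5, where acme.sh and certbot were installed side by side.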
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    No. It just would have saved step 3, but only if the SSL and let's encrypt checkboxes were active before.
     
