Let's Encrypt SSL Not Working (No errors)

Discussion in 'Installation/Configuration' started by UTF_8x, Nov 2, 2020.

Thread Status:
Not open for further replies.
  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Again, you should set up a subdomain to be your hostname instead of rothmedia.net. So change your hostname to that and then issue a cert for that hostname and use it for the panel.
     
  2. Taxi

    Taxi Member

    Yes, this should work. Many thanks!
     
  3. Taxi

    Taxi Member

    Thanks for your patience with me!
    Just to double check.
    I create a subdomain vhost within the ISPConfig tool. Check the Let's Encrypt button to create the certificate for this subdomain. Then I go to /var/www/sun.rothmedia.net/ssl/ and copy these certificates to /usr/local/ispconfig/interface/ssl/ and change the names to ispconfig.crt and ispconfig.key. And copy both files into ispconfig.pem
    Correct?
    The server /etc/hostname is already 'sun'
    And /etc/hosts is sun.rothmedia.net sun
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Wrong. Since you created the LE SSL certs manually, follow my tutorial in @Th0m answer. I currently prefer to use ISPConfig 3.2 installer / updater to secure my ISPConfig server (hook based) but many still prefer using the tutorial (incron based). Both approaches symlink the certs rather than copy them.
     
  6. Taxi

    Taxi Member

    Yes, I symlinked them to the location above. While ISPConfig does renew them, I'm on the safe side. Many thanks!
    I wanted to secure my ISPConfig server as well with the 3.2 updater, but it does not work.
     
  7. Taxi

    Taxi Member

    Many thanks for the tutorials! They are very good.
    As I understand, for ISPConfig 3.2 the certificates are not in
    /etc/letsencrypt/live/$(hostname -f)/ but in /var/www/$(hostname -f)/ and in /root/.acme.sh/$(hostname -f)/
    Cron runs the acme.sh script and renews the certificates. Are they renewed in both places? Then it doesn't matter where I link the ispserver.crt and ispserver.key, correct?
    You're linking fullchain.pem to ispserver.crt. Why not the .cer to ispserver.crt?

    For securing the mail server I have the following question:
    Why do you recommend creating the subdomain.domain.tld as a website and not as a subdomain?
    Is it because the alias domains?
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should use /root/.acme.sh/$(hostname -f)/ instead of the old /etc/letsencrypt path in 3.2 and above if you haven't installed certbot instead of acme.sh.
    You should create it as a website so the cert is just for the panel and you can use the main domain for other stuff without it ever interfering. Plus the alias domains can only be an alias of a website and not a subdomain :)
     
    ahrasis likes this.
  9. Taxi

    Taxi Member

    I understand. Many thanks for your help. I'm very happy with my new server config tool! So good that developers like you are doing such a great job!
     
    Th0m likes this.
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I missed that you use acme.sh, so I have to clarify that my symlink advice is for certbot.

    To note, the default approach for acme.sh in the ISPConfig installer or updater is to install the certs directly to the ISPConfig ssl folder, as acme.sh always keeps the issued certs inside its hidden folder but can install certs elsewhere. Therefore I am not sure a symlink is best for acme.sh issued or installed certs, since the developer clearly wants the certs to be installed in the ISPConfig ssl folder directly.

    I am not very well versed in acme.sh and was not the one writing it, so I hope the writer of that code can explain the reasoning behind such approach.
     
  11. Taxi

    Taxi Member

    I could issue the certificates and resolve all the problems. Many thanks to you all!
    Now also the ispconfig_update.sh --force is working without errors, issuing a new certificate.
    ISPConfig is running on my Debian bullseye/testing with PHP 7.4. :)
    I'm very happy with this powerful and user friendly server configuration tool and also with the excellent support from you here!
    Many, many thanks!
     
    Th0m likes this.
  12. dsgagi

    dsgagi New Member

    Hello. I experienced the same issue, so sorry in advance if I had to open a new thread. :)

    We have 30+ ISPConfig instances so I started updating them to 3.2 version right before NY. Replacing the self-signed certs with LE certs failed with first 4 or 5 servers that I tried (with error "Verify error:Invalid response from"), and so I decided to look into the problem after the NY break (I created new self-signed certs on those servers). :)

    I noticed that, on the first run, the update script always tries using "/etc/letsencrypt/live" for the certificate path. Only on subsequent runs will it try using "/root/.acme.sh/hostname". So it would fail to use the LE cert on the first run, fall back to self-signed, and on the second forced update it will successfully replace the self-signed cert with the LE cert.

    These servers either didn't have any LE client or folders before, or I made sure to clean certbot client and "/etc/letsencrypt" folder before running the update. OS is Deb9 or Deb10 with apache webserver.

    I took a glance today on the update script/code and I think that this part should be modified in "installer_base.lib.php".

    PHP:
            // Candidate certificate locations, tried in this order:
            // ISPConfig's own scripts dir, then acme.sh's home, then certbot's live dir.
            swriteln('Checking / creating certificate for ' . $hostname);

            $acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
            $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
            if(!@is_dir($acme_cert_dir)) {
                $acme_cert_dir = '/root/.acme.sh/' . $hostname;
                $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
                if(!@is_dir($acme_cert_dir)) {
                    // Final fallback is the certbot path, whether or not it exists.
                    $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
                    $check_acme_file = $acme_cert_dir . '/cert.pem';
                }
            }
    As it is now, if no LE clients or folders are found, certificate path would always fall back to "/etc/letsencrypt/live/" first, but this folder doesn't exist and is never created. I then noticed that "/root/.acme.sh/hostname" folder was created after the first update run. The check for "/etc/letsencrypt/live/hostname" folder should probably come before "/root/.acme.sh/hostname" folder.
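Added example (my own sketch, not ISPConfig's installer code): the lookup order from the PHP above, implemented twice in Python, once as the directory-only check the snippet does and once requiring the leaf cert and key files to actually exist. It also returns the file to point ispserver.crt at (fullchain, as asked in post 7). The acme.sh and certbot file names, the temp tree and the hostname are assumptions constructed for the demo.

```python
import tempfile
from pathlib import Path

# Candidate locations in the order of the installer snippet quoted above.
# File names are assumptions: acme.sh keeps <host>.cer / fullchain.cer / <host>.key,
# certbot keeps cert.pem / fullchain.pem / privkey.pem.
def candidates(hostname, root="/"):
    r = Path(root)
    acme_files = (f"{hostname}.cer", "fullchain.cer", f"{hostname}.key")
    return [
        ("acme.sh", r / "usr/local/ispconfig/server/scripts" / hostname, *acme_files),
        ("acme.sh", r / "root/.acme.sh" / hostname, *acme_files),
        ("certbot", r / "etc/letsencrypt/live" / hostname,
         "cert.pem", "fullchain.pem", "privkey.pem"),
    ]

def dir_only_lookup(hostname, root="/"):
    """Mirror of the posted PHP: first directory that exists,
    else fall through to the certbot path whether it exists or not."""
    cands = candidates(hostname, root)
    for _client, d, *_files in cands:
        if d.is_dir():
            return d
    return cands[-1][1]

def usable_cert(hostname, root="/"):
    """Stricter check: first location where leaf cert AND key are files.
    Returns (client, chain file to link as ispserver.crt, key file) or None."""
    if "/" in hostname or hostname in ("", ".", ".."):
        raise ValueError("hostname must be a plain host name")
    for client, d, cert, chain, key in candidates(hostname, root):
        if (d / cert).is_file() and (d / key).is_file():
            full = d / chain if (d / chain).is_file() else d / cert
            return client, full, d / key
    return None

def demo(hostname="sun.example.test"):
    """Constructed tree: the acme.sh directory exists but holds no cert yet,
    the situation the post above describes after a first installer run."""
    root = tempfile.mkdtemp()
    acme = Path(root) / "root/.acme.sh" / hostname
    acme.mkdir(parents=True)
    before = (dir_only_lookup(hostname, root) == acme, usable_cert(hostname, root))
    (acme / f"{hostname}.cer").write_text("-- constructed placeholder cert --")
    (acme / f"{hostname}.key").write_text("-- constructed placeholder key --")
    (acme / "fullchain.cer").write_text("-- constructed placeholder chain --")
    after = usable_cert(hostname, root)
    return before, after
```

In `demo()` the directory-only check already "finds" the empty acme.sh directory, while the file-based check reports nothing usable until the cert and key are present.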
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Could you open an issue for this on our GitLab so we can look into it? Thanks!
     
  14. Taxi

    Taxi Member

    Hello dsgagi. Maybe it is because you have both letsencrypt and acme.sh installed. I'm using only acme.sh and it works fine.
     
  15. dsgagi

    dsgagi New Member

    Nope, either it had no clients before or I cleaned up all certbot files before that.

    @Th0m
    Sure, will do. Thanks.
     
  16. config.zerosub.de

    config.zerosub.de New Member

    Hi Th0m,
    I'm a long term ispconfig user (since version 2). I recently decided to switch my server from Debian8 to a recent version.
    I'm running a Debian10 VM on Proxmox on a Hetzner Server. I did the "perfect Setup" tutorial twice. At the point where Letsencrypt gets involved, I get the following error:
    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]:
    Checking / creating certificate for xxx.xxxxxx.xx
    Using certificate path /etc/letsencrypt/live/xxx.xxxxxx.xx
    Using apache for certificate validation
    Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing.
    Falling back to self-signed. Generating RSA private key, 4096 bit long modulus (2 primes)


    The hostname is configured properly and the IP is pointing to the right machine. I cannot find the problem. Even when I go further, letsencrypt is not able to issue any certificate. To me there seems to be a problem with the acme.sh
    Doing ispconfig_update.sh --force results in the same error.

    Could there be something wrong with the acme.sh implementation in the recent setup?
     
  17. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  18. config.zerosub.de

    config.zerosub.de New Member

  19. config.zerosub.de

    config.zerosub.de New Member

    Thanks for the hint Taleman, it's what I did first (2 weeks ago).

    The Server is a fresh install, new hostname, single own IP.
    All pointing towards the right machine(isp.zerosub.de).
    As mentioned above, the ispconfig install script always fails at the same point -> acme.sh

    And my goal was not to hijack, but to gather information at the right point.
    Would it be better to open a fresh topic for this?
     
  20. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Yes.
     