Let's Encrypt woes!

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Nov 8, 2021.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I'm getting emails from letsencrypt saying updates fail:
    Code:
    021-11-08 03:00:14,397:DEBUG:certbot._internal.main:certbot version: 1.8.0
    2021-11-08 03:00:14,399:DEBUG:certbot._internal.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
    2021-11-08 03:00:14,401:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2021-11-08 03:00:14,441:DEBUG:certbot._internal.log:Root logging level set at 20
    2021-11-08 03:00:14,442:INFO:certbot._internal.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-11-08 03:00:14,502:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x7f94272cb198> and installer <certbot._internal.cli.cli_utils._Default object at 0x7f94272cb198>
    2021-11-08 03:00:14,502:DEBUG:certbot._internal.cli:Var post_hook=echo '1' > /usr/local/ispconfig/server/le.restart (set by user).
    2021-11-08 03:00:14,559:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-11-06 06:04:43 UTC.
    2021-11-08 03:00:14,559:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
    2021-11-08 03:00:14,559:INFO:certbot._internal.renewal:Non-interactive renewal: random delay of 4.139148848938282 seconds
    2021-11-08 03:00:18,704:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
    2021-11-08 03:00:18,711:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
    Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f94273081d0>
    Prep: True
    2021-11-08 03:00:18,713:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f94273081d0>
    and installer None
    2021-11-08 03:00:18,713:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2021-11-08 03:00:18,713:WARNING:certbot._internal.renewal:Attempting to renew cert (1stfamilyhomecareinc.com) from /etc/letsencrypt/renewal/1stfamilyhomecareinc.com.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6476580782071d4d31e788842978bc53 does not exist. Skipping.
    2021-11-08 03:00:18,715:DEBUG:certbot._internal.renewal:Traceback was:
    Traceback (most recent call last):
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/renewal.py", line 462, in handle_renewal_request
        main.renew_cert(lineage_config, plugins, renewal_candidate)
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 1181, in renew_cert
        le_client = _init_le_client(config, auth, installer)
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 603, in _init_le_client
        acc, acme = _determine_account(config)
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/main.py", line 507, in _determine_account
        acc = account_storage.load(config.account)
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/account.py", line 246, in load
        return self._load_for_server_path(account_id, self.config.server_path)
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/account.py", line 221, in _load_for_server_path
        prev_loaded_account = self._load_for_server_path(account_id, prev_server_path)
      File "/opt/eff.org/certbot/venv/lib64/python3.6/site-packages/certbot/_internal/account.py", line 231, in _load_for_server_path
        "Account at %s does not exist" % account_dir_path)
    certbot.errors.AccountNotFound: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6476580782071d4d31e788842978bc53 does not exist
    
    2021-11-08 03:00:18,717:DEBUG:certbot._internal.cli:Var post_hook=echo '1' > /usr/local/ispconfig/server/le.restart (set by user).
    2021-11-08 03:00:18,763:DEBUG:certbot._internal.storage:Should renew, less than 30 days before certificate expiry 2021-10-29 06:03:04 UTC.
    2021-11-08 03:00:18,763:INFO:certbot._internal.renewal:Cert is due for renewal, auto-renewing...
    2021-11-08 03:00:18,764:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
    2021-11-08 03:00:18,771:DEBUG:certbot._internal.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot._internal.plugins.webroot:Authenticator
    Initialized: <certbot._internal.plugins.webroot.Authenticator object at 0x7f9427313e10>
    Prep: True
    2021-11-08 03:00:18,771:DEBUG:certbot._internal.plugins.selection:Selected authenticator <certbot._internal.plugins.webroot.Authenticator object at 0x7f9427313e10>
    and installer None
    2021-11-08 03:00:18,771:INFO:certbot._internal.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2021-11-08 03:00:18,772:WARNING:certbot._internal.renewal:Attempting to renew cert (aghshome.com) from /etc/letsencrypt/renewal/aghshome.com.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6476580782071d4d31e788842978bc53 does not exist. Skipping.
    

    now the folder it's referring to in fact does NOT exist!
    but /etc/letsencrypt/accounts/acme-v02.api.letsencrypt.org DOES exist!!
    v02 not v01!
    can I repoint something? and I'm using certbot not acme this is on an older server?
    how to fix?
    and if fixable how to manually have it redo the needed certs??

    and if not fixable can I delete letsencrypt and start it over? if so how do I get ISPConfig to regenerate ALL certs! what a pain!
    any ideas??
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    It tells you the folder doesn't exist in the last line:
    Code:
    2021-11-08 03:00:18,772:WARNING:certbot._internal.renewal:Attempting to renew cert (aghshome.com) from /etc/letsencrypt/renewal/aghshome.com.conf produced an unexpected error: Account at /etc/letsencrypt/accounts/acme-v01.api.letsencrypt.org/directory/6476580782071d4d31e788842978bc53 does not exist. Skipping.
    So that config refers to an account that doesn't exist (anymore). Simply try disabling and re-enabling Let's Encrypt for the site.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

     
  4. craig baker

    craig baker Member HowtoForge Supporter

    It's ALL sites and all point to the identical folder missing. And disable reenable does nothing.
     
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I don't know if you can change a certificate conf to list the other account, I suspect it may not work that way; I would try disabling LE/SSL for the site, once that is done (job queue clear), delete the old certificate manually from cli (eg. run "certbot certificates" to list certificates, then "certbot delete <certificate name>"), then enable LE/SSL again. If "certbot delete ..." fails because of the missing/old account issue, just delete all the certificate files directly at that step.
     
  6. craig baker

    craig baker Member HowtoForge Supporter

    This all comes down to the fact that a while back I had TWO api entries under /etc/letsencrypt/account. Apparently I removed the WRONG one.
    I put it back and have successfully renewed a couple of certs. But how do I get it to do the mass check-for-renewal? I looked for a cron job but don't find one anywhere!
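
The failure in this thread (renewal configs naming an ACME account directory that is no longer on disk) can be detected before the nightly run. This is an added example, not code from the posters, certbot or ISPConfig; it assumes the `account` and `server` keys found in each renewal `.conf`, and the sample tree and account IDs are constructed.

```sh
# Print the value of "key = value" from a certbot renewal .conf file.
conf_value() {  # usage: conf_value <file> <key>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Compare the account named in each renewal config with what is on disk.
# Prints one line per lineage that needs attention:
#   <lineage> missing            account ID is nowhere under accounts/
#   <lineage> found-under:<dir>  account exists, but under another server dir
# The second case is reported separately because the traceback above shows
# certbot 1.8.0 also trying a previous server path before giving up.
check_renewal_accounts() (  # usage: check_renewal_accounts [le_dir]
    le_dir="${1:-/etc/letsencrypt}"
    for conf in "$le_dir"/renewal/*.conf; do
        [ -f "$conf" ] || continue
        account="$(conf_value "$conf" account)"
        server="$(conf_value "$conf" server)"
        if [ -z "$account" ] || [ -z "$server" ]; then continue; fi
        # Layout seen in the log: accounts/<host>/<url path>/<account id>
        hostpath="${server#*://}"
        expected="$le_dir/accounts/${hostpath%/}/$account"
        if [ -d "$expected" ]; then continue; fi
        other="$(find "$le_dir/accounts" -type d -name "$account" 2>/dev/null | head -n 1)"
        if [ -n "$other" ]; then
            echo "$(basename "$conf" .conf) found-under:$other"
        else
            echo "$(basename "$conf" .conf) missing"
        fi
    done
)

# Constructed sample tree (made-up lineages and account IDs, not real data).
make_sample_tree() (
    root="$(mktemp -d)"
    v1="acme-v01.api.letsencrypt.org/directory"
    v2="acme-v02.api.letsencrypt.org/directory"
    mkdir -p "$root/renewal" "$root/accounts/$v2/aaaa1111" "$root/accounts/$v1/cccc3333"
    fmt='[renewalparams]\naccount = %s\nserver = https://%s\n'
    printf "$fmt" aaaa1111 "$v2" > "$root/renewal/good.example.conf"
    printf "$fmt" bbbb2222 "$v1" > "$root/renewal/broken.example.conf"
    printf "$fmt" cccc3333 "$v2" > "$root/renewal/moved.example.conf"
    echo "$root"
)
```

Run `check_renewal_accounts` with no argument to inspect `/etc/letsencrypt`; an empty result means every renewal config points at an account directory that exists.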
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Run the command:

    Code:
    certbot renew
    and afterward, restart the webserver. ISPConfig runs the command automatically every night and monitors if services need to be restarted.
     
  8. craig baker

    craig baker Member HowtoForge Supporter

    ENLIGHTENMENT -
    after restoring the apiv01 folder,
    /opt/eff.org/certbot/venv/bin/certbot renew
    followed by systemctl restart httpd,postfix,dovecot
    has apparently worked! all seems good.
     
  9. craig baker

    craig baker Member HowtoForge Supporter

    but Till - my mail is still not working on the other server :)

    and I have two servers (ns9,ns10) that I've used migration tool to clone. certbot is going to be running on each of them. but
    1) if I set up ns9 as the primary server (change ips over) - and want ns10 as the backup - won't certbot get messed up? if the website is hosted on one or the other (but website entries exist on both) won't certbot get extra confused?? one of the sites ssls would not get updated.
    say site a is on ns10. running certbot on ns9 the site files are there. but the http requests will surely be challenging ns10? and then a new cert might be issued on ns9, leaving the cert on ns10 to die (where the site is actually living).
    I want to have ISPCONFIG manage both servers, can I set this up without destroying either of them? (either through my error or otherwise?) and does that solve certbot since it would only be run on one server? but update both? or am I smoking something?
    cdb.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, this won't work when certbot runs on both systems as the renewal of certs will fail when certbot is not able to reach the domains.

    Such setups are possible when you create a multiserver mirror system in ISPConfig and use a shared folder (e.g. via nfs) for the /etc/letsencrypt/ folder on both systems. If I understand it correctly, you have two separate systems at the moment and that's not easy to change without reinstalling. When this is for backup purposes only, you can e.g. try to update the second server periodically via rsync.
     
  11. craig baker

    craig baker Member HowtoForge Supporter

    oh one more thing. I just realized that the centos 8 perfect server apache2 etc DOES NOT INSTALL LETSENCRYPT!!! thought I must have missed something but it's really not in the tutorial.
    any reason?
    how do we add it after the fact so to speak?
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is because ISPConfig installs acme.sh automatically if no acme (let's encrypt) client is present since ISPConfig 3.2, which introduced CentOS 8 support. So unless you want to use certbot instead of acme.sh, there is nothing to do.
     
  13. craig baker

    craig baker Member HowtoForge Supporter

    ok but there is no /etc/letsencrypt folder? and no /var/log/letsencrypt? where is everything put?
    I see /root/.acme.sh exists.
    but when I check the letsencrypt/ssl boxes under a domain and save, the boxes remain unchecked.
    and no entry for the domain is under /root/.acme.sh
    and there is no /.acme.sh/acme.sh.log as the account conf refers to?
    and the /usr/local/ispconfig/interface/ssl keys have not changed since april. surely they needed to.
    so... where do I look? what's going on??
    cdb.
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  15. craig baker

    craig baker Member HowtoForge Supporter

    hmm going through. when I run .acme.sh manually I get:
    [root@ns2 .acme.sh]# ./acme.sh --cron --home "/root/.acme.sh"
    [Fri Nov 12 15:29:11 EST 2021] ===Starting cron===
    [Fri Nov 12 15:29:11 EST 2021] Already uptodate!
    [Fri Nov 12 15:29:11 EST 2021] Upgrade success!
    [Fri Nov 12 15:29:11 EST 2021] Auto upgraded to: 3.0.2
    [Fri Nov 12 15:29:11 EST 2021] Renew: 'ns2.odesigngroup.com'
    [Fri Nov 12 15:29:11 EST 2021] Skip invalid cert for: ns2.odesigngroup.com
    [Fri Nov 12 15:29:11 EST 2021] Skipped ns2.odesigngroup.com
    [Fri Nov 12 15:29:11 EST 2021] ===End cron===

    now the server hosts olsheskydesign.com and website is all happy. and I check boxes and save.
    boxes come back unchecked.
    but the above is all I get from acme.sh. no mention of olsheskydesign. log in /root/.acme.sh/acme.sh.log:
    Code:
    [Fri Nov 12 15:29:11 EST 2021] Running cmd: cron
    [Fri Nov 12 15:29:11 EST 2021] Using config home:/root/.acme.sh
    [Fri Nov 12 15:29:11 EST 2021] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] ===Starting cron===
    [Fri Nov 12 15:29:11 EST 2021] Using config home:/root/.acme.sh
    [Fri Nov 12 15:29:11 EST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] Retrying GET
    [Fri Nov 12 15:29:11 EST 2021] GET
    [Fri Nov 12 15:29:11 EST 2021] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
    [Fri Nov 12 15:29:11 EST 2021] timeout=
    [Fri Nov 12 15:29:11 EST 2021] displayError='1'
    [Fri Nov 12 15:29:11 EST 2021] _CURL='curl --silent --dump-header /root/.acme.sh/http.header  -L  -g '
    [Fri Nov 12 15:29:11 EST 2021] ret='0'
    [Fri Nov 12 15:29:11 EST 2021] _hcode='0'
    [Fri Nov 12 15:29:11 EST 2021] Already uptodate!
    [Fri Nov 12 15:29:11 EST 2021] Upgrade success!
    [Fri Nov 12 15:29:11 EST 2021] Using config home:/root/.acme.sh
    [Fri Nov 12 15:29:11 EST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] Auto upgraded to: 3.0.2
    [Fri Nov 12 15:29:11 EST 2021] Using config home:/root/.acme.sh
    [Fri Nov 12 15:29:11 EST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] _stopRenewOnError
    [Fri Nov 12 15:29:11 EST 2021] _set_level='2'
    [Fri Nov 12 15:29:11 EST 2021] di='/root/.acme.sh/ns2.odesigngroup.com/'
    [Fri Nov 12 15:29:11 EST 2021] d='ns2.odesigngroup.com'
    [Fri Nov 12 15:29:11 EST 2021] Using config home:/root/.acme.sh
    [Fri Nov 12 15:29:11 EST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] DOMAIN_PATH='/root/.acme.sh/ns2.odesigngroup.com'
    [Fri Nov 12 15:29:11 EST 2021] Renew: 'ns2.odesigngroup.com'
    [Fri Nov 12 15:29:11 EST 2021] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] Using config home:/root/.acme.sh
    [Fri Nov 12 15:29:11 EST 2021] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Nov 12 15:29:11 EST 2021] Skip invalid cert for: ns2.odesigngroup.com
    [Fri Nov 12 15:29:11 EST 2021] Return code: 2
    [Fri Nov 12 15:29:11 EST 2021] Skipped ns2.odesigngroup.com
    [Fri Nov 12 15:29:11 EST 2021] _error_level='3'
    [Fri Nov 12 15:29:11 EST 2021] _set_level='2'
    [Fri Nov 12 15:29:11 EST 2021] ===End cron===
    
    I'm invoking it with the --cron --home flags matching what's in crontab.

    when I tell ispconfig to turn on ssl for olsheskydesign should it not be creating directories at least?
    what am I missing?
     
    Last edited: Nov 12, 2021
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Please follow the Let's encrypt error FAQ step by step to find out why no Let's encrypt cert can be issued. @Thom posted the link above already.

    That's to be expected for the command you have run. If no cert can be issued in the first place, then there is no cert to be renewed. So back to the FAQ, follow it step by step, leave no steps out. When you are at the bottom of the list, you know why you don't get a LE cert.
     
    Th0m likes this.
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    No, not if the prerequisites for a LE cert are not met.

    Please just follow the FAQ.
     
  18. craig baker

    craig baker Member HowtoForge Supporter

    following the FAQ and have a bit more info. when I do
    /root/.acme-sh --renew-all
    I get an interesting output at the end of script:
    [Fri Nov 19 08:05:26 EST 2021] Renew: 'ns2.odesigngroup.com'
    [Fri Nov 19 08:05:27 EST 2021] Using CA: https://acme-v02.api.letsencrypt.org/directory
    [Fri Nov 19 08:05:27 EST 2021] Single domain='ns2.odesigngroup.com'
    [Fri Nov 19 08:05:27 EST 2021] Getting domain auth token for each domain
    [Fri Nov 19 08:05:29 EST 2021] Getting webroot for domain='ns2.odesigngroup.com'
    [Fri Nov 19 08:05:29 EST 2021] Verifying: ns2.odesigngroup.com
    [Fri Nov 19 08:05:30 EST 2021] Pending, The CA is processing your order, please just wait. (1/30)
    [Fri Nov 19 08:05:32 EST 2021] Success
    [Fri Nov 19 08:05:32 EST 2021] Verify finished, start to sign.
    [Fri Nov 19 08:05:32 EST 2021] Lets finalize the order.
    [Fri Nov 19 08:05:32 EST 2021] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/119793576/40883536390'
    [Fri Nov 19 08:05:33 EST 2021] Downloading cert.
    [Fri Nov 19 08:05:33 EST 2021] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/03c23d14e1597b0f329549079b30fa726537'
    [Fri Nov 19 08:05:34 EST 2021] Cert success.
    [Fri Nov 19 08:05:34 EST 2021] Your cert is in: /root/.acme.sh/ns2.odesigngroup.com/ns2.odesigngroup.com.cer
    [Fri Nov 19 08:05:34 EST 2021] Your cert key is in: /root/.acme.sh/ns2.odesigngroup.com/ns2.odesigngroup.com.key
    [Fri Nov 19 08:05:34 EST 2021] The intermediate CA cert is in: /root/.acme.sh/ns2.odesigngroup.com/ca.cer
    [Fri Nov 19 08:05:34 EST 2021] And the full chain certs is there: /root/.acme.sh/ns2.odesigngroup.com/fullchain.cer
    [Fri Nov 19 08:05:34 EST 2021] Run renew hook:'letsencrypt_renew_hook.sh'
    ./acme.sh: line 3559: letsencrypt_renew_hook.sh: command not found
    [Fri Nov 19 08:05:34 EST 2021] Error when run renew hook.
    [Fri Nov 19 08:05:34 EST 2021] Call hook error.
    [Fri Nov 19 08:05:34 EST 2021] Error renew ns2.odesigngroup.com.

    ah -- where is letsencrypt_renew_hook.sh when I need it?
    a bit more looking in /usr/local/bin I find:
    lrwxrwxrwx 1 root root 64 Apr 18 2021 /usr/local/bin/letsencrypt_renew_hook.sh -> /tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh

    so the script points to a nonexistent file in /tmp?

    well advancing a bit - I delete the bad symlinks and create ones pointing to the ispconfig3 scripts files.
    and now runs but at end of acme.sh output:
    [Fri Nov 19 08:28:48 EST 2021] Run renew hook:'letsencrypt_renew_hook.sh'
    /usr/local/bin/letsencrypt_renew_hook.sh: line 35: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 36: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 37: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 38: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 39: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 40: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 41: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 42: [: -q: binary operator expected
    /usr/local/bin/letsencrypt_renew_hook.sh: line 43: [: -q: binary operator expected

    seems I just can't win!
     
    Last edited: Nov 19, 2021
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Due to your manual renew run, you must restart services manually (apache/nginx, dovecot, postfix and pure ftpd) now too. Then check if the ispconfig login has a valid new SSL cert after the restart.
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    Just checked it here on my systems, the symlinks are fine on my servers:

    root@server1:~# ls -la /usr/local/bin/letsencrypt_renew_hook.sh
    lrwxrwxrwx 1 root root 61 Oct 22 13:15 /usr/local/bin/letsencrypt_renew_hook.sh -> /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh
    root@server1:~#

    Which Linux distribution do you use?
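
The broken hook link from post 18 versus the healthy one shown just above can be told apart mechanically. This is an added example, not ISPConfig code: it flags symlinks that are dangling and, separately, those whose target sits under a temporary directory, since a hook that a root cron job runs should not resolve into a world-writable location even while the target still exists. The sample directory and the `old-tool`, `ok-tool` and `real.sh` names are constructed.

```sh
# Report symlinks in a bin directory that are dangling and/or point into a
# temporary directory. Only the link's direct target is inspected; relative
# targets are not resolved for the tmp check.
audit_links() (  # usage: audit_links [dir]
    dir="${1:-/usr/local/bin}"
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target="$(readlink "$link")"
        flags=""
        # -e follows the link, so it is false when the target is gone.
        [ -e "$link" ] || flags="dangling"
        case "$target" in
            /tmp/*|/var/tmp/*) flags="${flags:+$flags,}tmp-target" ;;
        esac
        if [ -n "$flags" ]; then echo "$flags $link -> $target"; fi
    done
)

# Constructed sample directory: one healthy link, one plain dangling link,
# and one link with the /tmp target quoted in post 18.
make_sample_bin() (
    root="$(mktemp -d)"
    : > "$root/real.sh"
    ln -s real.sh "$root/ok-tool"
    ln -s removed-file "$root/old-tool"
    ln -s /tmp/ispconfig3_install/server/scripts/letsencrypt_renew_hook.sh \
        "$root/letsencrypt_renew_hook.sh"
    echo "$root"
)
```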
     
