Hi, I'm currently activating Let's Encrypt for various already configured websites. This process does not run totally smoothly with my installation, so I've got one or maybe several questions. First of all: I activated Let's Encrypt for my website domain1.de. This worked fine, I can access the site via HTTPS. In the browser I see that the cert was issued today and is valid until February 3rd. But having a look in /etc/letsencrypt/archive/domain1.de I do not see any key/cert/chain. Where are these files saved to? I would like to use the cert elsewhere too (actually for accessing ISPConfig itself, Postfix, Dovecot...). Thanks!
I should have figured that out myself: Look in /etc/apache2/sites-enabled/100-domain1.de.vhost for the SSL configuration (SSLCertificateFile). There you find a path like /var/www/clients/client1/web1/ssl/domain1.de-le.crt. This is a file/symlink to something like /etc/letsencrypt/live/domain2.de/fullchain.pem. Et voilà, that's the file and directory you are looking for. I wasn't aware that Let's Encrypt supports and ISPConfig uses SAN certificates. Therefore I just had a look in the domain1.de directory. Sorry to have bothered you!
Well, but now, I hope, a serious question: As I wrote here I had to update some machines (Debian 8 to 9, ISPConfig 3.0.x to 3.1.7p1). I did that now and the process went smoothly in general. But some little issues arise here due to the fact that I had manually added Let's Encrypt support in ISPConfig 3.0 following this procedure: https://github.com/alexalouit/ISPConfig-letsencrypt. I now have the official Debian "certbot" package installed, as described in the "perfect server" tutorial for Debian 9. Nevertheless, under /root/.local/share/letsencrypt and /root/letsencrypt there are the remains of the old certbot installation. What is more, in /var/spool/cron/crontabs/root there is the following:

Code:
30 02 * * * /root/.local/share/letsencrypt/bin/letsencrypt-renewer >> /var/log/ispconfig/cron.log; done

But /root/.local/share/letsencrypt/ wouldn't be there if it weren't for the old install, would it?! In /etc/cron.d/certbot there is:

Code:
0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew

This seems correct as it comes from the Debian package. What is more, there is /etc/apache2/conf-enabled/letsencrypt.conf with:

Code:
<IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
        Header set Content-Type "text/plain"
    </LocationMatch>
</IfModule>

Some websites do work with the Let's Encrypt certificate, but I tried to issue another one for another website domain5.de and this one fails. The log output (as described in "Debugging of ISPConfig 3 server actions in case of a failure"):

Code:
root@vs01:~# /usr/local/ispconfig/server/server.sh
06.11.2017-08:43 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
06.11.2017-08:43 - DEBUG - Found 1 changes, starting update process.
06.11.2017-08:43 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.11.2017-08:43 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
06.11.2017-08:44 - WARNING - Could not verify domain domain5.de, so excluding it from letsencrypt request.
06.11.2017-08:45 - WARNING - Could not verify domain www.domain5.de, so excluding it from letsencrypt request.
06.11.2017-08:46 - WARNING - Could not verify domain domain6.de, so excluding it from letsencrypt request.
06.11.2017-08:47 - WARNING - Could not verify domain www.domain6.de, so excluding it from letsencrypt request.
06.11.2017-08:48 - WARNING - Could not verify domain domain7.de, so excluding it from letsencrypt request.
06.11.2017-08:49 - WARNING - Could not verify domain www.domain7.de, so excluding it from letsencrypt request.
06.11.2017-08:49 - WARNING - Let's Encrypt SSL Cert for: domain5.de could not be issued.
06.11.2017-08:49 - WARNING -
06.11.2017-08:49 - DEBUG - Add server alias: domain6.de
06.11.2017-08:49 - DEBUG - Add server alias: domain7.de
06.11.2017-08:49 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web9/.php-fcgi-starter
06.11.2017-08:49 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domain5.de.vhost
06.11.2017-08:49 - DEBUG - Apache status is: running
06.11.2017-08:49 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
06.11.2017-08:49 - DEBUG - Restarting httpd: systemctl restart apache2.service
06.11.2017-08:49 - DEBUG - Apache restart return value is: 0
06.11.2017-08:49 - DEBUG - Apache online status after restart is: running
06.11.2017-08:49 - DEBUG - Processed datalog_id 623
06.11.2017-08:49 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock finished.

Thanks in advance for your help!
Both cronjobs are not from ISPConfig and can be removed. ISPConfig takes care of renewing the certs itself. The log output means that some domains are unreachable from the server: ISPConfig adds a test token in the same way LE does it and tries to connect to it by HTTP; when this fails, the domain is excluded from the SSL cert. Check the DNS settings of the domains. When your server is behind a router so that the domains cannot be reached from the server itself, then disable the LE check under System > server config > web.
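The pre-check described in the reply above, as an added example that is not ISPConfig's own code: it drops a random token into <webroot>/.well-known/acme-challenge/, fetches it over plain HTTP through the domain name (the same path an ACME HTTP-01 validator would take), and reports each domain as usable or excluded, so you can see exactly which names resolve and which vhost actually answers before ISPConfig issues the request. The function names, the temporary webroot and the "localhost" domain used by demo_local() are assumptions for the demonstration; on a real server you would call verify_domains() with the site's document root and its domains on port 80.

```python
"""Added example (not ISPConfig's code): reproduce the HTTP reachability pre-check
that ISPConfig runs before adding a domain to a Let's Encrypt request."""
import functools
import http.server
import secrets
import socket
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path
from typing import Dict, List, Optional, Tuple

CHALLENGE_DIR = ".well-known/acme-challenge"


def place_token(webroot: str) -> Tuple[str, str]:
    """Write a fresh random token file into the challenge directory; return (name, content)."""
    d = Path(webroot) / CHALLENGE_DIR
    d.mkdir(parents=True, exist_ok=True)
    name, content = secrets.token_hex(16), secrets.token_hex(32)
    (d / name).write_text(content)
    return name, content


def fetch(url: str, timeout: float = 5.0) -> Optional[str]:
    """GET url; None on DNS, connect or HTTP errors (a 404 from the wrong vhost counts as failure)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read().decode("ascii", "replace")
    except (urllib.error.URLError, OSError, ValueError):
        return None


def check_domain(domain: str, webroot: str, port: int = 80) -> Dict[str, object]:
    """Resolve the name, then prove the vhost serving webroot answers for it over HTTP."""
    result: Dict[str, object] = {"domain": domain, "resolved": None,
                                 "reachable": False, "content_match": False}
    try:
        result["resolved"] = socket.gethostbyname(domain)
    except socket.gaierror:
        return result  # no A record: the CA could not validate it either
    name, content = place_token(webroot)
    try:
        body = fetch(f"http://{domain}:{port}/{CHALLENGE_DIR}/{name}")
        result["reachable"] = body is not None
        # Compare content, not just status: a different host answering for the name fails here.
        result["content_match"] = body is not None and body.strip() == content
    finally:
        (Path(webroot) / CHALLENGE_DIR / name).unlink()  # leave nothing behind in the webroot
    return result


def verify_domains(domains: List[str], webroot: str, port: int = 80):
    """Split domains into those that passed and the result records of those to exclude."""
    ok, excluded = [], []
    for domain in domains:
        r = check_domain(domain, webroot, port)
        if r["content_match"]:
            ok.append(domain)
        else:
            excluded.append(r)
    return ok, excluded


class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep demo output clean
        pass


def serve_webroot(webroot: str):
    """Serve webroot on an ephemeral 127.0.0.1 port in a background thread (demo only)."""
    handler = functools.partial(_QuietHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo_local() -> Dict[str, object]:
    """Constructed scenario: check 'localhost' while a site is up, then again after it is gone."""
    webroot = tempfile.mkdtemp(prefix="acme-check-")  # constructed throwaway webroot
    srv, port = serve_webroot(webroot)
    try:
        ok, excluded = verify_domains(["localhost"], webroot, port)
    finally:
        srv.shutdown()
        srv.server_close()
    # Nothing listening any more: this is the situation behind the "Could not verify" warnings.
    gone = check_domain("localhost", webroot, port)
    leftovers = [p.name for p in (Path(webroot) / CHALLENGE_DIR).iterdir()]
    return {"ok": ok, "excluded": [r["domain"] for r in excluded],
            "gone_reachable": gone["reachable"], "leftovers": leftovers}


if __name__ == "__main__":
    print(demo_local())
```

The "resolved" field in each record is the part worth reading when a domain is excluded: if it shows a public address that is not the server's own, the name is simply pointing elsewhere (or has not propagated yet); if the address is right but the fetch fails, the server cannot reach its own public address, which is the behind-a-router case the reply above refers to.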
Ok, then I will delete both cron entries. As one of them gets installed automatically by the Debian package, maybe the "perfect server" tutorial should/could be edited to reflect the deactivation? What about the file /etc/apache2/conf-enabled/letsencrypt.conf? Is this needed, or maybe a problem? Besides, I'm going to wait somewhat longer - maybe there is a problem with DNS distribution (as the entries are the same for the non-working domains as for the working ones). By tomorrow at the latest all the changes should have propagated to every server.
Sorry to bother you again: is my statement in the previous post correct? And what about /etc/apache2/conf-enabled/letsencrypt.conf? The issuing problems were probably related to some DNS problem. After waiting some more, it worked like a charm. Thanks!
I'll take a look at the perfect server guide. But it's not an issue when the cronjob exists; it's just a duplicate of what ISPConfig does. That should be fine.