Hi! I just upgraded to the latest ISPConfig version and tried the new Letsencrypt feature. It works great with websites, but I get an error when I have a website with an aliasdomain. I think I found a fix for the problem, but I don't know if the fix is really needed, or if I missed something.

The Aliasdomain simply redirects to "https://www.main-domain.tld". It also has a Seo-Redirect from domain -> www.domain.tld enabled. When I enable the LetsEncrypt SSL checkbox in the interface, I get the following error in the log:

    07.03.2017-15:50 - WARNING - nginx did not restart after the configuration change for website main-domain.tld. Reverting the configuration. Saved non-working config as /etc/nginx/sites-available/main-domain.tld.vhost.err
    07.03.2017-15:50 - WARNING - Reason for nginx restart failure: nginx: [emerg] BIO_new_file("/var/www/clients/client6/web6/ssl/main-domain.tld.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/www/clients/client6/web6/ssl/main-domain.tld.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed

So the vHost has an entry which links to an SSL-Cert which doesn't exist. In the vHost file, I have the following block at the end (for the alias domain):

    server {
        listen *:80;
        listen *:443 ssl;
        ssl_certificate /var/www/clients/client6/web6/ssl/main-domain.tld.crt;
        ssl_certificate_key /var/www/clients/client6/web6/ssl/main-domain.tld.key;

        server_name www.aliasdomain.tld;

        location ~ /\.well-known/acme-challenge/ {
            root /usr/local/ispconfig/interface/acme/;
            index index.html index.htm;
            try_files $uri =404;
        }

        rewrite ^ https://www.main-domain.tld$request_uri? redirect;
    }

So there we see the entry to the invalid SSL File.

The correct SSL-File is named: main-domain-le.tld.crt

When I edit the /usr/local/ispconfig/server/conf/nginx_vhost.conf.master file and add the "le" to the relevant block, the generation of the LetsEncrypt SSL-Cert works as expected:

    </tmpl_if>
    ssl_certificate <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>-le.crt;
    ssl_certificate_key <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>-le.key;
    </tmpl_if>

So my question is: Is this a bug in ISPConfig, and the template needs to be corrected, or did I miss something here?
I guess you use a custom nginx vhost template which you did not adjust to the new version yet. Neither the document_root nor the ssl_domain variable is used in the ssl path anymore. The template that ships with ispconfig has these ssl lines:

    ssl_certificate <tmpl_var name='ssl_crt_file'>;
    ssl_certificate_key <tmpl_var name='ssl_key_file'>;

which point to the correct cert path automatically.
Hmm - that's weird. I don't use a custom template, and I updated multiple servers which all have the same (apparently wrong) vhost file. What would be the best way to verify if other files have been kept back? Or how can I even tell ISPConfig to keep a custom file, instead of installing the new one?
The ispconfig updater overwrites all files, except for files that shall be preserved by using the conf-custom folder. Take a look at /usr/local/ispconfig/server/conf-custom/, this folder is there to keep custom versions of config file templates. You can find the current nginx vhost conf template here: https://git.ispconfig.org/ispconfig/ispconfig3/blob/stable-3.1/server/conf/nginx_vhost.conf.master
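One way to check which templates are being held back by conf-custom, as an added example that is not part of the thread and not ISPConfig code: it compares each top-level file in conf-custom with the shipped template of the same name and flags templates that still build the certificate path from ssl_domain. The function names, the report labels and the sample tree are assumptions constructed for this example; the default paths are the ones named in the posts above.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Default paths are the ones named in the
# thread; function names and the report format are assumptions.

# Compare every top-level file in conf-custom with the shipped template of
# the same name. Returns 1 if any override differs from the shipped file.
check_overrides() {
    conf_dir=${1:-/usr/local/ispconfig/server/conf}
    custom_dir=${2:-/usr/local/ispconfig/server/conf-custom}
    rc=0
    for override in "$custom_dir"/*; do
        [ -f "$override" ] || continue   # skips subfolders and an empty glob
        name=${override##*/}
        if [ ! -f "$conf_dir/$name" ]; then
            echo "ORPHAN    $name"       # override with no shipped counterpart
        elif cmp -s "$override" "$conf_dir/$name"; then
            echo "IDENTICAL $name"
        else
            echo "DIFFERS   $name"       # this file wins over the shipped one
            rc=1
        fi
    done
    return $rc
}

# True if a template still builds the certificate path from ssl_domain,
# the older style that the reply above says is no longer used.
uses_old_ssl_path() {
    grep -Eq "ssl_certificate(_key)?[[:space:]].*name='ssl_domain'" "$1"
}

# Constructed sample tree so the check can be tried without an ISPConfig host.
make_sample() {
    d=$(mktemp -d) || return 1
    mkdir "$d/conf" "$d/conf-custom"
    printf '%s\n' "ssl_certificate <tmpl_var name='ssl_crt_file'>;" \
        "ssl_certificate_key <tmpl_var name='ssl_key_file'>;" \
        > "$d/conf/nginx_vhost.conf.master"
    printf '%s\n' \
        "ssl_certificate <tmpl_var name='document_root'>/ssl/<tmpl_var name='ssl_domain'>.crt;" \
        > "$d/conf-custom/nginx_vhost.conf.master"
    echo "$d"
}

sample=$(make_sample)
check_overrides "$sample/conf" "$sample/conf-custom" || true
rm -rf "$sample"
```

On a real server, calling check_overrides with no arguments uses the two default directories; any DIFFERS line names a template worth diffing against the shipped version after an update.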
Hi Till! I just checked, and I actually already used the correct version of the nginx_vhost.conf.master. But please take a look at lines 300 - 303 - these are the lines that I had to change for the alias domain + redirect + letsencrypt-ssl to work.