Letsencrypt - certbot-auto replaced by ispconfig 3.2 - how to verify good working?

Discussion in 'Installation/Configuration' started by FabioIamp, Jun 2, 2021.

  1. FabioIamp

    FabioIamp New Member

    Hello,
    On my server I have Debian 10, ispconfig 3.2, apache 2.4 with nearly 20 virtual hosts, letsencrypt, acme.
    I used certbot and certbot-auto for Letsencrypt certificates renewal and for setting up the SSL. Now I disabled certbot-auto by deleting the command in crontab (it was deprecated by the Letsencrypt team a few months ago, even if it still works under particular conditions). Then I enabled the Letsencrypt in ISPconfig on one of my domains (I don't know if it is important but I still have the folder "certbot" under /etc/letsencrypt). I noticed that a folder with the site name was created in the folder "acme". The problem is that I'm not so sure it is working correctly. How can I test whether it will be renewed or not? Is there any way, maybe by forcing the renewal?
    Thanks for your support

     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Certbot-auto has not been replaced by ISPConfig as you state in the title. You removed certbot-auto and ISPConfig had to download an alternative LE client as you created new LE certs without having a LE client installed. Switching from certbot to acme.sh is not easy as all old certs will fail and you even have to remove the whole /etc/letsencrypt folder before you start using acme.sh, which means you must disable SSL and Let's Encrypt on all sites first plus manually clean all SSL directories. Therefore we do not recommend deleting certbot-auto as you did on a setup where LE certs have already been issued by certbot. All old certs will fail to renew now due to missing certbot. Certbot and acme.sh are not compatible with each other, so you cannot simply switch between them without removing the other client and all its issued certs first.

    To fix your setup, the best way would be to disable SSL and letsencrypt on the one website where you used acme.sh, then delete acme.sh completely. Finally install certbot again as shown on the certbot web page. If you have a symlink /usr/bin/letsencrypt that points to certbot, then delete that symlink.
     
  3. FabioIamp

    FabioIamp New Member

    Thanks for your answer. You are very helpful. If I understood well I have to remove every trace of acme. Then I should install certbot but I have a doubt: a certbot folder is under /etc/letsencrypt; maybe it is already installed? I don't have the symlink in /usr/sbin. What about the deprecated certbot-auto? How will it be possible to get automatic renewal of certificates without certbot-auto? And, finally, how to test the renewal procedure is working?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Certbot renews automatically, certbot-auto does not mean other certbots do not renew.
    Read letsencrypt.log to see what certificates are checked and are they due for renewal.
     
  5. FabioIamp

    FabioIamp New Member

    Thanks for your answer. Then certbot-auto can be removed without consequences. I didn't understand if I have to install certbot considering that a folder certbot already exists under the folder letsencrypt. My sites' certificates will expire in two months but I'd like to test the renewal procedure, maybe by forcing it. How do I test it? However I still don't understand how these certificates will be renewed automatically.
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Certbot-auto is a script that downloads and installs certbot. You can install certbot using other means. But some certbot must be installed if it is to be used. https://github.com/certbot/certbot/blob/master/certbot-auto
    https://stackoverflow.com/questions...-to-manually-test-the-certbot-renewal-process
    What is your actual concern? If you want to see exactly how it happens, you have to read the certbot code. That is available for your perusal. If you worry how to set up the renewal, at least I did nothing extra, certbot just renews the certificate when it has less than 30 days left. If the renewal fails for some reason, you get an e-mail to the address you gave when creating the Let's Encrypt account.
     
    ahrasis likes this.
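
One way to see which certbot-issued certificates are inside the 30-day renewal window mentioned in the reply above. This is an added example, not part of any forum post; it assumes certbot's standard `/etc/letsencrypt/live/<name>/cert.pem` layout, GNU `date` and the `openssl` CLI, and the function and variable names are illustrative.

```shell
#!/bin/sh
# Added example: report how close each certbot certificate is to expiry.
# Assumptions: GNU date, openssl CLI, certbot's live/<name>/cert.pem layout.

RENEW_WINDOW_DAYS=30   # threshold stated in the thread

# renewal_status "<notAfter string>" [now_epoch]
# Prints "<state> <days>" where state is expired, due or ok.
renewal_status() {
    rs_now=${2:-$(date -u +%s)}
    # openssl prints e.g. "Aug 31 12:00:00 2021 GMT"; GNU date parses it.
    rs_end=$(date -u -d "$1" +%s) || return 2
    rs_days=$(( (rs_end - rs_now) / 86400 ))
    if [ "$rs_end" -le "$rs_now" ]; then
        echo "expired $rs_days"
    elif [ "$rs_days" -lt "$RENEW_WINDOW_DAYS" ]; then
        echo "due $rs_days"      # certbot should renew on its next run
    else
        echo "ok $rs_days"       # not yet inside the renewal window
    fi
}

# scan_live [live_dir]: one line per certificate name under live_dir.
scan_live() {
    sl_dir=${1:-/etc/letsencrypt/live}
    for sl_cert in "$sl_dir"/*/cert.pem; do
        # Skip the unexpanded glob when nothing matches or is readable.
        [ -e "$sl_cert" ] || continue
        sl_end=$(openssl x509 -in "$sl_cert" -noout -enddate) || continue
        sl_name=$(basename "$(dirname "$sl_cert")")
        # Strip the "notAfter=" prefix that openssl adds.
        printf '%s %s\n' "$sl_name" "$(renewal_status "${sl_end#notAfter=}")"
    done
}

# LE_LIVE_DIR is a hypothetical override for testing on a copy.
scan_live "${LE_LIVE_DIR:-/etc/letsencrypt/live}"
```

A certificate that stays in the `due` state across several scheduled runs, or reaches `expired`, means renewal is failing and the letsencrypt log is the place to look. To exercise the renewal path itself without replacing any certificate, certbot provides `certbot renew --dry-run`.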
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    A couple other pieces to the renewal are that ispconfig runs a cronjob to renew the certificates and restart apache (and depending how you installed certbot, you may have another cron job running to renew, which does not restart apache), and if you need to see why a renewal failed, you can check the letsencrypt log.
     
    ahrasis likes this.
  8. FabioIamp

    FabioIamp New Member

    Thanks for everything. Now it is clear.
     