Hi! I'm running ISPConfig 3.1 (latest). Today I received an email from LetsEncrypt telling that one of my certificates was not renewed and it will going to expire in 20 days. I dig a little and found that I did not have certbot installed (don't know why because always worked. I installed certbot-auto for Debian Jessie and changed the /init from Code: 0 */12 * * * root test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot -q renew to Code: 0 */12 * * * root test -x /usr/local/bin/certbot-auto -a \! -d /run/systemd/system && perl -e 'sleep int(rand(3600))' && certbot-auto -q renew Then, I run: Code: certbot-auto -q renew to renew the certificate right way. I got errors because the certificate I want to renew is tied to 2 domains (domain A1 and domain A2) and one of those domains was not renewed (A2). As soon as I figured this, I went to ISPConfig Admin Panel and remove DNS entries and Aliasdomain for that domain - A2 (this is why they were related). They I tick again the Letsencrypt option in the Web domain A1 but this option is not maintained (image). Then, I run Code: certbot-auto -q renew getting the following errors: A1 and A2 are the domain names. So, I still see that certbot is renewing certificate from both domains. Attached is the log file from letsencrypt. I'm a bit lost here. I do not know how to fix this and be able to issue certificates again inside ISPConfig. Any hints would be much appreciated. Thanks.
The renew is run by ISPConfig, don't add a separate cronjob for certbot renewals. Besides that, current certbot versions have a bug, they fail to write the domains correctly to the renewal config file. We implemented a workaround for this in ispconfig. Update ispconfig to git-stable version with the ispconfig_update.sh command. Then log in to ispconfig, go to the website, untick the lets encrypt checkbox, press save, then go back to the site and enable the let's encrypt checkbox again.
Thanks till. I followed your steps and the ssl for letsencrypt is now enabled for that website (and keeps enabled). I will update this thread today with the results after the cronjob for certbot (from ISPConfig) runs and renews the certificate.
Updated info! I just checked and it seems that the certificate was renewed. However, it kind of create a new certificate and keep the other unrenewed for the domain. Here is the logfile after running certbot-auto certificates: Code: 2019-04-25 13:23:46,965:DEBUG:certbot.main:certbot version: 0.33.1 2019-04-25 13:23:46,965:DEBUG:certbot.main:Arguments: [] 2019-04-25 13:23:46,965:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#apache,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot) 2019-04-25 13:23:46,992:DEBUG:certbot.log:Root logging level set at 20 2019-04-25 13:23:46,993:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log 2019-04-25 13:23:47,004:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80 2019-04-25 13:23:47,074:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527 2019-04-25 13:23:47,077:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/abaco44.es-0001/cert.pem is: OCSPCertStatus.GOOD 2019-04-25 13:23:47,079:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): ocsp.int-x3.letsencrypt.org:80 2019-04-25 13:23:47,320:DEBUG:urllib3.connectionpool:http://ocsp.int-x3.letsencrypt.org:80 "POST / HTTP/1.1" 200 527 2019-04-25 13:23:47,321:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/live/abaco44.es/cert.pem is: OCSPCertStatus.GOOD As you can see, abaco44.es-0001 was created and the certificate was issued correctly BUT the previous entry for that domain abaco44.es was not renewed. Here is the output of certbot-auto certificates: Code: Found the following certs: Certificate Name: abaco44.es-0001 Domains: abaco44.es abaco44.com www.abaco44.com www.abaco44.es Expiry Date: 2019-07-23 16:02:31+00:00 (VALID: 89 days) Certificate Path: /etc/letsencrypt/live/abaco44.es-0001/fullchain.pem Private Key Path: /etc/letsencrypt/live/abaco44.es-0001/privkey.pem Certificate Name: abaco44.es Domains: abaco44.es abaco44.com aurt.es www.abaco44.com www.abaco44.es www.aurt.es Expiry Date: 2019-05-14 00:59:04+00:00 (VALID: 18 days) <- NOT RENEWED Certificate Path: /etc/letsencrypt/live/abaco44.es/fullchain.pem Private Key Path: /etc/letsencrypt/live/abaco44.es/privkey.pem Is this going to cause any problem? Can it be fixed?
