Hello, I have checked my two installations of ISPConfig and the problem is the same: LE certs are not renewing automatically. I can renew them by unchecking the "SSL" and "Let's Encrypt SSL" checkboxes in the web page settings and then checking them again, so the script itself is working. What should I check? FYI: I had run /opt/certbot/certbot-auto manually in the past to get the newest version of the script, pressing cancel at the end when it asks "Select the appropriate numbers separated by commas and/or spaces, or leave input blank to select all options shown (Enter 'c' to cancel)", so no config was modified. I hope this is not a problem?
Saving debug log to /var/log/letsencrypt/letsencrypt.log
-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/xxx.yyyy.cz.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
It says "not yet due for renewal" also for sites with certs already expired???
Are you using the latest ISPConfig version? There were some bugs in earlier versions. Please update to the latest version and run
Code:
service apache2 force-reload
If that does not help, please re-sync the websites (Tools -> Resync).
Hello, yes, I'm on the latest version. Resync helped! Does it mean that everything will work automatically now? What changed? The path for the certs? (The formerly expired page now has a cert from 17.6...., and a diff of the old and new Apache config shows nothing.) I'm going to try a resync on the multiserver setup (hundreds of pages) in the next days and will report then.
Yes, it should. Yes. The paths might change due to unexpected behaviour of certbot (appending -002 etc. to domain path).
That is what was happening IMHO: new certs were created, but those in the /web/ssl directory still linked to the old ones.
Two more questions please:
- Do you recommend using /opt/certbot/certbot-auto to update the LE scripts regularly, or staying on some specific version?
- Is there more exact info on how LE in ISPC works? I want to offer the feature to my clients, but I need to be in control of the feature. There are already disappointed clients whose SSL was not renewed.
I am not sure whether regular updates might harm. Depends on what certbot changes. I don't know what you mean by more exact info. ISPC uses certbot script to request certs and then (in newest version) searches for the correct cert to include in vhost. A daily cron then calls the renew command of certbot.
It may not be a bad idea to include certbot directly in ISPConfig, to be sure there is a specific and non-problematic version of the certbot script included in a specific version of ISPConfig. I think the way it works now is breaking the rock-stability of ISPConfig a bit.
---
I meant which scripts are doing what; I'm a bit lazy to search in the code .] Thank you for the help.
That's not a good idea. ISPC won't be updated that often to always include the latest certbot. Also, certbot has a LOT of dependencies installed depending on the system OS. Sorry, that's up to you if you really need such information.
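The condition discussed in this thread (certbot creating a new lineage directory with a numeric suffix while the site's ssl directory still links to the old one) can be checked with a short script. This is an added example, not part of any post above and not ISPConfig's own code; the function names, the `<live>/<domain>[-digits]` layout and the use of cert.pem modification times to pick the newest lineage are assumptions.

```shell
#!/bin/sh
# Added example: detect a vhost cert symlink left on an old certbot lineage.
# Assumption: lineages are <live>/<domain> and <live>/<domain>-<digits>.

# Print the lineage directory whose cert.pem was written most recently.
newest_lineage() {
    live=$1 domain=$2 newest=
    for d in "$live/$domain" "$live/$domain"-[0-9]*; do
        [ -e "$d/cert.pem" ] || continue
        suffix=${d#"$live/$domain"}
        # Skip directories of other domains that merely share the prefix.
        case ${suffix#-} in *[!0-9]*) continue ;; esac
        if [ -z "$newest" ] || [ "$d/cert.pem" -nt "$newest/cert.pem" ]; then
            newest=$d
        fi
    done
    if [ -n "$newest" ]; then printf '%s\n' "$newest"; fi
}

# Report whether the vhost's cert symlink points into the newest lineage.
# Prints: ok | stale: <current> (newest: <dir>) | missing | no-lineage
check_vhost_link() {
    live=$1 domain=$2 link=$3
    if [ ! -L "$link" ]; then echo "missing"; return 0; fi
    target=$(readlink "$link")
    # Make a relative link target absolute with respect to the link's directory.
    case $target in /*) ;; *) target=$(dirname "$link")/$target ;; esac
    current=$(dirname "$target")
    newest=$(newest_lineage "$live" "$domain")
    if [ -z "$newest" ]; then
        echo "no-lineage"
    elif [ "$current" = "$newest" ]; then
        echo "ok"
    else
        echo "stale: $current (newest: $newest)"
    fi
}

# Usage: sh check_lineage.sh <live-dir> <domain> <path-to-vhost-cert-symlink>
if [ "$#" -eq 3 ]; then check_vhost_link "$@"; fi
```

A "stale" result means the site still serves the older lineage although a newer one exists. The modification-time comparison is a heuristic, so confirm the real expiry date with `openssl x509 -noout -enddate -in <file>`.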