I have an old Let's Encrypt cert, but it does not renew. https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ led me to this:
Code:
20.06.2021-10:07 - WARNING - Let's Encrypt SSL Cert for: www.max-eckstein.de could not be issued.
20.06.2021-10:07 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d www.max-eckstein.de -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d www.max-eckstein.de --key-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.key' --fullchain-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi

The SSL and Let's Encrypt checkboxes are not set; if I set them, they reset after apply. I have no entries in the log files the article above points to. What to do? Thanks for any help or hint, Rainer
At the top of this forum there is a thread "Read before posting", which covers this problem. Please read that thread and the FAQs in it before opening a new thread. https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
That is exactly what I did, see line 2 in my post. After following all points in that FAQ I came to the last point, which led me to the posted warning. The system is Debian 10 with the latest patches, and I have ISPConfig 3.2.5. It must have worked, as there is a Let's Encrypt cert, outdated 21.3.2021, but now the SSL and Let's Encrypt checkboxes are empty; if I set them, they are empty again after update. Sorry, what did I do wrong? Rainer
You did not read that carefully as the last step is to enable debugging mode and run the server.sh script.
So again. I set the log level to debug. I edit the crontab as root and disable the first line:
Code:
#* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
* * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

I edit the website and check SSL and Let's Encrypt, run /usr/local/ispconfig/server/server.sh, and get the following besides some other DEBUG messages:
Code:
20.06.2021-13:39 - DEBUG - Create Let's Encrypt SSL Cert for: www.max-eckstein.de
20.06.2021-13:39 - DEBUG - Let's Encrypt SSL Cert domains:
20.06.2021-13:39 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d www.max-eckstein.de -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d www.max-eckstein.de --key-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.key' --fullchain-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi
[Sun 20 Jun 2021 01:39:20 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 20 Jun 2021 01:39:20 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
20.06.2021-13:39 - WARNING - Let's Encrypt SSL Cert for: www.max-eckstein.de could not be issued.
20.06.2021-13:39 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d www.max-eckstein.de -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert -d www.max-eckstein.de --key-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.key' --fullchain-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi
20.06.2021-13:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
20.06.2021-13:39 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/www.max-eckstein.de.vhost

Thanks for support on Sunday, Rainer
I do not use acme as Let's Encrypt client, have certbot instead so not sure how to interpret the log. But have you named the website www.max-ekstein.de and enabled the auto-subdomain www? Does the website have other alias- or subdomains that do not resolve from name service?
The website is named www.macx-ecksteine.de, the auto subdomain is disabled. It worked for a long time. I do not remember when I upgraded to Debian 10, but it was this year. Following Tims tutorial https://www.howtoforge.com/perfect-...-dovecot-ispconfig-3-1/#-install-lets-encrypt and some other information, acme.sh is the new preferred one. certbot is not installed. You're right, certbot seems to work. It is used on two other Debian 10 ISPConfig-controlled servers, where the certs are renewed regularly. I have the same problem with another Debian 10 ISPConfig-controlled server running acme.sh, and just these days I got a warning for another similar server running acme.sh that the certificate will expire, which is not normal if the renewal works fine. Perhaps someone from the development team can clear this up.
If you used certbot and then changed to acme.sh in your process of upgrading, then you could have a problem due to that. I think one way to recover is to uninstall acme.sh and all of its folders totally, reinstall certbot, run ISPConfig update again.
Do not switch from certbot to acme.sh or from acme.sh to certbot on an existing server as you will lose all existing certs, they won't renew anymore. Stay with the LE client that you initially installed the server with. acme.sh works way better and more stable than certbot, that's why all new setups should use it. But you should not install acme.sh on a server that uses certbot already. So it comes down to the question if you initially installed this server with certbot or acme.sh. If this server was set up with certbot and you accidentally installed acme.sh later, then acme.sh must be removed. You will get trouble of course if you created any sites after you installed acme.sh that use LE certs, as they will get broken.
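To check whether a server has ended up with state from both clients, as the post above warns against, here is an added example that is not part of the thread. It assumes acme.sh keeps one `<domain>.conf` per domain directory under its home and certbot keeps one file per certificate under `renewal/`; the function names and sample domains are constructed. Called without arguments, `le_client_state` inspects /root/.acme.sh and /etc/letsencrypt, the locations that appear in this thread.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): which Let's Encrypt client holds cert state?

# Count domains managed by acme.sh: <home>/<domain>[_ecc]/<domain>.conf
acme_domains() {
    local d name n=0
    for d in "$1"/*/; do
        d="${d%/}"; name="${d##*/}"; name="${name%_ecc}"
        if [ -f "$d/$name.conf" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Count certbot lineages: one <dir>/renewal/<name>.conf per certificate
certbot_lineages() {
    local f n=0
    for f in "$1"/renewal/*.conf; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# Print acme.sh | certbot | mixed | none for the given state directories
le_client_state() {
    local a c
    a=$(acme_domains "${1:-/root/.acme.sh}")
    c=$(certbot_lineages "${2:-/etc/letsencrypt}")
    if [ "$a" -gt 0 ] && [ "$c" -gt 0 ]; then echo mixed
    elif [ "$a" -gt 0 ]; then echo acme.sh
    elif [ "$c" -gt 0 ]; then echo certbot
    else echo none
    fi
}

# Constructed layout: one acme.sh domain and one certbot lineage side by side
demo=$(mktemp -d)
mkdir -p "$demo/acme/www.example.test" "$demo/le/renewal"
: > "$demo/acme/www.example.test/www.example.test.conf"
: > "$demo/le/renewal/mail.example.test.conf"

le_client_state "$demo/acme" "$demo/le"     # the state the thread warns about
```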
I upgraded the problem servers from Debian 9 to 10, and while doing this I might have switched from certbot to acme.sh. So I will try to uninstall acme.sh (is there a recommended way?) and reinstall certbot. Then getting new certs should be no problem.
Before proceeding, I would suggest disabling LE SSL for all websites. Then, to remove acme.sh (according to Neilpang himself):
Code:
acme.sh --uninstall
rm -r ~/.acme.sh

As for the installation of certbot, it should be covered in latest ubuntu or older debian tutorials. Run ISPConfig update accordingly and thereafter re-enable LE SSL for all websites.
You can install it via snap as described on the certbot website. But just install it as described there, do not issue certs manually on the shell with certbot command.
First, thanks for all the help. It worked fine for a slave server, but the master server asks for a passphrase on port 8080.
So I made a snapshot, as it is a VM.
Then I restored /etc/apache2, /etc/ssl and /etc/letsencrypt from /var/backup.
Starting apache: same problem.
Then I did an update of ISPConfig again, recreating the ISPConfig cert.
Starting apache: same problem again, it asks for a passphrase and will not start apache.
Keep in mind it is the master server of a production running system; the other servers are working fine, but the system is unmanageable without starting the ISPConfig portal.
Thanks for further help, Rainer
This thread is about How come you now write about In what situation does something ask for passphrase? I am completely confused what this is about.
I followed your last post on the affected slave server, the mail server not renewing the Webmailer cert. It worked fine following your recommended steps. The web servers are still on certbot, so they are renewing fine. The master server had been changed to acme.sh too and was not renewing, so I did the same as on the mail server. After the ISPConfig update it tries to restart apache, then it asks:
Enter passphrase for SSL/TLS keys for admin.domain.tld:8080 (RSA):
Restarting apache manually gives the same. Rainer
I suspect a cert was generated during the update, and when asked for a passphrase, you entered something instead of leaving it empty. Run the update again, regenerate a cert, don't set a passphrase.
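Apache prompts like this when a key file it loads is passphrase-protected, so the suspicion in the post above can be checked directly from the key headers. The following is an added example, not part of the thread: it lists each SSLCertificateKeyFile found in the vhost files passed to it and reports whether the key is encrypted. The function names and the header-only sample files are constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): find passphrase-protected keys behind Apache vhosts.

# Classify a PEM private key by its headers: encrypted | plain | unknown
key_state() {
    [ -r "$1" ] || { echo unknown; return 0; }
    if grep -q -e '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"; then
        echo encrypted                      # PKCS#8 encrypted container
    elif grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        # Traditional OpenSSL PEM marks encryption with a Proc-Type header
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted; else echo plain; fi
    else
        echo unknown
    fi
}

# Print "<state> <key file> <vhost file>" for each SSLCertificateKeyFile directive
scan_vhost_keys() {
    local conf key
    for conf in "$@"; do
        [ -r "$conf" ] || continue
        # Directive names are case-insensitive; commented lines have "#" in field 1
        awk 'tolower($1) == "sslcertificatekeyfile" { gsub(/"/, "", $2); print $2 }' "$conf" |
        while read -r key; do
            echo "$(key_state "$key") $key $conf"
        done
    done
}

# Constructed sample data: header-only key files (no real key material) and one vhost
demo=$(mktemp -d)
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTED' '-----END PRIVATE KEY-----' > "$demo/plain.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'CONSTRUCTED' '-----END ENCRYPTED PRIVATE KEY-----' > "$demo/pkcs8.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' 'DEK-Info: AES-256-CBC,00' '' 'CONSTRUCTED' '-----END RSA PRIVATE KEY-----' > "$demo/legacy.key"
printf '%s\n' '<VirtualHost *:8080>' "  SSLCertificateKeyFile $demo/legacy.key" "  # SSLCertificateKeyFile $demo/pkcs8.key" '</VirtualHost>' > "$demo/panel.vhost"

scan_vhost_keys "$demo/panel.vhost"
```

On a real server, pass the enabled vhost files to `scan_vhost_keys`; any line starting with `encrypted` names a key that will make Apache stop and ask for a passphrase.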
@Th0m I am quite sure I entered nothing. And I did what you recommend before I posted, before the snapshot, and again twice after the snapshot. Is there another directory I have to restore from backup to get the old certs without the passphrase, to be able to restart? Rainer
As has been mentioned several times, to simplify things you oughtn't change certbot to acme.sh. Other than what @Th0m mentioned above, remove acme.sh totally from your master server and restore certbot by re-installing it and run ispconfig update again choosing to create ssl for the server during the process.