letsencrypt does not renew

Discussion in 'Installation/Configuration' started by muekno, Jun 20, 2021.

  1. muekno

    muekno Active Member HowtoForge Supporter

    I have an old letsencrypt cert but it does not renew.
    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ led me to this:

    Code:
    20.06.2021-10:07 - WARNING - Let's Encrypt SSL Cert for: www.max-eckstein.de could not be issued.
    20.06.2021-10:07 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d www.max-eckstein.de -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d www.max-eckstein.de --key-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.key' --fullchain-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    
    The checkboxes SSL and Let's Encrypt are not set; if I set them, they reset after Apply.
    I have no entries in the log files the article above points to.
    What to do?

    Thanks for any help or hint.
    Rainer
     
    Last edited: Jun 20, 2021
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. muekno

    muekno Active Member HowtoForge Supporter

    Exactly that is what I did, see line 2 in my post. After following all points in that FAQ I came to the last point, which led me to the posted warning.
    System is Debian 10 with latest patches and I have ISPConfig 3.2.5. It must have worked, as there is a letsencrypt cert that expired 21.3.2021, but now the SSL and letsencrypt checkboxes are empty; if I set them they are empty again after update.
    Sorry, what did I do wrong?
    Rainer
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You did not read that carefully as the last step is to enable debugging mode and run the server.sh script.
     
  5. muekno

    muekno Active Member HowtoForge Supporter

    So again: I set loglevel to debug,
    I edit crontab as root and disable the first line:
    Code:
    #* * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    
    Edit the website and check SSL and Let's Encrypt,
    run
    /usr/local/ispconfig/server/server.sh
    and get the following besides some other DEBUG messages:
    Code:
    20.06.2021-13:39 - DEBUG - Create Let's Encrypt SSL Cert for: www.max-eckstein.de
    20.06.2021-13:39 - DEBUG - Let's Encrypt SSL Cert domains: 
    20.06.2021-13:39 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d www.max-eckstein.de -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d www.max-eckstein.de --key-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.key' --fullchain-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    [Sun 20 Jun 2021 01:39:20 PM CEST] Please add '--debug' or '--log' to check more details.
    [Sun 20 Jun 2021 01:39:20 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
    20.06.2021-13:39 - WARNING - Let's Encrypt SSL Cert for: www.max-eckstein.de could not be issued.
    20.06.2021-13:39 - WARNING - R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d www.max-eckstein.de -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d www.max-eckstein.de --key-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.key' --fullchain-file '/var/www/clients/client0/web5/ssl/www.max-eckstein.de-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    20.06.2021-13:39 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    20.06.2021-13:39 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/www.max-eckstein.de.vhost
    Thanks for support on sunday
    Rainer
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I do not use acme.sh as Let's Encrypt client, I have certbot instead, so I am not sure how to interpret the log. But
    have you named the website www.max-eckstein.de and enabled the auto-subdomain www?
    Does the website have other alias or subdomains that do not resolve from name service?
     
  7. muekno

    muekno Active Member HowtoForge Supporter

    The website is named www.max-eckstein.de, the auto subdomain is disabled. It worked for a long time. I do not remember when I upgraded to Debian 10, but it was this year. Following Tim's tutorial https://www.howtoforge.com/perfect-...-dovecot-ispconfig-3-1/#-install-lets-encrypt and some other information, acme.sh is the new preferred one. certbot is not installed.
    You're right, certbot seems to work. It is used on two other Debian 10 ISPConfig-controlled servers where the certs are renewed regularly.
    I have the same problem with another Debian 10 ISPConfig-controlled server running acme.sh, and just these days I got a warning for another similar server running acme.sh that the certificate will expire, which is not normal if the renewal works fine.
    Perhaps anyone from the development team can clear this.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you used certbot and then changed to acme.sh in your process of upgrading, then you could have a problem due to that.

    I think one way to recover is to uninstall acme.sh and all of its folders totally, reinstall certbot, run ISPConfig update again.
     
  9. muekno

    muekno Active Member HowtoForge Supporter

    That's what I thought too, but did not find much information on how to uninstall acme.sh totally.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not switch from certbot to acme.sh or from acme.sh to certbot on an existing server as you will lose all existing certs, they won't renew anymore. Stay with the LE client that you initially installed the server with. acme.sh works way better and more stable than certbot, that's why all new setups should use it. But you should not install acme.sh on a server that uses certbot already.

    So it comes down to the question if you initially installed this server with certbot or acme.sh. If this server was set up with certbot and you accidentally installed acme.sh later, then acme.sh must be removed. You will get trouble of course if you created any sites after you installed acme.sh that use LE certs, as they will get broken.
     
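Added example (my own, not code from this thread or from ISPConfig): a small POSIX shell script that reports whether acme.sh, certbot or both are present on a server and which domains each client holds a renewal configuration for, so the mixed state till describes above is visible before running the ISPConfig update. It assumes the default locations: /root/.acme.sh with one <domain>/<domain>.conf (or <domain>_ecc/<domain>.conf for ECC keys) per certificate for acme.sh, and /etc/letsencrypt/renewal/<domain>.conf for certbot. Both roots are parameters, so it can be pointed at a copy or a test tree.

```shell
#!/bin/sh
# Added example, not from this thread or from ISPConfig: report which Let's
# Encrypt client owns which certificates, so a server that ended up with both
# acme.sh and certbot (the state till warns about) is visible before an update.
# Assumed default layouts (both roots are parameters so a test tree can be used):
#   acme.sh : ACME_HOME/<domain>/<domain>.conf   (ECC keys: <domain>_ecc/<domain>.conf)
#   certbot : LE_DIR/renewal/<domain>.conf

# le_client_present ACME_HOME LE_DIR -> prints: acme.sh | certbot | both | none
le_client_present() {
    a=0; c=0
    if [ -x "$1/acme.sh" ]; then a=1; fi
    if [ -d "$2/renewal" ]; then c=1; fi
    case "$a$c" in
        11) echo both ;;
        10) echo acme.sh ;;
        01) echo certbot ;;
        *)  echo none ;;
    esac
}

# le_domains CLIENT ACME_HOME LE_DIR -> one managed domain per line (unsorted)
le_domains() {
    case "$1" in
        acme.sh)
            for d in "$2"/*/; do
                d=${d%/}; n=${d##*/}
                # skip acme.sh's own support directories
                case "$n" in ca|deploy|dnsapi|notify) continue ;; esac
                dom=${n%_ecc}
                if [ -f "$d/$dom.conf" ]; then echo "$dom"; fi
            done ;;
        certbot)
            for f in "$3"/renewal/*.conf; do
                if [ -f "$f" ]; then n=${f##*/}; echo "${n%.conf}"; fi
            done ;;
    esac
}

# le_report ACME_HOME LE_DIR -> summary on stdout; returns 1 when both clients are present
le_report() {
    state=$(le_client_present "$1" "$2")
    echo "client state: $state"
    for c in acme.sh certbot; do
        le_domains "$c" "$1" "$2" | sort -u | sed "s/^/  $c: /"
    done
    [ "$state" != both ]
}

# Default run: real paths unless two roots are given on the command line.
le_report "${1:-/root/.acme.sh}" "${2:-/etc/letsencrypt}" \
    || echo "WARNING: both clients are installed; certs of the client you remove will stop renewing"
```

Run it as root with no arguments for the default paths, or pass the two roots. A site that only appears under the client you are about to remove is one whose certificate will stop renewing, which is exactly the breakage till describes for sites created after the switch.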
  11. muekno

    muekno Active Member HowtoForge Supporter

    I upgraded the problem servers from Debian 9 to 10 and during this I might have switched from certbot to acme.sh.
    So I will try to uninstall acme.sh (is there a recommended way?) and reinstall certbot.
    Then getting new certs should be no problem.
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Before proceeding, I would suggest disabling LE SSL for all websites.

    Then, to remove acme.sh (according to Neilpang himself):
    Code:
    acme.sh --uninstall
    rm -r  ~/.acme.sh
    As for the installation of certbot, it should be covered in latest ubuntu or older debian tutorials.

    Run ISPConfig update accordingly and thereafter re-enable LE SSL for all websites.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    You can install it via snap as described on the certbot website. But just install it as described there, do not issue certs manually on the shell with certbot command.
     
  14. muekno

    muekno Active Member HowtoForge Supporter

    First thanks for all the help
    It worked fine for a slave server,
    but the master server asks for a passphrase on port 8080.
    So I made a snapshot as it is a VM.
    Then I restored /etc/apache2, /etc/ssl and /etc/letsencrypt from /var/backup.
    Starting Apache: same problem.
    Then I did an update of ISPConfig again, recreating the ISPConfig cert.
    Starting Apache: same problem again, it asks for a passphrase and will not start Apache.
    Keep in mind it is the master server of a production system; the other servers are working fine but the system is unmanageable without starting the ISPConfig portal.
    Thanks for further help
    Rainer
     
  15. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    This thread is about
    How come you now write about
    In what situation does something ask for passphrase? I am completely confused what this is about.
     
  16. muekno

    muekno Active Member HowtoForge Supporter

    I followed your last post on the affected slave server, the mail server not renewing the webmailer cert.
    It worked fine following your recommended steps.
    The web servers are still on certbot so are renewing fine.
    The master server had been changed to acme.sh too and was not renewing,
    so I did the same as on the mail server.
    After the ISPConfig update it tries to restart Apache, then it asks
    Enter passphrase for SSL/TLS keys for admin.domain.tld:8080 (RSA):
    Restarting Apache manually: the same.

    Rainer
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I suspect a cert was generated during the update, and when asked for a passphrase, you entered something instead of leaving it empty. Run the update again, regenerate a cert, don't set a passphrase.
     
  18. muekno

    muekno Active Member HowtoForge Supporter

    @Th0m I am quite sure I entered nothing. And I did what you recommended before I posted, before the snapshot and again twice after the snapshot. Is there another directory I have to restore from backup to get the old certs without the passphrase, to be able to restart?
    Rainer
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can remove the certs manually from /usr/local/ispconfig/interface/ssl.
     
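Added example (my own, not code from this thread or from ISPConfig): a POSIX shell script that reads the SSLCertificateKeyFile directives from the enabled Apache vhosts and flags any key file that is passphrase-protected or missing, which is the condition behind the "Enter passphrase for SSL/TLS keys for admin.domain.tld:8080 (RSA):" prompt. It assumes the ISPConfig interface vhost is among /etc/apache2/sites-enabled/* and points at the key under /usr/local/ispconfig/interface/ssl (an assumption about the ISPConfig layout, not something the thread states), and that key paths contain no spaces.

```shell
#!/bin/sh
# Added example, not from this thread or from ISPConfig: find the private keys that
# Apache is configured to load and flag any that are passphrase-protected, which is
# what makes Apache stop at "Enter passphrase for SSL/TLS keys for ...:8080 (RSA):".
# Assumptions: vhost files use the Apache directive SSLCertificateKeyFile; the ISPConfig
# interface vhost is under /etc/apache2/sites-enabled/ and points at a key in
# /usr/local/ispconfig/interface/ssl/ (assumed layout); key paths contain no spaces.

# key_is_encrypted KEYFILE -> exit 0 if the PEM key carries an encryption header
# (traditional "Proc-Type: 4,ENCRYPTED" or a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block)
key_is_encrypted() {
    grep -Eq '^Proc-Type: 4,ENCRYPTED|^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# apache_keys CONF... -> prints every SSLCertificateKeyFile path found in the given files
apache_keys() {
    sed -nE 's/^[[:space:]]*SSLCertificateKeyFile[[:space:]]+"?([^"[:space:]]+)"?.*/\1/p' "$@"
}

# check_keys CONF... -> one line per key (OK / ENCRYPTED / MISSING); returns 1 on any problem
check_keys() {
    rc=0
    for k in $(apache_keys "$@"); do
        if [ ! -f "$k" ]; then
            echo "MISSING   $k"; rc=1
        elif key_is_encrypted "$k"; then
            echo "ENCRYPTED $k"; rc=1
        else
            echo "OK        $k"
        fi
    done
    return $rc
}

# Default run: the files given on the command line, otherwise the enabled Apache vhosts.
[ $# -gt 0 ] || set -- /etc/apache2/sites-enabled/*
check_keys "$@" || echo "at least one key needs attention before Apache will start unattended"
```

If a key is reported as ENCRYPTED, `openssl rsa -in ispserver.key -out ispserver.key.nopass` writes an unencrypted copy after asking for the passphrase once. Since the advice in this thread is to remove the interface certs and let the ISPConfig updater regenerate them without a passphrase, the main use of this check is to confirm that the regenerated key really is unencrypted before restarting Apache.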
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As has been mentioned several times, to simplify things you oughtn't change certbot to acme.sh. Other than what @Th0m mentioned above, remove acme.sh totally from your master server and restore certbot by re-installing it and run ispconfig update again choosing to create ssl for the server during the process.
     
