I deleted all besides empty.dir. Did an update again and let it create a cert for ISPConfig. Starting Apache asks for the passphrase again. Got 3 new entries in /usr/local/ispconfig/interface/ssl
Code:
ispserver.crt -> /etc/letsencrypt/live/admin.domain.de/fullchain.pem
ispserver.key -> /etc/letsencrypt/live/admin.domain.de/privkey.pem
ispserver.pem
There were probably symlinks in the directory, so the old certificates still existed in /etc/letsencrypt/live/admin.gerdakloos.de/ and were reused, that's why you still have that encrypted key. These are just new symlinks to the old broken key + cert.
1) Delete the symlinks in /usr/local/ispconfig/interface/ssl/
2) Delete the broken SSL cert admin.gerdakloos.de using the 'certbot delete' command.
3) Run ISPConfig update, to create new certs.
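Added example (not part of the original posts, and not ISPConfig or certbot code): a small shell check for the situation described above, where a newly created symlink such as ispserver.key still resolves to an old passphrase-protected key. The function name key_status, the sample file names and the temporary directory layout are constructed for illustration; the key is classified by its PEM header only.

```shell
#!/bin/sh
# Added example. Classifies the private key a path (or symlink) resolves to
# by its PEM header only; no key material is parsed.
key_status() {
    p=$1
    # A symlink whose target was deleted: -L is true, -e (follows link) is false.
    if [ -L "$p" ] && [ ! -e "$p" ]; then echo dangling; return 0; fi
    [ -f "$p" ] || { echo missing; return 0; }
    # PKCS#8 encrypted header, or traditional PEM with a Proc-Type line.
    if grep -Eq -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' \
                -e '^Proc-Type: 4,ENCRYPTED' "$p"; then
        echo encrypted        # a web server loading this key needs the passphrase
    elif grep -Eq -e '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$p"; then
        echo plain
    else
        echo unknown
    fi
}

# Build constructed sample files that mirror the layout from the thread.
make_samples() {
    d=$1
    mkdir -p "$d/live" "$d/ssl"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
        'CONSTRUCTEDSAMPLE' '-----END RSA PRIVATE KEY-----' > "$d/live/old.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'CONSTRUCTEDSAMPLE' \
        '-----END PRIVATE KEY-----' > "$d/live/new.pem"
    ln -s "$d/live/old.pem" "$d/ssl/ispserver.key"      # new link, old key
    ln -s "$d/live/new.pem" "$d/ssl/fresh.key"          # unencrypted key
    ln -s "$d/live/gone.pem" "$d/ssl/stale.key"         # target deleted
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_samples "$demo"
for k in "$demo"/ssl/*.key; do
    printf '%s -> %s: %s\n' "${k##*/}" "$(readlink "$k")" "$(key_status "$k")"
done
```

On a real system the call would be key_status /usr/local/ispconfig/interface/ssl/ispserver.key; a result of "encrypted" matches the passphrase prompt Apache shows at start.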
@ahrasis So to clear things up again: I had two servers, the master and the mail server (in the same multiserver system), that were moved to acme.sh and then had problems renewing certs. Following your post above, everything works fine for the mail server, as I did not want to begin with the master. Doing the same on the master server led me into the passphrase prompt problem. The master server has no remnants of acme.sh, at least that I can see. I installed certbot following https://certbot.eff.org/lets-encrypt/debianbuster-apache.html as I did on the mail server, where everything is fine now. Rainer
@Tim That was half the job, thanks, but there is still an Apache start error. The update created a new self-signed cert. In line 129 of 100-admin.domain.de.vhost the SSL file, and in line 130 the SSL key, point to /var/www.client1/web69/admin.domain.de-le.crt and .key respectively.
Which are symlinks and therefore should point to the newly created keys, unless you renamed the website or hostname.
I did not rename anything. The website itself is empty; it is just for the LE cert for ISPConfig. Is it safe to remove the file from .../apache/sites-enabled? The Apache error: AH00526: Syntax error on line 129 of /etc/apache2/sites-enabl
ISPConfig 3.2 systems do not use a website for the SSL cert of the panel. Delete the vhost symlink in sites-enabled/ for that site and restart apache.
OK, the ISPConfig portal is available again, but with an insecure self-signed cert. Thank you. So, last question: I can delete the admin website. But what DNS entry should I use to get an LE cert for port 8080? The information I found on HowToForge was always to create a dummy website for this with the IP of ISPConfig.
Run the update again with --force option and let the updater create a new SSL cert. And look at what the updater shows you in case you get a self-signed SSL cert again, this helps you to find out why certbot fails and to fix that, as you can't get a LE cert when certbot is not able to verify your domain name.
Websites and DNS are not related to each other. You must have a DNS entry when you can reach the server by typing that name into the browser.
This was for old ISPConfig versions, not recent ones. The guides that describe the old method have contained a prominent note for quite some time to not use them for ISPConfig 3.2.
Back at the beginning:
php -q update.php --force
Result:
Code:
>> Update
Operating System: Debian 10.0 (Buster) or compatible
This application will update ISPConfig 3 on your server.
Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]:
Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Loading SQL patch file: /tmp/ispconfig3_install/install/sql/incremental/upd_dev_collection.sql
Reconfigure Permissions in master database? (yes,no) [no]:
Service 'mail_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]:
Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]:
Service 'db_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]:
Reconfigure Services? (yes,no,selected) [yes]:
Configuring BIND
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Jailkit
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for admin.gerdakloos.de
Using certificate path /etc/letsencrypt/live/admin.gerdakloos.de
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
Reconfigure Crontab? (yes,no) [yes]:
Updating Crontab
Restarting services ...
Enter passphrase for SSL/TLS keys for admin.gerdakloos.de:8080 (RSA):
Job for apache2.service failed because the control process exited with error code.
See "systemctl status apache2.service" and "journalctl -xe" for details.
Update finished.
root@admin:/tmp/ispconfig3_install/install#
I will be out of office from 1pm to about 7pm.
Really strange, we'll look into this. Please post the output of:
ls -la /usr/local/ispconfig/interface/ssl/
and
ls -la /usr/local/ispconfig/interface/ssl/ispserver.key
Code:
root@admin:/tmp/ispconfig3_install/install# ls -la /usr/local/ispconfig/interface/ssl
total 36
drwxr-s--- 2 root root 4096 Jun 23 12:37 .
drwxr-s--- 9 ispconfig ispconfig 4096 Oct 9 2016 ..
-rwxr-x--- 1 root root 45 Jun 23 12:37 empty.dir
lrwxrwxrwx 1 root root 55 Jun 23 12:37 ispserver.crt -> /etc/letsencrypt/live/admin.gerdakloos.de/fullchain.pem
-rwxr-x--- 1 root root 2004 Jun 23 11:25 ispserver.crt-20210623123658.bak
lrwxrwxrwx 1 root root 53 Jun 23 12:37 ispserver.key -> /etc/letsencrypt/live/admin.gerdakloos.de/privkey.pem
-rwxr-x--- 1 root root 3272 Jun 23 11:24 ispserver.key-20210623123658.bak
-rwxr-x--- 1 root root 5441 Jun 23 12:37 ispserver.pem
-rwxr-x--- 1 root root 5276 Jun 23 11:25 ispserver.pem-20210623123658.bak
root@admin:/tmp/ispconfig3_install/install# ls -la /usr/local/ispconfig/interface/ssl/ispserver.key
lrwxrwxrwx 1 root root 53 Jun 23 12:37 /usr/local/ispconfig/interface/ssl/ispserver.key -> /etc/letsencrypt/live/admin.gerdakloos.de/privkey.pem
root@admin:/tmp/ispconfig3_install/install#
I have Debian 10 with the latest patches and ISPConfig 3.2.5.
I now think you had previously used the old tutorial to secure this server and you have not removed that in full before upgrading your system. If this is true, the fix is to undo whatever you did following that tutorial, before doing whatever is advised in here thereafter.
Do not ask me what I did months ago. For the moment I will try to go back to a self-signed cert, so I can use ISPConfig. Tomorrow I have an eye operation and it will take some days until I can work on the PC again. Thanks for the help so far; maybe till finds a reason why the letsencrypt certs are generated with a passphrase. Rainer
I think the passphrase is in the previously generated certificate. You have not managed to remove it completely or not managed to force apache to stop using that old certificate.
The fix is quite easy, but you have to delete all of the old LE certs for your server before continuing as per @till's advice above. But if you really did follow that old tutorial a long time before this, properly undoing that tutorial's steps beforehand is necessary.
Now that my eye is OK and I can see again, I tried to fix it. I deleted the ISPConfig symlinks in /usr/local/ispconfig/interface/ssl/ and the symlinks they pointed to and the certs these symlinks pointed to. Deleted all certs with certbot delete, then did a force update of ISPConfig with create cert = yes. Then a self-signed cert was created and finally I can start ISPConfig again with a cert warning. certbot shows me a cert for the admin server, the admin server website still exists, ISPConfig has SSL and letsencrypt checked, but only an http connection is working, no SSL. I will do a snapshot now and then try to get SSL running. Any hints for that? Thanks for all the help.
Deleted the admin web site; as Till wrote, it's not needed to get a letsencrypt cert for port 8080, the ISPConfig portal. Did a --force update again. Said yes to create SSL cert but got
Code:
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key
and still have a self-signed cert. Did not remove the DNS entry; ping to the server name still resolves to the correct IP address. What's going wrong? Rainer
That's not easy to say as you neither posted the complete update from the update, which shows why a self signed SSL cert was created nor the log of letsencrypt client that was used to get the certificate.
Deleted letsencrypt log files
deleted existing certs with certbot delete
deleted everything under /etc/letsencrypt/archives/
deleted everything under /etc/letsencrypt/csr/
deleted everything under /etc/letsencrypt/keys/
deleted everything under /etc/letsencrypt/live/ except the readme
deleted everything under /etc/letsencrypt/renewal/
The other letsencrypt directories were empty or seemed not relevant for holding old data.
Did an update --force again. Wow, got a valid letsencrypt cert. Thanks everybody. Rainer
P.S.: Why I did this: there were some lines in the letsencrypt log files regarding the live subdirectory which made me think, so I decided to clean up letsencrypt totally.