Letsencrypt not working after migration to a new server

Discussion in 'Installation/Configuration' started by Thrash Cardiom, Dec 2, 2019.

  1. Thrash Cardiom

    Thrash Cardiom New Member

    I used the ISPConfig migration tool to migrate my installation to a new server - Debian 9 to Debian 10. I have an issue in that Letsencrypt is not working correctly. It certainly doesn't seem to be creating or renewing any certificates.
    When I select a domain to renew the cert on, nothing happens. The certificate is not created. Nothing appears in the letsencrypt.log. No files are created in /etc/letsencrypt. The same thing occurs if I select a domain that has not had a certificate previously.

    In ISPConfig, the Let's Encrypt SSL checkbox is set to unticked.


    I have run certbot-auto manually and used it to renew one domain. The result was the certificate was renewed but only for the tld domain and did not include the 'www.tld'.

    I have a number of domains coming up for renewal and would like to get this sorted.

    I do not have the debian version of letsencrypt installed.

    Thank you
     
  2. Thrash Cardiom

    Thrash Cardiom New Member

    More on this: Is ISPConfig even interacting with letsencrypt? When run from within ISPConfig, nothing is logged in the letsencrypt log.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Refer to the top post in this forum for instructions to enable debugging for the ISPConfig server cronjob, and see what logs you get with that (i.e. enable debugging, make some change that should trigger letsencrypt, then run server.sh and see what it says).
     
  4. Thrash Cardiom

    Thrash Cardiom New Member

    Thanks for the response. Yes, I have already done that. I got:


    /usr/local/ispconfig/server/server.sh


    finished.

    Nothing more than that. No real output and nothing written to the letsencrypt.log file at all.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Is this multi-server? If so, you need to set logging to debug level for the web server you're troubleshooting and run server.sh on that web server (not the control panel server). If it's a single server, something's not right in the setup or the test scenario - make sure you have Loglevel set to debug, and that you disabled server.sh in the root's crontab, then turn off the ssl and letsencrypt checkboxes, hit save, run server.sh manually (just ignore this output), then turn those checkboxes back on, and run server.sh again manually. It will have more output than that.

    One other thing to check is that you're logged in as admin; if not, try changing some other setting (php mode/version or something) and save that, then check if your change was saved or not.
     
  6. Thrash Cardiom

    Thrash Cardiom New Member

    Thanks. I had missed the debug bit.
    Output from running server.sh:


    03.12.2019-12:25 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    03.12.2019-12:25 - DEBUG - Found 2 changes, starting update process.
    03.12.2019-12:25 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    03.12.2019-12:25 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    03.12.2019-12:25 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client15/web26' - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client15/web26' - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client15/web26'|awk 'END{print $2,$NF}' - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: setquota -u 'web26' '5120000' '5121024' 0 0 -a &> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: setquota -T -u 'web26' 604800 604800 -a &> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client15/web26' - return code: 0
    03.12.2019-12:25 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: domainONE.com
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - Let's Encrypt Cert file: does not exist.
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - Add server alias: alias.one.com
    03.12.2019-12:25 - DEBUG - Add server alias: alias.two.com
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web26/.php-fcgi-starter
    03.12.2019-12:25 - DEBUG - Enable SSL for: domainONE.com
    03.12.2019-12:25 - DEBUG - Enable SSL for IPv6: domainONE.com
    03.12.2019-12:25 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domainONE.com.vhost
    03.12.2019-12:25 - DEBUG - Created AWStats config file: /etc/awstats/awstats.domainONE.com.conf
    03.12.2019-12:25 - DEBUG - Processed datalog_id 887
    03.12.2019-12:25 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    03.12.2019-12:25 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    03.12.2019-12:25 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client1/web24' - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web24' - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client1/web24'|awk 'END{print $2,$NF}' - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: setquota -u 'web24' '5120000' '5121024' 0 0 -a &> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: setquota -T -u 'web24' 604800 604800 -a &> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client1/web24' - return code: 0
    03.12.2019-12:25 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: domainTWO.com
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - Let's Encrypt Cert file: does not exist.
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - Add server alias: alias.three.com
    03.12.2019-12:25 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    03.12.2019-12:25 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web24/.php-fcgi-starter
    03.12.2019-12:25 - DEBUG - Enable SSL for: domainTWO.com
    03.12.2019-12:25 - DEBUG - Enable SSL for IPv6: domainTWO.com
    03.12.2019-12:25 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/domainTWO.com.vhost
    03.12.2019-12:25 - DEBUG - Created AWStats config file: /etc/awstats/awstats.domainTWO.com.conf
    03.12.2019-12:25 - DEBUG - Processed datalog_id 888
    03.12.2019-12:25 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    03.12.2019-12:25 - DEBUG - Restarting httpd: systemctl reload apache2.service
    03.12.2019-12:25 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

    /var/log/letsencrypt/letsencrypt.log had no changes.

    The interesting thing is that it is telling me the Let's Encrypt Cert file does not exist. No, it doesn't for domain ONE but it certainly does for domain TWO.
     
  7. Thrash Cardiom

    Thrash Cardiom New Member

    Aha - Migration mode still enabled!

    Turned off and things are running now. Thank you for your help, Jesse.
     
    till and Jesse Norell like this.
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally the tool disables the migration mode at the end on its own, but maybe the target was not reachable for a moment so that the remote api call to switch it off failed at the end of the migration run.
     
    Thrash Cardiom likes this.
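
The skip reported in this thread is only visible at debug log level, so a check that flags it can catch a migration mode that was left enabled before certificates lapse. The following is an added example, not part of the thread and not ISPConfig's own code: it parses server.sh debug output in the format quoted above and lists the domains whose Let's Encrypt request was skipped. The function name, the record fields and the sample log are constructed for illustration.

```python
import re
import sys

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE = """\
03.12.2019-12:25 - DEBUG - Found 3 changes, starting update process.
03.12.2019-12:25 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: domainONE.com
03.12.2019-12:25 - DEBUG - Let's Encrypt Cert file: does not exist.
03.12.2019-12:25 - DEBUG - Enable SSL for: domainONE.com
03.12.2019-12:25 - DEBUG - Processed datalog_id 887
03.12.2019-12:25 - DEBUG - Migration mode active, skipping Let's Encrypt SSL Cert creation for: domainTWO.com
03.12.2019-12:25 - DEBUG - Processed datalog_id 888
03.12.2019-12:25 - DEBUG - Enable SSL for: example.org
03.12.2019-12:25 - DEBUG - Processed datalog_id 889
"""

LINE = re.compile(r"^\s*\d{2}\.\d{2}\.\d{4}-\d{2}:\d{2} - \w+ - (.*)$")
SKIP = re.compile(r"Migration mode active, skipping Let's Encrypt SSL Cert creation for: (\S+)")
NO_CERT = re.compile(r"Let's Encrypt Cert file:.*does not exist")
DONE = re.compile(r"Processed datalog_id (\d+)")


def skipped_by_migration_mode(text):
    """Return one record per datalog entry whose certificate request was skipped."""
    findings, current = [], None
    for raw in text.splitlines():
        line = LINE.match(raw)
        if not line:
            continue  # not a server.sh log line
        msg = line.group(1)
        if (skip := SKIP.match(msg)):
            current = {"domain": skip.group(1), "cert_missing": False, "datalog_id": None}
        elif current and NO_CERT.match(msg):
            current["cert_missing"] = True
        elif (done := DONE.match(msg)):
            if current:  # close the entry the skip line belonged to
                current["datalog_id"] = int(done.group(1))
                findings.append(current)
            current = None
    if current:  # log ended before the datalog entry was closed
        findings.append(current)
    return findings


if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    found = skipped_by_migration_mode(text)
    for f in found:
        print(f"{f['domain']}: skipped (datalog_id {f['datalog_id']}, cert missing: {f['cert_missing']})")
    sys.exit(1 if found else 0)
```

Pipe the debug output of server.sh into the script; a non-zero exit status means at least one domain was skipped because migration mode is still active.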
