Letsencrypt problem from a newbie

Discussion in 'Installation/Configuration' started by baxterdmutt, Jan 7, 2021.

  1. baxterdmutt

    baxterdmutt New Member

    Hi all. I am sorry to have to ask about this. I've worked really hard to try and work it out on my own. I set up a new server based on this link:
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/ Everything seemed to go well until I noticed I did not have a letsencrypt cert (the documentation showed to install acme.sh and I did that). I went to link the ispconfig panel to the domain certs, but there was no /etc/letsencrypt/live directory and so no certs. I created certs using acme.sh -d ...... and they were placed into the /root directory.
    I have working certs now, but I don't think they will update on their own. I'm sure I didn't miss any instructions. Can I get some help to point me in the right direction to make sure certificates will be issued properly?
    Thanks
    Roger
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Never use the command line for acme.sh yourself, as this breaks the implementation with ISPConfig. Undo your changes and then enable Let's Encrypt in the panel to create certs for your websites.

    The certs with acme.sh don't go in /etc/letsencrypt/live but in /root/.acme.sh/ by the way. So if you ever follow a tutorial like https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ replace the necessary text.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As said by @Th0m, don't obtain LE SSL certs for your server manually. Delete them totally if they are already issued.

    The right way is to download the latest ISPConfig 3.2 and say yes during the update process to secure your server with LE SSL certs automatically.

    This way you can be certain that they will be renewed properly when it is time for the server and all its services.
     
  4. baxterdmutt

    baxterdmutt New Member

    Ok thanks. I need a bit of help then. I have already created a bunch of certificates because of issues I had with one of the other panels and it went rogue. I can't create many more without reaching my limit. So can I just remove the ones in the wrong place and then carry on? I'm already using ispconfig 3.2. That's what I started with and was never asked about LE certs. I now have certificates in /root/.acme.sh/ but I have the one I created in /etc/letsencrypt/live/, so can I just change the links in the tutorial Th0m mentioned to the /root/acme.sh/? Are there links in each of the client directories /ssl to the actual certs in /root/acme.sh/? I need to try to fix this without generating new certs. Thanks for helping!
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Then symlinking the certs from /root/.acme.sh is the best option you have. My old tutorial guides this for certbot but you can adjust it for acme.sh as well, though it is not the advisable way for ISPConfig 3.2, at least not in my opinion as the writer and the contributor to that tutorial and relevant code in installer_base.lib.php.

    Don't get me wrong. To explain - the tutorial is mainly aimed at advanced users as it uses incron, manual work and a manually created script, while the default ISPConfig 3.2 installer is aimed at all users as it uses a hook, a built-in script and runs automatically during install or update when yes to SSL is opted.
     
  6. baxterdmutt

    baxterdmutt New Member

    So like I said, I'm a newbie. I did try doing the tutorial and replacing the acme directories in place of certbot. It's not working and I'm really lost here. Just to add... I undid the links and symbolic links that I did before, and then I unchecked, saved, and rechecked the "letsencrypt" and "SSL" checkboxes. I can see that the certificates have been created in /root/.acme.sh/ but the site fails to deliver an encrypted page if I enter https://soon.and.so/index.html
    *Just another edit here. I noticed that there is no /etc/letsencrypt directory structure on my disk. I've seen a couple comments talking about acme and /etc/letsencrypt/...
     
    Last edited: Jan 8, 2021
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    soon.and.so does not work because there is no DNS record for it, not because of an HTTPS problem.

    There is no /etc/letsencrypt because you use acme.sh which stores the certs in /root/.acme.sh/.
    As said, undo your changes and enable Let's Encrypt through the panel. If you hit the limits, you will have to wait until next Monday when they are reset. It's the best way to get a reliable system.
     
  8. baxterdmutt

    baxterdmutt New Member

    Soon.and.so was an example. I did what you said and I see the certificates but when I go to the ssl page, there is no certificate served. I also notice now that ispconfig shows on the monitor page that none of the services are running. But logging in via ssh and checking the status of dovecot, apache2, MariaDB are all showing good status. Something clearly has gone wrong with this install. I'll reinstall it again.
    How do I make sure I get a letsencrypt certificate when installing from scratch? It asks if I want ssl and if I say yes it creates a self signed certificate and then I’m right back here. This will be my 3rd install.
     
    Last edited: Jan 8, 2021
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You need to ensure your server1.domain.tld (subdomain, not root domain) A record (at least) is pointing to your server and it is a fully qualified domain name, so try to dig your server1.domain.tld to make sure that it does point to your server A record.
     
  10. baxterdmutt

    baxterdmutt New Member

    Yup. That's fine and looks good. That doesn't answer the question though. When going through the install process, what do I do to make sure I get a letsencrypt cert installed? Do I have to do it manually after the install?
     
  11. baxterdmutt

    baxterdmutt New Member

    Ok I got it reinstalled and the panel has a letsencrypt cert. One of the sites I created has certificates in its ssl directory but when I go to the page using https, it's not available. What could I be doing wrong now?
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Is LE enabled for that site?
     
  13. baxterdmutt

    baxterdmutt New Member

    Yes. and I can see the certificates in the
    /var/www/clients/client1/web1/ssl directory.
     
  14. baxterdmutt

    baxterdmutt New Member

    I'm also now seeing that the mail server for that domain is not TLS enabled. Where should I look for config problems around this issue? I've been using VestaCP for years and got used to where they kept files. It's totally different here. I thought the manual might help so I bought it, but it's not helping at all with this issue.
     
  15. baxterdmutt

    baxterdmutt New Member

    I'm seeing what's happening now but have no idea why. When I create the site it adds /etc/apache2/sites-available/example.com.vhost and example.com.vhost.err. The config with the .err has the listen 443. The other does not, and it is the one without the listen 443 that is becoming the site-enabled. I thought maybe it was that the certificate directory /var/www/clients/client1/web2/ssl/ was empty, but the key and the LE key and cert were in there.

    Ok for anyone else that has this issue, I finally figured it out. The key and the cert did not match. So removing the key and cert fixed the issue. What I don't understand is how they became corrupt in the first place. I do think it might be valuable for the ispconfig team to wonder why. I think it had something to do with Letsencrypt and the SSL tab. I noticed the problem when I went into the blogs, but I then looked at the SSL tab and saw there was a certificate in there. I did not place it there. It would have been work to cut and paste the key in there manually and I never did that. Anyway. I hope my experience helps someone else.
    Thanks all!
     
    Last edited: Jan 9, 2021
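    The mismatch described in the post above (a private key that does not belong to the certificate sitting beside it in the site's ssl directory) can be detected before Apache ever fails to serve HTTPS, by comparing the public key derived from the key file with the one embedded in the certificate. This is an added example, not code from the thread or from ISPConfig; the demo directory, file names and the openssl CLI dependency are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): detect a private key that
# does not belong to the certificate stored beside it. Requires the openssl CLI.

# key_matches_cert KEYFILE CERTFILE
# Returns 0 when the public key derived from KEYFILE equals the public key
# embedded in CERTFILE, 1 when they differ, 2 if either file cannot be parsed.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# make_demo_dir
# Builds a constructed, throw-away stand-in for a site ssl directory: one
# matching key/cert pair plus a second, unrelated ("stale") key. Prints the path.
make_demo_dir() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$dir/example.test.key" -out "$dir/example.test.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/stale.key" 2>/dev/null
    echo "$dir"
}

# Stand-alone demonstration: check every key in the demo directory against
# the site certificate and report which one actually belongs to it.
demo_dir=$(make_demo_dir)
for key in "$demo_dir"/*.key; do
    if key_matches_cert "$key" "$demo_dir/example.test.crt"; then
        echo "OK       $key matches example.test.crt"
    else
        echo "MISMATCH $key does not match example.test.crt"
    fi
done
rm -rf "$demo_dir"
```

    Run against a real ISPConfig site directory, point the loop at that directory's key and certificate files instead of the constructed ones.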
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The manual needs some improvement and we are looking for a better system to manage it, so we can update outdated information and add some information about stuff like this. Stay tuned!

    That should not happen. Did you do some manual changes in that folder, or create a cert from the SSL tab? Before adding an SSL cert, you should remove the old cert by going to the SSL tab and selecting "Delete certificate" for certificate action.
     
  17. baxterdmutt

    baxterdmutt New Member

    I did not place anything in that folder manually. I have noticed that if you go to the ssl tab and at the bottom set “create” then don’t save it... just leave the ssl tab and you will see that the red update circle at the top of the screen will appear. I think during that time, something goes wrong.
     
  18. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Leaving the tab is the same as saving, unless you change the config under System -> Main config -> Misc -> Discard changes on tab change.
     