ISPConfig Perfect Server for Ubuntu has been working for several years. The server just stopped updating certificates for the mail server. Domain structure is:

host.domain.org => mail.domain.org
mail.domain.org => imap.domain.org
mail.domain.org => smtp.domain.org

Trying to set up email accounts on a new Thunderbird instance gives an out-of-date certificate for mail.domain.org, imap.domain.org and smtp.domain.org. Moodle now cannot IMAP to the mail server on port 110. The Let's Encrypt certificates' validity finished a month ago.

The only reference in crontab is

Code:
59 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null

This is strange, as I had a memory this server was still on certbot. Is there a way of setting this up to renew automatically via ISPConfig? (I'm also wondering if I have the subdomain and domain alias settings correct for the above domains in ISPConfig.) Do I have to renew the domains manually?
There is a Let's Encrypt FAQ: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ Find out why the certificates are not renewed. Run the common issues script to see whether this host is using certbot or acme.sh. If it has both, there is trouble. https://forum.howtoforge.com/threads/please-read-before-posting.58408/
In addition to what @Taleman posted: if your cert contains multiple domains, then it cannot have been created by the ISPConfig installer. Either you created it manually, or it's the cert of a website in ISPConfig. But with acme.sh, website certs have just one location, so the cert might have been renewed for the website, but not for ISPConfig itself.
Thanks for the excellent script. Both certbot and acme.sh are installed and the log seems to show other errors. What is the best way forward? Do I just apt-get remove certbot?

Code:
##### SERVER #####
IP-address (as per hostname): ***.***.***.***
[WARN] could not determine server's ip address by ifconfig
[INFO] OS version is Ubuntu 22.04.4 LTS
[INFO] uptime:  20:17:21 up 56 days, 12:18,  2 users,  load average: 0.28, 0.12, 0.04
[INFO] memory:
               total        used        free      shared  buff/cache   available
Mem:            15Gi       3.9Gi       1.8Gi       214Mi       9.8Gi        11Gi
Swap:          4.0Gi       467Mi       3.5Gi
[INFO] systemd failed services status:
  UNIT                        LOAD   ACTIVE SUB    DESCRIPTION
● certbot.service             loaded failed failed Certbot
● maldet.service              loaded failed failed Linux Malware Detect monitoring - maldet
● snap.certbot.renew.service  loaded failed failed Service for snap application certbot.renew
● systemd-quotacheck.service  loaded failed failed File System Quota Check

LOAD   = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB    = The low-level unit activation state, values depend on unit type.
4 loaded units listed.
[INFO] ISPConfig is installed.

##### ISPCONFIG #####
ISPConfig version is 3.2.11p2

##### VERSION CHECK #####
[INFO] php (cli) version is 8.1.27
[INFO] php-cgi (used for cgi php in default vhost!) is version 8.1.27

##### PORT CHECK #####

##### MAIL SERVER CHECK #####

##### RUNNING SERVER PROCESSES #####
[INFO] I found the following web server(s):
        Apache 2 (PID 117802)
[INFO] I found the following mail server(s):
        Postfix (PID 117729)
[INFO] I found the following pop3 server(s):
        Dovecot (PID 117747)
[INFO] I found the following imap server(s):
        Dovecot (PID 117747)
[INFO] I found the following ftp server(s):
        PureFTP (PID 117834)

##### LISTENING PORTS #####
(only () Local (Address)
[localhost]:953                 (117972/named)
[localhost]:953                 (117972/named)
[localhost]:953                 (117972/named)
[localhost]:953                 (117972/named)
***.***.***.***:53              (101734/systemd-reso)
[localhost]:53                  (117972/named)
[localhost]:53                  (117972/named)
[localhost]:53                  (117972/named)
[localhost]:53                  (117972/named)
[localhost]:10023               (1226/postgrey)
***.***.***.***:53              (117972/named)
***.***.***.***:53              (117972/named)
***.***.***.***:53              (117972/named)
***.***.***.***:53              (117972/named)
[localhost]:11211               (863/memcached)
[localhost]:11334               (117736/rspamd:)
[localhost]:11332               (117736/rspamd:)
[localhost]:11333               (117736/rspamd:)
[anywhere]:4190                 (117747/dovecot)
[anywhere]:3306                 (116850/mariadbd)
[localhost]:6379                (924/redis-server)
[anywhere]:993                  (117747/dovecot)
[anywhere]:995                  (117747/dovecot)
[anywhere]:587                  (117729/master)
[anywhere]:465                  (117729/master)
[anywhere]:25                   (117729/master)
[anywhere]:22                   (2902367/sshd:)
[anywhere]:110                  (117747/dovecot)
[anywhere]:143                  (117747/dovecot)
*:*:*:*::*:8081                 (117802/apache2)
*:*:*:*::*:8080                 (117802/apache2)
*:*:*:*::*16b3:1fff:fe19:53     (117972/named)
*:*:*:*::*16b3:1fff:fe19:53     (117972/named)
*:*:*:*::*16b3:1fff:fe19:53     (117972/named)
*:*:*:*::*16b3:1fff:fe19:53     (117972/named)
*:*:*:*::*:4190                 (117747/dovecot)
*:*:*:*::*:6379                 (924/redis-server)
*:*:*:*::*:10023                (1226/postgrey)
*:*:*:*::*:3306                 (116850/mariadbd)
*:*:*:*::*:953                  (117972/named)
*:*:*:*::*:953                  (117972/named)
*:*:*:*::*:953                  (117972/named)
*:*:*:*::*:953                  (117972/named)
*:*:*:*::*:53                   (117972/named)
*:*:*:*::*:53                   (117972/named)
*:*:*:*::*:53                   (117972/named)
*:*:*:*::*:53                   (117972/named)
*:*:*:*::*:9983                 (2774712/coolwsd)
*:*:*:*::*:11334                (117736/rspamd:)
*:*:*:*::*:11332                (117736/rspamd:)
*:*:*:*::*:11333                (117736/rspamd:)
*:*:*:*::*:993                  (117747/dovecot)
*:*:*:*::*:995                  (117747/dovecot)
fd8e:c784:c576:0:16b:53         (117972/named)
fd8e:c784:c576:0:16b:53         (117972/named)
fd8e:c784:c576:0:16b:53         (117972/named)
fd8e:c784:c576:0:16b:53         (117972/named)
*:*:*:*::*:587                  (117729/master)
*:*:*:*::*:443                  (117802/apache2)
*:*:*:*::*:465                  (117729/master)
*:*:*:*::*:25                   (117729/master)
*:*:*:*::*:21                   (117834/pure-ftpd)
*:*:*:*::*:22                   (2902367/sshd:)
[localhost]10                   (117747/dovecot)
*:*:*:*::*:80                   (117802/apache2)
[localhost]43                   (117747/dovecot)

##### IPTABLES #####
Chain INPUT (policy DROP)
target     prot opt source               destination
ufw-before-logging-input  all  --  [anywhere]/0  [anywhere]/0
ufw-before-input          all  --  [anywhere]/0  [anywhere]/0
ufw-after-input           all  --  [anywhere]/0  [anywhere]/0
ufw-after-logging-input   all  --  [anywhere]/0  [anywhere]/0
ufw-reject-input          all  --  [anywhere]/0  [anywhere]/0
ufw-track-input           all  --  [anywhere]/0  [anywhere]/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
ufw-before-logging-forward  all  --  [anywhere]/0  [anywhere]/0
ufw-before-forward          all  --  [anywhere]/0  [anywhere]/0
ufw-after-forward           all  --  [anywhere]/0  [anywhere]/0
ufw-after-logging-forward   all  --  [anywhere]/0  [anywhere]/0
ufw-reject-forward          all  --  [anywhere]/0  [anywhere]/0
ufw-track-forward           all  --  [anywhere]/0  [anywhere]/0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
ufw-before-logging-output  all  --  [anywhere]/0  [anywhere]/0
ufw-before-output          all  --  [anywhere]/0  [anywhere]/0
ufw-after-output           all  --  [anywhere]/0  [anywhere]/0
ufw-after-logging-output   all  --  [anywhere]/0  [anywhere]/0
ufw-reject-output          all  --  [anywhere]/0  [anywhere]/0
ufw-track-output           all  --  [anywhere]/0  [anywhere]/0

Chain ufw-after-forward (1 references)
target     prot opt source               destination

Chain ufw-after-input (1 references)
target     prot opt source               destination
ufw-skip-to-policy-input  udp  --  [anywhere]/0  [anywhere]/0  udp dpt:137
ufw-skip-to-policy-input  udp  --  [anywhere]/0  [anywhere]/0  udp dpt:138
ufw-skip-to-policy-input  tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:139
ufw-skip-to-policy-input  tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:445
ufw-skip-to-policy-input  udp  --  [anywhere]/0  [anywhere]/0  udp dpt:67
ufw-skip-to-policy-input  udp  --  [anywhere]/0  [anywhere]/0  udp dpt:68
ufw-skip-to-policy-input  all  --  [anywhere]/0  [anywhere]/0  ADDRTYPE match dst-type BROADCAST

Chain ufw-after-logging-forward (1 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0  [anywhere]/0  limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-input (1 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0  [anywhere]/0  limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-after-logging-output (1 references)
target     prot opt source               destination

Chain ufw-after-output (1 references)
target     prot opt source               destination

Chain ufw-before-forward (1 references)
target     prot opt source               destination
ACCEPT     all   --  [anywhere]/0  [anywhere]/0  ctstate RELATED,ESTABLISHED
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 3
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 11
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 12
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 8
ufw-user-forward  all  --  [anywhere]/0  [anywhere]/0

Chain ufw-before-input (1 references)
target     prot opt source               destination
ACCEPT     all   --  [anywhere]/0  [anywhere]/0
ACCEPT     all   --  [anywhere]/0  [anywhere]/0  ctstate RELATED,ESTABLISHED
ufw-logging-deny  all  --  [anywhere]/0  [anywhere]/0  ctstate INVALID
DROP       all   --  [anywhere]/0  [anywhere]/0  ctstate INVALID
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 3
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 11
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 12
ACCEPT     icmp  --  [anywhere]/0  [anywhere]/0  icmptype 8
ACCEPT     udp   --  [anywhere]/0  [anywhere]/0  udp spt:67 dpt:68
ufw-not-local  all  --  [anywhere]/0  [anywhere]/0
ACCEPT     udp   --  [anywhere]/0  ***.***.***.***  udp dpt:5353
ACCEPT     udp   --  [anywhere]/0  ***.***.***.***  udp dpt:1900
ufw-user-input  all  --  [anywhere]/0  [anywhere]/0

Chain ufw-before-logging-forward (1 references)
target     prot opt source               destination

Chain ufw-before-logging-input (1 references)
target     prot opt source               destination

Chain ufw-before-logging-output (1 references)
target     prot opt source               destination

Chain ufw-before-output (1 references)
target     prot opt source               destination
ACCEPT     all  --  [anywhere]/0  [anywhere]/0
ACCEPT     all  --  [anywhere]/0  [anywhere]/0  ctstate RELATED,ESTABLISHED
ufw-user-output  all  --  [anywhere]/0  [anywhere]/0

Chain ufw-logging-allow (0 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0  [anywhere]/0  limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW ALLOW] "

Chain ufw-logging-deny (2 references)
target     prot opt source               destination
RETURN     all  --  [anywhere]/0  [anywhere]/0  ctstate INVALID limit: avg 3/min burst 10
LOG        all  --  [anywhere]/0  [anywhere]/0  limit: avg 3/min burst 10 LOG flags 0 level 4 prefix "[UFW BLOCK] "

Chain ufw-not-local (1 references)
target     prot opt source               destination
RETURN     all  --  [anywhere]/0  [anywhere]/0  ADDRTYPE match dst-type LOCAL
RETURN     all  --  [anywhere]/0  [anywhere]/0  ADDRTYPE match dst-type MULTICAST
RETURN     all  --  [anywhere]/0  [anywhere]/0  ADDRTYPE match dst-type BROADCAST
ufw-logging-deny  all  --  [anywhere]/0  [anywhere]/0  limit: avg 3/min burst 10
DROP       all  --  [anywhere]/0  [anywhere]/0

Chain ufw-reject-forward (1 references)
target     prot opt source               destination

Chain ufw-reject-input (1 references)
target     prot opt source               destination

Chain ufw-reject-output (1 references)
target     prot opt source               destination

Chain ufw-skip-to-policy-forward (0 references)
target     prot opt source               destination
DROP       all  --  [anywhere]/0  [anywhere]/0

Chain ufw-skip-to-policy-input (7 references)
target     prot opt source               destination
DROP       all  --  [anywhere]/0  [anywhere]/0

Chain ufw-skip-to-policy-output (0 references)
target     prot opt source               destination
ACCEPT     all  --  [anywhere]/0  [anywhere]/0

Chain ufw-track-forward (1 references)
target     prot opt source               destination

Chain ufw-track-input (1 references)
target     prot opt source               destination

Chain ufw-track-output (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  ctstate NEW
ACCEPT     udp  --  [anywhere]/0  [anywhere]/0  ctstate NEW

Chain ufw-user-forward (1 references)
target     prot opt source               destination

Chain ufw-user-input (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:20
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:21
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:22
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:25
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:53
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:80
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:110
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:143
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:443
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:465
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:587
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:993
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:995
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:3306
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:4190
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:8080
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  tcp dpt:8081
ACCEPT     tcp  --  [anywhere]/0  [anywhere]/0  multiport dports 40110:40210
ACCEPT     udp  --  [anywhere]/0  [anywhere]/0  udp dpt:53

Chain ufw-user-limit (0 references)
target     prot opt source               destination
LOG        all  --  [anywhere]/0  [anywhere]/0  limit: avg 3/min burst 5 LOG flags 0 level 4 prefix "[UFW LIMIT BLOCK] "
REJECT     all  --  [anywhere]/0  [anywhere]/0  reject-with icmp-port-unreachable

Chain ufw-user-limit-accept (0 references)
target     prot opt source               destination
ACCEPT     all  --  [anywhere]/0  [anywhere]/0

Chain ufw-user-logging-forward (0 references)
target     prot opt source               destination

Chain ufw-user-logging-input (0 references)
target     prot opt source               destination

Chain ufw-user-logging-output (0 references)
target     prot opt source               destination

Chain ufw-user-output (1 references)
target     prot opt source               destination

##### LET'S ENCRYPT #####
[WARN] You have both certbot and acme.sh installed. This can lead to problems.
Certbot: /usr/bin/letsencrypt
acme.sh: /root/.acme.sh/acme.sh
I am not sure how to repair the certificate system easily. Do you know which client was installed first, or which is actually in use now? Try reading the log files of both certbot and acme.sh and see if one of them has no recent entries. The laborious way is to uninstall both LE clients, purge the certificates they have created, then install one of them back, create the certificate in the ISPConfig panel, and let ispconfig_update.sh create the certificate for the system.
I won't remove certbot just yet; first, try to check which LE client is used for which certs. Does the mail server host websites as well?
The event that almost certainly caused the issue was a glitch in a server migration using the migration tool. The previous server was using certbot and the new server (ISPConfig 3.2) uses acme. There was some discussion at the time that this might cause cert problems.

The server is an email server and web server that hosts 23 websites and serves email for 24 domains, plus 4 domains hosted elsewhere. Email clients show the email server mail.domain.org as having an outdated certificate. However, https://mail.domain.org as a website has a current certificate, as do smtp.domain.org and imap.domain.org.

The majority of the websites appear to be running via acme. The directory /root/acme.sh/ has 27 domains and also includes all the certbot ones at /etc/letsencrypt/, including mail.domain.org plus imap.domain.org and smtp.domain.org. /root/.acme.sh/mail.domain.org shows the certificate updated, but email clients show the certificate expiry of mail.domain.org as 1 Mar 2023.

Could it be that Dovecot and Postfix are pointing to an old cert? If so, what steps to change it? Or is it better to reconfigure certbot/letsencrypt? And how?
Then your issue is a bit different: the cert gets updated correctly, but in the wrong location. Please follow this guide from the chapter "Replacing the certificate ...": https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
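The two checks the replies above ask for, finding out which ACME client is actually present and whether Postfix, Dovecot and ISPConfig itself are serving the file that acme.sh renews or a stale copy, can be scripted. The POSIX shell script below is an added example, not code from this thread, from ISPConfig or from the linked guide. It assumes openssl, postconf and doveconf are on PATH, Dovecot 2.3 setting names, and the usual ISPConfig panel certificate path /usr/local/ispconfig/interface/ssl/ispserver.crt; that path and the default acme.sh home /root/.acme.sh are assumptions, not something the thread states. The symptom from the thread, a current cert on https://mail.domain.org but an expired one on the mail ports, shows up as different SHA-256 fingerprints between daemons, or between a file and the live port.

```shell
#!/bin/sh
# Added example, not from the thread or from ISPConfig: compare the certificate
# each daemon is configured with against what acme.sh/certbot actually renew.
# Assumptions: openssl, postconf and doveconf on PATH; Dovecot 2.3 setting
# names; ISPConfig's own cert at /usr/local/ispconfig/interface/ssl/ispserver.crt
# (a typical default, assumed here, not taken from the thread).

# SHA-256 fingerprint of a PEM certificate file (empty output on failure).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# notAfter of a PEM certificate file.
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate 2>/dev/null | sed 's/^notAfter=//'
}

# Succeeds (returns 0) when the certificate has expired or will expire
# within $2 seconds; openssl's -checkend succeeds in the opposite case.
cert_expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Which ACME clients are present. Both at once is what the common-issues
# script warns about: each may believe it owns renewal.
acme_clients() {
    found=""
    command -v certbot >/dev/null 2>&1 && found="$found certbot"
    [ -x "${ACME_HOME:-/root/.acme.sh}/acme.sh" ] && found="$found acme.sh"
    echo "${found# }"
}

# Certificate file a daemon is configured to serve.
# Dovecot stores the value as "</path" (read-from-file marker), so strip the "<".
daemon_cert_path() {
    case "$1" in
        postfix)   postconf -h smtpd_tls_cert_file 2>/dev/null ;;
        dovecot)   doveconf -h ssl_cert 2>/dev/null | sed 's/^<//' ;;
        ispconfig) echo /usr/local/ispconfig/interface/ssl/ispserver.crt ;;
        *)         return 1 ;;
    esac
}

# Per daemon: configured path, what it resolves to (a symlink into the
# acme.sh or certbot directory is the healthy case), expiry, fingerprint.
# Two daemons with different fingerprints means one serves a copy nothing renews.
report() {
    for svc in postfix dovecot ispconfig; do
        p=$(daemon_cert_path "$svc")
        if [ -z "$p" ]; then echo "$svc: no certificate path configured"; continue; fi
        if [ ! -r "$p" ]; then echo "$svc: $p is not readable"; continue; fi
        echo "$svc: $p -> $(readlink -f "$p")"
        echo "    notAfter: $(cert_enddate "$p")"
        echo "    sha256:   $(cert_fingerprint "$p")"
        if cert_expires_within "$p" $((30 * 86400)); then
            echo "    WARNING: expired or expiring within 30 days"
        fi
    done
}

# Fingerprint of the certificate actually presented on a live port, which is
# what Thunderbird sees. Pass smtp/imap/pop3 as $3 for the STARTTLS ports.
live_fingerprint() {
    host=$1; port=$2; proto=${3:-}
    set -- -connect "$host:$port" -servername "$host"
    [ -n "$proto" ] && set -- "$@" -starttls "$proto"
    printf '' | openssl s_client "$@" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Usage:  sh certcheck.sh report
#         sh certcheck.sh live mail.example.org
case "${1:-}" in
    report)
        echo "ACME clients found: $(acme_clients)"
        report ;;
    live)
        for spec in 443 993 995 465 587:smtp 143:imap 110:pop3; do
            port=${spec%%:*}; proto=${spec#"$port"}; proto=${proto#:}
            echo "$2:$port  $(live_fingerprint "$2" "$port" "$proto")"
        done ;;
esac
```

Run `report` as root on the server, then `live` from any machine: the port whose fingerprint differs from the 443 one is the daemon reading the stale file. Newer Postfix setups may use smtpd_tls_chain_files instead of smtpd_tls_cert_file; adjust the postconf key if the first one comes back empty.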