Letsencrypt two accounts mess

Discussion in 'Server Operation' started by zyzzza, Apr 25, 2024.

  1. zyzzza

    zyzzza Member

    Somehow i got 2 acocunt for letsencrypt v01 (since 2019) and v02 (since December).
    if i try to add new domain, it fails with problem of choosing the proper one. However old domains would work for reissue.
    if i remove v01 folder from /etc/letsencrypt/accounts, i can validate NEW domains, but old domains wont reissue .
    Is there any way i can clean this mess and make ALL domains use one same account ?

  2. pyte

    pyte Well-Known Member HowtoForge Supporter

    Should be possible to force a reissue with certbot and specify the server. That way you can migrate the old v1 to v2 and going forward only have v2. Something like this should work depending on the setup:

    certbot renew --apache --agree-tos --force-renewal --server https://acme-v02.api.letsencrypt.org/directory
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The above is ok; you can have v1 and v2 together, that's not two accounts but one account available as v1 and v2. Check inside the v1 and v2 folders; most likely, you have two accounts in one of them.
    ahrasis and pyte like this.
  4. zyzzza

    zyzzza Member

    Indeed , v02 has one true account and one symlink to v01 . So, should i remove symlink, run update command @pyte suggested, and then remove v01 totaly ?

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, you must remove one of the accounts. If you remove the symlink or the other one, it does not matter much. I would decide this based on each account's number of certs and remove the one with the least certs as it's the least amount of work to switch over the certs.
  6. zyzzza

    zyzzza Member

    Thanks a lot ! Seems like things worked perfectly - certificates renewed. However one domain still has problem - its the same domain as used as a hostname for server . There is a WEBSITE entry with same domain created (not sure why this was done, as this is quite an old server, but it is empty web) and same domain is used as ISPCONFIG conneciton url . and probably thats why it does not updates. Should i remove it from WEBSITES, and somehow update ISPCONFIG 8080 certificate ?

  7. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Before ISPconfig had the very good certbot integration for the panel itself, it was an easy hack to have a website with the same hostname to obtain the certificate.
    I think it _should_ be fine to delete it if it does not have any purpose anymore. But maybe wait for till if I missed something.

    It is the same name, but a different config and port
  8. zyzzza

    zyzzza Member

    OK, deleted it from the websites, as i had no purpose . However , question is - how do i check ISPconfig will be reissued by letencrypt on 8080 port ?
  9. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    acme.sh --list
    should show you a cert for your hostname, still
    your /etc/apache2/sites-enabled/000-ispconfig.vhost is probably set to
    should be found - and a pre and post one.

    crontab -l
    38 18 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    * * * * * /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    * * * * * /usr/local/ispconfig/server/cron.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
    As far as I know the cronjob should do its job.
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I would run ispconfig force update again and choose creating LE ssl certs during the process as the acme.sh install command should then copy the certs to ISPConfig ssl folder and set the renewal path in its conf file to this folder again. This is because via creating the website and asking LE certs for it earlier, you already set the renewal of the certs path to that website ssl folder and it will still be it until another acme.sh install command to other path is issued. This can be verified by reading the renewal conf file. Simply deleting the website won't change this renewal path.
    Last edited: Apr 26, 2024
    ztk.me likes this.

Share This Page