mail.domain.org cert failure - follow on from 'Host Certificate Missing'

Discussion in 'ISPConfig 3 Priority Support' started by tlove, Feb 2, 2025.

  1. tlove

    tlove Member HowtoForge Supporter

    Just got a message that the mail server certificate (mail.domain.org) has expired today on ISPConfig 3.2 on Ubuntu perfect server (22.04).
    This problem follows from the previous 'Host Certificate Missing' thread where the solution was to symlink the certificate for domain.org because I'd earlier created a website for domain.org.
    SSL and Letsencrypt are both ticked for mail.domain.org in ISPConfig.
    The system is using certbot but has acme.sh also installed.
    Please could someone advise me on what I need to do to ensure the letsencrypt certificate for mail.domain.org is created and renewed.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Restart Postfix and Dovecot and check if it works then.
     
  3. tlove

    tlove Member HowtoForge Supporter

    Thank you Till,
    When I posted I was feeling a bit of pressure as the mail server was down (here in Western Australia the day started 12 hours ago) and was in a bit of a panic wondering whether what I would do would screw up ISPConfig.
    I guessed at using sudo certbot certonly --force-renew -d mail.domain.org plus a reboot and it started working.
    My main concern is getting things back in line with the ISPConfig way of doing things.
    Is this all ok or do I need to do something different?
    The reason for getting it back in line with ISPConfig's way of doing things is because this server needs to be migrated soon and the fewer hiccups the better.

     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    My guess is that your cert was renewed but the services were not restarted automatically as you linked them to a different certificate. So this should fix itself when you migrate the system. In general, you should try to avoid having acme.sh and certbot on the same system. So I would say it should be ok for the moment; you just might have to restart postfix, dovecot, and pure-ftpd-mysql manually after cert renewal or automate this in some way by a cronjob or some script that checks when the certificate changes.
     
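One way to script the check described in post 4, added here as an example and not code from the thread or from ISPConfig. The certbot `live/` path, the state file, the script name and the systemd unit names are assumptions; point it at whichever certificate file Postfix and Dovecot actually load.

```shell
#!/bin/sh
# Added example: restart mail/FTP services only when the certificate content changes.
# Assumed, not from the thread: the certbot live/ path, the state file name and the
# systemd unit names used in the cron line at the bottom.

# Print the SHA-256 of the file content. Reading through stdin follows symlinks,
# so a renewal that only repoints live/fullchain.pem is still detected.
cert_digest() {
    sha256sum < "$1" | cut -d' ' -f1
}

# restart_if_cert_changed CERT STATE_FILE COMMAND [ARGS...]
# Returns 0 if nothing changed or COMMAND succeeded, 2 if CERT cannot be hashed,
# 3 if COMMAND failed. The digest is stored only after a successful restart, so a
# failed restart is retried on the next run. The first run always restarts once.
restart_if_cert_changed() {
    cert=$1; state=$2; shift 2
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 2; }
    new=$(cert_digest "$cert")
    [ -n "$new" ] || return 2
    old=$(cat "$state" 2>/dev/null) || old=
    [ "$new" = "$old" ] && return 0
    "$@" || { echo "restart command failed: $*" >&2; return 3; }
    printf '%s\n' "$new" > "$state"
}

# Hypothetical cron entry (daily, as root):
#   17 4 * * * /usr/local/sbin/cert-restart.sh --run /etc/letsencrypt/live/mail.domain.org/fullchain.pem
if [ "${1:-}" = "--run" ]; then
    restart_if_cert_changed "${2:-}" /var/lib/cert-restart.sha256 \
        systemctl restart postfix dovecot pure-ftpd-mysql
fi
```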
  5. tlove

    tlove Member HowtoForge Supporter

    Thanks Till. It looks like the other certificates are renewing ok and that the problem is specific to the host and the mail. subdomain of the host.
    I'll do as you suggest and address it properly when doing the migration in a few weeks.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Are you sure it did not renew? Because you won't be able to see if it renewed unless you restarted the services or as you did, the whole server. My guess is you do not have an issue with cert renewal and just the restart of services is missing. As none of these services will automatically load a new cert unless you restart it.
     
  7. tlove

    tlove Member HowtoForge Supporter

    Ah, I understand. Crossed fingers everything is ok and on next renewal I'll just restart the services. Thanks again.
     
