The best way is to run ispconfig_update.sh --force. If you choose to reconfigure services, the updater will ask if you like to create a new SSL cert.
Ok, but I may hit an error here. Do I need to remove the certificate from /root/.acme.sh/domain.tld/? Code:
[Mi 13. Sep 11:01:08 CEST 2023] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Mi 13. Sep 11:01:08 CEST 2023] ACME_NEW_AUTHZ
[Mi 13. Sep 11:01:08 CEST 2023] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Mi 13. Sep 11:01:08 CEST 2023] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Mi 13. Sep 11:01:08 CEST 2023] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Mi 13. Sep 11:01:08 CEST 2023] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf'
[Mi 13. Sep 11:01:08 CEST 2023] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Mi 13. Sep 11:01:08 CEST 2023] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Mi 13. Sep 11:01:08 CEST 2023] _on_before_issue
[Mi 13. Sep 11:01:08 CEST 2023] _chk_main_domain='panel.domain.tld'
[Mi 13. Sep 11:01:08 CEST 2023] _chk_alt_domains
[Mi 13. Sep 11:01:08 CEST 2023] '/usr/local/ispconfig/interface/acme' does not contain 'no'
[Mi 13. Sep 11:01:08 CEST 2023] Le_LocalAddress
[Mi 13. Sep 11:01:08 CEST 2023] d='panel.domain.tld'
[Mi 13. Sep 11:01:08 CEST 2023] Check for domain='panel.domain.tld'
[Mi 13. Sep 11:01:08 CEST 2023] _currentRoot='/usr/local/ispconfig/interface/acme'
[Mi 13. Sep 11:01:08 CEST 2023] d
[Mi 13. Sep 11:01:08 CEST 2023] '/usr/local/ispconfig/interface/acme' does not contain 'apache'
[Mi 13. Sep 11:01:08 CEST 2023] _saved_account_key_hash='9zPSTqpRDUJ8Mqr2beMmOuY8dvaDD2L8bpJ5JxHoky4='
[Mi 13. Sep 11:01:08 CEST 2023] _saved_account_key_hash is not changed, skip register account.
[Mi 13. Sep 11:01:08 CEST 2023] Read key length:2048
[Mi 13. Sep 11:01:08 CEST 2023] Creating domain key
[Mi 13. Sep 11:01:08 CEST 2023] Using config home:/root/.acme.sh
[Mi 13. Sep 11:01:08 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mi 13. Sep 11:01:08 CEST 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mi 13. Sep 11:01:08 CEST 2023] _ACME_SERVER_PATH='directory'
[Mi 13. Sep 11:01:08 CEST 2023] Domain key exists, do you want to overwrite the key?
[Mi 13. Sep 11:01:08 CEST 2023] Add '--force', and try again.
[Mi 13. Sep 11:01:08 CEST 2023] Create domain key error.
[Mi 13. Sep 11:01:08 CEST 2023] pid
[Mi 13. Sep 11:01:08 CEST 2023] No need to restore nginx, skip.
[Mi 13. Sep 11:01:08 CEST 2023] _clearupdns
[Mi 13. Sep 11:01:08 CEST 2023] dns_entries
[Mi 13. Sep 11:01:08 CEST 2023] skip dns.
[Mi 13. Sep 11:01:08 CEST 2023] _on_issue_err
[Mi 13. Sep 11:01:08 CEST 2023] Please check log file for more details: /var/log/ispconfig/acme.log
[Mi 13. Sep 11:01:08 CEST 2023] _chk_vlist
[Mi 13. Sep 11:01:51 CEST 2023] LE_WORKING_DIR='/root/.acme.sh'
[Mi 13. Sep 11:01:51 CEST 2023] Running cmd: upgrade
[Mi 13. Sep 11:01:51 CEST 2023] Using config home:/root/.acme.sh
[Mi 13. Sep 11:01:51 CEST 2023] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Mi 13. Sep 11:01:51 CEST 2023] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Mi 13. Sep 11:01:51 CEST 2023] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Mi 13. Sep 11:01:51 CEST 2023] _ACME_SERVER_PATH='directory'
[Mi 13. Sep 11:01:51 CEST 2023] GET
[Mi 13. Sep 11:01:51 CEST 2023] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Mi 13. Sep 11:01:51 CEST 2023] timeout=
[Mi 13. Sep 11:01:51 CEST 2023] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Mi 13. Sep 11:01:51 CEST 2023] ret='0'
[Mi 13. Sep 11:01:51 CEST 2023] Already uptodate!
[Mi 13. Sep 11:01:51 CEST 2023] Upgrade success!
[Mi 13. Sep 11:01:51 CEST 2023] LE_WORKING_DIR='/root/.acme.sh'
[Mi 13. Sep 11:01:51 CEST 2023] Running cmd: setdefaultca
[Mi 13. Sep 11:01:51 CEST 2023] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
Never mind, I just moved the whole /root/.acme.sh/domain.tld to a backup and tried again. The issue seems to be something else: Code:
Invalid response from https://panel.domain.tld/.well-known/acme-challenge/i6KqX_JUJ3jVJDpoo3rY0ym2uSjanJuPjw2yidURJhc: 500","status": 403}
Maybe this SSL config is the issue for this? Code:
<VirtualHost *:443>
    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    SSLHonorCipherOrder on
    SSLCipherSuite HIGH:!aNULL:!MD5:!3DES:!CBC
    #SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
    ServerName panel.domain.tld
    ServerAlias www.panel.domain.tld
    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
</VirtualHost>
As far as I know, LE tries to connect to your system on port 80. If you rewrite or proxy connections to the server hostname, it might be necessary to exclude the folder .well-known/ (or, to be more specific, .well-known/acme-challenge/) from being rewritten or proxied. You can test the verification path like this: https://forum.howtoforge.com/threads/a-catch22-letsencrypt-and-ispconfig-install.91115/#post-449305
Well, that might be an issue, and I edited the config. While checking manually with the method you provided, I found that the cause might be this: "HTTP request sent, awaiting response... 301 Moved Permanently". In the 000-default.conf the following is set: Code:
Redirect permanent / https://panel.domain.tld/
Could this be the issue? Sorry, but I'm a bit lost right now.
Yes, this will be the problem. You need to exclude acme directory requests from that redirect. @tbrehm how can we make the acme dir redirect rules take precedence over such redirects?
It was the issue indeed. I've removed it and now I can grab the test file with wget. Now I have to wait an hour anyway, as I hit the LE rate limit. I'll test the config later on.
I don't think that this is possible for manually added redirects. For redirects added by ISPConfig using the redirect tab, the acme path is excluded from the rules.
Can one of you describe how to set this up the "correct" way? So that the panel is exposed on :443 and I don't run into issues with this manual hack again?
Basically as described here: https://stackoverflow.com/questions/3414015/redirect-site-with-htaccess-but-exclude-one-folder So you can e.g. use this in the vhost file instead of your current rule: Code:
RewriteCond %{REQUEST_URI} !^/\.well-known/
RewriteRule (.*) https://panel.domain.tld/$1 [R=301,L]
untested though
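A complete vhost pair that puts the thread's advice together, as an added example that is not from the thread, ISPConfig or acme.sh: the port-80 redirect excludes the challenge path and serves it from the acme.sh webroot shown in the log above (/usr/local/ispconfig/interface/acme), and the port-443 proxy excludes the same path ahead of its catch-all ProxyPass. It assumes mod_rewrite, mod_alias and mod_proxy are enabled and omits the SSLProtocol/cipher/HSTS lines from the posted vhost, which stay as they were.

```apache
# Challenge files written by acme.sh live below the webroot from the log.
# <Directory> inside a vhost only applies to that vhost, so grant once globally.
<Directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge>
    Options None
    AllowOverride None
    Require all granted
</Directory>

# Port 80: answer ACME HTTP-01 challenges from disk, redirect everything else.
<VirtualHost *:80>
    ServerName panel.domain.tld
    ServerAlias www.panel.domain.tld

    Alias /.well-known/acme-challenge/ /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/

    # Replaces "Redirect permanent / https://panel.domain.tld/":
    # same 301 for every path except challenge lookups.
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^ https://panel.domain.tld%{REQUEST_URI} [R=301,L]
</VirtualHost>

# Port 443: same exclusion in front of the proxy, so a challenge request that
# does arrive over HTTPS is served from disk instead of being sent to :8080.
<VirtualHost *:443>
    ServerName panel.domain.tld
    ServerAlias www.panel.domain.tld
    SSLEngine on
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key

    Alias /.well-known/acme-challenge/ /usr/local/ispconfig/interface/acme/.well-known/acme-challenge/

    # Exclusions must come before the catch-all ProxyPass: first match wins.
    ProxyPass /.well-known/acme-challenge/ !

    SSLProxyEngine on
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyVia Off
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
</VirtualHost>
```

After reloading Apache, the same wget check from the thread against http://panel.domain.tld/.well-known/acme-challenge/testfile should return 200 rather than 301.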