After many, many trials and errors with letsencrypt I managed to delete the letsencrypt certs for one site, then messed up my vhost. It seems letsencrypt has now created a new certificate, but no matter if I check/uncheck the letsencrypt box in the ISPCFG panel the vhost file stays the same. I mean there is no trace of anything HTTPS related in the vhost file, although its timestamp changes every time I save the site's configuration inside ISPCFG3. Any clues? I want ISPCFG3 to generate the vhost file WITH HTTPS. Even if I remove the vhost file, then go to ISPCFG3, edit the site and save, the newly generated vhost file still has no HTTPS active even though ISPCFG3 shows it as checked for this site.
I'm getting closer. I copied the vhost.err to the vhost file and tried nginx -t to see what's wrong.

Code:
nginx -t
nginx: [emerg] BIO_new_file("/var/www/clients/client10/web39/ssl/intramed.sa.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/www/clients/client10/web39/ssl/intramed.sa.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

which is very weird, it should not be looking for intramed.sa.com.crt; the file name differs:

Code:
ls -al /var/www/clients/client10/web39/ssl/
total 8
drwxr-xr-x 2 root root 4096 Jan 22 23:01 .
drwxr-xr-x 8 root root 4096 Apr 17  2013 ..
lrwxrwxrwx 1 root root   51 Jan 22 22:38 intramed.sa.com-le.crt -> /etc/letsencrypt/live/intramed.sa.com/fullchain.pem
lrwxrwxrwx 1 root root   49 Jan 22 22:38 intramed.sa.com-le.key -> /etc/letsencrypt/live/intramed.sa.com/privkey.pem

The links are working:

Code:
ls -al /etc/letsencrypt/live/intramed.sa.com/
total 8
drwxr-xr-x 2 root root 4096 Jan 22 22:30 .
drwx------ 7 root root 4096 Jan 22 22:48 ..
lrwxrwxrwx 1 root root   39 Jan 22 22:30 cert.pem -> ../../archive/intramed.sa.com/cert1.pem
lrwxrwxrwx 1 root root   40 Jan 22 22:30 chain.pem -> ../../archive/intramed.sa.com/chain1.pem
lrwxrwxrwx 1 root root   44 Jan 22 22:30 fullchain.pem -> ../../archive/intramed.sa.com/fullchain1.pem
lrwxrwxrwx 1 root root   42 Jan 22 22:30 privkey.pem -> ../../archive/intramed.sa.com/privkey1.pem

No idea why nginx is complaining:

Code:
ls -al /etc/letsencrypt/archive/intramed.sa.com/
total 16
drwxr-xr-x 2 root root 4096 Jan 22 22:30 .
drwx------ 8 root root 4096 Jan 22 22:48 ..
-rw-r--r-- 1 root root 2256 Jan 22 22:30 cert1.pem
-rw-r--r-- 1 root root 1647 Jan 22 22:30 chain1.pem
-rw-r--r-- 1 root root    0 Jan 22 23:00 fullchain1.pem
-rw-r--r-- 1 root root    0 Jan 22 23:00 privkey1.pem

Yes, I see that fullchain1.pem and privkey1.pem are empty. Why, and how to fix?
Not much in there I could make sense of, except that I run an old version of letsencrypt, so I installed letsencrypt again according to: https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt

After running ./certbot-auto I now see:

Code:
/opt/certbot# ./certbot-auto
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find apache2ctl in PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.

Basically the question is how to "reset" a vhost to some sensible defaults and start over with its letsencrypt configuration? It works for most sites I host, I just managed to mess up this one.
Certbot shall not configure any config files itself, so the message that it cannot do it is OK. You can try to disable LE in the website, then rename the folder /etc/letsencrypt/live/intramed.sa.com and then enable LE again in the website.
With SSL+LE enabled:

Code:
ls -al | grep intra
-rw-r--r-- 1 root root 5133 Jan 22 22:39 intramed.sa.com.vhost
-rw-r--r-- 1 root root 5863 Jan 22 22:39 intramed.sa.com.vhost.err

If I do a diff, the .err one has SSL activated and redirects http to https. Deactivating SSL+LE via ISPCFG3, the vhost files look like this:

Code:
ls -al | grep intra
-rw-r--r-- 1 root root 5133 Jan 24 21:40 intramed.sa.com.vhost
-rw-r--r-- 1 root root 5863 Jan 22 22:39 intramed.sa.com.vhost.err

Activating SSL+LE again in ISPCFG3, and my vhosts look like this:

Code:
ls -al | grep intra
-rw-r--r-- 1 root root 5133 Jan 24 21:43 intramed.sa.com.vhost
-rw-r--r-- 1 root root 5863 Jan 22 22:39 intramed.sa.com.vhost.err

and still no SSL inside the vhost file, only inside the .err one.

Code:
ls -al /etc/letsencrypt/archive/intramed.sa.com/
total 16
drwxr-xr-x 2 root root 4096 Jan 22 22:30 .
drwx------ 9 root root 4096 Jan 24 21:43 ..
-rw-r--r-- 1 root root 2256 Jan 22 22:30 cert1.pem
-rw-r--r-- 1 root root 1647 Jan 22 22:30 chain1.pem
-rw-r--r-- 1 root root    0 Jan 22 23:00 fullchain1.pem
-rw-r--r-- 1 root root    0 Jan 22 23:00 privkey1.pem

Then inside the LE log I see what looks like errors:

Code:
2017-01-24 20:43:06,864:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/intramed.sa.com.conf is broken. Skipping.
2017-01-24 20:43:06,864:DEBUG:certbot.cert_manager:Traceback was:
Traceback (most recent call last):
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 247, in _search_lineages
    candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/storage.py", line 392, in __init__
    self._check_symlinks()
  File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/storage.py", line 431, in _check_symlinks
    "expected {0} to be a symlink".format(link))
CertStorageError: expected /etc/letsencrypt/live/intramed.sa.com/cert.pem to be a symlink
2017-01-24 20:43:06,898:INFO:certbot.main:Obtaining a new certificate
2017-01-24 20:43:06,898:DEBUG:root:Requesting fresh nonce
2017-01-24 20:43:06,898:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
2017-01-24 20:43:07,084:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
2017-01-24 20:43:07,085:DEBUG:acme.client:Received response:
HTTP 405
Server: nginx
Content-Type: application/problem+json
Content-Length: 91
Allow: POST
Boulder-Request-Id: mrphV9HKz2ZILOTVi8bXhHZhdMIBRfcfB9OZOFeyhGY
Replay-Nonce: TtG4jnC2KiaD3lF-vDewCvHfbQmIFMa00P3Nkdt8lBA
Expires: Tue, 24 Jan 2017 20:43:07 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Tue, 24 Jan 2017 20:43:07 GMT
Connection: keep-alive

2017-01-24 20:43:07,085:DEBUG:acme.client:Storing nonce: TtG4jnC2KiaD3lF-vDewCvHfbQmIFMa00P3Nkdt8lBA
2017-01-24 20:43:07,085:DEBUG:acme.client:JWS payload:
{
  "identifier": {
    "type": "dns",
    "value": "intramed.sa.com"
  },
  "resource": "new-authz"
}
2017-01-24 20:43:07,097:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
2017-01-24 20:43:07,345:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1454
2017-01-24 20:43:07,346:DEBUG:acme.client:Received response:
HTTP 201
Server: nginx
Content-Type: application/json
Content-Length: 1454
Boulder-Request-Id: VB9Wht0a-LV7mpCYc29zhO5O0exv9c4Xetkaz2dhQt8
Boulder-Requester: 5657401
Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
Location: https://acme-v01.api.letsencrypt.org/acme/authz/CrkOfwlZ6LHuXo_ygk_cfAmkzCvQxbO6uI-qwOJxGTs

[lots of other stuff]

2017-01-24 20:43:15,806:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/intramed.sa.com-0001.conf.
2017-01-24 20:43:15,807:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/intramed.sa.com-0001/fullchain.pem. Your cert will expire on 2017-04-24. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"
2017-01-24 20:43:15,807:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by: Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate Donating to EFF: https://eff.org/donate-le

So it seems to have succeeded, but I have 2 problems:
- the 0 byte files mentioned earlier
- the inability to activate SSL+LE, as it's never written to the vhost file
The problem resolved itself almost entirely with the update to the latest ISPCFG 3.1.2 version. There were a few issues with domains which had alias domains and/or subdomains defined. I removed those as they were no longer needed and things worked out.
Sorry, I forgot to actually mention that ISPCFG3 seems to make a small mistake when it comes to alias domains in its vhost files. It links the alias domains to domain.tld.crt and domain.tld.key while the actual domain points to domain.tld-le.crt and domain.tld-le.key.
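Added example, not part of the thread and not ISPConfig's or certbot's own code: a small POSIX sh checker that reproduces the two conditions the posts above ran into. check_le_lineage applies the same rule as certbot's storage._check_symlinks (every file under live/<domain>/ must be a symlink, which is what produced the CertStorageError in the log) and additionally flags dangling links and 0-byte targets like the empty fullchain1.pem/privkey1.pem, including the ISPConfig-style <domain>-le.crt/-le.key links in the site's ssl directory. check_vhost_paths pulls every ssl_certificate and ssl_certificate_key path out of an nginx vhost and verifies it exists and is non-empty, which catches a server block referencing <domain>.crt while only <domain>-le.crt exists on disk. The domain example.test, the temporary directory layout and the sample vhost built by make_sample_tree are constructed for the demo; on a real server point the two check functions at /etc/letsencrypt, the site's /var/www/clients/clientN/webM/ssl directory and its .vhost file.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce certbot's symlink check and
# verify every certificate path an nginx vhost references actually resolves.

# check_le_lineage <letsencrypt_root> <ispconfig_ssl_dir> <domain>
# Every live/<domain>/*.pem must be a symlink (certbot's own rule), must not
# dangle, and must resolve to a non-empty file. Prints one BROKEN line per
# finding and returns 0 only when the lineage is usable.
check_le_lineage() {
    le_root=$1; ssl_dir=$2; domain=$3; rc=0
    live="$le_root/live/$domain"
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live/$f"
        if [ ! -L "$p" ]; then
            echo "BROKEN: expected $p to be a symlink"; rc=1
        elif [ ! -e "$p" ]; then
            echo "BROKEN: $p is a dangling symlink"; rc=1
        elif [ ! -s "$p" ]; then
            echo "BROKEN: $p resolves to a 0-byte file"; rc=1
        fi
    done
    # ISPConfig-style links: <domain>-le.crt -> live/fullchain.pem, <domain>-le.key -> live/privkey.pem
    for f in "$domain-le.crt" "$domain-le.key"; do
        p="$ssl_dir/$f"
        if [ ! -e "$p" ]; then
            echo "BROKEN: $p is missing or dangling"; rc=1
        elif [ ! -s "$p" ]; then
            echo "BROKEN: $p resolves to a 0-byte file"; rc=1
        fi
    done
    return $rc
}

# check_vhost_paths <nginx_vhost_file>
# Extracts ssl_certificate / ssl_certificate_key paths and checks each one
# exists and is non-empty, so a server block pointing at <domain>.crt while
# the files on disk are <domain>-le.crt is reported before nginx -t fails.
check_vhost_paths() {
    vhost=$1; rc=0
    for p in $(awk '$1 == "ssl_certificate" || $1 == "ssl_certificate_key" { sub(/;$/, "", $2); print $2 }' "$vhost"); do
        if [ ! -e "$p" ]; then
            echo "BROKEN: $vhost references $p, which does not exist"; rc=1
        elif [ ! -s "$p" ]; then
            echo "BROKEN: $vhost references $p, which is a 0-byte file"; rc=1
        fi
    done
    return $rc
}

# make_sample_tree: constructed fixture (hypothetical domain example.test) that
# reproduces the thread's symptoms: 0-byte fullchain1.pem/privkey1.pem,
# live/cert.pem as a regular file instead of a symlink, and an alias server
# block referencing example.test.crt instead of example.test-le.crt.
make_sample_tree() {
    root=$(mktemp -d)
    arch="$root/le/archive/example.test"; live="$root/le/live/example.test"; ssl="$root/ssl"
    mkdir -p "$arch" "$live" "$ssl"
    printf 'CERT\n' > "$arch/cert1.pem"
    printf 'CHAIN\n' > "$arch/chain1.pem"
    : > "$arch/fullchain1.pem"
    : > "$arch/privkey1.pem"
    cp "$arch/cert1.pem" "$live/cert.pem"      # regular file: what triggers CertStorageError
    ln -s ../../archive/example.test/chain1.pem "$live/chain.pem"
    ln -s ../../archive/example.test/fullchain1.pem "$live/fullchain.pem"
    ln -s ../../archive/example.test/privkey1.pem "$live/privkey.pem"
    ln -s "$live/fullchain.pem" "$ssl/example.test-le.crt"
    ln -s "$live/privkey.pem" "$ssl/example.test-le.key"
    cat > "$root/example.test.vhost" <<EOF
server {
    listen 443 ssl;
    server_name example.test;
    ssl_certificate $ssl/example.test-le.crt;
    ssl_certificate_key $ssl/example.test-le.key;
}
server {
    listen 443 ssl;
    server_name alias.example.test;
    ssl_certificate $ssl/example.test.crt;
    ssl_certificate_key $ssl/example.test.key;
}
EOF
    echo "$root"
}

# Demo against the constructed tree; on a real box pass /etc/letsencrypt,
# the site's ssl directory and its .vhost file instead.
demo=$(make_sample_tree)
check_le_lineage "$demo/le" "$demo/ssl" example.test || echo "lineage example.test must be recreated"
check_vhost_paths "$demo/example.test.vhost" || echo "vhost $demo/example.test.vhost references unusable files"
```

A lineage that fails check_le_lineage will also be skipped by certbot's renewal run, which is why the log above shows certbot creating a fresh intramed.sa.com-0001 lineage instead of reusing the broken one; the vhost check is the part nginx -t does not do for you until it trips over the first missing file.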