messed up a nginx vhost file, how to get ISPCFG3.1 to recreate it from scratch?

Discussion in 'General' started by Ovidiu, Jan 22, 2017.

  1. Ovidiu

    Ovidiu Active Member

    After many, many trials and errors with letsencrypt I managed to delete the letsencrypt certs for one site, then messed up my vhost. It seems letsencrypt now created a new certificate, but no matter if I check/uncheck the letsencrypt box in the ISPCFG panel the vhost file stays the same. I mean there is no trace of anything HTTPS related in the vhost file, although its timestamp changed every time I save the site's configuration inside ISPCFG3.

    Any clues? I want ISPCFG3 to generate the vhost file WITH HTTPS - even if I remove the vhost file, then go to ISPCFG3, edit the site and save, the newly generated vhost file still has no https active even though ISPCFG3 shows it's checked for this site.
     
  2. Ovidiu

    Ovidiu Active Member

    I'm getting closer. I copied the vhost.err to the vhost file, then tried an nginx -t to see what's wrong.
    Code:
    nginx -t
    nginx: [emerg] BIO_new_file("/var/www/clients/client10/web39/ssl/intramed.sa.com.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/www/clients/client10/web39/ssl/intramed.sa.com.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
    nginx: configuration file /etc/nginx/nginx.conf test failed
    which is very weird; it should not be looking for intramed.sa.com.crt, the file name differs:
    Code:
    ls -al /var/www/clients/client10/web39/ssl/
    total 8
    drwxr-xr-x 2 root root 4096 Jan 22 23:01 .
    drwxr-xr-x 8 root root 4096 Apr 17  2013 ..
    lrwxrwxrwx 1 root root   51 Jan 22 22:38 intramed.sa.com-le.crt -> /etc/letsencrypt/live/intramed.sa.com/fullchain.pem
    lrwxrwxrwx 1 root root   49 Jan 22 22:38 intramed.sa.com-le.key -> /etc/letsencrypt/live/intramed.sa.com/privkey.pem
    the links are working:
    Code:
    ls -al /etc/letsencrypt/live/intramed.sa.com/
    total 8
    drwxr-xr-x 2 root root 4096 Jan 22 22:30 .
    drwx------ 7 root root 4096 Jan 22 22:48 ..
    lrwxrwxrwx 1 root root   39 Jan 22 22:30 cert.pem -> ../../archive/intramed.sa.com/cert1.pem
    lrwxrwxrwx 1 root root   40 Jan 22 22:30 chain.pem -> ../../archive/intramed.sa.com/chain1.pem
    lrwxrwxrwx 1 root root   44 Jan 22 22:30 fullchain.pem -> ../../archive/intramed.sa.com/fullchain1.pem
    lrwxrwxrwx 1 root root   42 Jan 22 22:30 privkey.pem -> ../../archive/intramed.sa.com/privkey1.pem
    no idea why nginx is complaining:
    Code:
    ls -al /etc/letsencrypt/archive/intramed.sa.com/
    total 16
    drwxr-xr-x 2 root root 4096 Jan 22 22:30 .
    drwx------ 8 root root 4096 Jan 22 22:48 ..
    -rw-r--r-- 1 root root 2256 Jan 22 22:30 cert1.pem
    -rw-r--r-- 1 root root 1647 Jan 22 22:30 chain1.pem
    -rw-r--r-- 1 root root    0 Jan 22 23:00 fullchain1.pem
    -rw-r--r-- 1 root root    0 Jan 22 23:00 privkey1.pem
    Yes I see that fullchain1.pem and privkey1.pem are empty. Why and how to fix?
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Check the letsencrypt log.
     
  4. Ovidiu

    Ovidiu Active Member

    Not much in there I could make sense of, except saying that I run an old version of letsencrypt, so I installed letsencrypt again according to: https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt

    after running ./certbot-auto I now see:
    Code:
    /opt/certbot# ./certbot-auto
    Creating virtual environment...
    Installing Python packages...
    Installation succeeded.
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Failed to find apache2ctl in PATH: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
    Certbot doesn't know how to automatically configure the web server on this system. However, it can still get a certificate for you. Please run "certbot-auto certonly" to do so. You'll need to manually configure your web server to use the resulting certificate.
    Basically the question is how to "reset" a vhost to some sensible defaults and start over with its letsencrypt configuration? It works for most sites I host, I just managed to mess up this one.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Certbot shall not configure any config files itself, so the message that it can not do it is ok. You can try to disable LE in the website, then rename the folder
    /etc/letsencrypt/live/intramed.sa.com and then enable LE again in the website.
     
  6. Ovidiu

    Ovidiu Active Member

    With SSL+LE enabled:
    Code:
    ls -al | grep intra
    -rw-r--r-- 1 root root 5133 Jan 22 22:39 intramed.sa.com.vhost
    -rw-r--r-- 1 root root 5863 Jan 22 22:39 intramed.sa.com.vhost.err
    If I do a diff, the .err one has SSL activated and redirects http to https.

    Deactivating SSL+LE via ISPCFG3, the vhost files look like this:
    Code:
    ls -al | grep intra
    -rw-r--r-- 1 root root 5133 Jan 24 21:40 intramed.sa.com.vhost
    -rw-r--r-- 1 root root 5863 Jan 22 22:39 intramed.sa.com.vhost.err
    Activating SSL+LE again in ISPCFG3, and my vhosts look like this:
    Code:
    ls -al | grep intra
    -rw-r--r-- 1 root root 5133 Jan 24 21:43 intramed.sa.com.vhost
    -rw-r--r-- 1 root root 5863 Jan 22 22:39 intramed.sa.com.vhost.err
    and still no SSL inside the vhost file, only inside the .err one.

    Code:
    ls -al /etc/letsencrypt/archive/intramed.sa.com/
    total 16
    drwxr-xr-x 2 root root 4096 Jan 22 22:30 .
    drwx------ 9 root root 4096 Jan 24 21:43 ..
    -rw-r--r-- 1 root root 2256 Jan 22 22:30 cert1.pem
    -rw-r--r-- 1 root root 1647 Jan 22 22:30 chain1.pem
    -rw-r--r-- 1 root root    0 Jan 22 23:00 fullchain1.pem
    -rw-r--r-- 1 root root    0 Jan 22 23:00 privkey1.pem
    Then inside the LE log I see what looks like errors:
    Code:
    2017-01-24 20:43:06,864:DEBUG:certbot.cert_manager:Renewal conf file /etc/letsencrypt/renewal/intramed.sa.com.conf is broken. Skipping.
    2017-01-24 20:43:06,864:DEBUG:certbot.cert_manager:Traceback was:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/cert_manager.py", line 247, in _search_lineages
        candidate_lineage = storage.RenewableCert(renewal_file, cli_config)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/storage.py", line 392, in __init__
        self._check_symlinks()
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/certbot/storage.py", line 431, in _check_symlinks
        "expected {0} to be a symlink".format(link))
    CertStorageError: expected /etc/letsencrypt/live/intramed.sa.com/cert.pem to be a symlink
    
    2017-01-24 20:43:06,898:INFO:certbot.main:Obtaining a new certificate
    2017-01-24 20:43:06,898:DEBUG:root:Requesting fresh nonce
    2017-01-24 20:43:06,898:DEBUG:root:Sending HEAD request to https://acme-v01.api.letsencrypt.org/acme/new-authz.
    2017-01-24 20:43:07,084:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "HEAD /acme/new-authz HTTP/1.1" 405 0
    2017-01-24 20:43:07,085:DEBUG:acme.client:Received response:
    HTTP 405
    Server: nginx
    Content-Type: application/problem+json
    Content-Length: 91
    Allow: POST
    Boulder-Request-Id: mrphV9HKz2ZILOTVi8bXhHZhdMIBRfcfB9OZOFeyhGY
    Replay-Nonce: TtG4jnC2KiaD3lF-vDewCvHfbQmIFMa00P3Nkdt8lBA
    Expires: Tue, 24 Jan 2017 20:43:07 GMT
    Cache-Control: max-age=0, no-cache, no-store
    Pragma: no-cache
    Date: Tue, 24 Jan 2017 20:43:07 GMT
    Connection: keep-alive
    
    
    2017-01-24 20:43:07,085:DEBUG:acme.client:Storing nonce: TtG4jnC2KiaD3lF-vDewCvHfbQmIFMa00P3Nkdt8lBA
    2017-01-24 20:43:07,085:DEBUG:acme.client:JWS payload:
    {
      "identifier": {
        "type": "dns",
        "value": "intramed.sa.com"
      },
      "resource": "new-authz"
    }
    2017-01-24 20:43:07,097:DEBUG:root:Sending POST request to https://acme-v01.api.letsencrypt.org/acme/new-authz:
    2017-01-24 20:43:07,345:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "POST /acme/new-authz HTTP/1.1" 201 1454
    2017-01-24 20:43:07,346:DEBUG:acme.client:Received response:
    HTTP 201
    Server: nginx
    Content-Type: application/json
    Content-Length: 1454
    Boulder-Request-Id: VB9Wht0a-LV7mpCYc29zhO5O0exv9c4Xetkaz2dhQt8
    Boulder-Requester: 5657401
    Link: <https://acme-v01.api.letsencrypt.org/acme/new-cert>;rel="next"
    Location: https://acme-v01.api.letsencrypt.org/acme/authz/CrkOfwlZ6LHuXo_ygk_cfAmkzCvQxbO6uI-qwOJxGTs
    
    lots of other stuff
    
    2017-01-24 20:43:15,806:DEBUG:certbot.storage:Writing new config /etc/letsencrypt/renewal/intramed.sa.com-0001.conf.
    2017-01-24 20:43:15,807:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/intramed.sa.com-0001/fullchain.pem. Your cert will expire on 2017-04-24. To obtain a new or tweaked version of this certificate in the future, simply run letsencrypt-auto again. To non-interactively renew *all* of your certificates, run "letsencrypt-auto renew"
    2017-01-24 20:43:15,807:DEBUG:certbot.reporter:Reporting to user: If you like Certbot, please consider supporting our work by:
    
    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
    Donating to EFF:                    https://eff.org/donate-le
    
    So it seems to have succeeded, but I have 2 problems:
    - the 0 byte files mentioned earlier
    - the inability to activate SSL+LE, as it's never written to the vhost file
     
  7. Ovidiu

    Ovidiu Active Member

    The problem resolved itself almost entirely with the update to the latest ISPCFG 3.1.2 version. There were a few issues with domains which had alias domains and/or subdomains defined. I removed those as they were no longer needed and things worked out.
     
  8. Ovidiu

    Ovidiu Active Member

    Sorry, I forgot to actually mention that ISPCFG3 seems to make a small mistake when it comes to alias domains in its vhost files.

    It links the alias domains to domain.tld.crt and domain.tld.key, while the actual domain points to domain.tld-le.crt and domain.tld-le.key.
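The three failure modes in this thread (a live/ entry that is a regular file instead of a symlink, which makes certbot skip the lineage as "broken"; a symlink whose target is a 0-byte file; and a vhost that references a .crt/.key name that does not exist on disk) can all be caught with a quick filesystem check before nginx is reloaded. The following script is an added example, not code from the thread, from ISPConfig or from certbot. It assumes the standard certbot layout of /etc/letsencrypt/live/<name>/ symlinks pointing into /etc/letsencrypt/archive/<name>/; make_fixture builds a constructed copy of that layout so the checks can be run offline.

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or certbot).
# check_le_lineage: each of cert/chain/fullchain/privkey.pem in live/<name>/
#   must be a symlink (otherwise certbot reports "expected ... to be a
#   symlink"), must resolve (otherwise nginx fails with BIO_new_file ...
#   No such file), and must be non-empty (the 0-byte fullchain1.pem case).
# check_vhost_cert_paths: each ssl_certificate / ssl_certificate_key value in
#   an nginx vhost must be a non-empty file (catches a vhost pointing at
#   domain.tld.crt when only domain.tld-le.crt exists).

check_le_lineage() {
    live_dir="$1"   # e.g. /etc/letsencrypt/live/<name> (standard certbot layout)
    rc=0
    for f in cert.pem chain.pem fullchain.pem privkey.pem; do
        p="$live_dir/$f"
        if [ ! -L "$p" ]; then
            echo "NOT A SYMLINK: $p"
            rc=1
        elif [ ! -e "$p" ]; then
            echo "DANGLING LINK: $p -> $(readlink "$p")"
            rc=1
        elif [ ! -s "$p" ]; then
            echo "EMPTY TARGET: $p -> $(readlink "$p")"
            rc=1
        fi
    done
    return "$rc"
}

check_vhost_cert_paths() {
    vhost="$1"
    rc=0
    # POSIX sed: print the value of every ssl_certificate* directive (up to the ';')
    for p in $(sed -n 's/^[[:space:]]*ssl_certificate[_a-z]*[[:space:]]*\([^;]*\);.*/\1/p' "$vhost"); do
        if [ ! -s "$p" ]; then
            echo "MISSING OR EMPTY CERT FILE: $p (referenced in $vhost)"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed test fixture mimicking certbot's archive/ + live/ layout. With
# break_it=yes it reproduces the thread's defects: a 0-byte fullchain target
# and a cert.pem that is a plain file instead of a symlink.
make_fixture() {
    root="$1"; name="$2"; break_it="$3"
    mkdir -p "$root/archive/$name" "$root/live/$name"
    for f in cert chain fullchain privkey; do
        printf 'constructed dummy %s\n' "$f" > "$root/archive/$name/${f}1.pem"
        ln -s "../../archive/$name/${f}1.pem" "$root/live/$name/$f.pem"
    done
    if [ "$break_it" = "yes" ]; then
        : > "$root/archive/$name/fullchain1.pem"
        rm "$root/live/$name/cert.pem"
        cp "$root/archive/$name/cert1.pem" "$root/live/$name/cert.pem"
    fi
}

# Usage: sh le_check.sh /etc/letsencrypt/live/<name> [/path/to/<name>.vhost]
if [ "$#" -gt 0 ]; then
    status=0
    check_le_lineage "$1" || status=1
    if [ -n "${2:-}" ]; then
        check_vhost_cert_paths "$2" || status=1
    fi
    exit "$status"
fi
```

Run it against the real live/ directory and the vhost ISPConfig generated; a non-zero exit with one line per problem tells you which of the three conditions nginx -t or certbot is going to complain about, so the lineage can be removed and re-issued (as suggested earlier in the thread) before touching the vhost again.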
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

  10. Ovidiu

    Ovidiu Active Member

    Exactly! Thanks for taking notice.
     
