Migrate Website from older ISPC, now SSL doesn't work - SOLVED

Discussion in 'ISPConfig 3 Priority Support' started by Petar, Sep 27, 2021.

  1. Petar

    Petar Member HowtoForge Supporter

    Dear colleagues,
    I made a migration (with the official tool) from ISPC 3.1.15 to 3.2.6. I disabled the SSL from the transferred website and then enabled it again in hope that it will issue a new LE cert, but no, even if the form stays checked at the website tab, the website cannot be accessed via https.
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What exactly happens when you try to access the website?
    Have you verified the connection goes to the new server?
     
  3. Petar

    Petar Member HowtoForge Supporter

    Yes, because http:// of the transferred websites works.
    https:// of the server:8080 works with its right cert.
    Only the transferred websites cannot get their cert. I guess that the migration tool copies the old way of LE cert through certbot and the new 3.2.5 doesn't bother to change it because it sees it somewhere.
    There was a procedure for this, I guess, but I don't remember where to delete the old SSL, or, I guess, Till was mentioning something about creating symlinks somewhere, something about that...
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Which LE client does the old server use?
    Which LE client does the new server use?
    Did you get a warning about differing LE clients by the migration tool?
    Are the SSL certs for the sites in /etc/letsencrypt on the new server?
    Does the LE checkbox really stick (reopen the site settings after the red dot in the menu disappeared)?
    Look at the vhost file, does it contain the SSL config?
     
  6. Petar

    Petar Member HowtoForge Supporter

    It's an automated install by the latest perfect server autoinstall on Debian 11.
    As I'm trying to resolve the problem, I can see that acme is not creating any file in the website/ssl folder, .acme.sh, nor the well-known folder.

    Which LE client does the old server use?
    A: ISPC 3.1.15p3, so I guess certbot

    Which LE client does the new server use?
    A: Autoinstall ISPC 3.2.5 so acme.sh

    Did you get a warning about differing LE clients by the migration tool?
    A: No

    Are the SSL certs for the sites in /etc/letsencrypt on the new server?
    A: there is no folder etc/lets

    Does the LE checkbox really stick (reopen the site settings after the red dot in the menu disappeared)?
    A: yes, even if I uncheck "skip LE check"

    Look at the vhost file, does it contain the SSL config?
    A: No

    ---------------------------------------------
    IMPORTANT
    I created a new website like 000.server-domain.tld for it to be the new default https first in alphabetical order, so it can catch all unresolved SSL, but even if it says that it's SSL enabled, and the checkmark sticks, no acme.sh subfolder by the domain's name, no /client/web/ssl folder is created and no well-known is created.

    IS THERE a possibility that during migration, the tool transfers some ISPConfig settings also, like type of LE client, or other more serious settings?

    Thanks again upfront for your time and gray cells
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, that's a problem. E.g. the migration guide mentions that you can't migrate between different LE clients.

    You must have got this warning then, at least if you are using a recent version of the tool.

    That's OK in your case, as the migration of LE certs from certbot to acme.sh is not possible.

    Ok, so you got a new LE cert then.

    That's what the tool is doing already, it transfers all information that is needed and useful. But if you install a different software that is incompatible with the software you used on the old server, then there is nothing the migration tool can do. It warns you already in this case and also the migration guide clearly explains that you must have the same LE client installed on both servers if you want to keep your LE certs.

    The main problem is that you are not using the latest ISPConfig version, 3.2.6, which resolved the issue of creating new acme.sh certs already when the former system used certbot. You should always have the target system at latest stable ISPConfig release to avoid issues.
     
  8. Petar

    Petar Member HowtoForge Supporter

    But I am.
    Right after I transferred all the data from the old server, I ispconfig_update -force to the new 3.2.6 and that is when the new certificate for the name (the server name is the same as the old one) was issued from the 5th question, and the server cert is working with no problems at all. I've got completely unusable .acme.sh only for the websites.
    Can I somehow solve this problem for now by reissuing the certs for the domains and subdomains from CLI?
    Then, if I have to, I will install a new blank 3.2.6 and migrate again the websites and mails from the new to the new blank server?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    No. If the SSL folder of the website still contains broken links to certbot certificates, then delete these symlinks. Then go to the website settings, uncheck the let's encrypt checkbox, press save, then check it again, and press save. If this will not activate LE SSL for the site, then follow Let's encrypt error faq step by step to narrow down why LE SSL can't be enabled for the site.
     
  10. Petar

    Petar Member HowtoForge Supporter

    I think that right now .acme.sh is not working and there is no log after 7.30 this morning when the cert for the server was created. How can I ask acme.sh for a debug log, not only activity?
    acme.sh is not a service, I guess, because I cannot find any status or similar.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Please follow the FAQ step by step until you reach the last step. It contains details / link on how to activate debugging in ISPConfig.
     
  12. Petar

    Petar Member HowtoForge Supporter

    OK, here are some errors from ISPC debug, but they don't ring a bell to me...

    27.09.2021-14:16 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    27.09.2021-14:16 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock

    The first one should be some clue, and the second one is, I guess, because of the debug mode...

    ALSO: In the log of the source server I found info about the migration.log:
    "/root/migration/migrate.log.12:2021-09-20 01:22:28 - [WARN] The target server has a different Let'sEncrypt client than this server. We cannot copy over certificates!"

    It's okay not to copy the certs, but shouldn't it let us issue new certs via acme?

    I'll continue to dig into this problem, because I want to transfer 2-3 more servers to this account and probably I will have problems with all of them.
     
  13. Petar

    Petar Member HowtoForge Supporter

    Please for a final advice:
    If we copy emails and website from another server which is using certbot on to a new server with acme.sh, which would be the right procedure?

    Can we use the migrate tool to only copy emails and websites data and databases, but not certificates, and what would be the procedure later to create the certs in acme.sh?
    I have my whole server stuck at the moment for more than 9 hours...

    Thanks in advance
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, this means you did not enable LE for the website as the message just means 'nothing to do'. If you debug a system, then you must actually do what you want to debug. So, go to the website, disable LE, click save, enable LE again, click save, run server.sh and post the result.

    That's what you did.

    Untick let's encrypt, press save, enable it and press save. And if this does not work because there are other issues with your new setup, then follow let's encrypt FAQ to find out what the issues are.

    It's not the Migration tool which does not let you issue certs. Do the debug steps to find out why you can't get certs at the moment.
     
  15. Petar

    Petar Member HowtoForge Supporter

    FINAL RESOLUTION AND TROUBLESHOOT TUTORIAL
    For anybody that has the same or similar problem, it all boils down to many different problems which suggest that the problem is in ISPC somehow, but you're wrong...
    1. First problem: After the migration I didn't know that I should manually uncheck "Server Migration Mode" in System > Server Config > page-down all the way. Acme was not working if it's checked.
    2. Second problem: Even if you check "Skip Lets Encrypt Check" in System > Server Config > Web > SSL Settings, sometimes it tries to do it the web way through .well-known etc...
    3. Third problem: You must be careful with the subdomains and check "Don't add to Let's Encrypt certificate" if it is not in use or hosted somewhere else. In my case one of the subdomains was a local IP in the company, not accessible from outside, and the "Don't add..." was not checked, so because acme was unable to save and check .wellknown there, it refused to issue a cert for the main domain of the website. Once I checked the "Don't add" at the subdomain tab, it all went well.
    4. Fourth problem: Maybe your external NS (Cloudflare in my case) is still pointing to the old server where you are migrating from, so - no cert for you Mr...

    I guess that I have a bunch of other unsolved pieces of this puzzle, but this is at least a good start and solving the main problem: ACCESSIBLE SSL WEBSITES.
    During the troubleshooting, I finally learned and understood how to use the ISPC debug tool server.sh!
    Previously I was just marking the server line at crontab, and then executing server.sh, doing nothing in between, and then the tool would generate and show = NOTHING! (and I had a wrong attitude that everything's alright).

    Quick tut for anybody that doesn't know how to use it, yet:
    • Choose DEBUG in ISPC > System > Server Config > Loglevel
    • You comment the "server" line in crontab -e
    • You do the operation which you are investigating, e.g. create a database, or create a certificate, or a subdomain, or a website or... whatever you would like to do but you have a problem with
    • Run /usr/local/ispconfig/server/server.sh and.... DEBUG DEBUG DEBUG line by line...
    • Don't forget to uncomment the line in crontab after you're done
    • Full tut at: https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/

    MANY THANKS FOR THE SUPPORT from Taleman and the nerves of steel from Till

    All the best
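
Added example, not part of the thread and not ISPConfig code: till's advice in post 9 to delete broken certbot symlinks from a website's SSL folder, written as a small POSIX shell helper that reports them first and deletes only on request. The folder is passed as an argument; the function names and the `--delete` flag are this example's own.

```shell
#!/bin/sh
# Added example: find symlinks in a website's ssl folder whose target is gone,
# e.g. links to certbot files that were not copied during the migration.

# Print "<link> -> <target>" for each dangling symlink directly inside $1.
list_dangling_links() (
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    for link in "$dir"/* "$dir"/.[!.]*; do
        # -L: the path is a symlink; ! -e: what it points to does not exist
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            printf '%s -> %s\n' "$link" "$(readlink "$link")"
        fi
    done
)

# Delete the dangling symlinks in $1 (only the links themselves; rm does not
# follow them) and print how many were removed.
remove_dangling_links() (
    dir=$1
    removed=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; exit 2; }
    for link in "$dir"/* "$dir"/.[!.]*; do
        if [ -L "$link" ] && [ ! -e "$link" ]; then
            rm -- "$link" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
)

# Usage: script.sh <ssl-dir> [--delete]   (report only unless --delete is given)
if [ "$#" -ge 1 ]; then
    if [ "${2:-}" = "--delete" ]; then
        remove_dangling_links "$1"
    else
        list_dangling_links "$1"
    fi
fi
```

Run it in report mode first, then with `--delete`, and afterwards toggle the Let's Encrypt checkbox off and on as described in the thread.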
     
