When I remove Letsencrypt SSL from a single website within ISPConfig and go to the website, I see the wrong domain website. How do I tell ISPConfig to use my private cert and not have the behaviour where Letsencrypt tries to display the lowest number or letter website? Is it just a matter of manually pointing the next 3 entries in the vhost to the correct SSL cert, away from the LE certs? Will this survive an update thru ISPConfig? The Santigo cert was created thru the SSL option for that website and I have all info like cert and bundle installed. Just need to enable it without screwing up and having my customer's domain show up with another domain name. Thanks!
SSLCertificateFile /var/www/clients/client106/web182/ssl/xxxx.com-le.crt
SSLCertificateKeyFile /var/www/clients/client106/web182/ssl/xxxxx.com-le.key
SSLCertificateChainFile /var/www/clients/client106/web182/ssl/xxxxx.com-le.bundle
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
Disable the Let's Encrypt option on the first tab of the website. Then enter the SSL key, SSL cert, and SSL bundle on the SSL tab of the website, select 'save certificate' as action and press the save button. And yes, another site might show up for a few seconds; it depends on how fast your web server restarts and how long you need to add the new cert after disabling Let's Encrypt. As an alternative, you can try to add the new cert first before you disable Let's Encrypt, but not sure if that works, so I would enable Let's Encrypt first.
Removed Letsencrypt checkboxes and saved. Created the SSL section and saved. For some reason the vhost is not getting the SSL section filled in. I also deleted the domain from LE but when I enter the domain in my browser it's still going to the first LE encrypted site (starts with 3things). Not sure what to do. Is there a log that tracks ispconfig related <IfModule mod_ssl.c> </IfModule>
Disable LE, go to the SSL tab, select action "Delete", and then add the new SSL cert. Thinking out loud, maybe we should remove the LE cert when LE is disabled as it causes confusion very often.
I disabled LE for this domain in the GUI, even deleted the domain name from certbot. Deleted and added new SSL cert. Problem is it's not populating my vhost setting. All I see is <IfModule mod_ssl.c> </IfModule> Also I just realized that all my IP settings on that server are *, but with a public domain cert I will need a dedicated IP address for this one domain. Will it confuse anything in LE since all the other domains use * and this site will be a dedicated IP?
That may be a business requirement you have, but it is not a technical requirement. You can use a single IP address for all your SSL sites, no matter where the certificates are issued from.
So if I use * for this website will it use SNI to find its way? Big problem now is the SSL section is not getting populated in vhost. Looked in syslog but don't see anything related to trying to install the SSL info. Is there a log that says if it failed to install SSL and why? Thanks
You have to select 'save certificate' in the action field. It's not enough to click on save. LE and the normal SSL cert use different names, so this can't be mixed up anymore. This has been changed a few years ago already. Yes, there is no difference if the SSL cert is an LE cert or a cert that you bought from an SSL company. This happens when you don't choose 'save certificate' in the action field on the SSL tab. Another possibility is that the SSL cert you entered is incorrect, e.g. because the SSL key does not belong to the SSL cert or that you password protected the SSL key.
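The two causes named in the reply above (a key that does not belong to the cert, or a password-protected key) can be checked with openssl before saving the certificate. This is an added example, not part of the original thread or of ISPConfig; the function name check_pair and its return codes are hypothetical, and the file paths are whatever cert and key you intend to paste in.

```shell
#!/bin/sh
# Added example: pre-flight check of a certificate/key pair before it is
# entered on the ISPConfig SSL tab. Requires the openssl command-line tool.
#
# check_pair CERT KEY   (hypothetical helper)
#   returns 0 = key is unencrypted and belongs to the certificate
#           1 = key does not belong to the certificate
#           2 = key is password protected
#           3 = a file is missing or cannot be parsed
check_pair() {
    cert=$1
    key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 3

    # PKCS#8 keys announce encryption in the BEGIN line, traditional PEM
    # keys in a Proc-Type header. Match only those header lines.
    if grep -Eq '^(-----BEGIN ENCRYPTED|Proc-Type: 4,ENCRYPTED)' "$key"; then
        return 2
    fi

    # Derive the public key from each side. The empty -passin value keeps
    # openssl from prompting if the key is protected after all.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout -passin pass: 2>/dev/null) || return 3

    # The pair is usable only when both public keys are identical.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ] || return 1
    return 0
}

# Command-line use: sh check_pair.sh site.crt site.key
if [ "$#" -eq 2 ]; then
    rc=0
    check_pair "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: key matches certificate" ;;
        1) echo "FAIL: key does not belong to this certificate" ;;
        2) echo "FAIL: key is password protected" ;;
        *) echo "FAIL: cannot read or parse the input files" ;;
    esac
    exit "$rc"
fi
```

A non-zero result here means the web server could not load the pair either, which fits the empty `<IfModule mod_ssl.c>` section described in the thread.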
Definitely setting the save certificate and clicking green save button. The vhost file gets access time updated to when I save, but the SSL section does not get filled. Is there a log that shows if the certificate is not usable by ISPConfig? I have installed certs before LE came along but it's been a while. I deleted all the files in the /ssl folder before I started create certfile, save, and so on.
Doah! Totally forgot to check the SSL after unchecking it when I removed LE. Working now. Thanks all for the help guyz!
In case you're wondering why I am switching from a LE SSL cert to a third party, it's because this customer is using a security CDN called SiteLock. The A and CNAME record for the domain get pointed to Sitelock and Sitelock redirects to the actual IP where the website is after doing security checks. Problem is LE verifies the domain A and CNAME records every 60 days and when it checks, the A and CNAME are pointing to Sitelock and the renew fails. To renew I have to change the DNS A and CNAME record to the actual website and then renew the LE cert and then after it's in place move the A and CNAME records back to Sitelock. Pain in the ass to do this every 60 days. Easier to use a different SSL cert.