Not being able to renew expired SSL

Discussion in 'General' started by Emsanator, Jan 24, 2024.

  1. Emsanator

    Emsanator Member

    Hello,

    I noticed that the SSL for my website's subdomain has expired. To renew SSL, I selected the "Create SSL" (Website->Subdomain (Vhost)->SSL tab) option in the panel of the relevant subdomain, and when I checked the SSL a few minutes later on ssllabs.com, I received a report that there was a certificate belonging to a different domain name instead of the certificate of the relevant domain name and that the domain name was incompatible with the certificate domain name.

    Even though I have activated the "SSL" and "Let's Encrypt SSL" options in the relevant domain's panel, when I refresh the page, I see that it is "not selected". What could be the reason for this?

    Thank you for your time and help.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You manually created a self-signed SSL cert using the SSL tab. The SSL tab is not related to Let's Encrypt certs; it is used to manually create SSL certs. If you want to use Let's Encrypt, then do not replace the LE cert with a self-signed cert using the SSL tab.

    To fix your issue:

    1) Go to SSL tab and select 'Delete certificate' in the action field and press save.
    2) Go to the first tab of the website, uncheck the Let's Encrypt checkbox, press save. Then go back, check the Let's Encrypt checkbox again and press save.

    There are various reasons that can lead to a refused SSL cert renewal by Let's Encrypt; these are changes in DNS so that one of the certs or subdomains is unresolvable, or this is a website for the system hostname, which now conflicts with the main system SSL cert used by other services.
     
    ahrasis likes this.
  3. Emsanator

    Emsanator Member

    Hello Till,

    I did not know that. Thank you
    --
    I deleted the SSL using the "Delete Certification" option in the "SSL" tab. Afterward, I selected "Let's Encrypt SSL" in the "Subdomain for website" tab, and with my selection, the "SSL" option above it was also selected.

    After waiting for 5-10 minutes, when I tried to access the site, I received a warning saying "The domain name in the SSL certificate does not match the address being accessed," and I couldn't access the site.

    Later, I noticed that both the "Let's Encrypt SSL" and "SSL" options in the "Subdomain for website" tab were not selected. I activate them, but afterward, they become inactive again. I repeated this process several times but I still get the SSL error.

    By the way, I use Cloudflare, but only for DNS management, not for the Proxy service.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This means that Let's Encrypt refuses to issue a cert. Go through this checklist step-by-step to find out why you do not receive a new cert from Let's Encrypt: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

    Using CloudFlare for DNS is generally fine for Let's Encrypt certs as long as you do not use their Proxy.
     
    ahrasis likes this.
  5. Emsanator

    Emsanator Member

    @till helped save me from this problem, just as you saved me from previous problems, thank you. I solved the problem with your guidance.

    Read this content in detail before starting the process. Afterward, I opted to wait a day, anticipating a potential blockade from Let's Encrypt due to the high volume of requests.

    Today, I meticulously examined the logs using `tail -f /var/log/ispconfig/acme.log` and navigated to the URL prefixed with "https://acme-v02.api.letsencrypt.org/acme/". Within the JSON dataset, entries were marked either as "status": "pending" or "invalid", with underlying causes duly noted. Recognizing the necessity, I concluded that an additional subdomain entry was required within my DNS records. For instance, in the case of a 'hello' domain of type A, it was imperative to also include 'www.hello'. Subsequently, I revisited the ISPConfig admin panel to initiate the recreation of "Let's Encrypt" for the subdomain, thereby commencing SSL creation with Let's Encrypt. Despite encountering an error anew, I promptly revisited the URL documented in the log entries. This time, a 403 error was revealed, attributed to access permissions. Swiftly, I accessed ISPConfig (Subdomain (Vhost)->subdomain->'Options' tab), removing the 'Nginx Directives' segment (with due backup precaution) before proceeding to attempt SSL creation once more. Gratifyingly, this endeavor bore fruit; I don't need Cloudflare SSL anymore.
     
    ahrasis and till like this.
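
The check described in the last post, reading the authorization JSON behind the URLs logged in acme.log, can be scripted. The following is an added example, not code from the thread or from ISPConfig: it parses authorization documents in the RFC 8555 layout and reports why each name failed validation. The sample documents, hostnames and the `diagnose` and `_authz` helpers are constructed for illustration.

```python
import json

# Constructed samples in the RFC 8555 authorization layout. Hostnames and
# error details are placeholders, not values taken from the thread.
def _authz(host, status, error=None):
    challenge = {"type": "http-01", "status": status}
    if error:
        challenge["error"] = error
    return json.dumps({"identifier": {"type": "dns", "value": host},
                       "status": status, "challenges": [challenge]})

SAMPLES = [
    _authz("www.hello.example.com", "invalid", {
        "type": "urn:ietf:params:acme:error:dns", "status": 400,
        "detail": "no valid A records found for www.hello.example.com"}),
    _authz("hello.example.com", "invalid", {
        "type": "urn:ietf:params:acme:error:unauthorized", "status": 403,
        "detail": "Invalid response from challenge URL: 403"}),
    _authz("hello.example.com", "pending"),
]

# Hints mirror the two fixes reported in the thread (assumed mapping).
HINTS = {
    "dns": "name does not resolve: add the missing DNS record",
    "unauthorized": "challenge URL refused: review custom web server "
                    "directives that block /.well-known/acme-challenge/",
}

def diagnose(raw):
    """Return (hostname, status, findings) for one authorization document."""
    authz = json.loads(raw)
    host = authz.get("identifier", {}).get("value", "unknown")
    findings = []
    for ch in authz.get("challenges", []):
        err = ch.get("error")
        if not err:
            continue  # pending and valid challenges carry no error object
        kind = err.get("type", "").rsplit(":", 1)[-1]
        findings.append({"challenge": ch.get("type"), "error": kind,
                         "http_status": err.get("status"),
                         "detail": err.get("detail", ""),
                         "hint": HINTS.get(kind, "see detail")})
    return host, authz.get("status", "unknown"), findings

if __name__ == "__main__":
    for raw in SAMPLES:
        host, status, findings = diagnose(raw)
        print(host, status, [(f["error"], f["hint"]) for f in findings])
```
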
