Hi, We’ve been running two servers with CentOS 7 and ISPConfig 3.2 for over a year with no issues, both installed following "The Perfect Server CentOS 7.6 with Apache, PHP 7.2, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.1" (installing ISPConfig 3.2 instead of 3.1). Recently, when connecting through FTP we’ve started getting warnings that the FTP/TLS certificates on both servers have expired. All other services on the servers (Apache, email, etc.) update and work fine with the server certificates automatically renewed by ISPConfig/LetsEncrypt. The contents of the /etc/ssl/private/ directory are as follows:

Code:
total 16
drwxr-xr-x. 2 root root 4096 Jul 5 00:06 .
drwxr-xr-x. 3 root root 34 Jul 21 2023 ..
-rw-r--r--. 1 root root 424 Jul 22 2023 pure-ftpd-dhparams.pem
lrwxrwxrwx 1 root root 48 Jul 5 00:06 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
-rw-------. 1 root root 2985 Jul 21 2023 pure-ftpd.pem-20230722022159.bak
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-20230722090409.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-20230722111711.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
-rw-------. 1 root root 3103 Jul 22 2023 pure-ftpd.pem-20230722115606.bak
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-20230722121929.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-240705000653.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem

Any idea what might be causing this issue and how I can fix it?
Is the file /usr/local/ispconfig/interface/ssl/ispserver.pem the new certificate or an old one? What you describe looks like pure-ftpd using a different certificate file than other services. Has pure-ftpd restarted after the certificate was renewed? What is the uptime of the host? You could try

Code:
ispconfig_update.sh --force

and let it create a new host certificate.
Which tutorial did you follow in obtaining the certs for the server? The old one, if not removed properly, might have caused this. If you still have traces of the old tutorial, remove those traces completely; then use ISPConfig update with force, reconfiguring services and requesting SSL during that process so that it will be extended to all services including the FTPS. Otherwise, if you did not follow the old tutorial, simply try the ISPConfig force update part above.
/usr/local/ispconfig/interface/ssl/ispserver.pem is an old certificate. Uptime of both servers is about 100 days and pure-ftpd has been restarted recently. I'll program an ispconfig_update.sh --force asap. Thanks.
Then either the renewal of the cert failed, or you created a website for the system hostname in ISPConfig which effectively will cause certs for other services like pure-ftpd to not get updated anymore.
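One way to run the checks the replies ask for (is the certificate behind the pure-ftpd.pem symlink still valid, and is pure-ftpd actually serving that file), as an added example that is not part of the original posts. The path is the one from the thread; the function names, the 14-day threshold and the hostname in the usage comment are assumptions.

```shell
#!/usr/bin/env bash
# Added example: compare the certificate pure-ftpd has on disk with the one it serves.
# PEM is the path from the thread; function names are illustrative.
PEM=${PEM:-/etc/ssl/private/pure-ftpd.pem}

# notAfter date of the first certificate in a PEM file.
cert_end() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# Classify a certificate: "expired", "expiring" (within $2 days, default 14) or "ok".
cert_state() {
    local days=${2:-14}
    if ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired
    elif ! openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# Certificate the FTP daemon presents after AUTH TLS, as PEM on stdout.
served_cert() {
    openssl s_client -connect "$1:21" -starttls ftp </dev/null 2>/dev/null |
        openssl x509 -outform PEM
}

report() {
    local host=$1 tmp
    tmp=$(mktemp) || return 1
    echo "file:    $PEM -> $(readlink -f "$PEM")"
    echo "on disk: $(cert_state "$PEM"), notAfter $(cert_end "$PEM")"
    if served_cert "$host" >"$tmp" 2>/dev/null && [ -s "$tmp" ]; then
        echo "served:  $(cert_state "$tmp"), notAfter $(cert_end "$tmp")"
        if [ "$(cert_fp "$PEM")" = "$(cert_fp "$tmp")" ]; then
            echo "result:  daemon serves the on-disk certificate"
        else
            echo "result:  daemon serves a different certificate (not restarted, or another file)"
        fi
    else
        echo "served:  could not fetch a certificate from $host:21"
    fi
    rm -f "$tmp"
}

# Runs only when a hostname is given, e.g.: ./check-ftp-cert.sh ftp.example.com
if [ "$#" -ge 1 ]; then report "$1"; fi
```

If the on-disk certificate is already expired, the renewal itself is the problem; if only the served one is, the daemon has not picked up the renewed file.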