Hi, We’ve been running two servers with CentOS 7 and ISPConfig 3.2 for over a year with no issues, both installed following "The Perfect Server CentOS 7.6 with Apache, PHP 7.2, Postfix, Dovecot, Pure-FTPD, BIND and ISPConfig 3.1" (installing ISPConfig 3.2 instead of 3.1). Recently, when connecting thru FTP we’ve started getting warnings that the FTP/TLS certificates on both servers have expired. All other services on the servers (Apache, email, etc.) update and work fine with the server certificates automatically renewed by ISPConfig/LetsEncrypt. The contents in the /etc/ssl/private/ directory are as follows:
Code:
total 16
drwxr-xr-x. 2 root root 4096 Jul 5 00:06 .
drwxr-xr-x. 3 root root 34 Jul 21 2023 ..
-rw-r--r--. 1 root root 424 Jul 22 2023 pure-ftpd-dhparams.pem
lrwxrwxrwx 1 root root 48 Jul 5 00:06 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
-rw-------. 1 root root 2985 Jul 21 2023 pure-ftpd.pem-20230722022159.bak
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-20230722090409.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-20230722111711.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
-rw-------. 1 root root 3103 Jul 22 2023 pure-ftpd.pem-20230722115606.bak
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-20230722121929.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
lrwxrwxrwx. 1 root root 48 Jul 22 2023 pure-ftpd.pem-240705000653.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
Any idea what might be causing this issue and how I can fix it?
Is the file /usr/local/ispconfig/interface/ssl/ispserver.pem the new certificate or an old one? What you describe looks like pure-ftpd using a different certificate file than other services. Has pure-ftpd been restarted after the certificate was renewed? What is the uptime of the host? You could try
Code:
ispconfig_update.sh --force
and let it create a new host certificate.
Which tutorial did you follow to obtain the certs for the server? The old one, if not removed properly, might have caused this. If you still have traces of the old tutorial, remove those traces completely; then use the ISPConfig update with force, reconfiguring services and requesting SSL during that process so that it will be extended to all services, including FTPS. Otherwise, if you did not follow the old tutorial, simply try the ISPConfig force update part above.
/usr/local/ispconfig/interface/ssl/ispserver.pem is an old certificate. Uptime of both servers is about 100 days and pure-ftpd has been restarted recently. I'll program an ispconfig_update.sh --force asap. Thanks.
Then either the renewal of the cert failed, or you created a website for the system hostname in ISPConfig which effectively will cause certs for other services like pure-ftpd to not get updated anymore.
Hi, I have the same problem. I have a website for the system hostname, so this might be the problem. Can I make a symlink to the correct certificate file? Which file do I have to link?
Hi Till, Sorry for reviving this old post, but I have exactly that problem now: pure-ftp doesn't use the new certificates and Filezilla tells me that the certificate on the FTP server has expired. I have seen that my ispserver.pem is very old. Any idea how to renew it without breaking the rest of the certificates that are working fine on my server? Many thanks. Abraham.
I'd bet on a Filezilla problem, but since you confirmed that your ispserver.pem is very old, try what Taleman said above and simply run:
Code:
ispconfig_update.sh --force
and let it create new certificates for the host and extend them to the other services on it. That should normally fix the mentioned problem, unless there were some other modifications to it, like creating a website with the same name, also mentioned above, which may cause such a problem as well.
Hi ahrasis, I have the same problem with the letsencrypt certificates again, but when I try to follow your instructions by running:
Code:
ispconfig_update.sh --force
The script tries to retrieve a letsencrypt certificate but it gives me this message, and rolls back to self-signed certificates: I have checked my server name in the ISPConfig control panel and it is amserver.airmonkey.es, but I'm not sure that this name is correct. Should the name of the server be the same as my domain (airmonkey.es)? The second issue before executing "ispconfig_update.sh --force" is that Apache stops working, but I think that problem is a result of the new letsencrypt certificate retrieval error. I will have to recover my backup to continue working... Many thanks for the help. Abraham.
Check and follow the established LE Error FAQ to troubleshoot all LE errors. For your error above, AI said:
Hello, I have read all of https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/ When I check my hostname with:
Code:
hostname -f
I obtain only: I have checked my DNS configuration and I have "amserver.airmonkey.es" pointing to my IP, and my firewall is correctly configured to allow access from the WAN to the server. But when I do:
Code:
ispconfig_update.sh --force
Letsencrypt returns: And Apache stops working (surely due to the self-signed certificates...) My doubt: Should the hostname be only "amserver" as I have it in the file, or should it be "amserver.airmonkey.es"? Many thanks for the help. Abraham
Hostname -f must return the fully qualified hostname. If you just get the short form, then you set the hostname wrong in /etc/hosts before you installed ISPConfig. See installation tutorial, chapter 2, on how to set this up correctly: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
Hi Till, Many thanks for your response. I checked the hostname and hosts files and indeed the names were incorrectly configured. I corrected the error in the hosts file and now the names seem to be correct. The next step was to run: and it generated the certificates correctly, although it gave me this information: But now Filezilla, the ISPConfig panel and Thunderbird tell me that the certificate does not correspond with the name (before: airmonkey.es and now amserver.airmonkey.es). I understand that the symlinks of the certificates were replaced from "airmonkey.es" to "amserver.airmonkey.es". Should I change the symlinks? What am I doing wrong? Many thanks again for the help. Abraham
Please check that you use amserver.airmonkey.es and not airmonkey.es in the browser and in Thunderbird, as the connection is made to the system hostname, which is amserver.airmonkey.es, not to another hosted domain.
Many thanks, Till. You are right, I replaced the name in the different programs and navigator and now all is working fine. Just one doubt: If I add another client to the ISPConfig panel, they will set up their own domain. If the client has to configure Filezilla to access via FTP, they should use the hostname of the main server (in this case amserver.airmonkey.es), correct? Thanks again for the help, Till.
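The two checks this thread keeps returning to, whether the file behind the pure-ftpd.pem symlink holds an expired certificate and whether that certificate is issued for the name clients connect to, can be scripted with openssl. This is an added example, not part of the thread and not ISPConfig's own tooling; the function names, the hostname amserver.example.test and the temporary files are constructed for illustration.

```shell
#!/bin/sh
# Added example: inspect the certificate a service really reads from disk.

# Print the real file behind a (possibly symlinked) certificate path.
cert_target() {
    readlink -f "$1"
}

# Succeed if the certificate in file $1 is still valid $2 days from now.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Succeed if the certificate in file $1 is issued for hostname $2.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# Summarise the certificate configured at path $1 for clients connecting to $2.
report_cert() {
    target=$(cert_target "$1")
    echo "file:   $1 -> $target"
    openssl x509 -in "$target" -noout -subject -enddate
    if cert_valid_for_days "$target" 0; then
        echo "expiry: still valid"
    else
        echo "expiry: EXPIRED"
    fi
    cert_valid_for_days "$target" 30 || echo "expiry: renew, less than 30 days left"
    if cert_matches_host "$target" "$2"; then
        echo "name:   issued for $2"
    else
        echo "name:   NOT issued for $2"
    fi
}

# Constructed sample: a 1-day self-signed certificate, stored as key + cert in
# one file and symlinked the way pure-ftpd.pem is in the listing above.
demo=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=amserver.example.test" \
    -keyout "$demo/key.pem" -out "$demo/crt.pem" 2>/dev/null
cat "$demo/key.pem" "$demo/crt.pem" > "$demo/ispserver.pem"
ln -s "$demo/ispserver.pem" "$demo/pure-ftpd.pem"

report_cert "$demo/pure-ftpd.pem" amserver.example.test
report_cert "$demo/pure-ftpd.pem" example.test
```

On a live server the same report can be run as `report_cert /etc/ssl/private/pure-ftpd.pem "$(hostname -f)"`, which also shows whether `hostname -f` returns the fully qualified name the certificate was issued for.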