Hello,

I am new here, and a member for 5 minutes. However, I have consulted your forum quite often in recent years, and often found answers. Here is my problem at the moment with ISPConfig and SSL certificates.
-------------
I can't renew the certificate of my ISPConfig server. Here is the error following the command:

root@server1:/tmp/ispconfig3_install/install# php -q update.php --force
....
Updating ISPConfig
ISPConfig Port [8080]:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
.....
Domain key exists, do you want to overwrite it?
[Sat Dec 21 10:15:55 CET 2024] If so, add '--force' and try again.
[Sat Dec 21 10:15:55 CET 2024] Error creating domain key.
[Sat Dec 21 10:15:55 CET 2024] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key
................................................++++
....

Do you have any idea why I have this error?

Thanks
[Sat Dec 21 10:28:38 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Dec 21 10:28:38 CET 2024] Running cmd: upgrade
[Sat Dec 21 10:28:38 CET 2024] Using config home: /root/.acme.sh
[Sat Dec 21 10:28:38 CET 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:28:38 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:28:38 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Dec 21 10:28:38 CET 2024] _ACME_SERVER_PATH='directory'
[Sat Dec 21 10:28:38 CET 2024] GET
[Sat Dec 21 10:28:38 CET 2024] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Sat Dec 21 10:28:38 CET 2024] timeout=30
[Sat Dec 21 10:28:38 CET 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g --connect-timeout 30'
[Sat Dec 21 10:28:38 CET 2024] ret='0'
[Sat Dec 21 10:28:38 CET 2024] Already up to date!
[Sat Dec 21 10:28:38 CET 2024] Upgrade successful!
[Sat Dec 21 10:28:39 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Dec 21 10:28:39 CET 2024] Running cmd: setdefaultca
[Sat Dec 21 10:28:39 CET 2024] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:20:15 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Dec 21 10:20:15 CET 2024] Running cmd: upgrade
[Sat Dec 21 10:20:15 CET 2024] Using config home: /root/.acme.sh
[Sat Dec 21 10:20:15 CET 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:20:15 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:20:15 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Dec 21 10:20:15 CET 2024] _ACME_SERVER_PATH='directory'
[Sat Dec 21 10:20:15 CET 2024] GET
[Sat Dec 21 10:20:15 CET 2024] url='https://api.github.com/repos/acmesh-official/acme.sh/git/refs/heads/master'
[Sat Dec 21 10:20:15 CET 2024] timeout=30
[Sat Dec 21 10:20:15 CET 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g --connect-timeout 30'
[Sat Dec 21 10:20:15 CET 2024] ret='0'
[Sat Dec 21 10:20:15 CET 2024] Already up to date!
[Sat Dec 21 10:20:15 CET 2024] Upgrade successful!
[Sat Dec 21 10:20:16 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Dec 21 10:20:16 CET 2024] Running cmd: setdefaultca
[Sat Dec 21 10:20:16 CET 2024] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:15:54 CET 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sat Dec 21 10:15:54 CET 2024] ACME_NEW_AUTHZ
[Sat Dec 21 10:15:54 CET 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat Dec 21 10:15:54 CET 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Dec 21 10:15:54 CET 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sat Dec 21 10:15:54 CET 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'
[Sat Dec 21 10:15:54 CET 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Dec 21 10:15:55 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:15:55 CET 2024] _on_before_issue
[Sat Dec 21 10:15:55 CET 2024] _chk_main_domain='server1.xxxxx.biz'
[Sat Dec 21 10:15:55 CET 2024] _chk_alt_domains
[Sat Dec 21 10:15:55 CET 2024] '/usr/local/ispconfig/interface/acme' does not contain 'no'
[Sat Dec 21 10:15:55 CET 2024] Le_LocalAddress
[Sat Dec 21 10:15:55 CET 2024] d='server1.xxxxx.biz'
[Sat Dec 21 10:15:55 CET 2024] Checking for domain='server1.xxxxxxx.biz'
[Sat Dec 21 10:15:55 CET 2024] _currentRoot='/usr/local/ispconfig/interface/acme'
[Sat Dec 21 10:15:55 CET 2024] d
[Sat Dec 21 10:15:55 CET 2024] '/usr/local/ispconfig/interface/acme' does not contain 'apache'
[Sat Dec 21 10:15:55 CET 2024] _saved_account_key_hash='UTFXos+x0xfsMMrTs8GNYDWv5wO2VT2VdE4qZx343bo='
[Sat Dec 21 10:15:55 CET 2024] _saved_account_key_hash was not changed, skipping account registration.
[Sat Dec 21 10:15:55 CET 2024] Read key length: 2048
[Sat Dec 21 10:15:55 CET 2024] Creating domain key
[Sat Dec 21 10:15:55 CET 2024] Using config home: /root/.acme.sh
[Sat Dec 21 10:15:55 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:15:55 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Dec 21 10:15:55 CET 2024] _ACME_SERVER_PATH='directory'
[Sat Dec 21 10:15:55 CET 2024] Domain key exists, do you want to overwrite it?
[Sat Dec 21 10:15:55 CET 2024] If so, add '--force' and try again.
[Sat Dec 21 10:15:55 CET 2024] Error creating domain key.
[Sat Dec 21 10:15:55 CET 2024] pid
[Sat Dec 21 10:15:55 CET 2024] No need to restore nginx config, skipping.
[Sat Dec 21 10:15:55 CET 2024] _clearupdns
[Sat Dec 21 10:15:55 CET 2024] dns_entries
[Sat Dec 21 10:15:55 CET 2024] Skipping dns.
[Sat Dec 21 10:15:55 CET 2024] _on_issue_err
[Sat Dec 21 10:15:55 CET 2024] Please check log file for more details: /var/log/ispconfig/acme.log
[Sat Dec 21 10:15:55 CET 2024] _chk_vlist
[Sat Dec 21 10:11:11 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Dec 21 10:11:11 CET 2024] Running cmd: setdefaultca
[Sat Dec 21 10:11:11 CET 2024] Changed default CA to: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:11:12 CET 2024] _is_idn_d='server1.xxxxxxx.biz'
[Sat Dec 21 10:11:12 CET 2024] _idn_temp
[Sat Dec 21 10:11:12 CET 2024] Let's find the script directory.
[Sat Dec 21 10:11:12 CET 2024] _SCRIPT_='/root/.acme.sh/acme.sh'
[Sat Dec 21 10:11:12 CET 2024] _script='/root/.acme.sh/acme.sh'
[Sat Dec 21 10:11:12 CET 2024] _script_home='/root/.acme.sh'
[Sat Dec 21 10:11:12 CET 2024] Using config home: /root/.acme.sh
[Sat Dec 21 10:11:12 CET 2024] LE_WORKING_DIR='/root/.acme.sh'
[Sat Dec 21 10:11:12 CET 2024] Running cmd: issue
[Sat Dec 21 10:11:12 CET 2024] _main_domain='server1.xxxxxx.biz'
[Sat Dec 21 10:11:12 CET 2024] _alt_domains='no'
[Sat Dec 21 10:11:12 CET 2024] Using config home: /root/.acme.sh
[Sat Dec 21 10:11:12 CET 2024] default_acme_server='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:11:12 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:11:12 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Dec 21 10:11:12 CET 2024] _ACME_SERVER_PATH='directory'
[Sat Dec 21 10:11:12 CET 2024] DOMAIN_PATH='/root/.acme.sh/server1.xxxxxx.biz'
[Sat Dec 21 10:11:12 CET 2024] '/usr/local/ispconfig/interface/acme' does not contain 'dns'
[Sat Dec 21 10:11:12 CET 2024] Le_NextRenewTime='1731531791'
[Sat Dec 21 10:11:12 CET 2024] Using ACME_DIRECTORY: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:11:12 CET 2024] _init API for server: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:11:12 CET 2024] GET
[Sat Dec 21 10:11:12 CET 2024] url='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:11:12 CET 2024] timeout=
[Sat Dec 21 10:11:12 CET 2024] _CURL='curl --silent --dump-header /root/.acme.sh/http.header -L -g '
[Sat Dec 21 10:11:13 CET 2024] ret='0'
[Sat Dec 21 10:11:13 CET 2024] response='{ "W-i0-5JcdKY": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417", "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change", "meta": { "caaIdentities": [ "letsencrypt.org" ], "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct", "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce", "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order", "renewalInfo": "https://acme-v02.api.letsencrypt.org/draft-ietf-acme-ari-03/renewalInfo", "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert" }'
[Sat Dec 21 10:11:13 CET 2024] ACME_KEY_CHANGE='https://acme-v02.api.letsencrypt.org/acme/key-change'
[Sat Dec 21 10:11:13 CET 2024] ACME_NEW_AUTHZ
[Sat Dec 21 10:11:13 CET 2024] ACME_NEW_ORDER='https://acme-v02.api.letsencrypt.org/acme/new-order'
[Sat Dec 21 10:11:13 CET 2024] ACME_NEW_ACCOUNT='https://acme-v02.api.letsencrypt.org/acme/new-acct'
[Sat Dec 21 10:11:13 CET 2024] ACME_REVOKE_CERT='https://acme-v02.api.letsencrypt.org/acme/revoke-cert'
[Sat Dec 21 10:11:13 CET 2024] ACME_AGREEMENT='https://letsencrypt.org/documents/LE-SA-v1.4-April-3-2024.pdf'
[Sat Dec 21 10:11:13 CET 2024] ACME_NEW_NONCE='https://acme-v02.api.letsencrypt.org/acme/new-nonce'
[Sat Dec 21 10:11:13 CET 2024] Using CA: https://acme-v02.api.letsencrypt.org/directory
[Sat Dec 21 10:11:13 CET 2024] _on_before_issue
[Sat Dec 21 10:11:13 CET 2024] _chk_main_domain='server1.xxxxx.biz'
[Sat Dec 21 10:11:13 CET 2024] _chk_alt_domains
[Sat Dec 21 10:11:13 CET 2024] '/usr/local/ispconfig/interface/acme' does not contain 'no'
[Sat Dec 21 10:11:13 CET 2024] Le_LocalAddress
[Sat Dec 21 10:11:13 CET 2024] d='server1.xxxxxx.biz'
[Sat Dec 21 10:11:13 CET 2024] Checking for domain='server1.xxxxxxx.biz'
[Sat Dec 21 10:11:13 CET 2024] _currentRoot='/usr/local/ispconfig/interface/acme'
[Sat Dec 21 10:11:13 CET 2024] d
[Sat Dec 21 10:11:13 CET 2024] '/usr/local/ispconfig/interface/acme' does not contain 'apache'
[Sat Dec 21 10:11:13 CET 2024] _saved_account_key_hash='UTFXos+x0xfsMMrTs8GNYDWv5wO2VT2VdE4qZx343bo='
[Sat Dec 21 10:11:13 CET 2024] _saved_account_key_hash was not changed, skipping account registration.
[Sat Dec 21 10:11:14 CET 2024] Read key length: 2048
[Sat Dec 21 10:11:14 CET 2024] Creating domain key
[Sat Dec 21 10:11:14 CET 2024] Using config home: /root/.acme.sh
[Sat Dec 21 10:11:14 CET 2024] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
[Sat Dec 21 10:11:14 CET 2024] _ACME_SERVER_HOST='acme-v02.api.letsencrypt.org'
[Sat Dec 21 10:11:14 CET 2024] _ACME_SERVER_PATH='directory'
[Sat Dec 21 10:11:14 CET 2024] Domain key exists, do you want to overwrite it?
[Sat Dec 21 10:11:14 CET 2024] If so, add '--force' and try again.
[Sat Dec 21 10:11:14 CET 2024] Error creating domain key.
[Sat Dec 21 10:11:14 CET 2024] pid
[Sat Dec 21 10:11:14 CET 2024] No need to restore nginx config, skipping.
[Sat Dec 21 10:11:14 CET 2024] _clearupdns
[Sat Dec 21 10:11:14 CET 2024] dns_entries
[Sat Dec 21 10:11:14 CET 2024] Skipping dns.
[Sat Dec 21 10:11:14 CET 2024] _on_issue_err
[Sat Dec 21 10:11:14 CET 2024] Please check log file for more details: /var/log/ispconfig/acme.log
[Sat Dec 21 10:11:14 CET 2024] _chk_vlist
Ok, so acme.sh just seems to have an issue with the key it's created for the domain. Try to remove the SSL cert with:

acme.sh --remove -d server1.xxxxxx.biz

and then check with:

ls -la /root/.acme.sh/

that there is no directory for that domain name anymore in this path. Then run an ISPConfig update with the --force option again to create a new cert.

Things that you should also check are whether the system hostname correctly resolves to the server IP in DNS and also that port 80 is not closed in a firewall in front of the server, as Let's Encrypt will try to reach your server on port 80 to verify the SSL cert. A complete checklist can be found here: https://forum.howtoforge.com/threads/lets-encrypt-error-faq.74179/

It's mainly for website SSL certs, but the prerequisites to get a LE cert for the main system are the same.
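
The log check and directory check from the reply above, as an added example that is not part of the thread and is not ISPConfig or acme.sh code: it scans an acme.sh debug log for issue runs that stopped at "Domain key exists" and lists the per-domain state directories still present. The function names, the host server1.example.test and the sample log are constructed for illustration; the _ecc suffix is the directory name acme.sh uses for ECC keys.

```shell
#!/bin/sh
# Added example: find acme.sh issue runs that stopped at "Domain key exists"
# and any per-domain state directory still left behind for them.

# Print each domain whose run in log file $1 logged "Domain key exists"
# followed by "Error creating domain key."
failed_domains() {
    awk -v q="'" '
        /\] _main_domain=/ { split($0, p, q); d = p[2]; hit = 0 }
        /\] Domain key exists/ { hit = 1 }
        /\] Error creating domain key\./ {
            if (hit && d != "" && !(d in seen)) { seen[d] = 1; print d }
            hit = 0
        }
    ' "$1"
}

# Print the state directories that still exist for domain $2 under the
# acme.sh home $1 (<domain> for RSA keys, <domain>_ecc for ECC keys).
leftover_dirs() {
    for dir in "$1/$2" "$1/${2}_ecc"; do
        if [ -d "$dir" ]; then printf '%s\n' "$dir"; fi
    done
}

# Constructed sample: a log excerpt in the format shown in this thread and
# a stand-in acme.sh home, both for the made-up host server1.example.test.
make_sample() {
    mkdir -p "$1/home/server1.example.test"
    cat > "$1/acme.log" <<'EOF'
[Sat Dec 21 10:11:12 CET 2024] Running cmd: issue
[Sat Dec 21 10:11:12 CET 2024] _main_domain='server1.example.test'
[Sat Dec 21 10:11:14 CET 2024] Creating domain key
[Sat Dec 21 10:11:14 CET 2024] Domain key exists, do you want to overwrite it?
[Sat Dec 21 10:11:14 CET 2024] If so, add '--force' and try again.
[Sat Dec 21 10:11:14 CET 2024] Error creating domain key.
EOF
}

tmp=$(mktemp -d)
make_sample "$tmp"
for dom in $(failed_domains "$tmp/acme.log"); do
    echo "issue stopped on existing domain key: $dom"
    leftover_dirs "$tmp/home" "$dom"
done
rm -rf "$tmp"
```

On a real server the same two functions can be pointed at /var/log/ispconfig/acme.log and /root/.acme.sh; an empty result from leftover_dirs after the removal step is the state the reply asks to confirm before re-running the update.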