renewed SSL cert saved as crt.err

Discussion in 'ISPConfig 3 Priority Support' started by ronee, Nov 25, 2014.

  1. ronee

    ronee Member HowtoForge Supporter

    Hello,

    Have always been able to debug SSL issues with ispconfig in the past pretty much.

    This one is new. Renewed certificate successfully saved in ispconfig interface (v3.0.5.3) for the applicable site. Unfortunately the key, crt and bundle files all save in the applicable ssl dir as .err files.

    Have checked the files and they matched. Would appreciate guidance on how to debug and determine where the issue is, not finding any further details in logs, etc.

    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Your ispconfig version is very old, please update to a current release. There had been issues in your version with ssl certs.
     
  3. ronee

    ronee Member HowtoForge Supporter

    great, thanks very much Till
     
  4. ronee

    ronee Member HowtoForge Supporter

    So update to 3.0.5.4p5 successfully completed without issue.

    Attempted to resave the ssl cert from within ispconfig for the affected site, the SSL files are all touched (modification time on all files updated) but the .err files remain and the certificate remains the one that is soon expiring.

    Advise on how to smoothly change to the correct certificate (which is the one present in the SSL tab in ispconfig of the site in question) without downtime for the site?

    thanks

    # ll
    total 44
    -rw-r--r-- 1 root root 1820 Nov 26 01:16 domain.com.bundle
    -rw-r--r-- 1 root root 1818 Nov 26 01:16 domain.com.bundle.err
    -rw-r--r-- 1 root root 2010 Nov 26 01:16 domain.com.crt
    -rw-r--r-- 1 root root 2084 Nov 26 01:16 domain.com.crt.err
    -rw-r--r-- 1 root root 1120 Nov 26 01:16 domain.com.csr
    -rw-r--r-- 1 root root 1120 Nov 26 01:16 domain.com.csr.err
    -r-------- 1 root root 1702 Nov 26 01:16 domain.com.key
    -r-------- 1 root root 1702 Nov 26 01:16 domain.com.key~
    -r-------- 1 root root 1702 Nov 26 01:16 domain.com.key.err
    -r-------- 1 root root 1743 Nov 26 01:16 domain.com.key.org
    -r-------- 1 root root 1743 Nov 26 01:16 domain.com.key.org.err
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    A .err file is created when apache did not restart with the new ssl cert, so there must be something wrong with the new cert that you inserted. The most common mistake is that a new cert has been created on the basis of a different csr, so that the existing ssl key is not valid for the new ssl cert.

    Here are the steps to renew an SSL cert; it's really easy and takes just a minute:

    1) Copy the csr from the csr field in ispconfig. The csr has to be the same one that you used for the old cert already. Take this csr and have it signed by an ssl authority of your choice.
    2) Copy the ssl cert that you got back from the ssl authority into the certificate field, select "save certificate" in the action field and click on save.
     
  6. ronee

    ronee Member HowtoForge Supporter

    Hi Till,

    Yes I am super familiar with that.

    I have already verified that the new crt is based on the csr and the key that I have.

    As a test I simply backed up the existing .crt file and then renamed the .crt.err as the .crt and restarted apache and now all seems to be well.

    Curious that ispconfig refused to save the cert. Is there anything you would recommend I do to avoid issues when this cert is renewed in the future on this server?

    thanks
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is processing the changes like this:

    1) Write the new configuration.
    2) Restart apache.
    3) Test if apache is running again.
    4) If apache is not running, save the non-working config with the .err file ending and roll back to the last working config.

    But this procedure can fail when there has been a failed config change before, as all new config changes must fail as well until it is corrected. So e.g. when there are custom apache directives in the apache directives field of the website and these have an error, so that apache can't start with them, then a change in the ssl cert must result in an error as well, as ISPConfig cannot decide if an apache failure is caused by the ssl cert change or the custom directive, so both get rolled back to the last known working setup.
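
The two causes till describes in this thread (a certificate issued for a different CSR/key, and an Apache configuration that was already failing before the change) can both be checked from the shell before saving the certificate. The script below is an added example, not part of the thread and not ISPConfig code; it assumes `openssl` and `apache2ctl` or `apachectl` are installed, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example (not ISPConfig code): pre-flight checks before saving a renewed
# certificate. File names are supplied by the caller; function names are made up.

# Print the SHA-256 of the public key inside a key, CSR or certificate file.
pubkey_fp() {  # usage: pubkey_fp key|csr|crt FILE
    local pub
    case "$1" in
        key) pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) ;;
        csr) pub=$(openssl req  -in "$2" -noout -pubkey 2>/dev/null) ;;
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1   # unreadable file or wrong file type
    # Normalise to DER so PEM formatting differences cannot affect the hash.
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Succeeds only if key, CSR and certificate all carry the same public key.
same_keypair() {  # usage: same_keypair KEY CSR CRT
    local k c x
    k=$(pubkey_fp key "$1") && c=$(pubkey_fp csr "$2") && x=$(pubkey_fp crt "$3") || return 2
    [ "$k" = "$c" ] && [ "$k" = "$x" ]
}

# Apache must pass its own config test before the change; if it is already
# failing (e.g. because of custom directives), any new change is rolled back too.
apache_config_ok() {
    local ctl
    ctl=$(command -v apache2ctl || command -v apachectl) || return 2
    "$ctl" configtest
}

preflight() {  # usage: preflight KEY CSR NEW_CRT
    apache_config_ok || { echo "FAIL: Apache config test fails before any change"; return 1; }
    same_keypair "$@" || { echo "FAIL: key, CSR and certificate do not share one public key"; return 1; }
    echo "OK: key pair matches and the current Apache config passes configtest"
}

# Run the checks only when called with the three file arguments.
if [ "$#" -eq 3 ]; then preflight "$@"; fi
```

Run it as root with the site's key, CSR and the newly issued certificate as arguments; a `FAIL` on the first check points at the existing Apache configuration rather than at the certificate.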
     
  8. ronee

    ronee Member HowtoForge Supporter

    ah yes of course, I remember this now

    thank you very much Till, I will look for some incorrect apache directives

    take care,

    Ron
     
