Read the Lets Encrypt FAQ and followed most steps; didn't go into debug mode. Here's why ... acme.sh creates the Lets Encrypt certificates and appears to install them properly. The Lets Encrypt tick box remains ticked in ISPconfig. The problem is when accessing the domain via https the only certificate offered is the self signed one (not the generated & install Lets Encrypt one). As a last chance, forced a reinstall of ISPconfig. No change. Rebooted server and even my wife's desktop. Apache2 still using only self-signed cert. Lets Encrypt works for all the other nine domain on the server. Debian 11 with ISPconfig installed via the corresponding install document. Here's what I'm seeing: Forced update for Lets Encrypt Code: root@mail:~/.acme.sh# ./acme.sh -f -r -d writeworks.uk [Sat 25 Mar 2023 11:38:57 AM GMT] Renew: 'writeworks.uk' [Sat 25 Mar 2023 11:38:57 AM GMT] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory [Sat 25 Mar 2023 11:38:58 AM GMT] Using CA: https://acme-v02.api.letsencrypt.org/directory [Sat 25 Mar 2023 11:38:58 AM GMT] Using pre generated key: /root/.acme.sh/writeworks.uk/writeworks.uk.key.next [Sat 25 Mar 2023 11:38:58 AM GMT] Generate next pre-generate key. [Sat 25 Mar 2023 11:38:59 AM GMT] Multi domain='DNS:writeworks.uk,DNS:www.writeworks.uk,DNS:Plume.writeworks.uk' [Sat 25 Mar 2023 11:38:59 AM GMT] Getting domain auth token for each domain [Sat 25 Mar 2023 11:39:02 AM GMT] Getting webroot for domain='writeworks.uk' [Sat 25 Mar 2023 11:39:02 AM GMT] Getting webroot for domain='www.writeworks.uk' [Sat 25 Mar 2023 11:39:03 AM GMT] Getting webroot for domain='plume.writeworks.uk' [Sat 25 Mar 2023 11:39:03 AM GMT] writeworks.uk is already verified, skip http-01. [Sat 25 Mar 2023 11:39:03 AM GMT] www.writeworks.uk is already verified, skip http-01. [Sat 25 Mar 2023 11:39:03 AM GMT] plume.writeworks.uk is already verified, skip http-01. [Sat 25 Mar 2023 11:39:03 AM GMT] Verify finished, start to sign. [Sat 25 Mar 2023 11:39:03 AM GMT] Lets finalize the order. [Sat 25 Mar 2023 11:39:03 AM GMT] Le_OrderFinalize='https://acme-v02.api.letsencrypt.org/acme/finalize/749524277/172192305857' [Sat 25 Mar 2023 11:39:04 AM GMT] Downloading cert. [Sat 25 Mar 2023 11:39:04 AM GMT] Le_LinkCert='https://acme-v02.api.letsencrypt.org/acme/cert/0373dd0250a61da54506b1b5510d864ad0a2' [Sat 25 Mar 2023 11:39:05 AM GMT] Cert success. -----BEGIN CERTIFICATE----- [..] -----END CERTIFICATE----- [Sat 25 Mar 2023 11:39:05 AM GMT] Your cert is in: /root/.acme.sh/writeworks.uk/writeworks.uk.cer [Sat 25 Mar 2023 11:39:05 AM GMT] Your cert key is in: /root/.acme.sh/writeworks.uk/writeworks.uk.key [Sat 25 Mar 2023 11:39:05 AM GMT] The intermediate CA cert is in: /root/.acme.sh/writeworks.uk/ca.cer [Sat 25 Mar 2023 11:39:05 AM GMT] And the full chain certs is there: /root/.acme.sh/writeworks.uk/fullchain.cer [Sat 25 Mar 2023 11:39:05 AM GMT] Your pre-generated next key for future cert key change is in: /root/.acme.sh/writeworks.uk/writeworks.uk.key.next [Sat 25 Mar 2023 11:39:05 AM GMT] Installing key to: /var/www/clients/client1/web1/ssl/writeworks.uk-le.key [Sat 25 Mar 2023 11:39:05 AM GMT] Installing full chain to: /var/www/clients/client1/web1/ssl/writeworks.uk-le.crt [Sat 25 Mar 2023 11:39:05 AM GMT] Run reload cmd: systemctl force-reload apache2.service [Sat 25 Mar 2023 11:39:06 AM GMT] Reload success Directory certificates were installed to: Code: root@mail:/var/www/clients/client1/web1/ssl# ls -la total 56 drwxr-xr-x 2 root root 4096 Mar 25 11:29 . drwxr-xr-x 11 root root 4096 Sep 27 01:57 .. -rw-r--r-- 1 root root 1947 Mar 25 11:29 writeworks.uk.crt -rw-r--r-- 1 root root 1915 Mar 25 11:29 writeworks.uk.crt~ -rw-r--r-- 1 root root 1869 Mar 25 01:50 writeworks.uk.crt.bak -rw-r--r-- 1 root root 1728 Mar 25 11:29 writeworks.uk.csr -rw-r--r-- 1 root root 1700 Mar 25 11:29 writeworks.uk.csr~ -rw-r--r-- 1 root root 1690 Mar 25 01:50 writeworks.uk.csr.bak -r-------- 1 root root 3324 Mar 25 11:29 writeworks.uk.key -r-------- 1 root root 3272 Mar 25 11:29 writeworks.uk.key~ -r-------- 1 root root 3324 Mar 25 01:50 writeworks.uk.key.bak -rw-r--r-- 1 root root 5991 Mar 25 11:39 writeworks.uk-le.crt -rw------- 1 root root 3243 Mar 25 11:39 writeworks.uk-le.key How would it be best to proceed for troubleshooting?
It would have really helped to save you and our time if you posted the debug mode output right away, as it shows way more details on what is important for that topic, like if SSL has been activated for the site and if apache accepted the changes in config etc. That's why everyone who likes to get help in regard to a LE topic is requested to post that output. So let#s do it manually instead. Check in the apache sites-availale folder to see if there is a vhost file with .err file ending for this website.
I do apologist for skipping the debug mode. I honestly should know by now when you state something that one should really just do it. No .err file there: Code: root@mail:/etc/apache2/sites-available# ls -la total 200 drwxr-xr-x 2 root root 4096 Mar 25 11:29 . drwxr-xr-x 8 root root 4096 Mar 21 06:13 .. -rw-r--r-- 1 root root 1332 Jun 9 2022 000-default.conf -rw-r--r-- 1 root root 310 Mar 25 01:56 acme.conf -rw-r--r-- 1 root root 3339 Mar 25 02:22 apps.vhost -rw-r--r-- 1 root root 6338 Jun 9 2022 default-ssl.conf -rw-r--r-- 1 root root 9074 Jan 26 19:00 gppixelworks.com.vhost -rw-r--r-- 1 root root 8252 Oct 19 09:21 gppixelworks.co.uk.vhost -rw-r--r-- 1 root root 2322 Mar 25 02:22 ispconfig.conf -rw-r--r-- 1 root root 3572 Mar 25 01:57 ispconfig.vhost -rw-r--r-- 1 root root 8757 Oct 13 11:37 knowledgelighthouse.co.uk.vhost -rw-r--r-- 1 root root 10070 Feb 3 02:39 lansbury.me.uk.vhost -rw-r--r-- 1 root root 9534 Oct 31 02:37 lansbury.me.uk.vhost.ORIG -rw-r--r-- 1 root root 9024 Feb 3 02:47 me.selfhost.uk.vhost -rw-r--r-- 1 root root 10146 Feb 3 02:45 ormisher.co.uk.vhost -rw-r--r-- 1 root root 8661 Dec 2 00:03 q2a.selfhost.uk.vhost -rw-r--r-- 1 root root 8810 Oct 13 17:12 responsiblebystander.co.uk.vhost -rw-r--r-- 1 root root 9116 Feb 3 02:44 top-dogs-names.com.vhost -rw-r--r-- 1 root root 9494 Mar 25 11:47 writeworks.uk.vhost -rw-r--r-- 1 root root 9041 Mar 23 13:10 writeworks.uk.vhost.No.Plume -rw-r--r-- 1 root root 8109 Oct 28 01:04 writeworks.uk.vhost.ORIG -rw-r--r-- 1 root root 9494 Mar 25 01:47 writeworks.uk.vhost.plume Based on your reply I've an idea of the problem. For the domain in question it's sole purpose is running a Federated publishing/blogging platform, Plume. Plume had been running at a different VPS with ISPconfig with no problems. Moving servers as the original VPS rates doubled. Plume requires some edits to the .vhost file. One of which is the addition of a reverse proxy: Code: # Added for Plume ProxyPreserveHost On RequestHeader set X-Forwarded-Proto "https" ProxyPass / http://127.0.0.1:7878/ ProxyPassReverse / http://127.0.0.1:7878/ # End added for Plume Thus I have the *.vhost.plume file to copy over *.vhost on system boots. Awkward but it was the first solution I found. So I'm guessing the .vhost is being editing by acme.sh followed by my mistake of blindly overwriting the fresh, required additions. FWIW, here's the additional required edits to the .vhost file that is required for Plume to run. In <VirtualHost *:80> section: Code: # Added for Plume ServerAlias plume.writeworks.uk ServerAlias www.writeworks.uk ServerAdmin [email protected] # Added for Plume Balance of edits in <VirtualHost *:443> section: Code: # Added for Plume ServerAlias plume.writeworks.uk ServerAlias www.writeworks.uk ServerAdmin [email protected] Code: # Added for Plume <Directory "/plume"> Header always set Referrer-Policy "strict-origin-when-cross-origin" Header always set Strict-Transport-Security "max-age=31536000; preload" </Directory> SSLEngine on # End added for Plume Code: # Added for Plume SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1 SSLHonorCipherOrder On Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff SSLCompression off SSLUseStapling on # Requires Apache >= 2.4.11 SSLSessionTickets Off # Disable http/1.0 # Requires Apache >= 2.4.17 Protocols h2 http/1.1 # End added for Plume
Till, Many thanks for pointing out what should have been obvious. The sole error was mine; I was overwriting the .vhost file manually with edits which were required for Plume to run. In order to retain the .vhost settings for Plume, am I correct in understanding one can use directive snippets to retain those settings when rebooting or ISPconfig needs to make a change to the .vhost file?
