Hello all,

I've just installed a new deb10 server and installed ISPc using the automatic install script. All seems to have installed correctly. I have also successfully migrated from the old server to this new server. However, I can't seem to secure ISPc using a Let's Encrypt SSL cert. All other domains on the server are secured. I have run the ISPc update script using --force and answered yes to create a new cert. But the ISPc console still seems to be insecure.

Code:
Checking / creating certificate for mydomain.tld
Using certificate path /etc/letsencrypt/live/mydomain.tld
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Missing command line flag or config entry for this setting:
Please choose an account
Choices: ['mydomain.tld@2020-07-24T21:32:10Z (3423)', 'mydomain.tld@2019-08-09T05:55:11Z (2b50)', 'mydomain.tld@2021-07-03T01:22:33Z (64ee)']
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key

For the purpose of this post I changed the actual domain name to mydomain.tld.

So my questions are:
1. How do I now secure ISPc?
2. Do I still use the update SSL script as per this howto?

This new server has been online (live) for the past week, so I doubt it is DNS related. But I may be wrong.

Debian 10
ISPConfig 3.2.5

Regards
Fred
Seems as if you have more than one account configured in certbot. There should be just one account, so you will have to remove all accounts except the one with the most SSL certs. The certs from other accounts will fail to renew, that's why it's important to remove the account which has no certs at all or the least amount of certs.
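
To see which certbot account holds the most certs before removing any, the following added example (not part of the thread, and not ISPConfig or certbot code) counts certificate lineages per account. It assumes certbot's standard layout, with an `account = <id>` line in each file under `/etc/letsencrypt/renewal/` and account folders under `/etc/letsencrypt/accounts/<server>/directory/<id>/`; the function names and the sample IDs are made up.

```shell
#!/bin/sh
# Added example: which certbot account do the existing certs belong to?
# On a real server: certs_per_account /etc/letsencrypt/renewal
#                   unused_accounts /etc/letsencrypt/accounts /etc/letsencrypt/renewal

# Print "<count> <account-id>" per account, busiest account first.
certs_per_account() {
    renewal_dir=$1
    for conf in "$renewal_dir"/*.conf; do
        [ -f "$conf" ] || continue
        # Each renewal config names the account its cert was issued under.
        sed -n 's/^account[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1
    done | sort | uniq -c | sort -k1,1nr -k2 | awk '{print $1, $2}'
}

# Print account IDs that exist on disk but are referenced by no renewal config.
unused_accounts() {
    accounts_dir=$1
    renewal_dir=$2
    used=$(certs_per_account "$renewal_dir" | awk '{print $2}')
    for dir in "$accounts_dir"/*/directory/*/; do
        [ -d "$dir" ] || continue
        id=$(basename "$dir")
        printf '%s\n' "$used" | grep -qx "$id" || printf '%s\n' "$id"
    done
}

# Constructed sample tree (IDs are made up) so the script runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/renewal" \
         "$demo/accounts/acme.example/directory/aaa111" \
         "$demo/accounts/acme.example/directory/bbb222"
for d in one.tld two.tld; do
    printf '[renewalparams]\naccount = aaa111\n' > "$demo/renewal/$d.conf"
done
certs_per_account "$demo/renewal"
unused_accounts "$demo/accounts" "$demo/renewal"
rm -rf "$demo"
```

An account listed by `unused_accounts` has no certs attached, which makes it the candidate for removal described above.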
There is a new version of autoinstall, this one is from ISPConfig project. https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
OK, I don't understand what you mean by having more than one account for certbot. I have tried the new autoinstall script (thank you Taleman). I have managed to secure ISPc after 4 attempts at running the update script. But now none of my sites will allow me to activate Let's Encrypt SSL. I can turn on SSL. Migrated everything using the Migrate Tool. Regards Fred
Make sure you don't mix certbot and acme.sh script and always use the one you were using in your old server before the migration.
OK, so I have no idea what the autoinstall script installs by default. When I did the migration it said the certs couldn't be transferred, so I assumed the system would generate new certs. Now ISPc is secured. But I cannot create/activate Let's Encrypt SSL from the console for any domain. I also cannot create a cert under the SSL tab for any domain. I have not installed any other apps after the script finished. I ran the script without any options. Regards Fred
You should read thoroughly before using it where there should be a step to skip installing acme.sh and install certbot instead. (I haven't used it yet). By default it will install acme.sh but most of old ISPConfig servers are using certbot thereby if you are not careful, you will end up migrating old ISPConfig server with certbot to new server with acme.sh. This is the basic cause for such failure as asked and reported several times in this forum as long as I can remember.
@ahrasis: according to the log from 1, FredZ initially was not using acme.sh, he was using certbot, which was correct, see: He just had a duplicate certbot entry, which you can see from here: That's why I suggested to him to remove one account, which could have been done easily by either using certbot command or by deleting the account file in /etc/letsencrypt and has been described multiple times in the forum as well. So his initial setup was perfectly fine, he just had to remove one account in certbot as I instructed him in #2. Instead of doing what I suggested, he now reinstalled and made things worse by mixing certbot and acme.sh. The solution is way more complicated now and includes a lot of manual work. To be able to issue new certs on this system due to certbot/acme.sh mix, you will have to manually clean up each website 'ssl' folder and remove the obsolete symlinks to the old Let's encrypt SSL certs. Then you can re-issue a new SSL cert through ISPConfig.
OK. This is clearly beyond my understanding. I'll request paid support to have this resolved. Regards Fred
That's not really complicated, you just have to go into the SSL folder of the sites that use Let's encrypt, e.g.:
Code:
cd /var/www/yourdomain.tld/ssl/
Replace the domain name with the name of the website domain, and there you have to remove the symlinks:
Code:
rm *-le.bundle
rm *-le.crt
rm *-le.key
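
A more cautious variant of the cleanup above, as an added example that is not part of the thread and not ISPConfig code: it lists each `*-le.*` entry with its target and state first, and removes only entries that really are symlinks, so a regular key or cert file with the same suffix is never deleted. The function names and the sample tree are made up.

```shell
#!/bin/sh
# Added example: review, then remove, only the Let's Encrypt symlinks
# (*-le.key, *-le.crt, *-le.bundle) in one site's ssl folder.
# On a real server: list_le_links /var/www/yourdomain.tld/ssl

# Print "<state> <link> -> <target>" for each *-le.* symlink.
# state is "dangling" when the target no longer exists, otherwise "ok".
list_le_links() {
    ssl_dir=$1
    for f in "$ssl_dir"/*-le.key "$ssl_dir"/*-le.crt "$ssl_dir"/*-le.bundle; do
        [ -L "$f" ] || continue      # skip regular files and unmatched globs
        if [ -e "$f" ]; then state=ok; else state=dangling; fi
        printf '%s %s -> %s\n' "$state" "$f" "$(readlink "$f")"
    done
}

# Remove those symlinks; regular files with the same suffix are left alone.
remove_le_links() {
    ssl_dir=$1
    for f in "$ssl_dir"/*-le.key "$ssl_dir"/*-le.crt "$ssl_dir"/*-le.bundle; do
        [ -L "$f" ] && rm -- "$f"
    done
    return 0
}

# Constructed sample tree so the script runs anywhere.
demo=$(mktemp -d)
mkdir -p "$demo/site.tld/ssl"
ln -s /nonexistent/live/site.tld/privkey.pem "$demo/site.tld/ssl/site.tld-le.key"
: > "$demo/site.tld/ssl/site.tld.key"     # regular file, must survive
list_le_links "$demo/site.tld/ssl"
remove_le_links "$demo/site.tld/ssl"
rm -rf "$demo"
```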
While you were right before that @till, my answer was in response to his replies later on where he followed @Taleman's advice and faced new problems due to that (as quoted above). I understand your frustration and I feel sorry for it but his action has already been done even before I participated in this thread. The way I see it he can fix manually one by one as per your advice or he can reset and redo his new server properly this time i.e. with certbot option and migrate again thereafter.