Server certificate renewal failed

Discussion in 'Installation/Configuration' started by Daniel Martins, Nov 20, 2023.

  1. Daniel Martins

    Daniel Martins New Member

    I updated ispconfig to version 3.2.11p1. The server certificate has expired and I cannot renew it.
    I tried to renew using the ispconfig_update.sh --force command and an updated ispserver.crt is generated.
    (screenshot: upload_2023-11-20_1-20-43.png)
    But using SSL Checker gives information that it is expired.

    (screenshot: upload_2023-11-20_1-19-41.png)

    I use acme.sh

    Can you help me?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    ISPConfig UI uses port 8080 with that certs while by default the SSL checker is checking at port 443.
     
  3. Daniel Martins

    Daniel Martins New Member

    Is it possible to configure SSL for port 443?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Have you restarted web server after installing new certificate?
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Definitely possible, but highly not recommended nor advisable for the ISPConfig server FQDN unless your mastery of Linux commands and of ISPConfig is very good, because it will require quite some tedious manual work to make it update-proof.

    There are threads where people were asking on how to use port 443 for ISPConfig server FQDN which will involve modifying and using custom ISPConfig vhost.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Port 443 probably currently ends up on the system's default vhost, so it does not use the ISPConfig SSL cert. Edit the default vhost and change the path for the SSL cert and key inside it to point to the ISPConfig SSL cert and key in /usr/local/ispconfig/interface/ssl/
     
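    A quick way to confirm the situation ahrasis and till describe (port 8080 presenting the ISPConfig certificate while port 443 lands on a different vhost) is to compare the certificate each port actually serves with the renewed file on disk, rather than trusting an online SSL checker that only looks at 443. The script below is an added example, not code from this thread or from ISPConfig: the hostname, the CHECK_HOST variable and the temp-file handling are its own assumptions; the certificate path is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig): report which certificate
# a TLS port actually serves and whether it matches the renewed file on disk.
set -e

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fingerprint_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Fetch the leaf certificate presented at host:port for the given SNI name and
# write it as PEM to outfile. SNI matters: without a matching server_name nginx
# answers from the default vhost, which is exactly the port-443 case in the thread.
fetch_served_cert() {  # host port sni outfile
    openssl s_client -connect "$1:$2" -servername "$3" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$4"
}

# Return 0 if the certificate in the PEM file expires within the given number of
# days (0 = already expired), 1 if it is still valid beyond that window.
cert_expires_within() {  # days pemfile
    if openssl x509 -checkend $(( $1 * 86400 )) -noout -in "$2" >/dev/null; then
        return 1
    else
        return 0
    fi
}

# Compare the served certificate on one port with the on-disk one.
# Prints a one-line verdict; returns 0 on a fingerprint match, 1 on mismatch.
check_port() {  # host port sni diskpem
    tmp=$(mktemp)
    fetch_served_cert "$1" "$2" "$3" "$tmp"
    served=$(cert_fingerprint_file "$tmp")
    ondisk=$(cert_fingerprint_file "$4")
    if cert_expires_within 0 "$tmp"; then state="EXPIRED"; else state="valid"; fi
    rm -f "$tmp"
    if [ "$served" = "$ondisk" ]; then
        echo "port $2: serves the on-disk cert ($state)"
        return 0
    fi
    echo "port $2: serves a DIFFERENT cert ($state): $served vs disk $ondisk"
    return 1
}

# Live check only when asked for, so the functions can also be sourced offline.
# Usage: CHECK_HOST=ispconfig.example.test sh check_cert.sh   (hostname is a placeholder)
if [ -n "${CHECK_HOST:-}" ]; then
    disk=/usr/local/ispconfig/interface/ssl/ispserver.crt   # path quoted in the thread
    check_port "$CHECK_HOST" 8080 "$CHECK_HOST" "$disk" || true
    check_port "$CHECK_HOST" 443  "$CHECK_HOST" "$disk" || true
fi
```

    Run it on the ISPConfig server itself so the on-disk path resolves. A mismatch on 443 together with a match on 8080 is the wrong-vhost problem; a mismatch on both after a renewal usually means nginx was not reloaded and is still holding the old certificate in memory.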
  7. Daniel Martins

    Daniel Martins New Member

    I use nginx and this is the server configuration.

    I think ssl is also pointed to 443

    (screenshot: upload_2023-11-20_12-52-7.png)
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so the problem is a bit different: you created a website for the server hostname. This means the SSL cert will fail either for ISPConfig or for this website, as acme.sh deploys the SSL cert to one location only and you have two different vhosts that use it (ISPConfig and the website).
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I agree with @till and, as said, it is highly not recommended nor advisable, though you can make the ISPConfig UI work on port 443 by modifying and using a custom ISPConfig vhost.

    But if you wish to use this method, try using this for default vhost (change the sub domain to yours):
    Code:
    # Default vhost: catches requests for names that have no vhost of their own
    # (including bare-IP access) and bounces them to the landing page below.
    server {
            listen 80 default_server;
            listen [::]:80 default_server;
    
            root /var/www/html;
    
            index index.html index.htm index.nginx-debian.html;
    
            server_name _;
    
            # 'return 404' fires for every request; the absolute URL in error_page
            # turns that 404 into a 302 to the landing page, so the location block
            # below is never reached.
            error_page 404 https://ispconfig.domain.tld/index.html;
            return 404;
    
            location / {
                    try_files $uri $uri/ =404;
            }
    }
    # Landing page for the server FQDN on 443, served with the ISPConfig UI's own
    # certificate, so ports 443 and 8080 present the same (renewed) cert.
    server {
            listen 443 ssl http2;
            listen [::]:443 ssl http2 ipv6only=on;
    
            ssl_protocols TLSv1.3 TLSv1.2;
            # Same files the ISPConfig UI vhost on 8080 uses; this is the one
            # location acme.sh deploys the renewed cert to.
            ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
            ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
            ssl_stapling on;
            # Stapling verification needs the issuer chain available to nginx
            # (a full-chain ispserver.crt, or ssl_trusted_certificate).
            ssl_stapling_verify on;
            ssl_ecdh_curve secp521r1:secp384r1:prime256v1;
            # Resolver is used for the OCSP lookups behind ssl_stapling.
            resolver 8.8.8.8 8.8.4.4 1.1.1.1 1.0.0.1 valid=300s;
    
            server_name ispconfig.domain.tld;
    
            root /var/www/html;
            index index.html;
    
            location / {
                    try_files $uri $uri/ =404;
            }
    }
    You can edit /var/www/html/index.html to your liking as landing page for your server.

    Note that this is different from making the ISPConfig UI run on port 443 instead of 8080.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not sure if this is what he intends to do. His issue is that the SSL cert for the website he created for the hostname expired, so he most likely does not want to run ISPConfig on port 443, all he wants is to have a valid cert for ISPConfig and that website. So I think the solution for the default vhost that you posted in conjunction with removing that website is a good way.
     
  11. Daniel Martins

    Daniel Martins New Member

    Right, what I wanted was a valid certificate for ispconfig and for the website with the hostname.

    I removed the site and now the hostname is not listed on the certificate, it has taken over another domain.

    Should I indicate my domain in the default vhost?

    (screenshot: upload_2023-11-20_23-40-40.png)
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The above advice is still valid if you are using acme.sh as your LE client for your server, but do note that certbot as the LE client on an ISPConfig server does not have the same effect, since it uses a symlink approach, so you can have both the website and the ISPConfig UI using the same server FQDN.
     
    Last edited: Nov 21, 2023
