Server SSL did not auto-update - Expired

Discussion in 'Installation/Configuration' started by FutureX, Jul 14, 2022.

  1. FutureX

    FutureX New Member

    I just noticed that the server SSL did not auto-update. The individual website SSLs are updating fine but when I FTP in it says the cert expired on July 4, 2022.
    What's the best way to configure the server to auto-update the SSL cert?
    Thanks!
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    The ISPConfig server auto-updates the certificate automatically.
    How was this system installed?
    Use this to get some info; there is a part about FAQ Let's Encrypt errors, if you use LE to get the server certificate.
    https://forum.howtoforge.com/threads/please-read-before-posting.58408/
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If you use certbot and installed it using apt beware that you need to uninstall it, install snap and then install certbot using snap.

    Other than that, as @Taleman said, follow LE FAQ to troubleshoot. Provide more info for us to help if that doesn't work either.
     
  4. FutureX

    FutureX New Member

    I used the perfect server - Ubuntu 20.04 to install. I'm going through the FAQs now. Thanks for the info!
     
  5. FutureX

    FutureX New Member

    Did a couple of tests and they show that certbot is not installed.
    I ran:
    apt-cache policy certbot | grep Installed
    Result:
    Installed: (none)

    and

    certbot --version
    result:
    Command 'certbot' not found, but can be installed with:
    apt install certbot
    Please ask your administrator.

    If I install certbot using the install instructions here: https://certbot.eff.org/instructions?ws=apache&os=ubuntufocal will that mess anything up with my websites that are updating properly?

    I'm on Ubuntu 20.04
    ISPConfig 3.2.8p1
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Current ISPConfig versions use acme.sh and not Certbot, so do not install Certbot as it would break your server. Instead, check if acme.sh is installed:

    ls /root/.acme.sh

    Do you have a website with the exact same name as the hostname of your server which has SSL enabled too?
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Based on his response that he followed the Ubuntu 20.04 PST, he most probably was using certbot and not acme.sh, as that tutorial never mentioned installing the latter, unless he means another tutorial instead.

    If he did set up his server via that tutorial, we do not know why certbot was missing, but checking for acme.sh is the right thing to do, though installing acme.sh might not be.

    Even if there is now acme.sh as LE client, which we are not sure how he got installed, if he confirmed following the Ubuntu 20.04 PST, he will have to remove that and reinstall certbot via snap.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    We have two tutorials for installing ISPConfig on Ubuntu 20.04, one uses acme.sh (the currently recommended guide which is based on the auto installer) and the other certbot (the old perfect server guide). So if he followed the latest guide for Ubuntu 20.04, then his setup uses acme.sh.

    That is entirely wrong, never change the installed LE client. If he followed the most recent Ubuntu guide, then he is using acme.sh and he should keep using that. And even if he had used the 'old' perfect server guide and left out the certbot install step, then acme.sh was installed automatically. And as he just has an issue with renewals, it is quite likely that he just hit the acme.sh issue where acme.sh can not update the ISPConfig LE cert when there is a website with the same name as the hostname, as acme.sh will copy the renewed SSL cert only to the site and not to the ISPConfig SSL folder.

    So let's just wait until he confirms which LE client is used by answering my question from above, as it's impossible to give him the right recommendation for the fix without knowing the LE client of the system.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Agreed.
     
  10. FutureX

    FutureX New Member

    Thanks for all the info! Yes acme.sh is installed. There is account.conf, acme.sh, acme.sh.env, ca, deploy, etc. And all the website names.
    I don't have a website name with the exact name as the host name. I added 'vps' to the main domain name. vps.xxxx.com

    This is the Let's Encrypt log (x'ing out the actual domain name):

    [Fri Jul 15 00:32:02 UTC 2022] di='/root/.acme.sh/vps.xxx.com/'
    [Fri Jul 15 00:32:02 UTC 2022] d='vps.xxx.com'
    [Fri Jul 15 00:32:02 UTC 2022] _renewServer
    [Fri Jul 15 00:32:02 UTC 2022] Using config home:/root/.acme.sh
    [Fri Jul 15 00:32:02 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Jul 15 00:32:02 UTC 2022] DOMAIN_PATH='/root/.acme.sh/vps.xxx.com'
    [Fri Jul 15 00:32:02 UTC 2022] Renew: 'vps.xxx.com'
    [Fri Jul 15 00:32:02 UTC 2022] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Jul 15 00:32:02 UTC 2022] Renew to Le_API=https://acme-v02.api.letsencrypt.org/directory
    [Fri Jul 15 00:32:02 UTC 2022] Using config home:/root/.acme.sh
    [Fri Jul 15 00:32:02 UTC 2022] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri Jul 15 00:32:02 UTC 2022] Skip, Next renewal time is: 2022-08-04T00:32:46Z
    [Fri Jul 15 00:32:02 UTC 2022] Add '--force' to force to renew.
    [Fri Jul 15 00:32:02 UTC 2022] Return code: 2
    [Fri Jul 15 00:32:02 UTC 2022] Skipped vps.xxx.com
    [Fri Jul 15 00:32:02 UTC 2022] _error_level='3'
    [Fri Jul 15 00:32:02 UTC 2022] _set_level='2'
    [Fri Jul 15 00:32:02 UTC 2022] ===End cron===


    Now I'm confused. On the ISPConfig admin webpage I click the lock next to the URL and it shows a current cert not expiring until Sep 2. But when I use CyberDuck to FTP in it shows the cert for vps.xxx.com expired on July 4, 2022. I also just tried a new connection with FileZilla and it's showing the expired cert of July 4, 2022.
     
    Last edited: Jul 15, 2022
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to restart the ftp server to see if your FTP clients show the correct cert then as well:

    sudo service pure-ftpd-mysql restart
     
  12. FutureX

    FutureX New Member

    Restarting FTP server did not work, still seeing the old cert.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Please try to run these commands:

    Code:
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    service pure-ftpd-mysql restart
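    The failure mode till describes here is that acme.sh renewed ispserver.crt but the combined key+cert file pure-ftpd serves (ispserver.pem) was never rebuilt, so FTP clients keep seeing the expired certificate. Below is an added check script, not from the thread or from ISPConfig, that detects a stale combined PEM by comparing the certificate blocks in ispserver.pem against ispserver.crt, and rebuilds it with the same steps as till's commands when they differ. It assumes the ISPConfig layout from this thread (/usr/local/ispconfig/interface/ssl/ holding ispserver.key, ispserver.crt and ispserver.pem) and that /etc/ssl/private/pure-ftpd.pem points at that combined file; the restart is skipped when the directory is not the live one.

```shell
#!/bin/sh
# Added example: detect and repair a stale combined PEM for pure-ftpd.
# Assumption: ISPConfig stores the renewed cert in ispserver.crt and
# pure-ftpd reads the combined key+cert file ispserver.pem.

# Print only the certificate blocks of a PEM file (private keys are ignored,
# so a key+cert bundle and a plain cert file become comparable).
cert_blocks() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# Return 0 when the certificate(s) inside the combined pem equal the
# certificate(s) in crt, 1 when they differ, 2 when a file is unreadable.
pem_matches_crt() {
    pem="$1"; crt="$2"
    if [ ! -r "$pem" ] || [ ! -r "$crt" ]; then return 2; fi
    [ "$(cert_blocks "$pem")" = "$(cert_blocks "$crt")" ]
}

# Rebuild ispserver.pem from ispserver.key + ispserver.crt inside dir,
# keeping a timestamped backup of the old bundle (the fix from the thread).
rebuild_pem() {
    dir="$1"
    if [ -f "$dir/ispserver.pem" ]; then
        mv "$dir/ispserver.pem" "$dir/ispserver.pem-$(date +%y%m%d%H%M%S).bak"
    fi
    cat "$dir/ispserver.key" "$dir/ispserver.crt" > "$dir/ispserver.pem"
    chmod 600 "$dir/ispserver.pem"
}

# Check the live directory; rebuild and restart pure-ftpd only when stale.
check_and_fix() {
    dir="${1:-/usr/local/ispconfig/interface/ssl}"
    if pem_matches_crt "$dir/ispserver.pem" "$dir/ispserver.crt"; then
        echo "combined pem in $dir matches ispserver.crt"
        return 0
    fi
    echo "combined pem in $dir is stale, rebuilding"
    rebuild_pem "$dir"
    if [ "$dir" = "/usr/local/ispconfig/interface/ssl" ]; then
        chmod 600 /etc/ssl/private/pure-ftpd.pem
        service pure-ftpd-mysql restart
    fi
    return 1
}

# Run against the live server only when explicitly asked for.
if [ "${ISPCONFIG_SSL_CHECK:-}" = "run" ]; then check_and_fix; fi
```

To confirm what pure-ftpd actually presents after the restart, `openssl s_client -connect vps.example.com:21 -starttls ftp` shows the served certificate and its validity dates.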
     
  14. FutureX

    FutureX New Member

    That worked! Thank you!
     
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am sure that solved the problem only temporarily, as the main problem is that the LE certs for the server were not automatically renewed, or they were not automatically extended to other services on that server (in this case FTP).

    Can't properly help simply by checking whether acme.sh or certbot was installed but rather need to know which one was first installed and used in that server.

    A switch of these LE clients could be the cause but can't know for sure unless the above is confirmed and if needed, fixed.

    If truly acme.sh is installed first, then running ISPConfig force update is the best to fix it, otherwise, if there was a switch, cleanly reverting back to the original LE client then running ISPConfig force update is the best to fix it.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    So we know now that the LE cert was renewed properly, so there is no issue with the cert renewal. But the combined SSL cert which is used by pure-ftpd was not built automatically.

    As @ahrasis is still not convinced that you are not using certbot, please post the output of:

    ls /etc/letsencrypt
     
  17. FutureX

    FutureX New Member

    Here is the output:

    sudo ls /etc/letsencrypt
    ls: cannot access '/etc/letsencrypt': No such file or directory
     
