Hi all,

This server is 2 years old, Ubuntu 16.04.5, ISPC 3.1.13.

I received emails from LetsEncrypt telling me that domain certificates will expire. (I didn't take care, as all was running OK for the last 2 years.)

Now the certificates have expired ... the last logfile from LetsEncrypt is dated 2018-11-15 and it says:

Code:
cat /var/log/letsencrypt/letsencrypt.log
2018-11-14 16:01:14,809:DEBUG:certbot.main:Root logging level set at 20
2018-11-14 16:01:14,810:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-11-14 16:01:14,810:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
2018-11-14 16:01:14,810:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'fr_FR.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/sbin:/usr/sbin:/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:/usr/X11R6/bin', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
2018-11-14 16:01:14,810:DEBUG:certbot.main:certbot version: 0.12.0
2018-11-14 16:01:14,810:DEBUG:certbot.main:Arguments: ['-n', '--post-hook', "echo '1' > /usr/local/ispconfig/server/le.restart"]
2018-11-14 16:01:14,810:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#nginx,PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2018-11-14 16:01:14,819:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,823:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,826:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,829:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,832:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,835:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,838:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,841:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,844:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,846:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,850:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,852:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,855:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,859:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,861:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,864:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,867:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,870:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,873:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,873:DEBUG:certbot.renewal:no renewal failures

I have unchecked / rechecked the LE SSL under Sites for one site to test. The certificate seems to have been updated:

Code:
-r-------- 1 root root 3,2K janv. 21 11:38 competitions.tennisdetable-nc.nc-le.key.old.20190121113803
-r-------- 1 root root 2,5K janv. 21 11:38 competitions.tennisdetable-nc.nc-le.crt.old.20190121113803
-r-------- 1 root root 1,7K janv. 21 11:38 competitions.tennisdetable-nc.nc-le.bundle.old.20190121113803
-r-------- 1 root root 3,2K janv. 21 11:48 competitions.tennisdetable-nc.nc-le.key.old.20190121114802
lrwxrwxrwx 1 root root 66 janv. 21 11:48 competitions.tennisdetable-nc.nc-le.key -> /etc/letsencrypt/live/competitions.tennisdetable-nc.nc/privkey.pem
-r-------- 1 root root 4,1K janv. 21 11:48 competitions.tennisdetable-nc.nc-le.crt.old.20190121114802
lrwxrwxrwx 1 root root 68 janv. 21 11:48 competitions.tennisdetable-nc.nc-le.crt -> /etc/letsencrypt/live/competitions.tennisdetable-nc.nc/fullchain.pem
-r-------- 1 root root 1,7K janv. 21 11:48 competitions.tennisdetable-nc.nc-le.bundle.old.20190121114802
lrwxrwxrwx 1 root root 64 janv. 21 11:48 competitions.tennisdetable-nc.nc-le.bundle -> /etc/letsencrypt/live/competitions.tennisdetable-nc.nc/chain.pem

But browsers are still showing an invalid certificate date when visiting the website (cache deleted on browsers).

Thanks a lot for pointing me in the right direction about these renewal troubles!

Nicolas
Since you could update that first. There are lots of LE discussions on this forum and instructions on how to debug it to find why it is not working correctly.
Thanks @Taleman for your answer! The thing is that my previous readings were saying not to use any letsencrypt-auto, as it was handled by ISPConfig. I'll update my readings, then ...
ISPConfig uses the certbot installed in the operating system. It must be up-to-date for things to work from ISPConfig.
I have manually launched certbot-auto (without any arguments); it displayed:

Code:
Upgrading certbot-auto 0.12.0 to 0.30.0...
Replacing certbot-auto...
Creating virtual environment...
Installing Python packages...
Installation succeeded.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache
Which names would you like to activate HTTPS for?

I think I should have stopped there, but I went forward and applied it to the whole proposed domain list.

The situation is still the same: domains with expired SSL are still showing expired SSL certs (even after untick / tick LE in Sites; a sites resync didn't solve it either).

I continue to look for solutions in posts here.

EDIT: from memory, this server was set up first with ISPConfig 3.1 / Ubuntu 14.05, then upgraded to Ubuntu 16.04 and ISPConfig 3.1.13.

I compare with a new ISPConfig 3.1.13 / Ubuntu 18.04: I have no:

Code:
/etc/cron.d/certbot
/usr/bin/certbot

Is there any hope of getting this LE renewal running, or should I resolve to re-install?

Thanks again for your time.
Because of this, the certificate files are now created by certbot directly, and ISPConfig cannot create certificates. You can use it this way, but then you have to fix it so it works correctly. It may be that the old certificate files are confusing certbot now.

There is a FAQ for fixing Let's Encrypt when ISPConfig is used: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

Old similar thread, the first one an Internet search engine found: https://www.howtoforge.com/community/threads/ubuntu-16-04-letsencrypt-not-working.79568/
Solved with:

Code:
apt-get install software-properties-common
add-apt-repository ppa:certbot/certbot
apt-get update
apt-get install python-certbot-apache

Then I untick/tick the LE cert under each website to update the certs.

One useful command to watch your LE certs:

Code:
certbot certificates

Now wait 90 days to see if the renewal runs as expected... (should be)

Thanks again for your tracks @Taleman !!!
Certbot starts trying to renew a certificate when there are less than 30 days left. So only wait 60 days.
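
A check for the failure mode in this thread (a renewal log that went silent while certificates ran out), added here as an example and not taken from any post, ISPConfig or certbot: it reads a certbot log and flags a stale last run and the old-client warning. The function names, the 30-day staleness threshold (chosen to match the renewal window mentioned above) and the sample lines (abridged from the log in the first post) are assumptions; it needs GNU `date -d`.

```bash
#!/usr/bin/env bash
# Added example: audit a certbot log for the failure mode seen in this thread.
# SAMPLE_LOG is constructed: lines abridged from the log quoted in the first post.
SAMPLE_LOG='2018-11-14 16:01:14,810:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates
2018-11-14 16:01:14,810:DEBUG:certbot.main:certbot version: 0.12.0
2018-11-14 16:01:14,819:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,823:INFO:certbot.renewal:Cert not yet due for renewal
2018-11-14 16:01:14,873:DEBUG:certbot.renewal:no renewal failures'

# Timestamp (YYYY-MM-DD HH:MM:SS) of the last timestamped entry read from stdin.
last_run() {
  grep -Eo '^[0-9]{4}-[0-9]{2}-[0-9]{2} [0-9]{2}:[0-9]{2}:[0-9]{2}' | tail -n 1
}

# Whole days between the last log entry and NOW (same format, same time zone).
# usage: days_since_last_run LOGTEXT NOW   (needs GNU date for -d)
days_since_last_run() {
  last=$(printf '%s\n' "$1" | last_run)
  [ -n "$last" ] || return 2
  last_s=$(date -u -d "$last" +%s) || return 2
  now_s=$(date -u -d "$2" +%s) || return 2
  echo $(( (now_s - last_s) / 86400 ))
}

# One finding per line; returns 1 when something needs attention.
# usage: audit_log LOGTEXT NOW [MAX_AGE_DAYS]   (default 30 is an assumption)
audit_log() {
  log="$1"; max_age="${3:-30}"; rc=0
  age=$(days_since_last_run "$log" "$2") || { echo "NO_TIMESTAMP"; return 1; }
  if [ "$age" -gt "$max_age" ]; then
    echo "STALE_LOG age_days=$age"   # renewal job is not running: certs can expire unnoticed
    rc=1
  fi
  if printf '%s\n' "$log" | grep -q 'old copy of letsencrypt-auto'; then
    ver=$(printf '%s\n' "$log" | sed -n 's/.*certbot version: //p' | tail -n 1)
    echo "OUTDATED_CLIENT version=$ver"
    rc=1
  fi
  echo "NOT_DUE count=$(printf '%s\n' "$log" | grep -c 'Cert not yet due for renewal')"
  return "$rc"
}

# Demo: the date of the directory listing in the first post is used as "now".
audit_log "$SAMPLE_LOG" "2019-01-21 11:38:00" || true
```

Against the real file this would be called as `audit_log "$(cat /var/log/letsencrypt/letsencrypt.log)" "$(date '+%F %T')"`, for example from a daily cron job that mails any non-zero result.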