I've got a bunch of websites, secured with LetsEncrypt certificates through ISPConfig, and they've failed to auto-renew last night. I'm not sure why exactly, as it obviously worked in the first place, in order to obtain the certificates to begin with. What "challenges" does ISPConfig use with LetsEncrypt / Certbot? Because if I know what it's attempting to do, then I can investigate more closely why it's suddenly decided not to work. Or possibly some setting has gone wrong. I don't know. I need guidance as to how to diagnose and fix this.
Now I look further into this, I'm noticing that one of the websites (which is, interestingly, alphabetically first) did renew last Wednesday with LetsEncrypt just fine and works. So could it be the case that just one of the certificate renewals failed, but this stopped the overall process, so the others aren't being renewed? Is there a way to manually force ISPConfig / Certbot to go through the renewal process? So that I can directly see where the errors are happening?
Interesting. I manually turned off "LetsEncrypt SSL" in the website settings and then turned it back on. And that particular website came back up with a valid certificate for the next few months. So, apparently, it's not that the LE renewal doesn't work, but that, somehow, the auto-renewal process failed and left them all (except that alphabetically first site) without renewed certificates.
Are you running the latest version of ISPConfig? Lots of LE errors have been corrected in recent versions.
Maybe you have more than one script that runs certbot renewals. Check in /etc/cron.d/ if there is any script that does a certbot --renew run. If there is one, then it's not from ISPConfig and you should try to disable it.
Yes, there was a "certbot" cronjob there. Must have been installed with the certbot package. Worse, as I run a mirrored multi-server cluster, the cronjob was there on every node, who all have shared access to the LetsEncrypt directories (to be able to serve websites from any of the nodes), so I possibly didn't just have more than one script attempting renewal but, in fact, a big "rush" of them all trying it at the same time. In which case, I'm not surprised things drastically went South on the renewal front there. Well, I've manually fixed the certificates and commented out the offending scripts. It should be good now. Although, well, we have to wait a few months to 100% verify that, when the next renewal happens. Thanks. (And I guess I should keep an eye on any updates to the "cerbot" package, just in case it attempts to reinstate the renewal scripts again.)
