[solved] Letsencrypt writes certs but checkbox gets empty after a while

Discussion in 'Installation/Configuration' started by linus, Apr 5, 2017.

  1. gobrien

    gobrien New Member

    Florian,
    Just FYI, mine is doing exactly the same. I upgraded this morning to stable using the upgrade script with no errors.
    When I check the LetsEncrypt box and save, all is well ... the config updates with correct ssl locations and certs are put in
    /var/www/clients/client5/web23/ssl/hostname-le.crt (-le.key and -le.bundle)
    Next trip back to the UI, the box is unchecked and if I change something else about the config and forget to go back and recheck the LE box, it reverts to the old self-signed cert.
    Separately, I went into the database and forced it to ssl_letsencrypt='y'. It stayed that way for a minute or so and then went back to 'n'.
    This is not a problem for me now that I know to re-check the LE box. Let me know if there is anything I should check to help out.
    Gareth.
     
  2. linus

    linus Member

    No, there are no custom files there.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    @gobrien: You can use the ISPConfig debug mode to see why the SSL cert gets reverted.
     
  4. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    And: do you have a *err-file for the domain in /etc/apache2/sites-enabled?
     
  5. linus

    linus Member

    No, I don't think so?
    ls -la /etc/apache2/sites-enabled/
    Code:
    000-apps.vhost
    000-default.conf
    000-ispconfig.conf
    000-ispconfig.vhost
    100-example.com.vhost
    
     
  6. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Sorry, sites-available.
     
  7. linus

    linus Member

    No, I couldn't find any of those either:

    ls -la /etc/apache2/sites-available/*err*
    ls: cannot access /etc/apache2/sites-available/*err*: No such file or directory
     
  8. linus

    linus Member

    Thank you, Florian! Florian found an apache-plugin for ispconfig on my dns slave server. He said if you run a mirror ispconfig, all services will be mirrored. As long as server-plugin is active, this will be executed and apache could not find the cert so the slave disabled LE. In the system server services for the slave I had only DNS-server checked and Is mirror of server, but somehow I had installed the apache plugin too.

    Days of wondering came to an end. =)
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This problem would/could have been avoided even with the bad apache plugin present if/when the ability to mirror selected services is implemented. I found https://git.ispconfig.org/ispconfig/ispconfig3/issues/990 for DNS specifically, though I thought there was another ticket for the issue a little more generally (ie. so you could set a server to mirror another service on a per-service basis).
     
    Baptistev likes this.
  10. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    This problem does not exist when you do not install "useless" software. I.e. you don't need apache on a dns-server. I don't see any problems if we send all data to a mirror. But we may be able to enable/disable plugins on a server when you enable/disable a service using the GUI.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes, it's mostly harmless the way it's currently implemented (the extra data would cause a little overhead but be unused); the per-service mirroring would be a new feature to handle scenarios like: server1 is web+dns, server2 is mail+dns mirror (only dns service is mirrored).
     
    Baptistev and elmacus like this.
