The problem comes from the fact that this domain once upon a time had an alias domain, and now the certificate for the alias domain cannot be renewed since the domain no longer exists. So I went into ISPCFG3 and deleted every trace of this alias domain, then waited for the cert to be renewed, but it still seems not to work. I looked into /etc/letsencrypt/renewal and see:

-rw-r--r-- 1 root root 758 Sep 11 09:35 intramed.sa.com-0001.conf
-rw-r--r-- 1 root root 761 May 30 04:05 intramed.sa.com.conf

The -0001.conf file is actually the correct one, as it does not contain the old alias domain. Here is the content of intramed.sa.com.conf:

Code:
# renew_before_expiry = 30 days
version = 0.10.1
archive_dir = /etc/letsencrypt/archive/intramed.sa.com
cert = /etc/letsencrypt/live/intramed.sa.com/cert.pem
privkey = /etc/letsencrypt/live/intramed.sa.com/privkey.pem
chain = /etc/letsencrypt/live/intramed.sa.com/chain.pem
fullchain = /etc/letsencrypt/live/intramed.sa.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 67f3e868662cb26281a9f10801ca1e09
authenticator = webroot
rsa_key_size = 4096
installer = None
[[webroot_map]]
www.intramed.sa.com = /usr/local/ispconfig/interface/acme
intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
www.intramed-distribution.co.za = /usr/local/ispconfig/interface/acme
intramed.sa.com = /usr/local/ispconfig/interface/acme

intramed.sa.com is the current domain; intramed-distribution was the old alias domain. What shall I do, edit this file by hand and remove the old alias domain? Also, I used to go and edit the site in ISPCFG3, then save to trigger the cert check/renewal. How else can I do this via the command line?
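Added example, not from this thread or from the ISPConfig project: a small POSIX shell script that lists the domains a certbot renewal conf will ask for (the [[webroot_map]] section in the 0.10.x layout shown above) and flags any that are not in the list you expect, so a stale alias domain can be spotted in each *.conf under /etc/letsencrypt/renewal before the next renewal run. The conf it writes is constructed, with example.com and old-alias.example.net standing in for the real names.

```shell
#!/bin/sh
# Added example (not from the thread): find stale domains in a certbot
# renewal conf. Assumes the 0.10.x layout shown in the thread, i.e. a
# [[webroot_map]] section holding "domain = /webroot" lines.

# Print the domain names found in the [[webroot_map]] section, one per line.
renewal_conf_domains() {
    awk '
        /^\[\[webroot_map\]\]/ { inmap = 1; next }
        /^\[/                  { inmap = 0 }
        inmap && /=/ {
            sub(/[ \t]*=.*/, "")   # keep only the left-hand side (the domain)
            gsub(/^[ \t]+/, "")
            print
        }
    ' "$1"
}

# Print domains present in the conf but not in the expected list given as
# the remaining arguments. Exit 1 if any stale domain is found, else 0.
stale_domains() {
    conf=$1; shift
    found=0
    for d in $(renewal_conf_domains "$conf"); do
        keep=0
        for e in "$@"; do
            [ "$d" = "$e" ] && keep=1 && break
        done
        if [ "$keep" -eq 0 ]; then
            echo "$d"
            found=1
        fi
    done
    return $found
}

# Constructed sample conf modelled on the one in the thread, written to a
# temp file; prints the path. Placeholder names and account id throughout.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# renew_before_expiry = 30 days
version = 0.10.1
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef0123456789abcdef
authenticator = webroot
rsa_key_size = 4096
installer = None
[[webroot_map]]
www.example.com = /usr/local/ispconfig/interface/acme
old-alias.example.net = /usr/local/ispconfig/interface/acme
www.old-alias.example.net = /usr/local/ispconfig/interface/acme
example.com = /usr/local/ispconfig/interface/acme
EOF
    echo "$f"
}

# Demo run: the sample conf still lists the retired alias domain.
conf=$(make_sample_conf)
echo "Domains requested by $conf:"
renewal_conf_domains "$conf"
echo "Entries not in the expected set (example.com, www.example.com):"
stale_domains "$conf" example.com www.example.com \
    || echo "-> this conf will request names that can no longer be validated"
rm -f "$conf"
```

On a live box, source the file and call `stale_domains /etc/letsencrypt/renewal/<domain>.conf <domain> www.<domain>` for each lineage; a non-zero exit means the conf still requests a name that cannot be validated, which is the situation in this thread where the older intramed.sa.com.conf carries the alias domain and the -0001 file does not.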
Do you use ISPConfig 3.1.6? If not, update to 3.1.6, then disable LE in the website settings, click save, then enable LE again.
Sorry, totally forgot to mention that I am still on ISPCFG 3.1.5 - will update this weekend. BUT I already tried exactly what you said with 3.1.5, which led to this thread. I just tried again; I see no more errors, yet the cert error is still there. I guess it's possible this is being cached somewhere? I already tried an incognito browser window. Still, these 2 files now have these time stamps:

-rw-r--r-- 1 root root 758 Sep 11 09:35 intramed.sa.com-0001.conf
-rw-r--r-- 1 root root 761 May 30 04:05 intramed.sa.com.conf

It seems something is still giving an error. I don't see errors inside letsencrypt.log:

Code:
cat /var/log/letsencrypt/letsencrypt.log
2017-09-11 08:43:06,683:DEBUG:certbot.main:Root logging level set at 20
2017-09-11 08:43:06,684:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2017-09-11 08:43:06,684:WARNING:certbot.cli:You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
2017-09-11 08:43:06,684:DEBUG:certbot.cli:Deprecation warning circumstances: /root/.local/share/letsencrypt/bin/letsencrypt / {'LANG': 'en_GB.UTF-8', 'SHELL': '/bin/sh', 'SHLVL': '3', 'PWD': '/usr/local/ispconfig/server', 'LOGNAME': 'root', 'HOME': '/root', 'PATH': '/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin', '_': '/root/.local/share/letsencrypt/bin/letsencrypt'}
2017-09-11 08:43:06,684:DEBUG:certbot.main:certbot version: 0.10.1
2017-09-11 08:43:06,684:DEBUG:certbot.main:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'intramed.sa.com', '--domains', 'www.intramed.sa.com', '--webroot-path', '/usr/local/ispconfig/interface/acme']
2017-09-11 08:43:06,685:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#standalone,PluginEntryPoint#manual,PluginEntryPoint#nginx,PluginEntryPoint#webroot,PluginEntryPoint#apache,PluginEntryPoint#null)
2017-09-11 08:43:06,685:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
2017-09-11 08:43:06,688:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
Description: Place files in webroot directory
Interfaces: IAuthenticator, IPlugin
Entry point: webroot = certbot.plugins.webroot:Authenticator
Initialized: <certbot.plugins.webroot.Authenticator object at 0x7f0979dab4d0>
Prep: True
2017-09-11 08:43:06,689:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticator object at 0x7f0979dab4d0> and installer None
2017-09-11 08:43:06,729:DEBUG:certbot.main:Picked account: <Account(67f3e868662cb26281a9f10801ca1e09)>
2017-09-11 08:43:06,730:DEBUG:root:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2017-09-11 08:43:06,758:DEBUG:requests.packages.urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2017-09-11 08:43:06,986:DEBUG:requests.packages.urllib3.connectionpool:https://acme-v01.api.letsencrypt.org:443 "GET /directory HTTP/1.1" 200 561
2017-09-11 08:43:06,987:DEBUG:acme.client:Received response:
HTTP 200
Server: nginx
Content-Type: application/json
Content-Length: 561
Boulder-Request-Id: mqB3TlQEI_qfNtpLnxXDWGOeqZxUA6bWHKpPAHvR5ok
Replay-Nonce: Z4JUSa55Kjl9UOqP9cheWbvSIbgBzHLb4Aez2jjFZuY
X-Frame-Options: DENY
Strict-Transport-Security: max-age=604800
Expires: Mon, 11 Sep 2017 08:43:06 GMT
Cache-Control: max-age=0, no-cache, no-store
Pragma: no-cache
Date: Mon, 11 Sep 2017 08:43:06 GMT
Connection: keep-alive

{
  "key-change": "https://acme-v01.api.letsencrypt.org/acme/key-change",
  "meta": {
    "terms-of-service": "https://letsencrypt.org/documents/LE-SA-v1.1.1-August-1-2016.pdf"
  },
  "new-authz": "https://acme-v01.api.letsencrypt.org/acme/new-authz",
  "new-cert": "https://acme-v01.api.letsencrypt.org/acme/new-cert",
  "new-reg": "https://acme-v01.api.letsencrypt.org/acme/new-reg",
  "revoke-cert": "https://acme-v01.api.letsencrypt.org/acme/revoke-cert",
  "yzfTr3YIqm0": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417"
}
2017-09-11 08:43:07,419:INFO:certbot.renewal:Cert not yet due for renewal
2017-09-11 08:43:07,420:INFO:certbot.main:Keeping the existing certificate
Need to open this old thread of mine again. I have hit a problem which looks to be the same one: another domain can't get a new certificate as it has an alias domain. I then went and edited the alias domain and ticked the box "don't add to letsencrypt certificate", but when trying to activate letsencrypt for the main domain I get:

Code:
Date: Sun, 18 Mar 2018 20:40:06 +0100 (CET)
Subject: 18.03.2018-19:40 - WARNING - Reason for nginx rest...

18.03.2018-19:40 - WARNING - Reason for nginx restart failure: nginx: [emerg] BIO_new_file("/var/www/clients/client2/web8/ssl/foodandchatter.co.za.crt") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/var/www/clients/client2/web8/ssl/foodandchatter.co.za.crt','r') error:2006D080:BIO routines:BIO_new_file:no such file)
nginx: configuration file /etc/nginx/nginx.conf test failed

It is looking for a domain.tld.crt, but I only have a domain.tld-le.crt.
Oh, and now in /etc/letsencrypt/live/ this domain has 2 folders: one with its name and another one with -0001 at the end :-(
OK, so I unchecked letsencrypt in ISPCFG 3, then deleted the folders for this domain in /etc/letsencrypt/live and all the symlinks inside the domain's ssl folder. Then I ticked the letsencrypt box in ISPCFG 3 again and am again getting "not found" for the domain.tld.crt file - why does ISPCFG3 create it with -le at the end? Any tips? The site is now obviously offline until I figure this one out.
My guess is that you use an old custom vhost template file in /usr/local/ispconfig/server/conf-custom/ which is not compatible with the ISPConfig version that you are using now. Compare the ssl section of your custom file with the one that ships with ispconfig and adjust the custom file accordingly.
Thanks, Till, for the pointer; that makes sense. I did an sdiff between the original nginx_vhost.conf.master and mine. The only lines that differ and have anything to do with ssl are these. The two original lines in mine have been commented out and replaced by the lines from /usr/local/ispconfig/server/conf/nginx_vhost.conf.master:

Code:
#ssl_certificate <tmpl_var name='document_root'>/ssl/ <
#ssl_certificate_key <tmpl_var name='document_root'>/ <
ssl_certificate <tmpl_var name='ssl_crt_file'>;
ssl_certificate_key <tmpl_var name='ssl_key_file'>;

And still, after editing this particular site and checking that the vhost file in /etc/nginx/sites-available gets rewritten, inside that file I see:

Code:
ssl_certificate /var/www/clients/client2/web8/ssl/foodandchatter.co.za-le.crt;
ssl_certificate_key /var/www/clients/client2/web8/ssl/foodandchatter.co.za-le.key;

This seems to have solved the problem, as nginx was previously looking for the files without the "-le", so now it looks good.
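Added example, not from this thread or from the ISPConfig project: a shell check that pulls the ssl_certificate and ssl_certificate_key paths out of an nginx vhost file and reports any that do not exist on disk, which is the condition `nginx -t` failed on above (BIO_new_file ... No such file or directory). Run after ISPConfig rewrites a vhost and before a reload, it catches a stale template that still points at domain.tld.crt instead of domain.tld-le.crt without taking the site down. The vhost directory it creates is constructed (example.com in a temporary directory, with the key present and the .crt deliberately missing).

```shell
#!/bin/sh
# Added example (not from the thread): verify that every certificate file an
# nginx vhost references actually exists before reloading nginx.

# Print the file paths named by ssl_certificate / ssl_certificate_key
# directives in the given nginx config file(s), one per line.
vhost_cert_paths() {
    sed -n -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*/\2/p' "$@"
}

# Print each referenced path that is missing on disk.
# Exit 1 if anything is missing, else 0.
missing_cert_files() {
    missing=0
    for p in $(vhost_cert_paths "$@"); do
        if [ ! -f "$p" ]; then
            echo "$p"
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: a client web directory with the -le key present but the
# vhost still pointing at a .crt that was never written, as in the thread.
# Prints the directory path.
make_sample_vhost() {
    dir=$(mktemp -d)
    mkdir -p "$dir/ssl"
    : > "$dir/ssl/example.com-le.key"
    cat > "$dir/example.com.vhost" <<EOF
server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate $dir/ssl/example.com.crt;
    ssl_certificate_key $dir/ssl/example.com-le.key;
}
EOF
    echo "$dir"
}

# Demo run against the constructed vhost.
d=$(make_sample_vhost)
echo "Certificate files referenced by $d/example.com.vhost:"
vhost_cert_paths "$d/example.com.vhost"
echo "Missing files:"
if missing_cert_files "$d/example.com.vhost"; then
    echo "(none) - safe to run nginx -t and reload"
else
    echo "-> fix the vhost template (conf-custom) before reloading nginx"
fi
rm -rf "$d"
```

On a real server, `missing_cert_files /etc/nginx/sites-available/*.vhost` before `nginx -t` gives the same answer as the failed config test, but as a plain list of paths rather than an OpenSSL error string, and without the restart attempt that left the site offline in this thread.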