Try to enable it; if it doesn't work, post the output of the acme.log here so we can help you debug the issue (remember to remove any private information from the log, e.g. domain names).
To note: if you are migrating from an old ISPConfig server that was using certbot, the new ISPConfig server setup should also use certbot. The only thing to note is that currently you need to install certbot via snap. However, if the old ISPConfig server is already using acme.sh, then use the same in the new ISPConfig server for the migration.
Is that really required? I've migrated some sites from an ISPConfig with certbot to a new one with acme.sh, and after re-enabling SSL it worked just fine.
As so often, it depends on what one needs and what one wants to do. If you want to migrate the SSL certs seamlessly, meaning the new system shall get the old certs, the LE client must be the same. If it's fine for you to create new SSL certs after you migrated the sites and switched DNS, then you can use a different LE client.
Most likely, the DNS is not fully switched to the new system. In such a case, if Let's Encrypt cannot reach the new server yet because either the DNS records have not been changed yet or the DNS changes are not fully propagated, you will not get a new LE cert until the DNS changes are finished. As mentioned before, check everything that's in the LE FAQ; posting the acme.sh log file and the debug log can be helpful as well, but the acme.sh log might suffice for the first step.
Thanks @till. I don't expect it to be DNS, as using online propagation checkers it all looks OK; the DNS changes were made last week. I'll go through the FAQ (properly this time) and post back later ;-) Thanks
Hi @till OK, as I re-migrated my sites because of my certbot error, there are now 2 sites affected with SSL failure, not just 1 as per my original post heading! The site detailed below is a WordPress instance, while the other one is just a standard PHP site, which isn't showing as a directory in /root/.acme.sh/ (see below for context!)...

So, here is what I have done so far:
I checked acme.sh is installed; it reports as version 3.0.5
I am running the latest ISPConfig
There is no NAT
Not using Cloudflare
Domains (and subdomains) are all pointing to the server and DNS is showing as propagated globally. When I go to https://mywebsite.com, it brings up the security warning and if you accept the danger and proceed it actually takes you to https://mywebsite2.com; however if I overwrite the https://mywebsite.com with http://www.mywebsite.com it will take you to the correct, non-HTTPS, website. But both domain/subdomain are landing on the correct server.
Checked Apache version: 2.4.41
Checked 'Server Migration Mode' is unchecked
I've looked for acme.sh.log in /var/log/ispconfig/ & /root/.acme.sh/, but it's not there.

Interestingly, in /root/.acme.sh/ there is a directory which is named mywebsite.com, which is the site which SSL won't work on... so this is obviously a clue!? In this folder is a file called mywebsite.com.conf, the contents of which are:

Code:
Le_Domain='mywebsite.com'
Le_Alt='mywebsite.com'
Le_Webroot='/usr/local/ispconfig/interface/acme'
Le_PreHook=''
Le_PostHook=''
Le_RenewHook=''
Le_API='https://acme.zerossl.com/v2/DV90'

I have searched the server using Midnight Commander and cannot find acme.sh.log. So, I enabled debug loglevel, disabled the server.sh cronjob, then I enabled Let's Encrypt for mywebsite.com. The red circle which shows unapplied changes showed 1 (Update website settings: 1), but never cleared; not sure if this is expected or not?
Anyway, I then manually ran the server script from an SSH session and have attached the log file. I have replaced the real URL with mywebsite.com.
Ooooh, another update... I just went back on my server to re-enable the server.sh cronjob and uncheck the debug loglevel, and noticed the red circle showing pending operations has gone... and now the site is working with SSL. Both https://mywebsite.com and https://www.mywebsite.com seem to be working, although the LetsEncrypt SSL box in Domains is unchecked, whereas on my other sites this too is checked, so should I check it? I also tested on my non-WordPress PHP site, and this one is still not working... so I will re-run the above tests (unless you spot any anomalies) and post the results back here for that site, which was the original non-working SSL issue. Thanks
Code:
18.01.2023-10:48 - DEBUG [system.inc:1819] - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue -d mywebsite.com -d www.mywebsite.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [ $R -eq 0 -o $R -eq 2 ] ; then /root/.acme.sh/acme.sh --install-cert -d mywebsite.com -d www.mywebsite.com --key-file '/var/www/clients/client6/web13/ssl/mywebsite.com-le.key' --fullchain-file '/var/www/clients/client6/web13/ssl/mywebsite.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [ $C -eq 0 ] ; then exit $R ; else exit $C ; fi
[Wed Jan 18 10:48:23 UTC 2023] Please add '--debug' or '--log' to check more details.
[Wed Jan 18 10:48:23 UTC 2023] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
18.01.2023-10:48 - WARNING - Let's Encrypt SSL Cert for: mywebsite.com could not be issued.

So acme.sh is run by ISPConfig, but it failed to receive an SSL cert from Let's Encrypt. You should be able to find the reason in the acme.sh log file.
There is no /var/log/ispconfig/acme.log file; there is also no /root/.acme.sh/acme.sh.log file. However, now that I have tried to apply SSL for the PHP site (mywebsite2.com), it is showing as a directory in /root/.acme.sh/. If I tick the LetsEncrypt SSL and SSL tick boxes in the domains, the WordPress site (mywebsite.com) unticks the LetsEncrypt SSL box but leaves the SSL one selected; on the vanilla PHP site (mywebsite2.com) it deselects both options. All the other sites which migrated already have both SSL and LetsEncrypt SSL selected; I have not tried unchecking and re-checking any of these in case it causes another problem.

I have attached a debug log taken when I try to select SSL for mywebsite2.com... as before, after running server.sh, when I go back into the domain both SSL and LetsEncrypt SSL have been unchecked. I am unable to find /var/log/ispconfig/acme.log or /root/.acme.sh/acme.sh.log anywhere, so some help here would be appreciated.
Run the command from the shell and see what happens.

Code:
/root/.acme.sh/acme.sh --issue -d mywebsite2.com -d www.mywebsite2.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096
Run this command and then test the creation via ISPConfig again:

Code:
acme.sh --set-default-ca --server letsencrypt

If that doesn't work now, run the command from the post before again and report back.
After re-checking the SSL & LetsEncrypt SSL boxes and waiting for the server to apply, both boxes are checked, BUT when you go to https://mywebsite2.com or http://www.mywebsite2.com you now go to the wrong website with HTTPS forced. So we can't even access the HTTP version of the site now.
OK, so you got an SSL cert now. The reasons for this behaviour are described here: https://forum.howtoforge.com/threads/please-read-before-posting.58408/
Hi @till All my sites are set to listen on a specific IP address, as I have had this issue before. I checked in the ISPConfig UI to make sure this was the case, and it was. However, I changed the IP to * on both site A & B, then set it back to the IP address, and they are now working with HTTPS enabled. The only other issue was that https://mywebsite.com showed no SSL enabled, so I checked the LetsEncrypt SSL box, applied, and it's all working now. I also checked all the websites and it's finally all looking good now!

This has proved to be a real pain to sort out, but I really appreciate everyone's help ( @pyte @ahrasis @Taleman ). Can I ask if this was caused by user error? I am not sure that I did anything wrong, but would like to know if this is the case to try and make sure I don't repeat it again in future. Obviously if this is something with the system it might help future development/debugging, or perhaps someone else with the same issue will find this and be able to self-help their issue.

The only thing left to do is work out how to apply an SSL cert on the subdomain for my ISPConfig UI (server.mydomain.com:8080), but I think that's for another day ;-) Anyway, thanks again for all your patience and expertise.
The default CA for acme.sh was set to ZeroSSL, which has been the default for acme.sh since 2021. However, to use ZeroSSL you need an account and have to register your acme.sh with the credentials. I don't know why your acme.sh was still on the default and not on the Let's Encrypt CA, but someone from the team might be able to answer this, as I don't know when or even if ISPConfig changes the CA for acme.sh.
The auto-installer changes the CA at install time when acme.sh is called the first time. Maybe a failure to create the certs during installation, e.g. when the DNS of the hostname was not set up before installation, caused the CA not to change.
This is done at install time and can also be re-done using the ISPConfig update:

Code:
ispconfig_update.sh --force

The failure to set the DNS for the hostname properly upfront, so that LE can reach your system, is probably also the cause of your other issues.
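The CA check that the last few replies describe (the per-domain Le_API in /root/.acme.sh/<domain>/<domain>.conf still pointing at ZeroSSL, with acme.sh --set-default-ca --server letsencrypt as the fix), as an added diagnostic script that is not part of this thread, of ISPConfig or of acme.sh. It assumes acme.sh records the account-wide default under the key DEFAULT_ACME_SERVER in account.conf (an assumption; the thread only shows the per-domain Le_API key) and uses constructed conf contents for testing. It also builds the manual re-issue command from the post above with --log and --debug added: in the posted ISPConfig log, --log is passed only to the --install-cert step, so a failure during --issue leaves no acme.log behind.

```shell
#!/bin/sh
# Added example, not ISPConfig or acme.sh code. Reads the CA an acme.sh domain
# is pinned to and the account-wide default, and reports whether the setup is
# still on ZeroSSL (which needs a registered account) instead of Let's Encrypt.
#
# Assumptions (labelled): per-domain settings live in
# $HOME/.acme.sh/<domain>/<domain>.conf under the key Le_API (as shown in the
# thread); the account default lives in $HOME/.acme.sh/account.conf under the
# key DEFAULT_ACME_SERVER (assumed key name).

# Map an ACME directory URL to a short CA name.
classify_ca() {
    case "$1" in
        https://acme.zerossl.com/*)                      echo zerossl ;;
        https://acme-v02.api.letsencrypt.org/*)          echo letsencrypt ;;
        https://acme-staging-v02.api.letsencrypt.org/*)  echo letsencrypt-staging ;;
        "")                                              echo unset ;;
        *)                                               echo other ;;
    esac
}

# Read the value of a single-quoted KEY='value' line from an acme.sh conf file.
conf_get() {  # conf_get FILE KEY
    sed -n "s/^$2='\(.*\)'\$/\1/p" "$1" | head -n 1
}

# Print the CA used by the domain conf and the account default.
# Returns 1 (with the suggested fix) when the domain is pinned to ZeroSSL or
# the account default is not Let's Encrypt, 0 otherwise.
check_domain_ca() {  # check_domain_ca DOMAIN_CONF ACCOUNT_CONF
    dom_ca=$(classify_ca "$(conf_get "$1" Le_API)")
    acct_ca=$(classify_ca "$(conf_get "$2" DEFAULT_ACME_SERVER)")
    echo "domain CA: $dom_ca, account default: $acct_ca"
    if [ "$dom_ca" = zerossl ] || [ "$acct_ca" != letsencrypt ]; then
        echo "fix: acme.sh --set-default-ca --server letsencrypt, then re-run the issue command and confirm Le_API in the domain conf now points at Let's Encrypt"
        return 1
    fi
    return 0
}

# The --issue command from the thread, plus --log and --debug so that a failure
# in the issue step itself is recorded (ISPConfig's command only logs the
# --install-cert step, which never runs when --issue fails).
manual_issue_cmd() {  # manual_issue_cmd DOMAIN LOGFILE
    echo "/root/.acme.sh/acme.sh --issue -d $1 -d www.$1 -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096 --log $2 --debug"
}

# Usage: ./check_acme_ca.sh /root/.acme.sh/mywebsite.com/mywebsite.com.conf [/root/.acme.sh/account.conf]
[ "$#" -eq 0 ] || check_domain_ca "$1" "${2:-$HOME/.acme.sh/account.conf}"
```

On the thread's own conf (Le_API pointing at acme.zerossl.com) the script reports the ZeroSSL pin and exits non-zero; after the default CA has been switched and the domain re-issued, Le_API should read as Let's Encrypt and the check passes.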