SSL bundle break certificate order [SOLVED]

Discussion in 'ISPConfig 3 Priority Support' started by SupuS, Mar 30, 2018.

  1. SupuS

    SupuS Member HowtoForge Supporter

    Hello,

    when I add a commercial SSL certificate, then the SSLCertificateChainFile directive appears in the apache vhost, but the bundle file is not updated and contains the old intermediate certificate. The intermediate certificate is correctly added to the .crt file on the server too. When I test on ssllabs I get an incorrect order warning.

    The version of Apache is 2.4.10, so there should be no SSLCertificateChainFile directive in the vhost. When I manually delete this line in the vhost, the error about incorrect order disappears.

    The SSLCertificateChainFile is not present on all web servers in the multiserver setup. It seems like somewhere there is deprecated info about the apache version.

    There is no modification of the ispconfig vhost template. The vhost template is the same on all web servers.

    Is it possible to correct this problem?

    ISPConfig 3.1.11
    Multiserver setup
    Apache is 2.4.10
     
  2. SupuS

    SupuS Member HowtoForge Supporter

    Any idea? I found same problem on another ispconfig multiserver cluster.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess the old bundle cert file does not get cleaned up when you switch from Apache 2.2 to 2.4, and when ispconfig finds that file, it gets included. We'll probably have to write a cleanup script to be used when upgrading from Apache 2.2 to 2.4.
     
  4. SupuS

    SupuS Member HowtoForge Supporter

    You are right. When I delete the bundle file manually, ispconfig does not generate the SSLCertificateChainFile directive anymore. Is it safe to find and remove all bundle files and run a websites resynchronize? Thank you
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess this might cause problems. The reason is that ispconfig will try to reload apache when a site has changed; if the file is already missing for the next site, then apache will fail due to the missing bundle file. I guess the best option is that I add some code to the apache plugin that deletes the bundle file when the version is 2.4. This would allow it to run a resync on all sites to clean this up.
     
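    The pre-flight check below is an added example, not ISPConfig's own code and not something posted in this thread. It walks a vhost directory, lists every SSLCertificateChainFile directive, and separates the two cases till describes: a vhost whose bundle file is already missing (the next apache reload would fail on it) and a leftover directive on Apache 2.4 whose bundle file still exists (a cleanup candidate). The directory layout, file names, version threshold and the constructed vhost contents are assumptions for the demo, not ISPConfig's real paths.

```python
import os
import re
import tempfile

# Matches an SSLCertificateChainFile directive and captures its path argument
# (with or without surrounding double quotes).
CHAIN_DIRECTIVE = re.compile(r'^\s*SSLCertificateChainFile\s+"?([^"\s]+)"?', re.MULTILINE)


def parse_version(version):
    """'2.4.10' -> (2, 4, 10) so apache versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def chain_files(vhost_text):
    """All bundle paths referenced by SSLCertificateChainFile in one vhost file."""
    return CHAIN_DIRECTIVE.findall(vhost_text)


def audit_vhost_dir(vhost_dir, apache_version):
    """Return findings as (vhost file name, bundle path, status) tuples.

    status is one of:
      'missing'    - the vhost points at a bundle file that does not exist,
                     so an apache reload with this vhost enabled would fail;
      'deprecated' - apache is 2.4 or newer, the directive should not be
                     there, and the bundle file still exists (cleanup candidate).
    A vhost on Apache 2.2 whose bundle exists produces no finding.
    """
    findings = []
    legacy_apache = parse_version(apache_version) < (2, 4)  # threshold as used in the thread
    for name in sorted(os.listdir(vhost_dir)):
        if not name.endswith(".vhost"):
            continue
        with open(os.path.join(vhost_dir, name), encoding="utf-8") as fh:
            text = fh.read()
        for bundle in chain_files(text):
            if not os.path.isfile(bundle):
                findings.append((name, bundle, "missing"))
            elif not legacy_apache:
                findings.append((name, bundle, "deprecated"))
    return findings


def demo():
    """Build a constructed two-site layout in a temp dir and audit it on '2.4.10'."""
    with tempfile.TemporaryDirectory() as root:
        ssl_dir = os.path.join(root, "ssl")            # constructed, not ISPConfig's path
        vhost_dir = os.path.join(root, "sites-available")
        os.makedirs(ssl_dir)
        os.makedirs(vhost_dir)
        # site1: a 2.2-era bundle file that was never cleaned up still exists.
        bundle1 = os.path.join(ssl_dir, "site1.bundle")
        with open(bundle1, "w", encoding="utf-8") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nconstructed\n-----END CERTIFICATE-----\n")
        # site2: the bundle file was deleted by hand, but the directive is still in the vhost.
        bundle2 = os.path.join(ssl_dir, "site2.bundle")
        for site, bundle in (("site1", bundle1), ("site2", bundle2)):
            with open(os.path.join(vhost_dir, site + ".vhost"), "w", encoding="utf-8") as fh:
                fh.write(
                    "<VirtualHost *:443>\n"
                    f"  ServerName {site}.example\n"
                    "  SSLEngine on\n"
                    f"  SSLCertificateFile {ssl_dir}/{site}.crt\n"
                    f"  SSLCertificateKeyFile {ssl_dir}/{site}.key\n"
                    f"  SSLCertificateChainFile {bundle}\n"
                    "</VirtualHost>\n"
                )
        # Report bundle names only, so the result does not depend on the temp dir path.
        return [(vhost, os.path.basename(bundle), status)
                for vhost, bundle, status in audit_vhost_dir(vhost_dir, "2.4.10")]


if __name__ == "__main__":
    for vhost, bundle, status in demo():
        print(f"{vhost}: {bundle} -> {status}")
```

    Run against a real sites-available directory with the installed apache version string, a non-empty 'missing' list means a resync would hit exactly the failure till warns about, and the 'deprecated' list is the set of files a cleanup would remove.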
  6. SupuS

    SupuS Member HowtoForge Supporter

    I thought about temporarily disabling the syntax check, but your solution is better. I will wait for it :) Thank you
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    This was my first idea too. The drawback with that method would be that if there was a single website where changes were held back for other reasons from being written to the vhost files (like a wrong config in the apache directives field), then the whole apache server would fail in the end.

    I've opened an issue for this task here:

    https://git.ispconfig.org/ispconfig/ispconfig3/issues/5007
     
