Hello, in vhost.conf.master there is a piece of code like below
Code:
    <tmpl_if name='apache_version' op='<' value='2.4.8' format='version'>
    SSLCertificateChainFile <tmpl_var name='ssl_bundle_file'>
    </tmpl_if>
Why is this line
Code:
    SSLCertificateChainFile <tmpl_var name='ssl_bundle_file'>
not in versions higher than 2.4.8? If I test a domain I'm getting a warning that the intermediate file is missing. When I add the line manually back then the error is gone.
Server version: Apache/2.4.37 (centos)

The SSL bundle is included in the certificate file in apache versions >= 2.4.8, see apache docs, it is described there somewhere. And that's what ISPConfig is doing.
Hm, I found it. So the only solution now will be to force a renew on all letsencrypt certificates to fix it. The certificates were exported from the old server (or wait a couple of months).
Normally LE creates a file which contains all chain certs automatically beside one that contains only the cert, so maybe it's enough to change the symlink in the SSL folder of the website in ispconfig to the fullchain cert.

After ispconfig renewed a certificate the problem is still there: Unknown Authority. So my version is Apache/2.4.37 (centos) but there is no bundle file in the config.
Code:
    xxx-le.bundle -> /etc/letsencrypt/live/xxx/chain.pem
    xxx-le.crt -> /etc/letsencrypt/live/xxx/cert.pem
    xxx-le.key -> /etc/letsencrypt/live/xxx/privkey.pem
In the apache config file:
Code:
    SSLCertificateFile /var/www/clients/client170/web1242/ssl/xxx.nl-le.crt
    SSLCertificateKeyFile /var/www/clients/client170/web1242/ssl/xxxx.nl-le.key
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off

That's ok as there should be no bundle file as the bundle is inside the file /var/www/clients/client170/web1242/ssl/aortastam.nl-le.crt
But then I'm getting missing intermediate errors. Jun 30 03:07 /etc/letsencrypt/archive/xxxnl/cert15.pem has only one cert inside.
Do you have a version of that cert in the directory which contains the cert plus chain files? There should be such a file and the symlink should point to it on systems with current apache 2.4 servers.

I have:
    4 -rw-r--r-- 1 root root 2273 Jun 30 03:07 cert15.pem
    4 -rw-r--r-- 1 root root 1647 Jun 30 03:07 chain15.pem
    4 -rw-r--r-- 1 root root 3920 Jun 30 03:07 fullchain15.pem
    4 -rw-r--r-- 1 root root 3272 Jun 30 03:07 privkey15.pem
So you mean fullchain15.pem. The config is not pointing to that file. Maybe this is a little bug in the migration tool? I did a resync on all sites but that didn't change the symlink then it works. I checked new domains, they linked to fullchain. So I need to change all symlinks for all other domains manually :-(

Which shows you that it's not related to the migration tool. Try to uncheck SSL and let's encrypt for the website, press save, then enable let's encrypt and SSL again and press save.

In server/lib/classes/letsencrypt.inc.php I see this piece of code
Code:
    if(@is_link($crt_file)) $app->system->unlink($crt_file);
    if(@file_exists($crt_tmp_file))$app->system->exec_safe("ln -s ? ?", $crt_tmp_file, $crt_file);
If I read the file correctly then it should always unlink the cert on renewal? Or is this file only called on new certs? If I look on a renewed certificate then the site /ssl map is untouched for more than a year.
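
The cause found earlier in this thread is a `-le.crt` symlink that points at `cert.pem` instead of `fullchain.pem`. The following is an added example, not part of the original posts and not ISPConfig code, that finds every such symlink across website `ssl/` directories instead of checking them by hand. The function names and state labels are made up for illustration.

```sh
#!/bin/sh
# Added example, not ISPConfig code. On Apache >= 2.4.8 without
# SSLCertificateChainFile, the file behind SSLCertificateFile must contain
# the leaf certificate followed by the intermediate(s).

# Print the number of PEM certificate blocks in a file.
count_pem_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null || true
}

# Classify one certificate path. Prints OK (two or more certificates),
# NO_CHAIN (fewer than two) or MISSING (dangling symlink / no such file).
# This counts blocks only; it does not validate the chain itself.
classify_crt() {
    [ -e "$1" ] || { echo MISSING; return 0; }
    n=$(count_pem_certs "$1")
    if [ "${n:-0}" -ge 2 ]; then echo OK; else echo NO_CHAIN; fi
}

# Walk the given ssl/ directories and print one tab-separated line
# (state, path, symlink target) for every *-le.crt that is not OK.
audit_ssl_dirs() {
    for dir in "$@"; do
        for crt in "$dir"/*-le.crt; do
            [ -e "$crt" ] || [ -L "$crt" ] || continue   # unmatched glob
            state=$(classify_crt "$crt")
            [ "$state" = OK ] && continue
            target=$(readlink "$crt" 2>/dev/null || echo '(regular file)')
            printf '%s\t%s\t%s\n' "$state" "$crt" "$target"
        done
    done
}

# Usage, with the directory layout shown in the thread:
#   audit_ssl_dirs /var/www/clients/client*/web*/ssl
```

A NO_CHAIN entry whose target ends in `cert.pem` is the case from this thread; pointing that symlink at the `fullchain.pem` in the same `live/` directory and reloading Apache is the change that made the warning go away above.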