Switched from certbot to acme.sh, server issues on SSL renewal

Discussion in 'General' started by ISPCNoob, Oct 16, 2024.

  1. ISPCNoob

    ISPCNoob New Member

    Hello,

    Long story short, a few months ago I switched over from certbot to acme.sh. The transition went smoothly. My server certificates have come up for renewal and they have all failed. I tried to manually renew them but I'm getting connection refused errors.

    I manually tried to renew and I can see the .well-known dir being filled with the verification file however this error happens:
    [Tue Oct 15 08:14:43 PM CDT 2024] errordetail='IP_REMOVED: Fetching http://domain.com/.well-known/acme-challenge/ttH9UjAYXcJQUGQpl-1RDmOyvNp1_JQSOnGbeW_OErc: Connection refused'

    When trying to start nginx I get the following error:
    SSL_CTX_use_PrivateKey("/usr/local/ispconfig/interface/ssl/ispserver.key") failed (SSL: error:05800074:x509 certificate routines::key values mismatch)

    The crt/key files inside /usr/local/ispconfig/interface/ssl are symlinked to the LE certs. I was able to generate a self-signed SSL cert and get the servers in my cluster back online. However, all LE SSL certs/renewals are now failing. Manually trying to renew via the acme.sh script results in the connection refused errors and takes nginx offline. I can manually restart it with the self-signed SSL certs.

    Is there a process to switch back to certbot from acme.sh? The switch seemed smooth, but it has taken my entire network down, while certbot ran fine for years without any issues.

    My servers (VMs) are all running something similar to this: https://www.howtoforge.com/tutorial/perfect-server-debian-10-nginx-bind-dovecot-ispconfig-3.1/ The only difference was they had certbot on them before acme.sh became the standard.
     
  2. ISPCNoob

    ISPCNoob New Member

    Just a follow up.

    I was able to fix this by running the following commands:

    Generate self signed SSL, restart NGINX:
    cd /usr/local/ispconfig/interface/ssl
    openssl genrsa -out ispserver.key 4096
    openssl req -new -key ispserver.key -out ispserver.csr
    openssl x509 -req -days 3650 -in ispserver.csr -signkey ispserver.key -out ispserver.crt
    openssl rsa -in ispserver.key -out ispserver.key.insecure
    mv ispserver.key ispserver.key.secure
    mv ispserver.key.insecure ispserver.key
    service nginx restart

    Remove acme.sh:
    ~/.acme.sh/acme.sh --uninstall

    Install certbot:
    apt install certbot

    Secure services: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    After installing certbot again I regenerated the Let's Encrypt SSL certificates in the GUI. I do not know what happened with acme.sh or why it failed on the renewals; I haven't touched it since switching over from certbot, but switching back to certbot seems to have fixed my issues.

    After the certs are renewed with certbot:
    rm -r ~/.acme.sh
     
    Last edited: Oct 16, 2024
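The "key values mismatch" error in the first post means the certificate nginx was handed does not belong to the private key next to it, and the post also describes nginx going offline during the acme.sh renewal attempt. The check below is an added example, not something posted in this thread or shipped by ISPConfig, acme.sh or certbot: it resolves the symlinks in the ISPConfig ssl directory and compares the public key inside ispserver.crt with the public key derived from ispserver.key, so a mismatched pair is caught before nginx is restarted (useful both before the manual renewal in post 1 and after the self-signed regeneration in post 2). It assumes openssl is installed; the directory path is the one from the thread and can be overridden with the first argument.

```shell
#!/bin/sh
# Added example (not from the thread): verify that a certificate and a
# private key belong together before nginx loads them. Assumes openssl.

# Returns 0 when the public key embedded in the PEM certificate $1 equals
# the public key derived from the PEM private key $2, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# Report which files the symlinks actually point at (the thread's ssl dir is
# symlinked to the LE files) and whether nginx would accept the pair.
check_ispconfig_ssl() {
    dir="${1:-/usr/local/ispconfig/interface/ssl}"
    crt="$dir/ispserver.crt"
    key="$dir/ispserver.key"
    printf 'crt -> %s\nkey -> %s\n' "$(readlink -f "$crt")" "$(readlink -f "$key")"
    if cert_matches_key "$crt" "$key"; then
        echo "OK: certificate and key match"
        return 0
    fi
    echo "MISMATCH: do not restart nginx with these files"
    return 1
}

# Constructed demo: a matching self-signed pair plus a stray key that does
# not belong to the certificate, all created in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=demo.example' \
        -keyout "$tmp/ispserver.key" -out "$tmp/ispserver.crt" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/other.key" 2>/dev/null
    check_ispconfig_ssl "$tmp"
    if cert_matches_key "$tmp/ispserver.crt" "$tmp/other.key"; then
        echo "unexpected: stray key accepted"
    else
        echo "stray key correctly rejected"
    fi
    rm -rf "$tmp"
}

demo
```

Run it with no arguments to see the constructed demo; run `check_ispconfig_ssl` (or the script with the real directory as first argument) on the ISPConfig host to check the live pair. Comparing public keys rather than moduli works for both RSA and EC keys, so the same check covers certificates issued by either client.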
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter
