Trying to get certificate for ISPCofig admin server failed

Seams I have n old lets encrypt certifiacte expired Nob 2019.
I'm on DEBIAN 10 latest patches and ISPConfig 3.2.4
Have multiple server configuration
I have an SSH connection to the admin server
ISPConfig admin server, thats where the admin.domain.tld:8080 webpage is on one IP addresse and a www.domain.tld on the web server on an other address.
Letsencrypt certificates for my normal webservers works fie
So first I tried thishttps://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ checked the ssl and Let´s encrypt check boxes nothing changesm still the old certificate
then I tried acme.sh --issue -d domain.tld --webroot /var/www/admin.domain.tld
got an error
domain.tld:Verify error:Invalid response from https://domain.tld/.well-known/acme-challenge/AvmaaTBd54yZLdyV_kVhqkX_a65QyEptp-G7Ryc59Bk [xxx.yyy.zzz.75]:
[Sun 04 Apr 2021 12:01:35 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 04 Apr 2021 12:01:35 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
OK thats the wrong IP
then I tried
/.acme.sh# ./acme.sh --issue --apache -d admin.domain.tld --webroot /var/www/admin.domain.tld
Got error again
admin.domain.tld:Verify error:Invalid response from http://admin.domain.tld/.well-known/acme-challenge/1aw6P_1LTdjMvxK1zbIZ97BsuGq0qjKU-8S00aQCnJ4 [xxx.yyy.zzz.74]:
but this time tis is the IP of the admin server.the website admin.domain.tld is reachable with a dummy content but with a security warning expired certificate
What to do now.

Thanks for any help hint
Rainer
did add --debug, but the outputtells me nothing

 

Thanks, I did but
Create new ISPConfig SSL certificate (yes,no) [no]: yes

Checking / creating certificate for admin.gerdakloos.de
Using certificate path /root/.acme.sh/admin.domain.tld
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/admin.domain.tld
[Sun 04 Apr 2021 01:55:29 PM CEST] admin.gerdakloos.de:Verify error:Fetching http://admin.domain.tld/.well-known/acme-challenge/je3eeJlXBT4awzICM50GdqAOaVRwKUHhiR85g_KbuYE: Connection refused
[Sun 04 Apr 2021 01:55:29 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 04 Apr 2021 01:55:29 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)

admin.domain.tld has a vaild working DNS.
ping from anywhre to admin.domain.tld resolves to teh correct IP address

and apache refuse to start now, restart ask for a password for admin.domain,tld. I just pressed enter two times when the script ask for challange password so it should be empty

 

yes
Firewall is not managed by ISPConfig its an extra firewall server in front configured with Firewallbuilder using iptables with does nat and all ip forwardung to all the server admin, web, dns mail etc. behind. So it is not so easy to turn on and off. works since years no recent changes

 

starting apache still ask for password.
removed comments an did run ispconfig_update.sh --force
again. made shure enter noting just ENTER when asking for passphrase, still apache asks
Enter passphrase for SSL/TLS keys for admin.domain.tld:443 (RSA): even I the symlink for this vhost from sites-enabled
i had made a backup running the force update. would its not be better to restore this. it my production ISPConfig

Is the a description how to restore, the on I found on the net is 5 years old

 

I know I have to bring up apache starting. commenting all ssl lines did not not help nor apache tells me which certificate does not mach. never had a passphrase for any certificate. is the a way to find out what certificate and then delete ist. or better to restore from the /var/backup/ispconfig,admin.domain.tld.20....I have from the this morning
The system worked fine since years there was only the enoying browser warning from the expired certificat. the holidays now where fine for fixing this, Did not think to run in such problems.

 

restored the .../ssl files and symlinks apache nowEnter passphrase for SSL/TLS keys for admin.gerdakloos.de:8080 (RSA):
what the mess fools me

 

there is a ispconfig.conf too
here the requested content

Code:

root@admin:/etc/apache2/sites-available# cat ispconfig.vhost
######################################################
# This virtual host contains the configuration
# for the ISPConfig controlpanel
######################################################

 Listen 8080
NameVirtualHost *:8080

<VirtualHost _default_:8080>
  ServerAdmin webmaster@localhost

  Alias /mail /var/www/ispconfig/mail

  <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>
  <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
      SetHandler None
    </FilesMatch>
  </Directory>

  <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
      Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
      AllowOverride AuthConfig Indexes Limit Options FileInfo
      <FilesMatch "\.php$">
        SetHandler fcgid-script
      </FilesMatch>
      FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
            Require all granted
          </Directory>
    IPCCommTimeout  7200
    MaxRequestLen 15728640
  </IfModule>

  <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
      # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
      Options +FollowSymLinks
      AllowOverride None
            Require all granted
            php_value magic_quotes_gpc        0
    </Directory>
  </IfModule>

  # ErrorLog /var/log/apache2/error.log
  # CustomLog /var/log/apache2/access.log combined
  ServerSignature Off

  <IfModule mod_security2.c>
    SecRuleEngine Off
  </IfModule>

  # SSL Configuration
  SSLEngine On
    SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle

  SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
  SSLHonorCipherOrder On
  
  <IfModule mod_headers.c>
    # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    Header set X-Content-Type-Options: nosniff
    Header set X-Frame-Options: SAMEORIGIN
    Header set X-XSS-Protection: "1; mode=block"
    Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    Header always edit Set-Cookie (.*) "$1; Secure"
    <IfVersion >= 2.4.7>
        Header setifempty Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    <IfVersion < 2.4.7>
        Header set Strict-Transport-Security "max-age=15768000"
    </IfVersion>
    RequestHeader unset Proxy early
  </IfModule>

    SSLUseStapling On
  SSLStaplingResponderTimeout 5
  SSLStaplingReturnResponderErrors Off
  </VirtualHost>

 

Thats what I did on your first request before restoring the .../ssl/ directory but now I could start apache.
I check port 80 open via nmap from an externer customer server port = open.
die the force update
<code>
Create new ISPConfig SSL certificate (yes,no) [no]: yes

Checking / creating certificate for admin.gerdakloos.de
Using certificate path /root/.acme.sh/admin.gerdakloos.de
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/admin.gerdakloos.de
[Sun 04 Apr 2021 04:57:02 PM CEST] admin.gerdakloos.de:Verify error:Fetching http://admin.gerdakloos.de/.well-known/acme-challenge/qaMB39sCKn0XrB9_fB46_J8dZJw6ZhFVyLuo0IgwFYg: Connection refused
[Sun 04 Apr 2021 04:57:02 PM CEST] Please add '--debug' or '--log' to check more details.
[Sun 04 Apr 2021 04:57:02 PM CEST] See: https://github.com/acmesh-official/acme.sh/wiki/How-to-debug-acme.sh
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)
.....................................................................++++
..............................................................................................++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]E
State or Province Name (full name) [Some-State]:BY
Locality Name (eg, city) []:Rednitzhembach
Organization Name (eg, company) [Internet Widgits Pty Ltd]:IB MK
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:admin.gerdakloos.de
Email Address []:[email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
writing RSA key
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: n

Reconfigure Crontab? (yes,no) [yes]:
</code>

restart apache Ok
I can start the admin panel now but the certificate is now self signed
disabled and enabled the admin.domain.tld/
no there is a valid new letsencrypt certificate
Thanks a lot so far
But how to get a valid cert for :8080, my fist way seamed the wrong way

 

yes its weird as it works for admin.domain.tdl/ so the norm port 80 with reroute to 443. An that certificate is from now.

Thanks anyway

 

Oh mess sorry. followed the instructions the link you provided. did the section
Changing ISPConfig 3 Control Panel (Port 8080
did the command one by one with copy paste to not do a false typo
got to my browser startet the admin panel, still the self signed cert.
did a apache restart and i am at the beging, beeing asked for passphrase
apache fails to start

so I restart at the point commenting the ssl lines