Hi there everyone, I followed this tutorial to secure 8080 a while back. While working on the server today, I noticed I couldn't reach the admin page due to an SSL cert that never got renewed for the 8080 port. I am also unable to reach it via https IP:8080 for the same reason. Trying to reach it via http just forwards to https. I seem completely locked out. I looked at the tutorial and tried to perform what I thought would restore the cert but it didn't. This is what I tried. I figured I should stop before I break something further. Could someone point me in the right direction on how I can force the SSL cert renewal through the shell? Thanks for your time!
An expired SSL cert does not cause port 8080 to become unreachable; all you get is a warning in the web browser when it's expired. So if you can't reach port 8080, then you must have a different issue. Yes, that's a good move. But the commands you used broke the setup already according to the no such file error. Take care to not reload or restart apache/nginx as it won't come up again at the moment. Please run the command: ls -la /usr/local/ispconfig/interface/ssl/ and post the result.
Sorry, it seems I can't even describe issues correctly, much less resolve them. Here's what I get when visiting the page: Here's the result of the command:
Ok, that's indeed an expired SSL cert. You can still get access to ispconfig by clicking on the advanced button and then accepting the SSL cert. So let's try to solve the SSL cert issue. First, we must find out which Let's Encrypt client you use. Please run the commands: ls /root/.acme.sh and which certbot and post the result.
Ok, so you use acme.sh on that system, but the tutorial and commands you used are for certbot. The first step is to undo the commands. Run:
Code:
cd /usr/local/ispconfig/interface/ssl/
rm ispserver.crt
mv ispserver.crt-220626084811.bak ispserver.crt
rm ispserver.key
mv ispserver.key-220626084824.bak ispserver.key
rm ispserver.pem
mv ispserver.pem-220626003708.bak ispserver.pem
The next question is to find out why the cert expired. According to the ls output you posted, there is no cert for the system's hostname. So you might have created a cert manually or for a different domain which did not renew or you changed the hostname of the server after installation and that's why renewal failed. The hostname of the system is adolf.schwimserver3.com and that's what the SSL cert for ISPConfig typically uses but you seem to have an SSL cert for adolf.schwimserver3.com only. Using a different name which might even be used for a website you created in ISPConfig will result in SSL cert renewal issues, that's why one should use (and ISPConfig installer does it like that) an SSL cert for the hostname without having a website in that hostname.
That's definitely the tutorial I followed and had a working 8080 at https for a couple of years. Is there any chance that either an OS or ISPC update removed certbot? I've restored the files but am still unable to reach 8080. By that I mean, I'm getting the error I posted a screenie of and Firefox will not allow me to circumvent or bypass the error. Clicking the advanced just provides more of an error but doesn't allow me to "ignore and visit anyway". What should be my next step to restore the cert? I would be happy to remove the site that you state could cause me a problem but I can't reach the admin UI and don't know how I would do it via the terminal.
It seems there's no le directory under etc at all:
web2@adolf:/var/www/clients/client1/web3$ cd /etc/letsencrypt
-bash: cd: /etc/letsencrypt: No such file or directory
Ok, so there is really no certbot on that system. You can recreate the SSL cert for ispconfig with the ispconfig updater. Run: ispconfig_update.sh --force and choose to create a new SSL cert when the updater asks.
That worked perfectly, thanks! What should I do to ensure that the certificate gets renewed when needed for the admin panel along with the other domains? Do I just need to delete the site with the same name as the admin panel?
Yes. You should delete the site with the same name as the admin panel as acme.sh tends to install LE SSL certs to its directory which causes no update in ISPConfig SSL directory. There is no official fix to this yet. The only other approach if you wish to maintain that site is to use @Th0m's approach but I do not recommend this though it works.
I removed it from the "websites" portion of the admin panel. Is there anything else I need to do to purge the site and resolve this issue or am I all set at this stage?
No, not one that I can think of right now, but you should rather do that before running ISPConfig force update, so, if I were you, since you did that after running ISPConfig force update, I would run it (ispconfig_update.sh --force) one more time, as @till mentioned above, just to be sure.
Hello, I have encountered the same issue... do you mean this approach? https://forum.howtoforge.com/thread...-in-ssl-cert-for-interface.88474/#post-432570
I think so, and the reason I said so, I think, is that the auto renewal of ispserver.pem will fail in the future if the server hostname fqdn is used as a website in the acme.sh situation.
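Added example, not part of any post in this thread and not ISPConfig's own code: a preflight check that reports which Let's Encrypt client state exists on the server and whether the panel certificate is close to expiry, so a certbot tutorial is not applied to an acme.sh system and a silent renewal failure is noticed early. The paths are the ones named in the thread; the function names, the environment overrides and the 14-day threshold are assumptions.

```shell
#!/bin/sh
# Added example. Paths are from the thread; the overrides exist for testing.
ACME_HOME="${ACME_HOME:-/root/.acme.sh}"
CERTBOT_DIR="${CERTBOT_DIR:-/etc/letsencrypt}"
SSL_DIR="${SSL_DIR:-/usr/local/ispconfig/interface/ssl}"

# Print which client state directory exists: acme.sh, certbot, both or none.
detect_le_client() {
    has_acme=0
    has_certbot=0
    [ -d "$ACME_HOME" ] && has_acme=1
    [ -d "$CERTBOT_DIR" ] && has_certbot=1
    case "$has_acme$has_certbot" in
        10) echo "acme.sh" ;;
        01) echo "certbot" ;;
        11) echo "both" ;;
        *)  echo "none" ;;
    esac
}

# Return 0 if cert $1 stays valid for at least $2 more days (default 14),
# 1 if it expires sooner or cannot be parsed, 2 if the file is not readable.
cert_valid_for_days() {
    crt="$1"
    days="${2:-14}"
    [ -r "$crt" ] || return 2
    openssl x509 -in "$crt" -noout -checkend $((days * 86400)) >/dev/null 2>&1
}

# Report both findings; changes nothing on disk.
preflight() {
    echo "Let's Encrypt client state found: $(detect_le_client)"
    if cert_valid_for_days "$SSL_DIR/ispserver.crt" 14; then
        echo "ispserver.crt: valid for at least 14 more days"
    else
        echo "ispserver.crt: expired, expiring within 14 days, or unreadable"
        echo "recreate it with: ispconfig_update.sh --force"
    fi
}

preflight
```

Run from cron as root, the second message is the signal that automatic renewal of the panel certificate has stopped working.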