Update ispserver.pem automatically?

Discussion in 'General' started by BenM, Mar 15, 2023.

  1. BenM

    BenM Member


    I did a successful migration to Debian 11 keeping Let's Encrypt. Now I see that ispserver.pem is not automatically updated, resulting in a certificate error with FTP.

    I have now solved this manually with:

    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    chmod 600 /etc/ssl/private/pure-ftpd.pem
    service pure-ftpd-mysql restart

    I wonder how this is now handled with ISPConfig 3.2.
    Is there a hook I can use to automatically update ispserver.pem again?

    Regards, Ben
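    As an added example (not commands from this thread), the manual steps above turned into a small POSIX sh script that first checks whether ispserver.pem still carries the certificate in ispserver.crt and rebuilds the bundle only when it is stale. The ISPConfig paths are passed as parameters so the functions can be exercised against a scratch directory; restarting pure-ftpd is left to the caller.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the ISPConfig layout mentioned
# above: ispserver.key, ispserver.crt and the combined ispserver.pem in one dir.

# Print only the certificate block(s) of a PEM file, so key material and
# whitespace never enter the comparison. A full-chain .crt yields several
# blocks; they are compared as a whole.
cert_blocks() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1"
}

# True (exit 0) when the bundle is missing or no longer contains the same
# certificate as the .crt, i.e. a renewal happened but the bundle was not
# regenerated. This is the situation that produced the FTP certificate error.
pem_is_stale() {
    crt="$1"; pem="$2"
    [ -f "$pem" ] || return 0
    [ "$(cert_blocks "$crt")" != "$(cert_blocks "$pem")" ]
}

# Recreate ispserver.pem from key + crt in the given directory, keeping a
# dated backup and the 0600 mode used in the thread. Prints the backup path
# (empty when there was nothing to back up).
rebuild_pem() {
    dir="$1"
    pem="$dir/ispserver.pem"
    bak=""
    if [ -f "$pem" ]; then
        bak="$pem-$(date +"%y%m%d%H%M%S").bak"
        mv "$pem" "$bak"
    fi
    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; cat "$dir/ispserver.key" "$dir/ispserver.crt" > "$pem" )
    chmod 600 "$pem"
    printf '%s\n' "$bak"
}

# Rebuild only when needed. Returns 0 when the bundle was rebuilt (caller
# should restart pure-ftpd), 1 when it was already current.
refresh_if_stale() {
    dir="$1"
    if pem_is_stale "$dir/ispserver.crt" "$dir/ispserver.pem"; then
        rebuild_pem "$dir" >/dev/null
        return 0
    fi
    return 1
}
```

    For example: refresh_if_stale /usr/local/ispconfig/interface/ssl && service pure-ftpd-mysql restart, run from cron or after a renewal, so the FTP daemon is only restarted when the bundle actually changed.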
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It is done automatically in 3.2 when you opt to create SSL during ISPConfig install or update.
  3. BenM

    BenM Member

    Thanks for your reply.

    If this is supposed to work in 3.2 by default then it won't work. How can I check or reactivate this?
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Try ispconfig_update.sh --force, and let it create the certificate when it asks.
    The ISPConfig 3.2 install automatically creates a certificate for the hostname -f; it is a Let's Encrypt certificate if the hostname -f can be resolved from name service (by LE) and points to this server. This certificate is linked to be used for other services running on that host and is used for the ISPConfig panel.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

  6. BenM

    BenM Member

    Thanks, I will try this.
    Now I use a web domain as server name (serverX.domein) to generate a certificate. Is that still the case, or must I remove the web domain?
    I think that could cause a conflict otherwise.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Indeed it could cause a conflict, so do remove it before you proceed.
  8. BenM

    BenM Member

  9. BenM

    BenM Member

    serverx.domain:8080 uses an invalid security certificate.

    The certificate is not trusted because it is self-signed.

    I think it's a correct answer from Mozilla. So ISPConfig 3 is not using Let's Encrypt or acme? Correct?

    PS: I use HSTS
  10. pyte

    pyte Active Member HowtoForge Supporter

    No, "MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT" is the error code of Firefox indicating that the web browser does not trust the SSL certificate.

    ISPConfig uses certbot or acme for SSL certificate creation, so it either uses Let's Encrypt, or the new version of acme uses ZeroSSL by default.
  11. BenM

    BenM Member

    This is strange. I just did ispconfig_update.sh --force and then, at the request to generate a certificate, it starts the procedure for a self-signed certificate.

    Please note I already have a certificate in the root/acme folder, but that should not be a problem, because the symlinks do not refer to those files.

    Is it possible that ispconfig_update.sh --force checks whether there is already a certificate?

    Then I would first have to manually remove the certificate via acme.sh --remove -d domain

    Any idea?
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    A self-signed cert gets created when getting a let's encrypt cert has failed. Please post the output you received during update.
  13. BenM

    BenM Member

    Hello Till,

    With which function can I generate that output or do you mean a screen dump?

    Then I will do the update again.
    PS: I can see this in the acme log:

    Domain key exists, do you want to overwrite the key?
    [Thu 16 Mar 2023 10:44:21 AM CET] Add '--force', and try again.
    [Thu 16 Mar 2023 10:44:21 AM CET] Create domain key error.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    OK, then it's probably best to try to remove the existing cert using acme.sh manually first, then check if it has been removed from /root/.acme.sh/.... and then run an ispconfig update with the --force option to recreate it.

    I mean the output that you get on the screen while running ispconfig_update.sh --force
  15. BenM

    BenM Member

    It worked, after I removed everything as hostname from the server. Just removing the certificate is not enough.
  16. BenM

    BenM Member

    I assume this also works if I use the old Let's Encrypt instead of acme?
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, it does not matter which Let's Encrypt client you use.
  18. BenM

    BenM Member

    Thanks for your help