Hi there, today, I saw that the LE ssl certificate for the control panel is expired. Expiring ssl certificates are occuring from time to time when the auto-update fails due to various issues (e. g. missing DNS records and so on). It's quite easy to troubleshoot these issues and it's also quite easy to manually renew the certificates (by unchecking and re-checking the checkbox). But this all applies to hosted websites. This time, the certificate for the control panel web site expired and I am not sure if I understand the process behind correctly. Could anyone explain to me how the certificate update process for the control panel web site is working? I saw that there's a directory /root/.acme.sh which includes several directories, one for each domain I use LE ssl for. My server name is server1.example.com. I also have a (client) web site named server1.example.com. This means, when I open https://server1.example.com/, I am connected to the client web page and when opening https://server1.example.com:8080/, I can log on to the ISPConfig control panel. In the directory /root/.acme.sh/ there's a sub-directory server1.example.com. I guess that this directory is used for getting the certificates for the client web page, right? But where's the corresponding directory for the control panel on port 8080? Or is the same directory re-used for both purposes? Or is having two web pages with the same name (one for a client web page and one as the control panel interface) not supported? Please don't get me wrong, I do not want to get troubleshoot information on my very problem. I am sure I can sort that out (for example by reading the log files...), I just would like to better understand how things are working behind the scenes. Some more questions, if I may: The automatic renewal of the LE certificates is triggered by one of the following two scripts, right? /usr/local/ispconfig/server/server.php /usr/local/ispconfig/server/cron.php Are the same scripts also responsible for updating the control panel certificate? Is there also a checkbox "Let's Encrypt SSL" for the control panel certificate like there is for the client web sites? Many questions, I know. And maybe they are all easily accessible by searching Google, but unfortunately, I did not find them. So it would be great if you guys could enlighten me... Best Tom
Are you aware of these: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/ https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
I can only guess this is the cause of your problem becausr acme.sh installed to your website SSL directory and thus not linked back to ISPConfig SSL directory and other services SSL directory. I have a may be fix but I have no time to submit that to ISPConfig git. For the time being, to fix this you need to manually force update ISPConfig and choose create SSL again.
The cron.php arranges to run various tasks including /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php which determines which letsencrypt client you have and runs the corresponding command to renew certificates. Nothing special is done for the control panel cert vs. a website by that, though the config file for the website cert does point to a renew hook which restarts services (web server, postfix, etc) when that particular certificate renews.
