During update from 3.2.1 to 3.2.2:

Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for domain.com
Using certificate path /etc/letsencrypt/live/domain.com
Using apache for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.com
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.

Broadcast message from [email protected] (Mon 2021-01-10 10:10:10 CET):
Password entry required for 'Enter passphrase for SSL/TLS keys for domain.com:8080 (RSA):' (PID 14717).
Please enter password with the systemd-tty-ask-password-agent tool:

Waiting for verification...
Challenge failed for domain domain.com
http-01 challenge for domain.com
Cleaning up challenges
Some challenges have failed.
Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)

Ports 80/443 are open, and all known letsencrypt IP subnets are whitelisted.

Any ideas? Mail clients are not working without a proper cert.
https://letsencrypt.org/docs/integration-guide/#firewall-configuration So the http-01 challenge will fail if you don't open up port 80 completely. DNS verification is not (yet) supported: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/4202
I had it open, but after failing, I cannot start the server anymore (apache2). It's failing with:

Starting The Apache HTTP Server...
NameVirtualHost has no effect and will be removed in the next release...
Syntax error on line 65 of /etc/apache2/sites-enabled/000-ispconfig.vhost
SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
Action 'start' failed.
I pulled a one-week-older backup and performed the LetsEncrypt creation, the postfix symlink and the update to 3.2.2 without any issues. So I guess that the problem occurs in a specific scenario. You should prepare a rescue plan for this kind of situation: how to reset everything of the LE down to zero and start the update again. I will investigate thoroughly later. If any of you guys have a suggestion, please share your knowledge. Regards
This is something that does not happen a lot and we can't write a guide for every possible issue that may ever arise. The simple fix would have been to put back the old certificate or comment out the SSL lines in the vhost temporarily. Then run the upgrade again and select yes for getting a new cert.
I had the same problem while updating to 3.2.3. I wanted to create a new certificate because the old one was expired. The "simple fix" did not work for me; apache kept asking for a passphrase. As a workaround I am using the old expired certificate now, just for apache to start correctly. What is the correct solution for this problem?
Is the certificate LE or self signed or something else? Did you set a passphrase on the certificate when creating it? If LE, turn off the LE certificate on that website setting, save. Wait 2 minutes. Turn LE back on and save. Check if it works now. If not, see https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
The certificate is LE, and I did not set a passphrase. The problem seems to be that LE reported a challenge failure and switched back to self-signed. This occurred for the ispconfig certificate, so there is no website setting for it. I solved it now by creating an empty website for the same domain and turning on LE for that. Is this the right way to configure it? One problem is still left: connecting by FTP reports an expired certificate. Where do I configure the certificate for pure-ftp? Thanks for your help.
ISPConfig does that automatically if it generates the certificate for the host. So if you force reconfigure services and let ISPConfig generate new certificate that is taken care of. When LE can not create certificate, follow the instructions in "please read before posting" like I wrote in #7.
Hi taleman, thanks. I read the post and found out that LE works correctly. The solution for my problem was here: https://www.howtoforge.com/community/threads/solved-pure-ftpd-using-old-certificate.84373/ Is that fixed already in the new ISPconfig version, or do I still need to add the delay?
The thread you refer to is about a LE renewal method that's not from ISPConfig, so nothing to be fixed in ISPConfig. ISPConfig 3.2 has an inbuilt method to create and renew LE certs, but this is not related or compatible to the method you posted.
Yes, I saw that the method is different, but the fact that pure-ftpd.pem didn't contain the correct key+crt was the reason in my case. It seems that the inbuilt method also does not always work correctly.
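The two failure modes in this thread, an ispserver.crt/key pair that apache refuses to start with (empty certificate file, passphrase prompt via systemd-tty-ask-password-agent, expired certificate) and a pure-ftpd.pem that does not hold the matching key and certificate, can be checked before restarting services with the POSIX shell helpers below. This is an added example and not ISPConfig's code or anything posted in the thread; it assumes the openssl CLI is installed. The paths in the usage comment (ispserver.key next to ispserver.crt, /etc/ssl/private/pure-ftpd.pem) are the usual locations on a Debian/Ubuntu ISPConfig host and are an assumption to verify on your own system; the sample key pair the demo generates is constructed on the fly.

```shell
#!/bin/sh
# Added diagnostic helpers (not ISPConfig's own code). Requires the openssl CLI.

# Print a SHA-256 digest of the DER-encoded public key held in a PEM file.
# $1 = path, $2 = "cert" (read the certificate's SubjectPublicKeyInfo) or
# "key" (derive the public key from the private key). A passphrase-protected
# key yields an empty digest input, so it never matches a certificate.
pubkey_fingerprint() {
    if [ "$2" = cert ]; then
        openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
            | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256
    else
        # -passin with a dummy value prevents an interactive prompt on encrypted keys
        openssl pkey -in "$1" -pubout -outform DER -passin pass:x 2>/dev/null | openssl dgst -sha256
    fi
}

# Return 0 if the PEM private key is passphrase-protected. Both the PKCS#1
# ("Proc-Type: 4,ENCRYPTED") and PKCS#8 ("BEGIN ENCRYPTED PRIVATE KEY") forms
# carry the word ENCRYPTED; such a key is what makes apache ask for a passphrase.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Check a certificate/key pair the way apache and pure-ftpd need it:
#   1. both files exist and are non-empty ("does not exist or is empty")
#   2. the key carries no passphrase (the systemd password prompt)
#   3. the public key in the certificate matches the private key
#   4. the certificate has not expired (the FTP client's complaint)
# Prints one line per finding and returns 0 only if all four checks pass.
check_cert_pair() {
    crt=$1; key=$2; rc=0
    for f in "$crt" "$key"; do
        if [ ! -s "$f" ]; then echo "MISSING_OR_EMPTY: $f"; rc=1; fi
    done
    [ "$rc" -eq 0 ] || return 1
    if key_is_encrypted "$key"; then echo "KEY_HAS_PASSPHRASE: $key"; rc=1; fi
    if [ "$(pubkey_fingerprint "$crt" cert)" != "$(pubkey_fingerprint "$key" key)" ]; then
        echo "KEY_CERT_MISMATCH: $crt vs $key"; rc=1
    fi
    # -checkend 0 exits non-zero once notAfter has passed
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1; then
        echo "CERT_EXPIRED: $crt"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $crt matches $key, no passphrase, not expired"
    return "$rc"
}

# pure-ftpd reads ONE file containing private key + certificate. Build it from a
# verified pair (mode 0600) and confirm the result parses as both a key and a cert.
build_pure_ftpd_pem() {
    k=$1; c=$2; out=$3
    check_cert_pair "$c" "$k" >/dev/null || return 1
    (umask 077; cat "$k" "$c" > "$out") || return 1
    openssl pkey -in "$out" -noout -passin pass:x 2>/dev/null \
        && openssl x509 -in "$out" -noout 2>/dev/null
}

# Constructed sample: a throwaway self-signed pair in $1 (demo and test data only).
make_sample_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj '/CN=sample.invalid' \
        -keyout "$1/sample.key" -out "$1/sample.crt" >/dev/null 2>&1
}

# Demo run against the constructed pair:  sh thisfile.sh demo
demo() {
    tmp=$(mktemp -d) || exit 1
    make_sample_pair "$tmp"
    check_cert_pair "$tmp/sample.crt" "$tmp/sample.key"
    build_pure_ftpd_pem "$tmp/sample.key" "$tmp/sample.crt" "$tmp/pure-ftpd.pem" \
        && echo "built $tmp/pure-ftpd.pem"
    rm -rf "$tmp"
}
# On a real host (assumed default paths, verify them on your system):
#   check_cert_pair /usr/local/ispconfig/interface/ssl/ispserver.crt \
#                   /usr/local/ispconfig/interface/ssl/ispserver.key
#   build_pure_ftpd_pem /usr/local/ispconfig/interface/ssl/ispserver.key \
#                       /usr/local/ispconfig/interface/ssl/ispserver.crt \
#                       /etc/ssl/private/pure-ftpd.pem
if [ "${1:-}" = demo ]; then demo; fi
```

Run check_cert_pair before `systemctl start apache2` after any certificate change: an empty ispserver.crt, a key that openssl will not load without a passphrase, or a mismatched pair is reported as a single line instead of as a failed service start, and only a pair that passes all four checks is written into the combined pure-ftpd file.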