Apache2 is down after deletion of all configs in /etc/letsencrypt directory

Discussion in 'ISPConfig 3 Priority Support' started by Bradley Hamilton, Nov 24, 2016.

  1. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Seem to be having an issue with letsencrypt configurations. Is there a way to run the cron job to rebuild the cert structure? I re-ran the isp-update script from the git-stable repo and it didn't solve the issue. I chose to rebuild or update the services.

    apache2.service: Control process exited, code=exited status=1
    Output of config test was:
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
    AH00526: Syntax error on line 185 of /etc/apache2/sites-enabled/100-linuxnuts.com.vhost:
    SSLCertificateFile: file '/var/www/clients/client1/web1/ssl/linuxnuts.com-le.crt' does not exist or is empty
    Action 'configtest' failed.
    The Apache error log may have more information.
    apache2.service: Control process exited, code=exited status=1
    Failed to start LSB: Apache2 web server.
    apache2.service: Unit entered failed state.
    apache2.service: Failed with result 'exit-code'.
     
    Last edited: Nov 24, 2016
  2. sjau

    sjau Local Meanie Moderator

    is the linuxnuts.com-le.crt file symlinked?
     
  3. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Yes but it links to nothing as I was told to delete the contents of the /etc/letsencrypt directory
     
  4. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Like an idiot I did not back them up...... it was late here...
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Right, but the thread was about non-working LE implementation when you created certs outside of ispconfig and not when you have a working LE implementation in ispconfig with certs that are already in use.

    To fix your problem, delete the symlinks of the affected websites in /etc/apache2/sites-enabled, restart apache, login to ispconfig and uncheck the LE checkbox of the website, press save, enable the LE cehckbox again and press save. This will recreate the LE ssl cert for the site and enable it again.
     
  6. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Re Read it and I get it now.....

    Agreed I did. I didn't point fingers anyone, I just was left at that point. I asked if I need to take any other steps like renew the certs but I thought they would be auto regenerate or something after deleting it. Again not pointing fingers I was just standing naked in the dark wondering why apache farted and my sites were down......
    If I recheck them after getting back in will the certs recreate? I am worried about LE telling me I hit my retry limit or something .... Much SEO is built around encrypted url's.......Then again the biggest part of SEO is that your site runs at all so ........ Iill do as you suggest now :)
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    LE certs are renewed automatically by ispconfig, there is no need to renew them manually. apache can not start when an ssl cert is missing and yes, certs get regenerated when you follow the instructions that I posted.
     
  8. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    I deleted the .crt .bundle and .key symlinks for each clients/client1/web1/ssl directory and apache won't start. I bounced the box to see what happens
     
  9. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    Same error:
    Nov 24 08:06:38 mail.linuxnuts.com apache2[3628]: Output of config test was:
    Nov 24 08:06:38 mail.linuxnuts.com apache2[3628]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:69
    Nov 24 08:06:38 mail.linuxnuts.com apache2[3628]: AH00526: Syntax error on line 185 of /etc/apache2/sites-enabled/100-linuxnuts.com.vhost:
    Nov 24 08:06:38 mail.linuxnuts.com apache2[3628]: SSLCertificateFile: file '/var/www/clients/client1/web1/ssl/linuxnuts.com-le.crt' does not exist or is empty
    Nov 24 08:06:38 mail.linuxnuts.com apache2[3628]: Action 'configtest' failed.
    Nov 24 08:06:38 mail.linuxnuts.com apache2[3628]: The Apache error log may have more information.
    Nov 24 08:06:38 mail.linuxnuts.com systemd[1]: apache2.service: Control process exited, code=exited status=1
    Nov 24 08:06:38 mail.linuxnuts.com systemd[1]: Failed to start LSB: Apache2 web server.
    Nov 24 08:06:38 mail.linuxnuts.com systemd[1]: apache2.service: Unit entered failed state.
    Nov 24 08:06:38 mail.linuxnuts.com systemd[1]: apache2.service: Failed with result 'exit-code'.

    The LE keys and crts are gone but there is a linuxnuts.com.key and linuxnuts.com.org
    Another site has this in it:
    linuxnutz.com.crt linuxnutz.com.csr linuxnutz.com.key linuxnutz.com.key.org linuxnutz.com-le.bundle.old.20161123005508 linuxnutz.com-le.crt.old.20161123005508 linuxnutz.com-le.key.old.20161123005508
    and a third:
    midihipi.xyz.crt midihipi.xyz.csr midihipi.xyz.key midihipi.xyz.key.org

     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    All LE keys are in /etc/letsencrypt/, so you have to do this for all sites with LE keys.
     
  11. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    This directory is empty /etc/letsencrypt/
    all symlinks for each site are gone...
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Please follow the steps I outlined above:

    So the first step is to delete the symlinks in the folder /etc/apache2/sites-enabled/ for all sites that you enabled LE in. Then apache must start, if not, then you missed to delete a symlink of a web site that uses LE there. Then you can login to ispconfig again to regenerate the LE certs.
     
  13. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    OK as always Tim you saved me. I was in the middle of migrating code when this occurred and I am tired. I am an american living in cebu and we have a typhoon hitting in about an hour which means lights out for a while. I hated to think of my sites being dark and I have no power to get to them........... Again thanks. Now I just go re-enable ssl and LE for each site?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, first disable le and better SSL checkbox as well in each site, press save, then enable SSL + le checkbox again, this will recreate the LE certs.
     
  15. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    ok 3 of 4 are back up with ssl but on one site the ssl and letsencrypt check boxes dont stay checked...
     
  16. Bradley Hamilton

    Bradley Hamilton New Member HowtoForge Supporter

    I got it. Was a subdomain dev.blah.blah dependant on an ssl url deleted it and it's working...Thanks again Tim for the help! Everything is working...
    Brad
     

Share This Page