Certbot problems

Discussion in 'General' started by SamTzu, Mar 24, 2018.

  1. SamTzu

    SamTzu Member

    All too often I wake up and realize that website SSL has "broken" because some web-site alias no longer works.
    When I go check at the ISPC web-site panel I notice that the Lets Encrypt tab is no longer marked and only the SSL tab is on.
    This usually turns out to be a problem with site alias or DNS configuration issue with a site alias and because Certbot is really touchy what it will renew the site is suddenly broken without SSL Cert and without any clear notification to anybody.

    I think we need to re-examine how web-site alias's affect the actual SSL certificate's ability to work. Alias's are nice but they should not be allowed to break the actual web-site.
    I realize the alias is configured in to the /etc/apache/sites-available/100-example-domain.xom.conf file and when that alias fails (because it's DNS was changed in the past month or something else mysterious happened) also the certbot renew for that actual site fails.
    This is especially apparent on sites that have many alias domains.

    Any ideas how we could add an alias site check before we let "certbot renew" break the actual site SSL certificate?
    I know it's not easy but I think it's something we need.
    Simple solution would be to send an alert email if the site can't renew it's SSL.

    Just spitballing here. You may start laughing now.
     
    Last edited: Mar 24, 2018
  2. ahrasis

    ahrasis Well-Known Member

    LE in ISPC will have more changes in the future since the introduction of wildcard SSL (with dns challenge) to it. Maybe it's worth to look into this as well while doing the changes later since that is not yet developed.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPconfig has such an alias check when the ssl cert gets created to exclude sub and aliasdomains the do not point to the server. As certbot renew does not has such a function, we'll probably have to run some kind of cleanup cronjob that checks if all aliases exist for a given cert before certbot renew is started and if not all of them exist, then create a new ssl cert instead of renewing the old one and send a message to the admin.
     
  4. ahrasis

    ahrasis Well-Known Member

    With regards to the above, I think the answer is here, where in other words, if you received an email from LE (via the one you provided when creating its account) it means that your site can't renew its SSL thus you should immediately check on it.
     
  5. SamTzu

    SamTzu Member

    Also there is the dreaded "certbot.renewal:Cert not yet due for renewal" error.
    I have seen those quite a lot lately and even though everything should work - it does not.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not an error. This is just a information from certbot that it checked the cert and the rsult was that there is no need to renew it.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    https://git.ispconfig.org/ispconfig/ispconfig3/issues/4534 is an rfe to allow specifying the email address, but says it is now set to [email protected] (I didn't verify), so maybe just create that email alias for each domain and you will receive them.
     
    ahrasis likes this.

Share This Page