Certificat problems (yet again!)

Discussion in 'Installation/Configuration' started by Enzo2424, Dec 17, 2021.

  1. Enzo2424

    Enzo2424 Member

    Hi everyone !
    I know, I'm not the first to have problems with the certificats, but by trying to solve my problems, I think I've complicated them.
    I'm running a server on Ubuntu 20.04 with Apache & installed multiple php versions (had problems but solved issue here, thanks again to the team) and server worked fine EXCEPT that navigators we're complaining that websites were not secure.
    (This server was installed about 2 weeks ago following the perfect server guide. https://www.howtoforge.com/tutorial...l-pureftpd-bind-postfix-doveot-and-ispconfig/ )
    Accessing ISPConfig admin interface was the ONLY secure connection I got from my server.
    This presented a problem, notably for a company's Nextcloud connection and globally isn't correct, so needed fixing.
    I looked around and tried to fix this issue following this post :
    https://www.howtoforge.com/communit...ot-available-after-upgrade.75540/#post-355688.

    The idea was to erase all keys and enabled sites, do an update of ISPConfig, and let the update recreate everything cleanly.
    I moved the info in /etc/apache/sites-enabled to a backup directory just in case, and did the same with /etc/letsencrypt
    Without surprise, Apache2 refused to restart, and I applied the update for ISPConfig.
    Here is update's output...
    Code:
    Reconfigure Services? (yes,no,selected) [yes]: yes
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Mailman
    Configuring Spamassassin
    Configuring Amavisd
    Configuring Getmail
    Configuring BIND
    Configuring Pureftpd
    Configuring Apache
    Configuring vlogger
    Configuring Apps vhost
    Configuring Jailkit
    Configuring Ubuntu Firewall
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for ns310142.ip-188-165-201.eu
    Using certificate path /etc/letsencrypt/live/ns310142.ip-188-165-201.eu
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for ns310142.ip-188-165-201.eu
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Challenge failed for domain ns310142.ip-188-165-201.eu
    http-01 challenge for ns310142.ip-188-165-201.eu
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    .............../
    
    Generates Key, reconfigured Crontab, Restarted services and Update finished.
    Cerbot failed...
    So i go look at the log (excerpt for the beginning of file) :
    Code:
    2021-12-17 10:16:10,674:DEBUG:certbot.main:certbot version: 0.40.0
    2021-12-17 10:16:10,674:DEBUG:certbot.main:Arguments: ['--agree-tos', '--non-interactive', '--expand', '--rsa-key-si>
    2021-12-17 10:16:10,674:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPo>
    2021-12-17 10:16:10,691:DEBUG:certbot.log:Root logging level set at 20
    2021-12-17 10:16:10,692:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2021-12-17 10:16:10,692:DEBUG:certbot.plugins.selection:Requested authenticator webroot and installer None
    2021-12-17 10:16:10,693:DEBUG:certbot.plugins.selection:Single candidate plugin: * webroot
    Description: Place files in webroot directory
    Interfaces: IAuthenticator, IPlugin
    Entry point: webroot = certbot.plugins.webroot:Authenticator
    Initialized: <certbot.plugins.webroot.Authenticator object at 0x7fbf431a2940>
    Prep: True
    2021-12-17 10:16:10,693:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.webroot.Authenticato>
    2021-12-17 10:16:10,693:INFO:certbot.plugins.selection:Plugins selected: Authenticator webroot, Installer None
    2021-12-17 10:16:10,967:DEBUG:acme.client:Sending GET request to https://acme-v02.api.letsencrypt.org/directory.
    2021-12-17 10:16:10,969:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org>
    2021-12-17 10:16:11,396:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "GET /directory HTTP/1>
    2021-12-17 10:16:11,397:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Fri, 17 Dec 2021 10:16:11 GMT
    Content-Type: application/json
    Content-Length: 658
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    {
      "keyChange": "https://acme-v02.api.letsencrypt.org/acme/key-change",
      "mSYCQ6HAddc": "https://community.letsencrypt.org/t/adding-random-entries-to-the-directory/33417",
      "meta": {
        "caaIdentities": [
          "letsencrypt.org"
        ],
        "termsOfService": "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf",
        "website": "https://letsencrypt.org"
      },
      "newAccount": "https://acme-v02.api.letsencrypt.org/acme/new-acct",
      "newNonce": "https://acme-v02.api.letsencrypt.org/acme/new-nonce",
      "newOrder": "https://acme-v02.api.letsencrypt.org/acme/new-order",
      "revokeCert": "https://acme-v02.api.letsencrypt.org/acme/revoke-cert"
    }
    2021-12-17 10:16:11,397:DEBUG:acme.client:Requesting fresh nonce
    2021-12-17 10:16:11,397:DEBUG:acme.client:Sending HEAD request to https://acme-v02.api.letsencrypt.org/acme/new-nonc>
    2021-12-17 10:16:11,533:DEBUG:urllib3.connectionpool:https://acme-v02.api.letsencrypt.org:443 "HEAD /acme/new-nonce >
    2021-12-17 10:16:11,534:DEBUG:acme.client:Received response:
    HTTP 200
    Server: nginx
    Date: Fri, 17 Dec 2021 10:16:11 GMT
    Connection: keep-alive
    Cache-Control: public, max-age=0, no-cache
    Link: <https://acme-v02.api.letsencrypt.org/directory>;rel="index"
    Replay-Nonce: 0002VbCVsbWFK7-E3iUAQz2HQk9YDyIL61JpO-tfo-Gv9Z8
    X-Frame-Options: DENY
    Strict-Transport-Security: max-age=604800
    
    ---/ and so on...
    What bothers me here is that it says " Server: nginx " - I'm runing Apache... (is this normal or just a quirk in the script?)
    In any case, the certificats aren't generated correctly and now, no secure connection on anything...
    Chrome allows me to login to ISPConfig ignoring the security (Firefox won't).
    Going to hosted websites send me to Apache2 Ubuntu Default Page (I suppose the site-enabled links are down? I do have a backup of them, maybe just restore ?)
    Seems like I've screwed things up more than fixed them.
    Any ideas as to why the challenge failed for my server name and certbot failed ? Have I installed a wrong package somewhere making my install think it's on nginx when I added the multiple PHP versions? It's the only thing I did that isn't in the perfect server guide....
    I don't want to goof things up more and could use a little guidance.
    Not yet in 'panic mode' here, but starting to feel the heat, yet unconfortable bugging you guys with yet another certificate problem.
    Thanks for any help.
    Enzo
     
  2. Enzo2424

    Enzo2424 Member

    I restored the site-enabled links, and now websites are showing, but still navigators are complaining that the connection is not secure.
    And now, the ISPConfig admin panel is also not secure.
    I've tried unchecking the LetsEncrypt box & SSL box, saving, and then rechecking the boxes, saving and then checked back on the website settings to be sure the box stayed checked (it does) and this, if I understood, should regenerate a new key.
    Yet, when I go to website, I still get message that site isn't secure. (I've cleared cache & cookies in both navigators to be sure...)

    I wonder if it wouldn't be best to manually erase all the certificates and do an ISPConfig update to have all regenerated ?
    What's the best way to do this ?
    Should I remove /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key beforehand so that the ISPConfig interface will be secure after update or will the update overwrite it ?
    Should I delete other things before trying to update ISPConfig ? (i.e. clear out the /etc/letsencrypt/ and /etc/apache2/sites-enabled/ directory and restart apache like I did first time around)
     
    Last edited: Dec 17, 2021
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  4. Enzo2424

    Enzo2424 Member

    Thankyou Taleman.
    Reading replys to older posts are getting me confused. Shoud I send a debug report for this ?
    I'll already just do an update without removing anything and see if the ISPConfig panel will get a secure connection.
    Thanks again
     
  5. Enzo2424

    Enzo2424 Member

    I did
    ispconfig_update.sh --force
    when asked to regenerate certificate, here's the output :
    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for ns310142.ip-188-165-201.eu
    Using certificate path /etc/letsencrypt/live/ns310142.ip-188-165-201.eu
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for ns310142.ip-188-165-201.eu
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Waiting for verification...
    Cleaning up challenges
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.jAW8QftkpT/install/lib/installer_base.lib.php on line 3135
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.jAW8QftkpT/install/lib/installer_base.lib.php on line 3136
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
    
    Reconfigure Crontab? (yes,no) [yes]:
    
    
    Seems the certificate was generated, but some complaints about the php and symlinks already existing...
    I checked, my ISPConfig control pane is still not secure.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Please post the result of the command:

    ls -la /usr/local/ispconfig/interface/ssl/
     
  7. Enzo2424

    Enzo2424 Member

    This is the report of the test script :
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Ubuntu 20.04.3 LTS
    
    [INFO] uptime:  14:28:50 up 4 days, 15:22,  1 user,  load average: 0.28, 0.48, 0.46
    
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:           31Gi       2.1Gi        20Gi        95Mi       9.2Gi        28Gi
    Swap:         2.0Gi          0B       2.0Gi
    
    [INFO] systemd failed services status:
      UNIT                      LOAD   ACTIVE SUB    DESCRIPTION
    ● snap.lxd.activate.service loaded failed failed Service for snap application lxd.activate
    
    LOAD   = Reflects whether the unit definition was properly loaded.
    ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
    SUB    = The low-level unit activation state, values depend on unit type.
    
    1 loaded units listed.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.7p1
    
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.4.26
    [INFO] php-cgi (used for cgi php in default vhost!) is version 7.4.26
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Apache 2 (PID 1130573)
    [INFO] I found the following mail server(s):
            Postfix (PID 1130495)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 1130547)
    [INFO] I found the following imap server(s):
            Dovecot (PID 1130547)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 1130615)
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    ***.***.***.***:53              (1130622/named)
    [localhost]:53          (1130622/named)
    [anywhere]:21           (1130615/pure-ftpd)
    ***.***.***.***:53              (746/systemd-resolve)
    [anywhere]:22           (1019/sshd:)
    [localhost]:953         (1130622/named)
    [anywhere]:25           (1130495/master)
    [anywhere]:993          (1130547/dovecot)
    [anywhere]:995          (1130547/dovecot)
    [localhost]:10023               (1380/postgrey)
    [localhost]:10024               (1130529/amavisd-new)
    [localhost]:10025               (1130495/master)
    [localhost]:10026               (1130529/amavisd-new)
    [localhost]:10027               (1130495/master)
    [anywhere]:587          (1130495/master)
    [localhost]:11211               (821/memcached)
    [anywhere]:110          (1130547/dovecot)
    [anywhere]:143          (1130547/dovecot)
    [anywhere]:465          (1130495/master)
    *:*:*:*::**:*:*:*::*53          (1130622/named)
    *:*:*:*::*:53           (1130622/named)
    *:*:*:*::*:21           (1130615/pure-ftpd)
    *:*:*:*::*:22           (1019/sshd:)
    *:*:*:*::*:25           (1130495/master)
    *:*:*:*::*:953          (1130622/named)
    *:*:*:*::*:443          (1130573/apache2)
    *:*:*:*::*:993          (1130547/dovecot)
    *:*:*:*::*:995          (1130547/dovecot)
    *:*:*:*::*:10024                (1130529/amavisd-new)
    *:*:*:*::*:10026                (1130529/amavisd-new)
    *:*:*:*::*:3306         (1129698/mysqld)
    *:*:*:*::*:587          (1130495/master)
    [localhost]10           (1130547/dovecot)
    [localhost]43           (1130547/dovecot)
    *:*:*:*::*:8080         (1130573/apache2)
    *:*:*:*::*:80           (1130573/apache2)
    *:*:*:*::*:8081         (1130573/apache2)
    *:*:*:*::*:465          (1130495/master)
    
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    f2b-postfix  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 25
    f2b-pure-ftpd  tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 21
    f2b-sshd   tcp  --  [anywhere]/0            [anywhere]/0            multiport dports 22
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain f2b-postfix (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain f2b-pure-ftpd (1 references)
    target     prot opt source               destination
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    Chain f2b-sshd (1 references)
    target     prot opt source               destination
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***         [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***      [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    REJECT     all  --  ***.***.***.***       [anywhere]/0            reject-with icmp-port-unreachable
    RETURN     all  --  [anywhere]/0            [anywhere]/0
    
    
    
    
    ##### LET'S ENCRYPT #####
    Certbot is installed in /usr/bin/letsencrypt
    
    Lots of listening ports...
     
  8. Enzo2424

    Enzo2424 Member

    Thank you Till for jumping in...
    Result for ls -la /usr/local/ispconfig/interface/ssl/
    Code:
    total 52
    drwxr-x--- 2 root      root      4096 Dec 17 14:20 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Nov 30 08:43 ..
    -rwxr-x--- 1 root      root        45 Dec 17 14:20 empty.dir
    -rwxr-x--- 1 root      root      2179 Dec 17 10:18 ispserver.crt
    lrwxrwxrwx 1 root      root        62 Nov 30 08:41 ispserver.crt-20211217093756.bak -> /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/fullchain.pem
    -rwxr-x--- 1 root      root      2179 Dec 17 14:20 ispserver.crt-20211217142003.bak
    -rwxr-x--- 1 root      root      3272 Dec 17 10:16 ispserver.key
    lrwxrwxrwx 1 root      root        60 Nov 30 08:41 ispserver.key-20211217093756.bak -> /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/privkey.pem
    -rwxr-x--- 1 root      root      3272 Dec 17 14:20 ispserver.key-20211217142003.bak
    -rwxr-x--- 1 root      root      5451 Dec 17 14:20 ispserver.pem
    -rwxr-x--- 1 root      root      5451 Dec 17 14:20 ispserver.pem-20211217142003.bak
    
     
  9. Enzo2424

    Enzo2424 Member

  10. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is what the acme client recieved, ie. letsencrypt's verification servers are running nginx.

    What do you get from
    Code:
    ls -l /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/
    ls -l /etc/letsencrypt/archive/ns310142.ip-188-165-201.eu/
    
     
  11. Enzo2424

    Enzo2424 Member

    Hi Jesse, and thanks for helping!
    I get the following
    Code:
    [email protected]:/tmp/ispconfig3_install/install# ls -l /etc/letsencrypt/live/ns310142.ip-188-165-201.eu/
    total 4
    -rw-r--r-- 1 root root 692 Dec 17 14:20 README
    lrwxrwxrwx 1 root root  50 Dec 17 14:20 cert.pem -> ../../archive/ns310142.ip-188-165-201.eu/cert1.pem
    lrwxrwxrwx 1 root root  51 Dec 17 14:20 chain.pem -> ../../archive/ns310142.ip-188-165-201.eu/chain1.pem
    lrwxrwxrwx 1 root root  55 Dec 17 14:20 fullchain.pem -> ../../archive/ns310142.ip-188-165-201.eu/fullchain1.pem
    lrwxrwxrwx 1 root root  53 Dec 17 14:20 privkey.pem -> ../../archive/ns310142.ip-188-165-201.eu/privkey1.pem
    [email protected]:/tmp/ispconfig3_install/install# ls -l /etc/letsencrypt/archive/ns310142.ip-188-165-201.eu/
    total 20
    -rw-r--r-- 1 root root 2220 Dec 17 14:20 cert1.pem
    -rw-r--r-- 1 root root 3750 Dec 17 14:20 chain1.pem
    -rw-r--r-- 1 root root 5970 Dec 17 14:20 fullchain1.pem
    -rw------- 1 root root 3272 Dec 17 14:20 privkey1.pem
    [email protected]:/tmp/ispconfig3_install/install#
    
    
    Is it normal that the live is pointing to the archive ?
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Yes.

    Run
    Code:
    /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh
    and test the control panel again.
     
  13. Enzo2424

    Enzo2424 Member

    I did.... however, https://ns310142.ip-188-165-201.eu:8080/index.php (ISPConfig admin) is still showing up insecure...
    I've tried with Chrome, Firefox and Edge, all showing up insecure... just in case, could you test that URL ? I don't understand why it's not secure... unless it's on my side ?
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    There is a self-signed certificate on port 8080:
    Code:
    $ openssl s_client -connect ns310142.ip-188-165-201.eu:8080 -servername ns310142.ip-188-165-201.eu -showcerts
    CONNECTED(00000003)
    depth=0 C = FR, ST = AQUITAINE, L = PERIGUEUX, O = PERSONAL, OU = IT, CN = ns310142.ip-188-165-201.eu, emailAddress = [email protected]
    verify error:num=18:self signed certificate
    verify return:1
    depth=0 C = FR, ST = AQUITAINE, L = PERIGUEUX, O = PERSONAL, OU = IT, CN = ns310142.ip-188-165-201.eu, emailAddress = [email protected]
    verify return:1
    ---
    
    You might try restarting apache manually; the renewal script should have done that, but just to be sure.

    Post 'ls -la /usr/local/ispconfig/interface/ssl/ again, and also what do you get from 'openssl x509 -noout -text < /etc/letsencrypt/live/$(hostname -f)/fullchain.pem'
     
  15. Enzo2424

    Enzo2424 Member

    Restarted Apache, no change...
    here's the output of the 2 commands :
    Code:
    [email protected]:/# ls -la /usr/local/ispconfig/interface/ssl/
    total 36
    drwxr-x--- 2 root      root      4096 Dec 17 16:04 .
    drwxr-x--- 9 ispconfig ispconfig 4096 Nov 30 08:43 ..
    -rwxr-x--- 1 root      root        45 Dec 17 14:20 empty.dir
    -rwxr-x--- 1 root      root      2179 Dec 17 10:18 ispserver.crt
    -rwxr-x--- 1 root      root      3272 Dec 17 10:16 ispserver.key
    -rw------- 1 root      root      5451 Dec 17 16:04 ispserver.pem
    -rwxr-x--- 1 root      root      5451 Dec 17 14:20 ispserver.pem-211217160457.bak
    [email protected]:/# openssl x509 -noout -text < /etc/letsencrypt/live/$(hostname -f)/fullchain.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                04:5c:cb:7c:2b:7e:f0:39:25:55:b7:e7:29:a1:25:c1:17:1b
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: C = US, O = Let's Encrypt, CN = R3
            Validity
                Not Before: Dec 17 13:20:08 2021 GMT
                Not After : Mar 17 13:20:07 2022 GMT
            Subject: CN = ns310142.ip-188-165-201.eu
            Subject Public Key Info:
                Public Key Algorithm: rsaEncryption
                    RSA Public-Key: (4096 bit)
                    Modulus:
                        00:b6:fa:99:f2:5e:85:dd:03:40:05:94:1c:e5:2c:
                        27:e8:5e:e3:91:a4:fd:d5:58:42:9f:4b:de:f3:fe:
                        29:97:03:cd:52:e0:77:b7:67:fd:ee:14:03:cf:25:
                        4b:0f:46:96:b7:f6:10:fb:39:a9:62:79:57:01:b5:
                        b2:a8:1b:83:52:b8:e6:a7:ad:3b:e3:ba:84:82:27:
                        20:64:eb:b7:94:c9:c3:f0:1a:48:bb:70:3e:8f:52:
                        75:ea:99:81:f6:71:81:81:df:da:c5:91:1e:aa:6c:
                        27:b1:36:ea:83:d6:a9:c9:6f:28:d0:6c:d1:ca:58:
                        71:ff:0a:c8:c9:55:39:30:de:b4:b6:bf:e7:f1:86:
                        cf:65:85:b9:7e:24:63:23:e0:33:bb:d1:0e:be:10:
                        06:7c:24:55:20:aa:27:46:41:9a:44:49:98:fe:fb:
                        ef:54:59:fa:d2:79:f0:a2:ce:05:3a:88:c0:58:be:
                        51:45:80:36:4a:7d:d8:a3:14:d2:eb:67:0e:73:98:
                        17:12:fc:12:0c:a7:8d:cb:c4:7e:b4:18:f2:1d:99:
                        97:32:ff:0d:ce:4d:29:74:f1:8a:5b:1b:4d:f6:7e:
                        4c:85:ea:79:c0:4f:b8:f4:fc:4f:d5:b8:16:08:0b:
                        da:a3:f2:45:82:fe:02:72:e0:90:2f:c9:cd:14:2c:
                        ac:9c:3c:31:6f:d8:cd:9c:1a:b2:85:56:5d:b6:c8:
                        94:a8:4d:b3:1a:59:f4:a8:cb:d7:af:62:84:8c:84:
                        bf:f0:66:1d:b1:55:44:3d:26:c8:ac:ca:6c:50:4e:
                        ce:a0:93:ff:34:9a:69:20:7f:4b:92:e5:15:b5:0e:
                        7f:40:c3:b0:8a:ba:48:a5:e8:8d:e6:ac:56:05:82:
                        4b:7a:ae:42:97:d3:c3:5b:52:86:98:60:a1:95:d3:
                        7c:5c:e3:28:a6:ff:96:17:7e:87:9c:68:ce:0c:24:
                        55:a1:f4:97:c0:2a:38:d2:2a:8a:39:6c:56:a9:7b:
                        c2:c0:9f:63:f6:3b:4e:d7:e4:4e:27:ff:49:ef:29:
                        dd:6a:78:90:0a:5f:38:4d:f2:f5:32:4f:7f:32:04:
                        32:e9:bc:b8:76:f1:bf:be:b4:b3:db:c3:2e:8a:5b:
                        91:b0:34:a2:06:30:b6:97:83:11:03:9a:48:55:91:
                        a5:7a:55:39:03:58:e0:e7:5f:6e:d8:7b:12:a4:9e:
                        18:03:95:09:55:06:b2:2f:95:3e:97:92:71:23:b7:
                        a9:93:f4:50:7e:b6:bb:c5:4c:34:73:4d:36:69:53:
                        f3:63:ad:be:b7:a6:e4:4d:78:f1:02:48:9b:32:6b:
                        ce:b7:3f:30:55:d4:30:41:93:b8:0e:db:88:75:00:
                        06:52:e5
                    Exponent: 65537 (0x10001)
            X509v3 extensions:
                X509v3 Key Usage: critical
                    Digital Signature, Key Encipherment
                X509v3 Extended Key Usage:
                    TLS Web Server Authentication, TLS Web Client Authentication
                X509v3 Basic Constraints: critical
                    CA:FALSE
                X509v3 Subject Key Identifier:
                    CF:E6:69:A1:E6:86:0B:8B:ED:62:E8:55:03:ED:58:14:C7:65:BA:96
                X509v3 Authority Key Identifier:
                    keyid:14:2E:B3:17:B7:58:56:CB:AE:50:09:40:E6:1F:AF:9D:8B:14:C2:C6
    
                Authority Information Access:
                    OCSP - URI:http://r3.o.lencr.org
                    CA Issuers - URI:http://r3.i.lencr.org/
    
                X509v3 Subject Alternative Name:
                    DNS:ns310142.ip-188-165-201.eu
                X509v3 Certificate Policies:
                    Policy: 2.23.140.1.2.1
                    Policy: 1.3.6.1.4.1.44947.1.1.1
                      CPS: http://cps.letsencrypt.org
    
                CT Precertificate SCTs:
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 46:A5:55:EB:75:FA:91:20:30:B5:A2:89:69:F4:F3:7D:
                                    11:2C:41:74:BE:FD:49:B8:85:AB:F2:FC:70:FE:6D:47
                        Timestamp : Dec 17 14:20:08.848 2021 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:46:02:21:00:D4:47:47:31:4B:74:21:5E:CF:45:7C:
                                    4D:76:3E:3B:CF:D9:B9:A3:42:00:88:B6:53:29:BA:DF:
                                    8F:AC:2E:4A:5A:02:21:00:E3:EB:56:D2:25:AB:DF:DA:
                                    9B:C6:CA:ED:AD:E8:82:51:28:56:3E:D8:70:2A:97:F9:
                                    D9:DE:16:66:EF:39:39:8F
                    Signed Certificate Timestamp:
                        Version   : v1 (0x0)
                        Log ID    : 6F:53:76:AC:31:F0:31:19:D8:99:00:A4:51:15:FF:77:
                                    15:1C:11:D9:02:C1:00:29:06:8D:B2:08:9A:37:D9:13
                        Timestamp : Dec 17 14:20:09.035 2021 GMT
                        Extensions: none
                        Signature : ecdsa-with-SHA256
                                    30:45:02:20:63:28:76:DA:DE:0D:58:C4:7C:F9:42:08:
                                    6A:06:0F:4E:C3:45:63:70:7D:54:81:1B:9C:F0:A1:B5:
                                    BB:68:DB:EF:02:21:00:BD:51:1C:85:D2:34:56:6D:00:
                                    C1:21:6A:3D:09:2F:F5:5F:E4:8F:97:2B:41:0C:4D:90:
                                    F7:C3:85:B5:1E:1C:06
        Signature Algorithm: sha256WithRSAEncryption
             7a:96:50:d3:5d:fa:a1:2d:3a:55:7d:0e:9e:bc:52:ed:30:b0:
             2c:26:e3:db:b8:bc:27:3d:3b:36:90:05:c7:29:02:89:29:aa:
             43:ab:e8:a0:d0:9d:a0:ad:64:a5:42:1c:10:ab:96:42:00:a1:
             b6:4a:ce:23:fe:8e:82:ba:36:19:ca:0e:18:96:37:dc:5f:c2:
             0b:55:75:8f:8c:c1:36:2b:4e:02:8d:e0:fd:10:d2:24:b3:13:
             cf:f3:b9:63:73:29:a7:d6:59:3f:d0:96:70:6c:e1:e4:48:89:
             ab:8f:8a:25:09:7e:4b:a1:11:85:1d:b8:fe:d0:af:2e:1a:e4:
             3d:9b:2a:41:93:29:d5:b4:52:53:fb:2b:8e:78:35:ba:cf:25:
             0f:60:c6:94:eb:86:95:04:25:61:91:19:9f:bf:de:82:47:42:
             64:3f:fc:0d:0b:cc:c4:7b:ca:3a:ea:b7:50:4e:26:fb:f5:1c:
             da:85:8f:2e:51:44:20:e9:a2:99:9a:dd:90:96:cb:f2:47:b3:
             89:4e:33:ea:da:bb:55:61:a8:60:5b:9e:87:34:8b:77:df:c5:
             b4:f0:d8:db:93:94:01:6b:97:5c:e8:41:db:ba:66:dd:8c:f3:
             f7:13:54:f6:67:3f:39:f7:f4:ad:d4:5f:9a:fd:72:2a:32:43:
             b0:cd:04:92
    [email protected]:/#
    
    
     
  16. Enzo2424

    Enzo2424 Member

    hmmm... maybe this has to do when I filled in the FQDN field of the certificate generator when I updated ISPConfig... I put in the name ns310142.ip-188-165-201.eu. I had checked /etc/hosts that that name pointed to 127.0.0.1, and it does... so that should be ok...
    I just tried checking with a ssl validator site, ns310142.ip-188-165-201.eu doesn't reply if not on port 8080. Could this be related ?
    I'm really at a loss...
     
  17. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Ah, I thought the renew hook took care of all the cert files, but it doesn't; run:
    Code:
    rm /usr/local/ispconfig/interface/ssl/ispserver.{crt,key}
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh
    
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes. That could be related as the script check the host fqdn.
     

Share This Page