Enabling SSL Lets Encrypt not changing vhost config

Discussion in 'ISPConfig 3 Priority Support' started by crankintheburn, Feb 10, 2021.

  1. crankintheburn

    crankintheburn New Member

    Hi Forum,

    the ISPConfig server.sh script doesn't add the SSL related part to the vhost config file ( <VirtualHost *:443> ) after activation SSL / Lets Encrypt.

    Background: Want to move my ISPConfig to a new VM. I freshly installed ISPConfig 3.2.2 on a freshly installed Debian 10 using the perfect server howto.
    I then manually copied /var/www and /var/vmail from my existing server, as well as the dbispconfig database. Manually deactivated SSL/LE SSL on any website, since I wanted ISPConfig to use acme.sh and reissue all certs, instead of using existing ones. Also wanted the apache vhost config files to be newly generated, I didn't copy any /etc/apache2/ configs from the existing server.

    /usr/local/ispconfig/server/server.sh gives me the following output:

    Code:
    /usr/local/ispconfig/server/server.sh
    10.02.2021-00:14 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    10.02.2021-00:14 - DEBUG - Found 1 changes, starting update process.
    10.02.2021-00:14 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    10.02.2021-00:14 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client10/web73' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client10/web73' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client10/web73'|awk 'END{print $2,$NF}' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: setquota -u 'web73' '0' '0' 0 0 -a &> /dev/null - return code: 0
    setquota: Not setting block grace time on /dev/mapper/hosting02--vg-root because softlimit is not exceeded.
    setquota: Not setting inode grace time on /dev/mapper/hosting02--vg-root because softlimit is not exceeded.
    10.02.2021-00:14 - DEBUG - safe_exec cmd: setquota -T -u 'web73' 604800 604800 -a &> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client10/web73' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - Create Let's Encrypt SSL Cert for: orangeblau.com
    10.02.2021-00:14 - DEBUG - Let's Encrypt SSL Cert domains:
    10.02.2021-00:14 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d orangeblau.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d orangeblau.com --key-file '/var/www/clients/client10/web73/ssl/orangeblau.com-le.key' --fullchain-file '/var/www/clients/client10/web73/ssl/orangeblau.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    sh: 1: [[: not found
    sh: 1: 0: not found
    sh: 1: [[: not found
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web73/.php-fcgi-starter' - return code: 0
    10.02.2021-00:14 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web73/.php-fcgi-starter
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web73/.php-fcgi-starter' - return code: 0
    10.02.2021-00:14 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/orangeblau.com.vhost
    10.02.2021-00:14 - DEBUG - Apache status is: running
    10.02.2021-00:14 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    10.02.2021-00:14 - DEBUG - Restarting httpd: systemctl restart apache2.service
    10.02.2021-00:14 - DEBUG - Apache restart return value is: 0
    10.02.2021-00:14 - DEBUG - Apache online status after restart is: running
    10.02.2021-00:14 - DEBUG - Processed datalog_id 5170
    10.02.2021-00:14 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
    I assume an error while calling acme.sh - even though the certificates are generated perfectly fine. /var/log/ispconfig/acme.log:
    Code:
    [Wed 10 Feb 2021 12:14:20 AM CET] Running cmd: issue
    [Wed 10 Feb 2021 12:14:20 AM CET] _main_domain='orangeblau.com'
    [Wed 10 Feb 2021 12:14:20 AM CET] _alt_domains='no'
    [Wed 10 Feb 2021 12:14:20 AM CET] Using config home:/root/.acme.sh
    [Wed 10 Feb 2021 12:14:20 AM CET] default_acme_server
    
    ...
    
    [Wed 10 Feb 2021 12:14:23 AM CET] keyauthorization='verified_ok'
    [Wed 10 Feb 2021 12:14:23 AM CET] dvlist='orangeblau.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/10738615429/3srdNw#http-01#/usr/local/ispconfig/interface/acme'
    [Wed 10 Feb 2021 12:14:23 AM CET] d
    [Wed 10 Feb 2021 12:14:23 AM CET] vlist='orangeblau.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/10738615429/3srdNw#http-01#/usr/local/ispconfig/interface/acme,'
    [Wed 10 Feb 2021 12:14:23 AM CET] d='orangeblau.com'
    [Wed 10 Feb 2021 12:14:23 AM CET] orangeblau.com is already verified, skip http-01.
    [Wed 10 Feb 2021 12:14:23 AM CET] ok, let's start to verify
    
    ...
    
    [Wed 10 Feb 2021 12:14:24 AM CET] Cert success.
    [Wed 10 Feb 2021 12:14:24 AM CET] Your cert is in  /root/.acme.sh/orangeblau.com/orangeblau.com.cer
    [Wed 10 Feb 2021 12:14:24 AM CET] Your cert key is in  /root/.acme.sh/orangeblau.com/orangeblau.com.key
    [Wed 10 Feb 2021 12:14:24 AM CET] v2 chain.
    [Wed 10 Feb 2021 12:14:24 AM CET] The intermediate CA cert is in  /root/.acme.sh/orangeblau.com/ca.cer
    [Wed 10 Feb 2021 12:14:24 AM CET] And the full chain certs is there:  /root/.acme.sh/orangeblau.com/fullchain.cer
    [Wed 10 Feb 2021 12:14:24 AM CET] _on_issue_success
    Any hint is welcome.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Try disabling letsencrypt for a site, then remove the symlinks in that site's ssl/ directory, then enable ssl again. You will also need to make sure all your web# users and client# groups have the same IDs, and group membership is correct.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Try resync tool since I think you have permission problem or sort of.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you switch the system shell to /bin/bash instead of /bin/dash as described in the perfect server installation guide?

     
  5. crankintheburn

    crankintheburn New Member

    Thank you all for your really quick replies!

    My shell was wrong, I must have missed this step, ouch. Thank you Till. Fixing that alone didn't solve the issue.
    Pretty sure my IDs and/or permissions were wrong. Thanks again, had some difficulties after 3 years "Elternzeit". A Resync did the trick.

    Jonas
     
    ahrasis and Th0m like this.

Share This Page