Enabling SSL Lets Encrypt not changing vhost config

Discussion in 'ISPConfig 3 Priority Support' started by crankintheburn, Feb 10, 2021.

  1. crankintheburn

    crankintheburn New Member HowtoForge Supporter

    Hi Forum,

    The ISPConfig server.sh script doesn't add the SSL-related part to the vhost config file (<VirtualHost *:443>) after activating SSL / Let's Encrypt.

    Background: Want to move my ISPConfig to a new VM. I freshly installed ISPConfig 3.2.2 on a freshly installed Debian 10 using the perfect server howto.
    I then manually copied /var/www and /var/vmail from my existing server, as well as the dbispconfig database. Manually deactivated SSL/LE SSL on every website, since I wanted ISPConfig to use acme.sh and reissue all certs instead of using existing ones. Also wanted the Apache vhost config files to be newly generated, so I didn't copy any /etc/apache2/ configs from the existing server.

    /usr/local/ispconfig/server/server.sh gives me the following output:

    Code:
    /usr/local/ispconfig/server/server.sh
    10.02.2021-00:14 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    10.02.2021-00:14 - DEBUG - Found 1 changes, starting update process.
    10.02.2021-00:14 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    10.02.2021-00:14 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr -i '/var/www/clients/client10/web73' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client10/web73' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: df -T '/var/www/clients/client10/web73'|awk 'END{print $2,$NF}' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'setquota' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: setquota -u 'web73' '0' '0' 0 0 -a &> /dev/null - return code: 0
    setquota: Not setting block grace time on /dev/mapper/hosting02--vg-root because softlimit is not exceeded.
    setquota: Not setting inode grace time on /dev/mapper/hosting02--vg-root because softlimit is not exceeded.
    10.02.2021-00:14 - DEBUG - safe_exec cmd: setquota -T -u 'web73' 604800 604800 -a &> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr +i '/var/www/clients/client10/web73' - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - Create Let's Encrypt SSL Cert for: orangeblau.com
    10.02.2021-00:14 - DEBUG - Let's Encrypt SSL Cert domains:
    10.02.2021-00:14 - DEBUG - exec: R=0 ; C=0 ; /root/.acme.sh/acme.sh --issue  -d orangeblau.com -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then /root/.acme.sh/acme.sh --install-cert  -d orangeblau.com --key-file '/var/www/clients/client10/web73/ssl/orangeblau.com-le.key' --fullchain-file '/var/www/clients/client10/web73/ssl/orangeblau.com-le.crt' --reloadcmd 'systemctl force-reload apache2.service' --log '/var/log/ispconfig/acme.log'; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi
    sh: 1: [[: not found
    sh: 1: 0: not found
    sh: 1: [[: not found
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: which 'apache2ctl' 2> /dev/null - return code: 0
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr -i '/var/www/php-fcgi-scripts/web73/.php-fcgi-starter' - return code: 0
    10.02.2021-00:14 - DEBUG - Creating fastcgi starter script: /var/www/php-fcgi-scripts/web73/.php-fcgi-starter
    10.02.2021-00:14 - DEBUG - safe_exec cmd: chattr +i '/var/www/php-fcgi-scripts/web73/.php-fcgi-starter' - return code: 0
    10.02.2021-00:14 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/orangeblau.com.vhost
    10.02.2021-00:14 - DEBUG - Apache status is: running
    10.02.2021-00:14 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    10.02.2021-00:14 - DEBUG - Restarting httpd: systemctl restart apache2.service
    10.02.2021-00:14 - DEBUG - Apache restart return value is: 0
    10.02.2021-00:14 - DEBUG - Apache online status after restart is: running
    10.02.2021-00:14 - DEBUG - Processed datalog_id 5170
    10.02.2021-00:14 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished server.php.
    
    I assume an error while calling acme.sh - even though the certificates are generated perfectly fine. /var/log/ispconfig/acme.log:
    Code:
    [Wed 10 Feb 2021 12:14:20 AM CET] Running cmd: issue
    [Wed 10 Feb 2021 12:14:20 AM CET] _main_domain='orangeblau.com'
    [Wed 10 Feb 2021 12:14:20 AM CET] _alt_domains='no'
    [Wed 10 Feb 2021 12:14:20 AM CET] Using config home:/root/.acme.sh
    [Wed 10 Feb 2021 12:14:20 AM CET] default_acme_server
    
    ...
    
    [Wed 10 Feb 2021 12:14:23 AM CET] keyauthorization='verified_ok'
    [Wed 10 Feb 2021 12:14:23 AM CET] dvlist='orangeblau.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/10738615429/3srdNw#http-01#/usr/local/ispconfig/interface/acme'
    [Wed 10 Feb 2021 12:14:23 AM CET] d
    [Wed 10 Feb 2021 12:14:23 AM CET] vlist='orangeblau.com#verified_ok#https://acme-v02.api.letsencrypt.org/acme/chall-v3/10738615429/3srdNw#http-01#/usr/local/ispconfig/interface/acme,'
    [Wed 10 Feb 2021 12:14:23 AM CET] d='orangeblau.com'
    [Wed 10 Feb 2021 12:14:23 AM CET] orangeblau.com is already verified, skip http-01.
    [Wed 10 Feb 2021 12:14:23 AM CET] ok, let's start to verify
    
    ...
    
    [Wed 10 Feb 2021 12:14:24 AM CET] Cert success.
    [Wed 10 Feb 2021 12:14:24 AM CET] Your cert is in  /root/.acme.sh/orangeblau.com/orangeblau.com.cer
    [Wed 10 Feb 2021 12:14:24 AM CET] Your cert key is in  /root/.acme.sh/orangeblau.com/orangeblau.com.key
    [Wed 10 Feb 2021 12:14:24 AM CET] v2 chain.
    [Wed 10 Feb 2021 12:14:24 AM CET] The intermediate CA cert is in  /root/.acme.sh/orangeblau.com/ca.cer
    [Wed 10 Feb 2021 12:14:24 AM CET] And the full chain certs is there:  /root/.acme.sh/orangeblau.com/fullchain.cer
    [Wed 10 Feb 2021 12:14:24 AM CET] _on_issue_success
    Any hint is welcome.
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Try disabling letsencrypt for a site, then remove the symlinks in that site's ssl/ directory, then enable ssl again. You will also need to make sure all your web# users and client# groups have the same IDs, and group membership is correct.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Try the resync tool, since I think you have a permission problem of some sort.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you switch the system shell to /bin/bash instead of /bin/dash as described in the perfect server installation guide?

     
  5. crankintheburn

    crankintheburn New Member HowtoForge Supporter

    Thank you all for your really quick replies!

    My shell was wrong, I must have missed this step, ouch. Thank you Till. Fixing that alone didn't solve the issue.
    Pretty sure my IDs and/or permissions were wrong. Thanks again, had some difficulties after 3 years "Elternzeit". A Resync did the trick.

    Jonas
     
    ahrasis and Th0m like this.
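
The three `sh:` lines in the first post's log are what a dash `/bin/sh` prints when it meets the `[[ ... ]]` tests in the logged exec line, which is the shell setting asked about in post 4. The following is an added example, not ISPConfig code and not part of the thread: it replays that control flow with stub functions (`issue_stub` and `install_stub` are hypothetical stand-ins for the two acme.sh calls) under each shell present and reports whether the install step ran.

```shell
#!/bin/sh
# Added example: stubs replace the acme.sh calls, so nothing is issued or installed.

# Control flow of the logged exec line (bash-only [[ ... ]] tests).
LOGGED='R=0 ; C=0 ; issue_stub; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then install_stub; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C ; fi'

# Same logic with POSIX [ ... ] tests (a constructed rewrite, not ISPConfig code).
PORTABLE='R=0 ; C=0 ; issue_stub; R=$? ; if [ "$R" -eq 0 ] || [ "$R" -eq 2 ] ; then install_stub; C=$? ; fi ; if [ "$C" -eq 0 ] ; then exit "$R" ; else exit "$C" ; fi'

# run_wrapper SHELL SCRIPT ISSUE_RC
# Runs SCRIPT under SHELL; issue_stub returns ISSUE_RC, install_stub drops a marker.
# Prints "exit=<code> installed=<yes|no>".
run_wrapper() {
    dir=$(mktemp -d) || return 1
    rc=0
    ISSUE_RC=$3 MARKER="$dir/installed" "$1" -c '
issue_stub()   { return "$ISSUE_RC"; }
install_stub() { : > "$MARKER"; }
'"$2" 2>/dev/null || rc=$?
    if [ -e "$dir/installed" ]; then installed=yes; else installed=no; fi
    rm -rf "$dir"
    echo "exit=$rc installed=$installed"
}

# Compare every shell that is present on this machine.
for s in dash bash; do
    if command -v "$s" >/dev/null 2>&1; then
        echo "$s logged:   $(run_wrapper "$s" "$LOGGED" 0)"
        echo "$s portable: $(run_wrapper "$s" "$PORTABLE" 0)"
    fi
done
```

Under dash the logged form reports `exit=0 installed=no` whatever the issue step returned, because both `[[` tests fail as "command not found": the install branch is skipped and the final `else` exits with the untouched `C=0`.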
