In the "this weeks weird problem" dept - Cant get SSL cert to stick

Discussion in 'Installation/Configuration' started by RobPatton, Oct 5, 2019.

  1. RobPatton

    RobPatton Member

    latest ispconfig
    centos7.6

    create a new site, tick the ssl/lets encrypt boxes

    lets encrypt log shows success and downloads the files into /etc/letsencrypt/live/domain-name/

    2019-10-04 22:01:18,442:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/domainname.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/domainname.com/privkey.pem
    Your cert will expire on 2020-01-03. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"


    But it never puts the files in the var/www/domain/ssl folder, and never creates a .crt file.

    The domain .vhost file in sites-enable only has the NON SSL section, seems that that the SSL section that starts with

    <VirtualHost *:443> just never gets written.

    If I re-tick the ssl/lets encrypt boxes, its goes through the renew process, which it doesnt need, and ends up doing the same thing. Currently have 3 domains that work fine, and have valid certs, but ispconfig just wont cooperate.

    Suggestions?

    I feel like certbot is failing to move files to the right place, or ispcofig is failing at something, but I'm not sure where the line is between the two things.
     
  2. ahrasis

    ahrasis Well-Known Member

    What is the content of renewal conf file for that domain?
     
  3. RobPatton

    RobPatton Member

    04.10.2019-22:01 - DEBUG - Adding the user: web71
    04.10.2019-22:01 - DEBUG - Creating symlink: ln -s /var/www/clients/client1/web71/ /var/www/domainname.com
    04.10.2019-22:01 - DEBUG - Creating symlink: ln -s /var/www/clients/client1/web71/ /var/www/clients/client1/domainname.com
    04.10.2019-22:01 - DEBUG - exec: chown -R web71:client1 /var/www/clients/client1/web71/web
    04.10.2019-22:01 - DEBUG - exec: chown web71:client1 /var/www/clients/client1/web71/web
    04.10.2019-22:01 - DEBUG - exec: usermod --groups sshusers web71 2>/dev/null
    04.10.2019-22:01 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/domainname.com.vhost
    04.10.2019-22:01 - DEBUG - Creating symlink: /etc/httpd/conf/sites-enabled/100-domainname.com.vhost->/etc/httpd/conf/sites-available/domainname.com.vhost
    04.10.2019-22:01 - DEBUG - Created AWStats config file: /etc/awstats/awstats.domainname.com.conf
    04.10.2019-22:01 - DEBUG - Apache status is: running
    04.10.2019-22:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    04.10.2019-22:01 - DEBUG - Restarting httpd: systemctl restart httpd.service
    04.10.2019-22:01 - DEBUG - Apache restart return value is: 0
    04.10.2019-22:01 - DEBUG - Apache online status after restart is: running
    04.10.2019-22:01 - DEBUG - Processed datalog_id 2960
    04.10.2019-22:01 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    04.10.2019-22:01 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    04.10.2019-22:01 - DEBUG - Verified domain domainname.com should be reachable for letsencrypt.
    04.10.2019-22:01 - DEBUG - Verified domain www.domainname.com should be reachable for letsencrypt.
    04.10.2019-22:01 - DEBUG - Create Let's Encrypt SSL Cert for: domainname.com
    04.10.2019-22:01 - DEBUG - Let's Encrypt SSL Cert domains: --domains domainname.com --domains www.domainname.com
    04.10.2019-22:01 - DEBUG - exec: /bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains domainname.com --domains www.domainname.com --webroot-path /usr/local/ispconfig/interface/acme
    04.10.2019-22:01 - DEBUG - Let's Encrypt Cert file: does not exist.
    04.10.2019-22:01 - DEBUG - Writing the vhost file: /etc/httpd/conf/sites-available/domainname.com.vhost
    04.10.2019-22:01 - DEBUG - Apache status is: running
    04.10.2019-22:01 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    04.10.2019-22:01 - DEBUG - Restarting httpd: systemctl restart httpd.service
    04.10.2019-22:01 - DEBUG - Apache restart return value is: 0
    04.10.2019-22:01 - DEBUG - Apache online status after restart is: running
    04.10.2019-22:01 - DEBUG - Processed datalog_id 2961
     
  4. RobPatton

    RobPatton Member

    Sorry, was posting that just as you replied.
    Contents of the renewal file for the domain


    # renew_before_expiry = 30 days
    version = 0.38.0
    archive_dir = /etc/letsencrypt/archive/domainname.com
    cert = /etc/letsencrypt/live/domainname.com/cert.pem
    privkey = /etc/letsencrypt/live/domainname.com/privkey.pem
    chain = /etc/letsencrypt/live/domainname.com/chain.pem
    fullchain = /etc/letsencrypt/live/domainname.com/fullchain.pem

    # Options used in the renewal process
    [renewalparams]
    account = d96377783318765671714b7af1c7cdff
    server = https://acme-v02.api.letsencrypt.org/directory
    authenticator = webroot
    rsa_key_size = 4096
    webroot_path = /usr/local/ispconfig/interface/acme,
    [[webroot_map]]
     
    Last edited: Oct 5, 2019
  5. ahrasis

    ahrasis Well-Known Member

    There should be domain name(s) under this otherwise your LE SSL option box will become unticked.

    What is your ISPConfig and certbot version, because this was aready fixed since some version ago.
     
  6. RobPatton

    RobPatton Member

    Ok, I think I have it resolved. In my efforts to fix some show stopper problems with amavis, I restored to a backup that was running 3.1.13 / 38 of certbot I have since upgraded to latest of both, which has corrected 2 of the 3 sites I having problems with. The 3rd still behaves similarly. Will keep working on sorting out whats on with the 3rd. I assume this problem was corrected before 3.1.13 as I never saw it, but whatever the upgrade to 3.1.15 seems to have fixed most of it.

    Update. the 3rd domain has failed because of rate limits with letsencrypt passed during testing. So I'll have to wait a few days and try again with that 3rd site.
     
    Last edited: Oct 5, 2019
    till and ahrasis like this.

Share This Page