ISPC + Apache + Lets Encrypt

Discussion in 'Server Operation' started by Brad Trammell, Jan 11, 2020.

  1. Brad Trammell

    Brad Trammell New Member

    Hello! First time poster, long time user of the forums.
    I have an ISPC Server that just today started to have problems and I'm not sure where they started.
    When a client makes a configuration change the LetsEncrypt configuration gets removed from the configuration file for the domain. The only way to get LetsEncrypt into the configuration files and keep websites being served over SSL is to run 'certbot --apache' and select the websites and have it automatically add to the configuration file.

    However again, the next change through ISPC will remove it and overwrite the change.

    I'm not sure what happened, or why this is all of a sudden happening. Or if the master file somehow changed.

    Does anyone have any insight? I'm new to this forum, and this software so I'm not even really sure where to begin.

    Thanks

    Brad
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. Brad Trammell

    Brad Trammell New Member

    I don't mean to be rude, but this doesn't seem to be an issue with LetsEncrypt. The certificates generate properly and using the command line included with ISPC I can manually add them to the configuration files with ease.

    The problem is that ISPConfig does not insert that information into the configuration files when it resyncs or re-generates them, leading me to believe this is an ISPConfig issue, not a Lets Encrypt issue.

    Additionally, this was working fine originally for months. It just started out of no where yesterday. No changes were made to the server prior to this issue happening.
     
  4. ahrasis

    ahrasis Well-Known Member

    You run a certbot command not suitable for an ISPConfig web server which will, of course, be overwritten. @Taleman pointed you to the right direction if you still want to manage your web server with ISPConfig.
     
  5. Brad Trammell

    Brad Trammell New Member

    While I appreciate the insight, I know 100% after significant testing this is NOT a Lets Encrypt issue. The certificates WERE issued by the default lets encrypt function built into ISPC. They were issued, renewed, and then deleted and reissued to verify it was not the certificates using that same method. NOT BY USING certbot -d example.com or any other method.

    The only way that I was able to RESTORE the configuration that ISPConfig should be putting into the vhost configuration files when SSL and LetsEncrypt are selected in the Web GUI was to use the the certbot command with the apache plugin to manually add them to the vhost configuration file. The problem is that once the client updates the configuration, it overwrites the SSL configuration I manually added. Which is fine. The bigger problem is that ISPConfig is NOT adding the SSL information into the domains vhost file when the configuration is regenerated. Lets Encrypt does not generate the vhost files ISPConfig does, which means it's NOT Lets Encrypt.

    The fact that the certbot command is on the server is irrelevant, because it was not ever used to download any certificates used by ISPConfig or any of the client websites.
     
  6. ahrasis

    ahrasis Well-Known Member

    If you want your web server to be managed with ISPConfig, then do it its way.

    To issue letsencrypt certificates and modify a domain vhost to use its ssl, one must do it via ISPConfig web settings page, not via terminal.

    Many have use this feature without any problems, so do it the ISPConfig way, or don't use ISPConfig at all; otherwise, as said, vhost settings added or modified by the certbot command you run will be overwritten.
     
  7. Brad Trammell

    Brad Trammell New Member

    Again, and not to be rude. But this IS how I've been doing it, and I have stated that since the very beginning. I don't know how to much more clearly spell it out than to put it in every language I can think of.

    WE ARE NOT ISSUING SSL CERTIFICATES VIA TERMINAL, THEY ARE BEING ISSUED VIA ISPCONFIG's WEB INTERFACE!

    Danish: VI UDGIVER IKKE SSL-CERTIFIKATER VIA TERMINAL, DE UDSTEDES VIA ISPCONFIGS WEB-grænseflade!
    German: WIR STELLEN KEINE SSL-ZERTIFIKATE ÜBER DAS TERMINAL AUS, SIE WERDEN ÜBER DIE WEB-SCHNITTSTELLE VON ISPCONFIG AUSGESTELLT!
    Spanish: ¡NO ESTAMOS EMITIENDO CERTIFICADOS SSL A TRAVÉS DE LA TERMINAL, ESTÁN EMITIDOS POR LA INTERFAZ WEB DE ISPCONFIG!
    Persian: ما از گواهینامه های SSL از طریق TERMINAL استفاده نمی کنیم ، آنها از طریق وب سایت ISPCONFIG از طریق ISPCONFIG استفاده می شوند!
    Finnish: Emme anna SSL-TODISTUKSIA TERMINALISSA, JOTKA JULKAISETAAN ISPCONFIGIN WEB-LIITTYMÄSSÄ!
    French: NOUS N'ÉMETTRONS PAS DE CERTIFICATS SSL PAR TERMINAL, ILS SONT ÉMIS PAR L'INTERFACE WEB DE ISPCONFIG!
    Japanese: ターミナル経由でSSL証明書を発行するのではなく、ISPCONFIGのWebインターフェイス経由で発行されます!
    Korean: 우리는 터미널을 통해 SSL 인증서를 발급하지 않고 ISPCONFIG의 웹 인터페이스를 통해 발급됩니다!
    Latin: WE ARE NOT ISSUING SSL CERTIFICATES VIA TERMINAL, THEY ARE BEING ISSUED VIA ISPCONFIG's WEB INTERFACE!
    Malay: KAMI TIDAK MENGGUNAKAN SERTIFIKAT SSL VIA TERMINAL, MEREKA MENGGUNAKAN INTERFACE WEB ISPCONFIG!
    Polish: NIE WYDAWAMY CERTYFIKATÓW SSL ZA POMOCĄ TERMINALU, WYDAJĄ SIĘ ZA POMOCĄ INTERFEJSU INTERNETOWEGO ISPCONFIG!
    Portuguese: NÃO ESTAMOS EMITIDO CERTIFICADOS SSL ATRAVÉS DO TERMINAL, ESTÃO SENDO EMITIDOS PELA INTERFACE WEB DA ISPCONFIG!
    Russian: МЫ НЕ ВЫПУСКАЕМ СЕРТИФИКАТЫ SSL С ПОМОЩЬЮ ТЕРМИНАЛА, ОНИ ВЫДАЮТ НА ВЕБ-ИНТЕРФЕЙСЕ ISPCONFIG!
    Swedish: VI UTGÖR INTE SSL-CERTIFIKAT VIA TERMINAL, DE FÅR UTFÖRAS VIA ISPCONFIGS WEB-INTERFACE!
    Ukrainian: МИ НЕ ВИДАЄМО СЕРТИФІКАТИ SSL ВІД ТЕРМІНАЛІВ, ВИ ВИДАЄТЬСЯ ВЕБ-ІНТЕРФЕКЦІЮ ВІА ISPCONFIG!
    Chinese: 我们不是通过终端发布SSL证书,而是通过ISPCONFIG的Web界面发布的!


    Let's forget completely here the fact that I have certbot installed on the system. It's not there for all intents and purposes. Because I know that's not attributing to this issue.

    When I create a new domain name, or modify a domain configuration that already exists via the ISPConfig interface... ISPConfig (when SSL and LetsEncrypt are selected via the domains configuration) is supposed to go and get the SSL certificate for that domain (granted the DNS is pointed properly), and once it is retrieved, it is supposed to then add the new certificate files to the configuration file for the vhost.

    While it is generating the SSL certificate. The problem....which I've stated countless times now, is that ISPConfig is NOT adding the SSL configuration to the vhost files. It's almost as if the master file is damaged or corrupted, but I can see the SSL configuration information in the vhost master.


    @till or @florian030
    I'm hoping maybe either of you have some insight as you seem to be the men to ask on this subject, and I seem to get better no where fast on this thread.
     
  8. Steini86

    Steini86 Active Member

    Sounds silly, but have you tried switching it off and on again? Helped for me.
    Switch on debug logging, deactivate Letsencrypt for the host and activate it again after its executed.
     
  9. ahrasis

    ahrasis Well-Known Member

    You said the above.
    This has to be done to determine the cause of your problem.
    I merely explained what you have done to fix in your opening post is wrong and to determine the cause you need to follow the FAQ as suggested by @Taleman.

    I am not so sure whether you do understand but you don't fix thing using certbot command and making changes manually.

    Read the thread mentioned by @Taleman and follow the FAQ.
     
    Last edited: Jan 15, 2020
    Th0m likes this.

Share This Page