ISPConfig 3.1.2: letsencrypt certificates were not renewed automatically

Discussion in 'General' started by zenny, Mar 6, 2017.

  1. zenny

    zenny Member

    Hi,

    I have the same problem as @Jigal van Hemert reported at [https://www.howtoforge.com/community/threads/ispconfig-3-1-and-letsencrypt.73787/], but with 3.1.2.

    The DNS servers were pointing right because they retrieved the certificates two months back. Now, after 60 days, it keeps on reporting "failed client authentication" while renewing, as follows:

    Tried in command line:

    This has been happening to some domains, but not to some others?!!!
     
  2. sjau

    sjau Local Meanie Moderator

    Are the DNS servers still pointing to the correct IP?
     
  3. zenny

    zenny Member

    Yes, they do. And even the site is reachable over the browser as seen in the attachment, fyi.
     


  4. ahrasis

    ahrasis Active Member

    I would prefer unticking and reticking LE in ISPC, then seeing how it goes. My guess is the renewal problem may be caused by installing certificates not from ISPC in the first place.
     
  5. zenny

    zenny Member

    I have already ticked/unticked several times in the site tab of the ISPConfig panel without success. Deleted all old relevant keys for specific domains from the directories under the /etc/letsencrypt folder, as well as deleting the .well-known directory. The Letsencrypt log does not show any relevant info, nor does the ispconfig log!
     
    Last edited: Mar 7, 2017
  6. LAKSHA

    LAKSHA Member

    I updated to ispconfig 3.1.2 (followed the correct process).
    Added new website ncr.today.
    Checked SSL and LetsEncrypt and saved.
    Again opened the ncr.today website to create the SSL by filling in information.
    I filled in the information, created the certificate and saved.
    I saw 4 files in the ncr.today folder, which is in /var/www/clients/client*/web*/ssl
    ncr.today.crt
    ncr.today.csr
    ncr.today.key
    ncr.today.key.org


    I am missing
    /etc/letsencrypt/live/ncr.today/ this folder structure and hence the above mentioned solution is not of any use.
    Now I googled and thought I would comment
    <IfModule ssl_module>
    Listen 443
    </IfModule>

    <IfModule mod_gnutls.c>
    Listen 443
    </IfModule>
    to this
    #<IfModule ssl_module>
    Listen 443
    #</IfModule>

    #<IfModule mod_gnutls.c>
    Listen 443
    #</IfModule>
    in port.conf in etc/apache2/

    Tested and it didn't work.
    Then I added Listen 443 https to 100-ncr.today.vhost in /etc/apache2/sites-enabled
    <VirtualHost 185.83.216.138:80>
    Listen 443 https
    It's still not working

    @till @sjau or any experienced member please help me :)
     
  7. LAKSHA

    LAKSHA Member

    I commented out the following section
    #<IfModule mod_gnutls.c>
    #Listen 443
    #</IfModule>
    so Listen 443 is not repeated
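
Added example (not written by any poster and not ISPConfig code): a small Python check for the two `Listen` edits quoted in the posts above. Apache accepts `Listen` only in the server config context and refuses to start when the same port is declared twice unconditionally; the sample strings are constructed from the lines in the posts, and `lint_listen` is a hypothetical helper name.

```python
import re

# Constructed samples built from the config lines quoted in the posts.
ORIGINAL = """<IfModule ssl_module>
Listen 443
</IfModule>

<IfModule mod_gnutls.c>
Listen 443
</IfModule>
"""
EDITED = ORIGINAL.replace("<IfModule", "#<IfModule").replace("</IfModule", "#</IfModule")
VHOST = """<VirtualHost 185.83.216.138:80>
Listen 443 https
</VirtualHost>
"""

def lint_listen(conf_text):
    """Return (line_number, message) pairs for Listen lines Apache will reject."""
    findings = []
    stack = []  # names of the currently open <Section> blocks
    seen = {}   # unconditional endpoint -> line number of first Listen
    for no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or commented out: Apache ignores it
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:
            if tag.group(1):
                if stack:
                    stack.pop()
            else:
                stack.append(tag.group(2).lower())
            continue
        parts = line.split()
        if parts[0].lower() != "listen" or len(parts) < 2:
            continue
        if "virtualhost" in stack:
            findings.append((no, "Listen is not allowed inside <VirtualHost>"))
        elif not stack:
            # Listen inside <IfModule> only applies when that module is loaded,
            # so only top-level (unconditional) directives are compared here.
            if parts[1] in seen:
                findings.append((no, f"duplicate Listen {parts[1]} (first at line {seen[parts[1]]})"))
            else:
                seen[parts[1]] = no
    return findings

if __name__ == "__main__":
    for name, text in (("original", ORIGINAL), ("edited", EDITED), ("vhost", VHOST)):
        print(name, lint_listen(text))
```
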
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    1) Do not comment out or change any apache config lines, undo all changes that you made there as this is not related to your problem.
    2) If letsencrypt is not able to issue an ssl cert, then the problem can be found in the letsencrypt log file. Look at the logfile to see why the cert was not issued.
    3) Do not fill in or enter anything on the ssl tab of the website; the ssl tab is for manually created ssl certs only and not for letsencrypt. If you enter something there, then your letsencrypt cert gets overridden by a manual ssl cert.
     
  9. LAKSHA

    LAKSHA Member

    I did not fill in anything in the SSL section but just copied everything in reverse order in the Bundle section.
    I have reversed the changes made to the port.conf and ncr.today.vhost files,
    which was the following code
    <IfModule ssl_module>
    Listen 443
    </IfModule>

    <IfModule mod_gnutls.c>
    Listen 443
    </IfModule>
    to this
    #<IfModule ssl_module>
    Listen 443
    #</IfModule>

    #<IfModule mod_gnutls.c>
    Listen 443
    #</IfModule>
    in port.conf in etc/apache2/

    Now I really don't know where to check the letsencrypt log file, as I don't see any letsencrypt folder in apache2 or root or any other places.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

  11. LAKSHA

    LAKSHA Member

    Hello @till, thank you for your prompt help!
    - Check that you have Let’s Encrypt installed.
    It is not installed

    - Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
    I checked and deleted a few

    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected.
    I followed and completed this process

    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update and choose to reconfigure services in that case.
    Since I am on 3.1.2, I chose "reconfigure services" and followed the process without any error.
    I added a new website, enabled ssl and letsencrypt, and saved. I saw that no certificate was created, so I went on to the SSL tab and created a certificate.
    I saw 4 files in /var/www/clients/client*/web*/ssl
    topappmakers.com.crrt
    topappmakers.com.csr
    topappmakers.com.key
    topappmakers.com.key.org

    I didn't find a letsencrypt folder on my server, so I assume that letsencrypt is not installed. So I do not know if I have to install it manually, and if I do, then which folder to install it in? And what about the symlinks I see in many forums? Do I have to create symlinks? Please guide and help.
    Thank you in advance for all your support!


     
  12. ahrasis

    ahrasis Active Member

    Basically, what you may want to do is install letsencrypt or certbot, but how to do so depends on your server build.
     
  13. Turbanator

    Turbanator Member HowtoForge Supporter

    I may have missed it, but what Distro are you running? Look at the Perfect Server for that distro with ISPC 3.1.2 and install (or reinstall) LE as it shows in that section, then update ISPC again and reconfigure services. Report back once you do those steps and try to LE SSL a site.
     
