ISPCONFIG 3.2.4 SSL for Panel and mail did not renew

Discussion in 'ISPConfig 3 Priority Support' started by ganewbie, May 10, 2021.

Tags:
  1. ganewbie

    ganewbie Member HowtoForge Supporter

    The server is Ubuntu 20.04.1 LTS (Focal Fossa)) ISPConfig 3.2.4.
    Server is functioning OK, but one issue.
    srv1.example.com is the host that has a valid SSL certificate and the certificate renewed properly.
    Code:
    Checking / creating certificate for srv1.example.com
    Using certificate path /etc/letsencrypt/live/srv1.example.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Cert not yet due for renewal
    Keeping the existing certificate
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
    
    
    The issue here is:
    The Panel and the mail server did not get the newed certificate. It appears that the symlink if pointing to something wrong. How come and how to fix it.
    Thanks in advance,
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Rerun the update with
    Code:
    ispconfig_update.sh --force
     
    ganewbie likes this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You cannot force renewal on LE certs not yet passed 60 days from 90 days expiry term.
     
    ganewbie likes this.
  4. ganewbie

    ganewbie Member HowtoForge Supporter

    @Th0m
    Yes, and I answered yes to renew services. I did that but no luck.
    Agreed,
    But my dilemma is the srv1.example.com has a renewed LE cert properly.
    but srv1.example.com:8080 and smtp seem to be pointing (symlink) to something else!!??
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You should check what is the symlink in ispconfig ssl folder to know what is the source and whether it is the right source.
     
  6. ganewbie

    ganewbie Member HowtoForge Supporter

    Here is what the symlink is pointing to, which is correct, but the certificate is not updated. Yet when I go to srv1.example.com the browser shows green bar.
    Code:
    [email protected]:~# ls -l /etc/letsencrypt/live/srv1.example.com
    total 4
    lrwxrwxrwx 1 root root  42 Feb  1 15:56 cert.pem -> ../../archive/srv1.example.com/cert1.pem
    lrwxrwxrwx 1 root root  43 Feb  1 15:56 chain.pem -> ../../archive/srv1.example.com/chain1.pem
    lrwxrwxrwx 1 root root  47 Feb  1 15:56 fullchain.pem -> ../../archive/srv1.example.com/fullchain1.pem
    lrwxrwxrwx 1 root root  45 Feb  1 15:56 privkey.pem -> ../../archive/srv1.example.com/privkey1.pem
    -rw------- 1 root root 692 Feb  1 15:56 README
    I have a weired host domain that has been updated not sure how?
    Code:
    [email protected]:~# ls -l /etc/letsencrypt/live/srv1.example.com-0001/
    total 4
    lrwxrwxrwx 1 root root  47 Apr 14 18:12 cert.pem -> ../../archive/srv1.example.com-0001/cert2.pem
    lrwxrwxrwx 1 root root  48 Apr 14 18:12 chain.pem -> ../../archive/srv1.example.com-0001/chain2.pem
    lrwxrwxrwx 1 root root  52 Apr 14 18:12 fullchain.pem -> ../../archive/srv1.example.com-0001/fullchain2.pem
    lrwxrwxrwx 1 root root  50 Apr 14 18:12 privkey.pem -> ../../archive/srv1.example.com-0001/privkey2.pem
    -rw-r--r-- 1 root root 692 Feb 13 14:38 README
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    @ahrasis meant the symlinks in /usr/local/ispconfig/interface/ssl/ .. what do those files/symlinks look like?
     
  8. ganewbie

    ganewbie Member HowtoForge Supporter

    Here you are:
    Code:
    [email protected]:~# ls -l /usr/local/ispconfig/interface/ssl/
    total 64
    -rwxr-x--- 1 root root   45 May 10 15:30 empty.dir
    lrwxrwxrwx 1 root root   54 May 10 15:30 ispserver.crt -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    -rwxr-x--- 1 root root 2025 Jan 25 14:07 ispserver.crt-20210131172109.bak
    lrwxrwxrwx 1 root root   54 Jan 31 17:21 ispserver.crt-20210201151502.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    lrwxrwxrwx 1 root root   54 Feb  1 15:15 ispserver.crt-20210201155630.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    lrwxrwxrwx 1 root root   54 Feb  1 15:56 ispserver.crt-20210214070449.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    lrwxrwxrwx 1 root root   54 Feb 14 07:04 ispserver.crt-20210510153025.bak -> /etc/letsencrypt/live/srv1.example.com/fullchain.pem
    -rwxr-x--- 1 root root 1716 Jan 31 20:41 ispserver.csr
    lrwxrwxrwx 1 root root   52 May 10 15:30 ispserver.key -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    -rwxr-x--- 1 root root 3243 Jan 25 14:07 ispserver.key-20210131172109.bak
    -rwxr-x--- 1 root root 3247 Jan 31 20:41 ispserver.key-20210201151502.bak
    lrwxrwxrwx 1 root root   52 Feb  1 15:15 ispserver.key-20210201155630.bak -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    lrwxrwxrwx 1 root root   52 Feb  1 15:56 ispserver.key-20210214070449.bak -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    lrwxrwxrwx 1 root root   52 Feb 14 07:04 ispserver.key-20210510153025.bak -> /etc/letsencrypt/live/srv1.example.com/privkey.pem
    -rwxr-x--- 1 root root 3311 Jan 31 20:41 ispserver.key.secure
    -rwxr-x--- 1 root root 7057 May 10 15:30 ispserver.pem
    -rwxr-x--- 1 root root 5268 Jan 25 14:07 ispserver.pem-20210131172109.bak
    -rwxr-x--- 1 root root 5312 Jan 31 20:41 ispserver.pem-20210201151502.bak
    -rwxr-x--- 1 root root 7057 Feb  1 15:56 ispserver.pem-20210214070449.bak
    -rwxr-x--- 1 root root 7057 Feb 14 07:04 ispserver.pem-20210510153025.bak
    
     
    Last edited: May 11, 2021
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    I suspect the certs in
    /etc/letsencrypt/live/srv1.example.com-0001/ are used for your site currently, and
    /etc/letsencrypt/live/srv1.example.com/ for your panel. Try symlinking the certs to the 0001 certs.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I don't normally like when there are additional 0001, 0002, etc, so I would delete them all and request for new certs instead. For that I would run rm-rf /etc/letsencrypt/*/srv1.example.com* and since it is for the server itself, force update ispconfig and choose creating ssl certs should, in my mind, issue new certs under /etc/letsencrypt/*/srv1.example.com. This is because I think symlinking ISPConfig SSL certs to 0001 LE SSL certs may not be future-update safe / proof but I could be wrong.
     
  11. ganewbie

    ganewbie Member HowtoForge Supporter

    @Th0m Tried that and it works. Thanks.
    @ahrasis I like your approach, when i did that.
    Cannot restart apache2 for the following reason.
    Code:
    May 12 10:06:35 srv1 apachectl[2921107]: AH00526: Syntax error on line 129 of /etc/apache2/sites-enabled/100-srv1.example.com.vhost:
    May 12 10:06:35 srv1 apachectl[2921107]: SSLCertificateFile: file '/var/www/clients/client0/web9/ssl/srv1.example.com-le.crt' does not exist or is empty
    May 12 10:06:36 srv1 apachectl[2921098]: Action 'start' failed.
    
    
    [email protected]:~# ls -l /var/www/clients/client0/web9/ssl/
    total 0
    lrwxrwxrwx 1 root root 55 Feb 13 14:38 srv1.example.com-le.bundle -> /etc/letsencrypt/live/srv1.example.com-0001/chain.pem
    lrwxrwxrwx 1 root root 59 Feb 13 14:38 srv1.example.com-le.crt -> /etc/letsencrypt/live/srv1.example.com-0001/fullchain.pem
    lrwxrwxrwx 1 root root 57 Feb 13 14:38 srv1.example.com-le.key -> /etc/letsencrypt/live/srv1.example.com-0001/privkey.pem
    Is it safe to edit the symlink, or what is the best way to get this fixed
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The cert for the site web9 is symlinked to the /etc/letsencrypt cert. That causes Apache to fail. What you can do is:
    - remove the files in /var/www/clients/client0/web9/ssl that are symlinked to the Let's Encrypt folder
    - remove the folders as @ahrasis described
    - start apache
    - disable LE for srv1.example.com through the ISPConfig panel and re-enable it.
    - Wait for it to finish and check if the cert is succesfully created
    - Run a forced update, choose to get a new SSL cert
     
  13. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks for the quick response, but I have already got a new certificate for srv1.example.com after I followed @ahrasis recommendation, is there a way to edit the symlink without requesting another certificate?
    I am not sure who is creating the symlink is it ISPConfig3 panel? and if it is safe to delete the current and create the symlink manually?
     
    Last edited: May 12, 2021
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    When running the update, it will recognize there is a existing cert and use it.
     
  15. ganewbie

    ganewbie Member HowtoForge Supporter

    Thanks @Th0m
    I guess you replied while I am typing my message.
    What I have done is the:
    Code:
    ln -sfn /etc/letsencrypt/live/srv1.example.com/chain.pem srv1.example.com-le.bundle
    ln -sfn /etc/letsencrypt/live/srv1.example.com/fullchain.pem srv1.example.com-le.crt
    ln -sfn /etc/letsencrypt/live/srv1.example.com/privkey.pem srv1.example.com-le.key
    Restart apache and everything is in order.
    Do I expect that this action would cause any issues or what i have done was safe to do?
    As FYI for any newbies:
    -n option is necessary when linking to a different target folder to avoid creating a sub-folder inside that symbolic link and instead replace the symbolic link completely
     
    Last edited: May 12, 2021
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This guide can be followed if you want to do it manually: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
     

Share This Page