LE does not renew on port 8080

Discussion in 'ISPConfig 3 Priority Support' started by atle, Jun 4, 2021.

  1. atle

    atle Member HowtoForge Supporter

    Time to renew the LE cert for the panel on port 8080, and it has failed, or not been done. Cant see from the logs what is going wrong.
    The server was installed a month or so ago, with the autoinstall script and on 3.2.4, hence acme has been used all the time.
    Any idea how I can trouble shoot this further?
    Certs on websites works, and port 8080 used to work.
    The ispserver.pem file is from May 3rd.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Hmm, not sure but I think a LE cert is not due for renewal after 1 month. According to the LE website, renewal happens after 60 days, so your cert is just not due for renewal yet, and that's why renewal did not happen yet.
     
  3. atle

    atle Member HowtoForge Supporter

    Yes, you are right, the acme log says:

    Code:
    [Fri 04 Jun 2021 12:34:14 AM CEST] di='/root/.acme.sh/ic.*****.com/'
    [Fri 04 Jun 2021 12:34:14 AM CEST] d='ic.*****.com'
    [Fri 04 Jun 2021 12:34:14 AM CEST] Using config home:/root/.acme.sh
    [Fri 04 Jun 2021 12:34:14 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri 04 Jun 2021 12:34:14 AM CEST] DOMAIN_PATH='/root/.acme.sh/ic.*****.com'
    [Fri 04 Jun 2021 12:34:14 AM CEST] Renew: 'ic.*****.com'
    [Fri 04 Jun 2021 12:34:14 AM CEST] Le_API='https://acme-v02.api.letsencrypt.org/directory'
    [Fri 04 Jun 2021 12:34:14 AM CEST] Using config home:/root/.acme.sh
    [Fri 04 Jun 2021 12:34:14 AM CEST] ACME_DIRECTORY='https://acme-v02.api.letsencrypt.org/directory'
    [Fri 04 Jun 2021 12:34:14 AM CEST] Skip, Next renewal time is: Thu 01 Jul 2021 10:34:12 PM UTC
    [Fri 04 Jun 2021 12:34:14 AM CEST] Add '--force' to force to renew.
    [Fri 04 Jun 2021 12:34:14 AM CEST] Return code: 2
    [Fri 04 Jun 2021 12:34:14 AM CEST] Skipped ic.*****.com
    But the the expire date in the browser says 2021-06-02.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Then your config on port 8080 must point to a different SSL cert. Post the output of:

    ls -la /usr/local/ispconfig/interface/ssl/
     
  5. atle

    atle Member HowtoForge Supporter

    Code:
    [email protected]:admin_tools [16]# ll /usr/local/ispconfig/interface/ssl
    total 40
    -rwxr-x--- 1 root root   45 Apr  7 20:39 empty.dir
    -rwxr-x--- 1 root root 3441 Mar  5 20:40 ispserver.crt
    -rwxr-x--- 1 root root  985 Mar  5 07:14 ispserver.csr
    -rwxr-x--- 1 root root 1675 Mar  5 07:14 ispserver.key
    -rwxr-x--- 1 root root 3311 Mar  4 21:07 ispserver.key.secure
    -rw------- 1 root root 5116 May  3 00:34 ispserver.pem
    -rwxr-x--- 1 root root 3529 Mar  5 08:41 ispserver.pem-
    -rwxr-x--- 1 root root 5116 Mar 10 18:13 ispserver.pem-210503003412.bak
    And the acme dir

    Code:
    drwxr-xr-x 2 root root 4096 Mar  4 21:07 backup
    -rw-r--r-- 1 root root 1587 May  3 00:34 ca.cer
    -rw-r--r-- 1 root root 3441 May  3 00:34 fullchain.cer
    -rw-r--r-- 1 root root 1854 May  3 00:34 ic.**********************.com.cer
    -rw-r--r-- 1 root root 1038 May  3 00:34 ic.**********************.com.conf
    -rw-r--r-- 1 root root  985 May  3 00:34 ic.**********************.com.csr
    -rw-r--r-- 1 root root  213 May  3 00:34 ic.**********************.com.csr.conf
    -rw-r--r-- 1 root root 1675 Mar  4 21:07 ic.**********************.com.key
    **********************
    They seem to be equivalent.
    All certs on ftp/smtp/imap etc shows expire date 2021-06-02, IIRC they use ispserver.pem
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Try to restart the web server and check again in browser after closing and opening browser.
     
  7. atle

    atle Member HowtoForge Supporter

    Yes, I have already tried that. I have tried to reboot the server as well.
    Its not restricted to the web server, the other services, ftp/smtp etc, that use ispserver.pem also says expired cert. So ispserver.pem and ispserver.key seem to have been expired, but acme checks something else.
    This server as installed with one of the first versions of the autoinstall script and with this there were issues with LE. IIRC Tom helped me out with that.
     
  8. atle

    atle Member HowtoForge Supporter

    The server name is like ic.foo.com, and what I understand the cert for https://ic.foo.com:8080 resides in /usr/local/ispconfig/interface/ssl
    I also have a regular website on the server for ic.foo.com. Its certificate resides in /var/www/clients/client1/web67/ssl/ic.foo.com-le.key
    I believe it is this cert acme shows its expire date for in the logs.
    I did a `acme.sh -r -d ic.foo.com' and it did update the /var/www/clients/client1/web67/ssl/ic.foo.com-le.key. The .crt and .key in /usr/local/ispconfig/interface/ssl were untouched and a new .pem file was created by letsencrypt_renew_hook.sh, but from the old .crt and .key files.
    How do I get the files ispserver.crt and ispserver.key to be renewed?
    Is it a problem I have a regular website for the server name?
     
  9. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    If you want it setup that way, delete the files in
    /usr/local/ispconfig/interface/ssl and recreate then as symlinks to the website files.
     
  10. atle

    atle Member HowtoForge Supporter

    Thanks Jesse, yes I did that as a work-around to get it going. But, is there anything wrong with my setup that does not make the ispserver.* files to renew?
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem is most likely caused by the website that you created for the hostname. The symlink is probably the best solution for that.
     
  12. atle

    atle Member HowtoForge Supporter

    Oki, if I recall right I did set up the website to provide access to phpmyadmin non-chrooted since customers are chrooted. Will look in to another solution for that.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    It should be fine to keep the symlink setup. The issue it probably that both places share the same cert, but unlike certbot, acme.sh copies the cert to the destination, but it does this probably only for the latest destination, so it will copy the cert to the site's SSL folder, but not to the ispconfig SSL folder anymore. The symlink solution should be ok, just take care to not delete the website in this case though :)
     
    Jesse Norell and atle like this.
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Ispconfig runs renewals from a nightly cron job, you would have to enable debugging and check the logs to see what is going on there.

    You could switch to the newer style setup by removing that website and the symlinks to it's ssl files, then create the symlinks to the acme files, or even run the installer and reconfigure services to let it create the symlinks for you.
     
  15. atle

    atle Member HowtoForge Supporter

    Like this?
    Code:
    ln -s /root/.acme.sh/ic.foo.com/fullchain.cer ispserver.crt
    ln -s /root/.acme.sh/ic.foo.com/ic.foo.com.key ispserver.key
    
     
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You might have used the old techniques in securing your ISPConfig server and UI, if so, you need to undo it and re-secure them via latest ISPConfig 3.2 update and choose create SSL during that update process. Otherwise, there could a lot more for you to fix in the future. Please also make sure, you don't have both certbot and acme.ch install.
     
  17. atle

    atle Member HowtoForge Supporter

    I am not sure what "old" and "new" is, I've read Thoms article at https://www.howtoforge.com/communit...encrypt-certificate-when-using-acme-sh.86950/, but it does not make it any clearer for me.

    The server was installed with auto install script in March, version 3.2.3 I believe. The updated to 3.2.4 using ispconfig_update. I don't know at all what is "new" and/or "old" method and when it was introduced. Reading Thoms post and finding there no symlinks in
    /usr/local/ispconfig/interface/ssl/ on my server, which then Tom refers to the "old" method, I assume I am on the "new" method. However, Jesse in this thread refers to the "new" method as the one using symlinks, it does not make any sense for me.
    Right now I have created the files in /usr/local/ispconfig/interface/ssl/ manually by copying the website certs. I have removed the website, so I will wait for the next time the certs needs renewal and see what happens. When 3.2.5 turns up, I will do the upgrade, won't force one on 3.2.4 since it is working now.
     
    Last edited: Jun 5, 2021
  18. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    By new vs old, I meant creating a website for ispconfig to setup the certificate request/renewals; now the installer can request a certificate directly for the server hostname.
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If this is a new setup using the auto installer with acme.sh I don't see why there should be a failure to renew unless you manually changed things setup by ISPConfig or your new server setup was not clean, that is why I asked the questions.
     
  20. atle

    atle Member HowtoForge Supporter

    Hm, yes, no the server is 100% native, installed from scratch with the auto install script, directly on 3.2.3, and no customisations at all.
    I believe the answer is what Till said, if there is a website with the same name as the server, there is one cert for it and as well a cert for the server, that is 2 certs for the same hostname, but acme addresses just one of them. If I want to have a website with the server name I need to do some customisation in /usr/local/ispconfig/interface/ssl/, symlinks to the website or to the acme dir. If I don't have a website with the server name, the it should work out of the box. Right now I prefer the latter.
     

Share This Page