lets encrypt again

Discussion in 'ISPConfig 3 Priority Support' started by elmacus, Oct 5, 2016.

  1. elmacus

    elmacus Member HowtoForge Supporter

    I installed certbot from debian 8 backports instead of manual way.
    Do i need to do any config with it or does ispconfig fix the rest?
    What does ispconfig do anyway? I found only symlinks in SSL folder pointing to /etc/letsencrypt/live/domain.some.tld after manually adding it with certbot.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The certbot package of the os shold work as well. ispconfig does the wholeprocess to create an ssl cert with letsencrypt, do not create certs for websites with letsencrypt manually as this may cause the process in ispconfig to fail later.
     
  3. elmacus

    elmacus Member HowtoForge Supporter

    I manually removed the cert from /etc/letsencrypt and started over.
    ISPconfig created new ones there after i activate LetsEncrypt in gui, and symlinks to /SSL/, good.
    But the vhost is not updated to reflect this, how to troubleshoot ? I cant find any valid error log yet.
    Both SSL and LetsEncrypt is checked in the site, and the SSL gui shows the cert but empty textboxes.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

  5. elmacus

    elmacus Member HowtoForge Supporter

    Single testserver, well letsencrypt seems to work, its just that the vhost does not get the SSL settings and show the 000-default-ssl.vhost instead of 900-testdomain.vhost (testdomain work and is valid in DNS).
    Resync did not help. Its an Apache 2.4, upgrade in the past from 2.2, could it be some old template "got stuck"?
    Services is reconfigured, twice.
    Should i try the Apache 2.2 trick anyway ?
     
  6. elmacus

    elmacus Member HowtoForge Supporter

    Did a new testsite and that one worked as expected.
    So something strange in old testsite. I probaly should build a completly new testserver so i dont waste time chasing ghosts.
    Thanks for the help anyway with troubleshooting and narrowing in the fault.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Take a look at the /etc/apache2/sites-evailable/ folder. i there a vhost file for the site with .err file ending? If yes, then apache rejected the new configuration of the site. Remove the .err file extension from the file and restart apache to see the error message that causes apache to fail.
     
  8. elmacus

    elmacus Member HowtoForge Supporter

    No errors there. That was first i checked.
    But something with that 3.1 cant upgrade an old already SSL site to LetsEncrypt instead.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you deleted the certs before you tried to enable letsencrypt? letsebcrpyt will not overwrite custom certs.
     
  10. elmacus

    elmacus Member HowtoForge Supporter

    No but i deleted all certs after a while and LetsEncrypt does work, no problem there.
    This is a testsite so no problem, but lets hope other production sites that have SSL can convert to LetsEncrypt.
    I suppose that is already tried and should work.
    I dont have any more old testsite on that server so i cant confirm as a bug, need more test on production server now.
     
  11. elmacus

    elmacus Member HowtoForge Supporter

    SOLVED.
    After changing Auto-Subdomain and SSL domain from: *. to: NONE or WWW it worked.
    Changing back to *. worked also, but in some cases ISPconfig just dont update the vhost, and its "stuck" so there might be a bug here.
     
  12. elmacus

    elmacus Member HowtoForge Supporter

    Had a custumer on a production site, that have exactly same problem.
    He did install SSL selfmade cert first by misstake, and after that without delete it, he activated LetsEncrypt. (same as i did on the testserver)
    Changing auto-subdomain does not help in this case so im stuck.
    The vhost file does not include the SSL part. Its like ispconfig does not know that letsencrypt is activated, database error ?
    Activating LetsEncrypt first works as expected.
    So this must clearly be a bug in 3.1.
    So either block that its possible to create LetsEncrypt when there is an SSL cert already or better find the real cause.
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Feel free to make a report in the bugtracker so we can check that for the next release.
     

Share This Page