Let's Encrypt certificate not renewed on slave server

Discussion in 'Installation/Configuration' started by customhost, Sep 28, 2021.

  1. customhost

    customhost New Member

    Hi all,
    I found out recently that the server-wide Let's Encrypt SSL certificate was not renewed automatically on my slave server. Despite not having an ISPConfig web interface installed on the server, it's still important to have the Let's Encrypt certificate renewed as it's used for securing the FTP server and other tools (monitoring etc).

    To solve the issue, I needed to re-issue the certificate manually:
    Code:
    # Remove the expired certificate first
    rm -rf /etc/letsencrypt/live/SERVER.HOSTNAME*
    rm -rf /etc/letsencrypt/archive/SERVER.HOSTNAME*
    rm -f /etc/letsencrypt/renewal/SERVER.HOSTNAME*
    rm -f /usr/local/ispconfig/interface/ssl/*
    
    # Force update
    ispconfig_update.sh --force
    
    # Fix wrong file permissions
    chmod 0600 /usr/local/ispconfig/interface/ssl/ispserver.pem
    
    Is there any way to automate this so that the certificate gets renewed automatically like it does on the ISPConfig master server?
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. atle

    atle Member HowtoForge Supporter

  4. customhost

    customhost New Member

    Thank you both, you pointed me in the right direction.
    Still, there's the issue with the wrong permissions on the .pem file. They should be set correctly when creating/updating the certificate.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That actually shouldn't matter, the function (make_ispconfig_ssl_cert()) is not overwritten in any OS-specific files. So no idea why you would have any different permission, unless the file isn't created by the installer. You could put debug messages just ahead of and after that to ensure that's getting run, and "ls -l /usr/local/ispconfig/interface/ssl" before and after as well.
     
  7. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    is that a recent (nightly) change? i used the autoinstaller to install a new ispconfig server on ubuntu 20.04 on a digital ocean droplet last week. it created the cert files using acme.sh. all the cert files in /root/.acme.sh/<fqdn>/ had permissions 644. ownership root:root
    the crt, key and pem files in /usr/local/ispconfig/interface/ssl all had permissions 750. ownership root:root
    i link to this ispserver.pem file for monit, i had to manually change its permissions to 600 to get the monit service to start.
     
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Looks like 3.2.6 has the same code (been the same for about a year).
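
Added example, not part of the thread and not ISPConfig code: a check that can run after a renewal (for instance from cron) to find key-bearing files in the SSL directory that are accessible to group or others, as in the 750 case reported above, and tighten them to 600. The function names and the `--audit`/`--fix` arguments are hypothetical; GNU find and stat are assumed.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on private-key files.
# SSL_DIR defaults to the directory named in the thread; override it for testing.
SSL_DIR="${SSL_DIR:-/usr/local/ispconfig/interface/ssl}"

# Print "MODE PATH" for each file directly under $1 that contains a private
# key and has any group/other permission bit set (mask 077).
# -L follows symlinks, so a key linked into the directory is judged by its target.
loose_key_files() {
    find -L "$1" -maxdepth 1 -type f -perm /077 2>/dev/null |
    while IFS= read -r f; do
        # A certificate alone is public; only flag files holding key material.
        if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            printf '%s %s\n' "$(stat -L -c '%a' "$f")" "$f"
        fi
    done
}

# chmod every file reported by loose_key_files to 0600.
# Returns 0 when nothing needed fixing and 1 when something was changed,
# so the caller can alert that a renewal left a key too widely readable.
fix_key_perms() {
    list=$(loose_key_files "$1")
    if [ -z "$list" ]; then
        return 0
    fi
    echo "$list" | while IFS= read -r line; do
        path=${line#* }            # strip the leading "MODE " field
        chmod 0600 "$path" && echo "tightened: $line -> 600"
    done
    return 1
}

# Hypothetical command-line entry points; with no argument only the
# functions are defined.
case "${1:-}" in
    --audit) loose_key_files "$SSL_DIR" ;;
    --fix)   fix_key_perms "$SSL_DIR" ;;
esac
```

A non-zero exit from `--fix` means a file had to be corrected, which is the signal to look at how the certificate files were created.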
     
