LetsEncrypt not renewing on some domains and LE SSL fragile...

Discussion in 'ISPConfig 3 Priority Support' started by peterpetr, Jul 7, 2017.

  1. peterpetr

    peterpetr Member HowtoForge Supporter

    Configuration & Brief History: I have ISPConfig 3.1.5 installed on Ubuntu 16.04 with MariaDB, Nginx, PHP 7 based on your Install Guide:
    I've also upgraded MariaDB to 10.1 back in March, 2017. Then upgraded ISPConfig to 3.1.4 when that version became available.
    I'm running mostly WordPress sites and using LetsEncrypt. My DNS records for all domains are hosted at the domain registrar (GoDaddy and NameCheap). All was working correctly and SSL certs were working correctly, with DNS records for all domains and subdomains publicly accessible.
    Problems with SSL:
    (a) One of my sites started giving SSL errors: mydoamin.net uses an invalid security certificate. The certificate expired on July 3, 2017 10:54 PM. The current time is July 6, 2017 6:14 PM. Error code: SEC_ERROR_EXPIRED_CERTIFICATE (with IE, Chrome, Firefox...)
    This site was first created with a LE SSL cert and with "Rewrite HTTP to HTTPS" set on.
    After some research and Google searches, I read about someone resolving a similar issue by re-installing ISPConfig 3.1.5 using the Update commands at the bottom of the page at: https://www.ispconfig.org/blog/ispconfig-3-1-5-released/ then answering YES to recreate the LetsEncrypt SSL certs. This didn't fix the SSL problem. I tested with multiple browsers, cleared browser cache and also tested on a different PC. How do I fix this SSL problem?
    (b) With this ISPConfig system, as described at the top of the page, it has always been fragile when creating sites with LE SSL certs. When I create a new site, SSL usually works, but if I disable SSL and subsequently re-enable it (or make other website changes), SSL seems to break. Often, my only fix is to back up the WordPress site, delete the site in ISPConfig, then create the same site again as a new LE SSL enabled site, and finally restore the WordPress backup.

    I would prefer to actually fix the SSL renewal issue as described in (a) and avoid my long-winded workaround as described in (b). I'm wondering why Sites are so fragile (SSL breaking often if I make certain changes to the Site in ISPConfig)? Thanks for your help.
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    The easiest way to fix the LE is to delete all contents for the domain from /etc/letsencrypt/renewal, /etc/letsencrypt/archive and /etc/letsencrypt/live.
    Then disable and re-enable SSL/LE.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The problem can be that LE renamed the SSL certs so that they have a new name now, and LE updates these newly renamed certs but not the original ones. Take a look into the folders at /etc/letsencrypt/; there should be a folder with the domain name and inside a folder live which holds the symlink to the current SSL cert. Did LE start adding a suffix like 001, 002, etc. to the names on your system? The cleanest fix is probably to do once what Croydon posted.
  4. peterpetr

    peterpetr Member HowtoForge Supporter

    @Croydon and @till, Thanks for your responses.
    To start, I deleted only the entries for the problem domain in:
    /etc/letsencrypt/renewal and /etc/letsencrypt/archive and /etc/letsencrypt/live
    Then disabled and then re-enabled SSL + LE for that domain's site. Success!
    Many thanks.
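
A read-only check for the state till describes (a renamed, suffixed lineage being renewed while the original is not), to run before deleting anything as Croydon suggests. This is an added example, not part of the original thread and not ISPConfig or certbot code. The `le_audit` name, the flag names and the three-or-four-digit suffix pattern are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not ISPConfig or certbot code): read-only audit of a
# Let's Encrypt directory for the symptoms discussed in this thread.
#
# le_audit [BASE] [SECONDS]
# Prints one line per lineage under BASE/live: "<name> <flag>[,<flag>...]"
#   duplicate-of:<domain>  name is <domain>-NNN or <domain>-NNNN and a
#                          plain <domain> lineage also exists (heuristic)
#   no-renewal-conf        BASE/renewal/<name>.conf is missing
#   expired-or-expiring    cert.pem is expired, unreadable, or expires
#                          within SECONDS (default 0 = already expired)
#   ok                     none of the above
le_audit() (
    base="${1:-/etc/letsencrypt}"
    window="${2:-0}"
    for dir in "$base"/live/*/; do
        [ -d "$dir" ] || continue
        name="$(basename "$dir")"
        flags=""
        # Assumed suffix pattern, based on the "001 002" naming in the thread.
        case "$name" in
            *-[0-9][0-9][0-9]|*-[0-9][0-9][0-9][0-9])
                stem="${name%-*}"
                [ -d "$base/live/$stem" ] && flags="${flags}duplicate-of:$stem,"
                ;;
        esac
        # Without a renewal config the lineage is not picked up for renewal.
        [ -f "$base/renewal/$name.conf" ] || flags="${flags}no-renewal-conf,"
        cert="$base/live/$name/cert.pem"
        if [ -f "$cert" ] && command -v openssl >/dev/null 2>&1; then
            openssl x509 -checkend "$window" -noout -in "$cert" \
                >/dev/null 2>&1 || flags="${flags}expired-or-expiring,"
        fi
        flags="${flags%,}"
        printf '%s %s\n' "$name" "${flags:-ok}"
    done
)

# Example: sh le_audit.sh /etc/letsencrypt 604800   (7-day warning window)
if [ "$#" -gt 0 ]; then
    le_audit "$@"
fi
```

A domain whose plain lineage is flagged `expired-or-expiring` or `no-renewal-conf` while a `duplicate-of:` sibling exists matches till's description; compare that with the certificate path in the site's web server configuration.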
