letsencrypt renew

Discussion in 'ISPConfig 3 Priority Support' started by chico11mbit, Dec 15, 2016.

  1. sjau

    sjau Local Meanie Moderator

  2. chico11mbit

    chico11mbit Member HowtoForge Supporter

  3. sjau

    sjau Local Meanie Moderator

    good :)
     
  4. chico11mbit

    chico11mbit Member HowtoForge Supporter

    so my strategy is for now:
    1. Set all sites to non-ssl in ISPConfig
    2. Delete all directories in ../live ../archive ../renewal in /etc/letsencrypt.
    3. Delete all symlinks in /var/www/*/ssl
    4. Set all sites to ssl in ISPConfig
    is that the proper way to reset the mechanism and set new certificates? Or must I change entries in the ISPConfig database?

    edit: it should not be necessary to set all sites to non-ssl. I can skip points 1 and 4 and only resync the ISPConfig website data after point 3.
     
    Last edited: Dec 15, 2016
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The LE certs point to the live folder and not the archive folder, take a look at the source code (from current ISPConfig git stable release):

    Code:
    $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem";
    $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";
    $bundle_tmp_file = "/etc/letsencrypt/live/".$domain."/chain.pem";
    $webroot = $data['new']['document_root']."/web";

    Maybe your system is not up to date or you use a third-party LE implementation and not the original code from ISPConfig?
     
  6. chico11mbit

    chico11mbit Member HowtoForge Supporter

    in which file is the code? I want to check it.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You can find it in the apache2 plugin in /usr/local/ispconfig/server/plugins-available/ and some similar code in the nginx plugin as well.
     
  8. chico11mbit

    chico11mbit Member HowtoForge Supporter

    that's weird.

    ispconfig is 3.1.1p and the letsencrypt installation is from a "how to perfect server" tutorial. Installed is certbot-auto in /opt/certbot

    the code is similar to yours..
    Code:
    $crt_tmp_file = "/etc/letsencrypt/live/".$domain."/cert.pem";
    $key_tmp_file = "/etc/letsencrypt/live/".$domain."/privkey.pem";
    $bundle_tmp_file = "/etc/letsencrypt/live/".$domain."/chain.pem";
    $webroot = $data['new']['document_root']."/web";
    and this is in the ssl folder:
    Code:
    lrwxrwxrwx  1 root root   73 Dez 16 09:02 mydomain.de-le.bundle -> ../../../../../../etc/letsencrypt/archive/mydomain.de/chain1.pem
    lrwxrwxrwx  1 root root   72 Dez 16 09:02 mydomain.de-le.crt -> ../../../../../../etc/letsencrypt/archive/mydomain.de/cert1.pem
    lrwxrwxrwx  1 root root   75 Dez 16 09:02 mydomain.de-le.key -> ../../../../../../etc/letsencrypt/archive/mydomain.de/privkey1.pem
    Also I cannot find the string "/archive/" in any file in the whole ispconfig folder. There is no entry in ispconfig's cron.log (debug mode) for creating these symlinks.

    is there another place to look? How can I investigate what happens there?

    also I don't understand how to update certbot like mentioned in ispconfig cron.log and what does the error message in bold stand for? System is Ubuntu 14.04.5 LTS
    Code:
    Fr 16. Dez 13:32:02 CET 2016 You are running with an old copy of letsencrypt-auto that does not receive updates, and is less reliable than more recent versions. We recommend upgrading to the latest certbot-auto script, or using native OS packages.
    .
    .
    Fr 16. Dez 13:32:06 CET 2016 Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
     
    Last edited: Dec 17, 2016
  9. chico11mbit

    chico11mbit Member HowtoForge Supporter

    Hi Till,
    after investigation I found the problem. Perhaps you can help me to solve it:
    When I manually create a symlink with
    Code:
    ln /etc/letsencrypt/live/MYDOMAIN.de/cert.pem test.bundle
    it creates a symlink like this:
    Code:
    test.bundle -> ../../archive/MYDOMAIN.de/cert2.pem
    (cert2.pem because of a created subdomain.)
    When I create a symlink with the "-s" option:
    Code:
    ln -s /etc/letsencrypt/live/MYDOMAIN.de/cert.pem test2.bundle
    it creates a symlink like this:
    Code:
    test2.bundle -> /etc/letsencrypt/live/MYDOMAIN.de/cert.pem
    Perhaps this is the answer and a problem with the difference between "ln" and "ln -s"?
    PHP for ispconfig itself is 5.5.9 fastcgi.

    Can anybody help me out of this?
     
    Last edited: Dec 17, 2016
  10. chico11mbit

    chico11mbit Member HowtoForge Supporter

    Ok, got it...

    When you check "System/Server config/web/make relative symlinks" the ssl link goes to the file in the archive folder directly.
    When you uncheck it all is ok. Then just a resync of all websites and all is fixed. Now I have to wait and see whether autorenew runs flawlessly.

    @till
    Perhaps a hint for an improvement in the next version of ispconfig?
     
    Last edited: Dec 17, 2016
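The finding above (a site's `*-le.crt`, `*-le.key` and `*-le.bundle` links pointing straight at a numbered file under `archive/` instead of at `live/`) is easy to detect on a server before the pinned certificate expires. The following POSIX shell script is an added example, not code from this thread or from ISPConfig: it inspects only the first hop of each link (what `readlink` reports, not the fully resolved path, since both healthy and pinned links ultimately end in `archive/`), canonicalises that hop, and flags any link that bypasses `live/`. The domain `example.test`, the temporary directory layout and the fixture builder are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: report ISPConfig-style LE symlinks that are pinned to a
# specific /etc/letsencrypt/archive/<domain>/<name>N.pem file instead of
# going through /etc/letsencrypt/live/<domain>/<name>.pem. A pinned link
# keeps serving the old certificate after certbot renews.

# check_le_links SSL_DIR LE_ROOT
#   Prints "ok|PINNED|DANGLING <link> -> <first-hop target>" per link.
#   Returns 0 when every link goes through live/, 1 otherwise.
check_le_links() {
    ssl_dir=$1
    # Canonicalise the letsencrypt root so prefix matching works even when
    # the caller passes a path that contains symlinked directories.
    le_root=$(cd "$2" && pwd -P) || return 1
    rc=0
    for link in "$ssl_dir"/*-le.crt "$ssl_dir"/*-le.key "$ssl_dir"/*-le.bundle; do
        [ -L "$link" ] || continue          # unmatched glob or plain file
        target=$(readlink "$link")
        # A relative target is relative to the directory holding the link.
        case $target in
            /*) abs=$target ;;
            *)  abs="$ssl_dir/$target" ;;
        esac
        # Resolve only the directory part (collapses the ../../.. chain);
        # the final component stays as written so live/ vs archive/ is visible.
        dir=$(cd "$(dirname "$abs")" 2>/dev/null && pwd -P) || {
            printf 'DANGLING %s -> %s\n' "$link" "$target"
            rc=1
            continue
        }
        abs="$dir/$(basename "$abs")"
        case $abs in
            "$le_root"/live/*)    printf 'ok %s -> %s\n' "$link" "$target" ;;
            "$le_root"/archive/*) printf 'PINNED %s -> %s\n' "$link" "$target"; rc=1 ;;
            *)                    printf 'DANGLING %s -> %s\n' "$link" "$target"; rc=1 ;;
        esac
    done
    return $rc
}

# make_fixture
#   Builds a constructed miniature of the layout seen in the thread under a
#   temporary directory and prints that directory. Two links are healthy
#   (absolute, via live/); the bundle link is relative and pinned to archive/.
make_fixture() {
    root=$(mktemp -d)
    le="$root/etc/letsencrypt"
    ssl="$root/var/www/example.test/ssl"
    mkdir -p "$le/archive/example.test" "$le/live/example.test" "$ssl"
    for f in cert privkey chain; do
        echo "$f v1 (constructed)" > "$le/archive/example.test/${f}1.pem"
        # certbot's own convention: live/<domain>/<f>.pem -> ../../archive/...
        ln -s "../../archive/example.test/${f}1.pem" "$le/live/example.test/$f.pem"
    done
    ln -s "$le/live/example.test/cert.pem"    "$ssl/example.test-le.crt"
    ln -s "$le/live/example.test/privkey.pem" "$ssl/example.test-le.key"
    # What "make relative symlinks" produced in the thread: straight into archive/.
    ln -s "../../../../etc/letsencrypt/archive/example.test/chain1.pem" "$ssl/example.test-le.bundle"
    printf '%s\n' "$root"
}

# Stand-alone use: check_le_links /var/www/<site>/ssl /etc/letsencrypt
# With no arguments, run against the constructed fixture instead.
if [ "$#" -ge 1 ]; then
    check_le_links "$1" "${2:-/etc/letsencrypt}"
else
    demo_root=$(make_fixture)
    check_le_links "$demo_root/var/www/example.test/ssl" "$demo_root/etc/letsencrypt" \
        || echo "at least one link is pinned or dangling; resync the site after unchecking 'make relative symlinks'"
fi
```

Run it as `sh check_le_links.sh /var/www/mydomain.de/ssl /etc/letsencrypt` for each site, or loop over `/var/www/*/ssl`; a non-zero exit is the signal that a resync with the relative-symlink option unchecked is still needed. A `PINNED` link is not harmful on the day it is created, which is why the problem only shows up when the first renewal is silently ignored.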
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I've added a note in the bug report that it is a problem with the relative symlink feature.
     
