Letsencrypt symbolic link to the wrong domain

Discussion in 'Installation/Configuration' started by brainsys, Apr 10, 2021.

  1. brainsys

    brainsys Member

    I have a site with lots of aliased domains. ISPConfig Control Panel generates a new set of Letsencrypt certificates whenever I add/delete an aliased domain as it should.

    I noticed the certificate had apparently not been renewed for the last aliasdomain deletion. On investigation I found the wrong symbolic links had been created in /var/www/domain.tld/ssl. When I corrected the links and restarted Apache the proper updated certificate was used.

    The "wrong.domain.tld" in the symbolic link was an aliased domain and not the host domain. I presume ISPConfig creates the symbolic link. Any idea how this could have happened and how can I prevent it be repeated either at the next automatic renewal or when I add/delete another aliased domain?

    ISPConfig 3.2.4 on Debian Buster - installed using Perfect Server tutorial.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    In what way was the symbolic link wrong? Output of ls -lh?
  3. brainsys

    brainsys Member

    This is what some previous update had created for the private key - other keys had same error. ls -lh of /var/www/host.domain.tls/sll shows:
    host.domain.tld-le.key -> /etc/letsencrypt/live/aliased.domain.tld/privkey.pem
    The correct entry should have been:
    host.domain.tld-le.key -> /etc/letsencrypt/live/host.domain.tld-0005/privkey.pem
    aliased.domain.tld was just one of many aliased domains to this host. The /etc/letsencrypt/live directory had created an aliased.domain.tld subdirectory which pointed to the aliased.domain.tld archive directory which had an old version of the host.domain.tld domain list. Hence when one of these domains had been removed from the alased domain list and had its DNS deleted letsencrypt correctly fails to renew the certificates for aliased.domain.tld. Paradoxically it did renew the host.domain.tld certificates. But these were not seen by any browser until I repointed the symbolic links to host.domain.tld-0005 and restarted apache.

    aliased.domain.tld was never a host on this machine. The erroneous directory was setup on Feb 5th. I seem to recall there was another problem resulting from a bug in the letsencrypt software around that time. Could this be related?

Share This Page