Need to switch from a LE certificate to a Sectigo cert

Discussion in 'ISPConfig 3 Priority Support' started by webguyz, Sep 16, 2020.

  1. webguyz

    webguyz Active Member HowtoForge Supporter

    When I remove Letsencrypt SSL from a single website within ISPConfig and go to the website I see the wrong domain website. How do I tell ISPconfig to use my private cert and not have the behaviour where Letsencypts tries to display the lowest number or letter website
    Is it just a matter of manually point the next 3 entries in the vhost to the correct SSL cert away from le certs? Will this survive a update thru ISPconfig?
    The Santigo cert was created thru the SSL option for that website and I have all info like cert and bundle installed. Just need to enable it without screwing up and having my customers domain show up with another domain name.
    Thanks!

    SSLCertificateFile /var/www/clients/client106/web182/ssl/xxxx.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client106/web182/ssl/xxxxx.com-le.key
    SSLCertificateChainFile /var/www/clients/client106/web182/ssl/xxxxx.com-le.bundle
    SSLUseStapling on
    SSLStaplingResponderTimeout 5
    SSLStaplingReturnResponderErrors off
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Disable the Let's Encrypt option on the first tab of the website. Then enter the SSL key, SSL cert, and SSL bundle on the SSL tab of the website, select 'save certificate'a s action and press the save button.

    And yes, another site might show up for a few seconds, depends on how fast your web server restarts and how long you need to add the new cert after disabling Let#s encrypt. As alternative, you can try to add the new cert first before you disable let#s encrypt, but not sure if that works, so I would enable let#s encrypt first.
     
  3. webguyz

    webguyz Active Member HowtoForge Supporter

    Removed Letsencrypt checkboxs and saved. Created the SSL section and saved. For some reason the vhost is not getting the SSL section filled in. I also deleted the domain from LE but when I enter the domain in my browser its still going to the first LE encrypted site (starts with 3things). Not sure what to do. Is there a log that tracks ispconfig related
    <IfModule mod_ssl.c>
    </IfModule>
     
  4. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    Disable LE, go to the SSL tab, select action "Delete", and then add the new SSL cert.

    Thinking out loud, maybe we should remove the LE cert when LE is disabled as it causes confusion very often.
     
  5. webguyz

    webguyz Active Member HowtoForge Supporter

    I disabled LE for this domain in the gui, even deleted the domain name from certbot. Deleted and added new SSL cert. problem is its not populating my vhost setting. All I see is
    <IfModule mod_ssl.c>
    </IfModule>
    Also I just realized that all my IP settings on that server are *, but with a public domain cert i will need a dedicated IP address for this one domain, will it confuse anything in LE since all the other domains us * and this site will be a dedicated IP?
     
  6. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    That may be a business requirement you have, but it is not a technical requirement, you can use a single ip address for all your ssl sites, no matter where the certificates are issued from.
     
  7. webguyz

    webguyz Active Member HowtoForge Supporter

    So if I use * for this website will it use SNI to find its way?
    Big problem now is the SSL section is not getting populated in vhost. Looked in syslog but don't see anything related to trying to install the SSL info. is there a log that says if it failed to install SSL and why?
    Thanks
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You have to select 'save certificate' in the action field. It's not enough to click on save.

    LE and the normal SSL cert use different names, so this can't be mixed up anymore. This has been changed a few years ago already.

    Yes, there is no difference if the ssll cert is an LE cert or a cert that you bought from a SSL company.

    This happens when you don't chose 'save certificate' in the action field on the SSL tab. Another possibility is that the SSL cert you entered is incorrect e.g. because the SSL key does not belong to the SSL cert or that you password protected the SSL key.
     
  9. webguyz

    webguyz Active Member HowtoForge Supporter

    Definitely setting the save certificate and clicking green save button. The vhost file gets access time updated to when I save, but the SSL section does not get filled.
    Is there a log that shows if the certificate is not usable by ISPConfig? I have installed certs before LE came along but its been a while. I deleted all the files in the /ssl folder before I started create certfile, save, and so on.
     
  10. Th0m

    Th0m ISPConfig Developer ISPConfig Developer

    Is SSL enabled in the first tab? If not, enable it, if it is, try disabling and then re-enabling it.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

  12. webguyz

    webguyz Active Member HowtoForge Supporter

    Doah! Totally forgot to check the SSL after unchecking it when I removed LE. Working now.

    Thanks all for the help guyz!
     
    till and Th0m like this.
  13. webguyz

    webguyz Active Member HowtoForge Supporter

    In case your wondering why I am switching from a LE ssl cert to a thrid party, its because this customer is using a a security cdn called SiteLock. The A and CNAME record for the domain get pointed to Sitelock and Sitelock redirects to the actual IP where the website is after doing security checks. Problem is LE verifies the Domain A and CNAME records every 60 days and when it checks, the A and CNAME are pointing to Sitelock and the renew fails. To renew I have to change the DNS A and CNAME record to the actual website and then renew the cert LE cert and then after its in place move the A and CNAME records back to Sitelock. Pain in the ass to do this every 60 days.Easier to use a different SSL cert.
     

Share This Page