Renewal SSL for website not applying

Discussion in 'ISPConfig 3 Priority Support' started by unsichtbare, Jul 20, 2017.

  1. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Hi all -
    My GoDaddy SSL expired and I can't seem to make the renewal work. When I browse to the site, the old certificate is still presented! Here's what I did:
    1. Downloaded the new Certificate and Bundle from GoDaddy (*.zip)
    2. Unzipped the archive with 7-Zip
    3. Opened the Certificate and Bundle in Notepad++
    4. Copied each into the respective place on ISPconfig
    5. Chose "save certificate"
    Still get the old (expired) certificate when I browse to the site.
    THX
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Are there any jobs listed in the job queue of the monitor in ISPConfig?
     
  3. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    If not, please try an
    Code:
    service apache2 force-reload
    if this solves it.
     
  4. unsichtbare

    unsichtbare Member HowtoForge Supporter

    "No results"
     
  5. unsichtbare

    unsichtbare Member HowtoForge Supporter

    I rebooted the entire server before, but I have run this - no luck, still old SSL
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

  7. unsichtbare

    unsichtbare Member HowtoForge Supporter

    I deleted the SSL completely from the site and disabled SSL for the site and crashed the entire server - including ISPconfig!

    Recovered by reverting snapshot
     
    Last edited: Jul 20, 2017
  8. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Here is what I see:
    CONFIGURATION ERROR

    2017-07-20 10:38 :
    * Restarting web server apache2
    ...fail!
    * The apache2 configtest failed.
    Output of config test was:
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:72
    AH00526: Syntax error on line 179 of /etc/apache2/sites-enabled/100-owncloud.mydomain.com.vhost:
    Listen not allowed here
    Action 'configtest' failed.
    The Apache error log may have more information.
    Also, the directory has *.err on many of the files:

    root@azweb3:/var/www/owncloud.mydomain.com/ssl# ls -lahtr
    total 72K
    -rw-r--r-- 1 root root 1.2K Jul 16 2014 owncloud.mydomain.com.csr.bak
    -rw-r--r-- 1 root root 1.4K Jul 16 2014 owncloud.mydomain.com.crt.bak
    drwxr-xr-x 11 root root 4.0K Aug 30 2016 ..
    -r-------- 1 root root 1.8K Jan 9 2017 owncloud.mydomain.com.key.org.bak
    -r-------- 1 root root 1.7K Jan 9 2017 owncloud.mydomain.com.key.bak
    -r-------- 1 root root 1.8K Jul 20 10:41 owncloud.mydomain.com.key.org.err
    -r-------- 1 root root 1.7K Jul 20 10:41 owncloud.mydomain.com.key.err
    -rw-r--r-- 1 root root 1.2K Jul 20 10:41 owncloud.mydomain.com.csr.err
    -rw-r--r-- 1 root root 2.0K Jul 20 10:41 owncloud.mydomain.com.crt.err
    -r-------- 1 root root 1.8K Jul 20 10:41 owncloud.mydomain.com.key.org
    -r-------- 1 root root 1.7K Jul 20 10:41 owncloud.mydomain.com.key
    -rw-r--r-- 1 root root 1.2K Jul 20 10:41 owncloud.mydomain.com.csr
    -rw-r--r-- 1 root root 2.0K Jul 20 10:41 owncloud.mydomain.com.crt
    -rw-r--r-- 1 root root 4.8K Jul 20 10:41 owncloud.mydomain.com.bundle.err
    -rw-r--r-- 1 root root 4.8K Jul 20 10:41 owncloud.mydomain.com.bundle
    drwxr-xr-x 2 root root 4.0K Jul 20 10:42 .
    root@azweb3:/var/www/owncloud.mydomain.com/ssl#
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    The .err files indicate a fatal error in the apache config that caused Apache restart to fail.

    I guess you put something wrong into the apache directives field of the site owncloud.mydomain.com. According to the Apache error message there was a listen statement added there but listen might not be used within vhosts, so you can not add that into the apache directives field.
     
  10. unsichtbare

    unsichtbare Member HowtoForge Supporter

    I am still having trouble with this. I have cleared the apache directives, and no longer have *.err files in SSL, but now I see this in the log:
    [Sun Jul 23 09:47:47.511224 2017] [fcgid:warn] [pid 2728] [client 97.115.192.2:52352] mod_fcgid: stderr: ddr":"97.115.192.2","app":"PHP","message":"session_write_close(): Failed to write session data (files). Please verify that the current setting of session.save_path is correct (\\/var\\/www\\/clients\\/client3\\/web4\\/tmp) at \\/var\\/www\\/clients\\/client3\\/web4\\/web\\/lib\\/private\\/session\\/internal.php#77","level":3,"time":"2017-07-23T16:47:47+00:00","method":"GET","url":"\\/status.php"}
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Most likely you switched PHP mode of this site. Delete all sess_* files in the tmp directory of that website.
     
  12. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Thanks so much. Now we have this:
    [Mon Jul 24 06:06:03.154613 2017] [ssl:emerg] [pid 21899] AH02238: Unable to configure RSA server private key
    [Mon Jul 24 06:06:03.154726 2017] [ssl:emerg] [pid 21899] SSL Library Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch
    Previously, I had done the following:
    1. SSL Action > Delete Certificate > Save
    2. SSL Action > Create Certificate > Save
    3. Re-key SSL with GoDaddy
    4. Paste re-keyed certificate > SSL Action > Save Certificate
     
  13. unsichtbare

    unsichtbare Member HowtoForge Supporter

    [Mon Jul 24 06:45:02.290364 2017] [ssl:error] [pid 24390] AH02217: ssl_stapling_init_cert: can't retrieve issuer certificate! [subject: emailAddress=webmaster@owncloud.mysite.com,CN=owncloud.mysite.com,OU=Cloud,O=mysite,L=Flagstaff,ST=Arizona,C=US / issuer: emailAddress=webmaster@owncloud.mysite.com,CN=owncloud.mysite.com,OU=Cloud,O=mysite,L=Flagstaff,ST=Arizona,C=US / serial: E8FEB3322B5E1C6C / notbefore: Jul 23 16:56:02 2017 GMT / notafter: Jul 21 16:56:02 2027 GMT]
    [Mon Jul 24 06:45:02.290392 2017] [ssl:error] [pid 24390] AH02235: Unable to configure server certificate for stapling
     
    Last edited: Jul 24, 2017
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    This means that the new SSL cert was not issued with the CSR that was used before. As a result, the SSL cert key is not valid for the new SSL cert and therefore Apache cannot open it, so ISPConfig will undo the SSL change, as Apache would stop working otherwise.

    When you used a different CSR for this new SSL cert, then you have to put the new SSL key into the SSL key field as well.
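
The "key values mismatch" condition discussed in the posts above can be checked on the command line before a certificate and key are saved. The following is an added example, not part of the thread or of ISPConfig: the function names are hypothetical, and the demo key material is constructed throwaway data in which a self-signed certificate stands in for the re-keyed CA certificate.

```shell
#!/bin/sh
# Added example (not from the thread): confirm that a certificate and a
# private key belong together before saving them in the panel's SSL fields.

# pubkey_digest KIND FILE: SHA-256 of the public key in a crt, key or csr.
pubkey_digest() {
    case "$1" in
        crt) pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        key) pub=$(openssl pkey -in "$2" -pubout -passin pass: 2>/dev/null) || return 1 ;;
        csr) pub=$(openssl req -in "$2" -noout -pubkey 2>/dev/null) || return 1 ;;
        *)   return 2 ;;
    esac
    [ -n "$pub" ] || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 | awk '{print $NF}'
}

# same_key KIND_A FILE_A KIND_B FILE_B: 0 = same key, 1 = different, 2 = unreadable.
same_key() {
    a=$(pubkey_digest "$1" "$2") || return 2
    b=$(pubkey_digest "$3" "$4") || return 2
    [ "$a" = "$b" ]
}

# verdict CERT KEY: prints match, mismatch or unreadable.
verdict() {
    rc=0
    same_key crt "$1" key "$2" || rc=$?
    case $rc in
        0) echo match ;;
        1) echo mismatch ;;
        *) echo unreadable ;;
    esac
}

# Constructed demo: new.crt is issued for new.key, while old.key plays the
# stale key that stayed behind in the key field.
demo() {
    d=$(mktemp -d) || return 1
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/new.key" -out "$d/new.crt" 2>/dev/null
    echo "stale-key=$(verdict "$d/new.crt" "$d/old.key") new-key=$(verdict "$d/new.crt" "$d/new.key")"
    rm -rf "$d"
}

# With two arguments check real files, otherwise run the constructed demo.
if [ $# -eq 2 ]; then verdict "$1" "$2"; else demo; fi
```

Run it with the `.crt` and `.key` files from the site's `ssl` directory shown earlier in the thread; `same_key csr FILE crt FILE` performs the same comparison between the CSR sent to the CA and the certificate that came back.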
     
  15. unsichtbare

    unsichtbare Member HowtoForge Supporter

    So when I choose: Delete Certificate > Save
    The SSL Key remains. How do I delete that so I can start over with a new key?
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Empty the key field and save.
     
    unsichtbare likes this.
  17. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Working now.
    Apparently the part I missed all the while was the need to manually empty the key field and then save.
    My subscription to HowtoForge is invaluable. Thank You!
     
    till likes this.
