Securing ISPc

Discussion in 'Installation/Configuration' started by FredZ, Jul 7, 2021.

  1. FredZ

    FredZ Member HowtoForge Supporter

    Hello all

    I've just installed a new deb10 server and installed ISPc using the automatic install script. All seems to have installed correctly. I have also successfully migrated from the old server to this new server.

    However I can't seem to secure ISPc using a Let's Encrypt SSL cert. All other domains on the server are secured.

    I have run the ISPc update script using --force and answered yes to create a new cert. But the ISPc console still seems to be insecure.

    Code:
    Checking / creating certificate for mydomain.tld
    Using certificate path /etc/letsencrypt/live/mydomain.tld
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Missing command line flag or config entry for this setting:
    Please choose an account
    Choices: ['[email protected]:32:10Z (3423)', '[email protected]:55:11Z (2b50)', '[email protected]:22:33Z (64ee)']
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    For the purpose of this post I changed the actual domain name to mydomain.tld

    So my questions are:
    1. How do I now secure ISPc?
    2. Do I still use the update SSL script as per this howto?
    This new server has been online (live) for the past week, so I doubt it is DNS related. But I may be wrong.

    Debian 10
    ISPConfig 3.2.5

    Regards

    Fred
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Seems as if you have more than one account configured in certbot; there should be just one account, so you will have to remove all accounts except the one with the most SSL certs. The certs from other accounts will fail to renew, that's why it's important to remove the account which has no certs at all or the fewest certs.
     
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  4. FredZ

    FredZ Member HowtoForge Supporter

    OK, I don't understand what you mean by having more than one account for certbot.

    I have tried the new autoinstall script (thank you Taleman) and I have managed to secure ISPc after 4 attempts at running the update script. But now none of my sites will allow me to activate Let's Encrypt SSL. I can turn on SSL.

    Migrated everything using the Migrate Tool.

    Regards

    Fred
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Make sure you don't mix certbot and acme.sh script and always use the one you were using in your old server before the migration.
     
  6. FredZ

    FredZ Member HowtoForge Supporter

    OK, so I have no idea what the autoinstall script installs by default.

    When I did the migration it said the certs couldn't be transferred, so I assumed the system would generate new certs.

    Now ISPc is secured.
    But I cannot create/activate Let's Encrypt SSL from the console for any domain. I also cannot create a cert under the SSL tab for any domain.

    I have not installed any other apps after the script finished.
    I ran the script without any options.

    Regards

    Fred
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You should read thoroughly before using it; there should be a step to skip installing acme.sh and install certbot instead. (I haven't used it yet.)

    By default it will install acme.sh, but most old ISPConfig servers are using certbot, so if you are not careful you will end up migrating an old ISPConfig server with certbot to a new server with acme.sh.

    This is the basic cause of such failures, as asked about and reported several times in this forum for as long as I can remember.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    @ahrasis: according to the log from #1, FredZ initially was not using acme.sh, he was using certbot, which was correct, see:

    He just had a duplicate certbot entry, which you can see from here:

    That's why I suggested that he remove one account, which could have been done easily either by using the certbot command or by deleting the account file in /etc/letsencrypt, and has been described multiple times in the forum as well. So his initial setup was perfectly fine, he just had to remove one account in certbot as I instructed him in #2. Instead of doing what I suggested, he now reinstalled and made things worse by mixing certbot and acme.sh. The solution is way more complicated now and includes a lot of manual work. To be able to issue new certs on this system due to the certbot/acme.sh mix, you will have to manually clean up each website's 'ssl' folder and remove the obsolete symlinks to the old Let's Encrypt SSL certs. Then you can re-issue a new SSL cert through ISPConfig.
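    As an added illustration of the duplicate-account problem from #2 and #8 (example script, not from till or the ISPConfig project): before deleting an account directory under /etc/letsencrypt, count how many renewal configurations reference each registered account, so the one with the most certificates can be identified and the others removed. It assumes the usual certbot layout, accounts under accounts/<acme-server>/directory/<account-id>/ and renewal/<cert-name>.conf files containing an "account = <account-id>" line; the base directory is a parameter so it can be exercised on a constructed tree, and the demo tree below is constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the standard certbot layout:
#   $LE_DIR/accounts/<acme-server>/directory/<account-id>/   (one dir per account)
#   $LE_DIR/renewal/<cert-name>.conf  containing a line "account = <account-id>"
# LE_DIR defaults to /etc/letsencrypt; any other path can be passed for testing.

# Print "<cert-count> <account-id> <account-dir>" per account, busiest first.
count_certbot_accounts() {
    le_dir="${1:-/etc/letsencrypt}"
    for acct_dir in "$le_dir"/accounts/*/directory/*/; do
        [ -d "$acct_dir" ] || continue
        acct_id=$(basename "$acct_dir")
        # count renewal configs whose "account = <id>" line names this account
        n=$(grep -l "^account = ${acct_id}\$" "$le_dir"/renewal/*.conf 2>/dev/null | wc -l | tr -d ' ')
        printf '%s %s %s\n' "$n" "$acct_id" "$acct_dir"
    done | sort -rn
}

# The account id that owns the most certificates: the one to keep.
account_to_keep() {
    count_certbot_accounts "$1" | head -n 1 | awk '{print $2}'
}

# Build a constructed /etc/letsencrypt-like tree in a temp dir and print its path.
# Two accounts (ids are made up), three renewal configs: 64eebbbb owns two certs.
make_demo_layout() {
    d=$(mktemp -d)
    mkdir -p "$d/accounts/acme-v02.api.letsencrypt.org/directory/3423aaaa" \
             "$d/accounts/acme-v02.api.letsencrypt.org/directory/64eebbbb" \
             "$d/renewal"
    printf '[renewalparams]\naccount = 64eebbbb\n' > "$d/renewal/site-a.tld.conf"
    printf '[renewalparams]\naccount = 64eebbbb\n' > "$d/renewal/site-b.tld.conf"
    printf '[renewalparams]\naccount = 3423aaaa\n' > "$d/renewal/site-c.tld.conf"
    echo "$d"
}

# Run with "--demo" to see the report on the constructed tree; run with no
# arguments on a real server to report on /etc/letsencrypt (read-only).
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_layout)
    count_certbot_accounts "$demo"
    echo "keep: $(account_to_keep "$demo")"
    rm -rf "$demo"
elif [ "${1:-}" = "--report" ]; then
    count_certbot_accounts /etc/letsencrypt
fi
```

The script only reports; once the account to keep is known, the other account directories under accounts/<acme-server>/directory/ are what till refers to as the account files to delete, and any renewal config that still names a deleted account will need to be re-issued.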
     
  9. FredZ

    FredZ Member HowtoForge Supporter

    OK. This is clearly beyond my understanding.
    I'll request paid support to have this resolved.

    Regards

    Fred
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not really complicated, you just have to go into the SSL folder of the sites that use Let's Encrypt, e.g.:

    Code:
    cd /var/www/yourdomain.tld/ssl/
    replace the domain name with the name of the website domain, and there you have to remove the symlinks:

    Code:
    rm *-le.bundle
    rm *-le.crt
    rm *-le.key
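    The same cleanup applied to every site at once, as an added example that is not till's own commands: it walks each site's ssl/ folder under a web root, removes only the *-le.bundle, *-le.crt and *-le.key entries that really are symlinks (a regular file with such a name is reported and left alone), and is a dry run unless told to apply. The ISPConfig layout /var/www/<domain>/ssl/ is assumed; the web root is a parameter so the function can be exercised on a constructed tree, and the sample tree in the demo function is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the ISPConfig layout
# <web_root>/<domain>/ssl/ with the stale Let's Encrypt symlinks named
# <domain>-le.bundle, <domain>-le.crt and <domain>-le.key (as in till's post).
# Usage: clean_le_symlinks [web_root] [apply]   (default: /var/www, dry run)
# Prints the number of matching symlinks to stdout; details go to stderr.

clean_le_symlinks() {
    web_root="${1:-/var/www}"
    mode="${2:-dry-run}"
    matched=0
    for ssl_dir in "$web_root"/*/ssl/; do
        [ -d "$ssl_dir" ] || continue
        for link in "$ssl_dir"*-le.bundle "$ssl_dir"*-le.crt "$ssl_dir"*-le.key; do
            # an unmatched glob stays literal; -L still catches dangling symlinks
            [ -e "$link" ] || [ -L "$link" ] || continue
            if [ -L "$link" ]; then
                if [ "$mode" = "apply" ]; then
                    rm -f "$link"
                    echo "removed $link" >&2
                else
                    echo "would remove $link -> $(readlink "$link")" >&2
                fi
                matched=$((matched + 1))
            else
                echo "skipping $link: not a symlink" >&2
            fi
        done
    done
    echo "$matched"
}

# Constructed sample tree: two sites with dangling *-le.* symlinks, one regular
# file that must survive, and a directory without an ssl/ folder. Prints its path.
make_demo_webroot() {
    d=$(mktemp -d)
    mkdir -p "$d/example.tld/ssl" "$d/other.tld/ssl" "$d/html"
    for f in bundle crt key; do
        ln -s "/etc/letsencrypt/live/example.tld/missing.pem" "$d/example.tld/ssl/example.tld-le.$f"
    done
    ln -s "/etc/letsencrypt/live/other.tld/missing.pem" "$d/other.tld/ssl/other.tld-le.crt"
    echo "not a symlink" > "$d/other.tld/ssl/other.tld-le.key"
    echo "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo=$(make_demo_webroot)
    echo "dry run matched: $(clean_le_symlinks "$demo")"
    echo "apply matched:   $(clean_le_symlinks "$demo" apply)"
    rm -rf "$demo"
fi
```

Run it without "apply" first and read the stderr listing; after the symlinks are gone, re-issuing the certificate through ISPConfig recreates them for the tool that is actually installed.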
     
  11. FredZ

    FredZ Member HowtoForge Supporter

    Thank you Till

    My lack of knowledge and frustration had set in.

    Regards

    Fred
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    While you were right before that @till, my answer was in response to his replies later on, where he followed @Taleman's advice and faced new problems due to that (as quoted above).

    I understand your frustration and I feel sorry for it, but his action had already been done even before I participated in this thread.

    The way I see it he can fix manually one by one as per your advice, or he can reset and redo his new server properly this time, i.e. with the certbot option, and migrate again thereafter.
     
    Last edited: Jul 9, 2021
