SSL Cert update for ISPC/Postfix/etc broken and not working

Discussion in 'Installation/Configuration' started by intrinsic, Feb 5, 2021.

  1. intrinsic

    intrinsic New Member

    Hello everyone. I have been having difficulty adjusting from a cPanel to ISPConfig migration, and I have put in many hours of troubleshooting into making this happen. However, I think it is very well worth it because ISPConfig is an outstanding product produced by very hard working and talented developers to support the web community.
    One last step in finalizing my migration is to secure ISPConfig, Pure-FTPD, phpmyadmin, postfix and other services on the server.

    Server readout htf_report.txt
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    [INFO] uptime:  09:42:37 up  1:16,  1 user,  load average: 0.00, 0.00, 0.06
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:          3.9Gi       1.5Gi       361Mi        14Mi       2.0Gi       2.0Gi
    Swap:            0B          0B          0B
    [INFO] systemd failed services status:
    0 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
    [INFO] ISPConfig is installed.
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.2
    ##### VERSION CHECK #####
    [INFO] php (cli) version is 7.3.19-1~deb10u1
    ##### PORT CHECK #####
    ##### MAIL SERVER CHECK #####
    [INFO] I found the following web server(s):
            Unknown process (nginx:) (PID 2617)
    [INFO] I found the following mail server(s):
            Postfix (PID 4727)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 4770)
    [INFO] I found the following imap server(s):
            Dovecot (PID 4770)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 4811)
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [localhost]:953         (4819/named)
    [anywhere]:25           (4727/master)
    [anywhere]:443          (2617/nginx:)
    [anywhere]:993          (4770/dovecot)
    [anywhere]:995          (4770/dovecot)
    [localhost]:10023               (5713/postgrey)
    [localhost]:10024               (4757/amavisd-new)
    [localhost]:10025               (4727/master)
    [localhost]:10026               (4757/amavisd-new)
    [localhost]:10027               (4727/master)
    [anywhere]:587          (4727/master)
    [localhost]:11211               (28176/memcached)
    [anywhere]:110          (4770/dovecot)
    [anywhere]:143          (4770/dovecot)
    [anywhere]:80           (2617/nginx:)
    [anywhere]:8080         (2617/nginx:)
    [anywhere]:465          (4727/master)
    [anywhere]:8081         (2617/nginx:)
    ***.***.***.***:53              (4819/named)
    [localhost]:53          (4819/named)
    [anywhere]:21           (4811/pure-ftpd)
    [anywhere]:22           (449/sshd)
    *:*:*:*::*:953          (4819/named)
    *:*:*:*::*:25           (4727/master)
    *:*:*:*::*:443          (2617/nginx:)
    *:*:*:*::*:993          (4770/dovecot)
    *:*:*:*::*:995          (4770/dovecot)
    *:*:*:*::*:10024                (4757/amavisd-new)
    *:*:*:*::*:10026                (4757/amavisd-new)
    *:*:*:*::*:3306         (4442/mysqld)
    *:*:*:*::*:587          (4727/master)
    [localhost]10           (4770/dovecot)
    [localhost]43           (4770/dovecot)
    *:*:*:*::*:80           (2617/nginx:)
    *:*:*:*::*:8080         (2617/nginx:)
    *:*:*:*::*:465          (4727/master)
    *:*:*:*::*:8081         (2617/nginx:)
    *:*:*:*::*:53           (4819/named)
    *:*:*:*::*:21           (4811/pure-ftpd)
    *:*:*:*::*:22           (449/sshd)
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    I have attempted to review the following posts below, but have not yielded any success:
    howtoforge(dot)com /tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    On the second thread, I have modified the ISPConfig commands for the path, replacing the bolded parts to reflect on the new location of the keys:

    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /root/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /root/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    Removing the certificates from any previous requests have been removed and a force update using --force creates a new self-signed certificate instead of one issued by LE. I believe this thread details that git.ispconfig(dot)org/ispconfig/ispconfig3/-/issues/6016

    I am now unable to troubleshoot and secure the portals and postfix to make the migration complete. Any help would be very appreciated!
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. intrinsic

    intrinsic New Member

    Hi Till thank you for the response. Having LE working correctly was the easy part- as your FAQ and other tutorials were thorough and setting them up easily. I have all the subdomains and domains secured with

    I have going through the FAQ as follows:
    Check that you have Let’s Encrypt (certbot) installed. ISPConfig 3.1.16 and newer will also support as client.
    certbot has not been installed, as 3.2.2 of ISPConfig was installed with
    - Check that the Let's encrypt client 'certbot' is updated (when using certbot). N/A
    - Check that you run the latest ISPConfig version. Latest stable version 3.2.2
    - When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web. Setting was confirmed before first domain was added
    - Check that all domain names (icl auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that. All A records and subdomains working with HTTPS
    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let’s Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected. Server is utilizing NGINX
    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let’s Encrypt will fail as your server is missing the Let’s Encrypt configuration in the ispconfig apache configuration files. Redo the update and chose to reconfigure services in that case. Reconfigure services was used during ISPConfig force update

    If I am missing anything, I would really be grateful to hear. Again, this is the last step needed for me to be able to break free from cPanel :D[/QUOTE]
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This is about a very special edge case where certbot and LE are installed on old systems or the certbot or installation step from install guides was skipped, so nothing that applies to a common fresh ISPConfig installation that has certbot installed when you followed one of our install guides.

    This guide is not compatible with ISPConfig 3.2.2 and even altering it to use paths will just harm as it may prevent that the ispconfig updater can issue a cert, so better not do that if you want to get an LE cert issued for the other services.
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you checked the log?

Share This Page