Upgrading ISPConfig 3.0.x to 3.1x - LetsEnCrypt

Discussion in 'Installation/Configuration' started by MITDK, Jun 26, 2017.

  1. MITDK

    MITDK New Member

    Hi,
    I've just upgraded as the title says. Using Ubuntu 14.04 + Apache. Installed CertBot:
    apt-get install software-properties-common
    add-apt-repository ppa:certbot/certbot
    apt-get update
    apt-get install python-certbot-apache
    certbot --apache certonly
    Applied HTTPS for 1 website only, the rest I'll manage with the webinterface. Should be possible?

    However, the "Lets Encrypt SSL" get's unselected after a short time.
    The log:
    2017-06-26 11:XX:DEBUG:certbot.reporter:Reporting to user: Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/SITE.TLD/fullchain.pem. Your cert will expire on 2017-09-24. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"

    What am I missing?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Do not run:
    certbot --apache certonly
    as this will disable the ability to use letsencrypt with this web site in ispconfig for this domain.

    When you want to have an LE cert for a website, just login to ISPConfig and enable the letsencrypt checkbox in the website settings of the site where you want to get an LE cert for.
     
  3. MITDK

    MITDK New Member

    So what can I do now? Remove Certbot, or the created SSL, then reinstall as shown? Except from the "--apache certonly" part :)
     
  4. MITDK

    MITDK New Member

    Just tried enabling SSL for another website, and it does not work either. Must be missing something?
     
  5. MITDK

    MITDK New Member

    I've just reinstalled Certbot, without the command you suggested, but it seems to still not work.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Did you delete everything in /etc/letsencrypt as well before you installed certbot again?
     
  7. MITDK

    MITDK New Member

    Yes. It's strange the guides for installations here, ain't updated for LetsEncrypt yet. It claims for apt-get install letsencrypt, which seems to be outdated.
    Any other suggestions for getting LE to work with ISPConfig 3.1.4? :)
     
    Last edited: Jun 27, 2017
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    The guides are up to date and show you how to install a supported LE client. Installing it from another untested source like you try to do it might work, but it is untested.

    If you want to find out why LE fails on your server, see LE FAQ: https://www.howtoforge.com/community/forums/general.25/
     
  9. MITDK

    MITDK New Member

  10. till

    till Super Moderator Staff Member ISPConfig Developer

    I'm not using Ubuntu 14.04 anymore and we did not test that version with LE. But I see no reason why it should not work as long as either letsencrypt or certbot client is installed. The FAQ shows you what to check and you can also use the general ISPConfig debug mode to get more debug output when you enable lE. Regarding Ubuntu 16.04, the steps in the tutorial should work fine. There is always someone who did not get something to work when a tutorial is used by many thousand users., even when the tutorial is correct. And almost all problems with LE occur because domains or subdomains are not reachable from the server or from outside or the cert has been created outside of ISPConfig like in your case which then blocks the domain and will cause renewals to fail.

    You updated to ISPConfig 3.1.x with "reconfigure services = yes"? And you don't use a custom vhost template for the websites? In case you have a ustom template, then you need to adjust it for ISPConfig 3.1. Ubuntu 14.04 has probable a very old apache version, so it might even be that you have to run Tools > resync to update all website vhosts to make them LE compatible.
     
  11. MITDK

    MITDK New Member

    I updated ISPConfig from 3.0.x to 3.1.x yes, and with "yes" for reconfigure services. No custom templates.
    I've also done the resync, but do still have the LE issue.

    Please, again, how would you install LE on Ubuntu 14.04? I must be missing something, or maybe an ISPConfig bug for Ubuntu 14.04?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

  13. MITDK

    MITDK New Member

    Done.
    The most interesting part is:
    Could not verify domain domain.tld
    Could not verify domain www.domain.tld

    DNS records for domain.tld and www.domain.tld are created, and works very well with HTTP requests.

    Looking forward to your reply :)
     
  14. MITDK

    MITDK New Member

  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Is your server behind a router? If yes, then it might be impossible to reach the domains from the server (which ispconfig tries). In that case, disable the LE check under System > server config. You have to take care yourself then that no website contains a domain or subdomain where a dns record is missing as LE will fail for all domains in that case.
     
  16. MITDK

    MITDK New Member

    Yes, always ISPConfig / any other webserver, behind a router / firewall.
    Now it seems to be working on 1 website.

    When I try to enable it for another website too, it says the site is insecure.
    Example:
    Enabling SSL for www.domain1.tld, works.
    Enabling SSL for another website, www.domain2.tld, gives a warning in a browser afterwards, and shows content from www.domain1.tld.

    Should LE not work for any website you create? Unique SSL certificates for each site? Where DNS are fine of course.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

Share This Page