URGENT - Apache not starting - Problem LetsEncrypt after 3.2.2 update and ask for new SSL

Discussion in 'Installation/Configuration' started by Petar, Jan 11, 2021.

  1. Petar

    Petar Member HowtoForge Supporter

    During update from 3.2.1 to 3.2.2
    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for domain.com
    Using certificate path /etc/letsencrypt/live/domain.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for domain.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.

    Broadcast message from [email protected] (Mon 2021-01-10 10:10:10 CET):

    Password entry required for 'Enter passphrase for SSL/TLS keys for domain.com:8080 (RSA):' (PID 14717).
    Please enter password with the systemd-tty-ask-password-agent tool:

    Waiting for verification...

    Challenge failed for domain domain.com
    http-01 challenge for domain.com
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    ports 80/443 open
    all known letsencrypt IP subnets whitelisted

    Any ideas?
    Mail clients are not working without a proper cert.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Petar

    Petar Member HowtoForge Supporter

    I had it open, but after it failed, I cannot start the server (apache2) anymore.
    It's failing with:
    Starting The Apache HTTP Server...
    NameVirtualHost has no effect and will be removed in the next release...
    Syntax error on line 65 of /etc/apache2/sites-enabled/000-ispconfig.vhost
    SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Action 'start' failed.
  4. Petar

    Petar Member HowtoForge Supporter

    I pulled a one-week-older backup and performed the LetsEncrypt creation, the postfix symlink and the update to 3.2.2 without any issues. So I guess that the problem occurs in a specific scenario. You should prepare a rescue plan for this kind of situation: how to reset everything of LE down to zero and start the update again.
    I will investigate thoroughly later. If any of you guys have a suggestion, please share your knowledge.

  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is something that does not happen a lot and we can't write a guide for every possible issue that may ever arise.

    The simple fix would have been to put back the old certificate or comment out the SSL lines in the vhost temporarily. Then run the upgrade again and select yes for getting a new cert.
  6. stst

    stst New Member HowtoForge Supporter

    I had the same problem while updating to 3.2.3. Wanted to create a new certificate because the old one was expired.
    The "simple fix" did not work for me; Apache kept asking for a passphrase.
    As a workaround I am using the old expired certificate now, just for apache to start correctly.
    What is the correct solution for this problem?
  7. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  8. stst

    stst New Member HowtoForge Supporter

    The certificate is LE, I did not set a passphrase. The problem seems to be that LE reported a challenge fail and switched back to self-signed.
    This occurred for the ispconfig certificate, so there is no website setting for it.

    I solved it now by creating an empty website for the same domain and turned on LE for that. Is this the right way to configure it?

    One problem is still left: connecting by FTP reports an expired certificate. Where do I configure the certificate for pure-ftp?

    thanks for your help.
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    ISPConfig does that automatically if it generates the certificate for the host. So if you force reconfigure services and let ISPConfig generate new certificate that is taken care of.
    When LE can not create certificate, follow the instructions in "please read before posting" like I wrote in #7.
  10. stst

    stst New Member HowtoForge Supporter

  11. till

    till Super Moderator Staff Member ISPConfig Developer

    The thread you refer to is about a LE renewal method that's not from ISPConfig, so nothing to be fixed in ISPConfig. ISPConfig 3.2 has an inbuilt method to create and renew LE certs, but this is not related to or compatible with the method you posted.
  12. stst

    stst New Member HowtoForge Supporter

    Yes, I saw that the method is different, but the fact that pure-ftpd.pem didn't contain the correct key+crt was the reason in my case. Seems that also the inbuilt method does not always work correctly.
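The three failure modes this thread turns on (Apache refusing to start because the file named in SSLCertificateFile is missing or empty, as in post #3; Apache blocking at boot on a passphrase prompt for a key, as in posts #1 and #6; and a pure-ftpd.pem bundle whose key and certificate do not belong together, as in post #12) can all be checked before restarting a service. The script below is an added example, not code from the thread or from ISPConfig. It builds its own throw-away key, certificate, vhost and bundle files under a temporary directory (all constructed, with made-up names like good.key, locked.key and pure-ftpd-mismatch.pem) and runs the checks against them; on a real server you would point check_vhost at /etc/apache2/sites-enabled/000-ispconfig.vhost and bundle_ok at your pure-ftpd.pem instead.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): pre-flight checks for
# the certificate files Apache and pure-ftpd are configured to load.
set -eu

# check_vhost VHOST: every SSLCertificateFile / SSLCertificateKeyFile /
# SSLCertificateChainFile path in the vhost must exist and be non-empty,
# otherwise apache fails with "does not exist or is empty" at start.
# Commented-out directives (leading '#') are ignored, just as apache does.
check_vhost() {
    rc=0
    for f in $(awk '$1 ~ /^SSLCertificate(Key|Chain)?File$/ {print $2}' "$1"); do
        if [ ! -s "$f" ]; then
            echo "missing or empty: $f" >&2
            rc=1
        fi
    done
    return $rc
}

# key_is_encrypted KEY: a PEM private key that carries a passphrase makes
# apache (and systemd) stop and ask for it on every start.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# cert_key_match CERT KEY: the certificate's public key and the key's
# public key must be byte-identical. Returns 2 for a passphrase-protected key.
cert_key_match() {
    if key_is_encrypted "$2"; then
        echo "key is passphrase-protected: $2" >&2
        return 2
    fi
    c=$(openssl x509 -in "$1" -noout -pubkey </dev/null | openssl sha256)
    k=$(openssl pkey -in "$2" -pubout </dev/null 2>/dev/null | openssl sha256)
    [ "$c" = "$k" ]
}

# bundle_ok PEM: pure-ftpd wants key and certificate concatenated in one
# file; both must be present and they must match each other.
bundle_ok() {
    grep -q 'PRIVATE KEY-----' "$1" && grep -q 'BEGIN CERTIFICATE-----' "$1" \
        && cert_key_match "$1" "$1"
}

# setup_fixtures: constructed test material in a temp dir (prints the dir).
setup_fixtures() {
    D=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$D/good.key" \
        -out "$D/good.crt" -subj /CN=example.test -days 1 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$D/other.key" \
        -out "$D/other.crt" -subj /CN=other.test -days 1 2>/dev/null
    # same key as good.key, but wrapped with a passphrase
    openssl pkey -in "$D/good.key" -aes256 -passout pass:secret \
        -out "$D/locked.key" 2>/dev/null
    cat "$D/good.key" "$D/good.crt" > "$D/pure-ftpd-good.pem"
    cat "$D/other.key" "$D/good.crt" > "$D/pure-ftpd-mismatch.pem"
    printf 'SSLCertificateFile %s/good.crt\nSSLCertificateKeyFile %s/good.key\n' \
        "$D" "$D" > "$D/good.vhost"
    printf 'SSLCertificateFile %s/missing.crt\nSSLCertificateKeyFile %s/good.key\n' \
        "$D" "$D" > "$D/bad.vhost"
    echo "$D"
}

main() {
    D=$(setup_fixtures)
    check_vhost "$D/good.vhost" && echo "good.vhost: all certificate files present"
    check_vhost "$D/bad.vhost" || echo "bad.vhost: apache would refuse to start"
    key_is_encrypted "$D/locked.key" && echo "locked.key: apache would prompt for a passphrase"
    cert_key_match "$D/good.crt" "$D/good.key" && echo "good.crt/good.key: match"
    bundle_ok "$D/pure-ftpd-good.pem" && echo "pure-ftpd-good.pem: usable"
    bundle_ok "$D/pure-ftpd-mismatch.pem" || echo "pure-ftpd-mismatch.pem: key and cert differ"
    rm -rf "$D"
}
main
```

The match test compares SHA-256 hashes of the two public keys rather than RSA moduli, so it also works for EC keys; when a bundle fails it, the fix is to rebuild the .pem from the key and certificate that actually belong together (or, as Taleman suggests above, let ISPConfig regenerate it).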
