URGENT - Apache not starting - Problem LetsEncrypt after 3.2.2 update and ask for new SSL

Discussion in 'Installation/Configuration' started by Petar, Jan 11, 2021.

  1. Petar

    Petar Member HowtoForge Supporter

    During update from 3.2.1 to 3.2.2
    Create new ISPConfig SSL certificate (yes,no) [no]: yes

    Checking / creating certificate for domain.com
    Using certificate path /etc/letsencrypt/live/domain.com
    Using apache for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator webroot, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for domain.com
    Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.

    Broadcast message from [email protected] (Mon 2021-01-10 10:10:10 CET):

    Password entry required for 'Enter passphrase for SSL/TLS keys for domain.com:8080 (RSA):' (PID 14717).
    Please enter password with the systemd-tty-ask-password-agent tool:

    Waiting for verification...

    Challenge failed for domain domain.com
    http-01 challenge for domain.com
    Cleaning up challenges
    Some challenges have failed.
    Issuing certificate via certbot failed. Please check log files and make sure that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)

    Ports 80/443 are open.
    All known letsencrypt IP subnets are whitelisted.

    Any ideas?
    Mail clients are not working without a proper cert.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. Petar

    Petar Member HowtoForge Supporter

    I had it open, but after failing, I cannot start the server anymore (apache2).
    It's failing with:
    Starting The Apache HTTP Server...
    NameVirtualHost has no effect and will be removed in the next release...
    Syntax error on line 65 of /etc/apache2/sites-enabled/000-ispconfig.vhost
    SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
    Action 'start' failed.
  4. Petar

    Petar Member HowtoForge Supporter

    I pulled a one-week-older backup and performed the LetsEncrypt creation, the postfix symlink and the update to 3.2.2 without any issues. So I guess that the problem occurs in a specific scenario. You should prepare a rescue plan for this kind of situation: how to reset everything of the LE down to zero and start the update again.
    I will investigate thoroughly later. If any of you guys have a suggestion, please share your knowledge.

  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is something that does not happen a lot and we can't write a guide for every possible issue that may ever arise.

    The simple fix would have been to put back the old certificate or comment out the SSL lines in the vhost temporarily. Then run the upgrade again and select yes for getting a new cert.
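
A pre-flight check for the failure in this thread, as an added example that is not part of the original posts or of ISPConfig: it lists every certificate file a vhost references that is missing or empty, and prints a copy of the vhost with the SSL directives commented out. The function names, the `#TMP#` marker and the sample vhost are constructed for illustration; it assumes absolute paths without spaces.

```shell
#!/bin/sh
# check_vhost_certs FILE: print one line per SSLCertificate*File directive
# whose target is missing or empty; return 0 if all are fine, 1 otherwise.
check_vhost_certs() {
    cvc_bad=0
    # awk emits "lineno directive path" for each active (uncommented) directive
    cvc_refs=$(awk '
        /^[ \t]*#/ { next }
        tolower($1) ~ /^sslcertificate(key|chain)?file$/ {
            p = $2; gsub(/"/, "", p); print NR, $1, p
        }' "$1")
    while read -r cvc_line cvc_dir cvc_path; do
        [ -n "$cvc_path" ] || continue
        if [ ! -s "$cvc_path" ]; then      # -s: exists and size > 0
            echo "line $cvc_line: $cvc_dir $cvc_path is missing or empty"
            cvc_bad=1
        fi
    done <<EOF
$cvc_refs
EOF
    return $cvc_bad
}

# comment_out_ssl FILE: print FILE with every active SSL* directive commented
# out (the temporary workaround from the reply above). FILE is not modified.
comment_out_ssl() {
    awk 'tolower($1) ~ /^ssl/ { print "#TMP# " $0; next } { print }' "$1"
}

# Constructed sample: a temporary directory, not a real ISPConfig install.
demo=$(mktemp -d)
printf 'dummy cert\n' > "$demo/ispserver.crt"
: > "$demo/ispserver.key"                  # empty file triggers the error
cat > "$demo/000-ispconfig.vhost" <<EOF
<VirtualHost _default_:8080>
  SSLEngine On
  # SSLCertificateFile /old/path.crt
  SSLCertificateFile $demo/ispserver.crt
  SSLCertificateKeyFile "$demo/ispserver.key"
</VirtualHost>
EOF

check_vhost_certs "$demo/000-ispconfig.vhost" ||
    echo "restore the files above or use comment_out_ssl before starting apache2"
```

Running the check against the real vhost before the upgrade, and keeping a copy of the old certificate and key, leaves a path back if issuance fails again.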
