Wrong LE certificate path used with acme.sh
short description
ISPConfig updater uses /etc/letsencrypt/live/hostname as certificate path when issuing LE cert with acme.sh for the first time. This leads to error message below, because cert is actually issued in /root/.acme.sh/hostname/, but ispconfig updater tries to find it in the wrong folder after issuing.
Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.
environment
Server OS: debian
Server OS version: stretch and buster
ISPConfig version: 3.2.2
Run on multiple server instances, either with no LE client installed before or they had certbot before (which was cleaned along with all files/folders before update).
proposed fix
Took a glance at the update script/code and I think that this part should be modified in "installer_base.lib.php".
    swriteln('Checking / creating certificate for ' . $hostname);
    $acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
    $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
    if(!@is_dir($acme_cert_dir)) {
        $acme_cert_dir = '/root/.acme.sh/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
        if(!@is_dir($acme_cert_dir)) {
            $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
            $check_acme_file = $acme_cert_dir . '/cert.pem';
        }
    }
to
    swriteln('Checking / creating certificate for ' . $hostname);
    $acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
    $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
    if(!@is_dir($acme_cert_dir)) {
        $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/cert.pem';
        if(!@is_dir($acme_cert_dir)) {
            $acme_cert_dir = '/root/.acme.sh/' . $hostname;
            $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
        }
    }
references
log entries
acme-certification-path.txt - terminal log of two consecutive update runs. I used "manual update instruction" because of the issue mentioned in #6015 (closed).
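The lookup order discussed above, as an added example that is not part of the original issue or of ISPConfig's code: it models the quoted nested checks as an ordered list in which the first existing directory wins and the last entry is the default, then compares both orders across four constructed host states. `resolve_cert_path()`, the `$isDir` callback and the hostname are assumptions made for illustration.

```php
<?php
// Added example: models only the directory lookup quoted in this issue.
// resolve_cert_path() and $isDir are hypothetical, not ISPConfig functions.

function resolve_cert_path(string $hostname, array $order, callable $isDir): array
{
    // Directory and certificate file name per layout, as in the quoted snippet.
    $layouts = [
        'ispconfig'   => ['/usr/local/ispconfig/server/scripts/' . $hostname, $hostname . '.cer'],
        'acme.sh'     => ['/root/.acme.sh/' . $hostname, $hostname . '.cer'],
        'letsencrypt' => ['/etc/letsencrypt/live/' . $hostname, 'cert.pem'],
    ];
    $choice = [];
    foreach ($order as $name) {
        list($dir, $file) = $layouts[$name];
        $choice = ['layout' => $name, 'dir' => $dir, 'file' => $dir . '/' . $file];
        if ($isDir($dir)) {
            break; // first existing directory wins
        }
        // Nothing found yet: keep going, so the last entry ends up as the default.
    }
    return $choice;
}

$original = ['ispconfig', 'acme.sh', 'letsencrypt']; // order in the current code
$proposed = ['ispconfig', 'letsencrypt', 'acme.sh']; // order in the proposed fix
$host     = 'server.example.test';                   // constructed hostname

// Constructed host states: which certificate directories already exist.
$states = [
    'clean host'         => [],
    'acme.sh has issued' => ['/root/.acme.sh/' . $host],
    'certbot has issued' => ['/etc/letsencrypt/live/' . $host],
    'both dirs present'  => ['/root/.acme.sh/' . $host, '/etc/letsencrypt/live/' . $host],
];

foreach ($states as $label => $existing) {
    // Stand-in for is_dir() so the comparison runs without touching the filesystem.
    $isDir = function (string $dir) use ($existing): bool {
        return in_array($dir, $existing, true);
    };
    $a = resolve_cert_path($host, $original, $isDir);
    $b = resolve_cert_path($host, $proposed, $isDir);
    printf("%-20s original=%-12s proposed=%s\n", $label, $a['layout'], $b['layout']);
}
```

The two orders differ only on the "clean host" and "both dirs present" rows; pass `'is_dir'` as the callback to check a real server.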