
Closed
Open
Opened Jan 13, 2021 by Dragan Savic @dsgagi

Wrong LE certificate path used with acme.sh

short description

The ISPConfig updater uses /etc/letsencrypt/live/hostname as the certificate path when issuing an LE cert with acme.sh for the first time. This leads to the error message below, because the cert is actually issued in /root/.acme.sh/hostname/, but the ISPConfig updater tries to find it in the wrong folder after issuing.

Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.

environment

Server OS: debian

Server OS version: stretch and buster

ISPConfig version: 3.2.2

Run on multiple server instances, either with no LE client installed before or with certbot installed before (which was cleaned along with all files/folders before the update).

proposed fix

Took a glance at the update script/code and I think that this part should be modified in "installer_base.lib.php".


        swriteln('Checking / creating certificate for ' . $hostname);

        $acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
        if(!@is_dir($acme_cert_dir)) {
            $acme_cert_dir = '/root/.acme.sh/' . $hostname;
            $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
            if(!@is_dir($acme_cert_dir)) {
                $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
                $check_acme_file = $acme_cert_dir . '/cert.pem';
            }
        }

to


        swriteln('Checking / creating certificate for ' . $hostname);

        $acme_cert_dir = '/usr/local/ispconfig/server/scripts/' . $hostname;
        $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
        if(!@is_dir($acme_cert_dir)) {
            $acme_cert_dir = '/etc/letsencrypt/live/' . $hostname;
            $check_acme_file = $acme_cert_dir . '/cert.pem';
            if(!@is_dir($acme_cert_dir)) {
                $acme_cert_dir = '/root/.acme.sh/' . $hostname;
                $check_acme_file = $acme_cert_dir . '/' . $hostname . '.cer';
            }
        }

references

https://www.howtoforge.com/community/threads/lets-encrypt-ssl-not-working-no-errors.85534/page-3#post-416008

log entries

acme-certification-path.txt - terminal log of two consecutive update runs. I used "manual update instruction" because of the issue mentioned in #6015.
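
The two lookup orders from the report, traced over four host states. This is an added example, not part of the issue report or of ISPConfig's code; the function names, the `$existing` list that stands in for `is_dir()`, and the hostname are assumptions made for illustration.

```php
<?php
// Added illustration, not ISPConfig code. $existing stands in for is_dir():
// it lists the directories assumed to be present on the host.

// Candidate = [certificate directory, certificate file name inside it].
function candidates(string $hostname, string $order): array {
    $scripts = ['/usr/local/ispconfig/server/scripts/' . $hostname, $hostname . '.cer'];
    $acme    = ['/root/.acme.sh/' . $hostname, $hostname . '.cer'];
    $certbot = ['/etc/letsencrypt/live/' . $hostname, 'cert.pem'];
    // 'current' is the order of the first snippet, 'proposed' that of the second.
    return $order === 'current' ? [$scripts, $acme, $certbot] : [$scripts, $certbot, $acme];
}

// Rule shared by both snippets: the first directory that exists wins, and the
// last candidate is taken unconditionally when none of them exists.
function resolve_cert_path(array $existing, string $hostname, string $order): string {
    $list = candidates($hostname, $order);
    foreach ($list as [$dir, $file]) {
        if (in_array($dir, $existing, true)) {
            return $dir . '/' . $file;
        }
    }
    [$dir, $file] = end($list);
    return $dir . '/' . $file;
}

$host = 'server1.example.test'; // constructed hostname
$acmeDir = '/root/.acme.sh/' . $host;
$certbotDir = '/etc/letsencrypt/live/' . $host;
$scenarios = [ // constructed host states
    'no client directory yet'  => [],
    'acme.sh directory only'   => [$acmeDir],
    'certbot directory only'   => [$certbotDir],
    'both directories present' => [$acmeDir, $certbotDir],
];
foreach ($scenarios as $label => $existing) {
    printf("%s\n  current:  %s\n  proposed: %s\n", $label,
        resolve_cert_path($existing, $host, 'current'),
        resolve_cert_path($existing, $host, 'proposed'));
}
```

The two orders return different paths only when neither client directory exists and when both do; with exactly one present they agree.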

Reference: ispconfig/ispconfig3#6016