acme.sh fails when self-signed certificates already exist for ISPConfig web interface
short description
Creating the LE cert with acme.sh when running ispconfig_update.sh or ispconfig_update.sh --force fails with the error message "Verify error.....Timeout during connect (likely firewall problem)".
The issue happens only if the server already has self-signed certs created for the ISPConfig web interface. During the acme.sh domain verification stage, Apache fails to start because it can't load the SSL cert files.
environment
Server OS: debian
Server OS version: buster
ISPConfig version: 3.2.3
apachectl -v
Server version: Apache/2.4.38 (Debian)
Server built: 2020-08-25T20:08:29
proposed fix
The workaround that worked for me was to replace the following rename functions with copy in installer_base.lib.php (from ISPConfig-3.2.3.tar.gz), but maybe it's not a valid solution.
...
$issued_successfully = false;
// Backup existing ispserver ssl files
if(file_exists($ssl_crt_file) || is_link($ssl_crt_file)) {
--- rename($ssl_crt_file, $ssl_crt_file . '-temporary.bak');
+++ copy($ssl_crt_file, $ssl_crt_file . '-temporary.bak');
}
if(file_exists($ssl_key_file) || is_link($ssl_key_file)) {
--- rename($ssl_key_file, $ssl_key_file . '-temporary.bak');
+++ copy($ssl_key_file, $ssl_key_file . '-temporary.bak');
}
if(file_exists($ssl_pem_file) || is_link($ssl_pem_file)) {
--- rename($ssl_pem_file, $ssl_pem_file . '-temporary.bak');
+++ copy($ssl_pem_file, $ssl_pem_file . '-temporary.bak');
}
// Attempt to use Neilpang acme.sh first, as it is now the preferred LE client
if (is_executable($acme)) {
...
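Review bot: the copy() replacement inside the three is_link() branches changes what the backup is. rename() moved the symlink itself, whereas copy() follows the link and writes the target's bytes into the -temporary.bak file as a regular file, so if that backup is later renamed back over the original, a certificate or key that was a symlink becomes a detached plain-file copy. copy() also creates the destination with PHP's default mode (0666 masked by the umask) instead of the source file's mode, so the ispserver.key backup can end up more readable than the original, and its return value is not checked here (rename()'s was not either). Suggest checking the return value of each copy() and tightening the key backup right after it is written, e.g. chmod($ssl_key_file . '-temporary.bak', 0600);, and reconsidering whether the backup is still needed once the originals are left in place during verification.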
The second workaround that worked was to delete all files from /usr/local/ispconfig/interface/ssl/, comment out all SSL lines in apps.vhost, ispconfig.conf and ispconfig.vhost, and after that run ispconfig_update.sh --force again.
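Both the failure described above and the two workarounds come down to the same condition: Apache is asked to stop and start while a vhost still references a certificate file that has been moved away, and mod_ssl refuses to start with AH00526 "does not exist or is empty". The script below is an added example, not part of this issue or of the ISPConfig installer: a pre-flight check that every SSLCertificateFile, SSLCertificateKeyFile and SSLCertificateChainFile path in the given vhost files exists and is non-empty, so the broken state is caught while Apache is still serving. Commented-out directives are skipped, which is why the second workaround (commenting out the SSL lines) passes it. The /etc/apache2/sites-enabled path in the usage note is Debian's layout; the demo function uses constructed placeholder files in a temporary directory, not real keys or certificates.

```shell
#!/bin/sh
# Added example, not part of the ISPConfig issue or the installer code.
# Pre-flight check for the state that makes mod_ssl fail with AH00526:
# a vhost references a certificate/key/chain file that is missing or empty.

# check_ssl_files VHOST_FILE...
# Prints one line per missing or empty file referenced by an active
# SSLCertificate*File directive. Returns 0 if everything is usable, 1 otherwise.
check_ssl_files() {
    status=0
    for vhost in "$@"; do
        if [ ! -f "$vhost" ]; then
            echo "vhost not found: $vhost"
            status=1
            continue
        fi
        # Keep only uncommented SSLCertificate{File,KeyFile,ChainFile} lines
        # and take their path argument, stripping optional double quotes.
        grep -Ei '^[[:space:]]*SSLCertificate(File|KeyFile|ChainFile)[[:space:]]' "$vhost" |
        awk '{ gsub(/"/, "", $2); print $2 }' |
        (
            bad=0
            while IFS= read -r path; do
                # -s is true only for an existing file with size > 0,
                # which is the condition mod_ssl reports on.
                if [ ! -s "$path" ]; then
                    echo "$vhost: $path does not exist or is empty"
                    bad=1
                fi
            done
            exit "$bad"
        ) || status=1
    done
    return "$status"
}

# demo_check: constructed fixtures (placeholder text, not real key material)
# mimicking the ISPConfig layout during the failing run: ispserver.key is
# present, ispserver.crt has been moved away. Expects the check to fail,
# restores the crt, expects it to pass. Returns 0 when both hold.
demo_check() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/ssl"
    printf 'constructed placeholder, not a real key\n' > "$tmp/ssl/ispserver.key"
    cat > "$tmp/000-apps.vhost" <<EOF
<VirtualHost *:8081>
    SSLEngine on
    # SSLCertificateFile $tmp/ssl/commented-out.crt
    SSLCertificateFile "$tmp/ssl/ispserver.crt"
    SSLCertificateKeyFile $tmp/ssl/ispserver.key
</VirtualHost>
EOF
    if check_ssl_files "$tmp/000-apps.vhost" >/dev/null; then
        echo "expected failure: ispserver.crt is missing"
        rm -rf "$tmp"
        return 1
    fi
    # Put the certificate back, as leaving the original in place would.
    printf 'constructed placeholder, not a real certificate\n' > "$tmp/ssl/ispserver.crt"
    check_ssl_files "$tmp/000-apps.vhost" >/dev/null
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

demo_check && echo "pre-flight demo OK"
```

On a Debian server the real check is `check_ssl_files /etc/apache2/sites-enabled/*.vhost` (or whatever the enabled configs are named), run before any stop/start that follows a certificate swap; a non-zero exit means the restart would fail exactly as in the log entries below.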
references
log entries
Apache logs during the acme.sh domain verification stage.
Mar 22 17:28:51 gagi-ispc.nc-cloud.com apachectl[8232]: AH00526: Syntax error on line 20 of /etc/apache2/sites-enabled/000-apps.vhost:
Mar 22 17:28:51 gagi-ispc.nc-cloud.com apachectl[8232]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
Mar 22 17:28:51 gagi-ispc.nc-cloud.com apachectl[8232]: Action 'stop' failed.