Certbot-auto renew Not Working As Expected with ISPCONFIG


#1

I have ISPCONFIG on Debian 8. I installed this type of configuration following the instructions of the ISPCONFIG perfect server guide, with the purpose of also automating the renewal of the Let’s Encrypt certificate.
**I received the expiry message for the domain welcometoparma.eu and I was questioning the auto-renew feature of ISPConfig.**
The great @serverco told me that if auto-renewal from ISPConfig doesn’t work I had to use the command line. So today, the last useful day to renew, I did it as written in this official guide:

https://certbot.eff.org/all-instructions/

"Automating renewal

Certbot can be configured to renew your certificates automatically before they expire. Since Let’s Encrypt certificates last for 90 days, it’s highly advisable to take advantage of this feature. You can test automatic renewal for your certificates by running this command:

./path/to/certbot-auto renew --dry-run

If that appears to be working correctly, you can arrange for automatic renewal by adding a cron or systemd job which runs the following:

./path/to/certbot-auto renew --no-self-upgrade

More detailed information and options about renewal can be found in the full documentation.
Note:

if you’re setting up a cron or systemd job, we recommend running it twice per day (it won’t do anything until your certificates are due for renewal or revoked, but running it regularly would give your site a chance of staying online in case a Let’s Encrypt-initiated revocation happened for some reason). Please select a random minute within the hour for your renewal tasks"

I’ve done it but the result is:

"The following certs could not be renewed:
/etc/letsencrypt/live/domain2.com/fullchain.pem (failure)
** DRY RUN: simulating ‘certbot renew’ close to cert expiry
** (The test certificates above have not been saved.)
1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:

  • The following errors were reported by the server:

    Domain: www.domain2.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    df1e057d2b230fcc317ae05a220e13d4.ccaad77e143d0b2f9c16ea2f813c571a.acme.invalid
    from 94.28.3.195:443. Received 2 certificate(s), first certificate
    had names “domain1.om, www.domain1.com

    Domain: domain2.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested
    d8d3f0e75ecfda1d5c32e4fe4197f871.cd5be13c5686d076da49acc4493e095b.acme.invalid
    from 94.28.3.195:443. Received 2 certificate(s), first certificate
    had names “domain1.com, www.domain1.com

    To fix these errors, please make sure that your domain name was
    entered correctly and the DNS A record(s) for that domain
    contain(s) the right IP address.

  • Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal."

So what can I do? Time is passing and I don’t understand what to do; everything is configured with ISPCONFIG, but if ISPCONFIG fails… I have a lot of domains on that machine…
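As an added example (not code from the thread, from certbot or from ISPConfig), here is a small Python parser for the error section of the `certbot-auto renew` output quoted above. It pulls out the domain, challenge type, the host that answered and the names on the certificate it presented, and flags the pattern seen here: on a tls-sni-01 challenge the host at the domain's IP served a certificate for different names, which means another vhost owns port 443 and certbot cannot complete that challenge type there. The sample text is constructed from the quoted output; the field names and the `diagnose` labels are my own.

```python
import re

# Constructed sample: the error section of the `certbot-auto renew --dry-run`
# output quoted in post #1 (the poster had already redacted the domain names).
SAMPLE_OUTPUT = """\
    Domain: www.domain2.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested df1e057d2b230fcc317ae05a220e13d4.ccaad77e143d0b2f9c16ea2f813c571a.acme.invalid
    from 94.28.3.195:443. Received 2 certificate(s), first certificate
    had names "domain1.com, www.domain1.com"

    Domain: domain2.com
    Type: unauthorized
    Detail: Incorrect validation certificate for tls-sni-01 challenge.
    Requested d8d3f0e75ecfda1d5c32e4fe4197f871.cd5be13c5686d076da49acc4493e095b.acme.invalid
    from 94.28.3.195:443. Received 2 certificate(s), first certificate
    had names "domain1.com, www.domain1.com"
"""
# One block per failed authorization; the Detail text runs until the next blank line.
ERROR_BLOCK = re.compile(
    r"Domain:\s*(?P<domain>\S+)\s+Type:\s*(?P<type>\S+)\s+Detail:\s*(?P<detail>.*?)(?=\n\s*\n|\Z)",
    re.S)
CHALLENGE = re.compile(r"for (?P<challenge>[\w-]+) challenge")
RESPONDER = re.compile(r"from (?P<ip>\d+(?:\.\d+){3}):(?P<port>\d+)")
SERVED_NAMES = re.compile(r"had names [\"“](?P<names>[^\"”\n]+)")

def parse_errors(output):
    """Return one dict per 'Domain:' block in certbot's error section."""
    errors = []
    for m in ERROR_BLOCK.finditer(output):
        detail = " ".join(m.group("detail").split())  # re-join the wrapped lines
        chal, resp = CHALLENGE.search(detail), RESPONDER.search(detail)
        names = SERVED_NAMES.search(detail)
        errors.append({
            "domain": m.group("domain"),
            "type": m.group("type"),
            "challenge": chal.group("challenge") if chal else None,
            "responder": f"{resp.group('ip')}:{resp.group('port')}" if resp else None,
            "served_names": [n.strip() for n in names.group("names").split(",")] if names else [],
        })
    return errors

def diagnose(error):
    """'sni-mismatch': the responder answered the challenge SNI with a certificate for
    other names, so a different vhost owns port 443 and tls-sni-01 cannot succeed there."""
    if error["type"] == "unauthorized" and error["challenge"] == "tls-sni-01":
        if error["served_names"] and error["domain"] not in error["served_names"]:
            return "sni-mismatch"
        return "unauthorized"  # some other authorization failure
    return "other"
```

A `sni-mismatch` result is the case where switching to a challenge that the panel's web server can serve (the webroot method) is the practical way forward, rather than retrying the same renewal.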


#2

Another thing: it tells me that domain1.com is not due for renewal.
It expires today. WHY? WHY? WHY? It doesn’t work!!!


#3

Since you use ISPconfig, you can’t do a default “renew” using the tls challenge with certbot. Try creating a new certificate, using the webroot challenge.


#4

The reason why it’s saying that your “domain1” is not due for renewal is because you already have a certificate on your server for it, you just aren’t using that certificate :wink: Try checking at https://www.google.com/transparencyreport/https/ct/


#5

hi @francescolia

You really need to have a plan when it comes to certificates.

There are multiple management vendors and web servers, and making letsencrypt work with them straight out of the box may not be as simple as some think.

Currently there are 2 web servers which certbot natively integrates with (APACHE and NGINX).

Control panels such as CPANEL, PLESK and ISPCONFIG usually have their own plugins or use a combination of certbot + integration hooks.

A) Have a look at the ISPCONFIG git for letsencrypt issues; there are several of them: https://git.ispconfig.org/ispconfig/ispconfig3/issues?utf8=✓&search=letsencrypt
B) Do you fundamentally understand how the challenges work and what is the difference between
C) Do you have a game plan on which challenges you are going to use and how you are going to get a reliable result?
D) Have you reviewed other options such as this one https://github.com/alexalouit/ISPConfig-letsencrypt that provide a more native integration?
E) Try to keep emotions out of it. People are happy to help, and I have a linux server which I would be more than happy to install ISPCONFIG on; however, I do ask that people work calmly and explain the problems.

Andrei

