Background:
One of the web domain aliases was pulled from one Web Site and added to another. In addition, another domain alias, no longer being renewed, was removed.
The result is that for two "sets" of the Domains.
In addition, the log showed LE still trying, and not unexpectedly failing, to renew an old domain of a customer marked inactive; LE was trying to renew their old site even though the domain no longer works.
Solution for Inactive Customer Domain:
Remove the long gone domain so it doesn't keep failing every run:
$ sudo certbot delete --cert-name defunctdomainname.tld
<answer yes>
Workarounds Employed on the Other Domains:
Found an error very similar on the ISPConfig forum that linked to issue 5258: git.ispconfig.org/ispconfig/ispconfig3/issues/5258
It appears that the domain checks are fouling it up. Using the LE FAQ, we took the server.sh out of cron, and ran it manually. It had no errors reported. The run just unchecks the SSL and LetsEncrypt checkboxes. Ironically, not for the domain that added a new domain, but the one that "lost" two -- the one no more, and the one given to the other site.
We tried various unchecking and checking to include in LE, tried turning off SSL and re-enabling it for domains. Nothing worked.
Per the FAQ, we tried a reconfigure of ISPConfig:
$ sudo ispconfig_update.sh --force
<took defaults and yes to the reconfigure>
Didn't help. After saving with them disabled, then checking them both again, the Site document's SSL and LetsEncrypt checkboxes became unchecked again.
---
Tried the manual server.sh run in the forum and FAQ:
$ sudo crontab -e
<commented out the first line running server.sh>
$ sudo /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
<no errors, just output the php file successfully>
Afterwards, we checked both again in the Site document; the SSL and LetsEncrypt checkboxes became unchecked again. The LE configs were not created in the certbot renewal config folder.
---
Based on a conversation w/Till in the forum we decided to run the cert command manually while performing the steps:
$ sudo certbot delete --cert-name clientprimarydomain.tld
$ sudo /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@clientprimarydomain.tld --domains clientprimarydomain.tld --domains www.clientprimarydomain.tld --webroot-path /usr/local/ispconfig/interface/acme
We checked both Site checkboxes and saved. While the red circle updates were on the screen, we:
$ sudo /usr/local/ispconfig/server/server.sh 2>&1 | while read line; do echo `/bin/date` "$line" >> /var/log/ispconfig/cron.log; done
<no errors, just output the php file successfully>
This created the missing certificate with the correct domains (only the primary domain and its www variant -- and the old domain alias no longer included). But the Site document's checkboxes became unchecked again. No errors in the server.sh manual run.
The other alternate/secondary client Web Site and its three domains (6 including the www variant/prefix for each) were also not successful.
Then we tried reversing the two commands (/usr/bin/letsencrypt certonly and the server.sh). Didn't make a difference.
We re-enabled cron by uncommenting the server.sh line again.
$ sudo crontab -e
<removed the comment from the first line running server.sh>
---
After spending way too much time trying to debug it, we noticed that the FAQ says to make sure the Migration option in the server config page is unchecked. With only removing and recreating the client and its sites left to try, we decided to do the opposite of the FAQ: enable that option while we performed the following steps.
1. Removed both LE domain documents:
$ sudo certbot delete --cert-name alternateclientsitedomains.tld
$ sudo certbot delete --cert-name clientprimarydomain.tld
2. Changed the config document, migration checkbox to checked.
System --> Under System (left menu), clicked Server Config --> clicked our server FQDN to edit --> at the bottom, checked/enabled Server Migration Mode, clicked Save.
3. Sites --> edited the primary Site document, checked both SSL and LetsEncrypt boxes yet again, clicked Save.
4. As soon as we clicked Save we ran the LE certonly commands manually:
$ sudo /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@clientprimarydomain.tld --domains clientprimarydomain.tld --domains www.clientprimarydomain.tld --webroot-path /usr/local/ispconfig/interface/acme
$ sudo /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v02.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@clientprimarydomain.tld --domains clientsecondarydomain.tld --domains www.clientsecondarydomain.tld --domains clientsecondaryalias1domain.tld --domains www.clientsecondaryalias1domain.tld --domains clientsecondaryalias2domain.tld --domains www.clientsecondaryalias2domain.tld --webroot-path /usr/local/ispconfig/interface/acme
5. Waited until the pending tasks red circle disappeared.
6. Tested both sites' domains and they were both loading correctly.
7. Returned to the server config and unchecked the migration checkbox.
System --> Under System (left menu), clicked Server Config --> clicked our server FQDN to edit --> at the bottom, unchecked/disabled Server Migration Mode, clicked Save.
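A check that can follow these steps, as an added example that is not part of the original write-up: it reads `certbot certificates` output and reports any lineage that still covers a retired domain, such as the defunct customer domain or a removed alias. The function names, `retiredalias.tld` and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up).
# stale_lineages: reads `certbot certificates` output on stdin; the arguments
# are domains that should no longer appear in any certificate.
# Prints "<cert-name> <domain>" for every lineage that still lists one,
# matching both the bare domain and its www. variant.
stale_lineages() {
    awk -v retired="$*" '
        BEGIN {
            n = split(retired, r, " ")
            for (i = 1; i <= n; i++) gone[tolower(r[i])] = 1
        }
        # "Certificate Name: <name>" opens each lineage block
        $1 == "Certificate" && $2 == "Name:" { name = $NF }
        # "Domains: a b c" lists every name on that certificate
        $1 == "Domains:" {
            for (i = 2; i <= NF; i++) {
                d = tolower($i)
                bare = d
                sub(/^www\./, "", bare)
                if ((d in gone) || (bare in gone)) print name, d
            }
        }
    '
}

# Constructed sample of `certbot certificates` output (trimmed to the
# fields the parser reads); retiredalias.tld is a made-up placeholder.
sample_output() {
    cat <<'EOF'
Found the following certs:
  Certificate Name: clientprimarydomain.tld
    Domains: clientprimarydomain.tld www.clientprimarydomain.tld www.retiredalias.tld
    Expiry Date: 2030-01-01 00:00:00+00:00 (VALID: 89 days)
  Certificate Name: clientsecondarydomain.tld
    Domains: clientsecondarydomain.tld www.clientsecondarydomain.tld
  Certificate Name: defunctdomainname.tld
    Domains: defunctdomainname.tld
EOF
}

# Demo on the constructed sample. On a live server the input would be:
#   sudo certbot certificates 2>/dev/null | stale_lineages <retired domains>
sample_output | stale_lineages defunctdomainname.tld retiredalias.tld
```

An empty result means no lineage still references a retired name, so the renewal run has nothing left to fail on for those domains.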