Let's Encrypt for VestaCP System (8083) and exim4
Re: Let's Encrypt for VestaCP System (8083) and exim4
billmedina wrote:
> ln -s /etc/letsencrypt/live/[mydomain.com]/cert.pem /usr/local/vesta/ssl/certificate.crt
> ln -s /etc/letsencrypt/live/[mydomain.com]/privkey.pem /usr/local/vesta/ssl/certificate.key
> service vesta restart

Congratz, you can register on the board and copy&paste your 3 line shell "solution" without any comment in two posts (here and viewtopic.php?p=56134#p56134). But can you answer me also a question? What will happen after 90 days? If not, I will tell you: VestaCP backend will be outdated because you have to restart vesta service after changing/renewing the ssl cert.
So maybe next time: Read the thread where you are posting such a bullshit and try to understand, why it can maybe not work. Thanks.
Re: Let's Encrypt for VestaCP System (8083) and exim4
ScIT wrote:
> billmedina wrote:
> > ln -s /etc/letsencrypt/live/[mydomain.com]/cert.pem /usr/local/vesta/ssl/certificate.crt
> > ln -s /etc/letsencrypt/live/[mydomain.com]/privkey.pem /usr/local/vesta/ssl/certificate.key
> > service vesta restart
>
> Congratz, you can register on the board and copy&paste your 3 line shell "solution" without any comment in two posts (here and viewtopic.php?p=56134#p56134). But can you answer me also a question? What will happen after 90 days? If not, I will tell you: VestaCP backend will be outdated because you have to restart vesta service after changing/renewing the ssl cert.
> So maybe next time: Read the thread where you are posting such a bullshit and try to understand, why it can maybe not work. Thanks.

Sorry that I stepped on the toes of your inefficient solution. Why should there be 2 copies of the file? DRY. Symlink the files and, if needed, cron job panel restart. Sorry for your anger.
Re: Let's Encrypt for VestaCP System (8083) and exim4
billmedina wrote:
> Sorry that I stepped on the toes of your inefficient solution. Why should there be 2 copies of the file? DRY. Symlink the files and, if needed, cron job panel restart. Sorry for your anger.

Ok, maybe I was too direct. But let us start again: The script isn't inefficient, I had problems on my systems if I've done only a symlink. Because the default certs have to run under root:mail, so that exim4 can access them properly. Otherwise I've got an error of missing permission to open the files (unable to open private key file for reading: /usr/local/vesta/...).
This was written on top of my "HowTo", and that's why I write you: "Please read before you post". Also, if you will be longer than 4 posts in this board, you will understand why you can't just post 4 lines without any comment, which is by the way not really friendly if you do this inside of two different posts.
About the restart: When would you do this? Every night after the v-update-letsencrypt-ssl system cronjob? How do you detect if the cert was updated?
Let us discuss here, not in two posts.
Re: Let's Encrypt for VestaCP System (8083) and exim4
This is a great script ScIT. Thank you!
Re: Let's Encrypt for VestaCP System (8083) and exim4
Thanks for sharing! This works a charm for me :)
Re: Let's Encrypt for VestaCP System (8083) and exim4
I've added also
service dovecot restart &> /dev/null
because afaik you will need to restart dovecot also.
Re: Let's Encrypt for VestaCP System (8083) and exim4
Hello everyone,
I tried this script and it worked, however now vesta service does not start and gives this error:
Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
Why is this happening?
Re: Let's Encrypt for VestaCP System (8083) and exim4
zeknoss wrote:
> Hello everyone,
> I tried this script and it worked, however now vesta service does not start and gives this error:
> Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
> Why is this happening?

Exact same issue as you :/ everything worked for a while I believe over 24 hours and now suddenly I get errr connection refused on the vestaCP and error if I try to restart vesta service manually via terminal!
Have you had any success resolving this issue?
Re: Let's Encrypt for VestaCP System (8083) and exim4
JakeTheDog420 wrote:
> zeknoss wrote:
> > Hello everyone,
> > I tried this script and it worked, however now vesta service does not start and gives this error:
> > Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)
> > Why is this happening?
>
> Exact same issue as you :/ everything worked for a while I believe over 24 hours and now suddenly I get errr connection refused on the vestaCP and error if I try to restart vesta service manually via terminal!
> Have you had any success resolving this issue?
Managed to get it working (not sure if the fix is a permanent solution or if it just managed to get the control panel accessible again, but hopefully at the bare minimum it's repeatable if the issue persists until a full fix is found).
First step is to find a working set of SSL keys. I wasn't sure where to find these, but I re-issued my command v-add-letsencrypt-domain mydomain.com alias.mydomain.com serverip hoping that it would work.
Now when that didn't work and I saw the error was about an SSL mismatch, my assumption was maybe the command is issuing new keys but not updating the server, so the wrong keys were getting used...
The directory with the keys that are created upon the v-add command is /home/[USER]/[YOURDOMAIN]/conf/web/
Here you will find at least one .key and one .crt file.
I actually had 8 files all with the SSL prefix.
Choosing which one to use felt like mostly guesswork as it seems that it generated separate ssl keys for each of my domains I specified even though one was a subdomain and the other was my server IP and they were supposed to be made as an alias.. I decided to go with my subdomain key and crt file.
I then proceeded to make a backup of the current SSL files vesta was referring to. I did this twice once locally on the server and then again externally on my local machine. I used SSH to make the backup files.
CD to /usr/local/vesta/ssl/
cp certificate.crt certificate.crt.bkup
cp certificate.key certificate.key.bkup
Then you can FTP into your server and go to the same directory and download either the original or the backup files to your local machine. They should be the same so either's fine. Then proceed to delete the original cert.key and cert.crt files leaving only the .bkups on your server.
From here return to your SSH terminal session and change directory again if you're in the vesta/ssl directory back to your user directory which contains your SSL keys.
Simply copy them over using the cp command again example below:
cp subdomain.domain.com.crt /usr/local/vesta/ssl/certificate.crt
cp subdomain.domain.com.key /usr/local/vesta/ssl/certificate.key
This will create a copy with the correct name in the vesta ssl directory.
Last step is simply to restart the vestaCP service and pray that you get the OK on both nginx and vestaphp services this time!
I can confirm this fixed my mismatch and allowed the vesta service to restart. Once restarted my serverIP:8083 was accessible again however displayed a SSL insecure warning showing the certificate is registered to my subdomain.
I can also confirm if I access the vesta control panel via subdomain.domain.com:8083 I go straight to the login page and see a green padlock confirming the page is being loaded securely.
Hopefully this fixes it if anyone else runs into similar problems! Shame this forum isn't more active I feel like vesta has a lot to offer but without an active community many people probably move to cpanel or possibly even other free options with more active communities.. Anyway I'll post this in the other places I saw similar issues where I posted looking for help here so maybe it can help others (Y)
Re: Let's Encrypt for VestaCP System (8083) and exim4
JakeTheDog420 wrote:
> Shame this forum isn't more active I feel like vesta has a lot to offer but without an active community many people probably move to cpanel or possibly even other free options with more active communities.. Anyway I'll post this in the other places I saw similar issues where I posted looking for help here so maybe it can help others (Y)

The forum is not inactive, here is still life :).

JakeTheDog420 wrote:
> Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

For the mismatch problem it is quite simple: The published script just compares and copies the cert files, like you wrote in your post (you just do the steps manually, and missed setting the permission).
The script is only a few lines long and also does not use complicated commands. So if you configure it properly (set the right user and domain name) the script will work without any troubles. Also you should not delete the web domain you used for the Let's Encrypt domain, otherwise the cert will not be refreshed anymore.
For VestaCP there is a bit of Linux base knowledge needed, to understand its processes and how it is working. Maybe have a look at the script, try to understand what it does and also maybe why it could not work on your system (or why it stopped working after some time).
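
An added example, not the script published in this thread and not VestaCP code: one way to answer the two questions raised above, "How do you detect if the cert was updated?" and the nginx "key values mismatch" failure. It checks that certificate and key belong together before anything is replaced, and reports whether a restart is needed. The function names, the `CERT_OWNER` variable, the script arguments and the exim4 service name are assumptions; the target directory, root:mail ownership and the vesta and dovecot restarts come from the posts.

```shell
#!/bin/bash
# Added example. CERT_OWNER is an assumption taken from the thread (root:mail so
# exim4 can read the key); set it empty to leave ownership untouched.
CERT_OWNER="${CERT_OWNER-root:mail}"

# True only when the certificate's public key is the one belonging to the private key.
cert_key_match() {
    local from_crt from_key
    from_crt=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$from_crt" ] && [ "$from_crt" = "$from_key" ]
}

# sync_pair SRC_CRT SRC_KEY DST_DIR
# returns 0 = new pair installed, 1 = already current, 2 = rejected or failed
sync_pair() {
    local crt="$1" key="$2" dst="$3" ext src
    cert_key_match "$crt" "$key" || return 2          # never install a mismatched pair
    if cmp -s "$crt" "$dst/certificate.crt" 2>/dev/null &&
       cmp -s "$key" "$dst/certificate.key" 2>/dev/null; then
        return 1                                      # nothing renewed, no restart needed
    fi
    for ext in crt key; do
        if [ "$ext" = crt ]; then src=$crt; else src=$key; fi
        # Stage next to the target with tight permissions before it becomes live.
        ( umask 077; cp "$src" "$dst/certificate.$ext.new" ) || return 2
        chmod 640 "$dst/certificate.$ext.new" || return 2
        if [ -n "$CERT_OWNER" ]; then
            chown "$CERT_OWNER" "$dst/certificate.$ext.new" || return 2
        fi
    done
    # Both files are staged; swap them in with renames on the same filesystem.
    mv -f "$dst/certificate.crt.new" "$dst/certificate.crt" &&
    mv -f "$dst/certificate.key.new" "$dst/certificate.key" || return 2
}

# Run as root after the renewal cron job: script SRC_CRT SRC_KEY
if [ "$#" -eq 2 ]; then
    rc=0
    sync_pair "$1" "$2" /usr/local/vesta/ssl || rc=$?
    case $rc in
        0) service vesta restart; service exim4 restart; service dovecot restart ;;
        1) ;;                                         # unchanged
        *) echo "certificate pair not installed, check cert and key" >&2; exit 1 ;;
    esac
fi
```

Because the pair is validated first, picking a .crt and a .key that belong to different domains is refused before the panel's files are touched.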