Let's Encrypt for VestaCP System (8083) and exim4

[ScIT]

ln - s /etc/letsencrypt/live/[mydomain.com]/cert.pem /usr/local/vesta/ssl/certificate.crt
ln -s /etc/letsencrypt/live/[mydomain.com]/privkey.pem /usr/local/vesta/ssl/certificate.key
service vesta restart

Congratz, you can register on the board and copy&paste your 3 line shell "solution" without any comment in two posts (here and viewtopic.php?p=56134#p56134). But can you answer me also a question? What will happen after 90days? If not, I will tell you: VestaCP backend will be outdated because you have to restart vesta service after changing/renewing the ssl cert.

So maybe next time: Read the thread where you are posting such a bullshit and try to understand, why it can maybe not work. Thanks.

[billmedina]

ln - s /etc/letsencrypt/live/[mydomain.com]/cert.pem /usr/local/vesta/ssl/certificate.crt
ln -s /etc/letsencrypt/live/[mydomain.com]/privkey.pem /usr/local/vesta/ssl/certificate.key
service vesta restart

Congratz, you can register on the board and copy&paste your 3 line shell "solution" without any comment in two posts (here and viewtopic.php?p=56134#p56134). But can you answer me also a question? What will happen after 90days? If not, I will tell you: VestaCP backend will be outdated because you have to restart vesta service after changing/renewing the ssl cert.

So maybe next time: Read the thread where you are posting such a bullshit and try to understand, why it can maybe not work. Thanks.

Sorry that I stepped on the toes of your inefficient solution. Why should there be 2 copies of the file. DRY. symlink the files and if needed cron job panel restart. Sorry for your anger.

[ScIT]

Sorry that I stepped on the toes of your inefficient solution. Why should there be 2 copies of the file. DRY. symlink the files and if needed cron job panel restart. Sorry for your anger.

Ok, maybe I was to direct. But let us start again: The script isnt inefficient, i had problems on my systems if I've done only a symlink. Because the default certs have to run under root:mail, so that exim4 can access them properly. Otherwise I've got an error of missing permission to open the files (unable to open private key file for reading: /usr/local/vesta/...).

This was written on top on my "HowTo", and that's why I write you: "Please read before you post". Also, if you will be longer than 4 posts in this board, you will understand why you can't just post 4 lines without any comment, what is by the way not really friendly if you do this inside of two different posts.

About the restart: When would you do this? Every night after the v-update-letsencrypt-ssl system cronjob? How do you detect if the cert was updated?

Let us discuss here, not in two posts.

[cmslauncher]

This a great script ScIT. Thank you!

[youradds]

Thanks for sharing! This works a charm for me :)

[lexa500]

I`ve added also

Code: Select all

service dovecot restart &> /dev/null

because you afaik you will need to restart dovecot also.

[zeknoss]

Hello everyone,
I tried this script and it worked, however now vesta service does not start and give this error:

Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Why is this happening?

[JakeTheDog420]

Hello everyone,
I tried this script and it worked, however now vesta service does not start and give this error:

Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Why is this happening?

Exact same issue as you :/ everything worked for a while I believe over 24hours and now suddenly I get errr connection refused on the vestaCP and error if I try to restart vesta service manually via terminal!

have you had any success resolving this issue?

[JakeTheDog420]

Hello everyone,
I tried this script and it worked, however now vesta service does not start and give this error:

Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

Why is this happening?

Exact same issue as you :/ everything worked for a while I believe over 24hours and now suddenly I get errr connection refused on the vestaCP and error if I try to restart vesta service manually via terminal!

have you had any success resolving this issue?

Managed to get it working (not sure if the fix is a permenant solution or if it just managed to get the control panel accessible again but hopefully at the bare minimum its repeatable if the issue persists until a full fix is found)

First step is to find a working set of SSL keys. I wasn't sure where to find these or but I re-issued my command v-add-letsencrypt-domain mydomain.com alias.mydomain.com serverip hoping that it would work.

Now when that didn't work and I saw the error was about an SSL mismatch my assumption was maybe the command is issuing new keys but not updating the server so the wrong keys were getting used...

The directory with the keys that are created upon the v-add command is /home/[USER]/[YOURDOMAIN]/conf/web/

Here you will find at least one .key and one .crt file.
I actually had 8files all with the SSL prefix.

Choosing which one to use felt like mostly guess work as it seems that it generated seperate ssl keys for each of my domains I specified even though one was a subdomain and the other was my server IP and they were supposed to be made as an alias.. I decided to go with my subdomain key and crt file.

I then proceeded to make a backup of the current SSL files vesta was referring to. I did this twice once locally on the server and then again externally on my local machine. I used SSH to make the backup files.

CD to /usr/local/vesta/ssl/
cp certificate.crt certificate.crt.bkup
cp certificate.key certificate.key.bkup

Then you can FTP into your server and go to the same directory and download either the original or the backup files to your local machine. They should be the same so eithers fine. Then proceed to delete the original cert.key and cert.crt files leaving only the .bkups on your server.

From here return to your SSH terminal session and change directory again if you're in the vesta/ssl directory back to your user directory which contains your SSL keys.

Simply copy them over using the cp command again example below:
cp subdomain.domain.com.crt /usr/local/vesta/ssl/certificate.crt
cp subdomain.domain.com.key /usr/local/vesta/ssl/certificate.key

This will create a copy with the correct name in the vesta ssl directory.

Last step is simply to restart the vestaCP service and prey that you get the OK on both nginx and vestaphp service's this time!

I can confirm this fixed my mismatch and allowed the vesta service to restart. Once restarted my serverIP:8083 was accessible again however displayed a SSL insecure warning showing the certificate is registered to my subdomain.

I can also confirm if I access the vesta control panel via subdomain.domain.com:8083 I go straight to the login page and see a green padlock confirming the page is being loaded securely.

Hopefully this fixes it if anyone else runs into similar problems! Shame this forum isn't more active I feel like vesta has a lot to offer but without an active community many people probably move to cpanel or possibly even other free options with more active communities.. Anyway I'll post this in the other places I saw similar issues where I posted looking for help here so maybe it can help others (Y)

[ScIT]

Shame this forum isn't more active I feel like vesta has a lot to offer but without an active community many people probably move to cpanel or possibly even other free options with more active communities.. Anyway I'll post this in the other places I saw similar issues where I posted looking for help here so maybe it can help others (Y)

The forum is not inactiv, here is still life :).

Starting vesta-nginx: nginx: [emerg] SSL_CTX_use_PrivateKey_file("/usr/local/vesta/ssl/certificate.key") failed (SSL: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch)

For the missmatch problem it is quite simple: The published script just compares and copy the cert files, like you wrote on your post (you do just the steps manualy, missed to set the permission).

The script is only a few lines long and also do not use complicated commands. So if you configure it properly (set the right user and domain name) the script will work without any troubles. Also you should not delete the web domain you used for the let's encrypt domain. otherwise the cert will not be refreshed anymore.

For VestaCP there is a bit of linux base knowledge needed, to understand his processes and how it is working. Maybe have a look at the script, try to understand what it does and also maybe why it could not work on your system (or why it stopped working after some time).