The Letsencrypt Directory & Apache Bug. (Important)

Post by Rob Swan »

Impact Level: HIGH

Fix Found: YES

Fix Complexity: MOSTLY EASY

Bug Description/Symptom
After using the EHCP force control panel, your website no longer has a valid SSL (https) certificate and you see browser warnings when you visit your site (and/or your control panel). The browser warning could be on your main domain, or a subdomain that you have added yourself in the CP.

If affected, you should visit all the sites that use Letsencrypt to see which ones are affected. Then make a list of them. If it's only a user defined subdomain, still add the main domain name to the list, as we are going to rebuild the entire domain certificate, as well as for all the user defined subdomain certificates for that domain.

This issue is much less likely to occur if you used the script in THIS post to add the EHCP force built in subdomains to Letsencrypt, rather than using the old method that I removed from the site on the 19th October 2022. However due to Letsencrypt auto renewals there is still a chance that this can occur.

This issue occurs because EHCP force and Apache expect your SSL certificate to be in this folder.

/etc/letsencrypt/live/yourdomainname.com

Alternatively, this folder for a user defined subdomain.

/etc/letsencrypt/live/yousubdomain.yourdomainname.com

NOTE: Your folder name will not be as above as your domain name will not be yourdomainname.com and your subdomain will not be called yousubdomain.yourdomainname.com

But, instead Letsencrypt has put the certificate in another folder, for example.

/etc/letsencrypt/live/yourdomainname.com-0001
/etc/letsencrypt/live/yourdomainname.com-0003
/etc/letsencrypt/live/yourdomainname.com-0006
/etc/letsencrypt/live/yousubdomain.yourdomainname.com-0001
/etc/letsencrypt/live/yousubdomain.yourdomainname.com-0003
/etc/letsencrypt/live/yousubdomain.yourdomainname.com-0006

It is not advised that you simply rename the folder as this may just crash your server and corrupt Letsencrypt.

The Fix
Please be aware this is not the fault of EHCP force, this is a bug within Letsencrypt, although some may argue that this is not a bug, more just the way Letsencrypt works.

Login to your web based control panel using your browser.

Please select the first affected domain name from the drop-down box.
NOTE: Even if it is a user defined subdomain that is not working, still select the main domain name.

NOTE: If you have more than one domain on your server protected by Letsencrypt (certbot) you may have to use this fix for each of them before you are fully up and running again. Hence the list you may have made.

Now, click on Add SSL Certificate.

Next, it's “Click to Remove and Reset SSL Configuration for Domain”

When you get the confirmation notice on screen, I would wait a couple of minutes to allow the EHCP force daemon to do its work.
Now, go back and re-add the Letsencrypt to the first affected domain name.

So, under Domain Operations click Add SSL Certificate.

Ok, next click on Use FREE SSL.

At this point, I would wait maybe 3 or 4 minutes for the Daemon to catch up.

Next, click the home icon, at the top (or Main Options).

Scroll down to System Operations, then click Reload DNS Zones.

Now wait a minute or two to give the Daemon time to catch up.

Next, it's Main Options again.

Then scroll down again to System Operations, then click Synchronize Domains.

Leave your control panel open for the time being (just minimised).

If you are not already, log into your server using PuTTY.

Now, we are going to use the script file from THIS post.

If you previously downloaded the script, we can use it straight away but if you did not, here is how to download it.

Issue this command to download the script.

wget https://downloads.ghostnetwork.co.uk/scripts/ehcpforce/certbotfix.sh -O certbotfix.sh

Next give the script permission to execute by entering this command (you may have to re-enter your password).

sudo chmod +x certbotfix.sh

Use the script for the first affected domain.

NOTE: Never type any of the built in subdomains like cp.mydomain.com or mail.mydomain.com into the script as this WILL CAUSE MAJOR ISSUES

When prompted to do so, enter the first affected domain name (without www or http etc).

[Screenshot of the domain name prompt]

Yours won’t say mydomain.com of course!

Now, please wait….

Eventually, all being well you should see a confirmation that looks a bit like this.

[Screenshot of the confirmation message]

If you got a confirmation as above, go back to your control panel and Synchronize Domains again (Main Options >> System Operations >> Synchronize Domains).

Then use the script for any user defined subdomains that you may have created for the first affected domain, then RESYNC DOMAINS again.

IMPORTANT NOTE: The script will automatically be able to determine if you have entered a subdomain and then deploy a new certificate for it. If you enter one of the EHCP force built in subdomains into the script then YOU WILL CRASH your server (So Important, I need to repeat it).

If you got a confirmation as above, go back to your control panel and Synchronize Domains again (Main Options >> System Operations >> Synchronize Domains).

If you do have more than one affected domain on your server, please follow the procedure again for each affected domain.

So, as long as Letsencrypt (Certbot) worked ok, you can close PuTTY as that should be it fixed!

Although, due to Letsencrypt (Certbot) being a bit buggy (it's FREE at the end of the day), there is no guarantee that this won’t happen again, sorry to say.

The problem is that Letsencrypt (Certbot) automatically renews all SSL certificates every 3 months. It should be fine, but there are no guarantees.


Last bumped by Rob Swan on Tue Aug 29, 2023 4:39 pm.
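
A read-only check for the situation described in the post above, added here as an example; it is not the certbotfix.sh script from the post and it changes nothing on the server. It assumes certbot's default live directory, /etc/letsencrypt/live, and the function name is made up for this example.

```shell
#!/bin/sh
# Added example (not part of the original post, not certbotfix.sh).
# Lists certbot directories that carry a four-digit suffix such as
# "-0001", next to the directory name EHCP force and Apache expect.
# Read-only: nothing is renamed, moved or deleted.

# list_suffixed_lineages LIVE_DIR
# Output, one line per suffixed directory:
#   <expected-name> <suffixed-directory> <state>
# state is EXPECTED_MISSING when <LIVE_DIR>/<expected-name>/fullchain.pem
# does not exist (or is a broken symlink), otherwise EXPECTED_PRESENT.
list_suffixed_lineages() {
    live_dir=$1
    for dir in "$live_dir"/*-[0-9][0-9][0-9][0-9]; do
        # With no match the pattern stays literal and is skipped here.
        [ -d "$dir" ] || continue
        name=${dir##*/}                        # e.g. yourdomainname.com-0001
        base=${name%-[0-9][0-9][0-9][0-9]}     # e.g. yourdomainname.com
        # -e follows symlinks, so a dangling link counts as missing.
        if [ -e "$live_dir/$base/fullchain.pem" ]; then
            state=EXPECTED_PRESENT
        else
            state=EXPECTED_MISSING
        fi
        printf '%s %s %s\n' "$base" "$name" "$state"
    done
}

# Assumption: certbot's default location; pass another path as $1 to override.
# The directory is normally readable by root only, so run this with sudo.
list_suffixed_lineages "${1:-/etc/letsencrypt/live}"
```

Every domain reported as EXPECTED_MISSING belongs on the list of affected domains for the control panel procedure above.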