May 7
I want to enable Let's Encrypt SSL certificate for a domain. I already checked in "System > Settings > SSL Settings" the options "Enable SSL usage" and "Enable Let's Encrypt". Under "Resources > Domains > Edit a domain", the options related to "Webserver SSL settings" are selected, including "Use Let's Encrypt". I already reloaded Apache after doing these selections. Unfortunately, when I point a domain to froxlor server IP in /etc/hosts to access the domain locally, I get an unsecured connection. What should I do next in order to enable Let's Encrypt SSL certificate on a domain?
May 7
6 minutes ago, Rômulo Pereira said: "when I point a domain to froxlor server IP in /etc/hosts to access the domain locally,"
locally being the keyword... you cannot change the /etc/hosts on letsencrypt.org-servers or for everyone else... that's what DNS is for... set correct DNS entries in the domain's zone and it should work as expected
May 7 Author
Thanks for the reply. I added the domain to DNS pointing to the froxlor server IP and checked with ping that the domain is being properly resolved, but I still get an insecure connection when I access the domain. What should I do next?
May 7 Author
I get these messages in the log for the domain:
"server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)"
"server certificate does NOT include an ID which matches the server name"
How do I fix it?
May 7 Author
Here it is:

```
[Wed May 07 12:15:20.487180 2025] [ssl:warn] [pid 1022:tid 1022] AH01906: [my-domain-here]:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed May 07 12:15:20.487208 2025] [ssl:warn] [pid 1022:tid 1022] AH01909: [my-domain-here]:443:0 server certificate does NOT include an ID which matches the server name
```
May 7
it's just a warning... if you open my-domain-here in your browser with https and everything works it's just fine
May 7 Author
Thanks for the reply. Unfortunately, the insecure connection continues to appear, without the Let's Encrypt SSL certificate. Even opening explicitly with https the connection remains insecure.
May 7
no idea, share the generated virtual-host config of that domain, show your configs, show logs... can't help with "it doesn't work"...
May 7 Author
Here follows the Virtual host config for the domain. How do I change the self signed certificate for a let's encrypt certificate? Do I have to do it manually on the server? Regarding the log, it is exactly what I showed. I do appreciate any help.

```apache
<VirtualHost [Server-IP-Here]:443>
  ServerName teste3.my-domain.com
  ServerAdmin teste3@email.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1.2
  SSLCompression Off
  SSLSessionTickets on
  SSLHonorCipherOrder off
  SSLCipherSuite [CipherSuite-Here]
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor_selfsigned.pem
  SSLCertificateKeyFile /etc/ssl/froxlor_selfsigned.key
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/teste3"
  <Directory "/var/customers/webs/teste3/">
    <FilesMatch \.(php)$>
      <If "-f %{SCRIPT_FILENAME}">
        SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-teste3-teste3.my-domain.com-php-fpm.socket|fcgi://localhost
      </If>
    </FilesMatch>
    CGIPassAuth On
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/teste3/webalizer"
  LogLevel warn
  ErrorLog "/var/customers/logs/teste3-error.log"
  CustomLog "/var/customers/logs/teste3-access.log" combined
</VirtualHost>
```
May 7
deactivate and reactivate let's encrypt for the domain, then run `froxlor-cli froxlor:cron -fd` twice - post errors here if any. Double check that the domain you are obtaining a certificate for resolves correctly to the server IP
May 8 Author
Thank you very much for your help. I followed the procedures as suggested and the following errors were returned:

```
[debug] Successful exit-code returned - storing certificate
[error] Could not find file 'teste3.my-domain.com.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'ca.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'fullchain.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not get Let's Encrypt certificate for teste3.my-domain.com:_https://github.com/acmesh-official/acme.sh_v3.1.1_[Thu May 8 10:10:39 -03 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory_[Thu May 8 10:10:40 -03 2025] Creating domain key_[Thu May 8 10:10:43 -03 2025] The domain key is here: /root/.acme.sh/teste3.my-domain.com/teste3.my-domain.com.key_[Thu May 8 10:10:43 -03 2025] Generating next pre-generate key._[Thu May 8 10:10:43 -03 2025] Single domain_'teste3.my-domain.com'_[Thu May 8 10:10:46 -03 2025] Getting webroot for domain_'teste3.my-domain.com'_[Thu May 8 10:10:46 -03 2025] Verifying: teste3.my-domain.com_[Thu May 8 10:10:47 -03 2025] Pending. The CA is processing your order, please wait. (1/30)_[Thu May 8 10:10:50 -03 2025] Pending. The CA is processing your order, please wait. (2/30)_[Thu May 8 10:10:53 -03 2025] Pending. The CA is processing your order, please wait. (3/30)_[Thu May 8 10:10:55 -03 2025] Pending. The CA is processing your order, please wait. (4/30)_[Thu May 8 10:10:58 -03 2025] Pending. The CA is processing your order, please wait. (5/30)
[error] Could not find file 'teste3.my-domain.com.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'ca.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'fullchain.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not get Let's Encrypt certificate for teste3.my-domain.com:_
[information] Let's Encrypt certificates have been updated
```
May 8
- does /root/.acme.sh/teste3.my-domain.com/ exist?
- Disable let's encrypt for the domain, let the cronjob run (or run manually)
- run "/root/.acme.sh/acme.sh remove -d teste3.my-domain.com"
- delete the directory "rm -rf /root/.acme.sh/teste3.my-domain.com/"
- enable let's encrypt for the domain and let the cronjob run / manually run it
May 8 Author
- does /root/.acme.sh/teste3.my-domain.com/ exist?
Yes, it does.
- Disable let's encrypt for the domain, let the cronjob run (or run manually)
Done
- run "/root/.acme.sh/acme.sh remove -d teste3.my-domain.com"
Log: "[Thu May 8 10:51:53 -03 2025] -d is not an issued domain, skipping."
- delete the directory "rm -rf /root/.acme.sh/teste3.my-domain.com/"
Done
- enable let's encrypt for the domain and let the cronjob run / manually run it
Log:

```
[Thu May 8 10:53:28 -03 2025] ===Starting cron===
[Thu May 8 10:53:28 -03 2025] Renewing: 'teste3.my-domain.com'
[Thu May 8 10:53:28 -03 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu May 8 10:53:28 -03 2025] Skipping invalid cert for: teste3.my-domain.com
[Thu May 8 10:53:28 -03 2025] Skipped teste3.my-domain.com
[Thu May 8 10:53:28 -03 2025] Renewing: 'teste3.my-domain.com'
[Thu May 8 10:53:28 -03 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu May 8 10:53:28 -03 2025] Skipping invalid cert for: teste3.my-domain.com
[Thu May 8 10:53:28 -03 2025] Skipped teste3.my-domain.com_ecc
[Thu May 8 10:53:28 -03 2025] Renewing: 'teste3.my-domain.com'
[Thu May 8 10:53:28 -03 2025] 'teste3.my-domain.com' is not an issued domain, skipping.
[Thu May 8 10:53:28 -03 2025] Skipped teste3.my-domain.com_ecc
[Thu May 8 10:53:28 -03 2025] ===End cron===
```
May 9 Author
I really appreciate your help. I managed to place the certificate on a domain. In the end, all that was left was to adjust the access on the firewall.
November 10
On 5/7/2025 at 11:19 PM, Rômulo Pereira said:
Here follows the Virtual host config for the domain. How do I change the self signed certificate for a let's encrypt certificate? Do I have to do it manually on the server? Regarding the log, it is exactly what I showed. I do appreciate any help.

```apache
<VirtualHost [Server-IP-Here]:443>
  ServerName teste3.my-domain.com
  ServerAdmin teste3@email.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1.2
  SSLCompression Off
  SSLSessionTickets on
  SSLHonorCipherOrder off
  SSLCipherSuite [CipherSuite-Here]
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor_selfsigned.pem
  SSLCertificateKeyFile /etc/ssl/froxlor_selfsigned.key
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/teste3"
  <Directory "/var/customers/webs/teste3/">
    <FilesMatch \.(php)$>
      <If "-f %{SCRIPT_FILENAME}">
        SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-teste3-teste3.my-domain.com-php-fpm.socket|fcgi://localhost
      </If>
    </FilesMatch>
    CGIPassAuth On
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/teste3/webalizer"
  LogLevel warn
  ErrorLog "/var/customers/logs/teste3-error.log"
  CustomLog "/var/customers/logs/teste3-access.log" combined
</VirtualHost>
```

You can visit here to check my website as well

I have the same question. I’m trying to enable a Let’s Encrypt SSL certificate for one of my domains as well. I’ve already enabled “Enable SSL usage” and “Enable Let’s Encrypt” in the SSL settings, and also selected “Use Let’s Encrypt” under the domain’s webserver SSL settings. After reloading Apache, I still get an unsecured connection when accessing the domain locally via the hosts file.

I’m not sure if there’s another step required like triggering the certificate generation manually, adjusting file permissions, or checking logs for Let’s Encrypt validation errors.
If anyone knows what needs to be done next or what might be missing in the configuration, I’d really appreciate some guidance.
November 10
Just now, Joe Root said: "when accessing the domain locally via the hosts file."
there is your problem. The domain might work for you locally as you tell your system what IP the domain resolves to... when requesting a Let's Encrypt certificate, the letsencrypt.org servers try to validate your domain by opening a special file via http - as they do not have your manual /etc/hosts entry, they cannot resolve the domain - hence no validation for the certificate
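
As an added example (not part of the thread, and not froxlor's or acme.sh's own code), this shell script checks the two things the replies above point at: whether a hosts-file entry is masking what public DNS returns, and whether the generated vhost still references the self-signed fallback certificate. The resolver 1.1.1.1, the function names and the `RESOLVER` variable are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Preflight before requesting a certificate via HTTP validation (added example).

# IPs that a hosts file pins for a name; the CA never sees these entries.
hosts_overrides() {    # usage: hosts_overrides <domain> [hosts-file]
  awk -v d="$1" '
    { sub(/#.*/, "") }   # strip comments; awk re-splits the fields afterwards
    NF >= 2 { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) print $1 }
  ' "${2:-/etc/hosts}"
}

# A records as a public resolver sees them; dig does not consult /etc/hosts.
public_a_records() {   # usage: public_a_records <domain>
  dig +short A "$1" "@${RESOLVER:-1.1.1.1}" | grep -E '^[0-9.]+$' || true
}

# Certificate file the generated vhost points at.
vhost_cert_file() {    # usage: vhost_cert_file <vhost-conf>
  awk 'tolower($1) == "sslcertificatefile" { print $2; exit }' "$1"
}

# Prints findings; returns 1 when public DNS does not point at the server.
preflight() {          # usage: preflight <domain> <server-ip> [hosts-file] [vhost-conf]
  local domain="$1" ip="$2" hosts="${3:-/etc/hosts}" conf="${4:-}" rc=0 pub
  if [ -n "$(hosts_overrides "$domain" "$hosts")" ]; then
    echo "NOTE: $hosts pins $domain; local tests do not reflect public DNS"
  fi
  pub=$(public_a_records "$domain")
  if ! printf '%s\n' "$pub" | grep -qxF "$ip"; then
    echo "FAIL: public A record for $domain is '${pub:-none}', expected $ip"
    rc=1
  fi
  if [ -n "$conf" ] && vhost_cert_file "$conf" | grep -q 'froxlor_selfsigned'; then
    echo "INFO: vhost still references the self-signed fallback certificate"
  fi
  return $rc
}
```

Inbound reachability over http has to be checked from a host outside the firewall, which this script cannot do from the server itself; in this thread the firewall was the last thing that had to be adjusted.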