Froxlor Forum
  • 0

Question

Posted

I want to enable Let's Encrypt SSL certificate for a domain. I already checked in "System > Settings > SSL Settings" the options "Enable SSL usage" and "Enable Let's Encrypt".

Under "Resources > Domains > Edit a domain", the options related to "Webserver SSL settings" are selected, including "Use Let's Encrypt".

I already reloaded Apache after making these selections. Unfortunately, when I point a domain to the froxlor server IP in /etc/hosts to access the domain locally, I get an unsecured connection.

What should I do next in order to enable Let's Encrypt SSL certificate on a domain? 

15 answers to this question


  • 0
Posted
6 minutes ago, Rômulo Pereira said:

when I point a domain to froxlor server IP in /etc/hosts to access the domain locally,

"locally" being the keyword... you cannot change the /etc/hosts on the letsencrypt.org servers or for everyone else... that's what DNS is for. Set correct DNS entries in the domain's zone and it should work as expected.

  • 0
Posted

Thanks for the reply. I added the domain to DNS pointing to the froxlor server IP and checked with ping that the domain is being properly resolved, but I still get an insecure connection when I access the domain. What should I do next?

  • 0
Posted

Here it is:

[Wed May 07 12:15:20.487180 2025] [ssl:warn] [pid 1022:tid 1022] AH01906: [my-domain-here]:443:0 server certificate is a CA certificate (BasicConstraints: CA == TRUE !?)
[Wed May 07 12:15:20.487208 2025] [ssl:warn] [pid 1022:tid 1022] AH01909: [my-domain-here]:443:0 server certificate does NOT include an ID which matches the server name

  • 0
Posted

Here follows the virtual host config for the domain. How do I change the self-signed certificate for a Let's Encrypt certificate? Do I have to do it manually on the server? Regarding the log, it is exactly what I showed. I do appreciate any help.

<VirtualHost [Server-IP-Here]:443>
  ServerName teste3.my-domain.com
  ServerAdmin teste3@email.com
  SSLEngine On
  SSLProtocol -ALL +TLSv1.2
  SSLCompression Off
  SSLSessionTickets on
  SSLHonorCipherOrder off
  SSLCipherSuite [CipherSuite-Here]
  SSLVerifyDepth 10
  SSLCertificateFile /etc/ssl/froxlor_selfsigned.pem
  SSLCertificateKeyFile /etc/ssl/froxlor_selfsigned.key
  <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=0"
  </IfModule>
  DocumentRoot "/var/customers/webs/teste3"
  <Directory "/var/customers/webs/teste3/">
  <FilesMatch \.(php)$>
    <If "-f %{SCRIPT_FILENAME}">
      SetHandler proxy:unix:/var/lib/apache2/fastcgi/1-teste3-teste3.my-domain.com-php-fpm.socket|fcgi://localhost
    </If>
  </FilesMatch>
    CGIPassAuth On
    Require all granted
    AllowOverride All
  </Directory>
  Alias /webalizer "/var/customers/webs/teste3/webalizer"
  LogLevel warn
  ErrorLog "/var/customers/logs/teste3-error.log"
  CustomLog "/var/customers/logs/teste3-access.log" combined
</VirtualHost>

  • 0
Posted

Deactivate and reactivate Let's Encrypt for the domain, then run `froxlor-cli froxlor:cron -fd` twice - post errors here if any. Double-check that the domain you are obtaining a certificate for resolves correctly to the server IP.
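
The resolution check asked for above, as an added example that is not part of the original posts: `ping` goes through the system resolver, which normally consults /etc/hosts first, so a leftover local entry can hide a wrong or missing public record. The function names are hypothetical, `1.1.1.1` is an arbitrary choice of public resolver, and `dig` is assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# 1.1.1.1 is just one public resolver, pick any you trust.

# hosts_override FILE DOMAIN -> IPs that a hosts file pins for DOMAIN.
hosts_override() {
    awk -v d="$2" '
        { sub(/#.*/, "") }    # drop comments before matching names
        { for (i = 2; i <= NF; i++) if (tolower($i) == tolower(d)) print $1 }
    ' "$1"
}

# records_match EXPECTED_IP "RECORDS" -> success only if at least one
# record exists and every record equals EXPECTED_IP.
records_match() {
    [ -n "$2" ] || return 1
    for ip in $2; do
        [ "$ip" = "$1" ] || return 1
    done
    return 0
}

# public_a_records DOMAIN [RESOLVER] -> A records as the outside world sees
# them. dig talks to the resolver directly, so /etc/hosts is not consulted.
public_a_records() {
    dig +short A "$1" "@${2:-1.1.1.1}" | grep -E '^[0-9]+(\.[0-9]+){3}$' || true
}

# preflight DOMAIN EXPECTED_IP [HOSTS_FILE]
preflight() {
    pinned=$(hosts_override "${3:-/etc/hosts}" "$1")
    if [ -n "$pinned" ]; then
        echo "WARN: hosts file pins $1 to $pinned; ping and browser tests from this machine prove nothing about public DNS"
    fi
    records=$(public_a_records "$1")
    if records_match "$2" "$records"; then
        echo "OK: $1 resolves publicly to $2"
    else
        echo "FAIL: public A records for $1 are: ${records:-<none>} (expected $2)"
        return 1
    fi
}

# Usage: sh preflight.sh teste3.my-domain.com <server-ip>
if [ "$#" -ge 2 ]; then preflight "$@"; fi
```

Only A records are compared here; if the domain also publishes an AAAA record, that address has to reach the same server too.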

  • 0
Posted

Thank you very much for your help. I followed the procedures as suggested and the following errors were returned:

[debug] Successful exit-code returned - storing certificate
[error] Could not find file 'teste3.my-domain.com.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'ca.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'fullchain.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not get Let's Encrypt certificate for teste3.my-domain.com:_https://github.com/acmesh-official/acme.sh_v3.1.1_[Thu May  8 10:10:39 -03 2025] Using CA: https://acme-v02.api.letsencrypt.org/directory_[Thu May  8 10:10:40 -03 2025] Creating domain key_[Thu May  8 10:10:43 -03 2025] The domain key is here: /root/.acme.sh/teste3.my-domain.com/teste3.my-domain.com.key_[Thu May  8 10:10:43 -03 2025] Generating next pre-generate key._[Thu May  8 10:10:43 -03 2025] Single domain_'teste3.my-domain.com'_[Thu May  8 10:10:46 -03 2025] Getting webroot for domain_'teste3.my-domain.com'_[Thu May  8 10:10:46 -03 2025] Verifying: teste3.my-domain.com_[Thu May  8 10:10:47 -03 2025] Pending. The CA is processing your order, please wait. (1/30)_[Thu May  8 10:10:50 -03 2025] Pending. The CA is processing your order, please wait. (2/30)_[Thu May  8 10:10:53 -03 2025] Pending. The CA is processing your order, please wait. (3/30)_[Thu May  8 10:10:55 -03 2025] Pending. The CA is processing your order, please wait. (4/30)_[Thu May  8 10:10:58 -03 2025] Pending. The CA is processing your order, please wait. (5/30)
[error] Could not find file 'teste3.my-domain.com.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'ca.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not find file 'fullchain.cer' in '/root/.acme.sh/teste3.my-domain.com/'
[error] Could not get Let's Encrypt certificate for teste3.my-domain.com:_
[information] Let's Encrypt certificates have been updated

  • 0
Posted

- does /root/.acme.sh/teste3.my-domain.com/ exist?
- Disable let's encrypt for the domain, let the cronjob run (or run manually)
- run "/root/.acme.sh/acme.sh remove -d teste3.my-domain.com"
- delete the directory "rm -rf /root/.acme.sh/teste3.my-domain.com/"
- enable let's encrypt for the domain and let the cronjob run / manually run it 

 

  • 0
Posted

- does /root/.acme.sh/teste3.my-domain.com/ exist?

Yes, it does. 

- Disable let's encrypt for the domain, let the cronjob run (or run manually)

Done

- run "/root/.acme.sh/acme.sh remove -d teste3.my-domain.com"

Log: "[Thu May  8 10:51:53 -03 2025] -d is not an issued domain, skipping."

- delete the directory "rm -rf /root/.acme.sh/teste3.my-domain.com/"

Done

- enable let's encrypt for the domain and let the cronjob run / manually run it

Log:

[Thu May  8 10:53:28 -03 2025] ===Starting cron===
[Thu May  8 10:53:28 -03 2025] Renewing: 'teste3.my-domain.com'
[Thu May  8 10:53:28 -03 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu May  8 10:53:28 -03 2025] Skipping invalid cert for: teste3.my-domain.com
[Thu May  8 10:53:28 -03 2025] Skipped teste3.my-domain.com
[Thu May  8 10:53:28 -03 2025] Renewing: 'teste3.my-domain.com'
[Thu May  8 10:53:28 -03 2025] Renewing using Le_API=https://acme-v02.api.letsencrypt.org/directory
[Thu May  8 10:53:28 -03 2025] Skipping invalid cert for: teste3.my-domain.com
[Thu May  8 10:53:28 -03 2025] Skipped teste3.my-domain.com_ecc
[Thu May  8 10:53:28 -03 2025] Renewing: 'teste3.my-domain.com'
[Thu May  8 10:53:28 -03 2025] 'teste3.my-domain.com' is not an issued domain, skipping.
[Thu May  8 10:53:28 -03 2025] Skipped teste3.my-domain.com_ecc
[Thu May  8 10:53:28 -03 2025] ===End cron===
