This article describes solutions to possible errors that may occur when issuing or replacing a platform certificate.
Failed to start new daemon with ssl
The ihttpd web server does not start when the certificate is replaced. The /opt/ispsystem/dnsmanager6/var/ihttpd.log has an error similar to:
    Nov 23 06:57:11 [1680:1] main WARNING Failed to listen: ip '10.10.11.15', port '443'. Reason: Failed to start new daemon with ssl
The cause of the error is an incorrectly assembled certificate chain.
To fix this, delete the certificates and add them again according to the instructions:
- Delete the certificates in the platform interface in Control panel address → Certificates button → Delete button.
- Connect to the platform via SSH.
- Delete the certificates from the /opt/ispsystem/dnsmanager6/etc/ directory. You can check the file names in the configuration file /opt/ispsystem/dnsmanager6/etc/ihttpd.conf. An example of the listen section with the names of certificate files:
    listen {
        ip 10.10.11.15
        port 1515
        redirect
        certkey etc/ihttpd_cert.key
        cert etc/ihttpd_cert.crt
        cacert /etc/ssl/certs/ipa-ca.pem
    }
- Add a certificate:
    - Go to Settings → Control panel address → Certificates.
    - Click the Add button.
    - Select Existing certificate.
The certificate and chain will be sorted automatically.
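To see which files the listen sections of ihttpd.conf actually reference before deleting anything, the sketch below is an added example and not part of the platform or its documentation. The helper name ihttpd_cert_files is hypothetical, and it assumes that relative paths such as etc/ihttpd_cert.crt are resolved against the platform directory.

```sh
#!/bin/sh
# Added example: list certificate files referenced in ihttpd.conf listen blocks.
# Assumption: relative paths (e.g. etc/ihttpd_cert.crt) are resolved against
# the platform directory passed as BASE.

# ihttpd_cert_files CONF [BASE]  (hypothetical helper name)
# Prints "<ip>:<port> <directive> <absolute path> <ok|missing>" per file.
ihttpd_cert_files() {
    conf=$1
    base=${2:-/opt/ispsystem/dnsmanager6}
    # Token-based scan, so one-line and multi-line listen blocks both parse.
    awk -v base="$base" '
    {
        for (i = 1; i <= NF; i++) {
            tok = $i
            if (want != "") {                 # value of the previous directive
                if (want == "ip") ip = tok
                else if (want == "port") port = tok
                else {
                    if (tok !~ /^\//) tok = base "/" tok
                    kind[++n] = want; file[n] = tok
                }
                want = ""
            } else if (tok == "listen") {
                inblk = 1; ip = ""; port = ""; n = 0
            } else if (inblk && tok == "}") {
                for (j = 1; j <= n; j++) print ip ":" port, kind[j], file[j]
                inblk = 0
            } else if (inblk && tok ~ /^(ip|port|certkey|cert|cacert)$/) {
                want = tok
            }
        }
    }' "$conf" | while read -r addr kind path; do
        if [ -f "$path" ]; then state=ok; else state=missing; fi
        printf '%s %s %s %s\n' "$addr" "$kind" "$path" "$state"
    done
}

# Demo on the listen section shown above, written to a temporary file.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
listen { ip 10.10.11.15 port 1515 redirect certkey etc/ihttpd_cert.key cert etc/ihttpd_cert.crt cacert /etc/ssl/certs/ipa-ca.pem }
EOF
ihttpd_cert_files "$demo_conf"
rm -f "$demo_conf"
```

On the platform server, run it against /opt/ispsystem/dnsmanager6/etc/ihttpd.conf; a file reported as missing means the listen section points at a file that is no longer on disk.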
Symlink_exists when issuing a Let's Encrypt certificate
When attempting to issue a platform certificate, the error Failed to obtain a Let's Encrypt certificate appears. The following error is found in the logs:
    Type: 'file' Object: 'symlink_exists' Value: 'www/letsencrypt/.well-known/acme-challenge'
This error occurs when a certificate was previously force-deleted. Unlike the automatic renewal process, manually deleting and then re-adding a new certificate causes a conflict. The system tries to create the www/letsencrypt/.well-known/acme-challenge directory, which already exists, leading to a failure.
To solve the problem:
- Connect to the server with the platform via SSH. For more information about connecting via SSH, see Workstation setup.
- Delete the remaining files of the old certificate by means of the commands:
    rm -rf /opt/ispsystem/dnsmanager6/etc/scripts/acmesh/ca/
    rm -rf /opt/ispsystem/dnsmanager6/etc/scripts/acmesh/my.domain.ru/
    rm -rf /opt/ispsystem/dnsmanager6/www/letsencrypt/.well-known/
- Re-issue the certificate.
The certificate is not automatically re-issued
If the certificate was not renewed automatically, check the log file at /opt/ispsystem/dnsmanager6/var/billmgr_acme_sh.log. If the log contains no errors, the cause may be an outdated acme.sh script. The script is located in the following directory:
    /opt/ispsystem/dnsmanager6/etc/scripts/acmesh/
To resolve the issue, update the script to the latest version:
- Connect to the server with the platform via SSH. For more information about connecting via SSH, see Workstation setup.
- Check the script version:
    /opt/ispsystem/dnsmanager6/etc/scripts/acmesh/acme.sh --version
- If the version is lower than v3.0.5, update the script:
    /opt/ispsystem/dnsmanager6/etc/scripts/acmesh/acme.sh --upgrade