Fix VestaCP Admin Panel SSL Certificate Error
VestaCP is a free, open-source web hosting control panel, an alternative to cPanel, with built-in features for hosting websites, email, databases, DNS, SSL encryption and more.
OVERVIEW OF THE ISSUE
You can generate a free Let’s Encrypt SSL certificate through VestaCP for the web domain used for the VestaCP Admin Panel. But you will still see the SSL warning on the panel, even though the certificate was generated successfully. I will walk you through the steps to fix this issue.
First log in to the VestaCP Admin Panel with admin credentials. Then navigate to the WEB section and edit the domain used for the VestaCP Admin Panel. You will see that the domain is enabled with a Let’s Encrypt SSL certificate.
FIX FOR THE ISSUE
SSH to your VestaCP server, then navigate to the directory /home/admin/conf/web. The SSL files generated for the domain are in this directory, named ssl.[Domain].crt and ssl.[Domain].key.
But the VestaCP Admin Panel itself is served from /usr/local/vesta/, and it uses its own default SSL certificate files, certificate.crt and certificate.key, from the directory /usr/local/vesta/ssl. This is the cause of the warning: the default certificate was not issued by a valid certificate authority. So we need to replace the default certificate files with the ones generated by Let’s Encrypt.
To fix this, rename the default SSL certificate files certificate.crt and certificate.key to certificate.crt_old and certificate.key_old.
Now copy the valid generated certificate files ssl.[Domain].crt and ssl.[Domain].key from /home/admin/conf/web to /usr/local/vesta/ssl, naming them certificate.crt and certificate.key.
cd /usr/local/vesta/ssl
mv certificate.crt certificate.crt_old
mv certificate.key certificate.key_old
cp /home/admin/conf/web/ssl.[Domain].crt /usr/local/vesta/ssl/certificate.crt
cp /home/admin/conf/web/ssl.[Domain].key /usr/local/vesta/ssl/certificate.key
Finally, restart the VestaCP service by executing the following command.
/etc/init.d/vesta restart
Now open the web browser and browse to the VestaCP Admin Panel URL again. You will see that the certificate warning is gone and a valid SSL certificate is in place.
Please note that a Let’s Encrypt certificate is valid for 3 months, so you will have to copy the updated files accordingly or add symbolic links as “Mike Flowers” suggested in the comment section.
That’s it.
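The copy step above can be guarded with two checks before anything is overwritten. The script below is an added example, not part of the original post or of VestaCP: it confirms that the key belongs to the certificate and that the certificate is not about to expire, then installs the pair. The function names, the 7-day default and the example.test domains are assumptions, and the demo pair is constructed and self-signed.

```shell
#!/usr/bin/env bash
# Added example (not VestaCP code). Function names are hypothetical.

# pair_matches CERT KEY: succeed only if KEY's public half is the one in CERT.
pair_matches() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# valid_for_days CERT DAYS: succeed if CERT is still valid DAYS days from now.
valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# install_panel_cert CERT KEY [DEST] [MIN_DAYS]
# Returns 2 on a key mismatch, 3 on a certificate too close to expiry.
install_panel_cert() {
    local cert=$1 key=$2 dest=${3:-/usr/local/vesta/ssl} min_days=${4:-7} f
    pair_matches "$cert" "$key" || { echo "key does not match certificate" >&2; return 2; }
    valid_for_days "$cert" "$min_days" || { echo "certificate expires too soon" >&2; return 3; }
    # Back up with cp -p, not mv: the live files stay in place, so overwriting
    # them below keeps their existing owner and mode on the private key.
    for f in certificate.crt certificate.key; do
        if [ -e "$dest/$f" ]; then cp -p "$dest/$f" "$dest/${f}_old" || return 1; fi
    done
    cp "$cert" "$dest/certificate.crt" && cp "$key" "$dest/certificate.key"
}

# make_test_pair DIR NAME DAYS: constructed throwaway self-signed pair for demos.
make_test_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days "$3" -subj "/CN=$2" \
        -keyout "$1/ssl.$2.key" -out "$1/ssl.$2.crt" >/dev/null 2>&1
}

# demo: run the checks against a temp directory instead of the real panel path.
demo() {
    local tmp; tmp=$(mktemp -d) || return 1
    mkdir "$tmp/web" "$tmp/panel"
    make_test_pair "$tmp/web" panel.example.test 90 &&
    make_test_pair "$tmp/web" other.example.test 90 &&
    install_panel_cert "$tmp/web/ssl.panel.example.test.crt" \
        "$tmp/web/ssl.panel.example.test.key" "$tmp/panel" &&
    ! install_panel_cert "$tmp/web/ssl.panel.example.test.crt" \
        "$tmp/web/ssl.other.example.test.key" "$tmp/panel" 2>/dev/null
    local rc=$?; rm -rf "$tmp"; return $rc
}
```

On a real server, source the file and call install_panel_cert with the ssl.[Domain].crt and ssl.[Domain].key paths from /home/admin/conf/web, then restart the service as shown above.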
Great Fix. After copying the files also restart dovecot to fix IMAP & SMTP certificate errors
why not use symbolic links so that the cert does not need copying every 3 months? In Ubuntu
ln -s /home/admin/conf/web/domain.key /usr/local/vesta/ssl/certificate.key
ln -s /home/admin/conf/web/domain.crt /usr/local/vesta/ssl/certificate.crt
Yes, you can add symbolic links as well. I have modified the post with your suggestion. Thank you Mike
Easier and great solution.
I just saw this, and I find it much more effective.
After about 40 minutes, with this problem following Mike Flowers’ recommendation, I was able to solve everything.
First of all, colleague Mike Flowers has a small error, and it took me 40 minutes to find him, it took me a long time since he looked for all the ways to do it following him, because I thought I was the one with the problem. I put the commands in a different order, it didn’t work, I followed in the footsteps of Charitha Buddhika again and if it did work, then try the Mike Flowers recommendation again, and it didn’t work. Then I compared both file paths, and there I found the error, how always something small can make it not work.
hehe, it’s even funny now that I don’t think so.
Let’s restructure everything first.
For it to work, as fellow Mike Flowers says, we must make a small change.
1) You enter your server with your root user.
2) Then you run this command: “cd /usr/local/vesta/ssl”
2) Then follow this command “mv certificate.crt certificate.crt_old”
3) Then this command “mv certificate.key certificate.key_old”
Here we follow what Mike Flowers recommends, and for it to work you must put it as I have.
4) I wanted to restart the server, do it, just in case. Run this command “shutdown -r now”
5) ln -s /home/admin/conf/web/ssl.putyourdomainhere.com.crt /usr/local/vesta/ssl/certificate.crt
6) ln -s /home/admin/conf/web/ssl.putyourdomainhere.com.key /usr/local/vesta/ssl/certificate.key
In total many commands I could make Mike Flowers’ recommendation work perfectly, the error in his recommendation is something simple:
He recommends using:
ln -s /home/admin/conf/web/domain.key /usr/local/vesta/ssl/certificate.key
AND
ln -s /home/admin/conf/web/domain.crt /usr/local/vesta/ssl/certificate.crt
Finished.
(the error is that it is missing putting this “ssl.” in the file path)
The correct one is as follows:
ln -s /home/admin/conf/web/ssl.putyourdomain.com.key /usr/local/vesta/ssl/certificate.key
ln -s /home/admin/conf/web/ssl.putyourdomain.com.crt /usr/local/vesta/ssl/certificate.crt
And it works perfect, already in about 3 months, I’ll see if it works. On paper, yes it should work.
The list of commands that you use in chronological order is the following, for those who have more knowledge and do not want an explanation:
1) Login with your root user to your server
2) cd /usr/local/vesta/ssl
3) mv certificate.crt certificate.crt_old
4) mv certificate.key certificate.key_old
5) shutdown -r now
6) Login with your root user to your server
7) ln -s /home/admin/conf/web/ssl.puthereyourdomain.com.crt /usr/local/vesta/ssl/certificate.crt
8) ln -s /home/admin/conf/web/ssl.puthereyourdomain.com.key /usr/local/vesta/ssl/certificate.key
9) shutdown -r now
It works perfect.
An additional note, I use a translator to write all this, and the translator adds spaces to the text so if it doesn’t work as I describe it, check the spaces when executing any command in the console.
I already did it, remove the spaces, but some could have escaped me.
Thanks to Charitha Buddhika and Mike Flowers.
I’ve used this method until now (I don’t usually monitor the server) and it seems the key and crt do not work well even though I’ve renewed the SSL. Maybe it only happens on CentOS 7 and not on Ubuntu server. I’m not sure about it.
Thank you very much. This tutorial helped fix the SSL issue on my VestaCP admin panel. Quick question, though: do I have to do this every three months, or will the SSL certificate get renewed automatically if there is a cron job to reissue the SSL certificate every three months?
Renewal needs to be done manually by default, but you can configure it to renew automatically. Here is a good guide to integrate auto renew on the VestaCP Web Panel.
Good.
I prefer to fix easier, and do a clean install to avoid future problems.
Thanks!
How to fix the SSL error on the /mail and /phpmyadmin URLs too?
Please add the VestaCP HTTP to HTTPS Proxy Template and force the traffic to use HTTPS by editing WEB > Website Name > select “force-https” from the Proxy Template drop-down menu > Save. Please check the link to add the template: https://vestacp.com/docs/#how-to-force-https
Thanks a ton.. it helped..
Hello, thank you for this post, but something strange happened to me after installing SSL for my domain: suddenly I can’t log in with FTP users, I can only get in with the FTP user “root”. I checked the FTP users, I even created new FTP users via Vesta and still can’t connect. I tried both FTP and SFTP, everything.
I used Let’s Encrypt for SSL.
Sorry for the replies, but I checked the password file and it contains the FTP user, but it’s not connecting; it says 530 incorrect.
It looks like the FTP ports are not allowed through your firewall. Please allow inbound firewall ports 20,21,12000-12100 and try to connect. Thanks
Thanks, It’s working fine.
Thanks to you I was able to solve the problem.
I only did it to learn, but that of going every three months to renew the certificate does not go with me, what I will do is install everything again because I have installed several servers and in all the SSL certificate it works for me at the first time.
But excellent information.
In my case, I will install everything again so that it works automatically, as it is very simple to do, in about 30 minutes I can install everything again, and without problems.
My website is small, or more or less. hehe
PS: I have several servers, and in the others this problem never happened to me.
Thank you.
I took a look and it seems we can configure it in the web interface now. You can take a look in: Server – Configure – Vesta SSL.
Yes. This option is now available in the web interface for the Panel SSL and Webmail SSL, and the renewal is automated. Thanks
The official solution is to execute the following command.
/usr/local/vesta/bin/v-update-host-certificate admin your.website.tld
where “your.website.tld” is your default website where you have uploaded the certificate.