Posts by kess

    Hi fulltilt ,

    thx for your reply.

    With that solution, nothing has been changed in i-MSCP files or Database, everything is original.

    Regarding snapd, it runs in its own sandbox... everything you have on your systems is included in /snap directory.

    Problems ? I can't see... but if you don't like it in 1 or 2 years, just uninstall it using apt or apt-get and everything will be exactly as before...

    certbot-auto has become unsupported, this is the only official method for managing LE Certs (Certbot documentation on

    I didn't test using the Debian Packaged Certbot in order to see if it works... I don't know if the new chains are managed or not. I'm sure the --preferred-chain option will not work on version 0.28.0 (Debian 9 packaged version).

    It's up to you...

    Bye Kess

    Hello guys,

    there you can find the solution I've adopted in order to get the systems working with every type of certificate (self signed, from CA or Let's Encrypt)

    I didn't change absolutely nothing in the code of i-MSCP, everything is original.

    The following has been tested ONLY on Debian Stretch x64, with a standard i-MSCP installation. No strange things.

    1. Integrate the new LE CAs in your system:

    1. mkdir /usr/share/ca-certificates/letsencrypt
    2. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrgrootx1.crt
    3. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x2.crt
    4. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x1-cross-signed.crt
    5. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3.crt
    6. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3-cross-signed.crt
    7. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r4.crt
    8. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-e2.crt
    9. dpkg-reconfigure ca-certificates

    Here a Dialog appears.

    - In the first dialog choose "yes"

    - In the second select your new 7 CA certificates to import and then click OK

    The result should be as follows:

    1. Updating certificates in /etc/ssl/certs...
    2. 7 added, 0 removed; done.
    3. Running hooks in /etc/ca-certificates/update.d...
    4. done.

    2. Remove any previous certbot versions:

    1. apt remove certbot

    3. Install the new and supported certbot version

    1. apt install snapd
    2. snap install core && snap refresh core
    3. snap install --classic certbot

    4. Optional, but recommended, edit the file /var/www/imscp/gui/plugins/LetsEncrypt/config.php and update the section as follows:

    1. 'certbot_create_options' => [
    2. '--preferred-chain ISRG Root X1'
    3. ],

    Save and close;

    5. Remove previous symlinks that could still exist, we'll fix them in next steps:

    1. rm /usr/bin/certbot
    2. rm /usr/local/sbin/certbot

    6. HIT THE "UPDATE PLUGINS" BUTTON here: https://your.server.panel:1234/admin/settings_plugins.php

    If everything goes well, the LE Plugin will reconfigure.

    7. Now it's time to fix the symlinks:

    1. rm /usr/bin/certbot
    2. ln -s /snap/bin/certbot /usr/bin/certbot
    3. rm /usr/local/sbin/certbot
    4. ln -s /usr/bin/certbot /usr/local/sbin/certbot

    8. Now a little check:

    1. which certbot
    2. Result:
    3. - /usr/local/sbin/certbot
    4. which -a certbot
    5. Result:
    6. - /usr/local/sbin/certbot
    7. - /usr/bin/certbot
    8. - /snap/bin/certbot

    9. And the final check:

    1. /usr/local/sbin/certbot --version
    2. Result:
    3. certbot 1.19.0

    Now your system will have:

    - The new CA from LE that it didn't have before

    - The new supported version of certbot that knows the new chains

    I tested the procedure on more boxes and it works for certificates creation and for certificates revocations. I don't know if it works for renewals. Please test it and kindly report back.

    Hope it helps,

    bye Kess.

    memcache shouldnt be installed using apt-get, you should check if it's present as in your /opt/...... directory.

    If not install it using pecl.

    Btw, try to use sury repository. It has everything built for you, ready to be installed using apt-get and used !