acme.sh and using it certs in webhosts

Discussion in 'General' started by Bocki, Apr 20, 2021.

  1. Bocki

    Bocki Member HowtoForge Supporter

    Hello everybody,
    some time ago I've set up a new machine with Debian 10 and ISPConfig 3.2.2 following the "perfect tutorial", using acme.sh for LE certificates. Due to some other work I came back to to this machine just now and see the following:
    acme.sh seems to work just fine and renews the certs lying in /root/.acme.sh/some.domain.de
    But the webhosts use the certs lying for example in /var/www/clients/client1/web1/ssl - and the files from /root/.acme.sh/some.domain.de do not get copied or linked there. Therefore the webhost uses outdated certs, causing the browser to show an error.
    What did I miss or what is not configured as it should?
    Could you give a short explanation, which scripts are called in which order to renew and distribute the LE certs? I didn't even find a cron job to start acme.sh regularly. Thanks!
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    What is the content of /var/www/clients/client1/web1/ssl ?
    Which cert is used?
     
  3. Bocki

    Bocki Member HowtoForge Supporter

    Code:
    [email protected]:~# ls -al .acme.sh/moodle.mydomain.schule/
    total 40
    drwxr-xr-x 3 root root 4096 Jan 12 07:34 .
    drwx------ 8 root root 4096 Jan 12 07:34 ..
    drwxr-xr-x 2 root root 4096 Jan 12 07:34 backup
    -rw-r--r-- 1 root root 1587 Mar 13 00:02 ca.cer
    -rw-r--r-- 1 root root 3799 Mar 13 00:02 fullchain.cer
    -rw-r--r-- 1 root root 2212 Mar 13 00:02 moodle.mydomain.schule.cer
    -rw-r--r-- 1 root root 1004 Mar 13 00:02 moodle.mydomain.schule.conf
    -rw-r--r-- 1 root root 1691 Mar 13 00:02 moodle.mydomain.schule.csr
    -rw-r--r-- 1 root root  218 Mar 13 00:02 moodle.mydomain.schule.csr.conf
    -rw-r--r-- 1 root root 3243 Mar 13 00:02 moodle.mydomain.schule.key
    Code:
    [email protected]:~# ls -al /var/www/clients/client1/web1/ssl
    total 16
    drwxr-xr-x  2 root root 4096 Jan 12 07:34 .
    drwxr-xr-x 11 root root 4096 Jan 13 00:04 ..
    -rw-r--r--  1 root root 3799 Jan 12 07:34 moodle.mydomain.schule-le.crt
    -rw-------  1 root root 3243 Jan 12 07:34 moodle.mydomain.schule-le.key
    Code:
    [email protected]:~# cat /etc/apache2/sites-enabled/100-moodle.mydomain.schule.vhost
    [...]
    <VirtualHost *:443>
    [...]
      <IfModule mod_ssl.c>
                    SSLEngine on
                    SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
                    # SSLCipherSuite          ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
                    SSLHonorCipherOrder     on
                    # <IfModule mod_headers.c>
                    # Header always add Strict-Transport-Security "max-age=15768000"
                    # </IfModule>
                    SSLCertificateFile /var/www/clients/client1/web1/ssl/moodle.mydomain.schule-le.crt
                    SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/moodle.mydomain.schule-le.key
                                      SSLUseStapling on
                      SSLStaplingResponderTimeout 5
                      SSLStaplingReturnResponderErrors off
                          </IfModule>
    [...]
    Thanks for the quick reply!
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Try the following:
    - Disable LE for the web
    - Go to the SSL tab and select "Delete certificate" as action, then save
    - Enable LE for the web
     
  5. Bocki

    Bocki Member HowtoForge Supporter

    Thanks, that helped!
    Can you give me some insights how the renewal process and the distribution of the certs work? Thanks!
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It is automatic. Monitor the log in case some error prevents renew.
    What distribution? Distribution to where?
     
  7. Steini86

    Steini86 Active Member

    Can you verify that in your /root/.acme.sh/domain.com/domain.com.conf file you have the lines
    Code:
    Le_RealKeyPath='/var/www/domain.com/ssl/domain.com-le.key'
    Le_RealFullChainPath='/var/www/domain.com/ssl/domain.com-le.crt'
    This should ensure that your certs are copied to this path after renewal.

    Untested
    If this is missing, you can tell acme.sh to copy the files now (and for the future) with
    Code:
    acme.sh --install-cert -d domain.com -d www.domaion.com -d aliasdomain.com --key-file /var/www/domain.com/ssl/domain.com-le-ecc.key --fullchain-file /var/www/domain.com/ssl/domain.com-le-ecc.crt --reloadcmd ""
     
  8. Bocki

    Bocki Member HowtoForge Supporter

    Sorry, I should have been more specific in asking: To be automatic somewhere has to be an automatically executed script. Where is it? I did not find any in /etc/cron.*. And which script takes care of copying from /root/.acme.sh/moodle.mydomain.schule/ to
    /var/www/clients/client1/web1/ssl after renewal?
    An answer to this last question gives the following comment now - it is acme.sh itself:

    Thanks, I'll have a look!
     

Share This Page