Acme.sh Back-up & Monitoring

Discussion in 'Installation/Configuration' started by Canefield, May 6, 2021.

  1. Canefield

    Canefield New Member

    Dear All,

    I've got two questions - I'm running ISPConfig v3.2.4:
    #1 How do I properly back-up the generated certificates processed by acme.sh?
    >>> From the home-dir '/root/.acme.sh/<domain-name>/' I can see/list the generated files: ca.cer, <domain-name>.conf, <domain-name>.csr, <domain-name>.csr-conf, <domain-name>.key and fullchain.cer and the associated certificates in '/var/www/clients/client*/web*/ssl/': <domain-name>-le.crt and <domain-name>-le.key, but how do I properly back-up all certificates that are in use? Can all requested active certificates be placed in a backup directory (in case of unforeseen disruptions) as well? Is this configurable in any acme conf-file? Also within the directory '/root/.acme.sh/<domain-name>/' I see a folder named 'backup', but nothing is in there. Can somebody tell me the use of it?

    #2 From the GUI of ISPConfig I can't track errors from LE?
    >>> When browsing to ISPConfig > Monitor > Logfiles > Let's Encrypt logs, I get in return 'Unable to read logfile'. I'm assuming this is because of the former certbot that is replaced by acme.sh, however both are generating logfiles. So how to tackle this?

    Cheers,
    Canefield
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Is that true? Then you must have both certbot and acme.sh installed on that host.
    ISPConfig gets confused if both are installed. There was a thread on how to move from certbot to acme.sh, it was a bit long.
     
  3. Canefield

    Canefield New Member

    No, not both are installed, only ACME. However, what I deduced from the conf-file (accounts.conf) is that it logs in '/var/log/ispconfig/acme.log', though 'LOG_LEVEL' is commented out ('#') by default, as the 'LOG_LEVEL'(s) are specified in the acme.sh file by default.

    So from this reasoning I assume that ACME also logs by default and that, with only ACME installed within ISPConfig, it should also be readable via the GUI.

    Do you have any intel on my first question too?
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I do not know what you mean by properly back-up. I run nightly file backups with BackupPC, I can restore the certificate files if needed from there. I do not know how to back up any more properly.
    Since my hosts are virtual hosts, I also run dump backup nightly so I could restore the complete host if need be.
     
    ahrasis likes this.
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    As Taleman indicated, a "proper" backup is one from which you can restore what you need, probably in a reasonable amount of time. As to what to back up, for acme.sh, in addition to /root/.acme.sh/ you might ensure your website backups include the ssl/ directory, which includes a copy of the latest certificate issued for the site (fwiw, certbot uses symlinks, acme.sh copies the files).
    A quick look at the source shows 4 files are looked for: $conf['ispconfig_log_dir'].'/acme.log' (which should be /var/log/ispconfig/acme.log), /root/.acme.sh/acme.sh.log, /usr/local/ispconfig/server/scripts/acme.sh.log and /var/log/letsencrypt/letsencrypt.log. The file timestamps are checked, and the most recently modified file is what should show up in the Monitor data. So, check what you have at all those locations.
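
Added example, not part of the post above and not ISPConfig or acme.sh code: one way to archive the two locations named there with owner-only permissions (the archive contains private keys) and to confirm it restores before trusting it. The destination /var/backups/acme, the `--run` switch and the function name are assumptions.

```shell
#!/bin/sh
# Added example. Source paths are the ones named in the thread; the
# destination /var/backups/acme and the --run switch are assumptions.
# Usage: sh acme-backup.sh --run [ACME_HOME] [WEB_ROOT] [DEST]

backup_acme() (                       # subshell body: umask and trap stay local
    set -eu
    acme_home="${1:-/root/.acme.sh}"  # acme.sh account data and per-domain dirs
    web_root="${2:-/var/www/clients}" # ISPConfig sites; each has an ssl/ copy
    dest="${3:-/var/backups/acme}"

    umask 077                         # archive holds private keys: owner-only
    mkdir -p "$dest"
    archive="$dest/acme-$(date +%Y%m%d-%H%M%S).tar.gz"

    # Build the member list relative to / (absolute input paths assumed).
    set -- "${acme_home#/}"
    for d in "$web_root"/client*/web*/ssl; do
        if [ -d "$d" ]; then set -- "$@" "${d#/}"; fi
    done
    tar -czf "$archive" -C / "$@"

    # Restore test: unpack into a scratch dir and compare with the live files.
    scratch="$(mktemp -d)"
    trap 'rm -rf "$scratch"' EXIT
    tar -xzf "$archive" -C "$scratch"
    for p in "$@"; do
        diff -r "/$p" "$scratch/$p" >/dev/null || {
            echo "restore check failed for /$p" >&2
            exit 1
        }
    done
    printf '%s\n' "$archive"          # path of the verified archive
)

if [ "${1:-}" = "--run" ]; then shift; backup_acme "$@"; fi
```

Run it outside the acme.sh cron window, since a renewal that rewrites files between the archive and compare steps makes the restore check fail.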
     
  6. Canefield

    Canefield New Member

    All, thanks for the intel. Does anybody have some answers in regards to my second (#2) question?
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Does /var/log/ispconfig/acme.log exist?
     
