acme.sh on new install

Discussion in 'Installation/Configuration' started by nhybgtvfr, Mar 8, 2021.

  1. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    hi,
    i'm installing ispconfig 3.2.2 on a new standalone server (ubuntu 20.04) for a client.
    i'm following the ubuntu 20.04 (apache) perfect server guide.

    everything i've seen in these forums suggested that acme.sh is installed by ispconfig if it doesn't find letsencrypt, so i skipped installing letsencrypt.
    i installed ispconfig. that was all fine, except it created a self-signed cert.
    i thought maybe it would just do that the first time, so i ran php -q update.php --force.
    chose reconfigure services, create a new certificate. it again went straight to creating a new self-signed cert.

    so i figured i'd install acme.sh manually. i ran:
    Code:
    git clone https://github.com/Neilpang/acme.sh.git
    cd ./acme.sh
    ./acme.sh --install
    source ~/.bashrc
    
    and ran a forced update again. this time it requested a new full cert.

    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for comptonhost.comptoncymru.com
    Using certificate path /etc/letsencrypt/live/comptonhost.comptoncymru.com
    Using apache for certificate validation
    Issuing certificate seems to have succeeded but /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. Falling back to self-signed.
    Generating RSA private key, 4096 bit long modulus (2 primes)
    .................................................................................................................................++++
    ...............................................................................................................................................................................................................................................................................................................................................................++++
    e is 65537 (0x010001)
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    
    i'm not sure why it's trying to use /etc/letsencrypt, that path doesn't exist, i thought it should be using ~/.acme.sh/<domain name>/
    or why it thinks /usr/local/ispconfig/interface/ssl/ispserver.crt seems to be missing. it isn't.

    acme.sh seems to have actually created the certificate ok:
    Code:
    [email protected]:~/.acme.sh/comptonhost.comptoncymru.com# ls -l
    total 32
    drwxr-xr-x 2 root root 4096 Mar  8 12:03 backup
    -rw-r--r-- 1 root root 1587 Mar  8 12:03 ca.cer
    -rw-r--r-- 1 root root 1874 Mar  8 12:03 comptonhost.comptoncymru.com.cer
    -rw-r--r-- 1 root root  926 Mar  8 12:03 comptonhost.comptoncymru.com.conf
    -rw-r--r-- 1 root root 1013 Mar  8 12:03 comptonhost.comptoncymru.com.csr
    -rw-r--r-- 1 root root  223 Mar  8 12:03 comptonhost.comptoncymru.com.csr.conf
    -rw-r--r-- 1 root root 1675 Mar  8 12:03 comptonhost.comptoncymru.com.key
    -rw-r--r-- 1 root root 3461 Mar  8 12:03 fullchain.cer
    
    but it doesn't seem to remove the self-signed cert, and symlink to the new cert:
    Code:
    [email protected]:/usr/local/ispconfig/interface/ssl# ls -l
    total 44
    -rwxr-x--- 1 root root   45 Mar  8 12:04 empty.dir
    -rwxr-x--- 1 root root 1939 Mar  8 12:04 ispserver.crt
    -rwxr-x--- 1 root root 1939 Mar  8 11:57 ispserver.crt-20210308120348.bak
    -rwxr-x--- 1 root root 1651 Mar  8 12:04 ispserver.csr
    -rwxr-x--- 1 root root 3247 Mar  8 12:04 ispserver.key
    -rwxr-x--- 1 root root 3247 Mar  8 11:57 ispserver.key-20210308120348.bak
    -rwxr-x--- 1 root root 3311 Mar  8 12:04 ispserver.key.secure
    -rwxr-x--- 1 root root 5186 Mar  8 12:04 ispserver.pem
    -rwxr-x--- 1 root root 5186 Mar  8 11:57 ispserver.pem-20210308120348.bak
    
    should i be doing that part manually? am i missing something obvious or do i have a problem somewhere?

    i could just remove all the acme.sh stuff and go back to using letsencrypt, which i've never had a problem with, but if the goal is to switch everything in ispconfig to acme.sh and drop letsencrypt, i might as well get problems like this resolved now.

    *just to be clear, this is just to secure the interface and services, i haven't attempted to create and secure any client website at this point.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This is a bug in 3.2.2, which will be fixed in 3.2.3. Undo the acme.sh install steps so the default acme.sh install is used, and then run a force update like this:
    Code:
    ispconfig_update.sh --force
    By the way, the difference is between acme.sh and certbot - they both create a Let's Encrypt cert for you :)
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  4. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok, so exactly when/how does acme.sh get installed then?
    i've done the ~/acme.sh/acme.sh --uninstall so it should be back to how it was before.
    i tried ispconfig_update.sh --force, that said no valid acme client (acme or certbot)

    so i remove the test client site (created after i opened this thread, and which created a cert for itself without problems).
    dropped the dbispconfig database, and ran rm -rf /usr/local/ispconfig

    i then re-installed a fresh copy of ispconfig (from the 3.2.2.tar.gz download) and attempted to secure the interface. it created a self-signed cert.
    i've now run ispconfig_update.sh --force against the new ispconfig install, and still i get:

    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for comptonhost.comptoncymru.com
    Using certificate path /etc/letsencrypt/live/comptonhost.comptoncymru.com
    Using apache for certificate validation
    Did not find any valid acme client (acme.sh or certbot)
    
    note i'm selecting the stable version when running ispconfig_update.sh --force, should i be using nightly or git-develop instead?
     
    Last edited: Mar 8, 2021
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    You must install acme.sh or certbot before you install ISPConfig 3.2.2, acme.sh is only installed automatically later if there is no LE client, but not at install time.

    So the steps to fix your system are:

    1) Install acme.sh with the command:

    curl https://get.acme.sh | sh -s

    2) then run:

    ispconfig_update.sh --force

    and choose to recreate the SSL cert to get a new LE cert.
     
    nhybgtvfr and Th0m like this.
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It's odd that you would have a /etc/letsencrypt/ directory if this really is a new server setup, without certbot being installed. In addition to the preceding, you might also check all install paths for certbot (i.e. packages and install via certbot-auto) and purge all that, and rename /etc/letsencrypt/ before re-running the installer.
     
    ahrasis likes this.
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, you can use the stable version - creating the cert when updating should work.
    The installer can show the wrong path, so I'm not sure if the directory really exists - you should check that.
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Agreed.
    I think not.
     
  9. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You think but I know ;) It shows the wrong path when installing in 3.2.2 if you are using acme.sh.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Last edited: Mar 9, 2021
  11. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok. just to confirm, certbot was not installed. in any way whatsoever. and the /etc/letsencrypt folder definitely did not exist on the server.

    i was under the impression from previous comments on other threads here that acme.sh didn't need to be manually installed, ispconfig would add it if it didn't find any letsencrypt client installed.

    it appeared originally that the only issue was with securing the ispconfig interface, once acme.sh was installed, it would create the cert, but not remove the self-signed cert, or symlink to the letsencrypt cert. a test site was created and successfully secured.

    although it did create the actual cert files in /root/.acme.sh/<domain name> and a copy of the files were in /var/www/<domain name>/ssl/
    is this correct? it's supposed to actually have a full copy of the files there and not symlinks to the files in ~/root/.acme.sh ?

    anyway, i had to go out for a couple of hours yesterday and after getting back, it all got strange. i couldn't ssh to the server from my main pc, but could from my laptop. (same ssh key, same public ip, and it definitely wasn't anything to do with fail2ban or ufw) and i saw messages about some issues at digitalocean, including with firewalls, and logins / console connections etc. so i couldn't do anything further.

    will try it again today.
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Me too... :(
    I think so since last time I checked, with acme.sh ISPConfig does install certs to the ssl folder, while with certbot ISPConfig merely does a symlink to it.
     
  13. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    This should happen when the installer tries to create a cert and no client is in place, so it should not be necessary, I thought...
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    I thought the same, but in fact, it happens only for websites in 3.2.2 and not at install time, this should be fixed in nightly and 3.2.3 though.
     
  15. nhybgtvfr

    nhybgtvfr Well-Known Member HowtoForge Supporter

    ok, after some fun and games with connectivity yesterday, that i thought was digitalocean issues continued this morning... and turned out to be malwarebytes interfering.. don't know why it has to get involved in blocking an outbound ssh connection :mad:
    i decided to start clean and rebuild the vps. i followed the perfect server ubuntu (apache) guide, skipped certbot, and installed acme.sh using the command shown by @till in his post above. then installed ispconfig 3.2.2
    it created an acme.sh cert, didn't validate it, and failed back to a self-signed cert.
    then i ran ispconfig_update.sh --force, which isn't exactly clear if it created a new cert, or re-used the existing letsencrypt cert:
    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    Checking / creating certificate for comptonhost.comptoncymru.com
    Using certificate path /root/.acme.sh/comptonhost.comptoncymru.com
    Using apache for certificate validation
    
    but it did validate ok, and it did replace the self-signed cert in /usr/local/ispconfig/interface/ssl and symlink the pure-ftpd certs in /etc/ssl/private to the ispserver files.

    so all working flawlessly this time, i've even created a test site and secured that ok, no problems anywhere. :D

    thanks everyone.
     
    till and Th0m like this.
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    No, it does (or it should):
    PHP:
    if((!$acme || !is_executable($acme)) && (!$le_client || !is_executable($le_client))) {
        $success = $this->install_acme();
        if(!$success) {
            swriteln('Failed installing acme.sh. Will not be able to issue certificate during install.');
        } else {
            $acme = explode("\n", shell_exec('which /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh'));
            $acme = reset($acme);
            if($acme && is_executable($acme)) {
                swriteln('Installed acme.sh and using it for certificate creation during install.');
            } else {
                swriteln('Failed installing acme.sh. Will not be able to issue certificate during install.');
            }
        }
    }
    This is from the installer_base script. The only reason it currently fails is the issue that is already resolved in 3.2.3, I think.
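    As an added example (not ISPConfig's own code, and not posted by anyone in this thread), the following POSIX shell script reproduces the client probe from the installer snippet above and adds the two checks a practitioner wants when the installer falls back to a self-signed cert, as in #1 and #5: whether ispserver.crt is self-signed (issuer equals subject) and whether the files in an ssl directory are copies or symlinks, the question raised in #11 and #12. It assumes openssl is installed; the certificate it generates is a constructed throwaway in a temp directory, not a real server cert.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Assumes openssl is on PATH.

# Probe the same acme.sh locations the installer snippet uses, then certbot.
# Always returns 0 so callers can capture the result under "set -e".
find_acme_client() {
    for c in /usr/local/ispconfig/server/scripts/acme.sh /root/.acme.sh/acme.sh; do
        if [ -x "$c" ]; then echo "acme.sh:$c"; return 0; fi
    done
    for c in certbot letsencrypt; do
        p=$(command -v "$c" 2>/dev/null) && { echo "certbot:$p"; return 0; }
    done
    echo "none"
    return 0
}

# Print "self-signed" when the certificate's issuer equals its subject,
# "ca-issued" otherwise (a Let's Encrypt cert has an R3/ISRG issuer).
classify_cert() {
    crt="$1"
    subj=$(openssl x509 -in "$crt" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$crt" -noout -issuer | sed 's/^issuer=//')
    if [ "$subj" = "$iss" ]; then echo "self-signed"; else echo "ca-issued"; fi
}

# For each entry in an ssl directory, report "symlink -> target" or "regular",
# so you can tell acme.sh-style copies from certbot-style links at a glance.
describe_ssl_dir() {
    dir="$1"
    for f in "$dir"/*; do
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "$(basename "$f"): symlink -> $(readlink "$f")"
        else
            echo "$(basename "$f"): regular"
        fi
    done
}

# Constructed sample: a throwaway self-signed cert in a temp dir, mimicking
# the layout of /usr/local/ispconfig/interface/ssl. Prints the cert path.
make_selfsigned() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.invalid" \
        -keyout "$dir/ispserver.key" -out "$dir/ispserver.crt" >/dev/null 2>&1
    ln -s "$dir/ispserver.crt" "$dir/linked.crt"
    echo "$dir/ispserver.crt"
}

# Stand-alone usage: run the three checks against the constructed sample.
if [ "${1:-}" = "demo" ]; then
    crt=$(make_selfsigned)
    echo "client: $(find_acme_client)"
    echo "cert:   $(classify_cert "$crt")"
    describe_ssl_dir "$(dirname "$crt")"
fi
```

Run it with `sh check_ssl.sh demo` to see the sample output; on a real server, point `classify_cert` at /usr/local/ispconfig/interface/ssl/ispserver.crt and `describe_ssl_dir` at /var/www/<domain>/ssl to confirm which kind of file the installer actually left behind.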
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    The code to download acme.sh automatically is in develop branch and not in 3.2.2. So it is part of the current nightly build and it will be part of the 3.2.3 release. Until 3.2.3 gets released, the fix is to follow the procedure I've posted in #5 of this thread.
     
    ahrasis and nhybgtvfr like this.
  18. calbasi

    calbasi Member

    Trying this, but I get another error and a self-signed cert:

     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    Check dns records of the moodle3 subdomain and ensure it points to your server with a DNS A-Record and that it's reachable from the internet and check that you do not block port 80 so that the system can be reached on port 80 from the internet.
     
  20. calbasi

    calbasi Member

    Hi, moodle3.calbasi.net is reachable (you can do a ping to test it). In fact, this server has been running for several years...
    It has several websites hosted, and for example you can access:
    http://anticimex.campustecnic.com:80
    So I guess it's not a problem with websites hosted on it.
    But I wonder, do I need to host a http://moodle3.calbasi.net website? I can access the ISPConfig website, but it is done at port 8080.
    In fact, when trying to access http://moodle3.calbasi.net:80, a successful apache default page is shown.
     