Additional Domains To Existing ISPConfig LE SSL Certs

Discussion in 'Developers' Forum' started by ahrasis, Jan 11, 2021 at 2:41 AM.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Basically I am extending the discussion from a thread in here where I noted that there are various requests or questions to add domain(s) to the existing ISPConfig LE SSL certs, which can now be issued automatically during install or update.

    After a revisit, I think some modifications may be made to the following code to include them:
    Code:
    //* Get hostname from user entry or shell command */
    // $conf is the installer configuration array; a value of 'localhost' or '' falls back to the system FQDN
    if($conf['hostname'] !== 'localhost' && $conf['hostname'] !== '') {
        $hostname = $conf['hostname'];
    } else {
        $hostname = exec('hostname -f');
    }
    
    
    and
    Code:
    // acme.sh path: $acme, $renew_hook and $hook are set earlier in the installer
    if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
        // Webserver present: use the webroot challenge directory served by the ISPConfig interface
        exec("$acme --issue -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
    }
    // Else, it is not a webserver, so we use standalone
    else {
        exec("$acme --issue --standalone -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
    }
    
    
    and
    Code:
    // certbot path: $le_client, $certonly, $acme_version, $renew_hook and $hook are set earlier in the installer.
    // Note: the local part of the contact address was masked by the forum's e-mail obfuscation ('[email protected]').
    if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
        exec("$le_client $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email " . escapeshellarg('[email protected]' . $hostname) . " -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
    }
    // Else, it is not a webserver, so we use standalone
    else {
        exec("$le_client $certonly $acme_version --standalone --email " . escapeshellarg('[email protected]' . $hostname) . " -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
    }
    
    
    One of the issues to consider for this to work, I think, is that we need a file where the admin may list their additional domain names so they can be checked and added together upon issuing the LE SSL certs. For now I am thinking of additional_domain.hostname.master in our default /conf-custom/install/; however, that would not cover issuance during the install process, though it may work in the update process. I would suggest the server admin create the file in the /usr/local/temp folder before install to resolve this issue.

    Another issue is that acme.sh doesn't have any specific way to add a domain, as discussed in various LE community forums as well as on the acme.sh GitHub, except in two ways: one is to modify the server hostname FQDN acme.sh conf, insert the additional domains in Le_Alt='' and force renew, as mentioned here. The other is to remove the current certs and issue new ones with the additional domains. I haven't properly read and understood the way acme.sh in ISPConfig 3.2 appends them for websites, but I guess it works in about the same way, and the latter method is preferred.

    One other unconnected issue to note is the previous ISPConfig 3.1 non-hook / incron approach for the LE SSL certs, which I would suggest should be overcome by removing / deleting the existing certs if no prescribed hook exists in the server certs renewal conf, so a standard can be maintained instead of mixing the two hook and incron approaches. I will try to include this as well, if all are agreeable, that is.

    I will pause to get comments and feedback before attempting to rewrite the above code, as it feels better if this can be worked out.
     
  2. Bocki

    Bocki New Member HowtoForge Supporter

    Thanks for taking this up!
    But shouldn't there be an option in the web GUI to specify additional names instead of a file in the file system? And, doing so, could you add the possibility to specify the notification e-mail address for Let's Encrypt, too? Just my thoughts on that matter...
     
    ahrasis likes this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I personally prefer that the general structure is agreeable by all, whether in the GUI (which basically means it will be in the master database) or in the CLI, so it doesn't matter to me which approach is used so long as it is agreeable, because as I said, the coding part is not so hard, I think.

    I already went on researching how to properly add this via the CLI, but so far I still see /usr/local/temp/ for the pre-install location and /conf-custom/install/ for the pre-update location of the yet-to-be-properly-named file (maybe additional_server_fqdn.master?) as the best for now.

    I am not sure whether this is better added in the GUI compared to the CLI, but I personally do not prefer it to be added in there.

    About the email, I remember adding the email in the code, but it was removed when it was re-written and improvised for acme.sh (still there for certbot though, i.e. [email protected]), but I will look into adding it back together with this once the general structure is agreed, as writing it now will waste a lot of time if the general structure is not finalized and keeps changing.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was reading a lot on /etc/hosts in here and other articles / discussions and was thinking that this could be the right place for multiple FQDNs for a server.

    If there is no fixed IP for the server, the default will be 127.0.1.1, so the idea is to put one or more FQDNs of an ISPConfig server in the /etc/hosts file like this:
    Code:
    ispc.server.fixed.ip    server1.example.com    web.example.com    db1.example.com    mail.example.com   ns1.example.com    ftp.example.com
    
    Meaning, the code should get the ISPConfig server's fixed IP, then get all FQDNs on that IP's line, then add them to the request for issuance of the LE SSL certs for the server.

    Maybe this is the best, but I am not so sure, so I'll need more responses and feedback regarding this before pursuing further.
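As an added illustration of the two proposals in this thread (the additional-domains file from post 1 and the /etc/hosts line from post 4), here is example PHP that is not ISPConfig's own code: it collects the extra FQDNs from both sources, drops anything that is not a syntactically valid hostname so that no stray token from a file can reach the shell or the CA request, and builds the repeated `-d` arguments with `escapeshellarg()` the way the installer fragments above do for the single hostname. The file path, the `192.0.2.10` address, the hosts-file text and the `$acme`/`$renew_hook` values are assumptions constructed for the demo; the commands are only printed, not executed.

```php
<?php
// Added example, not ISPConfig code. Gathers extra server FQDNs from
// (1) a one-name-per-line file and (2) the /etc/hosts line of a fixed IP,
// then builds a safe "-d" argument list for acme.sh / certbot.

// (1) Plain-text list, one FQDN per line, '#' comments allowed. Missing file => no names.
function read_extra_domains_file(string $path): array {
    if (!is_readable($path)) {
        return [];
    }
    $names = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line !== '') {
            $names[] = $line;
        }
    }
    return $names;
}

// (2) All names on the hosts-file line(s) whose first field is $ip (first field is the address).
function read_hosts_aliases(string $hosts_content, string $ip): array {
    $names = [];
    foreach (preg_split('/\R/', $hosts_content) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));
        if ($line === '') {
            continue;
        }
        $fields = preg_split('/\s+/', $line);
        if (array_shift($fields) === $ip) {
            $names = array_merge($names, $fields);
        }
    }
    return $names;
}

// Accept only syntactically valid DNS hostnames (labels of 1-63 chars, letters/digits/hyphens,
// alphabetic TLD). Anything else is rejected before it can be passed on.
function is_valid_fqdn(string $name): bool {
    return strlen($name) <= 253
        && (bool) preg_match('/^([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i', $name);
}

// Merge primary hostname + extras, lower-case, dedupe, validate, and quote each one for the shell.
function build_domain_args(string $hostname, array $extra): string {
    $all = array_unique(array_map('strtolower', array_merge([$hostname], $extra)));
    $args = '';
    foreach ($all as $name) {
        if (!is_valid_fqdn($name)) {
            fwrite(STDERR, "skipping invalid name: $name\n");
            continue;
        }
        $args .= ' -d ' . escapeshellarg($name);
    }
    return $args;
}

// --- demo with constructed input (not read from a real server) ---
$hostname = 'server1.example.com';   // what the installer stores in $conf['hostname']

// Constructed hosts-file content; 192.0.2.10 is a documentation address, not a real server.
// The last token on that line is deliberately invalid and must be filtered out.
$hosts_sample = "127.0.0.1 localhost\n"
    . "192.0.2.10 server1.example.com web.example.com db1.example.com "
    . "mail.example.com ns1.example.com ftp.example.com not_a_host;id\n"
    . "192.0.2.11 other.example.org\n";

$extra = array_merge(
    // Assumed file name/location from the thread; absent in this demo, so it contributes nothing.
    read_extra_domains_file('/usr/local/temp/additional_domain.hostname.master'),
    read_hosts_aliases($hosts_sample, '192.0.2.10')
);
$domain_args = build_domain_args($hostname, $extra);

// Assumed values; in the installer $acme and $renew_hook are set elsewhere.
$acme = '/root/.acme.sh/acme.sh';
$renew_hook = '';

// Print the command that would replace the single "-d" in the acme.sh webroot branch above.
echo "$acme --issue -w /usr/local/ispconfig/interface/acme$domain_args $renew_hook\n";
```

Running it with `php` prints the acme.sh command with six quoted `-d` entries (server1, web, db1, mail, ns1, ftp) and reports `skipping invalid name: not_a_host;id` on stderr; the same `$domain_args` string can be spliced into the certbot and standalone branches in the same way. Whichever storage location is finally chosen (file, /etc/hosts or the installer's conf file), the validation step is the part worth keeping, since any of those sources is writable by the admin and ends up in a shell command and in a certificate request.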
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The installer already reads and writes some conf file where you can set some values; seems like that would be a good place to store a list of hostnames?

    Allowing to specify an email address is easy enough - have you tested what happens when that address is changed? I.e. in both certbot and acme.sh, can you update existing certificates, or do you have to issue new requests?
     
    ahrasis likes this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes, I will check deeper on it, as I am not sure about certain things:
    1. Whether it accommodates storing a list of hostnames?
    2. Whether it can be used during an install other than during an update?

    Yes, this actually is quite easy, except that in the code we did specify the email in certbot but not in acme.sh, which I think we should, and I already made an MR for that one alone.
     