Hi, I see there are tons of messages regarding certs. I was following the Debian 10 set-up guide, and the acme.sh step failed. It was listed as "failing" for Debian this morning (and yesterday) but I see it is now "passing". https://github.com/acmesh-official/acme.sh I saw messages from the devs saying ISPConfig no longer uses acme.sh and to use the snap package instead. However, certbot's site only offers instructions for Debian 9, 10 and the "Testing" branch, which I assume became Debian 11. https://certbot.eff.org/instructions?ws=nginx&os=debiantesting Debian does offer certbot and python3-certbot-nginx. Installing both seems to work. Server is a test server on local LAN so the cert is self-signed; have not tried this on a live site yet. Are the devs still recommending the snap route, or are the Debian packages okay now? Thanks, Ian
For Debian 11, use the ISPConfig autoinstaller. It supports Debian 11. I believe it uses acme.sh, since that is what ISPConfig recently started suggesting. If you want to use certbot, then the snap is the way to install it nowadays. If you install both certbot and acme.sh that should lead to problems. If your server is on local LAN and cannot be reached from the public Internet, then Let's Encrypt cannot be used. If you want to use LE, see https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
That's not the case. You mix up certbot with acme.sh here. acme.sh is the recommended LE client for recent ISPConfig versions and gets used by the Debian 11 installer too: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/ acme.sh is a shell script and gets installed by ISPConfig automatically. Certbot is the one that's not recommended anymore. If you still use certbot, then it's better to install it via snap, but this applies mainly to updating existing systems anyway, as all new installs should use acme.sh. If it works at the moment, then you can keep it as it is. For ISPConfig, it does not matter how you install certbot.
Hi, am not using the auto-installer as I don't want or need everything. I actually tried the acme.sh route a few days back, it did not work. That's when I noticed it was marked as "failing" on GitHub. The script seems to be "fixed" frequently, which worries me. Also the hundreds of open issues. Maybe I misunderstood this message: https://www.howtoforge.com/community/threads/migrating-from-certbot-to-acme-sh.88501/#post-432617 I see Till recommends acme.sh. I am going to redo the server from scratch and will try acme.sh and report. Thanks, Ian
You should use ISPConfig autoinstaller. You can prevent it from installing the parts you do not need, examine the options. It has --help to show currently implemented command line arguments.
I'd agree with your choice to redo from scratch, but do follow @Taleman's advice because it will really ease things a lot for you. As for why you should use acme.sh when installing a new server and only use snap to update an existing server that's already using certbot, I guess @till already explained it above. However, if you find the ISPConfig installer help also gives choices as to what to install, including the LE client, please don't get confused but do read its note: as mentioned, it is only to be used for migrating from an old server that uses certbot, so it is really not intended for a new one.
My process has steps that are not in the Debian 10 guide and will probably not be in the auto-install. I will use acme.sh, the point is that when I tried it a few days ago it was broken. At their end. Auto-install would have had the same problem. Thanks for all the help and suggestions.
Please be aware that this might be the reason for the issue as well; your steps might just not be fully compatible with ISPConfig 3.2. While it's possible of course, it is very unlikely, as we would have seen many more reports in such a case; there are hundreds of ISPConfig installs a day. The more likely reason is that no LE cert could be issued due to other issues like problems with the DNS setup of the hostname or similar. You should check acme.sh.log for details; the Let's Encrypt error FAQ might also help to identify the issue. https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
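Added example, not part of any post in this thread: a pre-flight check for the two causes named above (a hostname with a DNS problem, or a server that only has a LAN address and so cannot be reached by Let's Encrypt). The function names and the sample hostname are assumptions made for this sketch; note that `resolve` shows the local resolver's view, including `/etc/hosts`, which may differ from what public DNS returns.

```python
import ipaddress
import socket


def resolve(hostname):
    """Addresses the local resolver returns (this includes /etc/hosts entries)."""
    infos = socket.getaddrinfo(hostname, 80, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def classify(address):
    """Return a problem description for one address, or None if it is public."""
    ip = ipaddress.ip_address(address.split("%")[0])  # strip any IPv6 zone id
    if ip.is_loopback:
        return "loopback (look for the hostname in /etc/hosts)"
    if ip.is_link_local:
        return "link-local address"
    if ip.is_private:
        return "private LAN address"
    if not ip.is_global:
        return "not globally routable"
    return None


def le_preflight(hostname, resolver=resolve):
    """Return (ok, problems); ok means every resolved address is public."""
    try:
        addresses = resolver(hostname)
    except OSError as exc:  # socket.gaierror is a subclass of OSError
        return False, [f"{hostname}: does not resolve ({exc})"]
    if not addresses:
        return False, [f"{hostname}: no addresses returned"]
    problems = []
    for address in addresses:
        reason = classify(address)
        if reason:
            problems.append(f"{address}: {reason}")
    return not problems, problems


if __name__ == "__main__":
    # Constructed sample data: a LAN-only test server like the one in the thread.
    sample = {"server1.example.test": ["192.168.1.10"]}
    ok, problems = le_preflight("server1.example.test", lambda h: sample[h])
    print("ready for Let's Encrypt" if ok else "\n".join(problems))
```

Run it on the server before the LE client step; a passing result only rules out these address problems, so acme.sh.log remains the place to look for the actual error.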
When I did the install it (acme.sh step) failed before I got to ISPConfig. At the time the GitHub repo had the Debian build as Failing. While I'm on the topic, during the set-ups you have to enter the same info several times to create certs. It would be nice if this could be entered once in a text file, and then just fed to the scripts. Probably not easily doable :-(. Cheers, Ian
You won't get asked these details when a working LE client (no matter if acme.sh or certbot) is installed, and continuing installation without meeting system requirements for ISPConfig will result in failures anyway, so you might. And it's so rare, maybe one of a few thousand users might see them at all, that it's not worth changing it. And you should not have continued at that point anyway as this meant installing ISPConfig without meeting its system requirements, having an LE client is not optional.
Details? It looks more like the LE cannot obtain LE certs, therefore trying to create self-signed certs, which normally will request details, if that's the problem you faced while trying the autoinstaller. You should however note that the ISPConfig autoinstaller only works on a clean OS install, and for LE failure, you should really check the FAQ as @till suggested above.