Debian 11 and Let's Encrypt

Discussion in 'Installation/Configuration' started by iandoug, May 11, 2022.

  1. iandoug

    iandoug New Member

    Hi
    I see there are tons of messages regarding certs.
    I was following the Debian 10 set-up guide, and the acme.sh step failed.
    It was listed as "failing" for Debian this morning (and yesterday) but I see it is now "passing".
    https://github.com/acmesh-official/acme.sh
    I saw messages from the devs saying ISPConfig no longer uses acme.sh and to use the snap package instead.
    However, certbot's site only offers instructions for Debian 9, 10 and "Testing" branch. Which I assume became Debian 11.
    https://certbot.eff.org/instructions?ws=nginx&os=debiantesting
    Debian does offer certbot and python3-certbot-nginx
    Installing both seems to work. Server is test server on local LAN so cert is self-signed, have not tried this on live site yet.
    Are the devs still recommending the snap route, or are the Debian packages okay now?

    Thanks, Ian
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    For Debian 11, use ISPConfig autoinstaller. It supports Debian 11. I believe it uses acme.sh, since that is what ISPConfig recently started suggesting. If you want to use certbot, then the snap is the way to install it nowadays.
    If you install both certbot and acme.sh that should lead to problems. If your server is on local LAN and can not be reached from the public Internet, then Let's Encrypt can not be used. If you want to use LE, see https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case. You mix up certbot with acme.sh here. acme.sh is the recommended LE client for recent ISPConfig versions and gets used by the Debian 11 installer too: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/ acme.sh is a shell script and gets installed by ISPConfig automatically. Certbot is the one that's not recommended anymore. When you still use certbot, then it's better to install it via snap, but this applies mainly to updating existing systems only anyway as all new installs should use acme.sh.

    If it works at the moment, then you can keep it as it is. For ISPConfig, it does not matter how you install certbot.
     
  4. iandoug

    iandoug New Member

    Hi
    Am not using auto-installer as I don't want or need everything.
    I actually tried the acme.sh route a few days back, it did not work. That's when I noticed it was marked as "failing" on GitHub.
    The script seems to be "fixed" frequently, which worries me. Also the hundreds of open issues.

    Maybe I misunderstood this message:
    https://www.howtoforge.com/community/threads/migrating-from-certbot-to-acme-sh.88501/#post-432617
    I see Till recommends acme.sh.

    I am going to redo the server from scratch and will try acme.sh and report.

    Thanks, Ian
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You should use ISPConfig autoinstaller. You can prevent it from installing the parts you do not need, examine the options. It has --help to show currently implemented command line arguments.
     
    ahrasis and Th0m like this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I'd agree on your choice to redo from scratch, but do follow @Taleman's advice because it will really ease you a lot.

    As for why you should use acme.sh in installing new server and only use snap to update existing server that's already using certbot, I guess @till already explained it above.

    However, if you find ISPConfig installer help also gives choices as to what to install including LE client, please don't get confused but do read its note:

    As mentioned it is only to be used for migrating from an old server that uses certbot, so it is really not intended for new one.
     
  7. iandoug

    iandoug New Member

    My process has steps that are not in the Debian 10 guide and will probably not be in the auto-install.

    I will use acme.sh, the point is that when I tried it a few days ago it was broken. At their end. Auto-install would have had the same problem.

    Thanks for all the help and suggestions.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Please be aware that this might be the reason for the issue as well; your steps might just not be fully compatible with ISPConfig 3.2.

    While it's possible of course, it is very unlikely as we would have seen many more reports in such case, there are hundreds of ISPConfig installs a day. The more likely reason is that no LE cert could be issued due to other issues like problems with DNS setup of the hostname or similar, you should check acme.sh.log for details, also the Let's Encrypt error FAQ might help to identify the issue. https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
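
Taleman's point that a LAN-only server cannot get a Let's Encrypt certificate, and till's point that DNS problems with the hostname are the likely cause of failed issuance, can both be checked before the LE client is run. The following is an added example, not part of any post in this thread and not ISPConfig or acme.sh code; the function names `classify_ipv4` and `le_preflight` and the sample addresses are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Addresses below are constructed samples.

# classify_ipv4 ADDR -> public | private | loopback | link-local | cgnat | invalid
classify_ipv4() {
    addr=$1
    case $addr in                       # digits and single dots only
        ''|*[!0-9.]*|.*|*.|*..*) echo invalid; return ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || { echo invalid; return; }
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || { echo invalid; return; }
    done
    a=$1; b=$2
    if [ "$a" -eq 10 ] || { [ "$a" -eq 192 ] && [ "$b" -eq 168 ]; } ||
       { [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ]; }; then
        echo private                    # RFC 1918 LAN ranges
    elif [ "$a" -eq 127 ]; then
        echo loopback
    elif [ "$a" -eq 169 ] && [ "$b" -eq 254 ]; then
        echo link-local
    elif [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ]; then
        echo cgnat                      # RFC 6598 carrier-grade NAT
    else
        echo public
    fi
}

# le_preflight HOST ADDR... -> exit status 0 only if every address is public.
# Pass the A records that public DNS returns for HOST.
le_preflight() {
    host=$1; shift
    [ $# -gt 0 ] || { echo "$host: no A record"; return 1; }
    rc=0
    for ip in "$@"; do
        kind=$(classify_ipv4 "$ip")
        [ "$kind" = public ] || rc=1
        echo "$host -> $ip: $kind"
    done
    return $rc
}

le_preflight server1.example.com 192.168.1.20 || true   # LAN-only test box
le_preflight server1.example.com 203.0.113.10 || true   # outside the private ranges
```

A non-zero status means the validation servers have no route to at least one address the name points at, so the hostname's DNS record or the network placement needs fixing before the LE client is run again.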
     
  9. iandoug

    iandoug New Member

    When I did the install it (acme.sh step) failed before I got to ISPConfig. At the time the GitHub repo had Debian build as Failing.

    While I'm on the topic, during the set-ups you have to enter the same info several times to create certs. It would be nice if this could be entered once in a text file, and then just fed to the scripts. Probably not easily doable :-(.

    Cheers, Ian
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    You won't get asked these details when a working LE client (no matter if acme.sh or certbot) is installed, and continuing installation without meeting system requirements for ISPConfig will result in failures anyway, so you might. And it's so rare, maybe one of a few thousand users might see them at all, that it's not worth changing it. And you should not have continued at that point anyway as this meant installing ISPConfig without meeting its system requirements, having an LE client is not optional.
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Details? It looks more like the LE cannot obtain LE certs therefore trying to create self-signed certs which normally will request details if that's the problem you faced while trying the autoinstaller.

    You should however note that the ISPConfig autoinstaller only works on a clean OS install, and for LE failure, you should really check the FAQ as @till suggested above.
     
