Get SSL certificate for ISPConfig admin from LetsEncrypt?

Discussion in 'Installation/Configuration' started by zkvvoob, May 22, 2016.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

  2. kabieror

    kabieror New Member

    Actually, I did read this page, but apparently not far enough. There was a problem with the Let's Encrypt installation, but I could only figure that out by inserting some debug output in the php scripts of ISPConfig. The warning "Let's Encrypt SSL Cert for: <domain> could not be issued." is not helpful. Repeating the install procedure for Let's Encrypt solved the problem.
    So sorry for the unnecessary post and thanks for your time.
     
  3. Tomas Benda

    Tomas Benda New Member

    Thank you a lot. It works well without any issue and as expected. You saved me a lot of time!
     
  4. quadraticone

    quadraticone New Member

    I can confirm that this works just as well on Ubuntu 16.04. Thank you very much! Let's say on server1.example.com, this method will not work for plain example.com, correct? What if I am hosting several sites on one IP address, do I need a unique public IP address for each site that requires a Let's Encrypt SSL cert like the official guide states? If so, that is fine, but my VPS uses floating point IP addresses, so I would have to figure out a lot more and do some more reading on how to make ISPConfig recognize the new public IP. I guess that's part of the fun of learning :D
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    That depends on the client, not the server. You don't need a separate IP for each website if you use a recent web browser which supports SNI. A separate IP is only required for older web browsers.
     
    quadraticone likes this.
  6. quadraticone

    quadraticone New Member

    Excellent. Thank you till. I was having serious problems with trying to set up multiple IPs on my VPS and getting the domains to resolve correctly. I'm positive this is because of my terrible understanding of making DNS do what I want it to do. Anyway, thanks for the hard work!
     
  7. razor7

    razor7 Member

    Till, can you add to that post that in order to be able to use Let's Encrypt, the site must be reachable from the internet?

    Today I've got this issue, and the Let's Encrypt check got unchecked all the time, then I remembered that if the site is not reachable from the internet, LE fails and then ISPC unchecks that option...

    Thanks!
     
  8. KurtHamm

    KurtHamm New Member

    Great Job Jesse! This worked great for me. I worked on this for hours and couldn't figure it out. Ran your script, and poof.
     
  9. Ovidiu

    Ovidiu Active Member

    Wondering about this, as the ISPCFG3 manual and the Perfect Server guides advise to download and use certbot while there actually is a jessie-backports package.
     
  10. Ovidiu

    Ovidiu Active Member

    I'm also on ISPCFG 3.1 and Debian 8 - do you happen to have an update for using certbot instead of letsencrypt?
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    I'm using certbot from jessie-backports now, without any problems. I originally installed letsencrypt from source manually (early on in pre-3.1) and later switched to the package, and all /etc/letsencrypt/ files were perfectly compatible/functional with both (at the same time, even). I don't have the exact commands handy, but it's about as simple as 'rm -rf /root/.local/; apt-get -t jessie-backports install certbot'.
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Just replace `/root/.local/share/letsencrypt/bin/letsencrypt` with `certbot` I believe, I think the syntax is compatible:
    Code:
    # request the certificate for the panel hostname via the webroot authenticator
    certbot auth --text --agree-tos --authenticator webroot \
      --server https://acme-v01.api.letsencrypt.org/directory \
      --rsa-key-size 4096 --email [email protected]`hostname -d` \
      --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme

    # move the current panel certificate files out of the way, timestamped
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do
      if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi
    done

    # point ISPConfig at the Let's Encrypt private key and full chain
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt

    service apache2 restart

     
    soho likes this.
  13. Ovidiu

    Ovidiu Active Member

    Here is some feedback:

    it seems the Debian version of certbot is older than the one I had manually downloaded as upon execution of the one installed from the jessie-backports I see this warning:
    Code:
    2016-11-02 13:57:21,288:WARNING:certbot.storage:Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/domain.tld.conf with version 0.8.1 of Certbot. This might not work.
    Also, trying your little script above I have the problem that the authentication to
    http://myispcfg.tld/.well-known/acme-challenge/9jwyG1gYZrkE6GOlDmpP3ITZubCjqfHc10h22eFJJjU doesn't work as I am already using a STARTSSL certificate (which I am trying to replace with the letsencrypt one) and the link above redirects to https so it never works.

    I'm unsure how to allow http connections and how to handle the renewals as I like the current behavior where http is redirected to https.

    Hope I explained that properly and hoping to get some pointers.

    Also, manually installing certbot seems OK but running ./certbot-auto I see: http://take.ms/CmjHM
     
    Last edited: Nov 2, 2016
  14. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    http->https redirects need to make an exception for /.well-known/acme-challenge/ or letsencrypt won't work currently. (There's a feature request for dns-based authentication.) As an example, if you enable http->https redirect for a website, ispconfig adds this:
    Code:
    RewriteEngine on
    RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
    RewriteRule ^ - [END]
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
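    The rewrite rules above are what ISPConfig writes for a hosted site; for the panel host itself the quickest way to tell whether the http->https redirect is what breaks the challenge is to do what the CA does: put a probe file in the challenge directory and fetch it over plain HTTP without following redirects. The script below is an added example written for this thread, not ISPConfig, certbot or Let's Encrypt code; it assumes curl is installed, and the host and webroot default to `hostname -f` and the `/usr/local/ispconfig/interface/acme` path from Jesse's earlier post (both can be passed as arguments). The verdict logic is kept in its own function so it can be checked on recorded values without a network.

    ```shell
    #!/bin/sh
    # Pre-flight check for the HTTP-01 challenge path of the ISPConfig panel host.
    # Added example for this thread, not ISPConfig, certbot or Let's Encrypt code.
    # Assumptions (not from the thread): curl is installed; host and webroot default
    # to `hostname -f` and the webroot Jesse used, and can be overridden as arguments.

    set -u

    # Turn a curl status code, redirect target and body-match flag into a verdict.
    # Kept free of network access so it can be exercised on recorded values.
    diagnose_probe() {
        code=$1
        redirect_url=$2
        body_ok=${3:-yes}
        case "$code" in
            200)
                if [ "$body_ok" = yes ]; then
                    echo "ok: challenge path served over plain HTTP"
                else
                    echo "wrong-body: HTTP 200 but not our token; the vhost serves a different webroot (catch-all page?)"
                fi ;;
            301|302|307|308)
                echo "redirect: $code to ${redirect_url:-unknown}; exempt /.well-known/acme-challenge/ from the http->https rule" ;;
            404)
                echo "not-found: port 80 answers, but from a webroot other than the one given" ;;
            000)
                echo "unreachable: no HTTP answer on port 80 (DNS, firewall, or nothing listening)" ;;
            *)
                echo "unexpected: HTTP $code" ;;
        esac
    }

    # Drop a token file where the ACME client would, fetch it over plain HTTP
    # without following redirects (as the CA does), and report what came back.
    probe_acme_path() {
        host=${1:-$(hostname -f)}
        webroot=${2:-/usr/local/ispconfig/interface/acme}
        dir="$webroot/.well-known/acme-challenge"
        token="probe-$(date +%s)-$$"
        body=$(mktemp)

        mkdir -p "$dir"
        printf '%s' "$token" > "$dir/$token"
        # %{redirect_url} is empty when the answer was not a redirect.
        result=$(curl -s -o "$body" -w '%{http_code} %{redirect_url}' \
            "http://$host/.well-known/acme-challenge/$token")
        code=${result%% *}
        redirect_url=${result#* }
        body_ok=no
        [ "$(cat "$body")" = "$token" ] && body_ok=yes

        rm -f "$dir/$token" "$body"
        diagnose_probe "$code" "$redirect_url" "$body_ok"
    }

    # Usage: sh acme-probe.sh --probe [host] [webroot]
    if [ "${1:-}" = --probe ]; then
        probe_acme_path "${2:-}" "${3:-}"
    fi
    ```

    A `redirect:` verdict is exactly Ovidiu's symptom; `wrong-body:` is the quieter failure where port 80 answers 200 from some other vhost's catch-all page, which the CA also rejects.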
    
     
  15. Ovidiu

    Ovidiu Active Member

    That sounds great so I won't have to worry about sites managed by ISPCFG3 but we are talking about the ISPCFG3 admin panel itself here and I have no idea where this HTTP/HTTPS setting is located. I assume the corresponding vhost file would be /etc/nginx/sites-enabled/000-ispconfig.vhost and this vhost shows it is only listening on port 8080.
    So if I access the link I gave you above, it reverts from http to https and then loads the first website with a letsencrypt certificate.

    Any ideas about this?
    Also, manually installing certbot seems OK but running ./certbot-auto I see: http://take.ms/CmjHM
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    I don't have an nginx setup to refer to, but try enabling the http->https redirect for a site and see what shows up in your vhosts file, then change your port 8080 http->https redirect accordingly.
     
  17. Ovidiu

    Ovidiu Active Member

    Thanks, I'll give that a try and reply here with my findings, but what about all the others in this thread? You're all running an up-to-date ISPCFG3 installation, right? Does nobody else have this problem? I didn't touch any redirections for the control panel so I assume this was the default behaviour.
     
  18. sjau

    sjau Local Meanie Moderator

    I switched meanwhile from certbot to acme.sh ( https://github.com/Neilpang/acme.sh ) for the single reason that it's just a little shell script with no dependencies but wget or curl (and git). Also it has options to provide DNS-01 auth (still using ISPC 3.0.x).

    1. Login as root on your server

    2. Go to a dir where you want to clone to (I like /usr/local/src) and clone the repo:
    Code:
    git clone https://github.com/Neilpang/acme.sh.git
    
    3. Go into the dir and install it. There's a simple install command but I'd prefer to provide a few more options:
    Code:
    cd acme.sh
    ./acme.sh --install \
    --home /usr/local/acme.sh \
    --certhome /etc/acme.sh \
    --accountemail "[email protected]"
    
    --home is where the customized install of the acme.sh script will go.
    --certhome is where acme.sh saves the certs to
    --accountemail is the email used to register the account to LE
    There are more options, check them out here: https://github.com/Neilpang/acme.sh/wiki/How-to-install#4-advanced-installation

    The installation performs 3 actions:
    a. create and copy the acme.sh into the given home dir
    b. create alias for acme.sh
    c. create an everyday cron to check if renewal is needed - check your crontab, the cron entry will look like this:
    Code:
    0 0 * * * /usr/local/acme.sh/acme.sh --cron --home /usr/local/acme.sh > /dev/null
    
    4. Issue a cert
    The cert issue is rather simple:
    Code:
    acme.sh --issue -d ispc.domain.tld -w /path/to/webroot/
    
    * This assumes the webroot method is selected and that you provide a corresponding webroot that works.
    or multi domain (SAN)
    Code:
    acme.sh --issue -d ispc.domain.tld -d mail.domain.tld -d smtp.domain.tld -w /path/to/webroot/
    
    or if you want to issue ECDSA certs you can run it like
    Code:
    acme.sh --issue -d ispc.domain.tld -w /path/to/webroot/ --keylength "ec-384"
    
    For ECDSA certs see here: https://github.com/Neilpang/acme.sh#single-domain-ecc-cerfiticate ; if you want for example just a 4096 RSA cert, you'd use --keylength 4096

    5. Install cert and reload/restart services
    The final step is to copy the issued cert to where it's needed. In the case of ISPC this would be
    Code:
    acme.sh --installcert -d ispc.domain.tld \
    --certpath "/usr/local/ispconfig/interface/ssl/ispserver.crt" \
    --keypath "/usr/local/ispconfig/interface/ssl/ispserver.key" \
    --fullchainpath "/usr/local/ispconfig/interface/ssl/ispserver.bundle" \
    --reloadcmd "systemctl reload apache2"
    
    If you have, for example, also linked the Postfix and Dovecot certs to this location, you can reload/restart them as well using:
    Code:
    --reloadcmd "systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
    
    For some reason dovecot needs to be restarted and can't be just reloaded.
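    Both Jesse's script (post 12) and the `--installcert` step above drop the new key and certificate into `/usr/local/ispconfig/interface/ssl/`, but neither checks what it is installing, and a mismatched key or a certificate for the wrong name is only noticed when the panel (or Postfix and Dovecot, if they share the files) refuses connections. The script below is an added example written for this thread, not ISPConfig, certbot or acme.sh code: before swapping anything it confirms that the private key belongs to the certificate and that the certificate covers the panel hostname and is not about to expire, then backs the old files up with a timestamp the way Jesse's loop does and symlinks the new ones in (full chain as `ispserver.crt`, as in Jesse's post). It assumes openssl is installed; the ssl directory and reload command default to the thread's values and can be passed as arguments.

    ```shell
    #!/bin/sh
    # Install a freshly issued certificate as the ISPConfig panel certificate, with
    # checks first. Added example for this thread; not ISPConfig, certbot or acme.sh
    # code. Assumes openssl is installed. Paths and reload command default to the
    # ones used in the thread and can be passed as arguments.

    set -u

    # 0 when the certificate's public key equals the private key's public key.
    cert_matches_key() {
        cert=$1; key=$2
        cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
        [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
    }

    # 0 when the certificate matches the hostname (SAN or CN) and is still
    # valid for at least min_days more days.
    cert_valid_for_host() {
        cert=$1; host=$2; min_days=${3:-1}
        openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null | grep -q ' does match ' || return 1
        openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1
    }

    # Back up the current ispserver.* files with a timestamp (as Jesse's loop
    # does), symlink the new key and full chain in, and reload the web server.
    # Refuses to touch anything when the checks above fail.
    install_panel_cert() {
        new_crt=$1; new_key=$2; host=$3
        ssl_dir=${4:-/usr/local/ispconfig/interface/ssl}
        reload_cmd=${5:-systemctl reload apache2}

        if ! cert_matches_key "$new_crt" "$new_key"; then
            echo "refusing: $new_key does not belong to $new_crt" >&2; return 1
        fi
        if ! cert_valid_for_host "$new_crt" "$host" 7; then
            echo "refusing: $new_crt is not valid for $host or expires within 7 days" >&2; return 1
        fi

        dt=$(date '+%Y%m%d%H%M%S')
        for ext in csr key.secure key crt bundle; do
            if [ -e "$ssl_dir/ispserver.$ext" ] || [ -L "$ssl_dir/ispserver.$ext" ]; then
                mv "$ssl_dir/ispserver.$ext" "$ssl_dir/ispserver.$ext.old.$dt"
            fi
        done
        ln -s "$new_key" "$ssl_dir/ispserver.key"
        ln -s "$new_crt" "$ssl_dir/ispserver.crt"
        sh -c "$reload_cmd"
    }

    # Usage: sh install-panel-cert.sh --install fullchain.pem privkey.pem panel.host [ssl_dir] [reload_cmd]
    if [ "${1:-}" = --install ]; then
        install_panel_cert "${2:-}" "${3:-}" "${4:-$(hostname -f)}" "${5:-}" "${6:-}"
    fi
    ```

    The checks are client-agnostic, so the same script works on certbot's `/etc/letsencrypt/live/<host>/` files and on acme.sh's `--certhome` output; because `--reloadcmd` accepts any command, acme.sh renewals can be pointed at it so every renewal passes through the same gate before the panel picks the files up.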
     
  19. Ovidiu

    Ovidiu Active Member

    @sjau thanks, I was looking at that solution too after seeing the tutorial to secure Proxmox with acme.sh.

    It's all straightforward except for one issue I mentioned above multiple times:
    I cannot access my ISPCFG3 via HTTP on port 80 thus the authentication via URL fails. Can any of you? Do I have to add the domain used for the control panel itself to the panel so a website is created thus allowing port 80 access?
     
  20. sjau

    sjau Local Meanie Moderator

    acme.sh supports DNS auth. If you host DNS with your ISPC install then you could use the API to answer the challenge automagically. Been pondering to code something like that but haven't tried yet.
     