Get SSL certificate for ISPConfig admin from LetsEncrypt?

Discussion in 'Installation/Configuration' started by zkvvoob, May 22, 2016.

  1. Ovidiu

    Ovidiu Active Member

    @sjau: awesome, with your hints and reading the documentation, here is what worked:

    Replaced your step 4. with this:
    Code:
    acme.sh --issue --dns -d ispcfg3.mydomain.tld
    manually adding the required DNS records
    Code:
    acme.sh --renew -d ispcfg3.mydomain.tld
     
  2. sjau

    sjau Local Meanie Moderator

    but upon next renewal you'll need to update the dns record again. From what I know you have to prove your authorization everytime you request a cert. Hence it would be interesting to code an ISPC dns template like there are for others.
     
  3. Ovidiu

    Ovidiu Active Member

    Are you sure there is a new DNS record needed with every update? I assumed I could keep the requested one in place.
    I could use the API as this domain is hosted on cloudflare and there are examples out there.
     
  4. sjau

    sjau Local Meanie Moderator

    I tend to think that upon each request a new challenge is posed. Who knows, maybe you lost control over the domain
     
  5. Ovidiu

    Ovidiu Active Member

    you seem to be right:
     
  6. soho

    soho Member

    Your tip works perfect (ISPConfig 3.1.1p1).
    I have a question: after the certificate expires, how would that command for the renewal be?
    Using cerbot automatically, it is only necessary to inform you that you want to renew (./path/to/certbot-auto renew --dry-run).

    Is it only necessary to add renew to the command?
    example:
    Code:
    certbot-auto renew auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
     
  7. sjau

    sjau Local Meanie Moderator

    it should be sufficient to just:

    Code:
    certbot renew
    
    for testing run:
    Code:
    certbot renew --dry-run --force-renew
    
    the --force-renew would renew certs that are not within the 30-days expiration period - so it would renew basically all certs....
    The --dry-run is just to not really renew but to test if it would try to renew.[/code]
     
  8. soho

    soho Member

    Hello sjau,
    Thank you for the clarifications and the quick answer.
     
  9. speciale

    speciale New Member

    For the ISPConfig Interface I did this and it works

    Code:
    certbot auth --text --agree-tos --update-registration --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d isp.org -d www.isp.org --renew-by-default --webroot-path /usr/local/ispconfig/interface/acme
    
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    
    ln -s /etc/letsencrypt/live/isp.org/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/isp.org/fullchain.pem ispserver.crt
    
    service apache2 restart
    Now I want to make another cert for another site, say client1
    Do I need to change the
    Code:
    --webroot-path
    to
    Code:
    /usr/local/ispconfig/client1/acme
    and cd to
    Code:
    /var/www/clients/client1/web1/ssl
    to make it work?

    And does
    Code:
    --renew-by-default
    grant that the certs will be automagically renewed?

    From what I understand here
    certbot eff org/ docs/ using.html #webroot
    it could be the way to do it. I'm asking this because my site is already in production and I'm trying not to break it.
     
  10. sjau

    sjau Local Meanie Moderator

    you shouldn't use
    Code:
    ` `
    
    anymore. Better to use
    Code:
    $( )
    
    In your case:
    Code:
    dt=$(date '+%Y%m%d%H%M%S')
    
     
  11. speciale

    speciale New Member

    Thanks sjau. But do you mean that's the only aspect to care about for my question?
    Did I well understood the use of
    Code:
    --webroot-path
    and paths?
    Code:
    /usr/local/ispconfig/client1/acme
    Code:
    /var/www/clients/client1/web1/ssl
     
  12. sjau

    sjau Local Meanie Moderator

    I didn't check the rest... I just noticed the backticks.
     
  13. speciale

    speciale New Member

    Got it. Thanks again sjau.
     
  14. Jesse Norell

    Jesse Norell Well-Known Member

    No, for websites you use the ispconfig interface to configure letsencrypt. All you do is check the checkbox and hit save (assuming your dns is already setup).
     
  15. speciale

    speciale New Member

    Thanks Jesse. I was making difficult and it can't be easier.
     
  16. Oitsuki

    Oitsuki Member

    I try this :

    certbot auth --text --agree-tos --update-registration --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d isp.org -d www.isp.org --renew-by-default --webroot-path /usr/local/ispconfig/interface/acme

    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done

    ln -s /etc/letsencrypt/live/isp.org/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/isp.org/fullchain.pem ispserver.crt

    service apache2 restart

    I have this result
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/............eu/fullchain.pem. Your
    cert will expire on 2017-04-21. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot again. To
    non-interactively renew *all* of your certificates, run "certbot
    renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

    but when I try to restart my apache I have this

    Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.

    janv. 21 17:28:34 .....4.eu apache2[14453]: The apache2 configtest failed. ... (warning).
    janv. 21 17:28:34 .....4.eu apache2[14453]: Output of config test was:
    janv. 21 17:28:34.....4.eu apache2[14453]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/si....conf:69
    janv. 21 17:28:34 .....4.eu apache2[14453]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    janv. 21 17:28:34 ns304677.ip-94-23-214.eu apache2[14453]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty

    janv. 21 17:28:34 .....4.eu apache2[14453]: Action 'configtest' failed.
    janv. 21 17:28:34 .....4.eu apache2[14453]: The Apache error log may have more information.
    janv. 21 17:28:34 .....4.eu systemd[1]: apache2.service: control process exited, code=exited status=1
    janv. 21 17:28:34 .....4.eu systemd[1]: Failed to start LSB: Apache2 web server.
    janv. 21 17:28:34 .....4.eu systemd[1]: Unit apache2.service entered failed state.
    Hint: Some lines were ellipsized, use -l to show in full.


    How to resolve ?
     
  17. Ovidiu

    Ovidiu Active Member

    despite doing this, it looks like the bundle fiel is being ignored. Firefox complains about the certificate it looks like only my certificate is included and the letsencrypt ca one is missing. am I missing something?
     
    Last edited by a moderator: Jan 23, 2017
  18. sjau

    sjau Local Meanie Moderator

    What is the exact command you issued?
     
  19. Ovidiu

    Ovidiu Active Member

    omg. I just realized I typed in myispcfg.tld:8080 in Chrome but forgot the :8080 in firefox hence the warning as :oops: very, very blonde moment, my apologies.
     
  20. Ovidiu

    Ovidiu Active Member

    I've ben using this implementation forever and I would now like to start using the same certificate for pureftpd too. Apparently I need a .pem file for this. I tried creating a symlink inside /etc/ssl/private/pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.crt but that gives an error when restarting pureftpd:
    Code:
    May 20 19:55:46 alfred pure-ftpd: ([email protected]?) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem](240): error:0906D06C:PEM routines:PEM_read_bio:no start line
    Can someone give me a hint how to solve this without breaking the currently working certificates and without manually converting them into a .pem?
     

Share This Page