How to use Let's Encrypt in ISPConfig 3.1

Discussion in 'Installation/Configuration' started by tjbcham, May 16, 2016.

  1. tjbcham

    tjbcham New Member

    Just installed the latest Beta version 3.1 - upgraded from older install.
    According to the feature request thread, Let's Encrypt is integrated in 3.1, but I am not sure how it works or what procedures are required?

    I presumed I had to install Let's Encrypt, which I did, however there were a few screens I was not expecting about selecting which domains to enable SSL and I got errors on install with a "Failed authorization procedure" as the process seemed to be looking for the reverse dns of the server ":: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A."

    I then checked both the the SSL and Let's Encrypt boxes for the domain in the ISPConfig 3.1 control panel.

    Went to SSL tab and filled in info and country, then selected to create certificate, then returned to save certificate.

    However certificate is just a self signed untrusted certificate with broken https and .err document.

    Any walk through for installation and pointers on how to use Let's Encrypt please?
     
  2. Jesse Norell

    Jesse Norell Active Member

    This is right from https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt:
    Code:
    apt-get install git
    cd /opt
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt/
    ./letsencrypt-auto --help
    That's all you need to install letsencrypt, and it shouldn't ask any questions about what domains to enable SSL on or anything like that. Sounds like the procedure you used varied somewhat.

    After that, all you need to do is go to the website in question and check both the SSL
    and Let's Encrypt SSL checkboxes. Don't even visit the SSL tab. Wait a minute or two, and you should have https working on the site.
     
  3. tjbcham

    tjbcham New Member

    Thanks for the info. That helps to know that other than install and check the box that it should work without visiting the SSL tab.
    I had followed another install for let's encrypt initially (probably to create certificates), but had found the install you mentioned.
    However, with Let's encrypt and SSL boxes checked but without visiting the SSL tab, https://mydomain.com still gives me an untrusted page warning and then the apache2 debian default page loads.
    "This page is insecure (broken HTTPS)." warning.
    The certificate is valid 10 years and issued by the server name, not the site.
    There are no certificates in the SSL directory.
     
  4. Jesse Norell

    Jesse Norell Active Member

    this is the same domain that you created a certificate (on the SSL tab) earlier? go back there and select the action to delete the certificate and hit save.

    If it's not running on a letsencrypt certificate at this point, try turning letsencrypt off, save settings (maybe resync websites at this point), wait a minute or two, then turn it back on. I've not walked through this part, so guessing here, but try that and report back your findings to this thread.
     
  5. tjbcham

    tjbcham New Member

    Thanks,
    This was for a newly created domain which had not had let's encrypt box checked or the SSL tab touched. There were no certs in the ssl directory.
    Did as suggested above, resynced and now it is working with the certs in the ssl directory for the domain.
    One other question... What happens about the certificate renewals after 90 days?
     
  6. Jesse Norell

    Jesse Norell Active Member

    It should renew automatically, ispconfig cronjob runs 'letsencrypt -n renew' (nightly at 3am).
     
  7. tjbcham

    tjbcham New Member

    Great! Each site gets https:// automatically and free with no hassle with the check of a box.
    Thanks for the info, and I apologise for the confusion. I missed that nothing needed to be done with the SSL tabs once the box was checked.
     
  8. tjbcham

    tjbcham New Member

    Returning to this after a couple of weeks...
    The creation of Certificates seems to be very flaky .
    Sometimes I manage to create a cert by turning on and off and back on Lets Encrypt. Now I don't seem to be able to create certs at all, never mind how many times I turn on and off the Lets Encrypt button and resync.
    https for failed certificates shows the web of the first site on the server with the broken SSL cert saying.
    Certificate Error
    There are issues with the site's certificate chain (net::ERR_CERT_COMMON_NAME_INVALID).
     
  9. tjbcham

    tjbcham New Member

    Impossible to get a certificate to create now with which ever combinations I try.
    Why would a cert have been generated for a domain yesterday but not today?
     
  10. tjbcham

    tjbcham New Member

    I installed a server cert from the comments https://www.howtoforge.com/communit...fig-admin-from-letsencrypt.73097/#post-344008
    Got a nice green https for the ISPcontrol panel with a Lets Encrypt cert.

    However domain cert still not functioning.
    Repeated the Lets Encrypt install from post #2 above just in case there was upgrade or something. No joy.

    Also, now there are some domains where the SSL cert did get created that want to use the domain mail, but these domains cannot send mail out through the mail.domain.tld smtp server, whereas domains without the cert can without issue.
     
  11. tjbcham

    tjbcham New Member

    Found part of the problem...
    The Cert will not be created until the DNS records have propagated fully to the server, so need to check that DNS is correct for the domain before attempting to create a certificate.
    To see errors you can try to create a cert manually by
    cd /opt/letsencrypt
    ./letsencrypt-auto --apache -d domin.tld
    Will show the errors if any.
    To see certs created go to
    /etc/letsencrypt/live
     
  12. Jesse Norell

    Jesse Norell Active Member

    Yep, it requires DNS pointing at your server to get a letsencrypt certificate setup.

    There is nothing done/setup for email with letsencrypt certificates, it simply requests/renews them and points the website to the cert files under /etc/letsencrypt/live/*. Postfix does not support SNI at all, so it's going to present the same certificate to your clients no matter what hostname they use to connect - it will simply match the CN for some (or probably one) name(s) and won't for the others. You may be able to manually request a single letsencrypt certificate that covers all the names you need and point postfix config to that, if the number of those names isn't too large (I forget what the limit is in a single cert - it was mentioned on the forum here not too long ago), although I don't know if that works for adding "mail.domainname.com" when letsencrypt can't make an HTTP request back to that same hostname (eg. if it can verify www.domainname.com via HTTP, will it let you use mail.domainname.com in another cert? I'd guess maybe not, but could try.)
     

Share This Page