Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. sjau

    sjau Local Meanie Moderator

    this is weird... the domainInfo array is populated. Also the get_clientid lookup would fail if groupid was empty.

    Code:
    [email protected] ~ # ./letsencrypt.php test.sjau.ch
    Array
    (
        [domain_id] => 61
        [sys_userid] => 1
        [sys_groupid] => 2
        [sys_perm_user] => riud
        [sys_perm_group] => ru
        [sys_perm_other] => 
        [server_id] => 1
        [ip_address] => *
        [ipv6_address] => 
        [domain] => test.sjau.ch
        [type] => vhost
        [parent_domain_id] => 0
        [vhost_type] => name
        [document_root] => /var/www/clients/client1/web61
        [web_folder] => 
        [system_user] => web61
        [system_group] => client1
        [hd_quota] => -1
        [traffic_quota] => -1
        [cgi] => n
        [ssi] => n
        [suexec] => y
        [errordocs] => 1
        [is_subdomainwww] => 1
        [subdomain] => www
        [php] => fast-cgi
        [ruby] => n
        [python] => n
        [perl] => n
        [redirect_type] =>
        [redirect_path] =>
        [seo_redirect] =>
        [ssl] => n
        [ssl_state] =>
        [ssl_locality] =>
        [ssl_organisation] =>
        [ssl_organisation_unit] =>
        [ssl_country] =>
        [ssl_domain] =>
        [ssl_request] =>
        [ssl_cert] =>
        [ssl_bundle] =>
        [ssl_key] =>
        [ssl_action] =>
        [stats_password] =>
        [stats_type] => webalizer
        [allow_override] => All
        [apache_directives] =>
        [nginx_directives] =>
        [php_fpm_use_socket] => y
        [pm] => dynamic
        [pm_max_children] => 10
        [pm_start_servers] => 2
        [pm_min_spare_servers] => 1
        [pm_max_spare_servers] => 5
        [pm_process_idle_timeout] => 10
        [pm_max_requests] => 0
        [php_open_basedir] => /var/www/clients/client1/web61/web:/var/www/clients/client1/web61/tmp:/var/www/test.sjau.ch/web:/srv/www/test.sjau.ch/web:/usr/share/php:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin
        [custom_php_ini] => 
        [backup_interval] => none
        [backup_copies] => 1
        [backup_excludes] => 
        [active] => y
        [traffic_quota_lock] => n
        [fastcgi_php_version] => 
        [proxy_directives] => 
        [last_quota_notification] => 
        [rewrite_rules] => 
        [added_date] => 2015-10-22
        [added_by] => admin
    )
    <?xml version="1.0" encoding="UTF-8"?>
    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>data_processing_error</faultcode><faultstring>no_server_error&lt;br /&gt;&#13;
    domain_error_empty&lt;br&gt;&#13;
    hd_quota_error_empty&lt;br /&gt;&#13;
    hd_quota_error_regex&lt;br /&gt;&#13;
    traffic_quota_error_empty&lt;br /&gt;&#13;
    traffic_quota_error_regex&lt;br /&gt;&#13;
    documentroot_error_empty&lt;br /&gt;&#13;
    sysuser_error_empty&lt;br /&gt;&#13;
    invalid_system_user_or_group_txt&lt;br&gt;&#13;
    sysgroup_error_empty&lt;br /&gt;&#13;
    invalid_system_user_or_group_txt&lt;br&gt;&#13;
    allow_override_error_empty&lt;br /&gt;&#13;
    pm_process_idle_timeout_error_regex&lt;br /&gt;&#13;
    pm_max_requests_error_regex&lt;br /&gt;&#13;
    </faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope>
    SOAP Error: no_server_error<br />
    domain_error_empty<br>
    hd_quota_error_empty<br />
    hd_quota_error_regex<br />
    traffic_quota_error_empty<br />
    traffic_quota_error_regex<br />
    documentroot_error_empty<br />
    sysuser_error_empty<br />
    invalid_system_user_or_group_txt<br>
    sysgroup_error_empty<br />
    invalid_system_user_or_group_txt<br>
    allow_override_error_empty<br />
    pm_process_idle_timeout_error_regex<br />
    pm_max_requests_error_regex<br />
    
    I did now add a print_r($domainInfo); on line 46

    But I'll look at that get method you mentioned :)
     
  2. dannyM

    dannyM New Member

    First to your error: sites_web_domain_update needs 4 parameters! Third parameter is the domain_id, fourth parameter then the $params array.

    Querying the current state using sites_web_domain_get works well, however you need to pass the domain_id, not the domain name.

    Now to your comments in #19:

    First, I'm well aware of the $argv array. However, when you call your script without parameters as you did in #17 $argv[1] will be undefined. Hence PHP prints "PHP Notice: Undefined offset: 1 in /root/letsencrypt.php on line 25".

    Second, concerning the two approaches that you proposed in #8 and that I'm commented on: the first approach is what you've implemented with your script. In the second approach, you propose to "autofill the stuff", i.e. to get the data from letsencrypt and fill it into the ssl_cert/ssl_bundle fields in the database and let ISPC act upon as if filled manually.

    What I propose is different: I propose NOT to fill the fields. Instead, if there is a (new) checkbox ticked in ISPC that letsencrypt manages the certs, ISPC will NOT create files in /var/www/clients/client[client_id]/web[website_id]/ssl, but will set SSLCertificateFile/SSLCertificateKeyFile/SSLCertificateChainFile of the apache configuration for this domain to point to the libencrypt output files in /etc/letsencrypt/live/sub.domain.tld/.

    Then, letsencrypt can handle the certs automatically and much less regular work needs to be done by ISPC.
     
    Nemis likes this.
  3. sjau

    sjau Local Meanie Moderator

    I noticed about the 4th parameter. Somehow I deleted that :)

    As for how ISPC will handle this later, it might make sense to have such an option/checkbox. Another good option would then also be "Force SSL" in the control panel.
     
  4. sjau

    sjau Local Meanie Moderator

    So, that script works now fine it seems... tested it on 5 domains.
     
  5. sjau

    sjau Local Meanie Moderator

    Btw, got new infos regarding renewal. It seems that's easy. From #letsencrypt:

     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    You can also query for domain name by passing an array: array('domain' => 'domain.tld') as $domain_id.
     
  7. sjau

    sjau Local Meanie Moderator

    btw Till, you red that little IRC discussion? If I correctly understand, you'd just need to run the (current) letsencrypt-auto script on a daily base and it will auto-renew certs that are close to validation. So that should make ssl-renewel rather simple.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    I havent read the discusion yet. Nice that they provide a ready made script for such a cron job.
     
  9. sjau

    sjau Local Meanie Moderator

    not the -auto but the -renew script... it still has some issues as it sounds like but I'm sure they'll be fixed. So the renew script would then also just update the certs in /etc/letsencrypt/live/domain.tld/{privkey,cert,chain,fullchain}.pem and so ISPC can just link to them in the vhost.

    Actually sounds easy to manage :)
     
    Nemis likes this.
  10. Jesse Norell

    Jesse Norell Well-Known Member

    For multiserver setup with a single webserver, you just need letsencrypt installed on the webserver.

    If you had a second webserver that mirrored the first, well, I don't know what the right thing to do would be. This might be the same consideration if/when using a letsencrypt certificate for email, you'd have to put the certificates on the mail server as well. Could setup an rsync of the individual subdomains under /etc/letsencrypt maybe? (You have to keep in mind multiple webservers and/or multiple mail servers.) I don't believe a mailserver could do the letsencrypt setup itself, as the cli output indicates it reconfigures/utilizes apache for challenge/response, and the mail server won't usually have apache.

    So single server setups, and multiserver setups without mirrored webservers seem pretty doable. What's it take to secure the ispconfig control panel itself? Is it just a prompt during the install.php and/or update.php scripts, run the letsencrypt program then, and generate slightly different vhost config pointing to the subdomain files under /etc/letsencrypt/? Or is that too soon (because apache won't be setup/usable yet for letsencrypt to perform challenge/auth), so it needs done later, say from System > Server Config > {server} > Web?
     
  11. Nemis

    Nemis Member

    easy way,
    https://smallhacks.wordpress.com/2015/11/01/lets-encrypt/
    so ISPconfig , on SSL page, per domain may will
    1-generate a %domain% cli.ini file.
    2-run LE-auto %domain% cli.ini
    3-pickup/store SSL on internal db or what have to do to see on SSL page
    4-add to cron LE-auto %domain% cli.ini
    5-re pickup/store SSL on internal db or what have to do to see on SSL page at every rennovate, with same cron as point 4
    done
     
  12. Nemis

    Nemis Member

    no. u can generate SSL on remote server, like docker version.
    all need is that u can let LE write some data on ww page of live server, the put ssl. ssh vpn...
     
  13. sjau

    sjau Local Meanie Moderator

  14. Nemis

    Nemis Member

    i try use webroot for 2 domain (1 in whitelist ,1 not),
    letsencryp script (or letsencrypt-auto) write the ... /.well-known/acme-challenge/--some-data-- as root (so not exposed to the world ?) and fail to autenticate.
     
  15. sjau

    sjau Local Meanie Moderator

    I did add that apache config and tested it with staging. That worked fine.
     
  16. Nemis

    Nemis Member

    i do the nginx way , add the snippet ,resync isp, restart nginx.
    i think i (o nginx) have some issue on file/user permission .
    what user/group own your .well-known subdir?
     
  17. sjau

    sjau Local Meanie Moderator

    Code:
    drwxr-xr-x  3 root root    4.0K Nov  3 10:28 .well-known
    
    I run LE as root.
     
    Nemis likes this.
  18. Nemis

    Nemis Member

    ok the problem have to comment this part on nginx.conf
    Code:
    #        location ~ /\. {
    #            deny all;
    #            access_log off;
    #            log_not_found off;
    #        }
    
     
  19. sjau

    sjau Local Meanie Moderator

  20. Nemis

    Nemis Member

    check you chipersuite, firefox say not secure
     

Share This Page