Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. Schnacki

    Schnacki New Member

    Ok, sorry for the slow reply. Thanks for clarifying that letsencrypt is currently not used for the ISPConfig Frontend or the server services. Unfortunate, but ok, I'll get around that and hope for the future. :)
     
  2. davidak

    davidak New Member

  3. ahrasis

    ahrasis Well-Known Member

    I am glad that ISPConfig 3.1 has built in Letsencrypt. But then I noted that Letsencrypt got its limits and while testing our servers, we may fall into the said limits. Letsencrypt does suggest that if we are using Certbot, we can use its staging evironment with the --staging flag.

    Thus, my first question or request is, while the available feature is already very good, is there any way or chance that we can improve the available Letsencrypt feature by adding its staging evironment setting or option into ISPConfig, may be on by default but can be turned off, so that we might avoid falling into the limits, unintentionally.

    Further, if there is already an approved ssl by LetsEncrypt, it won't be deleted (but rather kept unless chosen to be permanently deleted) and the system automatically reinstall it, instead of requesting for a new one again, so it might not fall inside the its limits.

    Cheers.
     
  4. sjau

    sjau Local Meanie Moderator

    I tend to think the limits are rather high. You shouldn't hit them normally:

    The only real issue I can see is the 20 "registerted domain" limits per week. E.g. if you request a cert for www.domain.tld, another one for mail.domain.tld, anther one for pop.domain.tld, imap.domain.tld, smtp.domain.tld and one for domain.tld. If those all were requested individually, that would be 6 already.
     
  5. ahrasis

    ahrasis Well-Known Member

    I think you are getting close to my point sjau except that you are referring to normal using of a server instead of testing a server. Repeated testing of 4 times of what you mentioned above per domain will hit the limit. Adding --staging flag will allow up to 30,000 per week, which is much more better and safer while testing a server.
     
  6. sjau

    sjau Local Meanie Moderator

    with the current integration there is no testing needed. Click the checkbox and a cert for that domain will be issued. What do you need to test? That's what I don't understand.
     
  7. ahrasis

    ahrasis Well-Known Member

    Yes. You don't need to if your server is already working good in one setup. If not, you might want to redo it several times until you get it right, and while doing that normally you also want test a domain with lots of subdomains. That's is where it will become handy because the limits will stop you from doing it.

    I don't mind looking into adding that myself so long you or anyone else can highlight which relevant files to look into to do that.

    Edited: I find the one for apache in apache2_plugin.inc.php; and for the website in web_vhost_domain_edit.php and its related files.

    I think, when testing, I only need to add --staging (in apache2_plugin.inc.php) into this line of code:
    Code:
    $success = $this->_exec($letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]$domain --domains $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
    I don't think I will be adding anything new to the web_vhost_domain_edit.php file for now except if the suggestions are to be added as an option for easy use later.
     
    Last edited: Nov 27, 2016
  8. vikozo

    vikozo New Member

    is there a tutorial where and how exactly to install?
     
  9. sjau

    sjau Local Meanie Moderator

    tutorial for?
     
  10. ahrasis

    ahrasis Well-Known Member

    You should follow tutorial where LE is actually installed like in Ubuntu 16.04 and above e.g. https://www.howtoforge.com/tutorial...doveot-and-ispconfig/2/#-install-lets-encrypt. Do not activate LE ssl for any domain after certbot installation in the terminal as you will get trouble in activating in ISPC if you did so. Simply cancel when it shows all your domains. If your server works fine, then you should be able to simply tick LE ssl in Website or Subdomain (Vhost) or Aliasdomain (Vhost) creation or edit (preferrably edit as I think you should make sure your domain works first).
     
  11. lipoforall

    lipoforall New Member

    Hi, nice to see LE is implemented(and working like a charm) for hosted websites, but what about ISPC login page? i really dont uderstand why this option missing... so ive make new "page" with same domain like login page "server1.example.com" with LE enabled, then just copy and paste
    apache2 conf SSL part
    Code:
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile var/www/clients/client1/web1/ssl/server1.example.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/server1.example.com-le.key
    SSLCertificateChainFile /var/www/clients/client1/web1/ssl/server1.example.com-le.bundle
    to
    Code:
    /etc/apache2/sites-available/ispconfig.vhost
    which working but its not really nice and clear..
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Never edit the ispconfig.conf file manually, your server wil start to fail on nex update. the correct way is to not alter the ispconfig.conf file, instead you replace the old ssl files with symlinks to the new files that you want to use.
     
  13. lipoforall

    lipoforall New Member

    thanks, good to know.. so it will be implemented sometime in the future?
     
  14. Oitsuki

    Oitsuki Member

    Hello,
    I discover soon a pb with let's encrypt and I am lokking information it become certbot.
    What is the process to update let encrypt to cerbot in 3.1.
    Tk
     
  15. Jesse Norell

    Jesse Norell Well-Known Member

    Both are supported, just install certbot (into a location found in $PATH) and remove letsencrypt and it should work fine.
     
  16. ahrasis

    ahrasis Well-Known Member

    I noticed conf file created by letsencrypt is far longer than certbot conf. Since I think both can work fine, I might uninstall letsencrypt and use reinstall certbot. But is that a good choice?
     
  17. Oitsuki

    Oitsuki Member

    Where I found $PATH, in /Etc/apache2 ?
    Also I migrate on ispconfig 3.1.2, if I change the path what is the repercussion on an update
     
  18. Jesse Norell

    Jesse Norell Well-Known Member

    $PATH is an environment variable which is a list of directories to search for commands to run, eg. with PATH=/bin:/sbin:/usr/bin:/usr/sbin as an example (actual PATH's are usually longer than that), if you run the command 'certbot', it (ie. the shell) will look for /bin/certbot, then /sbin/certbot, then /usr/bin/certbot, then /usr/sbin/certbot and run the first one found - if not found you'd get a 'command not found' error.

    So what I really meant was simply to install certbot into a standard location for commands to be found. Eg. from the 'certbot' package in jessie-backports, it gets put in /usr/bin/:
    Code:
    # dpkg --listfiles certbot | grep bin
    /usr/bin
    /usr/bin/certbot
    /usr/bin/letsencrypt
    
    You don't need to change PATH or anything, just install it in a "normal" location.
     
  19. ahrasis

    ahrasis Well-Known Member

    To create LE for your server:
    1. Create a site for your server in ISPConfig panel via Sites > Website > Add new website.
    2. Check if your site is accessible online (you might or might not have to create dns for it).
    3. If it is already accessible via internet, click ssl and LE button and save.
    4. If you haven't enabled ssl during ISPConfig setup, enable it by typing ispconfig_update.sh in the terminal and select yes for ssl.
    5. If ssl is already enabled, then use this command to backup and replace the created ssl with LE ssl.
    Code:
    mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.pem /usr/local/ispconfig/interface/ssl/ispserver.pem.bak
    ln -s /etc/letsencrypt/live/yourserverdomain/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/yourserverdomain/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    cat /usr/local/ispconfig/interface/ssl/ispserver.{key,crt} > /usr/local/ispconfig/interface/ssl/ispserver.pem
    
    6. Then run "service nginx reload" or "service apache2 reload" accordingly.
    7. Check your server ssl info in the browser. It should now show LE ssl.

    I think that is it on how to use LE ssl for your server.
     
    Poliman and till like this.
  20. theoldgit

    theoldgit New Member

    Hi,

    Good to see Let's Encrypt integrated into ISPconfig. Great work!!

    A little confused here (you are dealing with someone dangerous here - knows enough to mess things up!).

    I have just set up a server with 3 domains/sites. I have an LE SSL Certificate on site a.com which reads correctly - matches site etc.. I tried to set up LE Certificates for B.com and C.com, but the are using the certificate from A.com - of course giving errors.

    I am using Ubuntu 16.04, ISPconfig 3.1.2 with nginx as the web server and wonder of the behaviour I am seeing is intended or not.
     

Share This Page