Is it possible to assign SSL to DNS similar to Cloudflare?

Discussion in 'Installation/Configuration' started by ISPNoob, Mar 14, 2020.

  1. ISPNoob

    ISPNoob New Member

    I want to use ISPConfig as an authoritative DNS server and was wondering if it supports Let's Encrypt / SSL certificates the way that Cloudflare does, where the website doesn't have to be hosted on the same machine in order to receive the benefits of SSL. My ISPConfig setup is installed on a separate machine than my other websites (which are all isolated as well from one another)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no need for such a complicated setup when using ISPConfig. All you have to do is to enable the Let's encrypt checkbox in the website settings and ISPConfig takes care to generate and authenticate the Let's encrypt SSL cert. It does not matter where you host DNS for that or if your DNS server is isolated.
     
  3. Ole Vangen

    Ole Vangen Member

    I am using Cloudflare and ISPConfig3 server. I enable Let´s Encrypt on Ipsconfig and configure Cloudflare as normal with nothing related to SSL.
    Make sure that you have latest version of Ispconfig. Some of the previous has had some issues related to SSL and Let´s Encrypt.
     
  4. Steini86

    Steini86 Active Member

    When you use acme.sh instead of certbot it is possible, but you should know what you are doing because it is more a hack and not officially supported. The ispc api for dns challenge is built in into acme.sh: https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_ispconfig.sh
    Be aware that changing from certbot to acme.sh has some difficulties. I have done it and would suggest a clean new install ;)
     
  5. ahrasis

    ahrasis Well-Known Member

    What are the difficulties?
     
  6. Steini86

    Steini86 Active Member

    • Find all installations of certbot (I had a package installed and certbot-auto in /opt/eff, which was not even in the PATH variable, so I missed that)
    • You have to remove the links in /var/www/domain.com/ssl prior to installing certs with acme.sh
    • Then if you restart apache during that time, it will throw an error. Solution would be to first deactivate SSL for all domains
    • With the above points, you cannot reactivate all domains at once, because apache won't come up. Instead install letsencypt one ater the other for all domains
    • Make sure you do not hit the letsencryt rate limit when getting all certificates at once (50/domain/week). Certificates for subdomains count to the main domain!
    If you have only a small bunch of domains there is no problem.
     

Share This Page