ISPC 3.1.14 removing SSLCertificateChainFile

Discussion in 'General' started by ethraza, Aug 20, 2019.

  1. ethraza

    ethraza New Member

    Hi.
    I have SSL set up with https://acme.sh. Before, with ISPC 3.1.13, I had no problems with it but, after I updated to ISPC 3.1.14p2, I can no longer change anything in Site/Web Domain in the panel, or ISPC will remove the SSLCertificateChainFile line from the /etc/apache2/sites-enabled/100-domain.com.vhost file and leave the SSL defective.

    In the panel Web Domain/Domain tab, I have the SSL option ticked on and the Letsencrypt option ticked off. In the SSL tab I have HTTP2 ticked on.

    Setup:
    Slave ISPC domain.com: Ubuntu 16.04.2 / PHP 7.1.31 / Apache 2.4.39
    Master ISPC Panel: Ubuntu 10.04.4 / PHP 5.3.2

    Acme install cert command line:
    Code:
    /usr/local/acme.sh/acme.sh --home /usr/local/acme.sh --install-cert -d domain.com --cert-file "/var/www/domain.com/ssl/domain.com.crt" --key-file "/var/www/domain.com/ssl/domain.com.key" --fullchain-file "/var/www/domain.com/ssl/domain.com.bundle"
    Is this an ISPC 3.1.14 bug? If not, is there something I can do to prevent this unwanted change?

    Thank you.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is no bug. The SSLCertificateChainFile directive is deprecated; Apache 2.4.8 and newer expect the chain cert(s) inside the SSL cert file. A separate chain file is not used anymore and therefore the directive needs to be removed.
     
  3. ethraza

    ethraza New Member

    Thank you for the quick answer.
    If there is a way to get acme.sh to install the cert file like this, I was unable to find it. I guess that rolling back ISPC to 3.1.13 will maybe be my temporary/definitive solution.

    If someone knows how to "fix" that, please, let me know.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Why don't you use the builtin Let's encrypt functionality from ISPConfig which handles SSL files for newer Apache versions correctly?

    And regarding acme.sh, just run a second command afterwards which appends the bundle to the cert file.
     
  5. ethraza

    ethraza New Member

    I tried to use the builtin option, but I was unable to get letsencrypt stuff to run on my old Ubuntu 10.04 installations. Acme.sh came to my rescue and so I spread it to all my servers.

    Wow! Just a
    Code:
    cat /var/www/domain.com/ssl/domain.com.bundle >> /var/www/domain.com/ssl/domain.com.crt
    Gonna try.

    Thank you so much
     
  6. ahrasis

    ahrasis Well-Known Member

    I think that will work.
    You can always use a customized vhost template by simply copying default in server/conf folder to server/conf-custom and modify it.
    However the best way for the future I think is to fix this command by choosing to name the file right so crt will always use fullchain, which I believe will be very useful especially upon renewal.
     
  7. ethraza

    ethraza New Member

    Now I understand it.

    The right install command will be
    Code:
    /usr/local/acme.sh/acme.sh --home /usr/local/acme.sh --install-cert -d domain.com --key-file "/var/www/domain.com/ssl/domain.com.key" --fullchain-file "/var/www/domain.com/ssl/domain.com.crt"
    since the cert content is inside the fullchain bundle file as well.

    Thank you.
     
    ahrasis likes this.
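
A check for the situation discussed in this thread, as an added example that is not part of any post and not code from ISPConfig or acme.sh: it reads a vhost file, locates the SSLCertificateFile, and reports whether that file carries leaf plus chain, only the leaf, or whether a SSLCertificateChainFile line is still configured. The function names, return codes and dummy PEM blocks are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: does an Apache >= 2.4.8 vhost get its chain from SSLCertificateFile?
# All paths and PEM bodies are constructed samples, not real certificates.

# Number of PEM certificate blocks in a file (1 = leaf only, >= 2 = leaf + chain).
count_certs() {
    grep -c '^-----BEGIN CERTIFICATE-----' "$1"
}

# First path configured for directive $2 in vhost file $1 (commented lines never match).
directive_path() {
    awk -v d="$2" 'tolower($1) == tolower(d) { gsub(/"/, "", $2); print $2; exit }' "$1"
}

# Returns 0 = leaf + chain, 1 = leaf only, 2 = deprecated directive present, 3 = no cert file.
check_vhost() {
    cert=$(directive_path "$1" SSLCertificateFile)
    [ -n "$cert" ] && [ -r "$cert" ] || { echo "no readable SSLCertificateFile"; return 3; }
    if [ -n "$(directive_path "$1" SSLCertificateChainFile)" ]; then
        echo "SSLCertificateChainFile still configured (deprecated since 2.4.8)"; return 2
    fi
    if [ "$(count_certs "$cert")" -lt 2 ]; then
        echo "$cert holds only the leaf; Apache will send no chain certs"; return 1
    fi
    echo "$cert carries leaf + chain"; return 0
}

# Constructed sample: vhost plus cert file with $2 dummy PEM blocks in dir $1;
# $3 is an optional extra vhost line.
make_sample() {
    i=0; : > "$1/domain.com.crt"
    while [ "$i" -lt "$2" ]; do
        printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
            '-----END CERTIFICATE-----' >> "$1/domain.com.crt"
        i=$((i + 1))
    done
    printf '%s\n' 'SSLEngine on' "SSLCertificateFile $1/domain.com.crt" \
        "SSLCertificateKeyFile $1/domain.com.key" "$3" > "$1/100-domain.com.vhost"
}

tmp=$(mktemp -d)
make_sample "$tmp" 1; check_vhost "$tmp/100-domain.com.vhost" || true  # --cert-file layout
make_sample "$tmp" 2; check_vhost "$tmp/100-domain.com.vhost" || true  # --fullchain-file layout
rm -rf "$tmp"
```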
