Let's Encrypt 2 ISPConfig

Discussion in 'Tips/Tricks/Mods' started by sjau, Oct 28, 2015.

  1. Sir Henry

    Sir Henry Member

    No, this only works for subdomains created as "Subdomain" or "Aliasdomain" in ISPC, not for subdomains created as an own "Website".
     
  2. sjau

    sjau Local Meanie Moderator

    it's been a long time ;) thx for clarification ;)
     
  3. sjau

    sjau Local Meanie Moderator

    Because of the subdomain question yesterday, I did add now a check to auto-add subdomains as well. This works if yo create a subdomain in ISPC as subdomain and not just use something like sub.domain.tld to createa new website.
     
  4. Nap

    Nap Member

    Another question sjau, the email address for the domain will depend on the domain. I think that could be retrieved from the DNS record, or possibly from the matching email domain, though there may be many email addresses for the domain and would need to pick the right one?
    I don't think the client's email address is suitable as they may have multiple domains.
    Otherwise, it would need to be manually configured.

    I've written some code that extracts emails from all the possible sources for the domain passed into the script.
    Suggested Priority:
    1) DNS mbox record (if the zone exists on the server),
    2) 1st email account for the domain (if it exists),
    3) Client email address (if it exists)?
    4) ???? Some other source?

    What would be the priority? Any comments?
     
    Last edited: Feb 28, 2016
  5. sjau

    sjau Local Meanie Moderator

    since clients can't run that as root, the admin of the box should get the reminder if something's not working. Hence I don't exctract client email for this.

    It might be different with the official LE integragation into ISPC.
     
  6. Nap

    Nap Member

    There is a small problem with sub-domains. The implementation in ISPConfig using the rewrite rule prevents access to /.well-known.
     
  7. sjau

    sjau Local Meanie Moderator

    hmmm, that's true..... how to solve that... I'm at a loss
     
  8. Nap

    Nap Member

    I'm trying to use Apache Directive snippets. I've managed to get the redirect working, but LE doesn't like how I did it, so it's still not working. I think the problem is that I'm actually rewriting to the parent domain:

    RewriteCond %{HTTP_HOST} ^subdomain\.domain\.com$ [NC]
    RewriteCond %{REQUEST_URI} ^/.well-known$
    RewriteRule . http://domain.com/.well-known [L]

    I'm about to adjust the rewriterule using a normal rewrite.
     
  9. Nap

    Nap Member

    One solution is to modify the default rewrite rules that are installed when the subdomain is added by adding an extra condition:
    Code:
        RewriteCond %{REQUEST_URI} !^/\.well-known
    
    I'm still trying to figure out a way that will work through the Apache Directive snippets
     
    Last edited: Feb 29, 2016
  10. sjau

    sjau Local Meanie Moderator

    Hmmmm, there should be a solution somehow... hmmm....
     
  11. Nap

    Nap Member

    Another option that also works is to place a symlink in the root folder of the subdomain that points to the .well-known directory:
    Code:
    ln -s /var/www/letsencrypt/.well-known/ .well-known
     
  12. Nap

    Nap Member

    I could not get a rewrite rule snippet that follows on from the standard sub-domain rewrite to work , so I've given up on this approach.
    The other two options above do work.
    Whilst the symlink can be installed without any modifications to ISPConfig's software or data, since I'm using LE, my preferred option is to modify /server/conf/vhost.conf.master and add RewriteCond %{REQUEST_URI} !^/\.well-known to the default rules. But others wouldn't want this.
     
  13. sjau

    sjau Local Meanie Moderator

    Btw, here's another little snippet that I use:
    https://paste.simplylinux.ch/view/7b81ca23

    I set dovecot and postfix to use the SAN. I have no viable way to read out all the mail domain mx entries thingies... so I did make the manual list in the bash file since it doesn't change often.

    Then of course add/alter entries in the postfix main.cf file like:

    Code:
    smtpd_tls_cert_file = /etc/ispcSSL/live/server.name.tld/fullchain.pem
    smtpd_tls_key_file = /etc/ispcSSL/live/server.name.tld/privkey.pem
    
    and in the dovecot.conf file like this:
    Code:
    ssl_cert = </etc/ispcSSL/live/server.name.tld/fullchain.pem
    ssl_key = </etc/ispcSSL/live/server.name.tld/privkey.pem
    
    You can add the entries below the existing ones.
     
    Jesse Norell likes this.
  14. Jesse Norell

    Jesse Norell Well-Known Member

    @sjau, do you use that for mail certs only, or also the ispconfig panel itself? Having those covered out of the box would be nice (eg. installer gives option to obtain/use a letsencrypt certificate or create self-signed).
     
  15. sjau

    sjau Local Meanie Moderator

    I use that for mail certs only. However I ponder if I should use it for ispconfig panel as well as to not get the untrusted message everytime - chromium is a pain to add self-sigend certs.

    Would be great, if it would be all handled by ISPC itself though.

    I just thought since I only have a few mail domains I just make that list manually. I just use mail.domain.tld. Others might use smtp/imap/pop/pop3.domain.tld...
     
  16. Jesse Norell

    Jesse Norell Well-Known Member

    do you know what the limit is for the number of SAN names you can add? I would imagine automating that for all domains might not work on large servers. But you could have a textarea where you list the names to be added, and manually put a limited number in there, or something similar.
     
  17. sjau

    sjau Local Meanie Moderator

  18. sjau

    sjau Local Meanie Moderator

    Ok, made now push that apache 2.4 uses redirect permanent instead of mod_rewrite. It'll also check and filter out old mod rewrite rules.

    I wonder if I should add an option for htst as well.
     
  19. bch

    bch Member

    I have no problems getting Let's Encrypt to create certifcates for subdomains created as a web site.
    I use this snippet server-wide (not sure if it fixes the issues you're talking about).
    Code:
    # Block Access To All Hidden Files And Directories With Exceptions
    <IfModule mod_rewrite.c>
        RewriteEngine On
        RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
        RewriteCond %{SCRIPT_FILENAME} -d [OR]
        RewriteCond %{SCRIPT_FILENAME} -f
        RewriteRule "(^|/)\." - [F]
    </IfModule>
    Also, there has to be a www prefix in DNS for LE to issue the certifikate, like www.sub.example.com.
     
    Last edited: Apr 26, 2016
  20. sjau

    sjau Local Meanie Moderator

    Well, this tool will be buried soon anyway since ISPC 3.1 is already released as beta :)
     

Share This Page