lets encrypt, my be a bit OT

Discussion in 'ISPConfig 3 Priority Support' started by muekno, Feb 21, 2017.

  1. muekno

    muekno Member HowtoForge Supporter

    As I am running 32 bit Jessie, the LetsEncrypt feature of does not work as it requires 64 bit.
    So I got a certificate manually and save it with ISPConfig web ssl form. So far so good. my site is www.mydomain.com and I use the ISPConfig feature to to call wit mydomain.com too.
    Use the certbot tool LetsEncypt let me generate certificates for www.mydomain.com and mydomain.com, as I think, I cat enter only one certificate in ISPConfig i got a certificate for mydomain.com, that works with my startssl certificates (who are not more acceptet by Chrome and other Browsers). But now if I call my website with maydomain.com it is secure, but if I call it with www.mydomain.com it is marked unsecure. With the startssl certificate both worked.
    Does anybody has a solution, other than redirecting www.mydomain.com to mydomain.com or getting a certificate for www.mydomain.com and redirecting vice versa.

    By the way in LetsEncrypt with the certbot, you can't even create a CSR and specify owner of the website or emamiladdress. Also you you have to have root access to the server and you can get certificates for every website on that server, no other verification. Is that more secure than that startssl does, I think not. I hope startssl will have there new infrastructure up shortly and will be trusted by all browsers again.

    Any comments and help wellcome

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig includes all domains of a website (incl. the auto subdomain, alias domains and subdomains) in the letsencrypt SSL cert that it creates and not just one domain. If you create an SSL cert manually with LE, then you can do the same, just specify all domains in that cert.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Btw, are you sure that the certbot command does not run on 32bit? I could not find any info that it works on 64bit only and certbot is the tool that ispconfig uses to create the letsencrypt cert, so I don't see why it should not work on a 32bit server, but I haven't any 32bit systems anymore for years now, so I can't verify that.
  4. muekno

    muekno Member HowtoForge Supporter

    certbot runs on 32 bit, but one of the programms you should install to use letEncrypt as wiriiten in teh manual, seams to be only avaiable in 64bit

    see that post
    problem with HHVM and Let's Encrypt
    Discussion in 'ISPConfig 3 Priority Support' started by muekno, Oct 14, 2016.
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    This thread does not cover letsencrypt or certbot, it is about HHVM only. The chapter 3.1.1 of the manual describes how to install the software that is needed for the HHVM and Letsencrypt features that have been added in ISPConfig 3.1, it nowhere mentions that HHVM is a dependency of certbot.
  6. muekno

    muekno Member HowtoForge Supporter

    Sorry I think you understand me wrong, as I can not install HHVM on my 32bis system I can not user the LetsEncrypt feature in ISPConfig, that means automaticly getting certs from LetsEncrypt and automaticly update the by checking the LetsEncrypt SSL Checkbox.
    So I have to do get the certs manualy useing certbot wich ist ok so far. But with LetsEncrypt it seam I need separate certs for www.mydomain.com an mydomain.com which points to the same website which is possible by defineing a mydomain.com with autosubdomain www. (which is quite userfriendly from ISPConfig)
    certbot lets my create both certs for mydoain.com and www.mydomain.com, but in ISPConfig I can only enter one certificate in the sites SSL tab.
    So the is no problem with certbot, nor realy with HHVM as there is a manual workaround, execept that I can enter only one certificate for may website.

  7. till

    till Super Moderator Staff Member ISPConfig Developer

    I understand you right but you understand me wrong :)

    1) HHVM and Certbot are not related to each other in any way. Neither I nor the manual ever said that they depend on each other.
    2) That you can not install HHVM has nothing to do with the use of Certbot nor creating of SSL certs in ISPConfig.
    3) You do not have to create SSL certs with Certbot manually. Of course, you can do it manually if you prefer to not use the builtin function in ISPConfig, but there is no technical reason for not using the ISPConfig LE function on your server.
    4) An apache server has always just one SSL cert for a vhost and that's why multiple SSL domains are inside the same cert. You may want to reread post #2 of this thread where I explained that.

    I would like to extend that a bit:

    - There is no problem with Certbot.
    - There is no problem with ISPConfig.
    - There is no workaround required.
    - There is no problem with the way SSL certs are handled nor is there such a thing like a one domain per SSL cert limitation that you claimed to exist.

    The only problem here is that you simply do not use the LE function by enabling the Letsencrypt checkbox of the website.

    Note: ensure that you use the latest ISPConfig 3.1.2 and that you do not use any custom vhost templates without adapting them to match the ones from ISPConfig 3.1.2.
  8. muekno

    muekno Member HowtoForge Supporter

    OK so the final question is, does LE function in ISPConfig by enableing the LetEncrypt checkbox work without HHVM which I can not install in case of having a 32bit system
    Thank you

  9. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    Really? You are again asking a question that till has answered in each and every post over and over again? Oh dear. Re-read till's posts for god's sake …
  10. muekno

    muekno Member HowtoForge Supporter

    So as I found out, the simple answer on my question has been, "You do not need HHVM, to use let's Encrypt automatic feature in ISPConfig"
    Sorry I misunderstood the manual under 3.1.1 where I thought HHVM is needed for Let's Encrypt feature,
    Sorry was my fault.

  11. till

    till Super Moderator Staff Member ISPConfig Developer

    No problem :) There is one thing with your manually created LE cert though, you have to completely remove that in the certbot config to be able to use it in ispconfig as certbot will not create the certificate in ispconfig again when it exists in your manual configuration. Do to the certbot config directory and remove all config files and folders / certs of that domain.

Share This Page