Let's Encrypt renewal after upgrade

Discussion in 'Installation/Configuration' started by afonic, Oct 24, 2016.

  1. afonic

    afonic New Member

    Hello,

    A have a (simple) question: I have updated from ISPconfig 3.0.x to 3.1 and I've installed Let's Encrypt as described at the HOWTO guide.

    Will ISPconfig take care of cert renewals or do I also have to setup a cronjob?

    Thanks in advance.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPconfig takes care to renew letsencrypt certs that you created in ispconfig 3.1.
     
  3. afonic

    afonic New Member

    Thanks a lot for the reply!
     
  4. LyrX

    LyrX New Member

    Another question.
    How does this renew happen?
    For pureftpd i need a really fullchain which you cant get from letsencrypt. You have to create it by yourself with cat. There is a
    RENEW_HOOK in certbot, which could be usefull for this.
    Another option would be just die renew the fullchain every 7 days with a cron and dont care about if the certs did really change.
    What do you think or how do you do this?
     
  5. Jesse Norell

    Jesse Norell Active Member

    I was going to take the latter approach (blindly rebuild fullchain in cron) as an interim measure. I believe there's a rfe to add letsencrypt support for the "full" control panel (ispconfig interface, mail services and ftp should be included).
     
    LyrX likes this.
  6. sjau

    sjau Local Meanie Moderator

    Hmmm, you could also use a different client. I'm using acme.sh at the moment and writing a plugin to use ISPConfig API for DNS-01 challenge.
    The good thing about acme.sh is that it has a three step process.
    1. Get the certs
    2. Install/Copy the files where you want them...
    3. Run some commands (e.g. reload server)
    All those steps are then saved in a config.
    In the 3. step you could be able to cat the files to where you want them and restart/reload pureftpd

    Just as example I give you the config file for my cp/mail certs:
    Code:
    Le_Domain="manager.roleplayer.org"
    Le_Alt="mail.roleplayer.org,mail.otherdomain.tld,mail.xxxdomain.tld"
    Le_Webroot="/var/www"
    Le_PreHook=""
    Le_PostHook=""
    Le_RenewHook=""
    Le_LocalAddress=""
    Le_API="https://acme-v01.api.letsencrypt.org"
    Le_Keylength="4096"
    Le_LinkCert="https://acme-v01.api.letsencrypt.org/acme/cert/xxx"
    Le_LinkIssuer="https://acme-v01.api.letsencrypt.org/acme/issuer-cert"
    Le_CertCreateTime="1475832597"
    Le_CertCreateTimeStr="Fri Oct  7 09:29:57 UTC 2016"
    Le_NextRenewTimeStr="Tue Dec  6 09:29:57 UTC 2016"
    Le_NextRenewTime="1480930197"
    Le_RealCertPath="/usr/local/ispconfig/interface/ssl/ispserver.crt"
    Le_RealCACertPath=""
    Le_RealKeyPath="/usr/local/ispconfig/interface/ssl/ispserver.key"
    Le_ReloadCmd="systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
    Le_RealFullChainPath="/usr/local/ispconfig/interface/ssl/ispserver.bundle"
    
    I think the ReloadCmd could be abused to cat the certs into one file.
     
    LyrX likes this.
  7. LyrX

    LyrX New Member

    Thanks! I added a cron witch is executed at 5am every day.
    Excuse me but what does "rfe" mean?
     
  8. Jesse Norell

    Jesse Norell Active Member

    request for enhancement, aka feature request.
     

Share This Page