Let's Encrypt steps for website

Discussion in 'General' started by unsichtbare, Sep 20, 2019.

  1. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Hello,
    I love the Let's Encrypt idea, and it appears to be working on my site - but I don't understand how. I was wondering if we might summarize the steps?
    1. Install using 'The Perfect Server'
    2. In a Domain Config, put a checkbox beside: Let's Encrypt SSL
    3. In SSL tab, Create Certificate
    4. In SSL tab, Save Certificate
    That's it? No need to download certificate/bundle? No need to join letsencrypt.org or register your site?
    What happens after 3 months, which is the validity of the certificate my site is serving?

    THX,
    -J
     
  2. ahrasis

    ahrasis Well-Known Member

    There is no step 3 and 4.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The cert renews automatically.
     
  4. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Incredible! So to get a certificate, I just check the box!?!! Amazing +thanks!
    Is it still one certificate/site per IP?
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It is amazing. The most frustrating work for me was renewing the paid for certificates each year. Even using the notes I made the previous year it was a half a days work of constant struggle. I was very happy for the stuff @ahrasis made.
    LE creates one certificate for the website and all it alias hosts, so it is not always exactly one to one. But almost always it is just tick the box and wait 2 minutes, then you have certificate for that website. Reading this forum, one way to get it not working is to first use certbot from the command line, this creates certificate files that confuse the ISPConfig generated LE stuff.
    I believe IP number plays no role in this, Let's Encrypt certificate does not "certify" the IP-number.
     
  6. unsichtbare

    unsichtbare Member HowtoForge Supporter

    Not so long ago, there was a firm rule about certificates only being applied to one website (and sub-domains) per IP address. You could have unlimited HTTP per IP, but only one of them could be HTTPS.
    I don't think it was a certificate issue, so much as distinguishing host headers on the server side.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    "Long ago" is pretty subjective; sharing one ip address for multiple sites has been supported for years.

    It was an issue at the ssl layer, the web server had no way to know what domain you were wanting to access, and hence what certificate it should present in the ssl conversation, so it simply used a single certificate per ip address, and any http hostnames not included in that certificate would get an error for a certificate name mismatch. SNI fixed that by allowing the client to indicate the hostname it wanted in the initial ssl connection, so the server could know which certificate to use in the ssl connection.

    ISPConfig has supported SNI for I think 8 years; one might almost say, "for a long time. " :)
     
    unsichtbare likes this.
  8. unsichtbare

    unsichtbare Member HowtoForge Supporter

    I was correct in that the second site on the same IP to which I applied a Let's Encrypt certificate is resolving the certificate of the first site!
    #1. IP is 1.2.3.4
    #2. I get a Let's Encrypt certificate for mysite.com on 1.2.3.4 and it works great!
    #3. I get a Let's Encrypt certificate for yoursite.com on 1.2.3.4 and it serves the certificate for my site.com
    In other words: one certificate per IP.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's not the case anymore, see explanation from @Jesse Norell . This would only happen if you use a client without SNI support, but all browsers support SNI for ages and ISPConfig enables SNI by default for many years as well. So what you write is only true in case a client lacks SNI support, but such clients are basically not in use anymore. All other clients will show the correct site. If you get a wrong site with a recent browser, then there is a config issue on your system, e.g. the second site does not has an SSL cert or you made a typo in the domain name or the second site points to a wrong IP or not all sites use the IP, if you mix * and IP, a wrong site must be shown as well.
     
  10. unsichtbare

    unsichtbare Member HowtoForge Supporter

    OK, then my server has a problem. More, as indicated in the FAQ, the Let's encrypt check-boxes are un-checked automatically.
    Only thing I can think of is site where Let's Encrypt works easily is native to this server, and site giving me trouble is migrated from much older ISPconfig.
    Code:
    2019-09-26 05:58:18,399:DEBUG:certbot.main:certbot version: 0.23.0
    2019-09-26 05:58:18,399:DEBUG:certbot.main:Arguments: ['-q']
    2019-09-26 05:58:18,399:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2019-09-26 05:58:18,405:DEBUG:certbot.log:Root logging level set at 30
    2019-09-26 05:58:18,405:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2019-09-26 05:58:18,410:DEBUG:certbot.plugins.selection:Requested authenticator <certbot.cli._Default object at 0x7f4450b3c240> and installer <certbot.cli._Default object at 0x7f4450b3c240>
    2019-09-26 05:58:18,415:INFO:certbot.renewal:Cert not yet due for renewal
    2019-09-26 05:58:18,415:DEBUG:certbot.renewal:no renewal failures
    Any ideas?
     
  11. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    That debug output shows no errors.
    Verify ISPConfig settings for all website the IP Address is the same for every site. That is, either * for all sites or IP-number for all sites. Mixing the two creates the situation of displaying wrong website.
    Certbot version 0.23 seems old, on Debian Stretch I have 0.28.0-1~deb9u2. What OS is your host?
    Check DNS info is correct for the problem website.
    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
    unsichtbare likes this.
  12. unsichtbare

    unsichtbare Member HowtoForge Supporter

    I did read the error Let's Encrypt Error FAQ - but here was the issue:
    I used to host all my websites internally on VMware - but due to aging hardware, decided to move to UpCloud for Linux Webservers.
    UpCloud wants you to use their DHCP-supplied DNS along with your public IP - promised it wouldn't change. What did change was the DNS, so I set to: 8.8.8.8 now everything works!
     
    Last edited: Sep 26, 2019
    till likes this.
  13. Jesse Norell

    Jesse Norell Well-Known Member

    Note that for mail servers you should not use public dns servers, as you won't have as good of spam scanning, since many of the dns rbls have usage limits. In mail servers you should use a local caching, resolving name server (just use the already installed bind server if you also serve dns, otherwise install unbound).
     
    ahrasis and till like this.

Share This Page