Let's Encrypt with > 100 domains aliases

Discussion in 'HOWTO-Related Questions' started by Figo, Sep 16, 2017.

  1. Figo

    Figo New Member

    Hi there,
    I'm trying to create a LEt's Encrypt SSL certificate within ISPConfig (or with command line).
    But the domain I want a certificate to have approx 180 domains aliases (all of them redirect to the main domain). But Let's Ecnrypt fails if certificates has more than 100 domains...
    How to get a Let's Encrypt certificate only for the main domain?

    I tries to launch certbot manualy, to get the certifcate for the main domain only, but I got this error :
    Code:
    Deploying Certificate for XXX to VirtualHost /etc/apache2/sites-available/XXX.vhost.err-le-ssl.conf
    Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.
    
    Syntax error on line 169 of /etc/apache2/sites-enabled/XXX.vhost.err-le-ssl.conf:
    FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client1/web2/cgi-bin/php5-fcgi-*-80-XXX"
    
    Rolling back to previous server configuration...
    Is there some to help me? Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Certbot / and LE are not able to edit complex apache config files properly, that's what causes the above error. Ensure to delete the file
    /etc/apache2/sites-available/XXX.vhost.err-le-ssl.conf if it still exists as it will block ISPConfig from working too.
    Take a look at the commands that @SpudMuffin used here to create a cert manually without letting LE change any config files: https://www.howtoforge.com/communit...orking-centos-7-4-perfect-server-guide.77335/
     
  3. HSorgYves

    HSorgYves Active Member

    180 domain aliases? I would love to see that setup...
     
  4. Figo

    Figo New Member

    @till : thanks!
    Actually, the certificate is created, I can see it in /etc/letsencrypt/live/
    Now my problem is to create/change/edit my Apache conf file to integrate the SSL config...
    I'm not comfortable with SSSL apache config... Right now, accessing the serveur with https use the ispconfig certificate, that's not good because I want a certificate for all primary domains my server is hosting.
    Does I have to duplicate my current .confg file and adds the right options for Virtualhost XXX:443 ? Does the XXX.conf for :80 is used also when accessed with :443 (= the SSL config must have complete config or le 80 config is used?)
    If I have to duplicate my conf file, how to keep working the php-FPM extension working (especially without breaking ISPCofing, because the server hosts several others sites, so I want to keep the ISPConfig great help!)

    Sorry about my newbie style questions, I'm quite confused with SSL config :(

    @HSorgYves : yes, the apache config file is 1400+ lines ;) not very easy to read :) But becasue it's only redirections to the primary domain, it's not that complicated !
     
  5. HSorgYves

    HSorgYves Active Member

    Why don't you use the Let's Encrypt feature of ISPConfig, it would include all aliases in the cert as well and manage your configuration files too...
     
  6. Figo

    Figo New Member

    Because (see me first post), unfortunately, ISPConfig feature tries to embed all domains aliases redirecting to the site, and certificats are limited to 100 max. I could suspend all aliases to get the certificate, and re-enabled them, but I don't want to do that manual process every 3 months...
     
  7. Figo

    Figo New Member

    And also, on a simplier site (without aliases), process failed because of php-fpm config, same way taht when I triers to run certbot manually on my site with so many aliases
     
  8. ahrasis

    ahrasis Active Member

    Did you solve this yet? I was thinking to suggest the use of vhost aliases instead of normal aliases. You have to enable vhost alias first before you can use it at ISPC > System > Main Config. As the created aliasdomains via ISPC are considered as web sites, you may get away from 100 aliases limit without worry to their LE SSL renewal since ISPC should be able to perform that task. Just a thought...
     
    Last edited: Sep 19, 2017
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess we should add a few lines of code in ISPConfig to add the first 100 domains only so that you get at least a cert for the main domain plus the first 99 aliases.
     
    HSorgYves likes this.
  10. Figo

    Figo New Member

    Thanks @ahrasis!
    Not solved yet...
    I haven't seen any "vhost aliases" in ISPconfig... but as you described it, it would help me! Is this the "Create aliasdomains as web site" option?
    It could be great, but my interface (and config files) will be flooded ;) OK, if I have to choose between "comfort" and "it works", the choice became easy :)

    I keep going on searching to solve my other problem (php-fpm)... I'm not finding many help because I use apache and not Nginx...
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    yes
     
  12. Figo

    Figo New Member

    Or better, an option to choose the cert for the main domain only.
    Or even better, add the ability to choose which domains to include for the cert ;)
    But whatever solution is chosen, it would be great!
     
  13. HSorgYves

    HSorgYves Active Member

    If you enable SSL for less than 100, then all should be included IMHO.
    @till: When you touch that code, maybe think about the wildcard certificates that Let's Encrypt will start supporting in January 2018.
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    As far as I know, you can't use wildcards with domain based auth as we use it now, so that's nothing that we can implement easily. Wildcards require DNS based auth and that's not implemented at all yet.
     
  15. HSorgYves

    HSorgYves Active Member

    @till: I know, that's why I mentioned it ;-)
     
  16. sjau

    sjau Local Meanie Moderator

    If the DNS ist hosted by ISPC then wildcard support is easy... been using DNS-01 with ISPConfig and acme.sh for quite a while now.
     
    ahrasis likes this.
  17. Figo

    Figo New Member

    Buy the way, I succeeded solving my problems.
    I manually created certs with certbot, as I wanted to redirect all traffic to https, I changed my apache conf file to redirect all *:80 to *:443, and moving most of the :80 config to :443, so the FPM config has not changed...
    Although, I ran some tests to get the same FPM pool used by 2 virtual hosts, and I found the solution.
    Here was a standard FPM definition for :80 virtual host:
    Code:
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi_testvm
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi_testvm -socket /var/run/php5-fpm-testvm.sock -pass-header Authorization
    
    To use the same FPM pool in another VirtualHost (port 443 for me), you can use this config:
    Code:
    Action php5-ssl-fcgi /php5-ssl-fcgi
    Alias /php5-ssl-fcgi /usr/lib/cgi-bin/php5-ssl-fcgi_testvm
    FastCgiExternalServer /usr/lib/cgi-bin/php5-ssl-fcgi_testvm -socket /var/run/php5-fpm-testvm.sock -pass-header Authorization
    
    It's just about renaming the alias (action too, but not sure it's mandatory).

    Thanks all for your help!
     

Share This Page