Letsencrypt: automated DNS-01 challenge for ISPC 3.1

Discussion in 'Tips/Tricks/Mods' started by sjau, Nov 25, 2016.

  1. sjau

    sjau Local Meanie Moderator

    Hi there

    I just wanted to let you know that the alternate LE client "acme.sh" now has a DNS API plugin that allows issuing certs through the DNS-01 challenge. This can be useful for getting certs with no corresponding webpage. E.g. you could request a cert for smtp.domain.tld and imap.domain.tld while not having those, or if you host DNS for (sub)domains that aren't accessible from the internet...

    However, the DNS must be hosted by ISPC 3.1 and be publicly available.

    Basic operation:
    1. Add remote user to ISPC that has access to DNS zone function and DNS txt function
    2. Install acme.sh
    3. Export the remote API info by issuing:
    Code:
    export ISPC_User="user"
    export ISPC_Password="password"
    export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"
    export ISPC_Api_Insecure=1
    
    The data will be stored in ~/.acme.sh/account.conf
    Note: The Insecure option controls whether the SSL cert is verified or not. If you already have proper SSL certs for your config panel, then you can set it to 0.
    4. Request a cert by issuing:
    Code:
    acme.sh --issue --dns dns_ispconfig -d smtp.domain.tld -d imap.domain.tld -d private.domain.tld
    
    There are further options like:
    --test for using the staging server so you won't hit the rate limit while testing
    --keylength 4096 for a 4096-bit cert
    --keylength ec-256 (or ec-384) for requesting ECDSA certs with 256 or 384 bit
    There is one drawback however: acme.sh has a 120 seconds wait period so that the according servers can write out the altered zone files.
    5. Certs are stored in ~/.acme.sh/domain.tld if the advanced installation routine with different folders wasn't used
    6. Finally, you can issue a command for installation of the certs like:
    Code:
    acme.sh --installcert -d example.com \
    --certpath /path/to/certfile/in/apache/cert.pem \
    --keypath /path/to/keyfile/in/apache/key.pem \
    --fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
    --reloadcmd "service apache2 restart"
    
    When I got LE certs for ISPC Interface and vanity mailserver certs (mail.domain.tld, not splitting up into smtp/imap) I used this:
    Code:
    acme.sh --installcert -d manager.roleplayer.org \
    --certpath /usr/local/ispconfig/interface/ssl/ispserver.crt \
    --keypath /usr/local/ispconfig/interface/ssl/ispserver.key \
    --fullchainpath /usr/local/ispconfig/interface/ssl/ispserver.bundle \
    --reloadcmd "systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
    
    In Postfix I have:
    Code:
    smtpd_tls_cert_file = /usr/local/ispconfig/interface/ssl/ispserver.bundle
    smtpd_tls_key_file = /usr/local/ispconfig/interface/ssl/ispserver.key
    
    In Dovecot I have:
    Code:
    ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.bundle
    ssl_key = </usr/local/ispconfig/interface/ssl/ispserver.key
    
    For some reason, Dovecot didn't seem to re-read the new certs with just a reload command, hence I had to use the restart command above.
     
    Last edited: Dec 9, 2016 at 8:21 AM
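The fixed 120 seconds wait mentioned in the post above is there because the ISPConfig DNS servers need time to write out the modified zone before Let's Encrypt queries it; if a slave is slow the challenge fails, and if the zone is fast the wait is wasted. The following is an added example, not code from the forum post, from acme.sh or from ISPConfig: a standard-library-only Python pre-flight check that asks each authoritative nameserver directly for the _acme-challenge TXT record and only returns once all of them serve the expected token. The domain, token, server IPs and the `fake_txt_response` helper are constructed for illustration; the token value is whatever the ACME client printed for the order, and the server list is the NS set of the zone hosted on ISPConfig.

```python
# Added example (not from the forum post, acme.sh or ISPConfig): poll the
# authoritative nameservers for the _acme-challenge TXT record instead of
# trusting a fixed sleep. Pure standard library, so it runs anywhere.
import secrets
import socket
import struct
import time

QTYPE_TXT = 16
QCLASS_IN = 1


def build_txt_query(name, txid):
    """Build a minimal DNS TXT query (RFC 1035 wire format), recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", QTYPE_TXT, QCLASS_IN)


def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_txt_answers(msg, txid):
    """Return the TXT strings in the answer section; raise on id mismatch or error rcode."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stale reply)")
    if flags & 0x000F:
        raise ValueError("DNS error, rcode=%d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):                           # skip the echoed question
        _, off = _read_name(msg, off)
        off += 4
    txts = []
    for _ in range(ancount):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_TXT:                         # TXT rdata = sequence of <len><chars>
            parts, i = [], 0
            while i < len(rdata):
                n = rdata[i]
                parts.append(rdata[i + 1:i + 1 + n].decode("ascii", "replace"))
                i += 1 + n
            txts.append("".join(parts))
    return txts


def query_txt(name, server, timeout=3.0):
    """Ask one nameserver (IP string) directly over UDP; returns a list of TXT strings."""
    txid = secrets.randbelow(65536)                    # random id so stale replies are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_txt_query(name, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_txt_answers(data, txid)


def challenge_visible(domain, token, servers, query=query_txt):
    """True once every listed authoritative server returns the expected token."""
    name = "_acme-challenge." + domain
    for server in servers:
        try:
            if token not in query(name, server):
                return False
        except (OSError, ValueError):                  # timeout, SERVFAIL, bad reply: not yet
            return False
    return True


def wait_for_challenge(domain, token, servers, query=query_txt, timeout=600,
                       interval=10, clock=time.monotonic, sleep=time.sleep):
    """Poll until the record is visible on all servers or the deadline passes."""
    deadline = clock() + timeout
    while True:
        if challenge_visible(domain, token, servers, query):
            return True
        if clock() >= deadline:
            return False
        sleep(interval)


def fake_txt_response(query, strings):
    """Constructed reply for offline testing: echoes the question, answers with TXT."""
    txid, = struct.unpack("!H", query[:2])
    answers = b""
    for s in strings:
        rdata = bytes([len(s)]) + s.encode("ascii")
        answers += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, QCLASS_IN, 60, len(rdata)) + rdata
    return struct.pack("!HHHHHH", txid, 0x8180, 1, len(strings), 0, 0) + query[12:] + answers


if __name__ == "__main__":
    # Assumed values: replace with the zone's real NS addresses and the token acme.sh printed.
    ok = wait_for_challenge("smtp.domain.tld", "TOKEN-FROM-ACME-CLIENT",
                            ["192.0.2.53", "198.51.100.53"], timeout=300)
    print("challenge record visible on all servers" if ok else "timed out waiting for DNS")
```

In practice this replaces the blind sleep: run the poll between the hook writing the record and the client asking Let's Encrypt to validate, and pair it with a short `--dnssleep` in acme.sh rather than the default. Querying the authoritative servers by IP, not a recursive resolver, matters because a resolver may cache a negative answer for the name and keep reporting the record as missing after it exists.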
  2. sjau

    sjau Local Meanie Moderator

    Pondering if I should make a small howto out of it.
     
  3. soho

    soho Member

    Likely to help many people.
     
