LetsEncrypt ECC Certificates with ISPconfig

Discussion in 'Installation/Configuration' started by Steini86, Feb 1, 2020.

  1. Steini86

    Steini86 Active Member

    Since ECC handshakes are faster than RSA, I wanted to provide them in the future. Have a few questions:
    1) Did someone already manage to get them running with ispconfig and automated renewal?

    As far as I have seen certbot does not support it, so I would have to switch to acme.sh. That seems to be supported by ispc, but I can't find any documentation (?).

    2) Is it enough to remove certbot and install acme.sh (via official guide) or do I have to change some config / reconfigure services?
    3) Where should I make changes (for example to choose cipher strength) to be compatible with future ispc changes?

    Thanks, Johannes

    Edit: Maybe I should bump https://git.ispconfig.org/ispconfig/ispconfig3/issues/4315 ? ;)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, acme.sh support is quite new and not documented yet, but it's fully supported in stable-3.1 branch.

    If ispconfig finds acme.sh and certbot is not installed anymore, then it should start using it as far as I know.
  3. ahrasis

    ahrasis Well-Known Member

    This is great news. I didn't realise this is already in the 3.1 stable branch.
    The code is in letsencrypt.inc.php. You can view it in the git too: https://git.ispconfig.org/ispconfig...le-3.1/server/lib/classes/letsencrypt.inc.php
  4. Steini86

    Steini86 Active Member

    Thanks for the reply. I have switched from certbot to acme.sh and will observe for a few days if everything still works as expected (I have some time, just renewed all certificates). Then I will try to add ECC certs.
    Thanks! Am I right that it should be enough to add "--keylength ec-256" to line 77 in the issue command? Then deactivate letsencrypt for a website and re-enable it to issue a new cert? -> I will just try it with a new subdomain ;)

    I am not sure how the renew works. Is it correct that this is not done by ispconfig (directly), but by the acme.sh cron script?
  5. ahrasis

    ahrasis Well-Known Member

    Me too. Reading from the git, the letsencrypt cron job seems to cover certbot only, so, unless otherwise confirmed, I do think acme.sh will run its own cron job. Check it out here: https://git.ispconfig.org/ispconfig...er/lib/classes/cron.d/900-letsencrypt.inc.php
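The two open questions in posts 4 and 5 (did the "--keylength ec-256" issue actually produce an EC certificate, and is renewal being handled by acme.sh's own cron entry rather than by ISPConfig) can both be checked from the shell. The script below is an added example, not code from the thread, from ISPConfig or from acme.sh. It assumes openssl is installed; the self-signed prime256v1 certificate it generates stands in for an acme.sh-issued one (prime256v1 is the curve acme.sh uses for ec-256), and the crontab line it inspects is constructed for the demo.

```shell
#!/bin/sh
# Added example: verify an EC certificate and an acme.sh renewal cron entry.
# Assumes: openssl on PATH. Certificate and crontab text are constructed here.
set -eu

# Print the public-key algorithm of a PEM certificate: EC, RSA or unknown.
cert_key_type() {
    _alg=$(openssl x509 -in "$1" -noout -text | grep 'Public Key Algorithm' | head -n1)
    case "$_alg" in
        *id-ecPublicKey*) echo EC ;;
        *rsaEncryption*)  echo RSA ;;
        *)                echo unknown ;;
    esac
}

# Print the named curve of an EC certificate (prime256v1 for acme.sh ec-256).
cert_curve() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p' | head -n1
}

# Succeed (exit 0) if the certificate expires within $2 days, i.e. a renewal
# job should act on it; fail otherwise. Uses openssl's -checkend (seconds).
needs_renewal() {
    if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null; then
        return 1   # still valid after the window: no renewal needed yet
    fi
    return 0
}

# Succeed if the crontab text passed as $1 contains an acme.sh --cron entry.
# acme.sh installs such a line for itself; ISPConfig's own letsencrypt cron
# job is not involved in renewing acme.sh certificates.
has_acme_cron() {
    printf '%s\n' "$1" | grep -q 'acme\.sh.*--cron'
}

# Constructed stand-in for an acme.sh-issued cert: self-signed, prime256v1,
# 90 days, written to the directory given as $1. Prints the cert path.
make_demo_ec_cert() {
    openssl ecparam -name prime256v1 -genkey -noout -out "$1/key.pem"
    openssl req -new -x509 -key "$1/key.pem" -subj '/CN=example.invalid' \
        -days 90 -out "$1/cert.pem" 2>/dev/null
    echo "$1/cert.pem"
}

# Stand-alone demo: check the constructed cert and a constructed crontab line.
main() {
    _dir=$(mktemp -d)
    _cert=$(make_demo_ec_cert "$_dir")
    echo "key type: $(cert_key_type "$_cert")  curve: $(cert_curve "$_cert")"
    if needs_renewal "$_cert" 30; then echo "renewal due"; else echo "renewal not due"; fi
    # Constructed crontab line in the shape acme.sh installs for itself.
    _cron='0 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null'
    if has_acme_cron "$_cron"; then echo "acme.sh cron present"; fi
    rm -rf "$_dir"
}

# Run the demo only when executed directly, not when sourced for the functions.
case "${0##*/}" in sh|bash|dash) ;; *) main ;; esac
```

On a live server, point cert_key_type and cert_curve at the certificate ISPConfig links into the site's ssl directory, and feed `crontab -l` output to has_acme_cron; RSA certificates issued before the switch will still report RSA until they are re-issued.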