Migrating from CertBot to acme.sh

Discussion in 'Installation/Configuration' started by Mr. Goose, Feb 24, 2022.

  1. Mr. Goose

    Mr. Goose New Member

    We recently upgraded from Debian 9 to Debian 10, following the Debian official upgrade guide, c/w similar upgrade guides here. Everything went as planned. Well, we had an issue with the new Dovecot 2.3 config but that was relatively easy to fix. And a simple "force-update" made ISPconfig work just fine too.

    However, a problem has emerged that I hope someone knowledgeable here can help me with please. In a nutshell, we've been using CertBot. At the time we installed it, ISPConfig did not support LetsEncrypt and Certbot seemed the only way to get free SSL certificates. However, Certbot's update script is no longer supported (or works) on Debian 10. And TBH I was never 100% happy with CertBot anyway because it wasn't particularly ISPConfig-friendly either.

    Basically I would like to migrate to acme.sh with an existing (latest) ISPConfig before our current certificates expire. I actually bought the ISPConfig manual, but this scenario does not seem to be covered. And I cannot find it in the forums here either. And I have studied https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/ but that doesn't actually cover this scenario either.

    So, in a nutshell, what do I need to do to move from CertBot to acme.sh in ISPConfig, safely, please?
     
  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This scenario isn't in the faq yet, but it's common enough we might need to consider adding it. Have you searched the forums here? I think that exact scenario was discussed earlier this week (or maybe it was going from acme.sh to certbot).

    Does that mean you do not use the letsencrypt checkbox in site settings? How is it you created the SSL vhost and point it to the letsencrypt certificate currently?
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Certbot is integrated with ISPConfig as well, so why not use it that way?

    Migrating to acme.sh is not a good idea, several users on this forum have tried without success.
     
  4. Mr. Goose

    Mr. Goose New Member

    Thank you for your speedy replies. The box is ticked, but I don't think it does anything. The last cert (and indeed all our certificates so far) was created by running certbot-auto (/opt/certbot/certbot-auto).

    However, certbot-auto no longer works and our certificates expire soon.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

  6. Mr. Goose

    Mr. Goose New Member

  7. till

    till Super Moderator Staff Member ISPConfig Developer

    You posted:

    "The box is ticked, but I don't think it does anything."

    and this:

    https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/

    shows you why nothing happens and how to solve the issue. And this also solves your first question as there is no need to switch anymore. And as others told you already, switching is a really bad idea, at least if you plan to have a working setup afterward without having to reinstall.
     
  8. Mr. Goose

    Mr. Goose New Member

    Quite happy to use Certbot, in principle. But Certbot is broken. certbot-auto is no longer supported. Is there some other way to get a working Certbot? What should I do please?
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    All you have to do is to remove certbot-auto and old certbot program and follow the instructions on certbot website to install a new version via snap.
     
  10. Mr. Goose

    Mr. Goose New Member

    Thank you. Much appreciated. I will look into that right now and get back to you.
     
  11. Mr. Goose

    Mr. Goose New Member

    OK, in case anyone else has used the search engine of your choice and landed up here, the link to the snap installation of certbot is here:-
    https://certbot.eff.org/

    And specifically for Debian 10 (Buster)
    https://certbot.eff.org/instructions?ws=apache&os=debianbuster

    However @till I see that there is finally a dedicated Debian 10 certbot package, already in the Debian repositories c/w correct Python 3 dependencies. Sorry to keep asking you questions. I appreciate you are a busy man. But would it not be better to use the proper Debian package rather than a Snap?
    https://packages.debian.org/buster/certbot

    Seems there are debs for all the modern and near-future Debian releases too:-
    https://packages.debian.org/search?keywords=certbot

    I plan to upgrade to Debian 11 (Bullseye) next year, and I am keen to avoid upgrade issues. Besides, I'm not awfully keen on Snap and only use it when I absolutely have to.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    If I remember correctly, it's a very old version that you get as a Debian package, so not sure if it even works anymore; it has not been updated for 2 years now. I'm not keen on Snap either, and that's one of the reasons all new systems use acme.sh, but there is no good migration path between acme.sh and certbot, and using the snap version has been tested and works.
     
  13. Mr. Goose

    Mr. Goose New Member

    @till Fair comment. Thank you.
    I will leave it a few days, do some more reading then almost certainly do exactly as you suggest. I will also report back when I'm done because it might help other users in a similar situation to mine. Meantime, thanks for all your help. Very much appreciated.
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I share the same feeling for those who are still using certbot that they have to install it via snap, but certbot should be working fine once installed in such fashion. Just don't forget to remove the old certbot installed via apt-get (letsencrypt / certbot) or certbot-auto.
     
  15. Mr. Goose

    Mr. Goose New Member

    OK, I finally sorted my certbot problem. TBH I was dreading doing it and left it until there were only a few days left on our old certificates. lol. "My bad", as they say...

    Anyway, I did exactly as you guys suggested. Instead of attempting to migrate to ACME. I removed the old certbot-auto and its associated scripts, and installed a new certbot via snap. Which seems to have installed perfectly.

    I had a few issues with legacy "mydomain.com.vhost-le-ssl.conf" files. Seems these contained the ssl/port 443 entries whereas the "mydomain.com.vhost" files contained the port 80 stuff. Anyway, I made sure all port 80 and port 443 directives are in the "mydomain.com.vhost" files. Seems ISPConfig did some of these automatically when I tried to renew certs manually, but not all. But with a bit of additional manual tweaking I was able to remove all the "mydomain.com.vhost-le-ssl.conf" files left behind by certbot-auto. Which also means that all sites are properly under the control of ISPConfig now. My "sites-available" and "sites-enabled" directories look much tidier now too, lol.

    I would add that ISPConfig seems to play very nicely with certbot installed via snap and the certs all seem to update automatically too. In fact, I am really rather impressed by how well it all seems to hang together now, compared to how it used to behave under certbot-auto.

    Finally I just wanted to say a big "thank you very much indeed" to all you chaps for all your help in this matter. All very much appreciated. :)
     
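The procedure the thread converges on has two parts: till's advice to remove certbot-auto and any old apt certbot before installing the snap, and Mr. Goose's clean-up of the leftover "mydomain.com.vhost-le-ssl.conf" files once their port 443 directives live in the ISPConfig-managed ".vhost" files. The following shell script is an added example to check both, not code from this thread, from certbot or from ISPConfig. The paths (/opt/certbot/certbot-auto, /usr/bin/certbot as the symlink the certbot snap instructions create, /etc/apache2/sites-available) are the conventional ones; the ROOT argument, the helper names and the sample vhost content used for testing are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): pre- and post-migration checks for
# moving from certbot-auto to the snap certbot on an ISPConfig/Apache host.
# ROOT is an assumed prefix so the checks can be run against a scratch tree.
set -eu

# stale_certbot_report ROOT
# Lists certbot installs that must go before the snap takes over:
#   - certbot-auto under ROOT/opt/certbot or ROOT/usr/local/bin
#   - an apt/pip certbot, i.e. ROOT/usr/bin/certbot as a regular file
# A symlink at ROOT/usr/bin/certbot pointing into /snap is the wanted state.
# Prints one line per finding and a final "stale=N" summary line.
stale_certbot_report() {
  root="${1:-}"
  stale=0
  for p in "$root/opt/certbot/certbot-auto" "$root/usr/local/bin/certbot-auto"; do
    if [ -e "$p" ]; then
      echo "STALE  $p (certbot-auto is unsupported; remove it)"
      stale=$((stale + 1))
    fi
  done
  cb="$root/usr/bin/certbot"
  if [ -L "$cb" ]; then
    case "$(readlink "$cb")" in
      /snap/*) echo "OK     $cb -> $(readlink "$cb") (snap)" ;;
      *)       echo "STALE  $cb -> $(readlink "$cb") (not the snap)"
               stale=$((stale + 1)) ;;
    esac
  elif [ -f "$cb" ]; then
    echo "STALE  $cb is a regular file (apt or pip certbot; apt remove certbot)"
    stale=$((stale + 1))
  else
    echo "NONE   $cb missing (snap not linked yet: ln -s /snap/bin/certbot /usr/bin/certbot)"
  fi
  echo "stale=$stale"
}

# audit_le_ssl_conf DIR
# For every leftover "<site>.vhost-le-ssl.conf" in DIR, reports whether the
# matching "<site>.vhost" already carries a port 443 block with a certificate
# (REMOVABLE) or still needs the SSL directives merged in first (PENDING).
# Prints a final "leftover=N removable=N pending=N" summary line.
audit_le_ssl_conf() {
  dir="$1"
  leftover=0; removable=0; pending=0
  for f in "$dir"/*-le-ssl.conf; do
    [ -e "$f" ] || continue            # glob matched nothing
    leftover=$((leftover + 1))
    base="${f%-le-ssl.conf}"           # a.example.vhost-le-ssl.conf -> a.example.vhost
    if [ -f "$base" ] && grep -q '<VirtualHost [^>]*:443>' "$base" \
       && grep -q 'SSLCertificateFile' "$base"; then
      echo "REMOVABLE $f (443 block already in $base)"
      removable=$((removable + 1))
    else
      echo "PENDING   $f (merge its 443 block into $base first)"
      pending=$((pending + 1))
    fi
  done
  echo "leftover=$leftover removable=$removable pending=$pending"
}
```

On a live host call `stale_certbot_report ""` and `audit_le_ssl_conf /etc/apache2/sites-available`. The audit only confirms that a 443 block with a certificate exists in the ".vhost"; diff each pair before deleting the "-le-ssl.conf", since certbot-auto may have placed directives there that the ISPConfig file lacks, then run `apachectl configtest` and reload Apache. Leaving a stale certbot-auto or apt certbot in PATH is the failure mode the thread warns about, because two renewal mechanisms writing to /etc/letsencrypt will fight over the same certificates.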
