Mirror Server + LetsEncrypt

Discussion in 'Installation/Configuration' started by Tuumke, May 26, 2017.

  1. Tuumke

    Tuumke Member

    I am seeing that letsencrypt dirs are not synchronised. Should this happen with Unison? I checked the (bought) config manual but it's not in there?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Letsencrypt on mirror setups is a problem and not covered yet as mirroring /etc/letsencrypt is not enough, the LE cert would break on the next LE renewal (at least on multiple active nodes) as it is not predictable that the server which requested the new LE cert will receive the callback request. The only option that I see at the moment (beside using DNS based LE verification outside of ISPConfig) is to have /etc/letsencrypt and /usr/local/ispconfig/interface/acme/ on a shared filesystem (e.g. share these folders from master to all slaves with nfs.
     
    Tuumke likes this.
  3. Tuumke

    Tuumke Member

    Okidoki, thnx Till
     
  4. sjau

    sjau Local Meanie Moderator

    Wouldn't it be sufficient on the the mirror to just rsync the /etc/letsencrypt folder regularly?

    I mean the LE certs are valid for 90 days. After 60 days the should get autorenewed.

    So with a daily cron ( rsync -avp /etc/letsencrypt/ [email protected]:/etc/letsencrypt ) it would sync the current certs once per day to the mirror. Since there's a 30-day grace period before the certs expire I think it's not harmful if the sync of the new cert is like 1 day laters.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes and no. The problem is that the site creation on the slave might fail when the ssl cert has not been synced yet and we will have to ensure that the slave does not try to get or renew any LE certs.
     
  6. sjau

    sjau Local Meanie Moderator

    I see. I don't use mirror setup so I know too little about it.
     
  7. Tuumke

    Tuumke Member

    I think im gonna switch back to a single server and just have a 2nd web/mysql host.
     
  8. nighty985

    nighty985 New Member

    Hey Guys,

    i have set up an ISPConfig mirror Setup with two nodes. With Shared IP on 2 local load-balancers. DNS for Websites is set on the Shared-IP.

    i have added an acl in haproxy that the access to "/.well-known/acme-challenge" reach every time only server 1.

    there is a cert-Sync between the servers with unison, all no problem. If Cert gets created, there is no problem with website access, even if automatic loadbalanced.

    My Problem is: 2nd server tries to created Cert Request and i do not know how to prevent him from doing this.

    Is there any chance to let certs only create/requested on server 1? This little thing is missing for me to have a perfect Ispconfig Mirror :)

    thx for help
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    This has been fixed in GIT already, the code is in the stable-3.1 branch, the one that you get when running ispconfig_update.sh and choose git-stable as version. But it's always better to wait for the official release, in this case 3.1.12.
     
    ahrasis likes this.
  10. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    Currently ( I don't use ISPConfig mirror feature ) I use some hackish ( cronjob, not inode watch based yet ) attempt best described in code:
    Code:
    $data = '';
    
    try {
        //* Login to the remote server
        if($backup_session_id = $backup_client->login($backup_username,$backup_password)) {
            $data .= 'Logged into remote server sucessfully. The SessionID is '.$backup_session_id."\n";
            $webseiten = array(10,11,12,13,14);
    //        $webseiten = array(10);
            foreach($webseiten as $id) {
                $r = $backup_client->sites_web_domain_get($backup_session_id, $id);
    
                $filename = '/var/www/'.$r['domain'].'/ssl/'.$r['domain'].'-le.bundle';
                $ssl_bundle = file_get_contents($filename);
                $filename = '/var/www/'.$r['domain'].'/ssl/'.$r['domain'].'-le.crt';
                $ssl_cert = file_get_contents($filename);
                $filename = '/var/www/'.$r['domain'].'/ssl/'.$r['domain'].'-le.key';
                $ssl_key  = file_get_contents($filename);
    
                $r['ssl_bundle'] = $ssl_bundle;
                $r['ssl_cert']   = $ssl_cert;
                $r['ssl_key']    = $ssl_key;
                $r['ssl_action'] = 'save';
    
                $backup_client->sites_web_domain_update($backup_session_id, 0, $id, $r);
            }
            if($backup_client->logout($backup_session_id)) {
                mail('zguzig', 'sync', 'SSL-Zertifikate synchronisiert'. "\n". $data);
            }
    
        }
    
    I just don't use LE on backup-server but let it save the files as it has been issued by some commercial cert provider.
     
    Last edited: May 17, 2018
    ahrasis likes this.
  11. Gabbel

    Gabbel New Member

    I am also using the mirrored solution for ISPconfig. When i click on the Letsencrypt checkbox the certificate is requested and approved for Letsencrypt. But the checkboxes for SSL en Letsencrypt are not checked. Is this also the same problem described by till? The website can be accessed througd https.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    yes
     
  13. Gabbel

    Gabbel New Member

    And i can solve this to create a NFS share and put the LE folder on this share? Or is this solved in the git-stable release?
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    A nfs share is required as the LE cert has to exist on both servers in realtime.
     
  15. Gabbel

    Gabbel New Member

    Can you tell me how to do this? the NFS is clear for me but not how to put the Letsencrypt and acme folder on the NFS share:

    The only option that I see at the moment (beside using DNS based LE verification outside of ISPConfig) is to have /etc/letsencrypt and /usr/local/ispconfig/interface/acme/ on a shared filesystem (e.g. share these folders from master to all slaves with nfs.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Wit the patch, you just have to put /etc/letsencrypt on a shared BFS filesystem. The folder /usr/local/ispconfig/interface/acme/ does not has to be shred anymore.
     
    ahrasis and ztk.me like this.
  17. nighty985

    nighty985 New Member

    I have setup a running Version with Unison and iWatch.

    iWatch Daemon looks for Directory Changes in Letsecrypt folders (see above). And Unison will sync needed Files. Until now, it works ok. I think shared FS should be better as well

    Thx for help
     
    ahrasis and ztk.me like this.
  18. ahrasis

    ahrasis Active Member

    Thanks @nighty985. It sound like this iwatch you mentioned is almost similar to inotifywait.
     
  19. Gabbel

    Gabbel New Member

    What i did right now is i create 3 VPS. 1 NFS and 2 ISPconfig server where the second server is a mirror of the first server. Everything is now working perfect :)
     
    till likes this.
  20. nighty985

    nighty985 New Member

    yes, you´re right, but it is easier to use as daemon:

    when the challenges for letsencryp are created, we have to immediately sync these files. if not, maybe validation fails. this scenario works good for me until now.

    seemts that ispconfig tries in my case 12:06, 03:00 and 00:38 to do something with letsencrypt certificates.
    I got Mails that locks for certbot are created. Maybe this is a check for cert renewals.

    here are the configs (still testing, but maybe it helps someone):
    /etc/iwatch/iwatch.xml:

    Code:
    <?xml version="1.0" ?>
    <!DOCTYPE config SYSTEM "/etc/iwatch/iwatch.dtd" >
    
    <config charset="utf-8">
      <guard email="[email protected]" name="iWatch"/>
      <watchlist>
        <title>Letsencrypt+Webroot</title>
        <contactpoint email="[email protected]" name="nighty"/>
        <path type="recursive" syslog="on" exec="/usr/bin/unison">/etc/letsencrypt</path>
        <path type="recursive" syslog="on" exec="/usr/bin/unison">/usr/local/ispconfig/interface/acme/</path>
        <path type="regexception">.log</path>
      </watchlist>
    </config>
    
    in your Unison these pathes have to be synced, in my case /var/www is also included in the unison profile, but it is not needed to get notified via iwatch for changes.

    additional i have a cron that triggers unison to sync /var/www folder - thats in this case not mission critical.
     

Share This Page