Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.
I have Let's Encrypt working on subdomains without own zone. A zone is not required!
wtf... I really don't understand. From what I read on Google, LE uses Google DNS servers. nslookup for panel.domain.com on the Google DNS servers worked. I could reach panel.domain.com on 80 and 443 (self-signed); still LE said it didn't understand. When I added a DNS zone for panel.domain.com it worked, not with an A or AAAA record in the zone of domain.com...
It could have been simply a problem at the side of LE.
Thank you very much, ahrasis and other contributors!
Just what I needed.
Just to get it right ...
My setup follows the standard, I guess:
SERVER FQDN => server1.domain.com
If I follow the initial tutorial from this thread and want to get that SSL cert created through the ISPConfig control panel, I would need to ...
1 - create the domain "domain.com" under CLIENT=>DOMAINS
2 - create the site "domain.com" under "SITES=>WEBSITES"
(because you cannot create server1.domain.com directly)
3 - create the subdomain "server1.domain.com" under "SITES=>SUBDOMAIN FOR WEBSITES"
4 - edit "domain.com" under "SITES=>WEBSITES"
and enable SSL + Let's Encrypt SSL
That creates a certificate for domain.com that includes the name server1.domain.com in it.
Is there no other way to have the certificate created only for server1.domain.com???
thx for your help - ralf
Why not? You may need to add server1 to the domain.com DNS zone as an A record, but you can always create server1.domain.com as a site (under Sites > Websites) to have its own LE SSL certs.
Confirmed what ahrasis said. I did so and it works like a charm for both my panels on two single VPS.
I have a small problem, I am unable to renew my letsencrypt certificate.
Not sure why...
Issuer: Let's Encrypt Authority X3
Expires on: Oct 25, 2017
Current date: Nov 1, 2017
I followed this guide and figured the Cron that was setup would take care of this for me.
Check the logs (LE especially) for why, as the renewal is done by LE certbot.
The script works accordingly only when the ISPC domain renewal is successful; so make sure the domain is always accessible and online.
If you can enter your ISPC control panel (via local or public IP), uncheck the SSL and then recheck the LE for your ISPC website manually to try fixing this.
The script should do its work once ISPC domain SSL is renewed by LE certbot.
Thanks but I think it's my stuff-up. I decided to use Certbot via CLI to register 10 domains and some subdomains on the one LE cert (I read somewhere you can do up to 100). I thought it would just be a case of running that command again to update the cert.
Interestingly some of the domains are using it fine, whilst others aren't.
So apologies, it is not the procedure you have provided but rather my own issue.
As a little side note, is there a procedure to revert back to Non SSL CP login?
Remove the ssl-settings from the ispconfig-vhost and restart apache / nginx?
You can do:
1. Go to the path /etc/letsencrypt (on Debian/Ubuntu).
2. Turn off SSL and LE SSL in ISP Panel for this domain and wait for the changes to load. If you can't enter your panel, use the IP address of the server.
3. Remove all files belonging to the particular domain from a few directories: live, renew, archive.
4. Turn on LE SSL and SSL and your domain gets a fresh LE certificate which will work as it should.
You can try updating ISP Panel and, at the question about generating a new certificate, answer "yes". Then your broken LE certificate will be replaced by the self-signed one generated during the ISP update.
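The reset in step 3 above, written out as a small script. This is an added example and not the thread's or ISPConfig's own code; it assumes certbot's default layout under /etc/letsencrypt (live/<name>, archive/<name> and renewal/<name>.conf; the directory the post calls "renew" is named "renewal" in certbot), and LE_DIR can be pointed at a scratch copy to try it without touching the real tree. The function refuses names that look like paths so it can only ever delete one lineage, and it leaves other domains' lineages untouched.

```shell
#!/bin/sh
# Added example (not from the thread): remove one certbot lineage so that
# ISPConfig can request a fresh certificate for the domain afterwards.
# Assumed layout (certbot default):
#   $LE_DIR/live/<name>/        symlinks to the current cert and key
#   $LE_DIR/archive/<name>/     every issued version of cert and key
#   $LE_DIR/renewal/<name>.conf renewal configuration for the lineage
# LE_DIR defaults to /etc/letsencrypt; override it to work on a scratch tree.

remove_lineage() {
    name="$1"
    base="${LE_DIR:-/etc/letsencrypt}"

    # Refuse empty or path-like names so nothing outside the lineage is removed.
    case "$name" in
        ""|*/*|.|..) echo "refusing to remove lineage '$name'" >&2; return 1 ;;
    esac

    # Nothing to do if certbot never issued for this name.
    if [ ! -e "$base/live/$name" ] && [ ! -e "$base/archive/$name" ] \
       && [ ! -e "$base/renewal/$name.conf" ]; then
        echo "no lineage named '$name' under $base" >&2
        return 2
    fi

    rm -rf "$base/live/$name" "$base/archive/$name"
    rm -f  "$base/renewal/$name.conf"
    echo "removed lineage '$name' from $base"
}

# Builds a fake lineage (empty cert files, constructed data) on a scratch tree,
# so the removal can be exercised without a real /etc/letsencrypt.
make_scratch_lineage() {
    base="$1"; name="$2"
    mkdir -p "$base/live/$name" "$base/archive/$name" "$base/renewal"
    : > "$base/archive/$name/privkey1.pem"
    : > "$base/archive/$name/fullchain1.pem"
    ln -sf "../../archive/$name/privkey1.pem"   "$base/live/$name/privkey.pem"
    ln -sf "../../archive/$name/fullchain1.pem" "$base/live/$name/fullchain.pem"
    printf 'archive_dir = %s/archive/%s\n' "$base" "$name" > "$base/renewal/$name.conf"
}

# Counts what is left of a lineage; 0 means it is completely gone.
lineage_remnants() {
    base="$1"; name="$2"; n=0
    [ -e "$base/live/$name" ] && n=$((n+1))
    [ -e "$base/archive/$name" ] && n=$((n+1))
    [ -e "$base/renewal/$name.conf" ] && n=$((n+1))
    echo "$n"
}

# Usage on the real tree (as root), then re-enable LE SSL in ISPConfig:
#   remove_lineage panel.example.com
```

On a current certbot, `certbot delete --cert-name panel.example.com` removes the same three pieces; the script is useful mainly when you want to see exactly what is deleted, or when the lineage is half-broken and certbot itself refuses to handle it.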
@till or any other mods, can we make this a sticky topic? Been searching for it quite a while because I lost it. Found it in my history.
@ahrasis do you have a tutorial somewhere for multiserver setup with LE certs?
Never mind, found https://www.howtoforge.com/communit...utomated-dns-01-challenge-for-ispc-3-1.74850/
If you already have the LE cert for your ISPConfig, how would you get another for mail.domain.tld?
Or better yet, how can we secure our e-mail domains.
Usually someone would use mail.hisdomain.tld for the mail server send/receive. How would we make that secure for all of the domains?
Personally, I would create an aliasdomain for the other servers (like mail.domain.tld etc.) under master-server.domain.tld.
Then I would add new lines of commands to the script (e.g. scp) to transfer a copy of those certs for the other servers' usage.
That way I won't have to unnecessarily install certbot or acme.sh etc. or create a website on the other servers.
Edited: Please refer to post #203 for the scp command.
Yes but that is all 'manual' work then
Pardon me? The script should cover the transfer of the certs to other servers automatically upon their renewal as it does for the main and other services in the master server.
The only manual work to be done is at the beginning, if this guide is to be followed of course.
Even if one is to use certbot or acme.sh to create the certs, they still have to run it manually at the first instance, at all servers that is.
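One way to get the automatic transfer ahrasis describes (copy the master's renewed cert to the other servers and reload their services) without hooking into the ISPConfig renewal script itself. This is an added example, not ahrasis's script from post #203 and not ISPConfig code; it uses certbot's deploy-hook directory (certbot 0.19 or newer runs every executable in /etc/letsencrypt/renewal-hooks/deploy/ after a successful renewal, with RENEWED_LINEAGE set to the live/<name> directory). The host names, target directory and reload commands in TARGETS are constructed values; it assumes the master's root SSH key is authorised on each target.

```shell
#!/bin/sh
# Added example, not the thread's own script: a certbot deploy hook that
# copies the renewed certificate to other servers (mail-only slaves etc.)
# and reloads the services there. Install as
#   /etc/letsencrypt/renewal-hooks/deploy/90-distribute.sh   (chmod +x)
# certbot exports RENEWED_LINEAGE (path of live/<name>) when it runs the hook.
# Assumptions: passwordless root SSH to each target; the paths and reload
# commands below match your postfix/dovecot configuration.

# host:target directory:reload command   (constructed example values)
TARGETS='
mail1.example.com:/etc/ssl/ispconfig:systemctl reload postfix dovecot
mail2.example.com:/etc/ssl/ispconfig:systemctl reload postfix dovecot
'

# Runs a command, or only prints it when DRY_RUN=1 (handy for testing the hook).
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$1"; else sh -c "$1"; fi
}

# The two files worth shipping; refuse to continue if either is unreadable
# rather than copying a partial pair to the remote side.
cert_files() {
    lineage="$1"
    for f in fullchain.pem privkey.pem; do
        [ -r "$lineage/$f" ] || { echo "missing $lineage/$f" >&2; return 1; }
    done
    echo "$lineage/fullchain.pem $lineage/privkey.pem"
}

# Copy the pair to one host, lock down the private key, reload services.
deploy_to() {
    host="$1"; dir="$2"; reload="$3"; lineage="$4"
    files=$(cert_files "$lineage") || return 1
    run "ssh $host mkdir -p $dir"
    run "scp -p $files $host:$dir/"
    run "ssh $host chmod 600 $dir/privkey.pem"
    run "ssh $host $reload"
}

# Entry point: lineage comes from certbot's environment or the first argument.
distribute() {
    lineage="${RENEWED_LINEAGE:-$1}"
    [ -n "$lineage" ] || { echo "no lineage given" >&2; return 1; }
    cert_files "$lineage" >/dev/null || return 1   # check once before touching any host
    echo "$TARGETS" | while IFS=: read -r host dir reload; do
        [ -n "$host" ] || continue
        deploy_to "$host" "$dir" "$reload" "$lineage"
    done
}

# Only act when certbot invokes the hook; sourcing the file defines the functions.
if [ -n "$RENEWED_LINEAGE" ]; then
    distribute
fi
```

To preview what the hook would do for an existing lineage, run `DRY_RUN=1 sh -c '. ./90-distribute.sh; distribute /etc/letsencrypt/live/panel.example.com'`; the private key is the only secret in the pair, which is why it is chmod'ed to 600 on the target right after the copy.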
Is it possible to have LE work in a multi-server ISPConfig environment where I have some slave servers that are email only? I would like to create certs for those servers' postfix and dovecot services but don't have web hosting on those servers, and I understand you can't symlink across servers.
You can create a remote 'api' user in ISPConfig with access to DNS Zone and DNS TXT. Then use the acme.sh to use DNS challenge.
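The DNS-challenge route from the reply above, worked through for one mail-only slave. This is an added example, not acme.sh's or ISPConfig's own documentation; it relies on acme.sh's dns_ispconfig DNS provider, which creates the _acme-challenge TXT record through the ISPConfig remote API and, to my knowledge, reads its settings from the ISPC_User, ISPC_Password and ISPC_Api variables (confirm against the dnsapi/dns_ispconfig.sh shipped with your acme.sh version). The remote user, panel URL, host names and certificate directory are constructed values.

```shell
#!/bin/sh
# Added example (not from the thread): issue and install a certificate on a
# mail-only ISPConfig slave with acme.sh and the DNS-01 challenge, so the
# slave needs no web server and no symlinks from the master.
# Prerequisite: a remote user in ISPConfig (System > Remote Users) with the
# DNS zone and DNS TXT functions enabled; keep its credentials in a root-only
# file and source that file before calling these functions, e.g.
#   ISPC_User='acme-slave'                                     (constructed)
#   ISPC_Password='...'                                        (constructed)
#   ISPC_Api='https://panel.example.com:8080/remote/json.php'  (constructed)

ACME="${ACME:-$HOME/.acme.sh/acme.sh}"

# Runs a command, or only prints it when DRY_RUN=1.
run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$1"; else sh -c "$1"; fi
}

# The dns_ispconfig provider needs all three variables; fail early otherwise.
require_api_creds() {
    for v in ISPC_User ISPC_Password ISPC_Api; do
        eval "val=\${$v:-}"
        [ -n "$val" ] || { echo "$v is not set" >&2; return 1; }
    done
}

# Issue via DNS-01: acme.sh adds _acme-challenge.<host> as a TXT record through
# the API, waits for it to be visible, completes validation and removes it.
issue_mail_cert() {
    host="$1"
    require_api_creds || return 1
    run "$ACME --issue --dns dns_ispconfig -d $host"
}

# Copy key and chain to where postfix/dovecot read them and reload both.
# acme.sh stores this install command and repeats it after each automatic
# renewal from its own cron job, so the services keep a current cert.
install_mail_cert() {
    host="$1"; dir="${2:-/etc/ssl/mail}"
    run "mkdir -p $dir"
    run "$ACME --install-cert -d $host --key-file $dir/privkey.pem --fullchain-file $dir/fullchain.pem --reloadcmd 'systemctl reload postfix dovecot'"
}

# Usage (as root, after sourcing the credentials file):
#   issue_mail_cert mail1.example.com && install_mail_cert mail1.example.com
```

Point postfix (smtpd_tls_cert_file / smtpd_tls_key_file) and dovecot (ssl_cert / ssl_key) at the two files in that directory once; the API user should have only the DNS functions it needs, since anyone holding its credentials can create records in every zone it can reach.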