Substitute acme.sh for certbot during installation

Discussion in 'Installation/Configuration' started by TonyG, Aug 22, 2020.

  1. TonyG

    TonyG Member

    As noted in another thread, I installed v3.1.15 over Ubuntu v20. Step 9 of the "Perfect Server" article for Ubuntu simply says "apt-get -y install certbot". I prefer acme.sh and installed that instead. From there the installation packages generate the certs.

    I don't know where ISPConfig components expect certs to be stored. acme.sh installs to the home folder of the current user, and also puts certs under that folder. I installed as root because I didn't know what user/group should be used. This configuration is not working, probably because of permissions, and probably because the certs are not found by components. Specifically, HTTPS to the site is not working. I can probably fix that one issue myself, but if that isn't working then it seems reasonable that other certs aren't correctly set either. So I believe I need to understand how this is all working, and then fix and confirm each location.

    Can someone please clarify where certs are placed as the installation proceeds, so that I can ensure these get replaced by new acme.sh updates. I can just look for key files but I'd rather be focused about where to look, and understand the package, rather than brute-forcing information out of the system.

    Is there some documentation for how to properly install acme.sh rather than certbot for ISPConfig 3? Maybe "everything you wanted to know about certs in a ISPConfig environment"? Please feel free to point me to pages to RTM. If there is none, I'd be happy to write it based on whatever info I find in these forums.

    It looks like PureFTPd needs a cert - I didn't install PureFTPD.
    It looks like Postfix needs a cert - I definitely need that. Would the solution here be found in Postfix resources?
    ISPConfig needs a cert for the UI - I'm using Apache and can probably fix that on my own if this is pure Apache.

    I don't know what I don't know, so some guidance on this is welcome.

    I posted similar notes in this thread about migration from certbot to acme.sh. This thread is different. As I learn more about ISPConfig, I believe that was the wrong thread for my situation. My situation is "I'd like to use acme.sh instead of certbot" and I thought that was the same as "migrating" to acme.sh. But now I think I know better. Installing from scratch is probably different than installing certbot and then migrating to acme.sh.

    Thanks!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig downloads and installs acme.sh on its own when certbot is not present in 3.1dev (not sure if acme.sh is supported in 3.1.15 already), so no need for a manual install on ISPConfig versions with acme.sh support. acme.install is used for website certs only in the current stable version and not at install stage currently.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    3.1dev also supports Ubuntu 20, so it'd probably resolve most of your issues by updating to that, but would also cut short your learning, through which I am looking forward to some good documentation, so if you keep down your current path:
    As @till mentioned, acme.sh isn't used during installation, the installer can only generate a self-signed certificate currently.
    The installer creates self-signed certificate files under /usr/local/ispconfig/interface/ssl/; you can replace those with a symlink to ones that you setup.
    There's probably not a document for that, just forum discussion and code. Take a look at server/lib/classes/letsencrypt.inc.php, which is the only place acme.sh is called - it shows install_acme() which does a standard install, ie. results in /root/.acme.sh/ for install path. get_website_certificate_paths() shows that website certs are stored in the 'ssl' directory of the website (so /var/www/clients/client#/web#/ssl/) - it is possible that would be a symlink to the actual cert under /root/.acme.sh/, or could be the actual files, I don't have a live acme.sh based web server to check.
    You might note that the 3.1.15 version of server/lib/classes/letsencrypt.inc.php doesn't have any mention/use of acme.sh.
    Lots of threads in the forum on this, but read https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/ and the LE4ISPC script for the most common setup. Here is another example setup for a mail server node, and I think I've posted other scripts for pure-ftpd and other services at points (I don't find them right off, so no links). In short, the installer doesn't support server certificates yet, so you have to set the pieces up yourself.
     
  4. TonyG

    TonyG Member

    I have manually installed a cert via acme.sh, and set the related keys for ispconfig, postfix, dovecot, and MySQL/MariaDB.
    I think it's all working but it will take a while to verify that.
    The funny thing is that don't know how to test to see if anything is broken, or if certs are not being used somewhere.
    Suggestions? Logs? UI indicators?

    Info sources include this thread and:
    https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/
    https://github.com/ahrasis/LE4ISPC
    https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/


    Thanks!!
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer ISPConfig Developer

    Just connect to the services you setup (ispconfig, postfix, dovecot and mysql) and see what certificate is presented, and if you have the intermediary certificates so you can verify trust. That doesn't test a certificate rollover and whatever you setup to monitor for certificate changes and restart services, but it at least shows if the certificates are setup correctly.
     

Share This Page