Supports for acme v2 wildcard

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 12, 2018.

  1. ahrasis

    ahrasis Active Member

    As I search for the implementation of acme v2 wildcard, I found that acme.sh by Neilpang has already implemented it.
    Further samples for multiple subdomains with wildcard can be seen here.
    I am not sure whether certbot has implemented it, but it already stated:
    Since the ETA is 28 February 2018, I think it should be available via certbot as well, soon enough.

    I am not sure when ISPConfig will add this in but most probably in version 3.1.12 or above?
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It is planned to add support for wildcard subdomain SSL certs with LE, but as these certs require dns auth and not webroot auth, we'll have to develop mechanisms for dns auth in ISPConfig first before we can implement that. DNS auth is a bit tricky as it works only when dns for that zone is managed within ISPConfig. If that's not the case, the user must manually add a token to the dns server where he manages dns for that domain before he can request an ssl cert. So as you can see, a lot more potential issues with LE where users might struggle :)
     
  3. ahrasis

    ahrasis Active Member

    How far is DNS auth mechanism being developed currently @till? Where can we find it in the git?
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    We did not start with that yet.
     
  5. ahrasis

    ahrasis Active Member

    I just read this today that Let's Encrypt support for wildcard is already available: https://community.letsencrypt.org/t/acme-v2-production-environment-wildcards/55578

    Hopefully, ISPConfig will also start its support for this soon.

    I also have been looking at 900-letsencrypt.inc.php, which I think is the file that creates / renews Let's Encrypt SSL via ISPConfig. Is this the only file that needs to be looked into and modified to add support for the above Acme V2, or are there any other relevant files as well @till?
     
    Last edited: Mar 15, 2018
  6. Jesse Norell

    Jesse Norell Well-Known Member

    wildcard support requires DNS-01 challenge auth, and ispconfig does not support that yet; iirc, it's on the 3.2 roadmap to be done (possibly switching to auth.sh, or supporting both certbot and auth.sh?)
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    DNS-01 challenge auth is required for wildcard subdomain certs indeed and it's not that easy to implement, especially when ISPConfig is not the dns server of that domain.

    In any case, it's a process of multiple phases with possibly longer wait times, as you'll have to request a token, then publish this in dns, wait until all dns slaves got it and then request the actual cert. When ISPConfig is the dns server, then this can be done automatically, but it may take at least one minute. If ISPConfig is not the dns server, then you'll have to show instructions to the web user, tell him to reconfigure his external dns server, wait until he has done that, verify that he did it correctly and then request the ssl cert.

    As you can see, not as straightforward to implement as the current file based auth mechanism, as it might depend on manual actions of the user that he might have to perform at a different provider or website first. So not only the letsencrypt lib in ISPConfig must be changed, we probably need some kind of wizard as well for users with external dns servers.
     
  8. ahrasis

    ahrasis Active Member

    I don't say it's going to be easy and I know that making perfect code will take a long shot, so take your time on that, but don't make hoping a wrongdoing here.
    However, I do intend to try coding the above in a single server setup on my own, which I think should not be that difficult (but I could be wrong), so that is why I asked for the relevant files to look into.
    I will take note of this too. Thanks for being patient and for all the advice given.
     
  9. Loveless

    Loveless Member

    Meanwhile, you can use certbot and cloudflare to do it all for you. Cloudflare does provide free DNS zone services, as long as you pause all the rest, and you don't need wildcard DNS records (that's a different wildcard limitation, luckily).
    https://gist.github.com/jult/571e476a7f8d24c54c8c238c1ff3a5fe
     
  10. ahrasis

    ahrasis Active Member

    Thanks @Loveless. I already did the wildcard via certbot manually.

    What I am attempting to do now (as a start) is an automation hook so that its issued token can be grabbed and then inserted into the TXT record in ISPConfig single setup server.

    I think, basically, we need it only once, i.e. upon the creation of the new certs; thereafter, as long as the certs are renewed after 60 days and before expiry, it does not need a new token.

    I think it is better to do this gradually, from ISPConfig single server setup, then ISPConfig multiple server setup, then maybe extend it to other external servers via API or whatsoever.
     
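The DNS-01 flow till describes (request token, publish it in dns, wait until every dns slave has it, then request the cert) and the automation hook ahrasis is after can be sketched as a certbot `--manual-auth-hook`. This is an added example, not code from ISPConfig, certbot or anyone in this thread; it assumes certbot's `CERTBOT_DOMAIN` / `CERTBOT_VALIDATION` hook variables, a placeholder zone file standing in for the real DNS store, and `dig` for the propagation check (the `ns1.example.com` / `ns2.example.com` names and `LOOKUP_CMD` override are hypothetical).

```shell
#!/bin/sh
# Hypothetical certbot --manual-auth-hook for the DNS-01 challenge (added example).
# certbot exports CERTBOT_DOMAIN and CERTBOT_VALIDATION to the hook; the record is
# published by appending to a placeholder zone file, not to ISPConfig's real zone data.
set -eu

ZONE_FILE="${ZONE_FILE:-/tmp/acme-zone.txt}"   # placeholder path, assumption

# TXT record owner name for DNS-01. For a wildcard order certbot already passes the
# base name (example.com for *.example.com); a leading "*." is stripped defensively.
challenge_name() {
    printf '_acme-challenge.%s\n' "${1#\*.}"
}

# Publish the validation token. A real hook would call the DNS API / ISPConfig here.
publish_txt() {
    printf '%s. 60 IN TXT "%s"\n' "$(challenge_name "$1")" "$2" >> "$ZONE_FILE"
}

# Poll every authoritative server listed in "$@" until each returns the token, so the
# cert is only requested once all slaves have the record. LOOKUP_CMD can replace dig.
wait_for_propagation() {
    name=$1; token=$2; shift 2
    tries=0
    while [ "$tries" -lt "${MAX_TRIES:-30}" ]; do
        ok=1
        for ns in "$@"; do
            ${LOOKUP_CMD:-lookup_txt} "$ns" "$name" | grep -qF "$token" || ok=0
        done
        [ "$ok" -eq 1 ] && return 0
        tries=$((tries + 1))
        sleep "${SLEEP_SECS:-10}"
    done
    return 1
}

# Default lookup: ask one nameserver directly for the TXT record.
lookup_txt() {
    dig +short @"$1" TXT "$2"
}

# Only act when certbot invoked us (hook environment present); exit 1 aborts the order.
if [ -n "${CERTBOT_DOMAIN:-}" ]; then
    publish_txt "$CERTBOT_DOMAIN" "$CERTBOT_VALIDATION"
    wait_for_propagation "$(challenge_name "$CERTBOT_DOMAIN")" "$CERTBOT_VALIDATION" \
        ns1.example.com ns2.example.com
fi
```

Renewals re-run the hook with a fresh token, so the matching cleanup hook should remove the old TXT record rather than leave stale ones behind.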
