Use Acme v2 if supported

Discussion in 'Developers' Forum' started by ahrasis, May 6, 2018.

  1. ahrasis

    ahrasis Active Member

    I have opened this issue at https://git.ispconfig.org/ispconfig/ispconfig3/issues/5030 but I was thinking may be I just talk about it in here as well.

    As discussed at the git, with some minor additions, I was thinking about changing from this (in letsencrypt.inc.php):
    Code:
                        $letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme";
    To this:
    Code:
                        $certbot_version = shell_exec('apt-cache policy certbot | grep -i Installed | tr -d "Installed: "');
                        if ($certbot_version >=0.22) {
                            $acme_version = 'https://acme-v02.api.letsencrypt.org/directory';
                        } else {
                            $acme_version = 'https://acme-v01.api.letsencrypt.org/directory';
                        }
                        $letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server $acme_version --rsa-key-size 4096 --email [email protected]$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme";
    This will allow the usage of Acme v2 for those who have certbot v0.22 and above installed.

    As stated there, this is not intended to support wildcard that is offered via Acme v2 as I understand the difficulty in accessing and updating dns server but could be a first step towards it that need not be that perfect yet.

    I hope this will get a good feedback from the developers.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    That's fine for me, if you tested it and LE still works like before, then please feel free to submit a merge request.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    Just one thing, you can not use apt to find out the certbot version as this will not work on CentOS, Fedora and OpenSuSE. In the 900-le cron file there is a version check which works on all distributions, you might want to use that as basis for your code.
     
  4. ahrasis

    ahrasis Active Member

    Thank you for your feedback @till. Basically the same was pointed out by Florian and Markus too, so it was fixed and it was merged in the git with the following code was used instead.
    Code:
                        $letsencrypt_version = exec($letsencrypt . ' --version  2>&1', $ret, $val);
                        if(preg_match('/^(\S+|\w+)\s+(\d+(\.\d+)+)$/', $letsencrypt_version, $matches)) {
                            $letsencrypt_version = $matches[2];
                        }
                        if ($letsencrypt_version >=0.22) {
                            $acme_version = 'https://acme-v02.api.letsencrypt.org/directory';
                        } else {
                            $acme_version = 'https://acme-v01.api.letsencrypt.org/directory';
                        }
                        $letsencrypt_cmd = $letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server $acme_version --rsa-key-size 4096 --email [email protected]$domain $cli_domain_arg --webroot-path /usr/local/ispconfig/interface/acme";
    
     
    till likes this.

Share This Page