this is weird... the domainInfo array is populated. Also the get_clientid lookup would fail if groupid was empty. Code: root@manager ~ # ./letsencrypt.php test.sjau.ch Array ( [domain_id] => 61 [sys_userid] => 1 [sys_groupid] => 2 [sys_perm_user] => riud [sys_perm_group] => ru [sys_perm_other] => [server_id] => 1 [ip_address] => * [ipv6_address] => [domain] => test.sjau.ch [type] => vhost [parent_domain_id] => 0 [vhost_type] => name [document_root] => /var/www/clients/client1/web61 [web_folder] => [system_user] => web61 [system_group] => client1 [hd_quota] => -1 [traffic_quota] => -1 [cgi] => n [ssi] => n [suexec] => y [errordocs] => 1 [is_subdomainwww] => 1 [subdomain] => www [php] => fast-cgi [ruby] => n [python] => n [perl] => n [redirect_type] => [redirect_path] => [seo_redirect] => [ssl] => n [ssl_state] => [ssl_locality] => [ssl_organisation] => [ssl_organisation_unit] => [ssl_country] => [ssl_domain] => [ssl_request] => [ssl_cert] => [ssl_bundle] => [ssl_key] => [ssl_action] => [stats_password] => [stats_type] => webalizer [allow_override] => All [apache_directives] => [nginx_directives] => [php_fpm_use_socket] => y [pm] => dynamic [pm_max_children] => 10 [pm_start_servers] => 2 [pm_min_spare_servers] => 1 [pm_max_spare_servers] => 5 [pm_process_idle_timeout] => 10 [pm_max_requests] => 0 [php_open_basedir] => /var/www/clients/client1/web61/web:/var/www/clients/client1/web61/tmp:/var/www/test.sjau.ch/web:/srv/www/test.sjau.ch/web:/usr/share/php:/usr/share/php5:/tmp:/usr/share/phpmyadmin:/etc/phpmyadmin:/var/lib/phpmyadmin [custom_php_ini] => [backup_interval] => none [backup_copies] => 1 [backup_excludes] => [active] => y [traffic_quota_lock] => n [fastcgi_php_version] => [proxy_directives] => [last_quota_notification] => [rewrite_rules] => [added_date] => 2015-10-22 [added_by] => admin ) <?xml version="1.0" encoding="UTF-8"?> <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><SOAP-ENV:Fault><faultcode>data_processing_error</faultcode><faultstring>no_server_error<br /> domain_error_empty<br> hd_quota_error_empty<br /> hd_quota_error_regex<br /> traffic_quota_error_empty<br /> traffic_quota_error_regex<br /> documentroot_error_empty<br /> sysuser_error_empty<br /> invalid_system_user_or_group_txt<br> sysgroup_error_empty<br /> invalid_system_user_or_group_txt<br> allow_override_error_empty<br /> pm_process_idle_timeout_error_regex<br /> pm_max_requests_error_regex<br /> </faultstring></SOAP-ENV:Fault></SOAP-ENV:Body></SOAP-ENV:Envelope> SOAP Error: no_server_error<br /> domain_error_empty<br> hd_quota_error_empty<br /> hd_quota_error_regex<br /> traffic_quota_error_empty<br /> traffic_quota_error_regex<br /> documentroot_error_empty<br /> sysuser_error_empty<br /> invalid_system_user_or_group_txt<br> sysgroup_error_empty<br /> invalid_system_user_or_group_txt<br> allow_override_error_empty<br /> pm_process_idle_timeout_error_regex<br /> pm_max_requests_error_regex<br /> I did now add a print_r($domainInfo); on line 46 But I'll look at that get method you mentioned
First to your error: sites_web_domain_update needs 4 parameters! Third parameter is the domain_id, fourth parameter then the $params array. Querying the current state using sites_web_domain_get works well, however you need to pass the domain_id, not the domain name. Now to your comments in #19: First, I'm well aware of the $argv array. However, when you call your script without parameters as you did in #17 $argv[1] will be undefined. Hence PHP prints "PHP Notice: Undefined offset: 1 in /root/letsencrypt.php on line 25". Second, concerning the two approaches that you proposed in #8 and that I'm commented on: the first approach is what you've implemented with your script. In the second approach, you propose to "autofill the stuff", i.e. to get the data from letsencrypt and fill it into the ssl_cert/ssl_bundle fields in the database and let ISPC act upon as if filled manually. What I propose is different: I propose NOT to fill the fields. Instead, if there is a (new) checkbox ticked in ISPC that letsencrypt manages the certs, ISPC will NOT create files in /var/www/clients/client[client_id]/web[website_id]/ssl, but will set SSLCertificateFile/SSLCertificateKeyFile/SSLCertificateChainFile of the apache configuration for this domain to point to the libencrypt output files in /etc/letsencrypt/live/sub.domain.tld/. Then, letsencrypt can handle the certs automatically and much less regular work needs to be done by ISPC.
I noticed about the 4th parameter. Somehow I deleted that As for how ISPC will handle this later, it might make sense to have such an option/checkbox. Another good option would then also be "Force SSL" in the control panel.
You can also query for domain name by passing an array: array('domain' => 'domain.tld') as $domain_id.
btw Till, you red that little IRC discussion? If I correctly understand, you'd just need to run the (current) letsencrypt-auto script on a daily base and it will auto-renew certs that are close to validation. So that should make ssl-renewel rather simple.
not the -auto but the -renew script... it still has some issues as it sounds like but I'm sure they'll be fixed. So the renew script would then also just update the certs in /etc/letsencrypt/live/domain.tld/{privkey,cert,chain,fullchain}.pem and so ISPC can just link to them in the vhost. Actually sounds easy to manage
For multiserver setup with a single webserver, you just need letsencrypt installed on the webserver. If you had a second webserver that mirrored the first, well, I don't know what the right thing to do would be. This might be the same consideration if/when using a letsencrypt certificate for email, you'd have to put the certificates on the mail server as well. Could setup an rsync of the individual subdomains under /etc/letsencrypt maybe? (You have to keep in mind multiple webservers and/or multiple mail servers.) I don't believe a mailserver could do the letsencrypt setup itself, as the cli output indicates it reconfigures/utilizes apache for challenge/response, and the mail server won't usually have apache. So single server setups, and multiserver setups without mirrored webservers seem pretty doable. What's it take to secure the ispconfig control panel itself? Is it just a prompt during the install.php and/or update.php scripts, run the letsencrypt program then, and generate slightly different vhost config pointing to the subdomain files under /etc/letsencrypt/? Or is that too soon (because apache won't be setup/usable yet for letsencrypt to perform challenge/auth), so it needs done later, say from System > Server Config > {server} > Web?
easy way, https://smallhacks.wordpress.com/2015/11/01/lets-encrypt/ so ISPconfig , on SSL page, per domain may will 1-generate a %domain% cli.ini file. 2-run LE-auto %domain% cli.ini 3-pickup/store SSL on internal db or what have to do to see on SSL page 4-add to cron LE-auto %domain% cli.ini 5-re pickup/store SSL on internal db or what have to do to see on SSL page at every rennovate, with same cron as point 4 done
no. u can generate SSL on remote server, like docker version. all need is that u can let LE write some data on ww page of live server, the put ssl. ssh vpn...
I tend to think using the webroot method is probably the best way to pass the ACME challenge: https://letsencrypt.readthedocs.org...ht=webroot#module-letsencrypt.plugins.webroot For apache it's simply, just extend conf-available and load it. With nginx that piece of code has to go into according domain vhost stanza. Which can easily be achieved when ISPC creates a vhost entry.
i try use webroot for 2 domain (1 in whitelist ,1 not), letsencryp script (or letsencrypt-auto) write the ... /.well-known/acme-challenge/--some-data-- as root (so not exposed to the world ?) and fail to autenticate.
i do the nginx way , add the snippet ,resync isp, restart nginx. i think i (o nginx) have some issue on file/user permission . what user/group own your .well-known subdir?
ok the problem have to comment this part on nginx.conf Code: # location ~ /\. { # deny all; # access_log off; # log_not_found off; # }
