Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. felan

    felan Member HowtoForge Supporter

    I usually just use
    Code:
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    letsencrypt-auto --help
     
  2. thibotus01

    thibotus01 Member

    While no one is answering to my previous messages, I have a new permission issue when attempting to renew:

    WARNING:letsencrypt.renewal:Attempting to renew cert from /etc/letsencrypt/renewal/domain.tld.conf produced an unexpected error: ("Couldn't create root for {0} http-01 challenge responses: {1}", 'domain.tld, OSError(13, 'Permission denied')). Skipping.
     
  3. Does the user running the command have permission to create folders in that location? Can you add an strace before the command to see where it fails?
     
  4. thibotus01

    thibotus01 Member

    Yeah it run as root.

    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/domain.tld/fullchain.pem (failure)
    1 renew failure(s), 0 parse failure(s)


    [{WIFEXITED(s) && WEXITSTATUS(s) == 1}], 0, NULL) = 23192
    rt_sigaction(SIGINT, {SIG_DFL, [], SA_RESTORER, 0x7efd3f6bc0e0}, {0x443660, [], SA_RESTORER, 0x7efd3f6bc0e0}, 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    --- SIGCHLD {si_signo=SIGCHLD, si_code=CLD_EXITED, si_pid=23192, si_uid=0, si_status=1, si_utime=0, si_stime=0} ---
    wait4(-1, 0x7ffe86c72710, WNOHANG, NULL) = -1 ECHILD (No child processes)
    rt_sigreturn() = 0
    rt_sigprocmask(SIG_BLOCK, [CHLD], [], 8) = 0
    rt_sigprocmask(SIG_SETMASK, [], NULL, 8) = 0
    exit_group(1) = ?
    +++ exited with 1 +++
     
  5. malaperdas

    malaperdas New Member

    Hi there,
    I used Alex's script, but can't get it to work.
    I'm seeing this in the /var/log/letsencrypt logs:
    Code:
    2016-04-27 20:12:04,302:DEBUG:letsencrypt.main:Exiting abnormally:
    Traceback (most recent call last):
      File "/root/.local/share/letsencrypt/bin/letsencrypt", line 11, in <module>
        sys.exit(main())
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 692, in main
        return config.func(config, plugins)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 504, in obtain_cert
        le_client = _init_le_client(config, auth, installer)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 356, in _init_le_client
        acc, acme = _determine_account(config)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 341, in _determine_account
        config, account_storage, tos_cb=_tos_cb)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/client.py", line 122, in register
        if tos_cb is not None and not tos_cb(regr):
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/main.py", line 337, in _tos_cb
        return obj.yesno(msg, "Agree", "Cancel", cli_flag="--agree-tos")
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/display/util.py", line 164, in yesno
        yes_label=yes_label, no_label=no_label)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/dialog.py", line 3749, in yesno
        kwargs)
      File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/dialog.py", line 1765, in _widget_with_no_output
        widget_name, output))
    PythonDialogBug
    
    Btw, I have the Let's Encrypt git cloned into /opt/letsencrypt folder... does this matter ?
    Should I move it to /etc/letsencrypt? Because there is a file (cli.ini) needed to be placed there.

    UPDATE:
    I had to move it to that folder... silly me
     
    Last edited: Apr 29, 2016
  6. Nemis

    Nemis Member

    till likes this.
  7. felan

    felan Member HowtoForge Supporter

    Nice. Uhm... Do I need to delete the letsencrypt folders in root?
     
  8. Nemis

    Nemis Member

    no. not need.
    if u remove root .local/share/letsencrypt first time u launch cerbot it will reload all necessary stuff here
    (41Mb on my debian8)
     
  9. Ventzy

    Ventzy New Member

    Hi guys, quick question. Is letsencrypt certificate generation supported from remote API call on ISPConfig 3.1?

    I am currently using 3.0.5.4p8 multiserver setup with remove API with few hundred sites, and I need letsencrypt, so I am wondering which is the best route to take. I can wait for ISPConfig 3.1 to go live if I would be able to generate certificates by the API (although the last upgrade of ISPConfig didn't go smoothly), or I can try to make some patch outside of IPSConfig.
     
  10. sjau

    sjau Local Meanie Moderator

    since pretty much everything can be done through the api I think that can also be done. However not using 3.1 yet so I can't say for sure. Did you check the documentation whether it was already added?
     
  11. MitchTalmadge

    MitchTalmadge New Member

    Does ISPConfig automatically generate certificates for added subdomains? For example, if I had already checked the Let's Encrypt box, and the certificates have already been created for a domain and its subdomains, what happens when I add a new subdomain? Currently it doesn't seem to generate any more certificates.
     
  12. CK13

    CK13 New Member

    How do we renew the certificates? Or does ispconfig do it for us?
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig renews the certs automatically.
     
    CK13 likes this.
  14. Schnacki

    Schnacki New Member

    I just installed the Beta 2 because I want to experiment with this.

    Because I currently only have the FQDN of the server that is globally resolvable to this server, I decided to try to get the ISPConfig page itself to be encrypted using an Let's Encrypt certificate. But I seem to be completely unable to find where to tell ISPConfig to use Let's Encrypt for it's own certificate (or for IMAP, SMTP, POP3). Am I blind or is there no GUI for this? What's the preferred way to handle this?

    The server did (does) have a Let's Encrypt certificate for it's FQDN. I had configured ISPConfig 3.0 to use it. But after upgrading (and reconfiguring) ISPConfig fell back to the old (by now expired) certificate.
     
  15. till

    till Super Moderator Staff Member ISPConfig Developer

    Then your manually installed letsencrypt cert is located in the wrong folder. A cert for ispconfig has to be in the ssl folder of ispconfig and must have the correct name.

    ISPConfig uses letsencrypt for websites, not for other services.
     
  16. sjau

    sjau Local Meanie Moderator

    how about adding an option to also get LE certs for the actual ISPC "main domain" name/hostname?
     
  17. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

  18. sjau

    sjau Local Meanie Moderator

    mailserver etc will be more difficult as you can only have a limited amount of fqdn in SAN... that's why I do that seperate on chosen domains for postfix/dovecot
     
  19. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I think the number of SAN names is pretty generous though, like 256? Maybe only 16. In any case, it'd be plenty for the server names of smaller (most common?) setups.

    It'd be nice to have the installer prompt to setup letsencrypt for the server's hostname; it can even use --standalone to configure mail servers that don't have a http server (as long as the firewall allows 80/443 connections).

    Then a second/optional question would be for alternative names for that server, where you could put mail.host.com and such, and the server's certificate be requested with all those names. Also have that list of names accessible in the ispconfig interface under System > Server Config
     
  20. sjau

    sjau Local Meanie Moderator

    current limit is 100 SANs per cert. But what would be smart way from ISPC Interface to add the which SAN to were. You can't use the DNS intro as e.g. you may only want to add mail.domain.tld to postfix/dovecot and domain.tld to sFTP.

    Currently I use a simple setup like this:

    Code:
    #!/usr/bin/env bash 
    
    days=60
    email="[email protected]"
    ispcDomain="ispc.domain.tld"
    
    
    #******************************************************************************#
    #                                                                              #
    #                              HERE BE DRAGONS                                 #
    #                                                                              #
    #******************************************************************************#
    
    
    declare -a maildomains=( "${ispcDomain}"
                             'mail.otherdomain.tld'
                             'mail.newdomain.tld'
                             '....'
                           ) 
    
    for i in "${maildomains[@]}"; do
     domains="${domains} -d ${i}"
    done 
    
    
    # Get the period after which certs should be renewed
    if [[ ! "${days}" -gt 0 ]]; then 
     echo "Couldn't get the correct amount of days after which certs should be renewed." 
     echo "Please check your config and retry." 
     exit 1 
    fi 
    
    fileTime=$(stat -c %Y "/etc/ispcSSL/live/${ispc.domain.tld}/fullchain.pem") 
    curTime=$(date +%s) 
    diff=$(( (curTime - fileTime) / 86400 )) 
    
    if [[ ${diff} -ge ${days} ]]; then 
     cd "/root/letsencrypt/" 
     ./letsencrypt-auto --config-dir /etc/ispcSSL --text --agree-tos --rsa-key-size 4096 --email "${email}" ${domains} -a webroot --webroot-path "/var/www/" certonly 
    
     systemctl reload postfix 
     systemctl restart dovecot 
    fi
    
    Of course I have a config in /etc/apache2/conf-available that rewrites all domain.tld/.well-known folders to /var/www/.well-known.

    As you can also see, I made a seperate folder fo the mail ssl certs in /etc so they won't interfere with the normal one (/etc/ispcSSL).

    The script itself is fairly simple.

    1. Manually supply a list of domains you want to get a cert for
    2. Read out the last modified time of the fullchain.pem (could be improved to read out the actual issue/expiration date using openssl)
    3. If 60 days or more have passed since creation of cert, then request a new cert
    4. Reload/restart services

    P.S.: Still using older git client...
     

Share This Page