Hello, I have a (simple) question: I have updated from ISPConfig 3.0.x to 3.1 and I've installed Let's Encrypt as described in the HOWTO guide. Will ISPConfig take care of cert renewals or do I also have to set up a cron job? Thanks in advance.
Another question. How does this renewal happen? For pureftpd I need a real fullchain, which you can't get from Let's Encrypt. You have to create it yourself with cat. There is a RENEW_HOOK in certbot, which could be useful for this. Another option would be to just renew the fullchain every 7 days with a cron job and not care whether the certs really changed. What do you think, or how do you do this?
I was going to take the latter approach (blindly rebuild the fullchain in cron) as an interim measure. I believe there's an RFE to add Let's Encrypt support for the "full" control panel (ISPConfig interface, mail services and FTP should be included).
Hmmm, you could also use a different client. I'm using acme.sh at the moment and writing a plugin to use the ISPConfig API for the DNS-01 challenge. The good thing about acme.sh is that it has a three-step process:

1. Get the certs
2. Install/copy the files where you want them...
3. Run some commands (e.g. reload server)

All those steps are then saved in a config. In the 3rd step you would be able to cat the files to where you want them and restart/reload pureftpd. Just as an example, I give you the config file for my cp/mail certs:

Code:
Le_Domain="manager.roleplayer.org"
Le_Alt="mail.roleplayer.org,mail.otherdomain.tld,mail.xxxdomain.tld"
Le_Webroot="/var/www"
Le_PreHook=""
Le_PostHook=""
Le_RenewHook=""
Le_LocalAddress=""
Le_API="https://acme-v01.api.letsencrypt.org"
Le_Keylength="4096"
Le_LinkCert="https://acme-v01.api.letsencrypt.org/acme/cert/xxx"
Le_LinkIssuer="https://acme-v01.api.letsencrypt.org/acme/issuer-cert"
Le_CertCreateTime="1475832597"
Le_CertCreateTimeStr="Fri Oct 7 09:29:57 UTC 2016"
Le_NextRenewTimeStr="Tue Dec 6 09:29:57 UTC 2016"
Le_NextRenewTime="1480930197"
Le_RealCertPath="/usr/local/ispconfig/interface/ssl/ispserver.crt"
Le_RealCACertPath=""
Le_RealKeyPath="/usr/local/ispconfig/interface/ssl/ispserver.key"
Le_ReloadCmd="systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
Le_RealFullChainPath="/usr/local/ispconfig/interface/ssl/ispserver.bundle"

I think the ReloadCmd could be abused to cat the certs into one file.
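
Added example, not part of any post above: a hook script for the "cat the files into one PEM" step discussed in the thread, written so the combined file (which contains the private key) is created mode 600, replaced atomically, and the FTP daemon is restarted only when the contents actually changed. The function name `build_combined_pem`, the three path arguments and the `pure-ftpd` service name are assumptions; adjust them to your system.

```sh
#!/bin/sh
# Added example: combine private key + certificate chain into one PEM
# from a renew/reload hook. Paths and service name are assumptions.
#
# build_combined_pem KEY CHAIN OUT
#   returns 0 if OUT was written, 1 if OUT was already up to date, 2 on error
build_combined_pem() {
    key=$1; chain=$2; out=$3

    # Both inputs must exist and be non-empty.
    [ -s "$key" ] && [ -s "$chain" ] || { echo "missing input file" >&2; return 2; }

    # Catch swapped arguments: KEY must hold a private key, CHAIN a certificate.
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || { echo "not a key: $key" >&2; return 2; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$chain" || { echo "not a cert: $chain" >&2; return 2; }

    # mktemp creates the file with mode 600; same directory as OUT so that
    # the final mv is an atomic rename and the daemon never sees a partial file.
    tmp=$(mktemp "${out}.XXXXXX") || return 2
    cat "$key" "$chain" > "$tmp" || { rm -f "$tmp"; return 2; }

    # Nothing changed since the last run: keep the old file, signal "no restart".
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1
    fi

    chmod 600 "$tmp" && mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
    return 0
}

# Run as: script KEY CHAIN OUT   (e.g. from a cron job or the client's hook)
if [ "$#" -eq 3 ]; then
    build_combined_pem "$1" "$2" "$3"
    case $? in
        0) systemctl restart pure-ftpd ;;   # assumed service name
        1) : ;;                             # unchanged, nothing to do
        *) exit 1 ;;
    esac
fi
```

Because an unchanged file returns 1 without touching the service, the script is safe to run from a blind periodic cron job as well as from a renew hook.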