Hi there, I just wanted to let you know that the alternate LE client "acme.sh" now has a DNS API plugin that will allow issuing certs through the DNS-01 challenge. This can be useful for getting certs with no corresponding webpage. E.g. you could request a cert for smtp.domain.tld and imap.domain.tld while not having those, or if you host DNS for (sub)domains that aren't accessible from the internet... However the DNS must be hosted by ISPC 3.1 and be publicly available.

Basic operation:

1. Add a remote user to ISPC that has access to the DNS zone function and the DNS txt function
2. Install acme.sh
3. Export the remote API info by issuing:
Code:
    export ISPC_User="user"
    export ISPC_Password="password"
    export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"
    export ISPC_Api_Insecure=1
The data will be stored in ~/.acme.sh/account.conf
Note: The Insecure option is whether to verify the SSL cert or not. If you already have proper SSL certs for your config panel, then you can set it to 0.
4. Request a cert by issuing:
Code:
    acme.sh --issue --dns dns_ispconfig -d smtp.domain.tld -d imap.domain.tld -d private.domain.tld
There are further options like:
--test for using the staging server so you won't hit the limit while testing
--keylength 4096 for a 4096-bit cert
--keylength ec-256 (or ec-384) for requesting ECDSA certs with 256 or 384 bit
There is one drawback however: acme.sh has a 120 second wait period so that the corresponding servers can write out the altered zone files.
5. Certs are stored in ~/.acme.sh/domain.tld if the advanced installation routine with different folders wasn't used
6. Finally, you can issue a command for installation of the certs like:
Code:
    acme.sh --installcert -d example.com \
      --certpath /path/to/certfile/in/apache/cert.pem \
      --keypath /path/to/keyfile/in/apache/key.pem \
      --fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
      --reloadcmd "service apache2 restart"

When I got LE certs for the ISPC interface and vanity mailserver certs (mail.domain.tld, not splitting up into smtp/imap) I used this:
Code:
    acme.sh --installcert -d manager.roleplayer.org \
      --certpath /usr/local/ispconfig/interface/ssl/ispserver.crt \
      --keypath /usr/local/ispconfig/interface/ssl/ispserver.key \
      --fullchainpath /usr/local/ispconfig/interface/ssl/ispserver.bundle \
      --reloadcmd "systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"

In Postfix I have:
Code:
    smtpd_tls_cert_file = /usr/local/ispconfig/interface/ssl/ispserver.bundle
    smtpd_tls_key_file = /usr/local/ispconfig/interface/ssl/ispserver.key

In Dovecot I have:
Code:
    ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.bundle
    ssl_key = </usr/local/ispconfig/interface/ssl/ispserver.key

For some reason, Dovecot didn't seem to re-read the new certs with just a reload command, hence I had to use the restart command above.
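The steps above, wrapped into one script as an added example (not code from the thread or from the acme.sh project). It adds the two checks a practitioner would want around the procedure: a pre-flight check of the ISPC_* variables that the dns_ispconfig hook reads (flagging a plain-http API URL and the ISPC_Api_Insecure=1 setting, which skips verification of the panel's certificate), and a post-install check that the cert and key handed to Postfix/Dovecot actually belong together before the reloadcmd puts them live. The acme.sh path, the domain names and the install directory are assumptions taken from the thread's example and should be replaced.

```shell
#!/bin/sh
# Added example, not from the thread or the acme.sh project. Assumes acme.sh is
# installed at $HOME/.acme.sh/acme.sh (override with ACME=...); the domain names
# and the install directory below are placeholders from the thread's example.
set -eu

# Pre-flight: verify the variables that acme.sh's dns_ispconfig hook reads.
# Returns 0 when usable, 1 when something is missing or the API URL is not
# https (the remote-API password is sent in the request body).
check_ispc_env() {
  rc=0
  [ -n "${ISPC_User:-}" ]     || { echo "missing: ISPC_User" >&2; rc=1; }
  [ -n "${ISPC_Password:-}" ] || { echo "missing: ISPC_Password" >&2; rc=1; }
  case "${ISPC_Api:-}" in
    https://*/remote/json.php) ;;
    http://*) echo "ISPC_Api is plain http; the password would be sent in clear" >&2; rc=1 ;;
    *) echo "ISPC_Api should look like https://host:8080/remote/json.php" >&2; rc=1 ;;
  esac
  # Insecure=1 skips verification of the panel's certificate: only acceptable
  # until the panel itself has a trusted cert, then set it to 0.
  if [ "${ISPC_Api_Insecure:-0}" = "1" ]; then
    echo "warning: ISPC_Api_Insecure=1 (panel cert is not verified)" >&2
  fi
  return "$rc"
}

# Post-install: the cert and key given to Postfix/Dovecot must belong together,
# otherwise the reloadcmd leaves daemons that fail every TLS handshake.
# Returns 0 if the public key in cert $1 equals the public key of private key $2,
# 1 if they differ, 2 if either file cannot be parsed.
cert_matches_key() {
  c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
  k=$(openssl pkey -in "$2" -pubout) || return 2
  [ "$c" = "$k" ]
}

ACME="${ACME:-${HOME:-/root}/.acme.sh/acme.sh}"
SSLDIR=/usr/local/ispconfig/interface/ssl   # install directory used in the thread

# Only drive acme.sh when explicitly asked ("./le-ispc.sh issue [--test]"), so
# the file can also be sourced just for the two functions above.
if [ "${1:-}" = "issue" ]; then
  shift
  check_ispc_env
  # extra arguments such as --test or --keylength ec-256 are passed through
  "$ACME" --issue --dns dns_ispconfig "$@" \
    -d smtp.domain.tld -d imap.domain.tld             # placeholder names
  "$ACME" --installcert -d smtp.domain.tld \
    --certpath      "$SSLDIR/ispserver.crt" \
    --keypath       "$SSLDIR/ispserver.key" \
    --fullchainpath "$SSLDIR/ispserver.bundle" \
    --reloadcmd "systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
  cert_matches_key "$SSLDIR/ispserver.bundle" "$SSLDIR/ispserver.key" \
    || { echo "installed cert and key do not match" >&2; exit 1; }
fi
```

Run it as `./le-ispc.sh issue --test` first (staging, no rate limit), then without `--test`. The export commands from step 3 must be in the same shell session, or already persisted in ~/.acme.sh/account.conf from an earlier run.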
A "how to" would be very fine. I don't understand where to put the commands in basic instructions part 3.
On the machine where you have acme.sh installed. Because of DNS-01, every computer that can run bash can request a cert through the DNS-01 method. All you need to do is first provide the login data for the remote API (export commands) and then request a cert.
In looking at this method (acme.sh talking to the ispconfig remote API), it appears there is no way to restrict an API user to specific zones, is that correct? I.e. it would not work to allow a client to use this method to maintain their own DNS zone, because they would have access to all other zones as well?
Seems like the ability for a client to use acme.sh's ISPConfig plugin to update their own zones would be useful, so: https://git.ispconfig.org/ispconfig/ispconfig3/issues/5145