Get SSL certificate for ISPConfig admin from LetsEncrypt?

Discussion in 'Installation/Configuration' started by zkvvoob, May 22, 2016.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The pem file is supposed to be a combination of key and crt files. I used this command to create it:
    Code:
    cat /usr/local/ispconfig/interface/ssl/ispserver.{key,bundle} > /usr/local/ispconfig/interface/ssl/ispserver.pem
    chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem
    
    After it is created you can symlink it to your pure-ftpd.
     
    Last edited: May 22, 2017
  2. Ovidiu

    Ovidiu Active Member

    Thanks but that means a manual intervention after every letsencrypt renewal.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Currently, we use a script to automate the recreation of the said pem file on every LE renewal, so please share if there is any other / better way.
     
  4. Ovidiu

    Ovidiu Active Member

    Is it not possible to "edit" this step and add the creation of a .pem file to the list, so that with every renewal a .pem file is additionally created?
    sjau said:
    5. Install cert and reload/restart services
    The final step is to copy the issued cert to where it's needed. In the case of ISPC this would be
    Code:
    acme.sh --installcert -d ispc.domain.tld \
    --certpath "/usr/local/ispconfig/interface/ssl/ispserver.crt" \
    --keypath "/usr/local/ispconfig/interface/ssl/ispserver.key" \
    --fullchainpath "/usr/local/ispconfig/interface/ssl/ispserver.bundle" \
    --reloadcmd "systemctl reload apache2"
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As suggested by @florian030 in another thread, you may be able to use a --post-hook command, but I personally am not so sure about the right implementation of it as I've never used it before.
     
  6. sjau

    sjau Local Meanie Moderator

    just enhance the --reloadcmd option to something like

    Code:
    cat /usr/local/ispconfig/interface/ssl/ispserver.{key,bundle} > /usr/local/ispconfig/interface/ssl/ispserver.pem; chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem; systemctl reload apache2; systemctl reload pureftpd
    
     
    Last edited: May 24, 2017
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You have to combine the key and fullchain for pureftpd, so you have to "manually" do that with the certbot client (I've not used acme.sh, but I'd guess it's probably the same case or you wouldn't be asking). But you can just create a little script to do that for you and run it from cron, so you don't have to do it manually each time it renews.
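The one-liner in sjau's reply above and the cron script Jesse describes here are the same deploy step. The following is that step written out as a stand-alone script; it is an added example, not code from the thread, from ISPConfig or from acme.sh. The paths are the ISPConfig ones quoted in the thread; the function names, the `BUNDLE_NAME` and `SERVICES` variables (with their assumed unit names) and the `run` argument are this example's own choices. It differs from a plain `cat > file; chmod 600 file` in two ways a defender cares about: the combined file is written under umask 077 and renamed into place, so the private key is never briefly readable with the default permissions, and the key is checked against the certificate before the old pem is replaced, so a half-finished renewal cannot break FTP TLS.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the key+chain file for pure-ftpd
# after a Let's Encrypt renewal and reload the services that use it.
# Paths come from the thread; BUNDLE_NAME, SERVICES (unit names assumed) and
# the function names are this example's own.
set -u

SSL_DIR="${SSL_DIR:-/usr/local/ispconfig/interface/ssl}"
# With the certbot layout shown later in the thread, ispserver.crt already is
# the full chain; set BUNDLE_NAME=ispserver.crt in that case.
BUNDLE_NAME="${BUNDLE_NAME:-ispserver.bundle}"
SERVICES="${SERVICES:-apache2 pure-ftpd-mysql}"   # assumed unit names, adjust

# build_pem KEY BUNDLE OUT
# Concatenate private key and full chain into OUT. The data is written under
# umask 077 to a temporary name and renamed into place, so the key is never
# exposed with default permissions between "cat" and "chmod", and a failed
# run leaves the previous OUT intact.
build_pem() {
    key="$1"; bundle="$2"; out="$3"
    if [ ! -r "$key" ] || [ ! -r "$bundle" ]; then
        echo "build_pem: cannot read $key or $bundle, leaving $out untouched" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$key" "$bundle" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# check_pair KEY CERT
# Succeed only when the public key inside CERT matches KEY. A renewal that is
# interrupted between writing the key and the chain leaves a mismatched pair,
# and a pem built from it would make pure-ftpd reject every TLS session.
check_pair() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# deploy
# The command to put in acme.sh --reloadcmd or certbot --deploy-hook.
deploy() {
    key="$SSL_DIR/ispserver.key"
    bundle="$SSL_DIR/$BUNDLE_NAME"
    if command -v openssl >/dev/null 2>&1 && ! check_pair "$key" "$bundle"; then
        echo "deploy: key and certificate do not match, not deploying" >&2
        return 1
    fi
    build_pem "$key" "$bundle" "$SSL_DIR/ispserver.pem" || return 1
    # reload-or-restart copes with units such as pure-ftpd that have no reload
    for svc in $SERVICES; do
        systemctl reload-or-restart "$svc" || echo "deploy: $svc not reloaded" >&2
    done
}

# "sh deploy-ispconfig-pem.sh run" performs the deployment; without the
# argument only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    deploy
fi
```

The script names its inputs explicitly instead of using `ispserver.{key,bundle}`: brace expansion is a bash feature, and a hook executed by `/bin/sh` on Debian (dash) would pass the literal string to `cat`. If the pure-ftpd certificate path is a symlink pointing at `ispserver.pem`, as suggested earlier in the thread, the rename keeps that link valid; the reverse arrangement (`ispserver.pem` itself being a symlink) would be replaced by a regular file, so keep the symlink on the pure-ftpd side.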
     
  8. chri.s

    chri.s New Member

    A by-the-way question: is it planned to implement the scripts and update scenario in ISPConfig?

    Or, to ask it the other way round: are these upgrade-safe?
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As referred to earlier, a post-hook might be implemented in ISPC for us to take advantage of in the future, especially for automatically running related scripts upon LE cert renewal.

    Other than that, you can use acme.sh as suggested by @sjau earlier in this thread with the modification of reloadcmd above, which I think in theory should work fine.

    But the one already available in ISPC is LE cert creation for websites, so for the time being I'd personally prefer using that with incron and a script to create the required file and restart the relevant services.

    Except for the first one, pending confirmation, I think the second and third options should currently be upgrade-safe.
     
  10. FFH

    FFH Member

    Hi all,
    I followed Jesse's small tutorial for this (using Certbot) and the whole process went through with 0 errors. The issue I have is that after the Apache restart, I am still using the self-signed certificate. Sooo what am I missing? I am a complete noob with this CP (coming from 15 yrs of using DTC, which is now basically dead) but I can find my way around a nix box reasonably well.
    Cheers.
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Run the following command and post what you get:
    Code:
    ls -lt /usr/local/ispconfig/interface/ssl/
    Normally that happens when you did not move your self-signed certs to new names and/or create symlinks to the LE certs in the above folder, or you didn't clear your cookies/caches properly afterwards.
     
  12. FFH

    FFH Member

    Here ya go, cheers.
    Code:
    total 24
    lrwxrwxrwx 1 root root   61 May 25 05:05 ispserver.crt -> /etc/letsencrypt/live/<fqdn>/fullchain.pem
    lrwxrwxrwx 1 root root   59 May 25 05:05 ispserver.key -> /etc/letsencrypt/live/<fqdn>/privkey.pem
    -rwxr-x--- 1 root root   45 May 25 04:43 empty.dir
    -rwxr-x--- 1 root root 3247 May 25 04:43 ispserver.key.old.20170525050458
    -rwxr-x--- 1 root root 2171 May 25 04:43 ispserver.crt.old.20170525050458
    -rwxr-x--- 1 root root 1777 May 25 04:43 ispserver.csr.old.20170525050458
    -rwxr-x--- 1 root root 3311 May 25 04:42 ispserver.key.secure.old.20170525050458
    
     
  13. FFH

    FFH Member

    Actually, never mind. I was still accessing the CP via the IP address instead of the FQDN.

    *Face Palm*
    :rolleyes:

    Thank you for your assistance anyway.

    FFH.
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That seems correct already. Maybe it is just because of old caches/cookies in your browser.
     
  15. Gixxa

    Gixxa New Member

    This worked perfect :) Question:

    Do I have to renew the certificate by hand or does ISPConfig do this on its own?
     
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No, it will be renewed by ISPConfig's cronjob.
     
  17. GarGamel55

    GarGamel55 Member

    Hi,
    For me, auto renewal didn't work (SEC_ERROR_EXPIRED_CERTIFICATE).
    I can not access my ISPConfig panel anymore :(
    How can I manually renew this certificate?

    Thanks
     
  18. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That might depend on how you installed letsencrypt, but if the certificate was issued via ISPConfig, I would look into why the renewal is failing (see the letsencrypt FAQ).
     
  19. GarGamel55

    GarGamel55 Member

    I used the method explained above:

    Code:
    /root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
    
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
    
    service apache2 restart
    It worked well for 90 days.
    I installed Let's Encrypt with this tutorial: https://www.howtoforge.com/tutorial...-9-stretch-apache-bind-dovecot-ispconfig-3-1/
     
  20. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That tutorial says to run 'apt-get install certbot', in which case you could run "certbot renew" to request renewal. However, if that is indeed how you installed certbot, then the "/root/.local/share/letsencrypt/bin/letsencrypt" command you posted would never have worked; if you are positive that it did, perhaps you followed multiple instructions and installed both the certbot package and installed letsencrypt from source? (I suppose it's also possible that tutorial had different instructions at one time and they were changed to simplify installation.)
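Two failure modes run through this thread: the interface still serving the installer's self-signed certificate (posts 10 to 14), and the certificate expiring because the renewal job stopped working (posts 17 to 20). Before touching any files, a read-only check of what is actually on disk answers both questions. The script below is an added example, not code from the thread or from ISPConfig; it assumes the file names and directory from the listing in post 12 and uses openssl to read the certificate, and the function names and the `WARN_DAYS` threshold are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the thread): inspect the ISPConfig interface
# certificate files without modifying them. Paths and file names follow the
# thread; function names and WARN_DAYS are this example's choices.
set -u

SSL_DIR="${SSL_DIR:-/usr/local/ispconfig/interface/ssl}"
WARN_DAYS="${WARN_DAYS:-14}"   # assumed threshold; LE renews at 30 days left

# resolve_link NAME
# Print the file SSL_DIR/NAME finally refers to; fail when it or a symlink
# target is missing. A dangling ispserver.crt symlink is one way Apache ends
# up still serving the self-signed pair it loaded at its last good start.
resolve_link() {
    p="$SSL_DIR/$1"
    if [ ! -e "$p" ]; then
        echo "$1: missing or dangling symlink" >&2
        return 1
    fi
    readlink -f "$p"
}

# cert_issuer FILE
# Print the issuer, which separates a Let's Encrypt chain from the
# self-signed certificate the ISPConfig installer generates.
cert_issuer() {
    openssl x509 -in "$1" -noout -issuer
}

# cert_expires_within FILE DAYS
# Succeed when the certificate expires within DAYS days (or already has).
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))"
}

# check_interface_cert
# 0: files resolve and the certificate is not about to expire
# 1: a file is missing or unreadable, so the web server cannot be using it
# 2: the certificate expires within WARN_DAYS, so renewal is not happening
check_interface_cert() {
    key=$(resolve_link ispserver.key) || return 1
    crt=$(resolve_link ispserver.crt) || return 1
    echo "key -> $key"
    echo "crt -> $crt"
    if ! openssl x509 -in "$crt" -noout >/dev/null 2>&1; then
        echo "$crt is not a PEM certificate" >&2
        return 1
    fi
    cert_issuer "$crt"
    if cert_expires_within "$crt" "$WARN_DAYS"; then
        echo "certificate expires within $WARN_DAYS days; check the renewal job" >&2
        return 2
    fi
}

# "sh check-ispconfig-cert.sh run" performs the check; without the argument
# only the functions are defined, so the file can be sourced.
if [ "${1:-}" = "run" ]; then
    check_interface_cert
fi
```

Against the listing in post 12 this prints the two `/etc/letsencrypt/live/<fqdn>/` targets and a Let's Encrypt issuer line, which confirms the files are right and points to the browser (cache, or connecting by IP rather than FQDN) as in post 13. For the situation in post 17 it exits with status 2, and because `-checkend` also reports certificates that have already expired, running it from cron with an alert on a non-zero exit catches a stalled renewal well before the panel becomes unreachable.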
     