Hello all,

I'm just starting to get to grips with ISPConfig. So far I'm getting along quite well, only I have a small problem with the config interface. How can I assign alternative DNS names to the SSL certificate under /usr/local/ispconfig/interface/ssl? If I enter the data in /root/.acme.sh/server.name/*.conf, the entries are deleted after a call to ispconfig_update.sh. In the interface itself I have not yet found a form where I can make this change. Does anyone have a hint for me?

Thanks a lot.
With kind regards
Frank
Don't change those config files manually, and don't run acme.sh from the command line yourself (warning you in advance). There is currently no guide for that. If you're interested, I can write it up when I'm in the office.
Yes, they are other hostnames than the one belonging to the website. If I use the certificate from the website, maybe Postfix and Dovecot are not restarted after the certificate update to load the new certificate.

Real hostname: server24.domain.tld

The following must be added as aliases only in the certificate for the interface, for historical reasons:

hosting24.domain.tld
mail.domain.tld
smtp.domain.tld
imap.domain.tld
pop3.domain.tld

PS: the real website may well be located on a different server and use different hostnames. I think it is enough for me to add the required alias names to the certificate manually. The real website will not get a wildcard certificate either, so I don't think there can be any problems.

Frank
I think it is possible to manually create LE certs for multiple domains that may be used by ISPConfig later. So, depending on what LE client your ISPConfig server is using, simply create the cert in advance with parameters that put the server's main hostname first, before the others, then run a forced update of ISPConfig SSL using the latest git development version (as there are some bugs in the stable release), choosing to create SSL certs during that process. You must, however, make sure that the renewal config file for the main hostname is changed accordingly to allow the use of the pre and post hook scripts necessary to reload / restart certain services upon renewal, which you can learn from your working ISPConfig server.
Can you please explain this to me in more detail? I've only been "experimenting" with ISPConfig for a few days. I'm trying to switch from imscp to ISPConfig right now, but still have some minor concerns. Or does @Th0m have another idea?
Here it is.

- Create a site "panel.example.com" (or whatever the main name that the panel is reached on should be)
- Enable LE for this site
- When it succeeds, run these commands (change panel.example.com to the correct hostname):

Code:
    cd /usr/local/ispconfig/interface/ssl/
    # Keep timestamped backups of the current certificate, key and pem
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    # Point the interface at the certificate and key that acme.sh keeps for the site
    ln -s /root/.acme.sh/panel.example.com/fullchain.cer ispserver.crt
    ln -s /root/.acme.sh/panel.example.com/panel.example.com.key ispserver.key
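Added example, not part of the original posts: a shell check that the certificate now linked as ispserver.crt really lists every hostname that mail and panel clients connect to. The function names are made up for this example, the hostnames are the placeholders from the thread, and the sample SAN line is constructed.

```shell
#!/bin/sh
# Added example: report hostnames that a certificate's subjectAltName does
# not cover. Function names are hypothetical; hostnames are the thread's
# placeholders.

# Turn a SAN line ("DNS:a, DNS:b, IP Address:...") on stdin into bare,
# lower-cased DNS names, one per line.
san_names() {
    tr ',' '\n' | sed -n 's/^[[:space:]]*DNS:\(.*\)$/\1/p' | tr 'A-Z' 'a-z'
}

# Print the DNS SAN entries of the PEM certificate at path $1.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | san_names
}

# covered NAME SANLIST: succeed if NAME matches an entry exactly or through
# a single-label wildcard (*.domain.tld covers mail.domain.tld only).
covered() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parent="*.${name#*.}"
    printf '%s\n' "$2" | grep -Fxq -e "$name" -e "$parent"
}

# missing_sans SANLIST NAME...: print every NAME the certificate lacks.
missing_sans() {
    have=$1; shift
    for n in "$@"; do
        covered "$n" "$have" || printf '%s\n' "$n"
    done
}

# Names the services are reached under (placeholders from the thread).
required='server24.domain.tld hosting24.domain.tld mail.domain.tld
smtp.domain.tld imap.domain.tld pop3.domain.tld'

# Constructed sample SAN line: a certificate issued without pop3.
sample='DNS:server24.domain.tld, DNS:hosting24.domain.tld, DNS:mail.domain.tld, DNS:smtp.domain.tld, DNS:imap.domain.tld'

if [ -n "$1" ]; then
    found=$(cert_sans "$1")      # real certificate given as first argument
else
    found=$(printf '%s\n' "$sample" | san_names)
fi
missing_sans "$found" $required
```

Run it with /usr/local/ispconfig/interface/ssl/ispserver.crt as the argument after issuance and after each renewal; no output means every required name is covered.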
You can always use the DNS challenge if you get the LE certs manually; that is why I advised the above. Plus, I have been using this method for more than 4 years, ever since the ISPConfig installer became able to create LE certs for any of its servers during install or update, as it was finalized that existing LE certs will be respected, i.e. used if there are any, during the create LE certs process for the server. I also shared the method of using the DNS challenge in the tips and tricks board at about the same time or just a bit later, but I guess this method never gained interest among many users, so I didn't finish my writing for this to be integrated with ISPConfig.