Multiserver NS installation not able to obtain letsencrypt certificate

Discussion in 'Installation/Configuration' started by The_Cook, Oct 16, 2024.

  1. The_Cook

    The_Cook New Member

    Hi Guys,

    I'm setting up a multiserver environment with 2 x servers, ISPConfig as VMs behind a PFSense load balancer/firewall, and I am having issues obtaining an LE certificate for the ns1.mydomain.com domain during install. This is (I presume) because there is not a webserver running on ns1. Am I meant to be able to create an LE certificate at this stage? LE acme.sh says the following in the setup console:
    What would be the best way to proceed, for installation and ongoing autorenewal?
    • Add the websever during setup.
    • Set this up after the initial install from CLI.
    • Configure something within the control panel to create some kind of alias/link to ns1.
    Thanks for your help.
     
  2. remkoh

    remkoh Active Member HowtoForge Supporter

    If there's no webserver installed Acme should create its own temp webserver while validating.
    Of course you do need to have opened port 80 in your firewall and NAT to that server.

    If you only have 1 WAN IP then you're in a bit of trouble as you can NAT a port only to 1 server.
    So change the NAT rule when you proceed to the next server.

    A better way, which will avoid all this, is using DNS authentication in Acme.
    But since you're talking about NS1 I'm guessing that's not an option for now.
    You can however change the certificate's conf file once it's acquired so renewal can be done using DNS instead of web.
     
  3. The_Cook

    The_Cook New Member

    Hi Remkoh,

    Thanks for your reply.

    So my PFSense has HAProxy installed and I have set NS1 up in exactly the same way as WEB1, MX1 and MX2 during this project and they worked. There is no firewall installed on the VM, it's a fresh Debian 12 ready for ISPConfig, and PFSense/HAProxy is configured to forward ns1.mydomain.com -> localIP:80 of the VM.

    From the console output, it looks like Acme/ISPConfig chooses Apache even though there is no Apache server/service installed [--no-web] so it doesn't surprise me that method fails. I think Acme requires a command line argument to request in standalone mode, unless it does this automatically because it doesn't detect a web server? But the documentation seems to require the '--standalone' argument. I was wondering if there was a way to configure the ISPConfig setup script with something like [--acme-standalone]? Probably not.
    From the Acme Documentation:
    Code:
    acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
    Is there a manual way to get NS1 a certificate from the CLI using Acme standalone after ISPConfig installation and configure ISPConfig to manage it after initial installation/setup?

    As this is a Nameserver am I missing something obvious here???

    Thanks
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig runs acme.sh in standalone mode on nodes without a web server. Besides that, your NS servers do not need a signed SSL cert, as there are no services on a DNS server that would use it. So you can just let the ISPConfig installer create a self-signed certificate there if no LE cert can be obtained.
     
    ahrasis likes this.
  5. The_Cook

    The_Cook New Member

    Hi Till,

    Thanks for your reply.
    First off, SORRY... It was a misconfiguration on my part with DNS. All my messing around with mail servers and mx1/mx2 and my DNS contained nx1 instead of ns1. "If at first you don't succeed, always check DNS!". o_O Again, SORRY....

    This non-issue made me check what was going on with the ISPConfig installer because even though I'd called it with the argument '--no-web', Acme still wanted to use Apache for verification.
    Apache actually gets installed in the initial part of the ISPConfig installer (in the background, not displayed in the console output), with PHP I think. I'm not sure if ISPConfig requires Apache to manage ns1.mydomain.com or it's a dependency of PHP and ISPConfig doesn't require it? More clarification is needed here.

    I may be wrong here and please correct me if I am, but isn't a certificate needed for DoH (DNS over HTTPS) and DoT (DNS over TLS)?

    @till - I have done a few hours checking this nameserver installation/setup. If you'd like me to expand on this then let me know.
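    The two things that went wrong in this thread (a typo in the zone so the hostname did not resolve, and acme.sh's standalone listener needing port 80 free and NAT'd to the node) are cheap to check before running the installer. The script below is an added example, not ISPConfig or acme.sh code; the hostnames, addresses and the `ss -ltn` output in it are constructed, and the resolver is injectable so the same check can be run against a fake zone offline.

```python
"""Pre-flight checks before acme.sh --issue --standalone on a node with no web server.

Added example (not ISPConfig/acme.sh code). It verifies that the hostname
resolves to the address the NAT rule points at and that nothing on the node
already listens on port 80, which the standalone challenge needs to bind.
"""
import socket
from typing import Callable, List

Resolver = Callable[[str], List[str]]

# Constructed sample of `ss -ltn` output; a real run would pass the command's output.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
LISTEN 0      4096   [::]:53           [::]:*
"""


def system_resolve(hostname: str) -> List[str]:
    """Resolve IPv4 addresses with the system resolver; [] on NXDOMAIN or failure."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def listeners_on_port(ss_output: str, port: int) -> List[str]:
    """Parse `ss -ltn` text and return the local addresses bound to `port`."""
    bound = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        addr, _, p = fields[3].rpartition(":")  # handles "[::]:53" and "0.0.0.0:80"
        if p == str(port):
            bound.append(addr)
    return bound


def preflight(hostname: str, expected_ip: str, ss_output: str,
              resolve: Resolver = system_resolve, port: int = 80) -> List[str]:
    """Return a list of problems; an empty list means the standalone challenge can proceed."""
    problems = []
    answers = resolve(hostname)
    if not answers:
        problems.append(f"{hostname} does not resolve (NXDOMAIN; typo in the zone?)")
    elif expected_ip not in answers:
        problems.append(f"{hostname} resolves to {answers}, not the NAT'd address {expected_ip}")
    busy = listeners_on_port(ss_output, port)
    if busy:
        problems.append(f"port {port} is already bound on {busy}; acme.sh --standalone cannot listen")
    return problems


if __name__ == "__main__":
    import subprocess
    # Hostname and public address are placeholders; replace with your own.
    ss_text = subprocess.run(["ss", "-ltn"], capture_output=True, text=True).stdout
    for problem in preflight("ns1.example.com", "203.0.113.10", ss_text):
        print("PROBLEM:", problem)
```

    Run it on the node just before the installer (or before `acme.sh --issue --standalone`); if it prints nothing, the HTTP-01 challenge at least has a chance of reaching the right machine.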
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    ahrasis likes this.
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    DNS over HTTPS does not get configured.
     
    ahrasis likes this.
  8. The_Cook

    The_Cook New Member

    Yes, an exact copy/paste.

    It also installs postfix and clamav packages even though the argument '--no-mail' is present, but I'm not sure if this is installed for any backend server notifications from cron etc. This is different from Apache2 though; these are listed in the console output. Apache2 is not.
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Postfix must be installed, but ClamAV is not needed. But it might be that we install it as part of the base setup. Apache is most likely installed as a dependency by another package and not explicitly by the installer.
     
  10. The_Cook

    The_Cook New Member

    That's what I thought about Apache....

    Just to confirm, it's PHP that installs Apache2:
    Code:
    root@isp:~# apt install php
    Reading package lists... Done
    Building dependency tree... Done
    Reading state information... Done
    The following additional packages will be installed:
      apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php8.2 libapr1 libaprutil1
      libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl4 liblua5.3-0 libsodium23 php-common php8.2
      php8.2-cli php8.2-common php8.2-opcache php8.2-readline psmisc ssl-cert
    Suggested packages:
      apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser php-pear
    The following NEW packages will be installed:
      apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php8.2 libapr1 libaprutil1
      libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl4 liblua5.3-0 libsodium23 php php-common php8.2
      php8.2-cli php8.2-common php8.2-opcache php8.2-readline psmisc ssl-cert
    0 upgraded, 21 newly installed, 0 to remove and 0 not upgraded.
    Need to get 7,664 kB of archives.
    After this operation, 31.8 MB of additional disk space will be used.
    Do you want to continue? [Y/n]
    If I remove Apache during the ISPConfig installation (from another terminal) the certificate verification method used by Acme is still Apache and it fails with the following:
    Code:
    Using apache for certificate validation
    Failed to restart apache2.service: Unit apache2.service not found.
    It's not really an issue; as you say nothing will use it, and I could just select 'no' to install a certificate and remove Apache2 after install.
    If I were to configure DoH/DoT manually on ns1/ns2 it would be nice that the hostname cert would be valid and autorenew.

    Thanks for your time @till
     
  11. remkoh

    remkoh Active Member HowtoForge Supporter

    Just run acme.sh by hand for the hostname certificate.
    Code:
    acme.sh --issue --standalone -d <hostname> --keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"
    Acme.sh's cronjob will handle renewal after that.

    Make sure there isn't anything running on port 80 and you NAT port 80 to the server.

    Once you've got your dns up and running I suggest you change the certificate's config to ISPC-dns authentication and setup ISPC accordingly (assuming your own dns handles your domainname).
    Then you don't need to nat anything anymore for certificate authentication.

    If you already have your dns running publicly you can get the certificate by using dns authentication from the start.
    Code:
    acme.sh --issue --dns dns_ispconfig -d <hostname> --keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"
    Of course you do need to have set up acme.sh and ISPC prior to running this.
    For acme.sh setup add these lines in /root/.acme.sh/account.conf:
    Code:
    ISPC_User='<user>'
    ISPC_Password='<password>'
    ISPC_Api='<ISPC URL>'
    ISPC_Api_Insecure='1'
    
     
    Last edited: Oct 18, 2024
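    The account.conf lines above hand acme.sh a set of ISPConfig API credentials, and ISPC_Api_Insecure='1' tells the dns_ispconfig hook to skip TLS certificate verification toward that API (as I read the hook; treat that as an assumption). The checker below is an added example, not acme.sh or ISPConfig code: it parses the shell-style KEY='value' lines acme.sh writes, reports a missing hook variable, a non-https API URL, the insecure flag, and a file mode that lets other users read the credentials. The sample file content, user name and URL are constructed.

```python
"""Audit the dns_ispconfig settings in /root/.acme.sh/account.conf.

Added example (not acme.sh/ISPConfig code). account.conf holds ISPConfig API
credentials, so besides checking the hook variables it flags settings that
weaken the API connection or expose the file.
"""
import os
import re
import stat
from typing import Dict, List, Optional

# Constructed sample shaped like the lines suggested in the thread.
SAMPLE_ACCOUNT_CONF = """\
# acme.sh account settings
ACCOUNT_EMAIL='hostmaster@example.com'
ISPC_User='acme-dns'
ISPC_Password='REDACTED'
ISPC_Api='https://cp.example.com:8080/remote/json.php'
ISPC_Api_Insecure='1'
"""

# KEY='value', KEY="value" or KEY=value, one assignment per line.
ASSIGN = re.compile(r"^\s*([A-Za-z_][A-Za-z0-9_]*)=(?:'([^']*)'|\"([^\"]*)\"|(\S*))\s*$")


def parse_account_conf(text: str) -> Dict[str, str]:
    """Parse shell-style assignments; blank lines and comments are ignored."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = ASSIGN.match(line)
        if m:
            # Exactly one of the three value groups matched; take it.
            values[m.group(1)] = next(g for g in m.groups()[1:] if g is not None)
    return values


def audit_ispc_settings(values: Dict[str, str], file_mode: Optional[int] = None) -> List[str]:
    """Return findings about the dns_ispconfig settings; empty means nothing to fix."""
    findings = []
    for key in ("ISPC_User", "ISPC_Password", "ISPC_Api"):
        if not values.get(key):
            findings.append(f"{key} missing: dns_ispconfig cannot log in to the ISPConfig API")
    api = values.get("ISPC_Api", "")
    if api and not api.lower().startswith("https://"):
        findings.append("ISPC_Api is not https: API credentials would travel in clear text")
    if values.get("ISPC_Api_Insecure") == "1":
        findings.append("ISPC_Api_Insecure='1' disables TLS certificate verification toward "
                        "ISPC_Api; drop it once the panel has a trusted certificate")
    # Group/other bits set on a file holding credentials: acme.sh normally keeps it 0600.
    if file_mode is not None and file_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"account.conf mode {oct(file_mode & 0o777)} is group/world "
                        f"accessible; use 0600")
    return findings


def audit_file(path: str = "/root/.acme.sh/account.conf") -> List[str]:
    """Audit a real account.conf on disk, including its permissions."""
    with open(path) as fh:
        values = parse_account_conf(fh.read())
    return audit_ispc_settings(values, os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_ispc_settings(parse_account_conf(SAMPLE_ACCOUNT_CONF), 0o644):
        print("FINDING:", finding)
```

    Against the constructed sample with a 0644 file it reports the insecure flag and the permissions; with a trusted certificate on the panel, the ISPC_Api_Insecure line can simply be removed and the renewals keep working over a verified connection.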
