Multiserver NS installation not able to obtain letsencrypt certificate

Hi Guys,

Im setting up a multiserver environment with 2 x servers, ISPConfig as VMs behind a PFSense load balancer/firewall and I am have having issues obtaining a LE certificate for the ns1.mydomain.com domain during install. This is (I presume) because there is not a webserver running on ns1. Am I meant to be able to create an LE certificate at this stage? LE acme.sh says the following in the setup console:

What would be the best way to proceed, for installation and ongoing autorenewal?

• Add the websever during setup.
• Set this up after the initial install from CLI.
• Configure something within the control panel to create some kind of alias/link to ns1.

Thanks for your help.

 

If there's no webserver installed Acme should create it's own temp webserver while validating.
Ofcourse you do need to have opened port 80 in your firewall and NAT to that server.

If you only have 1 WAN IP then you're in a bit of trouble as you can NAT a port only to 1 server.
So change the NAT rule when you proceed to the next server.

A better way, which will avoid all this, is using DNS authentication in Acme.
But since you're talking about NS1 I'm guessing that's not an option for now.
You can however change the certificate's conf file once it's aquired so renewal can be done using DNS instead of web.

 

Hi Remkoh,

Thanks for your reply.

So my PFSense has HAProxy installed and I have set NS1 up in exactly the same way as WEB1,MX1 and MX2 during this project and they worked. There is no firewall installed on the VM, its a fresh Debian 12 ready for IPConfig, and PFSence/HAProxy is configured to forward ns1.mydomain.com -> localIP:80 of the VM.

From the console output, it looks like Acme/ISPConfig chooses Apache even though there is no Apache server/service installed [--no-web] so it doesn't surprise me that method fails. I think Acme requires a command line argument to request in standalone mode, unless it does this automatically because it doesn't detect a web server? But the documentation seems to require the '--standalone' argument. I was wondering if there was a way to configure the ISPConfig setup script with something like [--acme-standalone]? Probably not.
From the Acme Documentation:

Code:

acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com

Is there a manual way to get NS1 a certificate from the CLI using Acme standalone after ISPConfig installation and configure ISPConfig to manage it after initial installation/setup?

As this is a Nameserver am I missing something obvious here???

Thanks

 

Hi Till,

Thanks for your reply.
First off, SORRY... It was a misconfiguration on my part with DNS. All my messing around with mail servers and mx1/mx2 and my DNS contained nx1 instead of ns1. "If at first you don't succeed, always check DNS!". Again, SORRY....

This non-issue made me check what was going on with the ISPConfig installer because even though I'd called it with the argument '--no-web', Acme still wanted to use Apache for verification.
Apache actually gets installed in the initial part of the ISPConfig installer (in the background not displayed in the console output), with PHP I think. I'm not sure if ISPConfig requires Apache to manage ns1.mydomain.com or its a dependency of PHP and ISPConfig doesn't require it? More clarification is need here.

I maybe wrong here and please correct me if I am, but isn't a certificate needed for DoH (DNS over HTTPS) and DoT (DNS over TLS)?

@till - I have done a few hours checking this nameserver installation/setup. If you'd like me to expand on this then let me know.

 

Yes, an exact copy/paste.

It also installs postfix and clamav packages even though the argument '--no-mail' is present, but I'm not sure if this is installed for any backend server notifications from cron etc. This is different from Apache2 thought, these are listed in the console output. Apache2 is not.

 

Thats what I thought about Apache....

Just to confirm its PHP that installs Apache2

Code:

root@isp:~# apt install php
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php8.2 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl4 liblua5.3-0 libsodium23 php-common php8.2
  php8.2-cli php8.2-common php8.2-opcache php8.2-readline psmisc ssl-cert
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser php-pear
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php8.2 libapr1 libaprutil1
  libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl4 liblua5.3-0 libsodium23 php php-common php8.2
  php8.2-cli php8.2-common php8.2-opcache php8.2-readline psmisc ssl-cert
0 upgraded, 21 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,664 kB of archives.
After this operation, 31.8 MB of additional disk space will be used.
Do you want to continue? [Y/n]

If I remove Apache during the ISPConfig installation (from another terminal) the certificate verification method used by Acme is still Apache and it fails with the follow:

Code:

Using apache for certificate validation
Failed to restart apache2.service: Unit apache2.service not found.

Its not really an issue as you say nothing will use it and I could just select 'no' to install a certificate and remove Apache2 after install.
If I were to configure DoH/DoT manually on ns1/ns2 it would be nice that the hostname cert would be valid and autorenew.

Thanks for your time @till