Hey everyone, I have been using ISPConfig for a while. I also managed to migrate to a new server. So far I'm happy with ISPConfig. But since I migrated to a new server and acme, I get several errors while creating new certificates. There are several redirects, so the validation via .well-known is not working as expected for me. Anyway, as my provider is supported by acme, I want to use the validation via the dns challenge. If I create a certificate on my own from the shell with the dns challenge, that works as expected. But I can't figure out how to tell ISPConfig to use the dns challenge by default. My guess would be to do that via "conf-custom"? I appreciate any help/advice. Thanks
You just have to exclude the .well-known folder from being redirected. ISPConfig does this by default when using redirects in ISPConfig. If you create redirects manually, you have to take care that you exclude that folder from being redirected. There is no DNS-auth for Let's Encrypt implemented in ISPConfig. But you can find several threads here in the forum from users who implemented DNS-auth manually. E.g. @ahrasis made some posts on that topic.
You don't have to, because you can only do this via a custom approach in ISPConfig servers, as it is not supported by default. This means the dns challenge will be added in the renewal conf file once the certs are issued, and any future renewal should follow the settings in that file.
Thanks, that might be why I couldn't find anything about that. Anyway, can I change the existing SSL configurations for each web to use the DNS challenge? Or do I have to revoke every cert and create a new one manually? Thx
I have trouble on just a few sites; basically I didn't touch the generated host configuration files, besides the 000-default. Maybe I'll give it another try. But I would prefer the DNS challenge. Thx.
You could, by comparing the one created via dns challenge with the one created by webroot, and thereafter modify the renewal conf to use the same settings. Note your secret file and dns server settings must be ready for this to work. To test, you can disable the http and https ports, and thereafter force update the domain or subdomain that you want. If force update works, renewal will work too. You may want to re-enable http and https thereafter, since those domains that use it can renew when their time comes. I don't think you have to modify the vhost file for the dns challenge to work, so just leave it as it is.
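The "compare and modify the renewal conf" step above, as an added example that is not from this thread or from the acme.sh or ISPConfig projects. It assumes acme.sh keeps its per-domain settings in `~/.acme.sh/<domain>/<domain>.conf` and records the validation method in the `Le_Webroot` key (a path for webroot validation, `dns_<provider>` for a DNS API plugin); the domain, paths and provider name used are placeholders.

```shell
#!/bin/sh
# Added example: inspect and switch the validation mode recorded in an
# acme.sh per-domain renewal conf, so the next renewal uses a DNS plugin.
# Assumptions: conf lives at $ACME_HOME/<domain>/<domain>.conf (append
# _ecc to the directory for ECC certs) and Le_Webroot holds the method.
# The DNS API credentials themselves are read by acme.sh from account.conf
# and must already be saved there, as the post above notes.

# Path of the per-domain conf for a given domain (placeholder layout).
acme_conf_path() {
    echo "${ACME_HOME:-$HOME/.acme.sh}/$1/$1.conf"
}

# Print the validation mode stored in a conf: "webroot", "dns" or "unknown".
# Multi-domain confs may hold a comma-separated list; the first entry decides.
acme_conf_mode() {
    value=$(sed -n "s/^Le_Webroot='\(.*\)'\$/\1/p" "$1" | head -n 1)
    case "$value" in
        dns_*) echo dns ;;
        /*)    echo webroot ;;
        *)     echo unknown ;;
    esac
}

# Rewrite Le_Webroot so renewals use the given dns_<provider> plugin.
# Keeps a .bak copy; returns 1 if the provider name is malformed or the
# key is missing (nothing is changed in that case).
acme_conf_set_dns() {
    conf="$1"; provider="$2"
    case "$provider" in
        dns_*) ;;
        *) echo "provider must look like dns_<name>" >&2; return 1 ;;
    esac
    grep -q "^Le_Webroot=" "$conf" || return 1
    cp "$conf" "$conf.bak"
    sed "s#^Le_Webroot=.*#Le_Webroot='${provider}'#" "$conf.bak" > "$conf"
}

# Demo on a constructed conf (placeholder domain, not a real site).
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/example.com.conf"
printf "Le_Domain='example.com'\nLe_Webroot='/var/www/example/web'\n" > "$demo_conf"
echo "before: $(acme_conf_mode "$demo_conf")"
acme_conf_set_dns "$demo_conf" dns_cf
echo "after:  $(acme_conf_mode "$demo_conf")"
# Then verify as the post suggests: acme.sh --renew -d example.com --force
rm -rf "$demo_dir"
```

The rewrite only changes the method key; credentials for the chosen plugin still have to exist in acme.sh's account.conf before the forced renewal test will pass.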