3.2 acme use dns challenge per default

Discussion in 'Installation/Configuration' started by truidix, May 21, 2024.

  1. truidix

    truidix New Member

    Hey everyone,


    I do use ISPConfig for a while. I also managed to migrate to a new server.

    So far I’m happy with ISPConfig.

    But since I migrated to a new server and acme, I do have several errors while creating new certificates. There are several redirects, so the validation via .well-known is not working as expected for me.

    Anyways, as my provider is supported by acme, I want to use the validation via the dns challenge. If I create a certificate on my own via the shell with the dns challenge, that works as expected.

    But I can’t figure out how to tell ISPConfig to use the dns challenge per default. My guess would be to do that via “conf-custom”? I appreciate any help/advice.


    Thanks
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    You just have to exclude the .well-known folder from being redirected. ISPConfig does this by default when using redirects in ISPConfig. If you create redirects manually, you have to take care that you exclude that folder from being redirected.

    There is no DNS-auth for Let's Encrypt implemented in ISPConfig. But you can find several threads here in the forum from users who implemented DNS-auth manually. E.g. @ahrasis made some posts on that topic.
     
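    As an added illustration of the exclusion till describes (this is a constructed Apache snippet, not ISPConfig's generated vhost template; it assumes mod_rewrite is enabled and uses example.com as a placeholder):

```apache
# Constructed example, not ISPConfig's own vhost template. Assumes mod_rewrite.
<VirtualHost *:80>
    ServerName example.com
    # Placeholder webroot; the ACME client writes its token below this path.
    DocumentRoot /var/www/example.com/web

    RewriteEngine On

    # Broken variant (left commented out): every request, including the
    # HTTP-01 validation URL, is sent to HTTPS, so the CA never gets the
    # token from the webroot and issuance fails.
    # RewriteRule ^/(.*)$ https://example.com/$1 [R=301,L]

    # Fixed variant: skip the redirect for the ACME challenge path only;
    # everything else is still forced to HTTPS.
    RewriteCond %{REQUEST_URI} !^/\.well-known/acme-challenge/
    RewriteRule ^/(.*)$ https://example.com/$1 [R=301,L]
</VirtualHost>

# Check from any host after reloading Apache:
#   curl -I http://example.com/.well-known/acme-challenge/probe
# should answer from the webroot (typically 404 for a missing token),
# not with a 301 to https://.
```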
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You don't have to, because you can only do this via a custom approach in ISPConfig servers as it is not supported by default. This means the dns challenge will be added in the renewal conf file once the certs are issued, and any future renewal should follow the settings in that file.
     
  4. truidix

    truidix New Member

    Thanks, that might be why I couldn't find anything about that;)

    Anyways, can I change the existing SSL configurations for each web to use the DNS challenge?
    Or do I have to revoke every cert and create a new one manually?
    Thx
     
  5. truidix

    truidix New Member

    I have trouble just on a few sites; basically I didn't touch the generated host configuration files, besides the 000-default.
    Maybe I'll give it another try. But I would prefer the DNS challenge.

    Thx.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You could, by comparing the one created via dns challenge with the one created by webroot, and thereafter modifying the renewal conf to use the same settings.

    Note your secret file and dns server settings must be ready for this to work.

    To test, you can disable the http and https ports, and thereafter force update the domain or subdomain that you want.

    If force update works, renewal will work too.

    You may want to re-enable http and https thereafter, since those domains that use it can renew when their time comes.

    I don't think you have to modify the vhost file for the dns challenge to work, so just leave it as it is.
     