acme Letsencrypt verification [resolved]

Discussion in 'Installation/Configuration' started by dmgeurts, Oct 8, 2022.

  1. dmgeurts

    dmgeurts Member

    Having built a new ISPConfig 3.2 server with only Nginx and MySQL, the admin portal is not publicly available (2 interfaces, one private and the other public). Am I correct in thinking that acme (at least initially) uses the same domain as the admin portal? Is there a way to change this default domain used for/by acme to a different one?

    The server_name in /etc/nginx/sites-enabled/999-acme.vhost is easy to change, but that doesn't cover ISPConfig internals. I'm new to acme as all my other servers are still 3.1 with traditional Letsencrypt (certbot). For non-ISPConfig, I've moved to DNS-01 domain verification where the web server interacts with authoritative DNS on another server.

    There's no acme log file in either of /var/log/ispconfig/ or /root/.acme.sh/
     
    Last edited: Oct 8, 2022
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It is true that the server FQDN is used to obtain LE certs for the ISPConfig server, but I am not sure that caused your ISPConfig admin not being publicly available. Try to follow Please read before posting! to find out what went wrong with your server or Let’s Encrypt Error FAQ to find out what is wrong with your LE client. In my experience, ISPConfig installation normally works fine.

    As a side note, you said you are using MySQL as opposed to MariaDB, which is preferred by the ISPConfig installation; this might or might not be related to your problem, but do check.

    On a further note, you can use DNS-01 domain verification or dns challenge in an ISPConfig server, as I have been using that on mine for about three years already. The easiest way is to get it before you install ISPConfig, but you can also do that thereafter; it will be a little bit more technical if so.

    Edited: I would also change its renewal conf especially renewal params to something like this for certbot to advocate letsencrypt_renew_hook.sh:
    Code:
    # renew_before_expiry = 30 days
    version = 1.13.0
    archive_dir = /etc/letsencrypt/archive/server.domain.tld
    cert = /etc/letsencrypt/live/server.domain.tld/cert.pem
    privkey = /etc/letsencrypt/live/server.domain.tld/privkey.pem
    chain = /etc/letsencrypt/live/server.domain.tld/chain.pem
    fullchain = /etc/letsencrypt/live/server.domain.tld/fullchain.pem
    
    # Options used in the renewal process
    [renewalparams]
    account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    rsa_key_size = 4096 (this depends on your key size)
    renew_hook = letsencrypt_renew_hook.sh
    server = https://acme-v02.api.letsencrypt.org/directory
    authenticator = dns-cloudflare (change to your dns)
    dns_cloudflare_credentials = /usr/local/ispconfig/interface/ssl/.secrets/server.domain.tld
    post_hook = echo '1' > /usr/local/ispconfig/server/le.restart
    
     
    Last edited: Oct 8, 2022
    dmgeurts likes this.
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The Let's Encrypt SSL cert is based on the hostname of the server. The server hostname is configured in the files /etc/hostname and /etc/hosts. To get a Let's Encrypt SSL cert, the server hostname must exist in DNS and be reachable from the internet so LE can verify it before issuing the cert.
     
    dmgeurts likes this.
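    Added example, not code from this thread or from ISPConfig: a POSIX shell pre-check an admin can run before relying on HTTP-01 for the server FQDN. It resolves the name with getent and fails when any returned address is not publicly routable (RFC 1918, loopback, link-local, CGNAT), which is exactly the situation with an internal-only hostname. The address classification runs offline; only the resolving step needs DNS. Hostnames and addresses below are placeholders.

```shell
#!/bin/sh
# Pre-check for HTTP-01: does the server FQDN resolve to a public IPv4 address?
# Added example; assumes getent(1) from glibc is available for the lookup step.

# Return 0 if the dotted-quad argument is a public (internet-routable) IPv4 address.
is_public_ipv4() {
    ip=$1
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    a=$1; b=$2; c=$3; d=$4
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac   # non-numeric or empty octet
        [ "$o" -le 255 ] || return 1
    done
    case "$a.$b" in
        10.*)    return 1 ;;   # RFC 1918
        127.*)   return 1 ;;   # loopback
        0.*)     return 1 ;;   # "this" network
        169.254) return 1 ;;   # link-local
        192.168) return 1 ;;   # RFC 1918
    esac
    [ "$a" -eq 172 ] && [ "$b" -ge 16 ] && [ "$b" -le 31 ] && return 1    # RFC 1918
    [ "$a" -eq 100 ] && [ "$b" -ge 64 ] && [ "$b" -le 127 ] && return 1   # CGNAT 100.64/10
    [ "$a" -ge 224 ] && return 1                                          # multicast/reserved
    return 0
}

# Resolve an FQDN and report whether every A record is public. Needs DNS.
check_hostname_public() {
    fqdn=$1
    addrs=$(getent ahostsv4 "$fqdn" 2>/dev/null | awk '{print $1}' | sort -u)
    [ -n "$addrs" ] || { echo "$fqdn: does not resolve"; return 1; }
    for ip in $addrs; do
        if is_public_ipv4 "$ip"; then
            echo "$fqdn -> $ip (public)"
        else
            echo "$fqdn -> $ip (not publicly routable; HTTP-01 validation cannot reach it)"
            return 1
        fi
    done
}

# Usage: ./check_fqdn.sh "$(hostname -f)"
if [ $# -gt 0 ]; then
    check_hostname_public "$1"
fi
```

    A non-zero exit means the hostname as configured cannot pass HTTP-01 from the outside, so either the hostname has to be public or a DNS-01 method has to be used instead.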
  4. dmgeurts

    dmgeurts Member

    Sorry for not being clearer, I don't want the admin publicly available, it wasn't a mistake. I picked a non-public server hostname, it's only internally available. The server has two interfaces, management is not exposed externally.

    Don't worry it's MariaDB under the hood.

    How did you do this? DNS-01 makes tight outbound firewall rules so much easier, in comparison to Certbot which connects to a CDN.

    Thank you for the suggestion. I wonder how much effort it would be to swap acme.sh for something like dehydrated in order to use ddns-tsig.
     
  5. dmgeurts

    dmgeurts Member

    Thank you for confirming this. As @ahrasis suggested, I think I'll look to go the DNS-01 route rather than trying to change the server's hostname. It's a new build so not much time is lost if I need to trash the server and rebuild.
    The Autoinstaller is great by the way!
     
  6. dmgeurts

    dmgeurts Member

    Right now, what I can't figure out is how to swap acme.sh for certbot, or can acme.sh be configured with a ddns target and tsig key? As this is a new install, there's no certbot present and the autoinstall did not give an option. the .acme.sh folder ended up under /root/.
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    1. You may not have to change the LE client, depending on your domain's dns service provider, because most of them are already supported by the acme.sh script. Do check if yours is in its support list.

    2. ISPConfig autoinstall does have an option for certbot, but you may not need to set it up in most new installation cases, except in a migration from an ISPConfig server with certbot.

    3. You can already use acme.sh via dns challenge manually to issue LE certs for your ISPConfig server and install the LE certs to your preferred location, which in this case is the ISPConfig ssl folder. Though I would prefer not to run such an install command but use symlinks to each of its LE cert files in the acme.sh folder instead, you don't have to do this.*

    4. You may want to modify its renewal conf file after you have successfully obtained the LE certs to add a renewal hook like the one you have in your current ISPConfig server with the acme.sh script. The renewal hook is important to recreate ispserver.pem upon renewal of the server LE certs.

    * Explanation: the ISPConfig installer by default currently uses the install command to copy LE certs from the acme.sh folder to the ISPConfig ssl folder, and this may overwrite the symlink on each install / update if one chooses to use symlinks like me. So, it is best to follow the default built-in code of the ISPConfig installer / updater as much as possible.
     
    Last edited: Oct 10, 2022
    dmgeurts likes this.
  8. dmgeurts

    dmgeurts Member

    I've already sorted the certificate for the admin portal, through an internal CA.
    I'm looking to use DNS-01 via own PowerDNS servers that host the domain(s) (not ISPConfig managed). RFC-2136 should work as it's supported by both acme.sh and PowerDNS.

    So what I need to work out is how to reconfigure acme.sh for RFC2136 instead of the default method, so that I can have LE certs issued to websites created from ISPConfig. They would all be on a couple of domains that reside on the same PowerDNS authoritative server, so a single TSIG-key for one server will work fine in this case. I wasn't able to find a config file which provides details on how acme.sh is called and which option it uses for obtaining a certificate.

    Or is it really as simple as just adding a couple of lines to `/root/.acme.sh/acme.sh.env`?! https://github.com/acmesh-official/...rdns-embedded-api-to-automatically-issue-cert
     
  9. dmgeurts

    dmgeurts Member

    In fact, as I keep reading up on this, acme.sh does have a PowerDNS API plugin, but I prefer not to use the pdns-API as it only supports a single API key (without restriction, which is a major issue when all I need is a ddns update from a DMZ server) and it requires enabling the HTTP API (minor point, but still).

    RFC-2136 is preferred, and it looks like the nsupdate plugin may work https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert ?
     
    Last edited: Oct 9, 2022
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Why do you want to use nsupdate when there is a plugin for your powerdns server, which is definitely easier and more convenient? What really worries you?

    Personally I prefer to use the default plugin in most cases, so do read again at: https://github.com/acmesh-official/...rdns-embedded-api-to-automatically-issue-cert

    I did discuss the use of nsupdate with a tsig key in my thread if you really need it, but I do not advise using it since there is a specific plugin for yours. I think the powerdns server uses a mysql database like the ISPConfig dns server, so using nsupdate may face some conflicts.
     
    Last edited: Feb 13, 2024
  11. dmgeurts

    dmgeurts Member

    I clearly really need to do my homework better! The API key can be tied to a specific domain*. Either I completely missed this a year ago, or it's been changed since, most likely I missed it...

    [edit:] *) I use PowerDNS-admin which gives this granularity, PowerDNS on its own does not allow for this. On a technical level, PowerDNS-admin simply relays the API calls, adding a layer of security not present in PowerDNS's API implementation. Thus YMMV, depending on your implementation.

    Thank you for your patience and comprehensive threads on this forum! So to use the plugin, do I just add the config lines to acme.sh.env and that's it?
     
    Last edited: Oct 10, 2022
  12. dmgeurts

    dmgeurts Member

    How do I get ISPConfig to use `--dns dns_pdns` when it calls acme.sh?

    Inspecting `/usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php` I see:
    PHP:
        public function get_acme_command($domains, $key_file, $bundle_file, $cert_file, $server_type = 'apache') {
            global $app, $conf;

            $letsencrypt = $this->get_acme_script();

            $cmd = '';
            // generate cli format
            foreach($domains as $domain) {
                $cmd .= (string) " -d " . $domain;
            }

            if($cmd == '') {
                return false;
            }

            if($server_type != 'apache' || version_compare($app->system->getapacheversion(true), '2.4.8', '>=')) {
                $cert_arg = '--fullchain-file ' . escapeshellarg($cert_file);
            } else {
                $cert_arg = '--fullchain-file ' . escapeshellarg($bundle_file) . ' --cert-file ' . escapeshellarg($cert_file);
            }

            $cmd = 'R=0 ; C=0 ; ' . $letsencrypt . ' --issue ' . $cmd . ' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then ' . $letsencrypt . ' --install-cert ' . $cmd . ' --key-file ' . escapeshellarg($key_file) . ' ' . $cert_arg . ' --reloadcmd ' . escapeshellarg($this->get_reload_command()) . ' --log ' . escapeshellarg($conf['ispconfig_log_dir'].'/acme.log') . '; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi';

            return $cmd;
        }
    Do I edit this file to add `--dns dns_pdns ` in the last line before `return $cmd;`?
     
  13. dmgeurts

    dmgeurts Member

    Solved the puzzle. The missing piece was the Let's Encrypt registration. Trying to issue a cert manually gave me a hint.

    Code:
    sudo /root/.acme.sh/acme.sh --register-account -m [email protected]
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    You don't need an account unless you are using the wrong CA while issuing the cert manually. With wrong settings, you don't get a Let's encrypt cert but you get a cert from ZeroSSL (which requires registration).
     
  15. dmgeurts

    dmgeurts Member

    I see. All I did was add the following to /root/.acme.sh/acme.sh.env. What am I missing? I thought ISPConfig defaulted to Letsencrypt?

    Code:
    export PDNS_Url="http://ns.example.com:8081"
    export PDNS_ServerId="localhost"
    export PDNS_Token="0123456789ABCDEF"
    export PDNS_Ttl=60
    
     
    Last edited: Oct 10, 2022
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, ISPConfig defaults to Let's Encrypt. But LE does not require registration, so it's strange that you had to register. Have you checked the created cert to see which authority has issued it? Or maybe registration is required for DNS auth but not domain auth.
     
    dmgeurts likes this.
  17. dmgeurts

    dmgeurts Member

    The auth was requested when I manually tried to get the certs issued. Hence I figured I needed to register. Once done I was able to issue the cert from ISPConfig. But alas not a Let's Encrypt certificate. So I've gone back to the terminal and unregistered, then changed the default CA to Let's Encrypt like so:

    Code:
    sudo su
    cd /root/.acme.sh
    ./acme.sh --server letsencrypt --set-default-ca
    exit
    Then went back to ISPConfig to turn SSL off then on again. And now it's working.

    So the steps needed to switch to a plugin for acme is to first set the default CA, then add the desired plugin config to acme.sh.env.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Quite strange that you had to switch the CA again, as that is what ISPConfig does at install time. But maybe acme.sh stores this information separately for each auth method. But what matters is that it works now for you :)
     
    dmgeurts likes this.
  19. dmgeurts

    dmgeurts Member

    Inspecting the log files, I'm not quite there yet. Issuing another cert for another domain, it's using HTTP-01 instead of DNS-01.

    How do I nail acme.sh to use the pdns plugin?!
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I already gave you the link above, which clearly said that after you have exported the required credentials, you run the basic command "./acme.sh --issue --dns dns_pdns -d example.com -d www.example.com". To note, this command may be extendable. Of course, before running all that you should already have properly installed acme.sh and activated LE for the first time (which means creating an account for it). But did you follow that?
     
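    Added example, not code from this thread, from ISPConfig or from acme.sh: a small POSIX shell audit that reads acme.sh's per-domain conf files and reports, per certificate, which validation method and which CA it was obtained with. That is what the two problems above (a ZeroSSL cert instead of Let's Encrypt, and HTTP-01 being used instead of DNS-01) boil down to, and the log files are not the easiest place to see it. It assumes the acme.sh layout /root/.acme.sh/<domain>/<domain>.conf with the keys Le_Domain, Le_Webroot (a webroot path for HTTP-01, a dns_* plugin name for DNS-01) and Le_API (the ACME directory URL); those key names are taken from acme.sh's conf files but stated here as an assumption. The sample conf files are constructed so the audit runs offline.

```shell
#!/bin/sh
# Audit acme.sh per-domain conf files: which challenge type and which CA was used?
# Added example. Assumed layout: $ACME_HOME/<domain>/<domain>.conf containing
# shell-style lines such as Le_Webroot='dns_pdns' and Le_API='https://...'.

ACME_HOME="${ACME_HOME:-/root/.acme.sh}"

# conf_get <file> <key>: print the value of key='value' (quotes optional), first match only.
conf_get() {
    sed -n "s/^$2='\{0,1\}\([^']*\)'\{0,1\}\$/\1/p" "$1" | head -n 1
}

# validation_method <conf-file>: map Le_Webroot to the ACME challenge acme.sh used.
validation_method() {
    w=$(conf_get "$1" Le_Webroot)
    case "$w" in
        dns_*) echo "DNS-01 ($w)" ;;          # dns plugin, e.g. dns_pdns
        dns)   echo "DNS-01 (manual)" ;;      # manual TXT record mode
        "")    echo "unknown" ;;
        *)     echo "HTTP-01 (webroot $w)" ;; # anything else is a webroot path
    esac
}

# issuing_ca <conf-file>: map Le_API (ACME directory URL) to a CA name.
issuing_ca() {
    api=$(conf_get "$1" Le_API)
    case "$api" in
        *acme-staging-v02.api.letsencrypt.org*) echo "Let's Encrypt (staging)" ;;
        *acme-v02.api.letsencrypt.org*)         echo "Let's Encrypt" ;;
        *acme.zerossl.com*)                     echo "ZeroSSL" ;;
        "")                                     echo "unknown" ;;
        *)                                      echo "other ($api)" ;;
    esac
}

# audit_acme_home [acme-home]: one line per issued certificate.
audit_acme_home() {
    home="${1:-$ACME_HOME}"
    for conf in "$home"/*/*.conf; do
        [ -f "$conf" ] || continue
        d=$(conf_get "$conf" Le_Domain)
        [ -n "$d" ] || continue            # skip account/ca conf files
        printf '%-30s %-45s %s\n' "$d" "$(validation_method "$conf")" "$(issuing_ca "$conf")"
    done
}

# Constructed sample conf files (not real data) so the audit can be tried offline.
SAMPLE_HOME=$(mktemp -d)
mkdir -p "$SAMPLE_HOME/web1.example.com" "$SAMPLE_HOME/web2.example.com"
cat > "$SAMPLE_HOME/web1.example.com/web1.example.com.conf" <<'EOF'
Le_Domain='web1.example.com'
Le_Alt='www.web1.example.com'
Le_Webroot='/usr/local/ispconfig/interface/acme'
Le_API='https://acme-v02.api.letsencrypt.org/directory'
EOF
cat > "$SAMPLE_HOME/web2.example.com/web2.example.com.conf" <<'EOF'
Le_Domain='web2.example.com'
Le_Webroot='dns_pdns'
Le_API='https://acme.zerossl.com/v2/DV90'
EOF

# Sample run; replace "$SAMPLE_HOME" with "$ACME_HOME" (as root) on a real server.
audit_acme_home "$SAMPLE_HOME"
```

    The first sample line shows the ISPConfig default (HTTP-01 via the interface/acme webroot, Let's Encrypt); a line reporting ZeroSSL or an unexpected webroot is the quickest confirmation of the two misconfigurations discussed in this thread.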