acme Letsencrypt verification [resolved]

Having built a new ISPConfig 3.2 server with only Nginx and MySQL, the admin portal is not publicly available (2 interfaces, one private and the other public). Am I correct in thinking that acme (at least initially) uses the same domain as the admin portal? Is there a way to change this default domain used for/by acme to a different one?

The server_name in /etc/nginx/sites-enabled/999-acme.vhost is easy to change, but that doesn't cover ISPConfig internals. I'm new to acme as all my other servers are still 3.1 with traditional Letsencrypt (certbot). For non-ISPConfig, I've moved to DNS-01 domain verification where the web server interacts with authoritative DNS on another server.

There's no acme log file in either of /var/log/ispconfig/ or /root/.acme.sh/

 

It is true that server FQDN is used to obtain LE certs for ISPConfig server but I am not sure that caused your ISPConfig admin not publicly available. Try to follow Please read before posting! to find out what went wrong with your server or Let’s Encrypt Error FAQ to find out what is wrong with your LE client. In my experience, ISPConfig installation normally works fine.

As side note, you said you are using MySQL compared to MariaDB, which is preferred by ISPConfig installation, this might or might not be related to your problem but do check.

On further note, you can use DNS-01 domain verification or dns challenge in an ISPConfig server as I am using that on mine about three years already. The easiest way is to get it before you install ISPConfig but you can also do that thereafter but it will be a little bit more technical if so.

Edited: I would also change its renewal conf especially renewal params to something like this for certbot to advocate letsencrypt_renew_hook.sh:

Code:

# renew_before_expiry = 30 days
version = 1.13.0
archive_dir = /etc/letsencrypt/archive/server.domain.tld
cert = /etc/letsencrypt/live/server.domain.tld/cert.pem
privkey = /etc/letsencrypt/live/server.domain.tld/privkey.pem
chain = /etc/letsencrypt/live/server.domain.tld/chain.pem
fullchain = /etc/letsencrypt/live/server.domain.tld/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
rsa_key_size = 4096 (this depends on your key size)
renew_hook = letsencrypt_renew_hook.sh
server = https://acme-v02.api.letsencrypt.org/directory
authenticator = dns-cloudflare (change to your dns)
dns_cloudflare_credentials = /usr/local/ispconfig/interface/ssl/.secrets/server.domain.tld
post_hook = echo '1' > /usr/local/ispconfig/server/le.restart

 

Sorry for not being clearer, I don't want the admin publicly available, it wasn't a mistake. I picked a non-public server hostname, it's only internally available. The server has two interfaces, management is not exposed externally.

Don't worry it's MariaDB under the hood.

How did you do this? DNS-01 makes tight outbound firewall rules so much easier, in comparison to Certbot which connects to a CDN.

Thank you for the suggestion. I wonder how much effort it would be to swap acme.sh for something like dehydrated in order to use ddns-tsig.

 

Thank you for confirming this. As @ahrasis suggested, I think I'll look to go the DNS-01 route rather than trying to change the server's hostname. It's a new build so not much time is lost if I need to trash the server and rebuild.
The Autoinstaller is great by the way!

 

Right now, what I can't figure out is how to swap acme.sh for certbot, or can acme.sh be configured with a ddns target and tsig key? As this is a new install, there's no certbot present and the autoinstall did not give an option. the .acme.sh folder ended up under /root/.

 

1. You may not have to change LE client depending on your domain dns service provider because most of them already supported by acme.sh script. Do check if yours is in its support list.

2. ISPConfig autoinstall do have option for certbot but you may not need to set it up in most new installation cases except in migration from an ISPConfig server with certbot.

3. You can already use acme.sh via dns challenge manually to issue LE certs for your ISPConfig server and install LE certs to your preferred location which is in this case is ISPConfig ssl folder. Though I would prefer not to run such install command but use symlink to each its LE certs file in acme.sh folder instead, you don't have to do this.*

4. You may want to modify its renewal conf file after you have successfully obtained the LE certs to add renewal hook like the one you have in your current ISPConfig server with acme.sh script. Renewal hook is important to recreate ispserver.pem upon renewal of the server LE certs.

* Explanation: ISPConfig installer by default currently uses command install to copy LE certs from acme.sh folder to ISPConfig ssl folder and this may overwrite the symlink on each install / update, if one choose to use symlink like me. So, it is best to follow the default built in code of ISPConfig installer / updater as much as possible.

 

I've already sorted the certificate for the admin portal, through an internal CA.
I'm looking to use DNS-01 via own PowerDNS servers that host the domain(s) (not ISPConfig managed). RFC-2136 should work as it's supported by both acme.sh and PowerDNS.

So what I need to work out is how to reconfigure acme.sh for RFC2136 instead of the default method, so that I can have LE certs issued to websites created from ISPConfig. They would all be on a couple of domains that reside on the same PowerDNS authoritative server, so a single TSIG-key for one server will work fine in this case. I wasn't able to find a config file which provides details on how acme.sh is called and which option it uses for obtaining a certificate.

Or is it really as simple as just adding a couple of lines to `/root/.acme.sh/acme.sh.env`?! https://github.com/acmesh-official/...rdns-embedded-api-to-automatically-issue-cert

 

In fact, as I keep reading up on this. acme.sh does have a PowerDNS API plugin, but I prefer not to use the pdns-API as it only supports a single API key (without restriction, which is a major issue when all I need is a ddns update from a DMZ server) and it requires enabling the HTTP API (minor point, but still).

RFC-2136 is preferred, and it looks like the nsupdate plugin may work https://github.com/acmesh-official/acme.sh/wiki/dnsapi#7-use-nsupdate-to-automatically-issue-cert ?

 

Why do you want to use nsupdate when there is a plugin for your powerdns server which is definitely more easy and convenient? What really worries you?

Personally I prefer to use default plugin most of the case so do read again at: https://github.com/acmesh-official/...rdns-embedded-api-to-automatically-issue-cert

I did discuss the use of nsupdate with tsig key in my thread if you really need it but I do not advise to use it since there is a specific plugin for yours. I think powerdns server use mysql database like ISPConfig dns server so using nsupdate may face some conflicts.

 

I clearly really need to do my homework better! The API key can be tied to a specific domain*. Either I completely missed this a year ago, or it's been changed since, most likely I missed it...

[edit:] *) I use PowerDNS-admin which gives this granularity, PowerDNS on its own does not allow for this. On a technical level, PowerDNS-admin simply relays the API calls, adding a layer of security not present in PowerDNS's API implementation. Thus YMMV, depending on your implementation.

Thank you for your patience and comprehensive threads on this forum! So to use the plugin, do I just add the config lines to acme.sh.env and that's it?

 

How do I get ISPConfig to use `--dns dns_pdns` when it calls acme.sh?

Inspecting `/usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php` I see:

PHP:

        public function get_acme_command($domains, $key_file, $bundle_file, $cert_file, $server_type = 'apache') {
                global $app, $conf;

                $letsencrypt = $this->get_acme_script();

                $cmd = '';
                // generate cli format
                foreach($domains as $domain) {
                        $cmd .= (string) " -d " . $domain;
                }


                if($cmd == '') {
                        return false;
                }

                if($server_type != 'apache' || version_compare($app->system->getapacheversion(true), '2.4.8', '>=')) {
                        $cert_arg = '--fullchain-file ' . escapeshellarg($cert_file);
                } else {
                        $cert_arg = '--fullchain-file ' . escapeshellarg($bundle_file) . ' --cert-file ' . escapeshellarg($cert_file);
                }

                $cmd = 'R=0 ; C=0 ; ' . $letsencrypt . ' --issue ' . $cmd . ' -w /usr/local/ispconfig/interface/acme --always-force-new-domain-key --keylength 4096; R=$? ; if [[ $R -eq 0 || $R -eq 2 ]] ; then ' . $letsencrypt . ' --install-cert ' . $cmd . ' --key-file ' . escapeshellarg($key_file) . ' ' . $cert_arg . ' --reloadcmd ' . escapeshellarg($this->get_reload_command()) . ' --log ' . escapeshellarg($conf['ispconfig_log_dir'].'/acme.log') . '; C=$? ; fi ; if [[ $C -eq 0 ]] ; then exit $R ; else exit $C  ; fi';

                return $cmd;
        }

do I edit this file to add `--dns dns_pdns ` in the last line before `return $cmd;`?

 

Solved the puzzle. The missing piece was the Let's Encrypt registration. Trying to issue a cert manually gave me a hint.

Code:

sudo /root/.acme.sh/acme.sh --register-account -m [email protected]

 

I see. All I did was add the following to /root/.acme.sh/acme.sh.env. What am I missing, I thought ISPConfig defaulted to Letsencrypt?

Code:

export PDNS_Url="http://ns.example.com:8081"
export PDNS_ServerId="localhost"
export PDNS_Token="0123456789ABCDEF"
export PDNS_Ttl=60

 

The auth was requested when I manually tried to get the certs issued. Hence I figured I needed to register. Once done I was able to issue the cert from ISPConfig. But alas not a Let's Encrypt certificate. So I've gone back to the terminal en unregistered, then changed the default CA to LetsEncrypt like so:

Code:

`sudo su`
`cd /root/.acme.sh`
`./acme.sh --server letsencrypt --set-default-ca`
`exit`

Then went back to ISPConfig to turn SSL off then on again. And now it's working.

So the steps needed to switch to a plugin for acme is to first set the default CA, then add the desired plugin config to acme.sh.env.

 

Inspecting the log files, I'm not quite there yet. As issuing another cert for another domain and it's using HTTP-01 instead of DNS-01.

How do I nail acme.sh to use the pdns plugin?!

 

I already gave you the link above which clearly said that after you exported the required credentials, you run the basic command "./acme.sh --issue --dns dns_pdns -d example.com -d www.example.com". To note this command may be extendable. Of course before running all that you should already properly installed acme.sh and activated LE for the first time (which means create an account for it). But did you follow that?