acme.sh ECC suffix

Discussion in 'Installation/Configuration' started by erikcas, Jan 29, 2023.

Thread Status:
Not open for further replies.
  1. erikcas

    erikcas New Member

    I noticed, on a clean automated install on a fresh Debian 11 (hetzner cloud) today, acme.sh sets the "ECC_SUFFIX". So the certificate ends up in "/root/.acme.sh/<domain>_ecc", instead of "/root/.acme.sh/<domain>"

    ISPConfig installer_base.lib.php does not seem to be able to handle this suffix, if I am right. When running ispconfig_update.sh, a self-signed certificate is created by the script.

    I tried to set it as an alternative for hostname in letsencrypt_renew_hook.sh:
    Code:
    elif [ -d "/root/.acme.sh/${hostname}_ecc" ] ; then
            lelive="/root/.acme.sh/${hostname}_ecc" ;
    But that was not a solution.
    Only when I hard-set ECC_SUFFIX="" in /root/.acme.sh/acme.sh is the issued certificate used by ISPConfig. This seems an unwanted workaround to me. In my opinion, the suffix needs to be detected in installer_base.lib.php?
     
    Last edited: Jan 29, 2023
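The suffix-aware lookup erikcas tried in letsencrypt_renew_hook.sh, worked out as a stand-alone POSIX sh function; this is an added example, not code from the thread or from ISPConfig. It assumes acme.sh's usual per-domain layout (fullchain.cer and <hostname>.key inside the directory) and builds a constructed sample directory tree to run against.

```shell
#!/bin/sh
# Added example, not from the thread or ISPConfig's hook script.
# Resolves the acme.sh certificate directory for a hostname, tolerating
# acme.sh's ECC_SUFFIX, and insists on a complete cert (chain + key) so a
# leftover or empty "<hostname>" directory does not shadow the "_ecc" one.
# Assumed layout (acme.sh default): <dir>/fullchain.cer, <dir>/<hostname>.key

# acme_cert_dir HOSTNAME [ACME_HOME]
# Prints the first directory holding both files: "<hostname>" is preferred,
# "<hostname>_ecc" is the fallback. Returns 1 if neither is usable.
acme_cert_dir() {
    acd_host="$1"
    acd_home="${2:-/root/.acme.sh}"
    for acd_dir in "$acd_home/$acd_host" "$acd_home/${acd_host}_ecc"; do
        if [ -s "$acd_dir/fullchain.cer" ] && [ -s "$acd_dir/$acd_host.key" ]; then
            printf '%s\n' "$acd_dir"
            return 0
        fi
    done
    return 1
}

# Constructed sample ~/.acme.sh (not a real install) covering three cases:
#  rsa.example: both dirs complete, the non-ECC one must win
#  ecc.example: an empty "ecc.example" dir (which a plain "-d" test would
#               accept) plus a complete "ecc.example_ecc" dir
#  none.example: no directory at all
make_sample_home() {
    msh_home=$(mktemp -d)
    for msh_dir in rsa.example rsa.example_ecc ecc.example_ecc; do
        msh_host="${msh_dir%_ecc}"
        mkdir -p "$msh_home/$msh_dir"
        printf 'CONSTRUCTED CHAIN\n' > "$msh_home/$msh_dir/fullchain.cer"
        printf 'CONSTRUCTED KEY\n' > "$msh_home/$msh_dir/$msh_host.key"
    done
    mkdir -p "$msh_home/ecc.example"
    printf '%s\n' "$msh_home"
}

# Stand-alone demo: print which directory each hostname resolves to.
demo_home=$(make_sample_home)
for h in rsa.example ecc.example none.example; do
    if d=$(acme_cert_dir "$h" "$demo_home"); then
        echo "$h -> $d"
    else
        echo "$h -> no complete certificate found"
    fi
done
rm -rf "$demo_home"
```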
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    So you did not manually install acme.sh nor change its config? Then this must be a new behavior in acme.sh as it still worked a few days ago when I installed my last ISPConfig system. So yes, if acme.sh changed the way it works and stores SSL certs, then we might have to adjust the ISPConfig code.
     
  3. erikcas

    erikcas New Member

    Hi Till,
    no, I did not modify any of the acme.sh config. The only thing I had changed is the isp_config port in the ispconfig-autoinstaller (lines 1928 and 1972 of lib/os/class.ISPConfigDebianOS.inc.php, as I use Jenkins on port 8080). I am (almost 100%) sure that does not interfere with acme.sh or its config.

    If you like, I can set up a test server with an unmodified autoinstaller to be 100% sure. Let me know, and if yes, are there particular logs I can take?

    edit: doing that test anyway atm, as I need to be sure for myself
     
  4. erikcas

    erikcas New Member

    On the vanilla installer, immediately after the installer ends, the certificate folder is in the _ecc dir.
    Used commands and truncated output, with of course changed credentials:
    Code:
    hostname: test.it-cas.nl
    
    git clone https://git.ispconfig.org/ispconfig/ispconfig-autoinstaller.git
    cd ispconfig-autoinstaller/
    ./ispc3-ai.sh
    <logging>
    ....
    ....
    [INFO] Installing acme.sh (Let's Encrypt).
    [INFO] acme.sh (Let's Encrypt) installed.
    ....
    ....
    [INFO] Your ISPConfig admin password is: welcome01
    [INFO] Your MySQL root password is: welcome02
    [INFO] Warning: Please delete the log files in /root/ispconfig-autoinstaller/var/log/setup-* once you don't need them anymore because they contain your passwords!
    root@test:~/ispconfig-autoinstaller# ls /root/.acme.sh/
    account.conf  acme.sh  acme.sh.env  ca  deploy  dnsapi  http.header  notify  test.it-cas.nl_ecc
    root@test:~/ispconfig-autoinstaller# ls -lart /root/.acme.sh/
    total 260
    drwx------ 5 root root   4096 Jan 29 20:43 ..
    -rw-r--r-- 1 root root     78 Jan 29 20:43 acme.sh.env
    -rwxr-xr-x 1 root root 221225 Jan 29 20:43 acme.sh
    drwxr-xr-x 2 root root   4096 Jan 29 20:43 dnsapi
    drwxr-xr-x 2 root root   4096 Jan 29 20:43 deploy
    drwxr-xr-x 2 root root   4096 Jan 29 20:43 notify
    drwxr-xr-x 3 root root   4096 Jan 29 20:46 ca
    drwx------ 7 root root   4096 Jan 29 20:46 .
    drwxr-xr-x 3 root root   4096 Jan 29 20:46 test.it-cas.nl_ecc
    -rw-r--r-- 1 root root   1306 Jan 29 20:46 http.header
    -rw-r--r-- 1 root root    293 Jan 29 20:46 account.conf
    edit: this was done on a fresh Debian 11 install on a Hetzner CX11 cloud VPS using Hetzner's Debian 11 image
     
    Last edited: Jan 29, 2023
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Thank you for the tests. So acme.sh must have changed something recently. We'll look into this and see what's the best way to solve this. I'll create an issue in the ISPConfig issue tracker.
     
  6. erikcas

    erikcas New Member

    I will test Ubuntu 22.04 as well tomorrow. I will check the issue tracker and add my findings there.
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I would suggest ISPConfig use its own path from now on, which can be set via the acme.sh command. If that is attended to, do review the acme.sh install command, which is basically just a copy command that you do not need to do, since it will double the certs' storage size: one in acme.sh and one in ISPConfig and the website's SSL folder respectively. Merely symlinking from the original folder to the SSL folder should suffice IMHO.
     
    Gwyneth Llewelyn likes this.
  8. erikcas

    erikcas New Member

    Last edited: Jan 30, 2023
    till and ahrasis like this.
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, most likely the problem can be solved by not relying on the default key length at all but always specifying a key length (without ecc). And the issue must exist on any OS in ISPConfig as acme.sh is downloaded from its website directly and updated, so the acme.sh version is the same on all OS. I'll look into the issue this morning and try to provide a fix.
     
    ahrasis and erikcas like this.
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    ahrasis and erikcas like this.
  11. erikcas

    erikcas New Member

    Gwyneth Llewelyn, ahrasis and till like this.
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    ahrasis likes this.
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    Using the auto-installer with the command line option:

    --channel=dev

    should result in a working acme.sh LE cert now. It is getting late here, so I'll do a test install tomorrow if nobody reports success for the fix in the meantime.
     
    ahrasis, erikcas and Taleman like this.
  14. erikcas

    erikcas New Member

    Tested with a fresh image and install, now working as expected. Thanks @till!
     
    ahrasis and till like this.
  15. stargazer

    stargazer Member HowtoForge Supporter

    Just FYI, I ran into the same issue and was able to resolve it with the following:
    Code:
    ln -s /root/.acme.sh/domain.name_ecc /root/.acme.sh/domain.name
    I then reran update_ispconfig.sh --force and it worked.
    A quick workaround if someone needs to get it up fast before the fix comes out in stable.
     
    Gwyneth Llewelyn, till and ahrasis like this.
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Nice idea, but basically, others won't need that trick approach since the new version 3.2.9p1 is already out, fixing this problem.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Deleting the domain_ecc folder is still needed for anyone who installed his system before 3.2.9p1 was released, as it seems that acme.sh will not reissue a cert for a domain without ecc when there is already a cert with ecc for the same domain, it just says that there is a cert and no update is needed.
     
    Th0m and ahrasis like this.
  18. mIKTHAM

    mIKTHAM New Member

    I am still using:
    This Version: 3.2.4
    If I update to the following new version:
    New Version : 3.2.9p1
    will it trouble my CentOS 7 operation?
     
  19. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    3.2.9p1 still supports CentOS 7, so upgrading should not result in any problems, unless you have custom modifications that ISPConfig overwrites.
     
    mIKTHAM likes this.
  20. mIKTHAM

    mIKTHAM New Member

    thanks for your info buddy
     