Acme.sh validation through ISPConfig dns API

Discussion in 'Tips/Tricks/Mods' started by remkoh, Oct 8, 2021.

  1. remkoh

    remkoh Active Member

    I have multiple websites on non-standard http ports or not publicly accessible using my own domain for which I run my own nameservers.
    All with several ISPConfig servers.

    ISPConfig's default certbot with webroot validation is giving me no joy if I want to enroll certificates for those websites.
    But Acme.sh has the ability to validate using the ispconfig dns api.

    That's why on one of my webservers I substituted certbot by acme.sh.
    Enrolling certificates still work.
    Big question is: how can I get ISPConfig to use the ispconfig dns api instead of webroot?

    This also would be a nice feature in future versions of ISPConfig.
    Giving ISPConfig users the ability to set the validation method in Server Configuration for example.
    And then maybe not only ISPConfig dns API but also a bunch of other dns API's supported by Acme.sh.
     
    Gwyneth Llewelyn likes this.
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    For the time being, you can try using proxy to issue LE certs for that websites of yours or manually obtain the LE certs using dns challenge.

    Or, if you are brave enough, in the git link given above, there is a short how-to-do-it code that I wrote, which basically work when use with certbot the last time I tested them.

    They are doable but are neither of utmost importance nor of highest urgency, so I think you may not see them in years to come unless the status is changed.
     
  4. remkoh

    remkoh Active Member

    :( That feature request exists a few years now.
    So implementation any time soon seems unlikely I guess.

    Also I had probleems with --dns-ispconfig in certbot (not updating serial) I see mentioned.
    Which is why I switched to acme.sh.

    For now I make a website public on default web ports to enroll the certificate and afterwards change it back to ports and access the way I want.
    Then I change the certificate's config file to dns validation so that will be used when the certificate gets renewed.

    It's a usable workaround but I realy don't like the fact I need to make the websites temporarily public and would prefer changing ISPConfig so dns validation is used from the get go.
    Only I have no clue where to look.
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That plugin or command does not exist. For certbot with ISPConfig dns server you have to use the one mentioned in here: https://github.com/m42e/certbot-dns-ispconfig
     
  6. Steini86

    Steini86 Active Member

    Either you wait until the feature request is through. Or you hack something. Depends on how automated you want to have it. ;-)
    The good thing is that acme.sh and ispconfig are well separated. If you make a new cert in ISPC, it just calls the acme.sh api and lets it run. So for existing configurations, you can just change the config to dns challenge and ISPC will not care.

    If you want to have it for new certs, you can patch file /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php in line 77 and add "--dns dns_ispconfig"
    Don't forget to set the environmental variables (after creating the appropriate remote user)
    Code:
    # export ISPC_User="remoteUser"
    # export ISPC_Password="remotePassword"
    # export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"
    (or directly write them to ~/.acme.sh/account.conf)
    See https://github.com/acmesh-official/acme.sh/blob/master/dnsapi/dns_ispconfig.sh
    and https://github.com/acmesh-official/acme.sh/wiki/dnsapi Number 12
    for documentation.

    If there are only a few domains that you want to use with dns challenge, then adjust the config file and recreate the cert via "acme.sh --renew -d example.com --force"
    (Untested, but you could try to set in your acme.sh config file Le_Webroot='dns_ispconfig' and try a renew)
    You have to do this for every domain just once, ISPC will (currently) not overwrite this.
     
    ahrasis, Gwyneth Llewelyn and remkoh like this.
  7. remkoh

    remkoh Active Member

    That was exactly what I was looking for.
    Thanks! Works like a charm when enrolling a new certificate.

    Adjusting the config file and manually renewing as you mention to test it is precisely what I did up until now.
     
    Last edited: Oct 10, 2021
    Steini86 likes this.

Share This Page