Additional Domains To Existing ISPConfig LE SSL Certs

Discussion in 'Developers' Forum' started by ahrasis, Jan 11, 2021.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Basically I am extending a discussion from a thread in here where I noted that there are various requests or questions to add domain(s) to the existing ISPConfig LE SSL certs, which can now be issued automatically during install or update.

    After a revisit, I think some modifications may be made to the following code to include them:
    Code:
    //* Get hostname from user entry or shell command */
    if($conf['hostname'] !== 'localhost' && $conf['hostname'] !== '') {
       $hostname = $conf['hostname'];
    } else {
       $hostname = exec('hostname -f');
    }
    
    and
    Code:
    if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
       // Web server present: answer the HTTP-01 challenge from the ISPConfig interface webroot
       exec("$acme --issue -w /usr/local/ispconfig/interface/acme -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
    }
    // Else, it is not webserver, so we use standalone
    else {
       // No web server: let acme.sh bind port 80 itself for the challenge
       exec("$acme --issue --standalone -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
    }
    
    and
    Code:
    if($conf['nginx']['installed'] == true || $conf['apache']['installed'] == true) {
       // certbot with the webroot authenticator; the registration email is postmaster@<hostname>
       exec("$le_client $certonly $acme_version --authenticator webroot --webroot-path /usr/local/ispconfig/interface/acme --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $renew_hook", $out, $ret);
    }
    // Else, it is not webserver, so we use standalone
    else {
       // certbot standalone authenticator (binds port 80 itself)
       exec("$le_client $certonly $acme_version --standalone --email " . escapeshellarg('postmaster@' . $hostname) . " -d " . escapeshellarg($hostname) . " $hook", $out, $ret);
    }
    
    One of the issues to consider for this to work, I think, is that we need a file where admins may list their additional domain names so they can be checked and added when issuing the LE SSL certs. For now I am thinking of additional_domain.hostname.master in our default /conf-custom/install/; however, that would not cover issuance during the install process, though it may work in the update process. I would suggest the server admin create the file in the /user/local/temp folder before install to resolve this issue.

    Another issue is that acme.sh doesn't have any specific way to add a domain, as discussed in various LE community forums as well as the acme.sh GitHub, except by two ways: one is to modify the server hostname FQDN acme.sh conf, insert additional domains in Le_Alt='' and force renew, as mentioned here. The other is to remove the current certs and issue a new one with the additional domains. I haven't properly read and understood the way acme.sh in ISPConfig 3.2 appends them for websites, but I guess it works in about the same way; the latter method is preferred.

    One other unconnected issue to note is the previous ISPConfig 3.1 non-hook / incron approach for the LE SSL certs, which I would suggest should be overcome by removing / deleting the existing certs if no prescribed hook exists in the server certs renewal conf, so a standard can be maintained instead of mixing the hook and incron approaches. I will try to include this as well, if all are agreeable that is.

    I will pause to get comments and feedback before attempting to rewrite the above code as it feels better if this can be worked out.
     
  2. Bocki

    Bocki Member HowtoForge Supporter

    Thanks for taking this up!
    But shouldn't there be an option in the web GUI to specify additional names instead of a file in the file system? And, doing so, could you add the possibility to specify the notification e-mail address for Let's Encrypt, too? Just my thoughts on that matter...
     
    ahrasis likes this.
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I personally prefer that the general structure be agreeable to all, in the GUI (which basically means it will be in the master database) or in the CLI, so it doesn't matter to me which approach to use so long as it is agreeable, because as I said, the coding part is not so hard, I think.

    I already went on researching how to properly add this via CLI, but so far I still see /usr/local/temp/ as the pre-install location and /conf-custom/install/ as the pre-update location for the yet-to-be-properly-named file (maybe additional_server_fqdn.master?) as the best for now.

    I am not sure whether this is better added in the GUI compared to CLI but I personally do not prefer it to be added in there.

    About the email, I remember adding the email in the code but it was removed when it was re-written and improvised for acme.sh (still there for certbot though, i.e. [email protected]), but I will look into adding it back together with this, once the general structure is agreed, as writing it now will waste a lot of time if the general structure is not finalized and keeps changing.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I was reading a lot on /etc/hosts in here and other articles / discussions and was thinking that this could be the right place for multiple FQDNs for a server.

    If there is no fixed ip for the server, the default will be 127.0.1.1, so the idea is to put one or more FQDN in an ISPConfig server in the /etc/hosts file like this:
    Code:
    ispc.server.fixed.ip    server1.example.com    web.example.com    db1.example.com    mail.example.com   ns1.example.com    ftp.example.com
    
    Meaning, the code should get the ISPConfig server's fixed ip, then get all FQDNs on that ip line, then add them to the request for issuance of the LE SSL certs for the server.

    Maybe this is the best, but I am not so sure, so I'll be needing more response and feedback regarding this before pursuing further.
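    The /etc/hosts idea above, and the multi-domain issue command from the first post, worked through as an added example (not ISPConfig's own installer code): it collects every fully-qualified name on the line for the server's fixed IP, drops short aliases and invalid labels, and emits one quoted `-d` per name. The hosts content and the IP 203.0.113.10 are constructed sample data; a real installer would read /etc/hosts and take the IP from $conf. Note that acme.sh fails the whole order if the challenge for any one name fails, so every name listed must actually point at this server.

```php
<?php
// Added example, not ISPConfig code. Collect FQDNs from the /etc/hosts line(s)
// of a given IP and build the acme.sh -d arguments for a single multi-SAN cert.

function fqdns_for_ip(string $hosts_content, string $ip): array {
    $names = [];
    foreach (preg_split('/\R/', $hosts_content) as $line) {
        $line = trim(preg_replace('/#.*$/', '', $line));   // strip comments
        if ($line === '') {
            continue;
        }
        $fields = preg_split('/\s+/', $line);
        if (array_shift($fields) !== $ip) {               // first field is the address
            continue;
        }
        foreach ($fields as $name) {
            // Short aliases like "server1" cannot go into a public certificate.
            if (strpos($name, '.') === false) {
                continue;
            }
            // Reject anything that is not a syntactically valid hostname.
            if (filter_var($name, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
                continue;
            }
            $names[strtolower($name)] = true;             // dedupe, keep first-seen order
        }
    }
    return array_keys($names);
}

function acme_domain_args(array $names): string {
    // One escaped -d per name; the first name becomes the certificate's primary subject.
    return implode(' ', array_map(function ($n) {
        return '-d ' . escapeshellarg($n);
    }, $names));
}

// Constructed sample hosts file; 203.0.113.10 stands in for the server's fixed IP.
$sample_hosts = <<<'HOSTS'
127.0.0.1       localhost
127.0.1.1       server1    # not the fixed address, ignored
203.0.113.10    server1.example.com    web.example.com    db1.example.com server1
203.0.113.10    mail.example.com ns1.example.com  ftp.example.com
::1             ip6-localhost ip6-loopback
HOSTS;

$names = fqdns_for_ip($sample_hosts, '203.0.113.10');
// $names: server1.example.com, web.example.com, db1.example.com,
//         mail.example.com, ns1.example.com, ftp.example.com

// Same shape as the installer's webroot call, with several -d instead of one.
$acme = '/root/.acme.sh/acme.sh';   // assumed path, as in a typical acme.sh install
echo "$acme --issue -w /usr/local/ispconfig/interface/acme " . acme_domain_args($names) . "\n";
```

    The function is deliberately strict about what it accepts from /etc/hosts: the file is root-writable config, but a stray alias or a typo on that line would otherwise turn into a failed ACME order for the whole server certificate.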
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The installer already reads and writes some conf file where you can set some values, seems like that would be a good place to store a list of hostnames?

    Allowing to specify an email address is easy enough - have you tested what happens when that address is changed? I.e. in both certbot and acme.sh, can you update existing certificates, or do you have to issue new requests?
     
    ahrasis likes this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes, I will check deeper on it as I am not sure on certain things:
    1. Whether it accommodates storing a list of hostnames?
    2. Whether it can be used during an install, other than during an update?

    Yes, this actually is quite easy, except that in the code we did specify the email in certbot, but not in acme.sh, which I think we should, and I already have an MR for that one alone.
     
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    This should be something that can be stored right in /usr/local/ispconfig/server/lib/config.inc.php. That's just straight php code, so you could store a list (eg. hostnames separated by comma and/or whitespace), and it is already read by and written by the installer. You could additionally read from an environment variable in the installer, but the value still needs to be stored, and read the next time (so config.inc.php should work).

    I'd expect it to work like: if someone wants to set a default list of names before starting install, either set the appropriate env var or add a line item to config.inc.php with them. When the installer runs, default to the env value if set, otherwise the config.inc.php value if that's set, otherwise $(hostname -f). Then prompt asking if the list of hostnames to be included in the server certificate should be changed (and display the current value). After possibly reading a new list interactively, attempt to request the certificate with those names. If the certificate request is successful, ensure the list of names gets saved to config.inc.php.

    That's pretty straightforward, the interesting parts are how to handle exceptions. Should the installer respect the server config setting to resolve names or not, and only include names which can be resolved? Should it simply try and if it fails, prompt to supply a new list of names? Or fail and go straight to rolling back the previous cert (if any), else go self-signed? And if it fails, do you write the list of hostnames (which just failed) to config.inc.php? Or do you leave the previous value?
     
    ahrasis likes this.
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Another item to consider is how to normalize international domain names, both when reading interactively and when storing/reading from config.inc.php.
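    The flow Jesse lays out two posts up (env var, then config.inc.php, then `hostname -f`; request; persist only on success), together with the IDN normalisation raised here, as an added example rather than ISPConfig's own installer code. The env var name ISPCONFIG_SSL_HOSTNAMES, the $conf key server_ssl_hostnames, the $check_dns flag and the $issue callable are all assumptions for illustration; the IDN step relies on PHP's intl extension and is skipped when it is not loaded, in which case non-ASCII names are simply rejected.

```php
<?php
// Added example, not ISPConfig code. Resolve, normalise and persist the list of
// hostnames for the server certificate. Names assumed: ISPCONFIG_SSL_HOSTNAMES
// (env var), $conf['server_ssl_hostnames'] (config key), $issue (callable).

function parse_hostname_list(string $raw): array {
    // Accept names separated by commas and/or whitespace (the config.inc.php format suggested above).
    $parts = preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
    $names = [];
    foreach ($parts as $p) {
        $p = strtolower(trim($p, " \t\n\r\0\x0B."));   // drop trailing dots, case-fold
        if (function_exists('idn_to_ascii')) {
            // Normalise internationalised names to their ASCII (punycode) form, so the
            // same name typed interactively or read from config compares and stores identically.
            $ascii = idn_to_ascii($p, IDNA_DEFAULT, INTL_IDNA_VARIANT_UTS46);
            if ($ascii === false) {
                continue;                                 // invalid IDN label, drop it
            }
            $p = $ascii;
        }
        // FILTER_FLAG_HOSTNAME only accepts ASCII labels, so un-normalised IDNs are rejected here.
        if (filter_var($p, FILTER_VALIDATE_DOMAIN, FILTER_FLAG_HOSTNAME) === false) {
            continue;
        }
        $names[$p] = true;                                // dedupe, keep order
    }
    return array_keys($names);
}

function default_hostnames(array $conf): array {
    // Precedence: environment variable, then stored config value, then hostname -f.
    $env = getenv('ISPCONFIG_SSL_HOSTNAMES');             // assumed variable name
    if ($env !== false && trim($env) !== '') {
        return parse_hostname_list($env);
    }
    if (!empty($conf['server_ssl_hostnames'])) {          // assumed config key
        return parse_hostname_list($conf['server_ssl_hostnames']);
    }
    return parse_hostname_list((string) exec('hostname -f'));
}

function resolvable_only(array $names): array {
    // Optional filter for the "only include names which can be resolved" variant.
    return array_values(array_filter($names, function ($n) {
        return checkdnsrr($n, 'A') || checkdnsrr($n, 'AAAA');
    }));
}

function request_server_cert(array &$conf, array $names, callable $issue, bool $check_dns): bool {
    if ($check_dns) {
        $names = resolvable_only($names);
    }
    if (empty($names)) {
        return false;   // nothing to request; caller keeps the previous cert or goes self-signed
    }
    $args = implode(' ', array_map(function ($n) {
        return '-d ' . escapeshellarg($n);
    }, $names));
    $ok = (bool) $issue($args);
    if ($ok) {
        // Persist only a list that was actually issued, so a failed attempt never
        // overwrites the last known-good value in config.inc.php.
        $conf['server_ssl_hostnames'] = implode(',', $names);
    }
    return $ok;
}

// Usage with a stub issuer that prints the arguments instead of running acme.sh.
$conf = ['server_ssl_hostnames' => 'server1.example.com, bücher.example.com server1.example.com'];
$names = default_hostnames($conf);
// With intl loaded: ['server1.example.com', 'xn--bcher-kva.example.com'] (deduped, IDN to ASCII)
$ok = request_server_cert($conf, $names, function (string $args): bool {
    echo "acme.sh --issue -w /usr/local/ispconfig/interface/acme $args\n";
    return true;
}, false);
echo $ok ? "stored: {$conf['server_ssl_hostnames']}\n" : "issue failed, config unchanged\n";
```

    The interactive prompt ("change the list of hostnames? current value: ...") is left to the installer's existing input helpers; whatever the admin types goes through parse_hostname_list() so that the interactive and stored paths see the same normalised names. Writing the updated $conf back to config.inc.php is likewise left to the installer's existing writer.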
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This part is already there in the installer lib. Others are great ideas, I'll go deep.
     
