Hello, I have multiservers set up : 2 servers ns1 and ns2, with ubuntu 20.04 and ispc3.2 I install both in 2 steps : 1st w/o certs. Next I set up my DNS inside ispc. And finally I implement certs by php -q update. I have one server with web interface = ns1. One w/o = ns2 I run ispc web interface : cert is OK. I install monit, tests both with success with 'monit status' command. I open ports and try to open it in browser. It works well on ns1.domain.tld:2812 But impossible to open ns2.domain.tld:2812. Firefox tells me "impossible to open ns2 with ns1 cert" ! (it's a sum up of the message ) extract of monitrc file on ns2 : " set httpd port 2812 and SSL ENABLE PEMFILE /etc/ssl/private/pure-ftpd.pem use address "my IP address removed for confidentiality" allow 0.0.0.0/0.0.0.0 allow admin:myPassword " I am thinking, I will have same concern with pure-ftd on ns2 as monit is linked with it certs... Any workaround ? Should I have web interface on all servers ?
1. Only if you need to access via browser from that server. 2. Monit can also be accessed via cli but you have to be familiar with it. 3. Pure-ftpd is not really necessary for non-webserver as ssh is normally already available and accessible.
In that case, my understanding is that, I don't have postfix and pure-ftpd certs (on other servers as said by aharasis...) My idea was to have n web servers and n mail servers with the same ISPconfig set up.
I will not run ispc from several server for same conf. but, having ispc web interface on a server, is a way to have a cert on my serveur ! It is a better way to simply ask cert for my server !
And then you can follow https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
This is not true since ISPConfig 3.2 already capable of allowing you to secure your non-web server with LE SSL certs.
As a summary, the appropriate approach is to create ns1.domain.tld and ns2.domain.tld with ispconfig and to secure them with LE certs and next, when needed to create symlinks for pureftpd, postfix, monit, etc... I'll do then
Ahrasis noted it should work with non-panel servers in 3.2. I wasn't aware of that, but if so, it's not necessary to create a web for it
I guess everybody should check the ISPConfig 3.2 release notes which already say: ISPConfig 3.2 uses webroot parameter for web server and standalone parameter for non-web server in order to request LE SSL certs for the above-mentioned services in that server, if there is any, during ISPConfig install or update, with Neilpang acme.sh and official LE clients both supported. Auto renewal, auto recreation of ispserver.pem and restarting of all services are also included i.e. via hook (script) files and they are also customizable.
I am back to my initial message. On ns2, I have pure-ftdp.pem symlink with ispserver.pem. lrwxrwxrwx 1 root root 48 Nov 10 23:17 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem and monit, linked with /etc/ssl/private/pure-ftpd.pem (see monitrc above) When I open monit in my browser "ns2.domain.tld:2812", it says : cert error. When I open the cert, I see "ns1.domain.tld" cert ! My conclusion, is that when it request certs for ns2, it uses ns1... very strange !?
In ns2.domain.tld, do check what is the result of hostname -f (as it must be ns2.domain.tld) and ls -lah /usr/local/ispconfig/interface/ssl/ispserver.crt (as it must be symlinked to /etc/letsencrypt/live/ns2.domain.tld/fullchain.pem).
