Debian 11 and Let's Encrypt

Discussion in 'Installation/Configuration' started by iandoug, May 11, 2022.

  1. iandoug

    iandoug New Member

    Hi
    I see there are tons of messages regarding certs.
    I was following the Debian 10 set-up guide, and the acme.sh step failed.
    It was listed as "failing" for Debian this morning (and yesterday) but I see it is now "passing".
    https://github.com/acmesh-official/acme.sh
    I saw messages from the devs saying ISPConfig no longer uses acme.sh and to use the snap package instead.
    However, certbot's site only offers instructions for Debian 9, 10 and the "Testing" branch, which I assume became Debian 11.
    https://certbot.eff.org/instructions?ws=nginx&os=debiantesting
    Debian does offer certbot and python3-certbot-nginx
    Installing both seems to work. The server is a test server on the local LAN, so the cert is self-signed; I have not tried this on a live site yet.
    Are the devs still recommending the snap route, or are the Debian packages okay now?

    Thanks, Ian
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    For Debian 11, use ISPConfig autoinstaller. It supports Debian 11. I believe it uses acme.sh, since that is what ISPConfig recently started suggesting. If you want to use certbot, then the snap is the way to install it nowadays.
    If you install both certbot and acme.sh, that should lead to problems. If your server is on a local LAN and cannot be reached from the public Internet, then Let's Encrypt cannot be used. If you want to use LE, see https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case. You mix up certbot with acme.sh here. acme.sh is the recommended LE client for recent ISPConfig versions and gets used by the Debian 11 installer too: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/
    acme.sh is a shell script and gets installed by ISPConfig automatically. Certbot is the one that's not recommended anymore. When you still use certbot, then it's better to install it via snap, but this applies mainly to updating existing systems only anyway, as all new installs should use acme.sh.

    If it works at the moment, then you can keep it as it is. For ISPConfig, it does not matter how you install certbot.
     
  4. iandoug

    iandoug New Member

    Hi
    I am not using the auto-installer as I don't want or need everything.
    I actually tried the acme.sh route a few days back; it did not work. That's when I noticed it was marked as "failing" on GitHub.
    The script seems to be "fixed" frequently, which worries me. Also the hundreds of open issues.

    Maybe I misunderstood this message:
    https://www.howtoforge.com/community/threads/migrating-from-certbot-to-acme-sh.88501/#post-432617
    I see Till recommends acme.sh.

    I am going to redo the server from scratch and will try acme.sh and report.

    Thanks, Ian
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    You should use ISPConfig autoinstaller. You can prevent it from installing the parts you do not need, examine the options. It has --help to show currently implemented command line arguments.
     
    ahrasis and Th0m like this.
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I'd agree on your choice to redo from scratch, but do follow @Taleman's advice because it will really ease you a lot.

    As for why you should use acme.sh when installing a new server and only use snap to update an existing server that's already using certbot, I guess @till already explained it above.

    However, if you find that the ISPConfig installer help also gives choices as to what to install, including the LE client, please don't get confused but do read its note:

    As mentioned it is only to be used for migrating from an old server that uses certbot, so it is really not intended for new one.
     
  7. iandoug

    iandoug New Member

    My process has steps that are not in the Debian 10 guide and will probably not be in the auto-install.

    I will use acme.sh; the point is that when I tried it a few days ago it was broken. At their end. Auto-install would have had the same problem.

    Thanks for all the help and suggestions.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Please be aware that this might be the reason for the issue as well: your steps might just not be fully compatible with ISPConfig 3.2.

    While it's possible of course, it is very unlikely, as we would have seen many more reports in such a case; there are hundreds of ISPConfig installs a day. The more likely reason is that no LE cert could be issued due to other issues like problems with the DNS setup of the hostname or similar. You should check acme.sh.log for details; the Let's Encrypt error FAQ might also help to identify the issue: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
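    Taleman's point above that a server which cannot be reached from the public Internet cannot get a Let's Encrypt certificate, and till's advice to check the hostname's DNS setup and acme.sh.log, can be turned into a small pre-flight check. The script below is an added example, not code from this thread, from ISPConfig or from acme.sh: it flags a hostname that has no A record or resolves to a private address, and counts failure lines in an acme.sh log. The log path /var/log/ispconfig/acme.sh.log is the one a later post in this thread mentions; the error markers and the sample log lines are constructed assumptions, and the live DNS check assumes dig is installed.

```shell
#!/bin/sh
# Added example, not code from the thread, ISPConfig or acme.sh. It checks the
# two failure causes named in the thread: a hostname that resolves to a private
# address (Let's Encrypt validators cannot reach it) and errors left behind in
# acme.sh.log. Log path, error markers and sample log lines are assumptions.

ACME_LOG=${ACME_LOG:-/var/log/ispconfig/acme.sh.log}   # path mentioned in the thread

# Succeed when the IPv4 address is private (RFC 1918), loopback or link-local,
# i.e. an address that Let's Encrypt's validation servers can never reach.
is_private_ipv4() {
    case "$1" in
        10.*|127.*|169.254.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the server hostname with dig (Debian package bind9-dnsutils) and
# refuse missing or private addresses. Needs network access, so it only runs
# when a hostname is passed on the command line.
check_hostname_public() {
    name=$1
    addr=$(dig +short A "$name" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if [ -z "$addr" ]; then
        echo "FAIL: $name has no A record; LE validation cannot find the host" >&2
        return 1
    fi
    if is_private_ipv4 "$addr"; then
        echo "FAIL: $name resolves to $addr, which is not reachable from the Internet" >&2
        return 1
    fi
    echo "OK: $name resolves to public address $addr"
}

# Count log lines that mark a failed issuance. The markers are strings acme.sh
# prints on failure (assumption: extend the list for your acme.sh version).
count_acme_errors() {
    grep -c -E 'Verify error|Sign failed|Error creating' "$1" || true
}

# Print the most recent failure line; it usually names the real cause
# (DNS, firewall, wrong webroot) that the LE error FAQ walks through.
last_acme_error() {
    grep -E 'Verify error|Sign failed|Error creating' "$1" | tail -n 1
}

# Constructed sample log so the log checks can be exercised offline.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
[Wed May 11 10:00:01 UTC 2022] Installing to /root/.acme.sh
[Wed May 11 10:05:12 UTC 2022] Getting webroot for domain='www.example.com'
[Wed May 11 10:05:14 UTC 2022] Verify error:DNS problem: NXDOMAIN looking up A for www.example.com
[Wed May 11 10:05:14 UTC 2022] Please check log file for more details: /var/log/ispconfig/acme.sh.log
EOF

echo "sample log: $(count_acme_errors "$SAMPLE_LOG") failure line(s)"
echo "last failure: $(last_acme_error "$SAMPLE_LOG")"

# With a hostname argument, run the live DNS check and inspect the real log.
if [ -n "${1:-}" ]; then
    check_hostname_public "$1"
    [ -r "$ACME_LOG" ] && echo "real log: $(count_acme_errors "$ACME_LOG") failure line(s)"
fi
```

    Run it as `sh le-preflight.sh server1.example.com` on the box before installing ISPConfig: if the hostname check fails, no LE client will be able to issue a certificate, whichever one you install, and the last failure line in the log is what to look up in the FAQ.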
     
  9. iandoug

    iandoug New Member

    When I did the install, it (the acme.sh step) failed before I got to ISPConfig. At the time the GitHub repo had the Debian build as Failing.

    While I'm on the topic, during the set-ups you have to enter the same info several times to create certs. It would be nice if this could be entered once in a text file, and then just fed to the scripts. Probably not easily doable :-(.

    Cheers, Ian
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    You won't get asked these details when a working LE client (no matter if acme.sh or certbot) is installed, and continuing installation without meeting system requirements for ISPConfig will result in failures anyway, so you might. And it's so rare, maybe one of a few thousand users might see them at all, that it's not worth changing it. And you should not have continued at that point anyway as this meant installing ISPConfig without meeting its system requirements, having an LE client is not optional.
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Details? It looks more like LE cannot obtain LE certs and is therefore trying to create self-signed certs, which normally will request details, if that's the problem you faced while trying the autoinstaller.

    You should however note that the ISPConfig autoinstaller only works on a clean OS install, and for LE failures you should really check the FAQ as @till suggested above.
     
  12. Hello,
    I've read this thread and a lot of others and I'm not finding any answers. I had a meltdown of a system caused by a filesystem problem in a Dovecot mailbox. Copying the backup VM into place failed due to a hardware failure. So I was left re-installing ISPConfig from scratch. I'm on Debian 11 and ISPConfig 3.2.8p1. My last installation used letsencrypt and worked really well. This one is broken out of the box.

    Acme.sh installed as per the perfect server instructions (which I have some problems with, as some of the instructions are very poor) and signed the ISPConfig interface properly and is working fine. I checked in /root/.acme.sh and sure enough there's the folder.

    Since I've had to start this install from scratch and then overlay data back onto websites, etc., I have to create the websites by hand. I've been creating them, but signing them with acme.sh is failing. When I check /var/log/ispconfig/acme.sh.log there is nothing in it past the install. I don't think acme.sh is getting kicked off at all. How do I troubleshoot this?
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As said again and again above, follow the mentioned LE FAQ to troubleshoot, one by one.
     
  14. OK. Bigger issues. I have other issues relating to DNS. Another thread. Bookmarking this.
     
  15. Got it working. It's not logging anything anywhere. Acme hasn't logged anything since it installed. But then I'm starting over again. I have better notes this time.
     
  16. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Enable server debugging and see what is output when a certificate is attempted to be setup for a site.
     
  17. I had big troubles with DNS and getting things to resolve. All related to configurations and versions. I still have this trouble, but am now trying to solve Postfix not sending a banner. Different thread.
     
  18. OK, I gave up, ripped out PowerDNS, held my nose and installed bind9, and recreated zones, thinking that this all had something to do with the plugin. I also reinstalled acme.sh, then reconfigured services. Bind is working properly. I can see it calling the letsencrypt script in the logs, but that's it: there is no output, and the one cert it does have from the install shows up during the renewal runs.
     
  19. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Enable server debugging and run server.sh manually with an SSL cert creation pending.
     
  20. Hi, I'm still working on this. It has taken this long to get the server back to where it was due to hardware failures, etc. I am sort of a curmudgeon when it comes to all of this. I have opinions about bind v PowerDNS. I'll say this: large DNS providers are not running bind. They run something custom or they run PowerDNS. PowerDNS is not subject to the variety of attacks that bind is subject to. PowerDNS is way more scalable and robust. I can go into my adventures with PowerDNS if you'd like, but the architecture by which DNS (both PowerDNS and bind) is managed by ISPConfig needs serious architectural reworking, especially bind. However, I love the DNS templates work. Compared to most anything else, they are seriously cool.
    I digress. I still need to get a new machine built, but this one is up to date on Debian 10 (actually Devuan Beowulf, no systemd) and the old letsencrypt. I will work on the migration to acme.sh, but this is working for the moment. It's been updated since all of Debian 9 and PHP 7.0. Time to migrate to a clean machine.
    Next question will be on the migration tool forum.

    Thanks for your help.
    Curtis
     
    Th0m likes this.
