Get letsencryt to include non-active subdomain

Discussion in 'Installation/Configuration' started by vortexbased, Oct 13, 2016.

  1. vortexbased

    vortexbased New Member

    I was wondering, how I could make the script that generates the letsencrypt certificates to include subdomains that are not marked as active?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The domain must be reachable from outside by letsencrypt, letsencrypt tests this by downloading a token from that website trough each domain that is in the cert, so the domain has to be active to include it into a letsencrypt ssl certificate.
  3. vortexbased

    vortexbased New Member

    Maybe better I explain what I am trying to achieve.
    Have a look at this URL panel[dot]protostation[dot]com
    I have managed to do this by modifying the master template (vhost.conf.master) to include this:
    # Add panel subdomain to all accounts
    <tmpl_if name='ssl_enabled'>
    <VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}>
      ServerName panel.{tmpl_var name='domain'}
      SSLProxyEngine On
      SSLProxyVerify none
      SSLProxyCheckPeerCN off
      SSLProxyCheckPeerName off
      SSLProxyCheckPeerExpire off
      ProxyVia off
      ProxyRequests off
      ProxyPreserveHost on
      ProxyPass  /  https://localhost:1155/
      ProxyPassReverse  /  https://localhost:1155/
    # Redirect unsecure to secure connection
    <VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}>
      ServerName panel.{tmpl_var name='domain'}
      Redirect 301 / https://panel.{tmpl_var name='domain'}/
    So, this way the subdomain exists and resolves to ISPConfig.

    Now, I just need to figure out how I can get letsencrypt to always include the subdomain "panel" when creating a certificate. From what you said, I am guessing it would be better to NOT create an actual subdomain via ISPConfig, and also disallow users to create the subdomain in ISPConfig, so avoid it being setup double in the vhost files and causing an .err file to be created (I tried it, that's why I set it to not-active).

    Also, from what you said, I am guessing I have to add an extra redirect or symlink to the folder that contains the token, so the token is loaded when letsencrypt looks for it on the subdomain?

    I would love to figure out how to do it, any help is very much appreciated. :)
    Last edited: Oct 13, 2016
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I believe if you create as a normal website you can enable letsencrypt on it, and just past the proxy directives into the custom apache conf section. Might be a viable solution for the short term.

    What we do, and you may or may not like, is 301 redirect a generic hostname for each domain to the correct hosting panel name. We currently only have one reseller setup, but when we add a second I'll redirect that reseller's customers to a different panel hostname (same panel, just different hostname). This is of course a different solution, but is an option.

    As to your original request, I believe you'd have to write a little plugin that runs when a website is setup that requests the cert for, and just point to that certificate in your custom VirtualHost setup (ie. /etc/letsencrypt/live/* files). I think that should be relatively simple to write, and might be nice to share for others. You could probably file a feature request in the issue tracker as well and the functionality might make it into a future version.
  5. vortexbased

    vortexbased New Member

    I enjoy a coding challenge, so I will have a look at creating a plugin, thanks for the idea.
    I have never looked into how plugins are created, but I am guessing plugins in ISPConfig can use hooks, similar to how WordPress plugins work? If that the case, I would be grateful for some hints (till ?) as to where I could best hook in my plugin functions to make letsencrypt do what I want it to do, and maybe there is even a way to get the modifications I did to vhost.conf.master wrapped in a plugin/function?
    Last edited: Oct 13, 2016
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Take a look at and search the development forum while waiting for more pointers. I don't know how dated that is, but refer to the current "help" module code. Also I don't know if there's a "plugin" interface that is separate from an "interface module" or if it's all the same thing, you simply don't load any interface components for a module without a ui (I've never written an ispconfig plugin).

Share This Page