Hi, I was wondering, how I could make the script that generates the letsencrypt certificates to include subdomains that are not marked as active?
The domain must be reachable from outside by letsencrypt, letsencrypt tests this by downloading a token from that website trough each domain that is in the cert, so the domain has to be active to include it into a letsencrypt ssl certificate.
Maybe better I explain what I am trying to achieve. Have a look at this URL panel[dot]protostation[dot]com I have managed to do this by modifying the master template (vhost.conf.master) to include this: HTML: # Add panel subdomain to all accounts <tmpl_if name='ssl_enabled'> <VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}> ServerName panel.{tmpl_var name='domain'} SSLProxyEngine On SSLProxyVerify none SSLProxyCheckPeerCN off SSLProxyCheckPeerName off SSLProxyCheckPeerExpire off ProxyVia off ProxyRequests off ProxyPreserveHost on ProxyPass / https://localhost:1155/ ProxyPassReverse / https://localhost:1155/ </VirtualHost> <tmpl_else> # Redirect unsecure to secure connection <VirtualHost {tmpl_var name='ip_address'}:{tmpl_var name='port'}> ServerName panel.{tmpl_var name='domain'} Redirect 301 / https://panel.{tmpl_var name='domain'}/ </VirtualHost> </tmpl_if> So, this way the subdomain exists and resolves to ISPConfig. Now, I just need to figure out how I can get letsencrypt to always include the subdomain "panel" when creating a certificate. From what you said, I am guessing it would be better to NOT create an actual subdomain via ISPConfig, and also disallow users to create the subdomain in ISPConfig, so avoid it being setup double in the vhost files and causing an .err file to be created (I tried it, that's why I set it to not-active). Also, from what you said, I am guessing I have to add an extra redirect or symlink to the folder that contains the token, so the token is loaded when letsencrypt looks for it on the subdomain? I would love to figure out how to do it, any help is very much appreciated.
I believe if you create panel.domain.com as a normal website you can enable letsencrypt on it, and just past the proxy directives into the custom apache conf section. Might be a viable solution for the short term. What we do, and you may or may not like, is 301 redirect a generic admin.domain.com hostname for each domain to the correct hosting panel name. We currently only have one reseller setup, but when we add a second I'll redirect that reseller's customers to a different panel hostname (same panel, just different hostname). This is of course a different solution, but is an option. As to your original request, I believe you'd have to write a little plugin that runs when a website is setup that requests the cert for panel.domain.com, and just point to that certificate in your custom VirtualHost setup (ie. /etc/letsencrypt/live/panel.domain.com/* files). I think that should be relatively simple to write, and might be nice to share for others. You could probably file a feature request in the issue tracker as well and the functionality might make it into a future version.
I enjoy a coding challenge, so I will have a look at creating a plugin, thanks for the idea. I have never looked into how plugins are created, but I am guessing plugins in ISPConfig can use hooks, similar to how WordPress plugins work? If that the case, I would be grateful for some hints (till ?) as to where I could best hook in my plugin functions to make letsencrypt do what I want it to do, and maybe there is even a way to get the modifications I did to vhost.conf.master wrapped in a plugin/function?
Take a look at http://docs.ispconfig.org/development/interface/ and search the development forum while waiting for more pointers. I don't know how dated that is, but refer to the current "help" module code. Also I don't know if there's a "plugin" interface that is separate from an "interface module" or if it's all the same thing, you simply don't load any interface components for a module without a ui (I've never written an ispconfig plugin).