Actually, I did read this page, but apparently not far enough. There was a problem with the Let's Encrypt installation, but I could only figure that out by inserting some debug output in the php scripts of ISPConfig. The warning "Let's Encrypt SSL Cert for: <domain> could not be issued." is not helpful. Repeating the install procedure for Let's Encrypt solved the problem. So sorry for the unnecessary post and thanks for your time.
I can confirm that this works just as well on Ubuntu 16.04. Thank you very much! Let's say on server1.example.com, this method will not work for plain example.com, correct? What if I am hosting several sites on one IP address, do I need a unique public IP address for each site that requires a Let's Encrypt SSL cert like the official guide states? If so, that is fine, but my VPS uses floating point IP addresses, so I would have to figure out a lot more and do some more reading on how to make ISPConfig recognize the new public IP. I guess that's part of the fun of learning.
That depends on the client, not the server. You don't need a separate IP for each website if you use a recent web browser which supports SNI. A separate IP is only required for older web browsers.
Excellent. Thank you Till. I was having serious problems with trying to set up multiple IPs on my VPS and getting the domains to resolve correctly. I'm positive this is because of my terrible understanding of making DNS do what I want it to do. Anyway, thanks for the hard work!
Till, can you add to that post that in order to be able to use Let's Encrypt, the site must be reachable from the internet? Today I've got this issue, and the let's encrypt check got unchecked all the time, then I remembered that if the site is not reachable from the internet, LE fails and then ISPC unchecks that option... Thanks!
Great Job Jesse! This worked great for me. I worked on this for hours and couldn't figure it out. Ran your script, and poof.
wondering about this as the ISPCFG3 manual and the perfect server guides advise to use and download certbot while there actually is a jessie-backports package.
I'm also on ISPCFG 3.1 and Debian 8 - do you happen to have an update for using certbot instead of letsencrypt?
I'm using certbot from jessie-backports now, without any problems. I originally installed letsencrypt from source manually (early on in pre-3.1) and later switched to the package, and all /etc/letsencrypt/ files were perfectly compatible/functional with both (at the same time, even). I don't have the exact commands handy, but it's about as simple as 'rm -rf /root/.local/; apt-get -t jessie-backports install certbot'.
Just replace `/root/.local/share/letsencrypt/bin/letsencrypt` with `certbot` I believe, I think the syntax is compatible:
Code:
certbot auth --text --agree-tos --authenticator webroot \
    --server https://acme-v01.api.letsencrypt.org/directory \
    --rsa-key-size 4096 \
    --email postmaster@`hostname -d` --domains `hostname -f` \
    --webroot-path /usr/local/ispconfig/interface/acme
dt=`date '+%Y%m%d%H%M%S'`
cd /usr/local/ispconfig/interface/ssl/
for ext in csr key.secure key crt; do
    if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi
done
ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
service apache2 restart
Here is some feedback: it seems the Debian version of certbot is older than the one I had manually downloaded, as upon execution of the one installed from the jessie-backports I see this warning:
Code:
2016-11-02 13:57:21,288:WARNING:certbot.storage:Attempting to parse the version 0.9.3 renewal configuration file found at /etc/letsencrypt/renewal/domain.tld.conf with version 0.8.1 of Certbot. This might not work.
Also, trying your little script above I have the problem that the authentication to http://myispcfg.tld/.well-known/acme-challenge/9jwyG1gYZrkE6GOlDmpP3ITZubCjqfHc10h22eFJJjU doesn't work as I am already using a StartSSL certificate (which I am trying to replace with the Let's Encrypt one) and the link above redirects to https so it never works. I'm unsure how to allow http connections and how to handle the renewals as I like the current behavior where http is redirected to https. Hope I explained that properly and I hope to get some pointers. Also, manually installing certbot seems OK but running ./certbot-auto I see: http://take.ms/CmjHM
http->https redirects need to make an exception for /.well-known/acme-challenge/ or letsencrypt won't work currently. (There's a feature request for dns-based authentication.) As an example, if you enable http->https redirect for a website, ispconfig adds this:
Code:
RewriteEngine on
RewriteCond %{REQUEST_URI} ^/\.well-known/acme-challenge/
RewriteRule ^ - [END]
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
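A quick pre-flight check for exactly this failure, added here as an example and not part of the thread or of ISPConfig: before issuing, request a dummy token under /.well-known/acme-challenge/ over plain HTTP and refuse to proceed if the response is a redirect. A 404 is fine (no token exists yet); a 301/302 to https means the exception above is missing. The host name and the header samples in the test are constructed; only curl and POSIX tools are assumed.

```shell
#!/bin/sh
# Added example: detect an http->https redirect on the ACME http-01 challenge
# path, which makes webroot authentication fail. Not from the original post.

# parse_challenge_probe HEADERS
#   HEADERS: raw response headers as produced by `curl -D -`
#   returns 0 if the status is not a redirect (200, 404, ... are all fine),
#           1 if it is a redirect (and prints where it went),
#           2 if no HTTP status line could be found
parse_challenge_probe() {
    headers=$1
    # first line looks like "HTTP/1.1 301 Moved Permanently" (possibly with \r)
    status=$(printf '%s\n' "$headers" | sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$status" in
        "")
            echo "no HTTP status line in response" >&2
            return 2 ;;
        30[1278])
            loc=$(printf '%s\n' "$headers" | tr -d '\r' | sed -n 's/^[Ll]ocation: *//p' | head -n1)
            echo "challenge path redirected ($status) to ${loc:-?}: add an exception for /.well-known/acme-challenge/ before the https redirect" >&2
            return 1 ;;
        *)
            return 0 ;;
    esac
}

# probe_challenge_path HOST
#   GETs a random token under the challenge path over plain HTTP (port 80,
#   as the CA does) and feeds the headers to parse_challenge_probe.
probe_challenge_path() {
    host=$1
    token="probe-$$"
    # -D - dumps headers to stdout, body is discarded; no -L, we want to SEE the redirect
    hdrs=$(curl -sS -o /dev/null -D - --max-time 10 \
        "http://$host/.well-known/acme-challenge/$token") || return 2
    parse_challenge_probe "$hdrs"
}

# Usage on a real server (assumed host name):
#   probe_challenge_path ispc.example.com && echo "ok to issue"
```

Run it against the panel host name before every issue or renewal; it is cheap and turns the unhelpful "could not be issued" into a concrete reason.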
That sounds great so I won't have to worry about sites managed by ISPCFG3 but we are talking about the ISPCFG3 admin panel itself here and I have no idea where this HTTP/HTTPS setting is located. I assume the corresponding vhost file would be /etc/nginx/sites-enabled/000-ispconfig.vhost and this vhost shows it is only listening on port 8080. So if I access the link I gave you above, it reverts from http to https and then loads the first website with a letsencrypt certificate. Any ideas about this? Also, manually installing certbot seems OK but running ./certbot-auto I see: http://take.ms/CmjHM
I don't have an nginx setup to refer to, but try enabling the http->https redirect for a site and see what shows up in your vhosts file, then change your port 8080 http->https redirect accordingly.
Thanks, I'll give that a try and reply here with my findings, but what about all the others in this thread? You're all running an up-to-date ISPCFG3 installation, right? Does nobody else have this problem? I didn't touch any redirections for the control panel so I assume this was the default behaviour.
I switched meanwhile from certbot to acme.sh ( https://github.com/Neilpang/acme.sh ) for the single reason that it's just a little shell script with no dependencies but wget or curl (and git). Also it has options to provide DNS-01 auth (still using ISPC 3.0.x).

1. Login as root on your server

2. Go to a dir where you want to clone to (I like /usr/local/src) and clone the repo:
Code:
git clone https://github.com/Neilpang/acme.sh.git

3. Go into the dir and install it. There's a simple install command but I'd prefer to provide a few more options:
Code:
cd acme.sh
./acme.sh --install \
    --home /usr/local/acme.sh \
    --certhome /etc/acme.sh \
    --accountemail "[email protected]"
--home is where the customized install of the acme.sh script will go.
--certhome is where acme.sh saves the certs to
--accountemail is the email used to register the account to LE
There's more options, check out here: https://github.com/Neilpang/acme.sh/wiki/How-to-install#4-advanced-installation
The installation performs 3 actions:
a. create and copy the acme.sh into the given home dir
b. create alias for acme.sh
c. create everyday cron to check if renew is needed - check your crontab, cron will look like this:
Code:
0 0 * * * /usr/local/acme.sh/acme.sh --cron --home /usr/local/acme.sh > /dev/null

4. Issue a cert
The cert issue is rather simple:
Code:
acme.sh --issue -d ispc.domain.tld -w /path/to/webroot/
* this assumes the webroot method is selected and that you provide an according webroot that works
or multi domain (SAN)
Code:
acme.sh --issue -d ispc.domain.tld -d mail.domain.tld -d smtp.domain.tld -w /path/to/webroot/
or if you want to issue ECDSA certs you can run it like
Code:
acme.sh --issue -d ispc.domain.tld -w /path/to/webroot/ --keylength "ec-384"
For ECDSA certs see here: https://github.com/Neilpang/acme.sh#single-domain-ecc-cerfiticate ; if you want for example just a 4096 RSA cert, you'd use --keylength 4096

5. Install cert and reload/restart services
The final step is to copy the issued cert to where it's needed. In case for ISPC this would be
Code:
acme.sh --installcert -d ispc.domain.tld \
    --certpath "/usr/local/ispconfig/interface/ssl/ispserver.crt" \
    --keypath "/usr/local/ispconfig/interface/ssl/ispserver.key" \
    --fullchainpath "/usr/local/ispconfig/interface/ssl/ispserver.bundle" \
    --reloadcmd "systemctl reload apache2"
If you have for example linked postfix and dovecot cert also to this location, you can reload, restart them as well using:
Code:
--reloadcmd "systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
For some reason dovecot needs to be restarted and can't be just reloaded.
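The certbot and acme.sh posts above both end with the same manual step: move ISPConfig's old ispserver.* files aside and point ispserver.key/ispserver.crt at the new key and full chain. Below is that step as an added example (not from the thread, not part of ISPConfig or acme.sh) with the check a practitioner wants first: the key must actually belong to the certificate, otherwise Apache refuses to start on reload and the panel is down. The ssl directory, the letsencrypt live paths and the reload command are parameters with assumed defaults; the public-key comparison needs openssl and is skipped when it is absent.

```shell
#!/bin/sh
# Added example: swap a freshly issued key/fullchain into ISPConfig's
# interface ssl dir, with backups and a key/cert match check.
# Not from the original posts; paths below are assumptions.
set -u

# install_ispc_cert KEY FULLCHAIN SSLDIR [RELOADCMD]
#   KEY        private key, e.g. /etc/letsencrypt/live/$(hostname -f)/privkey.pem
#   FULLCHAIN  leaf + intermediates, e.g. /etc/letsencrypt/live/$(hostname -f)/fullchain.pem
#   SSLDIR     ISPConfig's ssl dir, normally /usr/local/ispconfig/interface/ssl
#   RELOADCMD  run only after a successful swap; empty string = no reload
install_ispc_cert() {
    key=$1; chain=$2; ssldir=$3; reloadcmd=${4:-}

    # 1. a failed issue leaves nothing behind: both inputs must exist and be non-empty
    for f in "$key" "$chain"; do
        if [ ! -s "$f" ]; then
            echo "install_ispc_cert: missing or empty: $f" >&2
            return 1
        fi
    done
    [ -d "$ssldir" ] || { echo "install_ispc_cert: no such dir: $ssldir" >&2; return 1; }

    # 2. the key must belong to the leaf cert (first cert in fullchain).
    #    Comparing SubjectPublicKeyInfo works for RSA and ECDSA alike.
    if command -v openssl >/dev/null 2>&1; then
        pub_cert=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || return 1
        pub_key=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
        if [ "$pub_cert" != "$pub_key" ]; then
            echo "install_ispc_cert: key does not match certificate, nothing changed" >&2
            return 1
        fi
    fi

    # 3. move whatever is there aside with a timestamp, as the certbot post does
    dt=$(date '+%Y%m%d%H%M%S')
    for ext in csr key.secure key crt; do
        if [ -e "$ssldir/ispserver.$ext" ] || [ -L "$ssldir/ispserver.$ext" ]; then
            mv "$ssldir/ispserver.$ext" "$ssldir/ispserver.$ext.old.$dt"
        fi
    done

    # 4. symlink rather than copy, so a renewal written to the same live path
    #    is picked up by the next reload without re-running this
    ln -s "$key"   "$ssldir/ispserver.key"
    ln -s "$chain" "$ssldir/ispserver.crt"

    # 5. only now restart/reload the daemons that read these files
    if [ -n "$reloadcmd" ]; then
        sh -c "$reloadcmd"
    fi
}

# Usage on a real server (assumed paths), e.g. from a certbot/acme.sh hook:
#   install_ispc_cert /etc/letsencrypt/live/$(hostname -f)/privkey.pem \
#                     /etc/letsencrypt/live/$(hostname -f)/fullchain.pem \
#                     /usr/local/ispconfig/interface/ssl \
#                     "service apache2 restart"
```

Because the check runs before anything is moved, a mismatched pair (for example a key from a previous --keylength run) leaves the working certificate in place instead of taking the panel down.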
@sjau thanks, I was looking at that solution too after seeing the tutorial to secure Proxmox with acme.sh. It's all straightforward except for one issue I mentioned above multiple times: I cannot access my ISPCFG3 via HTTP on port 80, thus the authentication via URL fails. Can any of you? Do I have to add the domain used for the control panel itself to the panel so a website is created, thus allowing port 80 access?
acme.sh supports dns auth. if you host dns with your ISPC install then you could use the API to answer the challenge automagically. Been pondering to code something like that but haven't tried yet.