@sjau: awesome, with your hints and reading the documentation, here is what worked. Replaced your step 4 with this:

Code:
acme.sh --issue --dns -d ispcfg3.mydomain.tld

then manually adding the required DNS records, followed by:

Code:
acme.sh --renew -d ispcfg3.mydomain.tld
but upon next renewal you'll need to update the dns record again. From what I know you have to prove your authorization every time you request a cert. Hence it would be interesting to code an ISPC dns template like there are for others.
Are you sure there is a new DNS record needed with every update? I assumed I could keep the requested one in place. I could use the API as this domain is hosted on cloudflare and there are examples out there.
I tend to think that upon each request a new challenge is posed. Who knows, maybe you lost control over the domain
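To show why the manual DNS record cannot simply stay in place, here is an added example (not code from this thread or from acme.sh) that derives the `_acme-challenge` TXT value the way RFC 8555 section 8.4 defines it: base64url of SHA-256 over `token.thumbprint`. The token is issued by the CA for each new order, so a renewal produces a different record value even though the account key thumbprint and the record name stay the same. It uses only `openssl` and `base64`; the token and thumbprint strings below are constructed sample values, not real challenge data.

```shell
#!/bin/sh
# Added example, not code from the thread: derive the _acme-challenge TXT value
# for a DNS-01 challenge (RFC 8555, section 8.4):
#   value = base64url( SHA-256( token "." account_key_thumbprint ) )
# The CA hands out a fresh token with every order, so the value changes at each
# issuance; only the record name (_acme-challenge.<host>) stays constant.

# base64url without padding, as the ACME spec requires
b64url() { base64 | tr -d '\n=' | tr '+/' '-_'; }

# dns01_txt_value TOKEN THUMBPRINT -> the string to put in the TXT record
dns01_txt_value() {
  printf '%s.%s' "$1" "$2" | openssl dgst -sha256 -binary | b64url
}

# Constructed sample values (not real challenge data). The account is the same
# in both runs; only the per-order token differs, and so does the record value.
THUMBPRINT='constructed-account-key-thumbprint'
first_run=$(dns01_txt_value 'token-from-first-order' "$THUMBPRINT")
renewal=$(dns01_txt_value 'token-from-renewal-order' "$THUMBPRINT")
echo "_acme-challenge.ispcfg3.mydomain.tld. IN TXT \"$first_run\""
echo "_acme-challenge.ispcfg3.mydomain.tld. IN TXT \"$renewal\""
```

This is what a DNS API hook (the "dns template" mentioned above) automates: read the token for the current order, publish the computed value, wait for propagation, then remove it after validation.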
Your tip works perfect (ISPConfig 3.1.1p1). I have a question: after the certificate expires, how would that command for the renewal be? Using certbot automatically, it is only necessary to tell it that you want to renew (./path/to/certbot-auto renew --dry-run). Is it only necessary to add renew to the command? Example:

Code:
certbot-auto renew auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
it should be sufficient to just:

Code:
certbot renew

for testing run:

Code:
certbot renew --dry-run --force-renew

the --force-renew would renew certs that are not within the 30-day expiration period - so it would renew basically all certs.... The --dry-run is just to not really renew but to test if it would try to renew.
For the ISPConfig Interface I did this and it works:

Code:
certbot auth --text --agree-tos --update-registration --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d isp.org -d www.isp.org --renew-by-default --webroot-path /usr/local/ispconfig/interface/acme
# move the existing ISPConfig interface cert files aside with a timestamp
dt=`date '+%Y%m%d%H%M%S'`
cd /usr/local/ispconfig/interface/ssl/
for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
# point ISPConfig at the Let's Encrypt key and full chain
ln -s /etc/letsencrypt/live/isp.org/privkey.pem ispserver.key
ln -s /etc/letsencrypt/live/isp.org/fullchain.pem ispserver.crt
service apache2 restart

Now I want to make another cert for another site, say client1. Do I need to change the

Code:
--webroot-path

to

Code:
/usr/local/ispconfig/client1/acme

and cd to

Code:
/var/www/clients/client1/web1/ssl

to make it work? And does

Code:
--renew-by-default

grant that the certs will be automagically renewed? From what I understand here https://certbot.eff.org/docs/using.html#webroot it could be the way to do it. I'm asking this because my site is already in production and I'm trying not to break it.
you shouldn't use

Code:
` `

anymore. Better to use

Code:
$( )

In your case:

Code:
dt=$(date '+%Y%m%d%H%M%S')
Thanks sjau. But do you mean that's the only aspect to care about for my question? Did I understand the use of

Code:
--webroot-path

and the paths correctly?

Code:
/usr/local/ispconfig/client1/acme

Code:
/var/www/clients/client1/web1/ssl
No, for websites you use the ispconfig interface to configure letsencrypt. All you do is check the checkbox and hit save (assuming your dns is already setup).
I try this:

Code:
certbot auth --text --agree-tos --update-registration --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d isp.org -d www.isp.org --renew-by-default --webroot-path /usr/local/ispconfig/interface/acme
dt=`date '+%Y%m%d%H%M%S'`
cd /usr/local/ispconfig/interface/ssl/
for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
ln -s /etc/letsencrypt/live/isp.org/privkey.pem ispserver.key
ln -s /etc/letsencrypt/live/isp.org/fullchain.pem ispserver.crt
service apache2 restart

I have this result:

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/............eu/fullchain.pem. Your cert will expire on 2017-04-21. To obtain a new or tweaked version of this certificate in the future, simply run certbot again. To non-interactively renew *all* of your certificates, run "certbot renew"
- If you like Certbot, please consider supporting our work by:
  Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
  Donating to EFF: https://eff.org/donate-le

but when I try to restart my apache I have this:

Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.
janv. 21 17:28:34 .....4.eu apache2[14453]: The apache2 configtest failed. ... (warning).
janv. 21 17:28:34 .....4.eu apache2[14453]: Output of config test was:
janv. 21 17:28:34 .....4.eu apache2[14453]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/si....conf:69
janv. 21 17:28:34 .....4.eu apache2[14453]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
janv. 21 17:28:34 ns304677.ip-94-23-214.eu apache2[14453]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
janv. 21 17:28:34 .....4.eu apache2[14453]: Action 'configtest' failed.
janv. 21 17:28:34 .....4.eu apache2[14453]: The Apache error log may have more information.
janv. 21 17:28:34 .....4.eu systemd[1]: apache2.service: control process exited, code=exited status=1
janv. 21 17:28:34 .....4.eu systemd[1]: Failed to start LSB: Apache2 web server.
janv. 21 17:28:34 .....4.eu systemd[1]: Unit apache2.service entered failed state.
Hint: Some lines were ellipsized, use -l to show in full.

How to resolve?
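The configtest above fails because Apache finds `ispserver.crt` "does not exist or is empty", which is exactly how a symlink with a missing target looks to it; note that the `ln -s` lines point into `/etc/letsencrypt/live/isp.org/` while certbot reported saving the files under a different live directory. The following is an added example, not code from the thread: a checked version of the back-up-and-symlink step that refuses to touch ISPConfig's files unless the Let's Encrypt files it would link to exist, are non-empty and carry a PEM header, and that also moves dangling symlinks aside (the thread's `[ -f ]` test skips those, so a second attempt would fail with "ln: File exists"). The live directory and ssl directory are parameters so nothing is hard-coded to isp.org; the function names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread: back up ISPConfig's interface
# cert files and replace them with symlinks into a certbot live directory,
# but only after checking the link targets are real PEM files. Nothing is
# changed if a check fails, so a typo in the live directory name cannot
# leave Apache with a dangling ispserver.crt.

# True if the file exists, is non-empty and its first line is a PEM BEGIN marker.
pem_has_header() {
  [ -s "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN '
}

# link_ispconfig_cert LIVE_DIR SSL_DIR
#   LIVE_DIR: the directory certbot printed, e.g. /etc/letsencrypt/live/<your host>
#   SSL_DIR:  ISPConfig's interface ssl dir, /usr/local/ispconfig/interface/ssl
link_ispconfig_cert() {
  live="$1"
  ssldir="$2"
  key="$live/privkey.pem"
  chain="$live/fullchain.pem"

  for f in "$key" "$chain"; do
    if ! pem_has_header "$f"; then
      echo "refusing to link: $f is missing, empty or not PEM" >&2
      return 1
    fi
  done
  [ -d "$ssldir" ] || { echo "no such directory: $ssldir" >&2; return 1; }

  dt=$(date '+%Y%m%d%H%M%S')
  for ext in csr key.secure key crt; do
    p="$ssldir/ispserver.$ext"
    # -L catches a symlink whose target is gone, which -f and -e do not
    if [ -e "$p" ] || [ -L "$p" ]; then
      mv "$p" "$p.old.$dt" || return 1
    fi
  done
  ln -s "$key" "$ssldir/ispserver.key" || return 1
  ln -s "$chain" "$ssldir/ispserver.crt" || return 1
  echo "linked $ssldir/ispserver.key and ispserver.crt -> $live"
}

# Typical use on the ISPConfig host (not run here): only restart Apache once
# the config test passes, so a bad cert path never takes the server down.
#   link_ispconfig_cert /etc/letsencrypt/live/<your host> /usr/local/ispconfig/interface/ssl \
#     && apache2ctl configtest && service apache2 restart
```

Run `apache2ctl configtest` before the restart rather than after: the thread's sequence restarts first and only learns of the broken path from the failed unit. `openssl x509 -noout -in /etc/letsencrypt/live/<your host>/fullchain.pem` is a further check worth running by hand if the PEM header test passes but Apache still refuses the file.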
despite doing this, it looks like the bundle file is being ignored. Firefox complains about the certificate; it looks like only my certificate is included and the letsencrypt ca one is missing. Am I missing something?
omg. I just realized I typed in myispcfg.tld:8080 in Chrome but forgot the :8080 in Firefox, hence the warning. A very, very blonde moment, my apologies.
I've been using this implementation forever and I would now like to start using the same certificate for pureftpd too. Apparently I need a .pem file for this. I tried creating a symlink inside /etc/ssl/private/pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.crt but that gives an error when restarting pureftpd:

Code:
May 20 19:55:46 alfred pure-ftpd: (?@?) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem](240): error:0906D06C:PEM routines:PEM_read_bio:no start line

Can someone give me a hint how to solve this without breaking the currently working certificates and without manually converting them into a .pem?
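pure-ftpd reads its private key and its certificate chain from the one PEM file named in its TLS configuration, so a symlink to `ispserver.crt` (which is the full chain only) leaves it searching for a key block it cannot find; "no start line" from `PEM_read_bio` is the OpenSSL message for exactly that. No format conversion is needed, the two existing PEM files just have to be concatenated. The following is an added example, not code from the thread or from pure-ftpd: it builds the combined file from `privkey.pem` and `fullchain.pem`, refuses inputs that lack a PEM header, writes to a temporary file with owner-only permissions and swaps it in atomically so the daemon never reads a half-written file. The function name is my own and the service name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not code from the thread: build pure-ftpd's combined PEM
# (private key first, then the certificate chain) from the certbot live files.

# True if the file is non-empty and starts with a PEM BEGIN marker.
pem_has_header() { [ -s "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN '; }

# build_pureftpd_pem LIVE_DIR [OUT_FILE]
#   LIVE_DIR: e.g. /etc/letsencrypt/live/<your host>
#   OUT_FILE: defaults to the path from the thread, /etc/ssl/private/pure-ftpd.pem
build_pureftpd_pem() {
  live="$1"
  out="${2:-/etc/ssl/private/pure-ftpd.pem}"
  key="$live/privkey.pem"
  chain="$live/fullchain.pem"

  for f in "$key" "$chain"; do
    pem_has_header "$f" || { echo "not a PEM file: $f" >&2; return 1; }
  done

  tmpf="$out.tmp.$$"
  # Create the temp file with owner-only permissions before any key material
  # is written; the subshell keeps the umask change from leaking out.
  ( umask 077; cat "$key" "$chain" > "$tmpf" ) || { rm -f "$tmpf"; return 1; }
  chmod 600 "$tmpf"
  # rename is atomic within one filesystem, so readers see old or new, never partial
  mv "$tmpf" "$out" || { rm -f "$tmpf"; return 1; }
  echo "wrote $out"
}

# Typical use (not run here), e.g. from a certbot --deploy-hook so the file is
# rebuilt at every renewal; the service name is an assumption, use your own:
#   build_pureftpd_pem /etc/letsencrypt/live/<your host> /etc/ssl/private/pure-ftpd.pem \
#     && service pure-ftpd-mysql restart
```

Because the output is a regular file rather than a symlink, it has to be regenerated after each renewal; hooking it into the renewal run is what keeps the FTP certificate in step with the web one.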