Get SSL certificate for ISPConfig admin from LetsEncrypt?

Discussion in 'Installation/Configuration' started by zkvvoob, May 22, 2016.

  1. Ovidiu

    Ovidiu Active Member

    @sjau: awesome, with your hints and reading the documentation, here is what worked:

    Replaced your step 4 with this:
    Code:
    acme.sh --issue --dns -d ispcfg3.mydomain.tld
    manually adding the required DNS records
    Code:
    acme.sh --renew -d ispcfg3.mydomain.tld
     
  2. sjau

    sjau Local Meanie Moderator

    but upon next renewal you'll need to update the dns record again. From what I know you have to prove your authorization every time you request a cert. Hence it would be interesting to code an ISPC dns template like there are for others.
     
  3. Ovidiu

    Ovidiu Active Member

    Are you sure there is a new DNS record needed with every update? I assumed I could keep the requested one in place.
    I could use the API as this domain is hosted on cloudflare and there are examples out there.
     
  4. sjau

    sjau Local Meanie Moderator

    I tend to think that upon each request a new challenge is posed. Who knows, maybe you lost control over the domain.
     
  5. Ovidiu

    Ovidiu Active Member

    you seem to be right:
     
  6. soho

    soho Member

    Your tip works perfectly (ISPConfig 3.1.1p1).
    I have a question: after the certificate expires, how would that command for the renewal be?
    Using certbot automatically, it is only necessary to inform you that you want to renew (./path/to/certbot-auto renew --dry-run).

    Is it only necessary to add renew to the command?
    example:
    Code:
    certbot-auto renew auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
     
  7. sjau

    sjau Local Meanie Moderator

    it should be sufficient to just:

    Code:
    certbot renew
    
    for testing run:
    Code:
    certbot renew --dry-run --force-renew
    
    the --force-renew would renew certs that are not within the 30-day expiration period - so it would renew basically all certs....
    The --dry-run is just to not really renew but to test if it would try to renew.
     
  8. soho

    soho Member

    Hello sjau,
    Thank you for the clarifications and the quick answer.
     
  9. speciale

    speciale New Member

    For the ISPConfig Interface I did this and it works

    Code:
    certbot auth --text --agree-tos --update-registration --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d isp.org -d www.isp.org --renew-by-default --webroot-path /usr/local/ispconfig/interface/acme
    
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    
    ln -s /etc/letsencrypt/live/isp.org/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/isp.org/fullchain.pem ispserver.crt
    
    service apache2 restart
    Now I want to make another cert for another site, say client1
    Do I need to change the
    Code:
    --webroot-path
    to
    Code:
    /usr/local/ispconfig/client1/acme
    and cd to
    Code:
    /var/www/clients/client1/web1/ssl
    to make it work?

    And does
    Code:
    --renew-by-default
    grant that the certs will be automagically renewed?

    From what I understand here
    certbot.eff.org/docs/using.html#webroot
    it could be the way to do it. I'm asking this because my site is already in production and I'm trying not to break it.
     
  10. sjau

    sjau Local Meanie Moderator

    you shouldn't use
    Code:
    ` `
    
    anymore. Better to use
    Code:
    $( )
    
    In your case:
    Code:
    dt=$(date '+%Y%m%d%H%M%S')
    
     
  11. speciale

    speciale New Member

    Thanks sjau. But do you mean that's the only aspect to care about for my question?
    Did I understand the use of
    Code:
    --webroot-path
    and the paths correctly?
    Code:
    /usr/local/ispconfig/client1/acme
    Code:
    /var/www/clients/client1/web1/ssl
     
  12. sjau

    sjau Local Meanie Moderator

    I didn't check the rest... I just noticed the backticks.
     
  13. speciale

    speciale New Member

    Got it. Thanks again sjau.
     
  14. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    No, for websites you use the ispconfig interface to configure letsencrypt. All you do is check the checkbox and hit save (assuming your dns is already setup).
     
  15. speciale

    speciale New Member

    Thanks Jesse. I was making it difficult and it can't be easier.
     
  16. Oitsuki

    Oitsuki Member

    I tried this:

    Code:
    certbot auth --text --agree-tos --update-registration --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] -d isp.org -d www.isp.org --renew-by-default --webroot-path /usr/local/ispconfig/interface/acme

    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done

    ln -s /etc/letsencrypt/live/isp.org/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/isp.org/fullchain.pem ispserver.crt

    service apache2 restart

    I get this result:
    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at
    /etc/letsencrypt/live/............eu/fullchain.pem. Your
    cert will expire on 2017-04-21. To obtain a new or tweaked version
    of this certificate in the future, simply run certbot again. To
    non-interactively renew *all* of your certificates, run "certbot
    renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

    but when I try to restart Apache I get this:

    Job for apache2.service failed. See 'systemctl status apache2.service' and 'journalctl -xn' for details.

    janv. 21 17:28:34 .....4.eu apache2[14453]: The apache2 configtest failed. ... (warning).
    janv. 21 17:28:34 .....4.eu apache2[14453]: Output of config test was:
    janv. 21 17:28:34.....4.eu apache2[14453]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/si....conf:69
    janv. 21 17:28:34 .....4.eu apache2[14453]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    janv. 21 17:28:34 ns304677.ip-94-23-214.eu apache2[14453]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty

    janv. 21 17:28:34 .....4.eu apache2[14453]: Action 'configtest' failed.
    janv. 21 17:28:34 .....4.eu apache2[14453]: The Apache error log may have more information.
    janv. 21 17:28:34 .....4.eu systemd[1]: apache2.service: control process exited, code=exited status=1
    janv. 21 17:28:34 .....4.eu systemd[1]: Failed to start LSB: Apache2 web server.
    janv. 21 17:28:34 .....4.eu systemd[1]: Unit apache2.service entered failed state.
    Hint: Some lines were ellipsized, use -l to show in full.


    How do I resolve this?
     
  17. Ovidiu

    Ovidiu Active Member

    despite doing this, it looks like the bundle file is being ignored. Firefox complains about the certificate; it looks like only my certificate is included and the letsencrypt CA one is missing. Am I missing something?
     
    Last edited by a moderator: Jan 23, 2017
  18. sjau

    sjau Local Meanie Moderator

    What is the exact command you issued?
     
  19. Ovidiu

    Ovidiu Active Member

    omg. I just realized I typed in myispcfg.tld:8080 in Chrome but forgot the :8080 in Firefox, hence the warning. :oops: Very, very blonde moment, my apologies.
     
  20. Ovidiu

    Ovidiu Active Member

    I've been using this implementation forever and I would now like to start using the same certificate for pureftpd too. Apparently I need a .pem file for this. I tried creating a symlink inside /etc/ssl/private/pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.crt but that gives an error when restarting pureftpd:
    Code:
    May 20 19:55:46 alfred pure-ftpd: (?@?) [ERROR] SSL/TLS [/etc/ssl/private/pure-ftpd.pem](240): error:0906D06C:PEM routines:PEM_read_bio:no start line
    Can someone give me a hint how to solve this without breaking the currently working certificates and without manually converting them into a .pem?
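    The rotate-and-symlink steps from speciale's post, the empty-or-missing ispserver.crt that broke Oitsuki's Apache restart, and Ovidiu's pure-ftpd.pem question above can all be handled by one certbot deploy hook. The script below is an added example and is not code from this thread or from ISPConfig; the default paths and the service names (apache2, pure-ftpd-mysql) are assumptions for a Debian-style ISPConfig host.

```shell
#!/bin/sh
# Certbot --deploy-hook for an ISPConfig host (added example, not from the thread
# or ISPConfig): rotate the old ispserver.* files, link the renewed key and chain
# into place, and build the single PEM file pure-ftpd reads.
set -eu

ISPCONFIG_SSL="${ISPCONFIG_SSL:-/usr/local/ispconfig/interface/ssl}"   # assumed default
PUREFTPD_PEM="${PUREFTPD_PEM:-/etc/ssl/private/pure-ftpd.pem}"         # assumed default

# Refuse to touch anything unless the lineage really holds a non-empty PEM key and
# chain; otherwise Apache's configtest fails on an empty or dangling ispserver.crt
# and the interface stays down, as in Oitsuki's post.
check_lineage() {
    for f in privkey.pem fullchain.pem; do
        [ -s "$1/$f" ] || { echo "missing or empty $1/$f" >&2; return 1; }
        grep -q -- '-----BEGIN' "$1/$f" || { echo "$1/$f is not PEM" >&2; return 1; }
    done
}

# Move csr/key.secure/key/crt aside with a timestamp, then link the new files.
# -L catches a dangling symlink that -e would skip, which would make ln fail.
install_ispconfig_cert() {
    lineage="$1"; ssldir="$2"
    check_lineage "$lineage"
    dt=$(date '+%Y%m%d%H%M%S')          # $(...) rather than backticks, per sjau
    for ext in csr key.secure key crt; do
        p="$ssldir/ispserver.$ext"
        if [ -e "$p" ] || [ -L "$p" ]; then mv "$p" "$p.old.$dt"; fi
    done
    ln -s "$lineage/privkey.pem" "$ssldir/ispserver.key"
    ln -s "$lineage/fullchain.pem" "$ssldir/ispserver.crt"
}

# pure-ftpd expects private key and certificate chain in ONE file; a link to the
# certificate alone yields "PEM_read_bio:no start line". Written with mode 0600.
build_pureftpd_pem() {
    check_lineage "$1"
    ( umask 077; cat "$1/privkey.pem" "$1/fullchain.pem" > "$2.tmp" )
    mv "$2.tmp" "$2"
}

# certbot sets RENEWED_LINEAGE for deploy hooks; when run by hand, do nothing.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    install_ispconfig_cert "$RENEWED_LINEAGE" "$ISPCONFIG_SSL"
    build_pureftpd_pem "$RENEWED_LINEAGE" "$PUREFTPD_PEM"
    apachectl configtest && systemctl reload apache2     # reload only if config is sane
    systemctl restart pure-ftpd-mysql                    # assumed service name
fi
```

Drop it into /etc/letsencrypt/renewal-hooks/deploy/ (or pass it with `certbot renew --deploy-hook`) so it runs only after a successful renewal.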
     
