Get SSL certificate for ISPConfig admin from LetsEncrypt?

The pem file is supposed to be a combination of key and crt files. I used this command to create it:

Code:

cat /usr/local/ispconfig/interface/ssl/ispserver.{key,bundle} > /usr/local/ispconfig/interface/ssl/ispserver.pem
chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem

After it is created you can symlink it to your pure-ftpd.

 

Thanks but that means a manual intervention after every letsencrypt renewal.

 

Currently, we use a script to automate the recreation of the said pem file on every LE's renewal, so please share if there is any other / better way.

 

Is it not possible to "edit" this step and add the creation of a .pem file to the list so with every renewal a .pem file is additionally created?

Code:

sjau said:
5. Install cert and reload/restart services
The final step is to copy the issued cert to where it's needed. In case for ISPC this would be
Code:
acme.sh --installcert -d ispc.domain.tld \
--certpath "/usr/local/ispconfig/interface/ssl/ispserver.crt"
--keypath "/usr/local/ispconfig/interface/ssl/ispserver.key"
--fullchainpath "/usr/local/ispconfig/interface/ssl/ispserver.bundle"
--reloadcmd "systemctl reload apache2"

 

As suggested by @florian030 in other thread, you may be able to use --post-hook command but I personally am not so sure on the right implementation of it as I've never used it before.

 

just enhance the --reloadcmd option to something like

Code:

cat /usr/local/ispconfig/interface/ssl/ispserver.{key,bundle} > /usr/local/ispconfig/interface/ssl/ispserver.pem; chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem; systemctl reload apache2; systemctl reload pureftpd

 

Some by the way question - is it planned to implement the scripts and update scenario in ispconfig?

or ask it the another way round: are these upgrade-safe?

 

As referred to earlier, post-hook might be implemented in ISPC for us to take advantage of in the future, especially in automatically running related scripts upon LE certs' renewal.

Other than that, you can use acme.sh as suggested by @sjau earlier in this thread with modification of reloadcmd above, which I think in theory should work fine.

But the one already available in ISPC is LE certs' creation for website, so for the time being, personally I'd prefer using that with incron and a script to create the required file and restart relevant services.

Except after the confirmation of the first one, I think the second and the third option should currently be upgrade-safe.

 

Hi all,
I followed Jesse's small tutorial for this (Using Certbot) and the whole process went through with 0 errors. The issue I have is after the Apache restart, I am still using the self signed certificate. Sooo what am I missing? I am a complete noob with this CP (Coming from 15yrs of using DTC, which is now basically dead) but I can find my way around a nix box reasonably well.
Cheers.

 

Run the following command and post what you got:
ls -lt /usr/local/ispconfig/interface/ssl/
Normally that happen when you did not move your self-signed certs to new names and/or create symlinks to LE certs in the above folder, or you didn't clear your cookies/caches, properly afterwards.

 

Here ya go, cheers.

Code:

total 24
lrwxrwxrwx 1 root root   61 May 25 05:05 ispserver.crt -> /etc/letsencrypt/live/<fqdn>/fullchain.pem
lrwxrwxrwx 1 root root   59 May 25 05:05 ispserver.key -> /etc/letsencrypt/live/<fqdn>/privkey.pem
-rwxr-x--- 1 root root   45 May 25 04:43 empty.dir
-rwxr-x--- 1 root root 3247 May 25 04:43 ispserver.key.old.20170525050458
-rwxr-x--- 1 root root 2171 May 25 04:43 ispserver.crt.old.20170525050458
-rwxr-x--- 1 root root 1777 May 25 04:43 ispserver.csr.old.20170525050458
-rwxr-x--- 1 root root 3311 May 25 04:42 ispserver.key.secure.old.20170525050458

 

Actually, nevermind. I was still accessing the CP via the IP address instead of the FQDN.

*Face Palm*


Thank you for your assistance anyway.

FFH.

 

That seems correct already. May be it just because of your old caches/cookies in your browser.

 

This worked perfect Question:

Do I have to renew the certificate by hand or does ISPConfig do this on it's own?

 

Hi,
For me, auto renewal did'nt work (SEC_ERROR_EXPIRED_CERTIFICATE)
I can not access my ISPConfig panel anymore
How can I manually renew this certificate?

Thanks

 

I used the method explained above:

Code:

/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme

dt=`date '+%Y%m%d%H%M%S'`
cd /usr/local/ispconfig/interface/ssl/
for ext in csr key.secure key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done

ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt

service apache2 restart

it worked well for 90 days
I Installed let's encrypt with this tutorial : https://www.howtoforge.com/tutorial...-9-stretch-apache-bind-dovecot-ispconfig-3-1/