The pem file is supposed to be a combination of key and crt files. I used this command to create it:
Code:
cat /usr/local/ispconfig/interface/ssl/ispserver.{key,bundle} > /usr/local/ispconfig/interface/ssl/ispserver.pem
chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem
After it is created you can symlink it to your pure-ftpd.
Currently, we use a script to automate the recreation of the said pem file on every LE's renewal, so please share if there is any other / better way.
Is it not possible to "edit" this step and add the creation of a .pem file to the list so with every renewal a .pem file is additionally created?
sjau said:
5. Install cert and reload/restart services
The final step is to copy the issued cert to where it's needed. In case for ISPC this would be
Code:
acme.sh --installcert -d ispc.domain.tld \
--certpath "/usr/local/ispconfig/interface/ssl/ispserver.crt" \
--keypath "/usr/local/ispconfig/interface/ssl/ispserver.key" \
--fullchainpath "/usr/local/ispconfig/interface/ssl/ispserver.bundle" \
--reloadcmd "systemctl reload apache2"
As suggested by @florian030 in another thread, you may be able to use the --post-hook command, but I personally am not so sure of the right implementation of it as I've never used it before.
Just enhance the --reloadcmd option to something like
Code:
cat /usr/local/ispconfig/interface/ssl/ispserver.{key,bundle} > /usr/local/ispconfig/interface/ssl/ispserver.pem; chmod 600 /usr/local/ispconfig/interface/ssl/ispserver.pem; systemctl reload apache2; systemctl reload pureftpd
You have to combine the key and fullchain for pureftpd, so have to "manually" do that with the certbot client (I've not used acme.sh, but I'd guess it's probably the same case or you wouldn't be asking). But you can just create a little script to do that for you and run from cron, then you don't have to manually do it each time it renews.
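The combine step discussed in the posts above, written as a small script for cron or a renewal hook. This is an added example, not part of the original posts: the function name build_pem and its return codes are hypothetical, and the paths are the ones used in this thread. It rejects empty or mismatched inputs, never leaves the key in a readable or half-written file, and reports when nothing changed so services are not reloaded needlessly.

```shell
#!/bin/sh
# Added example: rebuild the combined key+chain PEM for pure-ftpd.
# Default directory is the one used in this thread.
SSL_DIR=${SSL_DIR:-/usr/local/ispconfig/interface/ssl}

# build_pem KEY BUNDLE OUT   (hypothetical helper)
# returns 0 = OUT replaced, 1 = OUT already current, 2 = input rejected
build_pem() {
    key=$1 bundle=$2 out=$3

    # Refuse missing, empty or wrong-type inputs so a failed renewal
    # cannot overwrite a working PEM with garbage.
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$key" 2>/dev/null || return 2
    grep -q -e '-----BEGIN CERTIFICATE-----' "$bundle" 2>/dev/null || return 2

    # mktemp creates the file with mode 0600, so the key is never
    # readable by other users, unlike "cat > file" followed by chmod.
    tmp=$(mktemp "$out.XXXXXX") || return 2
    cat "$key" "$bundle" > "$tmp"

    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1                # nothing changed, no reload needed
    fi

    # Rename within the same directory is atomic: a reader sees either
    # the old PEM or the new one, never a partial file.
    mv -f "$tmp" "$out"
    return 0
}

# Typical use from cron or as the --reloadcmd discussed above (adjust
# the service names to your system):
#   build_pem "$SSL_DIR/ispserver.key" "$SSL_DIR/ispserver.bundle" \
#             "$SSL_DIR/ispserver.pem" && systemctl reload apache2
```

The script does not check that the private key actually belongs to the certificate; that would need an extra openssl comparison of the two public keys.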
A by-the-way question: is it planned to implement the scripts and update scenario in ISPConfig? Or, to ask it the other way round: are these upgrade-safe?
As referred to earlier, post-hook might be implemented in ISPC for us to take advantage of in the future, especially in automatically running related scripts upon LE certs' renewal. Other than that, you can use acme.sh as suggested by @sjau earlier in this thread with modification of reloadcmd above, which I think in theory should work fine. But the one already available in ISPC is LE certs' creation for website, so for the time being, personally I'd prefer using that with incron and a script to create the required file and restart relevant services. Except after the confirmation of the first one, I think the second and the third option should currently be upgrade-safe.
Hi all, I followed Jesse's small tutorial for this (Using Certbot) and the whole process went through with 0 errors. The issue I have is after the Apache restart, I am still using the self-signed certificate. Sooo what am I missing? I am a complete noob with this CP (coming from 15yrs of using DTC, which is now basically dead) but I can find my way around a nix box reasonably well. Cheers.
Run the following command and post what you got:
ls -lt /usr/local/ispconfig/interface/ssl/
Normally that happens when you did not move your self-signed certs to new names and/or create symlinks to LE certs in the above folder, or you didn't clear your cookies/caches properly afterwards.
Here ya go, cheers.
Code:
total 24
lrwxrwxrwx 1 root root   61 May 25 05:05 ispserver.crt -> /etc/letsencrypt/live/<fqdn>/fullchain.pem
lrwxrwxrwx 1 root root   59 May 25 05:05 ispserver.key -> /etc/letsencrypt/live/<fqdn>/privkey.pem
-rwxr-x--- 1 root root   45 May 25 04:43 empty.dir
-rwxr-x--- 1 root root 3247 May 25 04:43 ispserver.key.old.20170525050458
-rwxr-x--- 1 root root 2171 May 25 04:43 ispserver.crt.old.20170525050458
-rwxr-x--- 1 root root 1777 May 25 04:43 ispserver.csr.old.20170525050458
-rwxr-x--- 1 root root 3311 May 25 04:42 ispserver.key.secure.old.20170525050458
Actually, never mind. I was still accessing the CP via the IP address instead of the FQDN. *Face Palm* Thank you for your assistance anyway. FFH.
This worked perfectly. Question: Do I have to renew the certificate by hand or does ISPConfig do this on its own?
Hi, for me, auto renewal didn't work (SEC_ERROR_EXPIRED_CERTIFICATE). I cannot access my ISPConfig panel anymore. How can I manually renew this certificate? Thanks
That might depend on how you installed letsencrypt, but if the certificate was issued via ISPConfig, I would look into why the renewal is failing (see the letsencrypt FAQ).
I used the method explained above:
Code:
# Request the certificate for this host using the webroot authenticator
/root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot \
  --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 \
  --email postmaster@`hostname -d` --domains `hostname -f` \
  --webroot-path /usr/local/ispconfig/interface/acme
# Move the existing self-signed files aside with a timestamp suffix
dt=`date '+%Y%m%d%H%M%S'`
cd /usr/local/ispconfig/interface/ssl/
for ext in csr key.secure key crt; do
  if [ -f ispserver.$ext ]; then
    mv ispserver.$ext ispserver.$ext.old.$dt
  fi
done
# Point the ISPConfig interface at the Let's Encrypt key and chain
ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
service apache2 restart
It worked well for 90 days. I installed Let's Encrypt with this tutorial: https://www.howtoforge.com/tutorial...-9-stretch-apache-bind-dovecot-ispconfig-3-1/
That tutorial says to run 'apt-get install certbot', in which case you could run "certbot renew" to request renewal. However, if that is indeed how you installed certbot, then the "/root/.local/share/letsencrypt/bin/letsencrypt" command you posted would never have worked; if you are positive that it did, perhaps you followed multiple instructions and installed both the certbot package and installed letsencrypt from source? (I suppose it's also possible that tutorial had different instructions at one time and they were changed to simplify installation.)