How do I know if my server uses certbot or acme.sh?

Discussion in 'Server Operation' started by ShaferTech, Sep 20, 2023.

  1. ShaferTech

    ShaferTech Member

    Just bought the migration tool. Reading the doc it says if you have acme.sh, the new server needs to use that as well.
    How do you tell which one? I've had ISPConfig installed for a while, since 2019. I would assume it's certbot as I see certbot 1.11 installed.
     
  2. MaxT

    MaxT Active Member HowtoForge Supporter

    do a search:
    $ locate acme.sh
    $ locate certbot

    in case there is no locate command, install it and then index:
    $ apt-get install mlocate
    $ updatedb
     
    ShaferTech likes this.
  3. ShaferTech

    ShaferTech Member

    Didn't even think about locate. Looks like my server uses certbot.
     
    MaxT likes this.
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    You can also check it like this: if SSL certs are in subfolders under /etc/letsencrypt/ then your system uses certbot. If there is no /etc/letsencrypt folder and certs are stored in subfolders of /root/.acme.sh/ then you have acme.sh.

    But for a system from 2019, it's quite likely that it uses certbot.
     
    ShaferTech likes this.
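    The two checks above (locate the clients; look at where the certificates live) combined into one script. This is an added example, not code from the thread or from ISPConfig. It follows till's rule that certbot keeps certificates under /etc/letsencrypt/ and acme.sh under /root/.acme.sh/; the optional root-prefix argument is an assumption added so the function can be exercised against a staged directory tree instead of /.

```sh
#!/bin/sh
# detect_acme_client.sh  (added example, not part of ISPConfig)
# Reports which ACME client an ISPConfig host appears to use, going by where
# the certificates are stored (till's post above):
#   certbot  -> /etc/letsencrypt/live/<name>/
#   acme.sh  -> /root/.acme.sh/  (the acme.sh script itself lives there too)
# $1 is an optional root prefix (assumption, for testing against a staged
# tree); leave it empty on a real host.

detect_acme_client() {
    root="${1:-}"
    certbot_live="$root/etc/letsencrypt/live"
    acme_home="$root/root/.acme.sh"
    has_certbot=0
    has_acme=0

    # certbot: at least one certificate directory under live/ (a bare
    # /etc/letsencrypt holding only README or renewal/ does not count)
    if [ -d "$certbot_live" ]; then
        for d in "$certbot_live"/*/; do
            if [ -d "$d" ]; then
                has_certbot=1
                break
            fi
        done
    fi

    # acme.sh: its home directory with the acme.sh script inside
    if [ -f "$acme_home/acme.sh" ]; then
        has_acme=1
    fi

    case "${has_certbot}${has_acme}" in
        10) echo certbot ;;
        01) echo acme.sh ;;
        11) echo both ;;
        *)  echo none ;;
    esac
}

# Cross-check against PATH (acme.sh is normally only reachable as
# /root/.acme.sh/acme.sh, so "not found" for it here is normal).
client_binaries() {
    printf 'certbot: %s\n' "$(command -v certbot 2>/dev/null || echo 'not found')"
    printf 'acme.sh: %s\n' "$(command -v acme.sh 2>/dev/null || echo 'not found')"
}

detect_acme_client "${1:-}"
client_binaries
```

    Run it as root with no argument on the live host. A result of `both` means two clients have left certificates behind, which is worth sorting out before the migration tool insists on matching clients on both ends.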
  5. ShaferTech

    ShaferTech Member

    Probably a more solid way to check it. Thanks for the extra info!
     
  6. ShaferTech

    ShaferTech Member

    New issue... Following the multi-server setup guide, it didn't pull a valid cert for the panel (8080). Did a force update and it switched to acme.sh.
    Found a thread that mentions this feature request as implemented... so I'm guessing I missed a step somewhere.
    How do I undo acme.sh, or should I just reinstall?
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    The update should only download and use acme.sh if it can't find certbot on the server. How did you install the system?

    That's unrelated.
     
  8. ShaferTech

    ShaferTech Member

    https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/2/

    I have an old server running CentOS 7 and I'm moving to Ubuntu 22.04 LTS. The install didn't ask anything about whether I planned to migrate or whether I wanted to use certbot vs acme.sh.
     
  9. ShaferTech

    ShaferTech Member

    If it's easier, I can just reinstall the OS, certbot, and then ISPConfig.
    Or I can switch the install to use certbot since there aren't any sites hosted on it yet.
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    If you want to use certbot, then you must instruct the installer to use it. If you do not do that, it defaults to acme.sh.
    See e.g. command line options here in chapter 6:

    https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

    So you must add --use-certbot to the command. E.g.:

    Code:
    wget -O - https://get.ispconfig.org | sh -s -- --no-mail --no-dns --interactive --use-certbot
    You can try that, the steps are:

    1) Delete the /root/.acme.sh folder.
    2) Install certbot via snap as described on certbot website https://certbot.eff.org/ but do not create a SSL cert.
    3) Run ispconfig_update.sh --force and let the updater create a new cert.

    If this does not work, then you might have to reinstall.
     
    ShaferTech and ahrasis like this.
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Basically I tried the steps several times and so I can help confirm it works, though there should be some extra(s) to delete to remove warnings (I can't remember it for now, but do share if you see one).

    Basically you can do this vice versa, i.e. certbot to acme.sh, as well, but I do not want to encourage this because it is best to train to get it right at the command line, but we all know things happen.
     
    till likes this.
  12. ShaferTech

    ShaferTech Member

    This worked. Certs are from certbot.
    I didn't install the snap, as I'm not a big fan of snaps. I installed certbot and python3-certbot-apache using apt.
     
  13. ShaferTech

    ShaferTech Member

    One last question,

    I do appreciate all the assistance. My last question: my old setup is multi-server. I had thought it would be easier to migrate the primary server. Then, create a secondary server and let it sync to the primary, OR should the secondary already be set up and syncing to the primary before I migrate? Or does this even matter? The old servers were hosting.domain.com and the new servers are panel.domain.com, if that helps answer the question in any way.
     
  14. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What is the question?
    The only phrase written as a question (but with the question mark missing) is "Or does this even matter." But I do not fully understand what this is referring to.
    Just as a guess: if you plan to migrate old ISPConfig system to new, you can migrate a multiserver system to a multiserver system or to a single server system. Or migrate a single server system to a multiserver system. Create the new ISPConfig system first, single server or multi server, whatever you desire, then do the migration.
    I would practice first with a test migration to see how it works, to avoid big mistakes on a production system.
     
    ahrasis likes this.
  15. slagroom

    slagroom Member

    I did the 3 steps to change using certbot, at the end of the forced ispconfig update it showed:
    Code:
    Reconfigure Services? (yes,no,selected) [yes]:
    
    The following custom templates were found:
    
    /usr/local/ispconfig/server/conf-custom/nginx_vhost.conf.master
    /usr/local/ispconfig/server/conf-custom/sieve_filter.master
    
    Do you want to rename these conf-custom templates now so the default templates are used? (yes,no) [no]:
    
    The following local config override templates were found, be sure to incorporate upstream changes if needed:
    
    /usr/local/ispconfig/server/conf-custom/install/dovecot_custom.conf.master
    
    Configuring Postfix
    Configuring Dovecot
    Configuring Spamassassin
    Configuring Rspamd
    Configuring Getmail
    Configuring Pureftpd
    Configuring nginx
    Configuring Apps vhost
    Configuring Jailkit
    Configuring AppArmor
    Configuring Database
    Updating ISPConfig
    ISPConfig Port [8080]:
    
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    PHP Warning:  Undefined array key "ip" in /tmp/update_runner.sh.MQXkxglcyo/install/lib/installer_base.lib.php on line 2995
    Checking / creating certificate for my.somedomain.net
    Using certificate path /etc/letsencrypt/live/my.somedomain.net
    sh: 1: cannot open /dev/tcp/127.0.0.1/80: No such file
    Using nginx for certificate validation
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
    
    Reconfigure Crontab? (yes,no) [yes]:
    
    Updating Crontab
    Restarting services ...
    Update finished.
    Perhaps the warnings are related to the custom templates? The /var/log/letsencrypt/letsencrypt.log looks fine, it does work with certbot now. Thanks for that!
     
  16. slagroom

    slagroom Member

    Code:
    -bash: /root/.acme.sh/acme.sh.env: No such file or directory
    certbot works fine, but I keep getting the above on the shell when I log in (via ssh). Looked for cron-jobs that would maybe still be trying stuff with that .acme.sh dir, but that's not the case. Any idea?
     
  17. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Switching from acme.sh to certbot (and vice versa) is not supported and will result in a broken system.
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I already reminded about that earlier, because other than deleting its folder, the right, clean way to remove acme.sh is to use its uninstall command, as Neilpang himself said:
    This uninstall command removes the line from the root ".bashrc" file. That said, since you already removed acme.sh by deleting its folder, you may avoid that warning from occurring again by removing it manually from that file (at the last line).

    I would suggest removing the certbot that was installed by apt and re-installing it via snap (or pip), as suggested by the certbot website, for the latest stable, non-deprecated features.
     
    Last edited: Oct 12, 2023
    till likes this.
  19. slagroom

    slagroom Member

    How do you mean that? Insofar as my system isn't already 'broken', since I'm using Cloudflare for DNS, and for Let's Encrypt name verification. The only thing I need to do manually is create and maintain the certificates.
    ISPconfig also does not create DANE/TLSA verification, so I'm *already* running a 'broken' system, as long as I override ispconfig regarding certs things will be fine.
    Strangely, this was not the last line in my .bashrc, I'd overlooked that earlier. Thanks for making me look again, because now I did see it and deleted it.
     
  20. remkoh

    remkoh Active Member

    If you do a manual switch and nothing after then yes.

    Let's say you want to switch from certbot to acme.sh.
    Just uninstall certbot and do a force update of ISPConfig.
    Acme.sh will be installed by ISPConfig as certbot is no longer there.
    After that you do need to re-issue your certificates within ISPConfig (and update your dane/tlsa records if you have those).
    Then you won't have a broken system.

    Vice versa I guess you uninstall acme.sh and install certbot before force updating ISPConfig as ISPConfig favors acme.sh when none are installed.
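    The acme.sh-to-certbot switch from till's three steps in post #10, with the leftover .bashrc line from posts #16 and #18 and remkoh's re-issue reminder folded in, as one script. This is an added example, not ISPConfig's or acme.sh's own code. Assumptions: acme.sh is installed in /root/.acme.sh and registered itself in /root/.bashrc with a line sourcing /root/.acme.sh/acme.sh.env (the line slagroom had to delete by hand); `acme.sh --uninstall` is acme.sh's own uninstaller, which is the command ahrasis refers to; certbot has already been installed (snap or apt, whichever you prefer), because the script refuses to run the updater without it, for the reason till gives in post #7.

```sh
#!/bin/sh
# switch_to_certbot.sh  (added example, not ISPConfig's or acme.sh's code)
# Moves an ISPConfig host from acme.sh to certbot following till's three
# steps, and cleans the /root/.bashrc line that slagroom ran into.
# Assumptions: acme.sh is installed in /root/.acme.sh and added a line like
#     . "/root/.acme.sh/acme.sh.env"
# to /root/.bashrc; certbot has already been installed (snap or apt).

ACME_HOME="${ACME_HOME:-/root/.acme.sh}"

# Number of lines in profile file $1 that source acme.sh.env (0 if absent).
count_acme_env_lines() {
    if [ -f "$1" ]; then
        grep -c 'acme\.sh\.env' "$1" || true
    else
        echo 0
    fi
}

# Delete those lines from $1, keeping a timestamped backup beside it.
strip_acme_env_lines() {
    rc="$1"
    [ -f "$rc" ] || return 0
    cp -p "$rc" "$rc.bak.$(date +%Y%m%d%H%M%S)"
    tmp=$(mktemp)
    sed '/acme\.sh\.env/d' "$rc" > "$tmp"
    cat "$tmp" > "$rc"     # overwrite in place so mode and owner survive
    rm -f "$tmp"
}

switch_to_certbot() {
    # Step 2 first: the updater fetches acme.sh whenever certbot is missing
    # (post #7), so refuse to continue without it.
    if ! command -v certbot >/dev/null 2>&1; then
        echo "certbot not found on PATH; install it first" >&2
        return 1
    fi
    # Step 1: remove acme.sh. Its own uninstaller drops the cron job and the
    # .bashrc line; the manual cleanup covers a directory that was already
    # deleted by hand, which is what leaves the login warning behind.
    if [ -x "$ACME_HOME/acme.sh" ]; then
        "$ACME_HOME/acme.sh" --uninstall
    fi
    rm -rf "$ACME_HOME"
    strip_acme_env_lines /root/.bashrc
    # Step 3: force the updater to run; answer "yes" when it asks whether to
    # create a new ISPConfig SSL certificate.
    ispconfig_update.sh --force
    echo "Done. Re-issue the site certificates within ISPConfig now," \
         "and update any DANE/TLSA records afterwards (remkoh's note)."
}

case "${1:-}" in
    --apply)
        switch_to_certbot ;;
    *)
        echo "dry run: $(count_acme_env_lines /root/.bashrc) acme.sh.env line(s) in /root/.bashrc"
        echo "run with --apply as root to perform the switch" ;;
esac
```

    Without `--apply` the script only reports whether the stale .bashrc line is present, so it is safe to run first. The backup of .bashrc is kept next to the original in case the sed pattern matches more than you expected.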
     
