How to secure Let's Encrypt / ACME.sh

Discussion in 'Installation/Configuration' started by ISPNoob, Mar 14, 2020.

  1. ISPNoob

    ISPNoob New Member

    I would like to use ISPConfig as an authoritative name server, ACME.sh's way of doing things is like this
    Code:
    export ISPC_User="xxx"
    export ISPC_Password="xxx"
    export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"
    export ISPC_Api_Insecure=1
    acme.sh --issue --dns dns_ispconfig -d example.com -d www.example.com
    
    Is there a way to secure this so that if a Web Application were to get pwned, the ISPConfig server wouldn't be jeopardized?

    /Oof

Never mind, just realized that if the website isn't hosted on the ISPConfig server, then doing it this way would be pointless. Is there a way to make it so you can use ISPConfig as an authoritative DNS server, while hosting the website on a different machine and still being able to automate the Let's Encrypt certificates? All I can think of is using Rsync, but that would be incredibly insecure as you would have to give access to each machine. Even if done using a chroot jail, it would still be insecure.
     
    Last edited: Mar 14, 2020
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Simply enable the Let's Encrypt checkbox in a website in ISPConfig if a website shall have a Let's Encrypt certificate, that's all. No need for using acme.sh or the remote API at all.
     
  3. ISPNoob

    ISPNoob New Member

    That works even if the website is not hosted on the same machine/address as ISPConfig? I only see the checkbox when creating a website, but if I route the A record to the Nginx server it's hosted on (away from ISPConfig), the Let's Encrypt certificate is no longer valid.
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The A-Record must point to the ISPConfig system and you can use a proxy config to forward the website requests to your other hosting server then.

    If you want to create LE certs manually with acme.sh instead, then you can do that as well. The remote API link https://ispc.domain.tld:8080/remote/json.php that you use there works over the network and is protected by SSL, so it does not matter where your web server is located.
     
    ISPNoob likes this.
  5. ISPNoob

    ISPNoob New Member

    Ah thank you! I'll refrain from using ACME.sh and just go with the proxy route, thanks again!
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Just one thing, take care to exclude the URL that Let's Encrypt uses to authenticate the SSL cert from being proxied to the other system :)
     
    ISPNoob likes this.
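A minimal reverse-proxy vhost that does what till describes, as an added example that is not from the thread or from ISPConfig's own vhost templates. It assumes the proxy on the ISPConfig host is nginx, that the real hosting server is 192.0.2.10 (an RFC 5737 documentation address), and that the ACME client on the ISPConfig host writes its HTTP-01 tokens below the placeholder webroot /var/www/acme-challenge; adapt all three to your setup.

```nginx
# Added example, not part of the thread. Proxy vhost on the ISPConfig host:
# the HTTP-01 challenge path is answered locally, everything else is
# forwarded to the hosting server. Assumed values: backend 192.0.2.10
# and challenge webroot /var/www/acme-challenge (placeholder; use the
# directory your ACME client on this host actually writes tokens to).

server {
    listen 80;
    server_name example.com www.example.com;

    # Served from this host: Let's Encrypt requests
    # http://example.com/.well-known/acme-challenge/<token> and must get
    # the token file from the machine that asked for the certificate.
    # "^~" is a longest-prefix match that stops nginx from considering
    # any other location for these requests, so they are never proxied.
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme-challenge;   # file = root + full request URI
        default_type text/plain;
    }

    # Everything else goes to the real hosting server. The backend sees
    # the original Host header and the client address via X-Forwarded-For.
    location / {
        proxy_pass http://192.0.2.10;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

With this layout the A record points at the ISPConfig host, TLS terminates there with the certificate ISPConfig obtained, and the backend never needs the remote API credentials from the first post.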
