Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. sjau

    sjau Local Meanie Moderator

    Check the message more closely. The SSL is fine but one resource still gets loaded from http... the background file. I couldn't figure out where in stikked you could change it so I opened a ticket for them ;)
    Although when checking with FF myself, it complains that no identity information is supplied.
     
  2. sjau

    sjau Local Meanie Moderator

    Ok, I edited the static .css file to force https for the images.
    Now it should work also fine in FF.
    Edit: It was not a Let's Encrypt issue but a website one :)

    Some other sites:
    https://www.simplylinux.ch
    https://repogen.simplylinux.ch
    https://debgen.simplylinux.ch

    Edit: Edit: And to force SSL I added these Apache directives in ISPC:
    Code:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    
    Or is there a better way to force SSL?
     
    Last edited: Nov 5, 2015
  3. Nemis

    Nemis Member

    Now it's better, Firefox sees the cipher list, no more warning.
     
  4. sjau

    sjau Local Meanie Moderator

    Hmmm, I just read that dovecot can also use SNI. So if you use smtp.provider.tld in your email client instead of mail.ispconfig.tld then you always get SSL cert warnings.
    Reading here I noticed that you could just provide the LE certs for dovecot as well. However, it seems postfix doesn't support SNI and there don't seem to be plans to start doing so.
     
  5. mintess

    mintess New Member

    Guys, any news regarding this? Is there an easy tutorial for implementing ACME in ispconfig?
    Is the script on page 1 working fine?
    As there was a big announcement in Germany today, customers are already asking for ACME so I will have to provide that shortly.
     
  6. sjau

    sjau Local Meanie Moderator

  7. foxx

    foxx New Member

    I really like this solution on http://evolvedigital.co.uk/how-to-get-letsencrypt-working-with-ispconfig-3/
    It suggests using standalone mode on a different port (9999) and redirect ACME requests to this port by using Apache proxy module.

    Although the blog post only describes a solution for Apache2, it can be easily adapted for nginx:

    Add the following directive to every domain which should get letsencrypt certificates:
    Code:
    location ^~ /.well-known/acme-challenge/ {
      allow all;
      proxy_pass http://127.0.0.1:9999/.well-known/acme-challenge/;
    }
    
    This will redirect all ACME requests to the local letsencrypt standalone server. I've created a snippet to easily reuse this.

    Advantage over the webroot method:
    It also works with non-standard nginx/apache configurations, for example when using nginx as a reverse proxy for a service running on a different VM, port...
     
  8. sjau

    sjau Local Meanie Moderator

    foxx: that sounds neat. I guess I'll adapt my script to do that :)
     
  9. Sir Henry

    Sir Henry Member

    I prefer the webroot approach using a script containing the webroot for each of my SSL domains (there are not too many).

    The common problem of all these approaches is the need to replace the ISPConfig files with symbolic links to /etc/letsencrypt/live/... What happens if ISPConfig feels a need to store its SSL info? Will it replace the links with plain files or will it replace the contents of the files the links point to? Any of this would be bad. So what we really need is a way to either import the letsencrypt live files into ISPConfig or have ISPConfig leave the symbolic links alone.
     
  10. Nemis

    Nemis Member

    sjau's script DOES this
     
  11. Sir Henry

    Sir Henry Member

    Sorry, I missed that. Nice script, but it does not find the correct webroot with "L" redirections. Here is a quick fix, I will eventually create a pull request:
    Code:
    echo "4. Run Let's Encrypt Tool\n";
    $webroot = $domainInfo['document_root'] . "/web";
    if($domainInfo['redirect_type'] == "L") {
        $webroot .= $domainInfo['redirect_path'];
    }
    #$output = shell_exec("$letsencrypt --agree-dev-preview --renew-by-default --rsa-key-size 4096 --email '$email' $domains --authenticator " . $server['type'] . " certonly");
    $output = shell_exec("$letsencrypt --agree-dev-preview $beta --renew-by-default --rsa-key-size 4096 -m '$email' $domains -a webroot --webroot-path " . $webroot . " certonly");
    
     
    Last edited: Nov 24, 2015
  12. sjau

    sjau Local Meanie Moderator

    my script currently just gets the certs and then uses the ISPC API to add them properly to ISPC. Renewal is still a bitch though
     
  13. Nemis

    Nemis Member

    I will add to crontab a call to a script like this, more or less :-D

    Code:
    #!/bin/sh
    DEBUG=true
    warning_days=10 # Number of days to warn about soon-to-expire certs
    certs_to_check='
    /etc/letsencrypt/live/-domain-1-/fullchain.pem
    /etc/letsencrypt/live/-domain-2-/fullchain.pem
    /etc/letsencrypt/live/-domain-3-/fullchain.pem
    /etc/letsencrypt/live/-domain-4-/fullchain.pem
    '
    for CERT in $certs_to_check
    do
      $DEBUG && echo "Checking cert: [$CERT]"
      output=$(echo | openssl x509 -in ${CERT} -noout -startdate -enddate)
      start_date=$(echo $output | sed 's/.*notBefore=\(.*\).*not.*/\1/g')
      end_date=$(echo $output | sed 's/.*notAfter=\(.*\)$/\1/g')
      start_epoch=$(date +%s -d "$start_date")
      end_epoch=$(date +%s -d "$end_date")
      epoch_now=$(date +%s)
      if [ "$start_epoch" -gt "$epoch_now" ]; then
        $DEBUG && echo "Certificate for [$CERT] is not yet valid"
        logger -p local6.warn "Certificate for $CERT is not yet valid"
      fi
      seconds_to_expire=$(($end_epoch - $epoch_now))
      days_to_expire=$(($seconds_to_expire / 86400))
      $DEBUG && echo "Days to expiry: ($days_to_expire)"
      warning_seconds=$((86400 * $warning_days))
      if [ "$seconds_to_expire" -lt "$warning_seconds" ]; then
        $DEBUG && echo "Cert [$CERT] is soon to expire ($seconds_to_expire seconds)"
        logger -p local6.warn "cert [$CERT] is soon to expire ($seconds_to_expire seconds)"
        # placeholder: call the renewal script for this cert here
        output=$( SJAU'S-SCRIPT ${CERT} )
      fi
    done
    
    credits:
    http://superuser.com/questions/6183...f-ssl-certificate-for-multiple-remote-servers

    or a way to integrate it into the cron function in ISPConfig, mixed with the other git code patch
     
  14. Sir Henry

    Sir Henry Member

    What is the problem in dropping the wrapper script into cron.monthly?
     
  15. Nemis

    Nemis Member

    LE's certs expire in 90 days, better not to renew every month.
     
  16. ochorocho

    ochorocho Member

    Hello, for the sake of information.... I'm working on integrating Let's Encrypt in the ISPConfig admin panel.

    I plan to do it as described in a previous post:
    2. Integrate it into ISPC directly. Basically you could add a new option in the SSL form besides "create, save, ..." named "create with Let's Encrypt" or something. Then ISPC will trigger the command, wait until the certs are created and then autofill the stuff.

    Basically create 2 more options for "Let's Encrypt Create" and "Let's Encrypt Renew" and add a CronJob to trigger renewal every 60 days.
    My approach will only create symlinks to the certs in your-domain.de/ssl! ... The rest is handled by letsencrypt itself.

    If anyone is working on the same topic, please let me know.

    Cheers,
    Jochen
     
  17. Nemis

    Nemis Member

  18. ochorocho

    ochorocho Member

    Thanks .... so no need to reinvent the wheel! ...
     
  19. sjau

    sjau Local Meanie Moderator

    Thx,
    I added this meanwhile :) thx
     
  20. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member

    Just to clarify, the le2ispc patch that @sjau created isn't the same solution. It's a good way to get using letsencrypt quickly, but where you're heading in your plans above still needs to be done, @ochorocho.

    One nice feature of it to keep in mind is that it loads the letsencrypt certificate info into the ispconfig database, so you can later access it via a browser. The integration into the ispconfig UI should either do the same thing, or even read the info right from the /etc/letsencrypt/live/ files and display that instead.

    Also on the cronjob frequency, it's my understanding that you could/should run the letsencrypt autorenew script frequently, eg. probably nightly would be fine, and it won't actually renew site certificates until they're close to expiration. There shouldn't be any need to create complex/lengthy cronjobs that try to do the renewal on-schedule for each domain (and handle temporary failures correctly, retrying again later on).
     