Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. sjau

    sjau Local Meanie Moderator

    Check the message more closely. The SSL is fine but one ressource gets still loaded from http... the background file. I couldn't figure out where in stikked you could change it so I opened a ticket for them ;)
    Although checking with FF myself it complains that no identity information is supplied.
  2. sjau

    sjau Local Meanie Moderator

    Ok, I edited the static .css file to force https for the images.
    Now it should work also fine in FF.
    Edit: It was not a Let's Encrypt issue but website one :)

    Some other sites:

    Edit: Edit: And to force SSL I did add those apache directives in ISPC:
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
    Or is there a better way to force SSL?
    Last edited: Nov 5, 2015
  3. Nemis

    Nemis Member

    now is better, firefox see the cypherlist , no more advise
  4. sjau

    sjau Local Meanie Moderator

    Hmmm, I just read the dovecot can also use SNI. So if you use smtp.provider.tld in your email client instead of mail.ispconfig.tld then you always got ssl cert warnings.
    Reading here I noticed, that you could just provide the LE certs also for dovecot. However it seems postfix doesn't support SNI and there don't seem to be plans to start doing so.
  5. mintess

    mintess New Member

    Guys, any news according to this? Is there an easy tutorial for implementing ACME in ispconfig?
    Is the script on page 1 working fine?
    As there was a big announcement in Germany today, customers are already asking for ACME so I will have to provide that shortly.
  6. sjau

    sjau Local Meanie Moderator

  7. foxx

    foxx New Member

    I really like this solution on
    It suggests using standalone mode on a different port (9999) and redirect ACME requests to this port by using Apache proxy module.

    Although the blog posts only describes a solution for Apache2, it can be easily adapted for nginx:

    Add the following directive to every domain which should get letsencrypt certificates:
    location ^~ /.well-known/acme-challenge/ {
      allow all;
    This will redirect all ACME requests to the local letsencrypt standalone server. I've created a snipped to easily reuse this.

    Advantage over webroot method:
    Does work also with non-standard nginx/apache configuration. For example when using nginx as a reverse proxy for service running on a different VM, port...
  8. sjau

    sjau Local Meanie Moderator

    foxx: that sounds neat. I guess I'll adapt my script to do that :)
  9. Sir Henry

    Sir Henry Member

    I prefer the webroot approach using a script containing the webroot for each of my SSL domains (there are not too many).

    The common problem of all these approaches is the need to replace the ISPConfig files with symbolic links to /etc/letsencrypt/live/... What happens if ISPConfig feels a need to store its SSL info? Will it replace the links with plain files or will it replace the contents of the files the links point to? Any of this would be bad. So what we really need is a way to either import the letsencrypt live files into ISPConfig or have ISPConfig leave the symbolic links alone.
  10. Nemis

    Nemis Member

    sjau script DO this
  11. Sir Henry

    Sir Henry Member

    Sorry, I missed that. Nice script, but it does not find the correct webroot with "L" redirections. Here is a quick fix, I will eventually create a pull request:
    echo "4. Run Let's Encrypt Tool\n";
    $webroot = $domainInfo['document_root'] . "/web";
    if($domainInfo['redirect_type'] == "L") {
        $webroot .= $domainInfo['redirect_path'];
    #$output = shell_exec("$letsencrypt --agree-dev-preview --renew-by-default --rsa-key-size 4096 --email '$email' $domains --authenticator " . $server['type'] . " certonly");
    $output = shell_exec("$letsencrypt --agree-dev-preview $beta --renew-by-default --rsa-key-size 4096 -m '$email' $domains -a webroot --webroot-path " . $webroot . " certonly");
    Last edited: Nov 24, 2015
  12. sjau

    sjau Local Meanie Moderator

    my script currently just gets the certs and then uses the ISPC Api to add them proplerly to ISPC. Renewal is still a bitch though
  13. Nemis

    Nemis Member

    i will add in crontab a call to a script like this , more or less :-D

    warning_days=10 # Number of days to warn about soon-to-expire certs
    for CERT in $certs_to_check
      $DEBUG && echo "Checking cert: [$CERT]"
      output=$(echo | openssl x509 -in ${CERT} -noout -startdate -enddate)
      start_date=$(echo $output | sed 's/.*notBefore=\(.*\).*not.*/\1/g')
      end_date=$(echo $output | sed 's/.*notAfter=\(.*\)$/\1/g')
      start_epoch=$(date +%s -d "$start_date")
      end_epoch=$(date +%s -d "$end_date")
      epoch_now=$(date +%s)
      if [ "$start_epoch" -gt "$epoch_now" ]; then
        $DEBUG && echo "Certificate for [$CERT] is not yet valid"
        logger -p local6.warn "Certificate for $CERT is not yet valid"
      seconds_to_expire=$(($end_epoch - $epoch_now))
      days_to_expire=$(($seconds_to_expire / 86400))
      $DEBUG && echo "Days to expiry: ($days_to_expire)"
      warning_seconds=$((86400 * $warning_days))
      if [ "$seconds_to_expire" -lt "$warning_seconds" ]; then
        $DEBUG && echo "Cert [$CERT] is soon to expire ($seconds_to_expire seconds)"
       logger -p local6.warn "cert [$CERT] is soon to expire ($seconds_to_expire seconds)"
    output=$( SJAU'S-SCRIPT ${CERT} )

    or a way to integrate in the cron function in ISPconfig, mixed with the other git code patch
  14. Sir Henry

    Sir Henry Member

    What is the problem in dropping the wrapper script into cron.monthly?
  15. Nemis

    Nemis Member

    LE's cert expires in 90 day, better not rennovate every month.
  16. ochorocho

    ochorocho Member

    Hello, for sake of information.... i'm working on integrating Let's Encrypt in ISPConfig Admin panel.

    i plan to do it as described in a previous post:
    2. Integrated it into ISPC directly. Basically you could add a new option in the SSL form besides "create, save, ..." named "create with Let'sEncrypt" or something. Then ISPC will trigger the command, wait until the cerst are created and then autofill the stuff.

    Basically create 2 more options for "Let's Encrypt Create" and "Let's Encrypt Renew" and add a CronJob to trigger renewal every 60days.
    My approach will only create a symlinks to the certs in! ... The rest is handled by letencrypt itself.

    If anyone is working on the same topic, please let me know.

    till likes this.
  17. Nemis

    Nemis Member

  18. ochorocho

    ochorocho Member

    Thanks .... so no need to reinvent the wheel! ...
  19. sjau

    sjau Local Meanie Moderator

    I added this meanwhile :) thx
  20. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Just to clarify, the le2ispc patch that @sjau created isn't the same solution, it's a good way to get using letsencrypt quickly, but where you're heading in your plans above still needs done, @ochorocho.

    One nice feature of it to keep in mind is it loads the letsencrypt certificate info into the ipsconfig database, so you can later access it via a browser. The integration into ispconfig ui should either do the same thing, or even read the info right from the /etc/letsencrypt/live/ files and display that instead.

    Also on the cronjob frequency, it's my understanding that you could/should run the letsencrypt autorenew script frequently, eg. probably nightly would be fine, and it won't actually renew site certificates until they're close to expiration. There shouldn't be any need to create complex/lengthy cronjobs that try to do the renewal on-schedule for each domain (and handle temporary failures correctly, retrying again later on).

Share This Page