The data has to be loaded into the ispconfig database on the master server to ensure that it gets replicated to the slaves (if there are any) and to display the cert in ispconfig. Reading from file is not possible as the file can be on a different server so that the interface can't access it. Besides that, the implementation has to ensure that the same cert is not created twice on a mirrored system, so only the master of a mirror should create the cert and load it into the master database (dbmaster connection in server, not db).
That point that the ispconfig control panel isn't always the same server as where the website lives certainly influences the implementation; we need to handle multiple web servers (each hosting only part of the websites) and the mirrored server scenarios. I think the ispconfig server itself could obtain all the certificates using the --manual method, and then push the certificates to all webservers that need them. Ispconfig would then have to track/identify certificates needing renewal and perform that (including handling failed renewals, postponing for another time). And I don't know what all is required to do domain validation in "manual" mode. Alternately, each web server could perform the certificate requests and renewals locally. Would it really hurt anything to have different certificates on different webservers? I think at the http level it would be fine, although of course currently ispconfig can't save more than one in the database. In either setup, if the letsencrypt certificate is going into the ispconfig database, we'll need to identify when the certificate changes and push the new cert info into ispconfig. Could just read the old certificate and compare to the live files, or save a timestamp.
I guess that depends on how letsencrypt handles it, maybe there can be just one ssl cert for one domain at the same time and they revoke the other cert if you create a second one? And it might cause issues in mirrored servers, I don't know how a browser reacts when it gets e.g. an image file from server 1 with a different ssl cert than the second image or an html page from server 2 on the same website. So my preference would be to create just one ssl cert "cluster wide" for a domain.
So the master can handle SSL; a slave can only get it from the master db (share the same cert). sjau's script generates LE's ssl cert and stores it in ISPConfig's DB. And there is this interesting patch: https://github.com/alexalouit/ISPConfig-letsencrypt. Need to mix it and add a cron check. SSL from LE has a 90-day time limit.
My script doesn't take slave servers into account. The main problem I have with slave servers is that I've never used them. If you have domain.tld on slave A then let's encrypt must be run from slave A to ensure the DV (I think). So basically, upon creation of the website in ISPC the slave server needs to be instructed to run LE, fetch the cert and then (by api?) add it to the ISPC db. Also a cron needs to run periodically on each slave to recheck if certs need renewal. At least that's how I think it works but as said, I have no experience with multiserver ISPC setup.
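The two pieces of bookkeeping discussed in the posts above (detecting that the cert on disk differs from what is stored in the master db so it has to be pushed there, and a periodic cron check that decides per site whether to renew, skip, or postpone after a failed attempt), as an added example that is not from this thread, from sjau's script or from ISPConfig itself. The renewal window, retry back-off, the clock and the PEM bytes are constructed assumptions; the PEM strings are only PEM-shaped, not real certificates.

```python
import base64
import hashlib
import ssl
from datetime import datetime, timedelta, timezone

# Constructed policy values (assumptions, not ISPConfig settings): Let's Encrypt
# certs live 90 days, so start renewing a month early and back off after a failure.
RENEW_BEFORE = timedelta(days=30)
RETRY_AFTER = timedelta(hours=12)
NOW = datetime(2016, 1, 15, tzinfo=timezone.utc)   # constructed clock for the demo

def at(days=0, hours=0) -> datetime:
    """A point in time relative to the constructed clock."""
    return NOW + timedelta(days=days, hours=hours)

def fingerprint(pem: str) -> str:
    """SHA-256 over the DER bytes, so re-wrapped or re-saved PEM text still matches."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()

def cert_changed(live_pem: str, db_pem) -> bool:
    """True when the cert on disk differs from what the master db holds (or the db
    has nothing yet), i.e. the new cert has to be pushed to the master."""
    return db_pem is None or fingerprint(live_pem) != fingerprint(db_pem)

def renewal_action(not_after: datetime, last_failure, now: datetime) -> str:
    """What the periodic check does for one site's cert: skip, renew or postpone."""
    if not_after - now > RENEW_BEFORE:
        return "skip"          # still well inside the 90-day lifetime
    if last_failure is not None and now - last_failure < RETRY_AFTER:
        return "postpone"      # a recent attempt failed: retry on a later cron run
    return "renew"

def cron_check(site: dict, now: datetime):
    """One cron pass for one site: (renewal action, push cert to master db?)."""
    action = renewal_action(site["not_after"], site.get("last_failure"), now)
    return action, cert_changed(site["live_pem"], site.get("db_pem"))

def fake_pem(der: bytes, wrap: bool = False) -> str:
    """PEM-shaped string from constructed bytes (not a real X.509 certificate)."""
    body = base64.encodebytes(der).decode() if wrap else base64.b64encode(der).decode() + "\n"
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    live = fake_pem(b"constructed DER of the cert the LE client just wrote")
    site = {"live_pem": live, "db_pem": None, "not_after": at(days=10),
            "last_failure": at(hours=-1)}
    print(cron_check(site, NOW))   # ('postpone', True)
```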
Hey, I just like to ask Till, if there will be a LE integration into ISPC in the near future? And I also would like to know, if the perfect server setup tutorials will feature LE installation. Thanks, Locutus
I've just tested the Alexandre Alouit solution on a clean VM with Ubuntu 14.04.3 and IspConfig latest version, it works like a charm! https://github.com/alexalouit/ISPConfig-letsencrypt For those trying the same solution, you still need to go to SSL tab and choose options like "Create Certificate" and "Save Certificate" to allow the plugin to do its job
There is no way to ignore this incredible feature, you are doing a good job so far! Plesk also just released their own plugin/feature to create Let's Encrypt certificates too: https://ext.plesk.com/packages/f6847e61-33a7-4104-8dc9-d26a0183a8dd-letsencrypt
If I use the alexalouit version and an official feature from ispconfig comes out, does this leave me with a dual feature where I have to remove parts again (like the mysql table stuff) that might make the database prone to errors? Is there any ETA for the official version (like in the next patch/version)?
The code from Alexandre looks nice, I've contacted him to ask for his permission to merge his code base into the ISPConfig master branch.
Hi all, sorry but could someone explain to me how it works, because I have set up this https://github.com/alexalouit/ISPConfig-letsencrypt on my linux server but it doesn't work ... This is what I do: 1. Install as root 2. Go in ispconfig > SSL tab: 'create' and 'save' certificate for my domain 3. Restart apache. Did I miss something? Best regards, Fred
What also could be very interesting is an alternate client: https://community.letsencrypt.org/t/list-of-client-implementations/2103 Especially that php client -> https://github.com/kelunik/acme-client That means no massive python tools needed to install etc.
Start merging of Alexandre's code: http://git.ispconfig.org/ispconfig/ispconfig3/commit/435ce38d6939087144c7b8d2764968312e839e24 but I like the kelunik php version more: https://community.letsencrypt.org/t/php-client-acme-client-install-and-usage/6396 edit, little OT: is there a "safe way" to test the ispconfig version from git?
This has a huge load of dependencies and is in its early stages, so we decided that we go with the official letsencrypt client. Install it in a virtual machine, e.g. VirtualBox.
The official client is not bad IMHO, it just has a lot of dependencies, and also the whole virtualenv slows things down massively I think. Any (rough) ETA for integration?
It is already integrated in master, see git.ispconfig.org. But we will do some changes in the way it works for the final version.