Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    The data has to be loaded into the ispconfig database on the master server to ensure that it gets replicated to the slaves (if there are any) and to display the cert in ispconfig. Reading from file is not possible as the file can be on a different server so that the interface can't access it. Besides that, the implementation has to ensure that the same cert is not created twice on a mirrored system, so only the master of a mirror should create the cert and load it into the master database (dbmaster connection in server, not db).
     
  2. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    That point that the ispconfig control panel isn't always the same server as where the website lives certainly influences the implementation; we need to handle multiple web servers (each hosting only part of the websites) and the mirrored server scenarios.

    I think the ispconfig server itself could obtain all the certificates using the --manual method, and then push the certificates to all webservers that need them. Ispconfig would then have to track/identify certificates needing renewed and perform that (including handling failed renewals, postponing for another time). And I don't know what all is required to do domain validation in "manual" mode.

    Alternately, each web server could perform the certificate requests and renewals locally. Would it really hurt anything to have different certificates on different webservers? I think at the http level it would be fine, although of course currently ispconfig can't save more than one in the database.

    In either setup, if the letsencrypt certificate is going into the ispconfig database, we'll need to identify when the certificate changes and push the new cert info into ispconfig. Could just read the old certificate and compare to the live files, or save a timestamp.
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that depends on how letsencrypt handles it, maybe there can be just one ssl cert for one domain at the same time and they revoke the other cert if you create a second one? And it might cause issues in mirrored servers, I don't know how a browser reacts when it gets e.g. an image file from server 1 with a different ssl cert than the second image or an html page from server 2 on the same website.

    So my preference would be to create just one ssl cert "cluster wide" for a domain.
     
    Nemis likes this.
  4. Nemis

    Nemis Member

    so Master can handle SSL, slave can only get from master db. (share the same cert)
    sjau's script generate LE'S ssl, and store it on ISPconfig's DB.
    and there is this interesting patch : https://github.com/alexalouit/ISPConfig-letsencrypt
    need to mix it, and add a cron check. SSL from LE has a 90-day time limit
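Added example, not code from this thread, from ISPConfig or from any of the linked projects: a small POSIX shell script illustrating the two checks the posts above describe, a periodic check against the 90-day certificate lifetime so renewals can be scheduled before expiry, and a fingerprint comparison that detects when a live certificate file on a web node has changed and must be pushed into the ispconfig database. The directory layout, the state-file format and the 30-day renewal window are assumptions; the script only needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not part of this thread or ISPConfig): a cron-style check that
# (a) flags certificates within N days of expiry so they are renewed before the
# Let's Encrypt 90-day lifetime runs out, and (b) detects that a cert file on a
# web node changed (fingerprint differs from the last recorded one) so the new
# cert can be pushed into the ispconfig master database.
# Requires the openssl CLI. Directory and state-file layout are assumptions.

# SHA-256 fingerprint of a PEM certificate, printed as "AB:CD:...".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Returns 0 (true) when the certificate expires within $2 days.
cert_needs_renewal() {
    days="$2"
    # -checkend takes seconds; openssl exits non-zero when the cert WILL expire
    # within that window, so invert the result for a "needs renewal" predicate.
    if openssl x509 -in "$1" -noout -checkend $((days * 86400)) >/dev/null; then
        return 1
    fi
    return 0
}

# Returns 0 (true) when the live file's fingerprint differs from the recorded one ($2).
cert_changed() {
    [ "$(cert_fingerprint "$1")" != "$2" ]
}

# Walk a directory of live certs and compare each against a simple
# "<path> <fingerprint>" state file (assumed format); print one action line per
# cert: RENEW when inside the expiry window, PUSH when the file changed.
check_certs() {
    certdir="$1"; state="$2"; window="${3:-30}"
    for crt in "$certdir"/*.crt; do
        [ -f "$crt" ] || continue
        old=$(grep "^$crt " "$state" 2>/dev/null | cut -d' ' -f2)
        if cert_needs_renewal "$crt" "$window"; then
            echo "RENEW $crt"
        fi
        if cert_changed "$crt" "$old"; then
            echo "PUSH $crt $(cert_fingerprint "$crt")"
        fi
    done
}
```

In a real deployment the PUSH action would be where the cert, key and chain are written into the ispconfig database (via the remote API, for instance) and the state file updated with the new fingerprint; the RENEW action is where the ACME client would be invoked on the node that can answer the domain validation.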
     
  5. sjau

    sjau Local Meanie Moderator

    my script doesn't take slave servers into account. The main problem I have with slave servers is that I've never used them.

    If you have domain.tld on slave A then let's encrypt must be run from slave A to ensure the DV (I think). So basically, upon creation of the website in ISPC the slave server needs to be instructed to run LE, fetch the cert and then (by api?) add it to the ISPC db. Also a cron needs to run periodically on each slave to recheck if certs need renewal.

    At least that's how I think it works but as said, I have no experience with multiserver ISPC setup.
     
  6. Locutus

    Locutus New Member

    Hey,
    I would just like to ask Till if there will be a LE integration into ISPC in the near future?
    And I would also like to know if the perfect server setup tutorials will feature LE installation.

    Thanks,
    Locutus
     
  7. sjau

    sjau Local Meanie Moderator

    Full integration into ISPC is planned.
     
    biforme likes this.
  8. William K.

    William K. New Member

    I've just tested the Alexandre Alouit solution on a clean VM with Ubuntu 14.04.3 and IspConfig latest version, it works like a charm!
    https://github.com/alexalouit/ISPConfig-letsencrypt

    For those trying the same solution, you still need to go to the SSL tab and choose options like "Create Certificate" and "Save Certificate" to allow the plugin to do its job.
     
  9. William K.

    William K. New Member

  10. decta

    decta New Member

    If I use the alexalouit version and an official feature from ispconfig comes out, does this leave me with a dual feature where I have to remove parts again (like the mysql table stuff) that might make the database prone to errors? Is there any ETA for the official version (like in the next patch/version)?
     
  11. NginxHolic

    NginxHolic New Member

    Oh this is really great!!
    Having that green lock for free with ease is wonderful.
     
  12. NginxHolic

    NginxHolic New Member

    well, alternatively you can use https://gethttpsforfree.com
     
  13. till

    till Super Moderator Staff Member ISPConfig Developer

    The code from Alexandre looks nice, I've contacted him to ask for his permission to merge his code base into the ISPConfig master branch.
     
    biforme, William K. and Nemis like this.
  14. Nemis

    Nemis Member

    good.
     
  15. foayiid

    foayiid New Member

    Hi all,
    Sorry, but could someone explain to me how it works, because I have set up this https://github.com/alexalouit/ISPConfig-letsencrypt
    on my linux server but it doesn't work ...
    This is what I do :
    1. Install in root
    2. Go in ispconfig > SSL tab : 'create' and 'save' certificate for my domain
    3. Restart apache
    Did I miss something ?
    Best regards, Fred
     
  16. sjau

    sjau Local Meanie Moderator

    Nemis likes this.
  17. Nemis

    Nemis Member

    Last edited: Dec 9, 2015
    William K. likes this.
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    This has a huge load of dependencies and is in its early stages, so we decided that we go with the official letsencrypt client.

    Install it in a virtual machine, e.g. VirtualBox.
     
    Nemis likes this.
  19. sjau

    sjau Local Meanie Moderator

    The official client is not bad IMHO, it just has a lot of dependencies, and the whole virtualenv slows things down massively, I think.

    any (rough) ETA for integration?
     
    Nemis likes this.
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    It is already integrated in master, see git.ispconfig.org. But we will do some changes in the way it works for the final version.
     
    blackfox123 and Schnacki like this.
