Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. sjau

    sjau Local Meanie Moderator

    I see, nice :)
  2. lordimac

    lordimac New Member

    This works, yes, but the chain is incomplete using Apache 2.2.

    This script creates the following entrys (should work with Apache 2.4):

    SSLCertificateFile /var/www/clients/clientx/webx/ssl/domain.tld.crt (linked to fullchain.pem)
    SSLCertificateKeyFile /var/www/clients/clientx/webx/ssl/domain.tld.key

    If I'm using SSLCertificateChainFile instead, it works with full chain. Even SSLLabs gives me an A instead of B because of the full chain.

    SSLCertificateFile /etc/letsencrypt/live/domain.tld/cert.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.tld/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/domain.tld/chain.pem
    Is the ISPConfig Team aware of this issue? Thanks!
  3. concept21

    concept21 Active Member

    Can it be released for production before my commercial certificate expired in summer? :p
  4. dark alex

    dark alex New Member

    yes that would be cool to see in upstream release :D
  5. Riaan

    Riaan New Member

    This is fantastic, thank you guys. This changes the whole game at the end of the day.
    Any release date in mind ?
  6. Linus9000

    Linus9000 New Member

    How is the Lets Encrypt checkbox supposed to work exactly? I updated from to git (commit 5e82da8c) just today (dev machine only) and it doesn't seem to create a cert when checking the box and saving. Is there anything I'm missing, maybe a package I need to install for letsencrypt?
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    letsencrypt has to be installed on your server first to use that function.
  8. Linus9000

    Linus9000 New Member

    Thank you for your answer! Now I got the following problem (Debian Jessie, letsencrypt-python installed from jessie-backports, apache2-2.4.18-1):

    eb 25 15:52:57 XXX apache2[29089]: Starting web server: apache2 failed!
    Feb 25 15:52:57 XXX apache2[29089]: The apache2 configtest failed. ... (warning).
    Feb 25 15:52:57 XXX apache2[29089]: Output of config test was:
    Feb 25 15:52:57 XXX apache2[29089]: AH00526: Syntax error on line 13 of /etc/apache2/sites-enabled/000-ispconfig.conf:
    Feb 25 15:52:57 XXX apache2[29089]: <LocationMatch not allowed here

    Relevant part in 000-ispconfig.conf:
    <Directory /var/www/clients>
    AllowOverride None
    Require all denied

    <IfModule mod_headers.c>
    <LocationMatch "/.well-known/acme-challenge/*">
    Header set Content-Type "text/plain"

  9. felan

    felan Member HowtoForge Supporter

    I have had to switch from le2ispc to ISPConfig 3.1. What would be the best way to handle letsencrypt after deleting le2ispc? Delete archive, live and config or edit all config files to fit with the configuration from ISPConfig 3.1 (have that setup running on another server)
  10. lordimac

    lordimac New Member

    Afaik a Config Rewrite should do the Job.

    Is 3.1 already useable? Because its still not released.
  11. felan

    felan Member HowtoForge Supporter

    3.1 is working great, actually. Just a few minor things here and there with the GUI, but nothing that I couldn't even have in production....
  12. thibotus01

    thibotus01 Member

    Issuing worked well, but when I try to renew the certificate: "uncheck / recheck" as indicated, the expiry date still remains the same, so I'm not sure it did anything.

    Ok actually the error log is:

    2016-04-05 00:30:04,191:INFO:letsencrypt.cli:Cert is due for renewal, auto-renewing...
    2016-04-05 00:30:04,222:DEBUG:letsencrypt.cli:Requested authenticator webroot and installer apache
    2016-04-05 00:30:04,239:DEBUG:letsencrypt.plugins.disco:No installation (PluginEntryPoint#apache):
    Traceback (most recent call last):
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt/plugins/", line 103, in prepare
    File "/root/.local/share/letsencrypt/local/lib/python2.7/site-packages/letsencrypt_apache/", line 152, in prepare
    raise errors.NoInstallationError
    2016-04-05 00:30:04,241:DEBUG:letsencrypt.display.ops:No candidate plugin
    2016-04-05 00:30:04,248:DEBUG:letsencrypt.plugins.disco:Other error:(PluginEntryPoint#webroot): Missing parts of webroot configuration; please set either --webroot-path and --domains, or --webroot-map. Run with --help webroot for examples.
  13. DDArt

    DDArt Member

    I don't know if I read it right but in 3.1 release this will be implemented and working. Can someone chime in on this because I am interested as well and I am willing to wait, my cert won't expire for another 6 months or so.
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, letsencrypt is already implemented and working in 3.1.
    DDArt likes this.
  15. felan

    felan Member HowtoForge Supporter

    IMHO not much is left for 3.1 to go live, but if you want to follow, go check the developer section on
  16. thibotus01

    thibotus01 Member

    Anyone tried to renew their certificate ? Are you facing same errors as me ?
  17. Nemis

    Nemis Member

    "letsencrypt-auto renew" on cron as root every 5 days.
  18. Nemis

    Nemis Member

    may u put "wget letencrypt-auto" script on ispconfig install ?
  19. felan

    felan Member HowtoForge Supporter

    Nemis: Nope wouldn't be a good idea since it is a GIT project and some distributions already have their own packages ready for it.
  20. Nemis

    Nemis Member

Share This Page