Ok, sorry for the slow reply. Thanks for clarifying that letsencrypt is currently not used for the ISPConfig Frontend or the server services. Unfortunate, but ok, I'll get around that and hope for the future.
I am glad that ISPConfig 3.1 has built in Letsencrypt. But then I noted that Letsencrypt got its limits and while testing our servers, we may fall into the said limits. Letsencrypt does suggest that if we are using Certbot, we can use its staging environment with the --staging flag. Thus, my first question or request is, while the available feature is already very good, is there any way or chance that we can improve the available Letsencrypt feature by adding its staging environment setting or option into ISPConfig, maybe on by default but can be turned off, so that we might avoid falling into the limits, unintentionally. Further, if there is already an approved ssl by LetsEncrypt, it won't be deleted (but rather kept unless chosen to be permanently deleted) and the system automatically reinstalls it, instead of requesting a new one again, so it might not fall inside its limits. Cheers.
I tend to think the limits are rather high. You shouldn't hit them normally: The only real issue I can see is the 20 "registered domain" limits per week. E.g. if you request a cert for www.domain.tld, another one for mail.domain.tld, another one for pop.domain.tld, imap.domain.tld, smtp.domain.tld and one for domain.tld. If those all were requested individually, that would be 6 already.
I think you are getting close to my point sjau except that you are referring to normal use of a server instead of testing a server. Repeated testing of 4 times of what you mentioned above per domain will hit the limit. Adding --staging flag will allow up to 30,000 per week, which is much better and safer while testing a server.
With the current integration there is no testing needed. Click the checkbox and a cert for that domain will be issued. What do you need to test? That's what I don't understand.
Yes. You don't need to if your server is already working well in one setup. If not, you might want to redo it several times until you get it right, and while doing that normally you also want to test a domain with lots of subdomains. That is where it will become handy because the limits will stop you from doing it. I don't mind looking into adding that myself so long as you or anyone else can highlight which relevant files to look into to do that.
Edited: I find the one for apache in apache2_plugin.inc.php; and for the website in web_vhost_domain_edit.php and its related files. I think, when testing, I only need to add --staging (in apache2_plugin.inc.php) into this line of code:
Code:
    $success = $this->_exec($letsencrypt . " certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains $lddomain --webroot-path /usr/local/ispconfig/interface/acme");
I don't think I will be adding anything new to the web_vhost_domain_edit.php file for now except if the suggestions are to be added as an option for easy use later.
You should follow a tutorial where LE is actually installed like in Ubuntu 16.04 and above e.g. https://www.howtoforge.com/tutorial...doveot-and-ispconfig/2/#-install-lets-encrypt. Do not activate LE ssl for any domain after certbot installation in the terminal as you will get trouble in activating in ISPC if you did so. Simply cancel when it shows all your domains. If your server works fine, then you should be able to simply tick LE ssl in Website or Subdomain (Vhost) or Aliasdomain (Vhost) creation or edit (preferably edit as I think you should make sure your domain works first).
Hi, nice to see LE is implemented (and working like a charm) for hosted websites, but what about the ISPC login page? I really don't understand why this option is missing... so I've made a new "page" with the same domain as the login page, "server1.example.com", with LE enabled, then just copied and pasted the apache2 conf SSL part
Code:
    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCertificateFile /var/www/clients/client1/web1/ssl/server1.example.com-le.crt
    SSLCertificateKeyFile /var/www/clients/client1/web1/ssl/server1.example.com-le.key
    SSLCertificateChainFile /var/www/clients/client1/web1/ssl/server1.example.com-le.bundle
to
Code:
    /etc/apache2/sites-available/ispconfig.vhost
which is working, but it's not really nice and clear..
Never edit the ispconfig.conf file manually, your server will start to fail on the next update. The correct way is to not alter the ispconfig.conf file; instead you replace the old ssl files with symlinks to the new files that you want to use.
Hello, I soon discovered a problem with Let's Encrypt and I am looking for information; it became certbot. What is the process to update Let's Encrypt to certbot in 3.1? Thanks
Both are supported, just install certbot (into a location found in $PATH) and remove letsencrypt and it should work fine.
I noticed the conf file created by letsencrypt is far longer than the certbot conf. Since I think both can work fine, I might uninstall letsencrypt and reinstall certbot. But is that a good choice?
Where do I find $PATH, in /etc/apache2? Also I migrated to ISPConfig 3.1.2; if I change the path, what is the repercussion on an update?
$PATH is an environment variable which is a list of directories to search for commands to run, eg. with PATH=/bin:/sbin:/usr/bin:/usr/sbin as an example (actual PATH's are usually longer than that), if you run the command 'certbot', it (ie. the shell) will look for /bin/certbot, then /sbin/certbot, then /usr/bin/certbot, then /usr/sbin/certbot and run the first one found - if not found you'd get a 'command not found' error. So what I really meant was simply to install certbot into a standard location for commands to be found. Eg. from the 'certbot' package in jessie-backports, it gets put in /usr/bin/:
Code:
    # dpkg --listfiles certbot | grep bin
    /usr/bin
    /usr/bin/certbot
    /usr/bin/letsencrypt
You don't need to change PATH or anything, just install it in a "normal" location.
To create LE for your server:
1. Create a site for your server in ISPConfig panel via Sites > Website > Add new website.
2. Check if your site is accessible online (you might or might not have to create dns for it).
3. If it is already accessible via internet, click ssl and LE button and save.
4. If you haven't enabled ssl during ISPConfig setup, enable it by typing ispconfig_update.sh in the terminal and select yes for ssl.
5. If ssl is already enabled, then use this command to backup and replace the created ssl with LE ssl.
Code:
    mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.pem /usr/local/ispconfig/interface/ssl/ispserver.pem.bak
    ln -s /etc/letsencrypt/live/yourserverdomain/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/yourserverdomain/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    cat /usr/local/ispconfig/interface/ssl/ispserver.{key,crt} > /usr/local/ispconfig/interface/ssl/ispserver.pem
6. Then run "service nginx reload" or "service apache2 reload" accordingly.
7. Check your server ssl info in the browser. It should now show LE ssl.
I think that is it on how to use LE ssl for your server.
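The backup-and-symlink step from the post above, as an added shell example (not code from the thread or from ISPConfig). It can be re-run after every renewal, which matters because ispserver.pem is a concatenated copy rather than a symlink and otherwise keeps the old certificate; the function name install_le_cert and its two directory arguments are assumptions.

```shell
#!/bin/sh
# Added example. install_le_cert is a hypothetical helper name.
# Usage: install_le_cert LIVE_DIR SSL_DIR
#   LIVE_DIR  e.g. /etc/letsencrypt/live/yourserverdomain
#   SSL_DIR   e.g. /usr/local/ispconfig/interface/ssl
install_le_cert() {
    live=$1
    ssl=$2

    # Refuse to touch anything unless both source files exist and are non-empty.
    for f in "$live/fullchain.pem" "$live/privkey.pem"; do
        [ -s "$f" ] || { echo "missing or empty: $f" >&2; return 1; }
    done

    # First run only: move the installer-generated files aside. Once
    # ispserver.crt is a symlink, an earlier run already made the backups,
    # so a re-run must not overwrite them.
    if [ ! -L "$ssl/ispserver.crt" ]; then
        for name in ispserver.crt ispserver.key ispserver.pem; do
            if [ -f "$ssl/$name" ]; then
                mv "$ssl/$name" "$ssl/$name.bak" || return 1
            fi
        done
    fi

    ln -sf "$live/fullchain.pem" "$ssl/ispserver.crt" || return 1
    ln -sf "$live/privkey.pem" "$ssl/ispserver.key" || return 1

    # ispserver.pem holds the private key. mktemp creates the file with
    # mode 0600, and the rename means readers never see a partial file.
    tmp=$(mktemp "$ssl/ispserver.pem.XXXXXX") || return 1
    cat "$live/privkey.pem" "$live/fullchain.pem" > "$tmp" \
        && mv -f "$tmp" "$ssl/ispserver.pem" \
        || { rm -f "$tmp"; return 1; }
}

# Run directly when called with both directories as arguments.
if [ "$#" -eq 2 ]; then
    install_le_cert "$1" "$2"
fi
```

Reload the web server afterwards as in step 6.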
Hi, Good to see Let's Encrypt integrated into ISPConfig. Great work!! A little confused here (you are dealing with someone dangerous here - knows enough to mess things up!). I have just set up a server with 3 domains/sites. I have an LE SSL Certificate on site a.com which reads correctly - matches site etc.. I tried to set up LE Certificates for B.com and C.com, but they are using the certificate from A.com - of course giving errors. I am using Ubuntu 16.04, ISPConfig 3.1.2 with nginx as the web server and wonder if the behaviour I am seeing is intended or not.