Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. Ivko

    Ivko New Member

    Yes, sorry didn't know that "-" is exclude syntax, i thought that only "!" do that.
     
  2. Poliman

    Poliman Member

    I posted SSL part from vhost file, because @sjau asked about look ispc vhost file. I have there
    Code:
      # SSL Configuration
      SSLEngine On
        SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
        SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    here is SSLCipherSuite and
    SSLHonorCipherOrder On
    and nothing more about ssl certificates.
     
  3. Anders Malmros

    Anders Malmros New Member

    Hi. I am sorry if my question already have been covered in this thread, but I have some SSL issues and I really can't find out how to fix them.
    When I installed ispConfig, i did make a self signed SSL certificate through SSH, I would like to have a new one created, the company name have changed.
    More importantly, I want to use Let's Encrypt for all sites I host through ispconfig. But whenever i enable either ssl or ssl + lets encrypt, ispconfig updates settings, but nothing is happening. When i go back into the site settings, both checkboxes are disabled, and of course no SSL has been generated. I am sorry if this is a noob question, but I hope that you can help me out. I've spend a lot of time reading through this thread and others, unable to learn what I need to do.
    I do have live customer pages online on the server now, and it is just now that the need for ssl is important.

    Best regards, Anders
     
  4. sjau

    sjau Local Meanie Moderator

    Since you say you have the LE checkbox in the ISPC Interface I assume you do have at least ISPC 3.1.

    In order to use LE with ISPC 3.1+ you need to get the client. See the following link on how to do that.

    https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt

    Once you have the LE client (nowadays called certbot), it should automagically work for websites by using the webinterface.

    As for getting valid cert for your ISPC installation itself, it's a bit more complicated.

    I prefer meanwhile the DNS-01 method and have written a little howto here: https://www.howtoforge.com/communit...utomated-dns-01-challenge-for-ispc-3-1.74850/

    Here's a bit more detailed setup using certbot: https://www.howtoforge.com/communit...ntrol-panel-with-lets-encrypt-free-ssl.75554/
     
  5. zenny

    zenny Member

    @sjau : Just wondering whether one has to manually add a crontab job for renewal check in ISPconfig 3.1.5 or UI takes care of renewal every 90 days once the SSL and Let's Encrypt tabs are selected under Sites >> Domains?

    In the former case what is the ideal command to append the crontab if the server is nginx? Thanks!
     
  6. Sir Henry

    Sir Henry Member

    It is automatic with ISPC 3.1, no cron job needed.
     
  7. zenny

    zenny Member

    @Sir Henry, thanks for prompt reply. But in my case, that didn't reflected in real till I was running ISPC 3.1.2. I cannot say now after upgrading to 3.1.5.
     
  8. Sir Henry

    Sir Henry Member

    Sometimes ISPC has problems with existing symbolic links from an earlier manual LE installation or with wrong permissions. If the renewal does not work, you will find the reason in the ISPC logs.
     
  9. vassiskansa

    vassiskansa New Member

    Hi,
    I've a problem enabling Let's Encrypt flag into ISPConfig 3.
    Let's Encrypt works, i've correctly performed the "perfect installation" with certbot-auto, SSL Certificates are ok for my site... But ISPConfig won't update the flag... Why?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    You mean you created the SSL cert manually with certbot-auto instead of doing this trough ISPConfig? In this case, LE will not work in ISPConfig anymore until you remove the config and SSL cert that certbot added. Then you can create a new SSL cert within ISPConfig. The reason is that certbot does not understand the apache config correctly and messes it up, it adds a duplicate config file which then blocks all website config changes.
     
  11. vassiskansa

    vassiskansa New Member

    Hi Till, thank you for your reply.
    But, can you tell me what i must delete?
    At the /etc/letsencrypt/live there are some folder who contains SSL certs... This one?
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    Search for files and folders with that domain name in /etc/letsencrypt and delet them (make a backup of the whole /etc/letsencrypt folder before you do that). Then search in the apache vhost folders (/etc/apache2/sites-enabled and /etc/apache2/sites-available if there are any files with '-le' in the file name, these are created by certbot and need to be removed, then restart apache.
     
  13. vassiskansa

    vassiskansa New Member

    I've tried... but it doesn't work for me... I'm sure that those file are completely removed, but the Let's Encrypt flag was disable.
    How can i also check?
    p.s.: the SSL certs was rebuilt correctly on /etc/letsencrypt subfolders... live, archive and renewal conf...
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

  15. vassiskansa

    vassiskansa New Member

    Hi Till,
    i've read the guide on faqforge, but the .sh return no error. §(eg.:"Finished")
    This on ispconfig cron.log:

    Fri Sep 1 07:49:03 UTC 2017 Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Fri Sep 1 07:49:04 UTC 2017 Obtaining a new certificate
    Fri Sep 1 07:49:04 UTC 2017 Performing the following challenges:
    Fri Sep 1 07:49:04 UTC 2017 http-01 challenge for XXX.XXX
    Fri Sep 1 07:49:04 UTC 2017 http-01 challenge for XXX.XXX.XXX
    Fri Sep 1 07:49:04 UTC 2017 Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
    Fri Sep 1 07:49:04 UTC 2017 Waiting for verification...
    Fri Sep 1 07:49:08 UTC 2017 Cleaning up challenges
    Fri Sep 1 07:49:08 UTC 2017 Unable to clean up challenge directory /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    Fri Sep 1 07:49:15 UTC 2017 finished.

    "Unable to clean up challenge directory"... is this the error?

    Thank you.
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    No, that's ok.

    Please do a debug as described in the debug instructions. This will show you if the changes in the vhost.conf file could not be applied.
     
  17. vassiskansa

    vassiskansa New Member

    Hi till,
    sorry but i've done that described in the debug istructions... the report shown is the same of the cron.log file.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    The output that you posted is not the output from server.sh file in debug mode as described in the debug instructions. The dbeug output looks like this:

    Code:
    root@server1:~# /usr/local/ispconfig/server/server.sh
    _
    
    13.08.2017-00:35 - DEBUG - Calling function 'check_phpini_changes' from plugin 'webserver_plugin' raised by action 'server_plugins_loaded'.
    13.08.2017-00:35 - DEBUG - Found 1 changes, starting update process.
    13.08.2017-00:35 - DEBUG - Calling function 'ssl' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    13.08.2017-00:35 - DEBUG - Calling function 'update' from plugin 'apache2_plugin' raised by event 'web_domain_update'.
    13.08.2017-00:36 - DEBUG - Writing the vhost file: /etc/apache2/sites-available/c1.tld.vhost
    13.08.2017-00:36 - DEBUG - Apache status is: running
    13.08.2017-00:36 - DEBUG - Calling function 'restartHttpd' from module 'web_module'.
    13.08.2017-00:36 - DEBUG - Restarting httpd: systemctl restart apache2.service
    13.08.2017-00:36 - DEBUG - Apache restart return value is: 0
    13.08.2017-00:36 - DEBUG - Apache online status after restart is: running
    13.08.2017-00:36 - DEBUG - Processed datalog_id 123
    13.08.2017-00:36 - DEBUG - Remove Lock: /usr/local/ispconfig/server/temp/.ispconfig_lock
    finished.
    root@server1:~#
     
  19. cbj4074

    cbj4074 Member

    Hi, everyone!

    I'm curious as to the inner-workings of ISPConfig's Let's Encrypt implementation.

    Specifically, how and when does ISPConfig attempt to renew certificates issued via Let's Encrypt?

    Is it every time I modify and save a website? Is it on a set schedule via cron or similar?

    Thanks for any insight here!
     
  20. sjau

    sjau Local Meanie Moderator

    There is a nightly cron that checks if previously issued certs are up for renewal.
     

Share This Page