ISPconfig 3.1, Let's Encrypt and Aliasdomains

Discussion in 'General' started by axxies, Sep 29, 2016.

  1. axxies

    axxies Member

    It is possible to create SSL certificates for aliasdomains directly in certbot, but not if done via ISPconfig 3.1. Is there a workaround for this (other than using certbot directly :) )? Is it on the roadmap to implement it in ISPconfig3 for aliasdomains?
    (I should mention that the aliasdomain is defined with a DNS A record)
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    aliasdomains get added automatically to the ssl cert of the website they belong to in ispconfig. So there is no need to create a cert outside of ispconfig for them.
    axxies likes this.
  3. axxies

    axxies Member

    Ok, so even if the website is e.g. "" and the alias is "" (I mean, not a sub-domain of the website) this will be included?

    Another thing:
    How do I do with existing certificates generated by certbot? Can I import them into ISPconfig so that I handle them from there, or should I revoke those outside of ISPconfig and create them inside ISPconfig instead?

    ...and finally:
    Is there an API in ISPconfig that we can use to handle (create, revoke, renew etc) these certs? Is the API part of the manual that is for sale?

  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, of course. That's an aliasdoamin and that's included in the SSL cert.

    ispconfig will create a new cert when you activate letsencrypt.

    cert handling is fully automated incl. renewal, so there is just one checkbox for all this and this checkbox is alaso available as setting in the ispconfig remote api.
    axxies likes this.
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Correct, both subdomains ( and alias domains ( will be included in the certificate.
    I've not tried that, but I would expect everything to work. Pick a less important/test domain and try enabling the letsencrypt checkbox, I'd expect it to request a new cert (because the names might vary) and switch to the new one in a minute or two.
    I can't answer that, @till or someone will need to. (My guess is that the api would expose the same settings as the ui, effectively letting you turn the letsencrypt checkbox on or off, so you could turn off (wait a minute?) then back on and it should set letsencrypt up fresh (I don't know if the old certificates will get removed or left on the server and potentially reused if the names are the same).)
    axxies likes this.
  6. axxies

    axxies Member

    I tried with this setup:

    1) - the website, LE SSL enabled
    2) - the aliasdomain, added after was created
    On the same server (same IP as for all) there is another domain that has an aliasdomain associated with it (let's call that is not associated with domain1 other than that they share the same IP.

    I also set a script to redirect all traffic from http to https (Apache directives):
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]

    * worked like a charm and it redirected like it should from to
    * test1.anotherdomain got redirected to which resulted in a "Insecure connection" asking for an exception (and a yellow "icon" for the SSL protected (in the address bar)).
    Looking in the explanation for the insecure connection, the showed up as the only domain that the certificate was valid for.

    Then I tried to revoke the certificate for and that went well in itself, but it didn't help for the result of connecting to

    Any ideas?

    Last edited: Sep 29, 2016
  7. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I believe you have to exclude the /.well-known/acme-challenge location from redirecting. There is already a setting in ispconfig to redirect http->https, just enable the checkbox at Website > Redirect > Rewrite HTTP to HTTPS.
    axxies likes this.

Share This Page