ISPconfig 3.1, Let's Encrypt and Aliasdomains

Discussion in 'General' started by axxies, Sep 29, 2016.

  1. axxies

    axxies Member

    It is possible to create SSL certificates for aliasdomains directly in certbot, but not if done via ISPconfig 3.1. Is there a workaround for this (other than using certbot directly :) )? Is it on the roadmap to implement it in ISPconfig3 for aliasdomains?
    (I should mention that the aliasdomain is defined with a DNS A record)
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Aliasdomains get added automatically to the SSL cert of the website they belong to in ISPConfig. So there is no need to create a cert outside of ISPConfig for them.
     
  3. axxies

    axxies Member

    Ok, so even if the website is e.g. "www.mydomain.com" and the alias is "www.anotherdomain.com" (I mean, not a sub-domain of the website) this will be included?

    Another thing:
    What do I do with existing certificates generated by certbot? Can I import them into ISPconfig so that I handle them from there, or should I revoke those outside of ISPconfig and create them inside ISPconfig instead?

    ...and finally:
    Is there an API in ISPconfig that we can use to handle (create, revoke, renew etc) these certs? Is the API part of the manual that is for sale?

    Thanks!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    Yes, of course. That's an aliasdomain and that's included in the SSL cert.

    ISPConfig will create a new cert when you activate Let's Encrypt.

    Cert handling is fully automated incl. renewal, so there is just one checkbox for all this, and this checkbox is also available as a setting in the ISPConfig remote API.
     
  5. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Correct, both subdomains (other.mydomain.com) and alias domains (www.another.com) will be included in the certificate.
    I've not tried that, but I would expect everything to work. Pick a less important/test domain and try enabling the letsencrypt checkbox, I'd expect it to request a new cert (because the names might vary) and switch to the new one in a minute or two.
    I can't answer that, @till or someone will need to. (My guess is that the api would expose the same settings as the ui, effectively letting you turn the letsencrypt checkbox on or off, so you could turn off (wait a minute?) then back on and it should set letsencrypt up fresh (I don't know if the old certificates will get removed or left on the server and potentially reused if the names are the same).)
     
  6. axxies

    axxies Member

    I tried with this setup:

    1) domain1.com - the website, LE SSL enabled
    2) test1.anotherdomain.com - the aliasdomain, added after domain1.com was created
    On the same server (same IP as for all) there is another domain that has an aliasdomain associated with it (let's call that aliasdomain2.com). aliasdomain2.com is not associated with domain1 other than that they share the same IP.

    I also set a script to redirect all traffic from http to https (Apache directives):
    <snip>
    RewriteEngine on
    RewriteCond %{SERVER_PORT} !^443$
    RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R=301,L]
    </snip>

    Results:
    * domain1.com worked like a charm and it redirected like it should from http://domain1.com to https://domain1.com
    * test1.anotherdomain got redirected to https://test1.anotherdomain.com which resulted in an "Insecure connection" asking for an exception (and a yellow "icon" for the SSL protected (in the address bar)).
    Looking in the explanation for the insecure connection, the aliasdomain2.com showed up as the only domain that the certificate was valid for.

    Then I tried to revoke the certificate for aliasdomain.com and that went well in itself, but it didn't help for the result of connecting to https://test1.anotherdomain.com

    Any ideas?

    Thanks!
     
    Last edited: Sep 29, 2016
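
Added example, not part of the original thread and not ISPConfig code: a Python check for the symptom reported above, listing which site and alias names are missing from the subjectAltName of the certificate a server presents. The function names and the sample data are constructed for illustration; `fetch_peer_cert` is meant to be pointed at your own server and is not exercised by the sample.

```python
import socket
import ssl


def san_dns_names(peer_cert):
    """Lower-cased DNS names from a dict shaped like SSLSocket.getpeercert()."""
    return [v.lower() for k, v in peer_cert.get("subjectAltName", ()) if k == "DNS"]


def name_matches(pattern, hostname):
    """Match one SAN entry against a hostname; '*' may only be the whole leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one label and is ignored directly under a TLD.
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def uncovered_names(peer_cert, expected):
    """Names from `expected` (site plus alias domains) that no SAN entry covers."""
    sans = san_dns_names(peer_cert)
    return [h for h in expected if not any(name_matches(s, h) for s in sans)]


def fetch_peer_cert(ip, sni_name, port=443, timeout=5.0):
    """Fetch the certificate the server at `ip` presents for SNI `sni_name`."""
    ctx = ssl.create_default_context()
    # The chain is still validated; only the hostname check is disabled so a
    # certificate issued for other names can be inspected instead of rejected.
    ctx.check_hostname = False
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni_name) as tls:
            return tls.getpeercert()


# Constructed sample mirroring the reported result: the certificate served
# for test1.anotherdomain.com lists only aliasdomain2.com.
SAMPLE_SERVED = {"subjectAltName": (("DNS", "aliasdomain2.com"),)}

if __name__ == "__main__":
    wanted = ["domain1.com", "test1.anotherdomain.com"]
    print("not covered:", uncovered_names(SAMPLE_SERVED, wanted))
```

Running `fetch_peer_cert` once per site and alias name against the same IP shows whether the server selects the expected vhost certificate for each SNI name.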
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    I believe you have to exclude the /.well-known/acme-challenge location from redirecting. There is already a setting in ispconfig to redirect http->https, just enable the checkbox at Website > Redirect > Rewrite HTTP to HTTPS.
     
