ISPConfig 3 autoinstaller problem

Discussion in 'ISPConfig 3 Priority Support' started by tr909192, Aug 30, 2022.

  1. tr909192

    tr909192 Member HowtoForge Supporter

    Dear,

    For a few months now, we have used your official autoinstaller script (https://git.ispconfig.org/ispconfig/ispconfig-autoinstaller) to deploy our ISPConfig 3 installations.
    Everything goes fine, but we have problems with the Let's Encrypt certificate used by the interface.
    Basically, checking inside the ispconfig.vhost file, we see that the SSL certificate and private key used are stored in:
    Code:
    SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    
    But these files are real files, not symbolic links to the certs themselves:
    Code:
    root@$HOST:/usr/local/ispconfig/interface/ssl# ll
    -rwxr-x--- 1 root root 5597 Jun  1 13:43 ispserver.crt
    -rwxr-x--- 1 root root 1679 Jun  1 13:43 ispserver.key
    
    In this way, the first time that acme (or certbot) renews this certificate because it has expired, the ISPConfig web interface stops working because it does not get the updated certificate.
    In order to solve this, I created symbolic links like this:
    Code:
    root@$HOST:/usr/local/ispconfig/interface/ssl# ll
    lrwxrwxrwx 1 root root   52 Aug 30 13:31 ispserver.crt -> /root/.acme.sh/$HOST.$MYDOMAIN/$HOST.$MYDOMAIN.cer
    lrwxrwxrwx 1 root root   52 Aug 30 13:32 ispserver.key -> /root/.acme.sh/$HOST.$MYDOMAIN/$HOST.$MYDOMAIN.key
    
    Is this something that you may want to include in the default installation of the autoinstaller itself?
    ty
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    acme.sh copies certs to the target directory on renewal, and this normally works absolutely fine. I've installed all of my recent systems using the auto-installer and I don't have any LE cert renewal issues there. My guess is you created a website in ISPConfig which uses the hostname of the server as the exact (sub)domain and activated Let's Encrypt for that? Because that's what is triggering that issue. Most likely we will have to add some code that figures out when a website is created for the hostname and let it reuse the ispconfig cert from /usr/local/ispconfig/interface/ssl/ folder instead of creating a new one in the website's SSL folder (which then breaks the renewal for the ISPConfig SSL cert as acme.sh is not able to copy certs to two folders automatically).
     
  3. tr909192

    tr909192 Member HowtoForge Supporter

    Yes, your guess is right. We have created the hostname on the control panel because we generally need to put some web tool there that should be accessible from the server itself.
    Code:
    most likely we will have to add some code that figures out when a website is created for the hostname and let it reuse the ispconfig cert from
    /usr/local/ispconfig/interface/ssl/ folder instead of creating a new one in the website's SSL folder (which then breaks the renewal for the ISPConfig SSL cert as acme.sh is not able to copy certs to two folders automatically).
    
    Yes, I think that could be a good solution.
    For now I have solved it with the above-mentioned symlinks, and it seems to work.
     
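The failure mode discussed in this thread (a regular-file copy in /usr/local/ispconfig/interface/ssl/ that no longer receives renewed certs) can be detected before the served certificate expires. The shell check below is an added example, not part of any post and not ISPConfig or acme.sh code; `HOST_FQDN`, `ACME_CRT`, `ACME_KEY` and the function names are assumptions.

```shell
#!/bin/sh
# Added example: detect a stale ISPConfig interface cert/key.
# IFACE_DIR is the path from the thread. HOST_FQDN is a placeholder, and
# ACME_CRT/ACME_KEY must point at whichever acme.sh files your install
# deploys (assumption; defaults mirror the symlink targets in the thread).
HOST_FQDN="${HOST_FQDN:-host.example.com}"
IFACE_DIR="${IFACE_DIR:-/usr/local/ispconfig/interface/ssl}"
ACME_CRT="${ACME_CRT:-/root/.acme.sh/$HOST_FQDN/$HOST_FQDN.cer}"
ACME_KEY="${ACME_KEY:-/root/.acme.sh/$HOST_FQDN/$HOST_FQDN.key}"

# cert_state DEPLOYED SOURCE
# Prints: missing | symlink-ok | symlink-elsewhere | copy-in-sync | copy-stale
# Returns 0 when DEPLOYED currently carries the same content as SOURCE.
cert_state() {
    cs_dep=$1; cs_src=$2
    # -e follows symlinks, so a dangling link is reported as missing.
    if [ ! -e "$cs_dep" ] || [ ! -e "$cs_src" ]; then
        echo missing; return 2
    fi
    if [ -L "$cs_dep" ]; then
        # A symlink only helps if it resolves to the file acme.sh renews.
        if [ "$(readlink -f "$cs_dep")" = "$(readlink -f "$cs_src")" ]; then
            echo symlink-ok; return 0
        fi
        echo symlink-elsewhere; return 1
    fi
    # Regular file: must be byte-identical to what acme.sh last issued.
    if cmp -s "$cs_dep" "$cs_src"; then
        echo copy-in-sync; return 0
    fi
    echo copy-stale; return 1
}

# Check both files the vhost references; non-zero if either has drifted.
check_interface() {
    ci_rc=0
    for ci_pair in "ispserver.crt:$ACME_CRT" "ispserver.key:$ACME_KEY"; do
        ci_name=${ci_pair%%:*}; ci_src=${ci_pair#*:}
        ci_state=$(cert_state "$IFACE_DIR/$ci_name" "$ci_src") || ci_rc=1
        echo "$ci_name: $ci_state"
    done
    return $ci_rc
}

# Run as: ./check-ispconfig-cert.sh --check   (script name is hypothetical)
if [ "${1:-}" = "--check" ]; then check_interface; exit $?; fi
```

A `copy-stale` result on `ispserver.crt` after a renewal is the condition described in the thread: acme.sh issued a new cert, but the interface still serves the old copy.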
