Let's Encrypt 2 ISPConfig

Discussion in 'Tips/Tricks/Mods' started by sjau, Oct 28, 2015.

  1. sjau

    sjau Local Meanie Moderator

    There's a topic in the feature request about making ISPConfig and Let's Encrypt work together.
    I posted there a script that I developed - until Till and the other devs include that functionality -. The script is rather simple to use and, to keep it uncluttered from the other thread, I have now made a git repo for it. Improvements are welcome :)

    The repo can be found here: https://github.com/sjau/le2ispc
     
  2. sjau

    sjau Local Meanie Moderator

    Just added a config option to switch between apache/nginx
     
  3. sjau

    sjau Local Meanie Moderator

    Added another check whether the domain entry is set to "www". If so, it'll make a SAN cert for domain.tld and www.domain.tld.

    Unfortunately wildcard domains aren't supported (yet) by LE.
     
  4. Nemis

    Nemis Member

    I don't see
    Code:
    --server https://acme-v01.api.letsencrypt.org/directory 
    in your script; are you not on the beta test whitelist?
     
  5. sjau

    sjau Local Meanie Moderator

    This is not for beta :) Add it if you're in beta :)
     
  6. Nemis

    Nemis Member

    I'm on beta and have a real LE SSL cert,
    manual mode because on nginx letsencrypt-auto.sh doesn't work well; you need to stop the webserver + generate ssl + restart the webserver...
    When beta finishes maybe they'll change the script to include the acme server, or maybe not.
    Other 2 cents: "'added_date' => $domainInfo['added_date']," would be better with the real date, not the old one picked up from the db ...

    BUT I think it is better to wait some more days for the final release before trying to think how to add it to ispconfig.
     
  7. sjau

    sjau Local Meanie Moderator

    You really have to stop the webserver with nginx? Well, I have no clue what they actually do. I thought they would just add a special vhost file for the domains you've given.
     
  8. Nemis

    Nemis Member

    In manual mode letsencrypt-auto starts a webserver, exposes some data to the LE server to check identity, saves the ssl, shuts down the webserver. Done.
    But if someone (like me) has only nginx installed as webserver, you can't have 2 nginx sessions, so the script fails. But... it's in beta. It is written on the LE site that the nginx plugin is not working.

    edit: use the git version dated 28 October

    edit2: other people on the LE community have stopped apache / run LE-auto / started apache, so you have to use the webroot plugin.
     
    Last edited: Nov 3, 2015
  9. mccharlet

    mccharlet Member HowtoForge Supporter

    Hi,

    Very nice.

    How to use it for multiple domains?
    I would like a SAN certificate with all domains hosted on my isp server

    Best regards
     
  10. sjau

    sjau Local Meanie Moderator

    You'd have to chain:
    Code:
    --domains domain.tld --domains www.domain.tld --domains otherdomain.tld --domains www.otherdomain.tld
    
    etc...
     
  11. Nemis

    Nemis Member

    OK, the webroot method works without stopping nginx.
    On ISPConfig - Web Domain - Options, under nginx snippet, I added
    Code:
    location /.well-known/acme-challenge {
        location ~ /.well-known/acme-challenge/(.*) {
            allow all;
            add_header Content-Type "text/plain";
        }
    }
    then I made a script to call the LE client as:
    (I git cloned under /opt/letsencrypt and my domain.tld is whitelisted for acme-v01.api; edit domain.tld)
    Code:
    /opt/letsencrypt/letsencrypt-auto \
      --agree-dev-preview \
      --server https://acme-v01.api.letsencrypt.org/directory \
      --renew-by-default \
      -a webroot \
      --webroot-path /var/www/domain.tld/web \
      --email [email protected] \
      --verbose \
      --text \
      -d domain.tld \
      -d www.domain.tld \
      certonly
    
    then overwrite (this point needs to be automated by ISP)
    /var/www/clients/clientN/webN/ssl/domain.tld.crt with /etc/letsencrypt/live/domain.tld/fullchain.pem
    and domain.tld.key with privkey.pem

    Just 2 cents, I added LE's ssl to dovecot also with
    Code:
    local_name imap.domain.tld {
      ssl_cert = </etc/letsencrypt/live/domain.tld/fullchain.pem
      ssl_key = </etc/letsencrypt/live/domain.tld/privkey.pem
    }
    
    but I don't know how to check if it uses this or the selfsigned
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    :)
     
    Last edited: Nov 6, 2015
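One way to answer the question of which certificate dovecot actually presents, and to sanity-check the LE files before copying them over ISPConfig's domain.tld.crt/.key, as an added example that is not from the thread or le2ispc; it assumes openssl is installed, and imap.domain.tld and the file paths are placeholders:

```shell
#!/bin/sh
# Added example (not from the thread or le2ispc): checks to run before copying
# /etc/letsencrypt/live/<domain>/fullchain.pem and privkey.pem over ISPConfig's
# domain.tld.crt/.key, plus a check of which certificate a running TLS service
# (e.g. dovecot on 993) really presents. Assumes openssl is installed.

# SHA-256 fingerprint of the first certificate in a PEM file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Returns 0 if the private key belongs to the certificate (public keys match)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Returns 0 if the certificate stays valid for at least $2 seconds (default 7 days)
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "${2:-604800}" >/dev/null
}

# Fingerprint of the certificate a live service presents for an SNI name,
# e.g. served_fingerprint imap.domain.tld 993 (placeholder host); compare the
# result with cert_fingerprint on fullchain.pem to see if LE or the
# self-signed smtpd.cert is in use.
served_fingerprint() {
    printf '' | openssl s_client -servername "$1" -connect "$1:$2" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# All local checks on a cert/key pair; fails instead of installing a bad pair
install_check() {
    cert_matches_key "$1" "$2" || { echo "key does not match certificate" >&2; return 1; }
    cert_valid_for "$1" || { echo "certificate expires within 7 days" >&2; return 1; }
    echo "ok: $(cert_fingerprint "$1")"
}
```

Run `install_check fullchain.pem privkey.pem` before the overwrite step, and compare `served_fingerprint imap.domain.tld 993` against `cert_fingerprint fullchain.pem` after reloading dovecot.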
  12. sjau

    sjau Local Meanie Moderator

    nemis:

    In nginx if you enable ssl vhost, what do the non-ssl and ssl one look like and where can they be found?
     
  13. sjau

    sjau Local Meanie Moderator

    Ok, I changed the authentication to webroot now and I think I made it work for apache and nginx.
    Apache is simpler, as I can just write a global config file and enable it (and load the header and rewrite modules).

    In nginx I have to add the directives to every server stanza. Since I don't run nginx, could someone please check if that's right.

    Current script here:
    https://github.com/sjau/le2ispc
     
  14. Nemis

    Nemis Member

    vhost here:
    /etc/nginx/sites-available/[domain.tld].vhost
    I use
    Code:
    server {
      listen *:80;
      listen *:443 ssl;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
      ssl_certificate /var/www/clients/clientN/webN/ssl/domain.tld.crt;
      ssl_certificate_key /var/www/clients/clientN/webN/ssl/domain.tld.key;
      server_name domain.tld www.domain.tld;
      root  /var/www/domain.tld/web;
    }
    
    and it auto switches to https
     
  15. sjau

    sjau Local Meanie Moderator

    Hmmm, interesting
     
  16. Nemis

    Nemis Member

    If not in beta, line 22: #$beta will give an error in line 104:
    PHP Notice: Undefined variable: beta in /home/marco/le2ispc/le2ispc on line 104
    After a fast fix, removing the variable, I fall into my (I think I'm the only one who has this) bug
    https://community.letsencrypt.org/t...sencrpt-letsencrpt-auto-py26reqs-txt-bug/3196

    edit: also change
    line 13: $server["soap_uri"] = "https://ispc.domain.tld:8080/remote/";
    to $server["soap_uri"] = "https://localhost:8080/remote/";

    edit2: ok, it WORKS :)
    I launch your script from /opt/letsencrypt
    Code:
    root@___:/opt/letsencrypt# /home/nemis/le2ispc/le2ispc  __________.com
    1. Get the domain name.
    2. Query MySQL whether it's a vhost.
    4. Run Let's Encrypt Tool
    5. Read SSL info into vars.
    6. Insert SSL info via API.
    Added SSL Certs to _________.com'
    
    edit3: I had a snippet for well-known acme-challenge, your script added a new one.
    So now I'm not sure if it works because of my snippet or works with yours without restarting nginx,
    other tests follow

    edit4:
    http://bugtracker.ispconfig.org/ind...asks=&due=64&status[0]=&order=votes&sort=desc -->
    https://github.com/alexalouit/ISPConfig-letsencrypt <<-- look here
     
    Last edited: Nov 16, 2015
  17. The Other Air Force

    The Other Air Force New Member

    The patch looks great and I just installed it from git. When I ran php -q install.php everything patched except ISPConfig. I didn't receive any errors from the installer. When I checked the files that were supposed to be patched in the ISPConfig directory they didn't have the changes made in them. The ispconfig.patch file was copied to the ISPConfig directory by the installer. I ran patch -p3 < ./ispconfig.patch from the command line and the files were successfully patched. But I did get the following at the end:
    Code:
    ...
    patching file server/plugins-available/nginx_plugin.inc.php
    patch unexpectedly ends in middle of line
    Hunk #1 succeeded at 1102 with fuzz 1
    
    Not sure if the unexpectedly ends message is an issue or not.

    I'll let you know if it works on my whitelisted beta domain.

    Edit: Just an update. All seems to be working well!
     
    Last edited: Nov 21, 2015
  18. Nemis

    Nemis Member

    Are you on apache?
    Because in nginx.conf.patch "default_type application/jose+json" is deprecated
     
  19. vikozo

    vikozo New Member

  20. Nemis

    Nemis Member

    Yes, taken from the ispconfig DB, same data, and then put back in the DB.
     