No, this only works for subdomains created as "Subdomain" or "Aliasdomain" in ISPC, not for subdomains created as a separate "Website".
Because of the subdomain question yesterday, I have now added a check to auto-add subdomains as well. This works if you create a subdomain in ISPC as a subdomain and not just use something like sub.domain.tld to create a new website.
Another question, sjau: the email address for the domain will depend on the domain. I think that could be retrieved from the DNS record, or possibly from the matching email domain, though there may be many email addresses for the domain and we would need to pick the right one? I don't think the client's email address is suitable as they may have multiple domains. Otherwise, it would need to be manually configured. I've written some code that extracts emails from all the possible sources for the domain passed into the script. Suggested priority: 1) DNS mbox record (if the zone exists on the server), 2) first email account for the domain (if it exists), 3) client email address (if it exists)? 4) ???? Some other source? What would be the priority? Any comments?
Since clients can't run that as root, the admin of the box should get the reminder if something's not working. Hence I don't extract the client email for this. It might be different with the official LE integration into ISPC.
There is a small problem with sub-domains. The implementation in ISPConfig using the rewrite rule prevents access to /.well-known.
I'm trying to use Apache Directive snippets. I've managed to get the redirect working, but LE doesn't like how I did it, so it's still not working. I think the problem is that I'm actually rewriting to the parent domain:
Code:
RewriteCond %{HTTP_HOST} ^subdomain\.domain\.com$ [NC]
RewriteCond %{REQUEST_URI} ^/.well-known$
RewriteRule . http://domain.com/.well-known [L]
I'm about to adjust the RewriteRule using a normal rewrite.
One solution is to modify the default rewrite rules that are installed when the subdomain is added by adding an extra condition:
Code:
RewriteCond %{REQUEST_URI} !^/\.well-known
I'm still trying to figure out a way that will work through the Apache Directive snippets.
Another option that also works is to place a symlink in the root folder of the subdomain that points to the .well-known directory:
Code:
ln -s /var/www/letsencrypt/.well-known/ .well-known
I could not get a rewrite rule snippet that follows on from the standard sub-domain rewrite to work, so I've given up on this approach. The other two options above do work. Whilst the symlink can be installed without any modifications to ISPConfig's software or data, since I'm using LE, my preferred option is to modify /server/conf/vhost.conf.master and add RewriteCond %{REQUEST_URI} !^/\.well-known to the default rules. But others wouldn't want this.
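A way to catch exactly this problem before a certificate request fails, as an added example (my own script, not part of the thread and not ISPConfig code): it lints an Apache vhost file for catch-all RewriteRules that have no preceding RewriteCond excluding /.well-known, which is what the extra condition above fixes. The two vhost fragments it writes are constructed to imitate the subdomain redirect discussed here; ISPConfig's real template may differ in detail.

```shell
#!/bin/sh
# Added example, not ISPConfig code: report catch-all RewriteRules in an
# Apache vhost file that would also redirect ACME HTTP-01 requests for
# /.well-known/acme-challenge/ away from the web root.

# lint_wellknown FILE
# Prints "FILE:LINE: rule" for every RewriteRule that is not preceded by a
# RewriteCond excluding /.well-known. Rules that only forbid access
# ("- [F]", as in a dotfile-blocking snippet) are not redirects and are
# skipped. Exit status 1 when at least one rule was flagged, else 0.
lint_wellknown() {
    awk '
        /^[[:space:]]*#/ { next }                 # comment line
        /^[[:space:]]*$/ { next }                 # blank line
        /^[[:space:]]*RewriteCond[[:space:]]/ {
            # a negated REQUEST_URI condition mentioning well-known protects
            # the RewriteRule that ends this condition group
            if ($0 ~ /REQUEST_URI.*![^ ]*well-known/) safe = 1
            next
        }
        /^[[:space:]]*RewriteRule[[:space:]]/ {
            if (!safe && $0 !~ /[[:space:]]-[[:space:]]*\[F\]/) {
                print FILENAME ":" NR ": " $0
                bad = 1
            }
            safe = 0                              # the group is consumed
            next
        }
        { safe = 0 }                              # any other directive ends the group
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# write_samples DIR
# Creates two constructed vhost fragments (they imitate the subdomain
# redirect discussed in the thread, not ISPConfig's exact template).
write_samples() {
    cat > "$1/unsafe.conf" <<'EOF'
<VirtualHost *:80>
    ServerName sub.example.tld
    RewriteEngine On
    # redirect the subdomain to its parent site; /.well-known goes along
    RewriteCond %{HTTP_HOST} ^sub\.example\.tld$ [NC]
    RewriteRule ^/(.*)$ http://example.tld/$1 [R=301,L]
</VirtualHost>
EOF
    cat > "$1/safe.conf" <<'EOF'
<VirtualHost *:80>
    ServerName sub.example.tld
    RewriteEngine On
    # same redirect with the extra condition proposed in the thread
    RewriteCond %{HTTP_HOST} ^sub\.example\.tld$ [NC]
    RewriteCond %{REQUEST_URI} !^/\.well-known
    RewriteRule ^/(.*)$ http://example.tld/$1 [R=301,L]
    # server-wide dotfile block with its own .well-known exception
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</VirtualHost>
EOF
}

# Stand-alone run: lint both samples.
demo=$(mktemp -d)
write_samples "$demo"
for f in "$demo"/unsafe.conf "$demo"/safe.conf; do
    if lint_wellknown "$f"; then
        echo "$f: ok"
    else
        echo "$f: catch-all redirect without /.well-known exception"
    fi
done
rm -rf "$demo"
```

Point it at the generated vhost (`lint_wellknown /etc/apache2/sites-available/sub.example.tld.vhost`) after each ISPConfig change, or at vhost.conf.master if you edit the template. It only understands mod_rewrite; a plain `Redirect permanent /` directive also sends /.well-known away and has to be checked separately.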
Btw, here's another little snippet that I use: https://paste.simplylinux.ch/view/7b81ca23
I set dovecot and postfix to use the SAN. I have no viable way to read out all the mail domain MX entries thingies... so I made the manual list in the bash file since it doesn't change often. Then of course add/alter entries in the postfix main.cf file like:
Code:
smtpd_tls_cert_file = /etc/ispcSSL/live/server.name.tld/fullchain.pem
smtpd_tls_key_file = /etc/ispcSSL/live/server.name.tld/privkey.pem
and in the dovecot.conf file like this:
Code:
ssl_cert = </etc/ispcSSL/live/server.name.tld/fullchain.pem
ssl_key = </etc/ispcSSL/live/server.name.tld/privkey.pem
You can add the entries below the existing ones.
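With a manual SAN list, the thing that silently goes wrong is a mail host name that is in postfix's or dovecot's config but not in the certificate. Here is an added example (my own script, not sjau's paste and not part of ISPConfig) that checks the certificate's SAN names against the expected list and warns before expiry. The expected names and the sample openssl output in it are constructed; the certificate path follows the main.cf lines above, with server.name.tld as a placeholder.

```shell
#!/bin/sh
# Added example, not part of the thread's paste or of ISPConfig: check that a
# Let's Encrypt certificate used by postfix/dovecot carries every mail host
# name it is supposed to cover, and warn before it expires.

# Names the certificate must cover. Constructed values standing in for the
# manual list kept in the renewal script.
expected_names="mail.example.tld mail.example.org"

# Certificate path as used in the main.cf / dovecot.conf lines
# (server.name.tld is a placeholder, as in the post).
cert_file=/etc/ispcSSL/live/server.name.tld/fullchain.pem

# Constructed copy of what "openssl x509 -noout -ext subjectAltName" prints,
# so the parsing can be tried without a real certificate.
sample_san_output='X509v3 Subject Alternative Name:
    DNS:mail.example.tld, DNS:mail.example.org, DNS:smtp.example.org'

# san_names: read openssl's subjectAltName text on stdin, print one DNS
# name per line (IP: and email: entries are ignored).
san_names() {
    tr ',' '\n' | sed -n 's/.*DNS:[[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# cert_san_names FILE: SAN names of a PEM certificate (needs OpenSSL 1.1.1
# or newer for -ext; older releases can pipe "-text" through san_names).
cert_san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName | san_names
}

# served_san_names HOST PORT: SAN names of the certificate postfix actually
# presents on the wire after STARTTLS, which is what clients will judge.
served_san_names() {
    openssl s_client -connect "$1:$2" -starttls smtp -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -ext subjectAltName | san_names
}

# missing_names EXPECTED HAVE: EXPECTED is a space-separated list, HAVE is
# the newline-separated output of san_names. Prints each missing name;
# returns 1 if any is missing, 0 otherwise.
missing_names() {
    rc=0
    for name in $1; do
        if ! printf '%s\n' "$2" | grep -qixF "$name"; then
            echo "missing from certificate: $name"
            rc=1
        fi
    done
    return $rc
}

# cert_valid_for FILE DAYS: 0 if the certificate is still valid DAYS days
# from now, 1 if it expires earlier (the case a renewal reminder is for).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 ))
}

# Stand-alone run: first against the constructed sample, then, if the real
# certificate exists on this host, against that.
have=$(printf '%s\n' "$sample_san_output" | san_names)
missing_names "$expected_names" "$have" && echo "sample: all expected names present"
if [ -r "$cert_file" ]; then
    missing_names "$expected_names" "$(cert_san_names "$cert_file")" \
        && echo "$cert_file: all expected names present"
    cert_valid_for "$cert_file" 14 || echo "$cert_file: expires within 14 days, renew"
fi
```

Run it from the same cron job that renews the certificate, after the renewal step; `served_san_names mail.example.tld 25` compares what postfix actually serves, which catches a forgotten reload as well as a missing name.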
@sjau, do you use that for mail certs only, or also the ispconfig panel itself? Having those covered out of the box would be nice (e.g. the installer gives the option to obtain/use a letsencrypt certificate or create a self-signed one).
I use that for mail certs only. However, I ponder if I should use it for the ispconfig panel as well so as to not get the untrusted message every time - chromium is a pain to add self-signed certs to. Would be great if it were all handled by ISPC itself though. I just thought that since I only have a few mail domains I'd make that list manually. I just use mail.domain.tld. Others might use smtp/imap/pop/pop3.domain.tld...
Do you know what the limit is for the number of SAN names you can add? I would imagine automating that for all domains might not work on large servers. But you could have a textarea where you list the names to be added, and manually put a limited number in there, or something similar.
OK, I've now pushed a change so that Apache 2.4 uses Redirect permanent instead of mod_rewrite. It'll also check for and filter out old mod_rewrite rules. I wonder if I should add an option for HSTS as well.
I have no problems getting Let's Encrypt to create certificates for subdomains created as a web site. I use this snippet server-wide (not sure if it fixes the issues you're talking about).
Code:
# Block Access To All Hidden Files And Directories With Exceptions
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} "!(^|/)\.well-known/([^./]+./?)+$" [NC]
    RewriteCond %{SCRIPT_FILENAME} -d [OR]
    RewriteCond %{SCRIPT_FILENAME} -f
    RewriteRule "(^|/)\." - [F]
</IfModule>
Also, there has to be a www prefix in DNS for LE to issue the certificate, like www.sub.example.com.