Let's Encrypt renewal after upgrade

Discussion in 'Installation/Configuration' started by afonic, Oct 24, 2016.

  1. afonic

    afonic New Member

    Hello,

    A have a (simple) question: I have updated from ISPconfig 3.0.x to 3.1 and I've installed Let's Encrypt as described at the HOWTO guide.

    Will ISPconfig take care of cert renewals or do I also have to setup a cronjob?

    Thanks in advance.
     
    afonic, Oct 24, 2016
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPconfig takes care to renew letsencrypt certs that you created in ispconfig 3.1.
     
    till, Oct 24, 2016
    #2
  3. afonic

    afonic New Member

    Thanks a lot for the reply!
     
    afonic, Oct 25, 2016
    #3
  4. LyrX

    LyrX New Member

    Another question.
    How does this renew happen?
    For pureftpd i need a really fullchain which you cant get from letsencrypt. You have to create it by yourself with cat. There is a
    RENEW_HOOK in certbot, which could be usefull for this.
    Another option would be just die renew the fullchain every 7 days with a cron and dont care about if the certs did really change.
    What do you think or how do you do this?
     
    LyrX, Nov 22, 2016
    #4
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    I was going to take the latter approach (blindly rebuild fullchain in cron) as an interim measure. I believe there's a rfe to add letsencrypt support for the "full" control panel (ispconfig interface, mail services and ftp should be included).
     
    Jesse Norell, Nov 22, 2016
    #5
    LyrX likes this.
  6. sjau

    sjau Local Meanie Moderator

    Hmmm, you could also use a different client. I'm using acme.sh at the moment and writing a plugin to use ISPConfig API for DNS-01 challenge.
    The good thing about acme.sh is that it has a three step process.
    1. Get the certs
    2. Install/Copy the files where you want them...
    3. Run some commands (e.g. reload server)
    All those steps are then saved in a config.
    In the 3. step you could be able to cat the files to where you want them and restart/reload pureftpd

    Just as example I give you the config file for my cp/mail certs:
    Code:
    Le_Domain="manager.roleplayer.org"
Le_Alt="mail.roleplayer.org,mail.otherdomain.tld,mail.xxxdomain.tld"
Le_Webroot="/var/www"
Le_PreHook=""
Le_PostHook=""
Le_RenewHook=""
Le_LocalAddress=""
Le_API="https://acme-v01.api.letsencrypt.org"
Le_Keylength="4096"
Le_LinkCert="https://acme-v01.api.letsencrypt.org/acme/cert/xxx"
Le_LinkIssuer="https://acme-v01.api.letsencrypt.org/acme/issuer-cert"
Le_CertCreateTime="1475832597"
Le_CertCreateTimeStr="Fri Oct  7 09:29:57 UTC 2016"
Le_NextRenewTimeStr="Tue Dec  6 09:29:57 UTC 2016"
Le_NextRenewTime="1480930197"
Le_RealCertPath="/usr/local/ispconfig/interface/ssl/ispserver.crt"
Le_RealCACertPath=""
Le_RealKeyPath="/usr/local/ispconfig/interface/ssl/ispserver.key"
Le_ReloadCmd="systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
Le_RealFullChainPath="/usr/local/ispconfig/interface/ssl/ispserver.bundle"
    I think the ReloadCmd could be abused to cat the certs into one file.
     
    sjau, Nov 22, 2016
    #6
    LyrX likes this.
  7. LyrX

    LyrX New Member

    Thanks! I added a cron witch is executed at 5am every day.
    Excuse me but what does "rfe" mean?
     
    LyrX, Nov 22, 2016
    #7
  8. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    request for enhancement, aka feature request.
     
    Jesse Norell, Nov 23, 2016
    #8

Share This Page