Hi there, I'm trying to create a Let's Encrypt SSL certificate within ISPConfig (or with the command line). But the domain I want a certificate for has approx. 180 domain aliases (all of them redirect to the main domain). But Let's Encrypt fails if a certificate has more than 100 domains... How to get a Let's Encrypt certificate only for the main domain? I tried to launch certbot manually to get the certificate for the main domain only, but I got this error:
Code:
    Deploying Certificate for XXX to VirtualHost /etc/apache2/sites-available/XXX.vhost.err-le-ssl.conf
    Error while running apache2ctl configtest.
    Action 'configtest' failed.
    The Apache error log may have more information.
    Syntax error on line 169 of /etc/apache2/sites-enabled/XXX.vhost.err-le-ssl.conf:
    FastCgiExternalServer: redefinition of previously defined class "/var/www/clients/client1/web2/cgi-bin/php5-fcgi-*-80-XXX"
    Rolling back to previous server configuration...
Is there someone to help me? Thanks!
Certbot and LE are not able to edit complex Apache config files properly; that's what causes the above error. Make sure to delete the file /etc/apache2/sites-available/XXX.vhost.err-le-ssl.conf if it still exists, as it will block ISPConfig from working too. Take a look at the commands that @SpudMuffin used here to create a cert manually without letting LE change any config files: https://www.howtoforge.com/communit...orking-centos-7-4-perfect-server-guide.77335/
@till: thanks! Actually, the certificate is created, I can see it in /etc/letsencrypt/live/. Now my problem is to create/change/edit my Apache conf file to integrate the SSL config... I'm not comfortable with SSL Apache config... Right now, accessing the server with https uses the ISPConfig certificate, which is not good because I want a certificate for all primary domains my server is hosting. Do I have to duplicate my current .conf file and add the right options for VirtualHost XXX:443? Is the XXX.conf for :80 also used when accessed with :443 (= must the SSL config be complete, or is the :80 config used)? If I have to duplicate my conf file, how do I keep the PHP-FPM extension working (especially without breaking ISPConfig, because the server hosts several other sites, so I want to keep ISPConfig's great help!)? Sorry about my newbie-style questions, I'm quite confused with SSL config. @HSorgYves: yes, the Apache config file is 1400+ lines, not very easy to read. But because it's only redirections to the primary domain, it's not that complicated!
Why don't you use the Let's Encrypt feature of ISPConfig? It would include all aliases in the cert as well and manage your configuration files too...
Because (see my first post), unfortunately, the ISPConfig feature tries to embed all domain aliases redirecting to the site, and certificates are limited to 100 names max. I could suspend all aliases to get the certificate and re-enable them, but I don't want to do that manual process every 3 months...
And also, on a simpler site (without aliases), the process failed because of the php-fpm config, the same way as when I tried to run certbot manually on my site with so many aliases.
Did you solve this yet? I was thinking to suggest the use of vhost aliases instead of normal aliases. You have to enable vhost aliases first before you can use them, at ISPC > System > Main Config. As aliasdomains created via ISPC are then considered web sites, you may get away from the 100-alias limit without worrying about their LE SSL renewal, since ISPC should be able to perform that task. Just a thought...
I guess we should add a few lines of code in ISPConfig to add the first 100 domains only so that you get at least a cert for the main domain plus the first 99 aliases.
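As an added example (not code from this thread, from ISPConfig or from certbot's own tooling), the following POSIX shell script builds the manual certbot command implied by the advice above: it takes the main domain plus at most 99 aliases, so the request stays under Let's Encrypt's 100-names-per-certificate limit, and uses the webroot authenticator so certbot never rewrites the Apache vhost. The alias file, the webroot path /var/www/clients/client1/web2/web and the example.net names are assumptions made for the demonstration; the certbot flags (certonly, --webroot, -w, -d, --cert-name, --dry-run) are real.

```shell
#!/bin/sh
# Added example, not from the thread: build a "certbot certonly" command for the
# main domain plus at most 99 aliases (100 names is the Let's Encrypt per-cert
# limit) without letting certbot touch the Apache configuration.
# Assumptions (hypothetical): aliases are listed one per line in a file, and the
# HTTP-01 challenge webroot is the site's document root.

LE_MAX_NAMES=100

# Print "-d name " arguments: the main domain first, then aliases until the cap.
le_domain_flags() {
    main="$1"
    alias_file="$2"
    printf -- '-d %s ' "$main"
    n=1                                   # the main domain is name number 1
    while IFS= read -r name; do
        [ -z "$name" ] && continue        # skip blank lines
        [ "$name" = "$main" ] && continue # never list the main domain twice
        [ "$n" -ge "$LE_MAX_NAMES" ] && break
        printf -- '-d %s ' "$name"
        n=$((n + 1))
    done < "$alias_file"
}

# Count how many names a flag list contains (one "-d" per name).
le_name_count() {
    set -- $1
    count=0
    while [ "$#" -gt 0 ]; do
        [ "$1" = "-d" ] && count=$((count + 1))
        shift
    done
    echo "$count"
}

# Assemble the command. "certonly --webroot" only writes under /etc/letsencrypt
# and the challenge directory; --cert-name keeps renewals on one lineage.
# --dry-run hits the staging CA; drop it for the real issuance.
le_certbot_cmd() {
    main="$1"
    alias_file="$2"
    webroot="$3"
    flags=$(le_domain_flags "$main" "$alias_file")
    echo "certbot certonly --webroot -w $webroot --cert-name $main $flags --dry-run"
}

# Demo with a constructed alias list of 180 names (not real domains).
demo_alias_file=$(mktemp)
i=1
while [ "$i" -le 180 ]; do
    echo "alias$i.example.net" >> "$demo_alias_file"
    i=$((i + 1))
done
le_certbot_cmd example.net "$demo_alias_file" /var/www/clients/client1/web2/web
rm -f "$demo_alias_file"
```

Run the printed command once with --dry-run, then without it; the resulting files land in /etc/letsencrypt/live/<main domain>/ (the directory the next reply mentions), and `certbot renew` reuses the same name list, so the 100-name cap is enforced at issuance rather than on every renewal.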
Thanks @ahrasis! Not solved yet... I haven't seen any "vhost aliases" in ISPConfig... but as you described it, it would help me! Is this the "Create aliasdomains as web site" option? It could be great, but my interface (and config files) will be flooded. OK, if I have to choose between "comfort" and "it works", the choice becomes easy. I keep on searching to solve my other problem (php-fpm)... I'm not finding much help because I use Apache and not Nginx...
Or better, an option to choose the cert for the main domain only. Or even better, add the ability to choose which domains to include in the cert. But whatever solution is chosen, it would be great!
If you enable SSL for fewer than 100, then all should be included IMHO. @till: When you touch that code, maybe think about the wildcard certificates that Let's Encrypt will start supporting in January 2018.
As far as I know, you can't use wildcards with domain based auth as we use it now, so that's nothing that we can implement easily. Wildcards require DNS based auth and that's not implemented at all yet.
If the DNS is hosted by ISPC then wildcard support is easy... I've been using DNS-01 with ISPConfig and acme.sh for quite a while now.
By the way, I succeeded in solving my problems. I manually created certs with certbot. As I wanted to redirect all traffic to https, I changed my Apache conf file to redirect all *:80 to *:443, moving most of the :80 config to :443, so the FPM config has not changed... Although, I ran some tests to get the same FPM pool used by 2 virtual hosts, and I found the solution. Here was a standard FPM definition for the :80 virtual host:
Code:
    Action php5-fcgi /php5-fcgi
    Alias /php5-fcgi /usr/lib/cgi-bin/php5-fcgi_testvm
    FastCgiExternalServer /usr/lib/cgi-bin/php5-fcgi_testvm -socket /var/run/php5-fpm-testvm.sock -pass-header Authorization
To use the same FPM pool in another VirtualHost (port 443 for me), you can use this config:
Code:
    Action php5-ssl-fcgi /php5-ssl-fcgi
    Alias /php5-ssl-fcgi /usr/lib/cgi-bin/php5-ssl-fcgi_testvm
    FastCgiExternalServer /usr/lib/cgi-bin/php5-ssl-fcgi_testvm -socket /var/run/php5-fpm-testvm.sock -pass-header Authorization
It's just about renaming the alias (the action too, but I'm not sure that's mandatory). Thanks all for your help!
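Putting the approach from the last post into a complete vhost pair, as an added example that is neither the thread author's configuration nor an ISPConfig-generated file: a POSIX shell script that emits a *:80 vhost which only redirects to https and a *:443 vhost that serves the site with the Let's Encrypt certificate and reuses the same PHP-FPM socket under a renamed FastCGI alias, plus a check that flags the duplicate FastCgiExternalServer path behind the "redefinition of previously defined class" error from the first post. The domain, document root, socket path and the sites-available file name are assumptions; the certificate file names follow certbot's /etc/letsencrypt/live/<domain>/ layout.

```shell
#!/bin/sh
# Added example, not the thread author's config: emit an Apache vhost pair in
# which *:80 only redirects to https and *:443 serves the site with the
# Let's Encrypt certificate, reusing the same PHP-FPM socket under a FastCGI
# alias name that differs from the one in the existing :80 definition.
# Assumptions (hypothetical): domain, document root and socket path are passed
# in; certificate paths follow certbot's /etc/letsencrypt/live/<domain>/ layout.

ssl_vhost_config() {
    domain="$1"; docroot="$2"; fpm_socket="$3"
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    # Send every plain-http request to https; nothing else is served here.
    Redirect permanent / https://$domain/
</VirtualHost>

<VirtualHost *:443>
    ServerName $domain
    DocumentRoot $docroot
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/$domain/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/$domain/privkey.pem

    # Same PHP-FPM pool as the :80 definition, but the Action/Alias names and
    # the FastCgiExternalServer path must be unique across all loaded vhosts:
    # defining the same path twice is the "redefinition of previously defined
    # class" error that made configtest fail.
    Action php5-ssl-fcgi /php5-ssl-fcgi
    Alias /php5-ssl-fcgi /usr/lib/cgi-bin/php5-ssl-fcgi_$domain
    FastCgiExternalServer /usr/lib/cgi-bin/php5-ssl-fcgi_$domain -socket $fpm_socket -pass-header Authorization
    <Directory "$docroot">
        AllowOverride All
        Require all granted
    </Directory>
</VirtualHost>
EOF
}

# List FastCgiExternalServer paths defined more than once across the given
# files: a non-empty result means apache2ctl configtest will refuse the config.
duplicate_fcgi_servers() {
    cat "$@" | awk '$1 == "FastCgiExternalServer" { print $2 }' | sort | uniq -d
}

# Write the vhost, check for duplicate FastCGI definitions against the other
# enabled vhosts, then run configtest if Apache is installed. Removes the new
# file again on failure instead of leaving Apache unable to start.
install_ssl_vhost() {
    domain="$1"; docroot="$2"; fpm_socket="$3"
    target="/etc/apache2/sites-available/$domain-ssl.conf"   # assumed file name
    ssl_vhost_config "$domain" "$docroot" "$fpm_socket" > "$target" || return 1
    dups=$(duplicate_fcgi_servers "$target" /etc/apache2/sites-enabled/*)
    if [ -n "$dups" ]; then
        echo "duplicate FastCgiExternalServer path(s): $dups" >&2
        rm -f "$target"
        return 1
    fi
    if command -v apache2ctl >/dev/null 2>&1; then
        apache2ctl configtest || { rm -f "$target"; return 1; }
    fi
}

# Demo with constructed values; prints the generated vhost without installing it.
ssl_vhost_config testvm.example.net /var/www/clients/client1/web2/web /var/run/php5-fpm-testvm.sock
```

Because the :80 vhost here contains no FastCGI definition at all, the rename only matters when another enabled vhost (for instance the one ISPConfig keeps generating) still defines /php5-fcgi for the same site; `duplicate_fcgi_servers` catches that case before configtest does, and `install_ssl_vhost` backs the file out rather than rolling back the whole server configuration the way certbot's Apache plugin had to.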