Letsencrypt: automated DNS-01 challenge for ISPC 3.1

Discussion in 'Tips/Tricks/Mods' started by sjau, Nov 25, 2016.

  1. sjau

    sjau Local Meanie Moderator

    Hi there

    I just wanted to let you know that the alternate LE client "acme.sh" has now a dns api plugin that will allow to issue certs through the DNS-01 challenge. This can be for useful for getting certs with no according webpage. E.g. you could request a cert for smtp.domain.tld and imap.domain.tld while not having those or if you host DNS for (sub)domains that aren't accessible from the internet...

    However the DNS must be hosted by ISPC 3.1 and be publicily available.

    Basic operation:
    1. Add remote user to ISPC that has access to DNS zone function and DNS txt function
    2. Install acme.sh
    3. Export remote api info by issuing:
    export ISPC_User="user"
    export ISPC_Password="password"
    export ISPC_Api="https://ispc.domain.tld:8080/remote/json.php"
    export ISPC_Api_Insecure=1
    The data will be stored in ~/.acme.sh/account.conf
    Note: The Insecure option is whether to verify the SSL cert or not. If you already have proper SSL Certs for your config panel, then you can set it to 0.
    4. Request a cert by issuing:
    acme.sh --issue --dns dns_ispconfig -d smtp.domain.tld -d imap.domain.tld -d private.domain.tld
    There are further options like
    -- test for using staging server so you won't hit the limit while testing
    --keylength 4096 for a 4096bit cert
    --keylength ec-256 (or ec-384) for requesting ECDSA certs with 256 or 384 bit)
    There is one drawback however: acme.sh has a 120 seconds wait period so that the according servers can write out the altered zone files.
    5. Certs are stored in ~/.acme.sh/domain.tld if the advance installation routine with different folders wasn't used
    6. Finally, you can issue a command for installation of the certs like:
    acme.sh --installcert -d example.com \
    --certpath /path/to/certfile/in/apache/cert.pem \
    --keypath /path/to/keyfile/in/apache/key.pem \
    --fullchainpath /path/to/fullchain/certfile/apache/fullchain.pem \
    --reloadcmd "service apache2 restart"
    When I got LE certs for ISPC Interface and vanity mailserver certs (mail.domain.tld, not splitting up into smtp/imap) I used this:
    acme.sh --installcert -d manager.roleplayer.org \
    --certpath /usr/local/ispconfig/interface/ssl/ispserver.crt \
    --keypath /usr/local/ispconfig/interface/ssl/ispserver.key \
    --fullchainpath /usr/local/ispconfig/interface/ssl/ispserver.bundle \
    --reloadcmd "systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix"
    In Postfix I have:
    smtpd_tls_cert_file = /usr/local/ispconfig/interface/ssl/ispserver.bundle
    smtpd_tls_key_file = /usr/local/ispconfig/interface/ssl/ispserver.key
    In Dovecot I have:
    ssl_cert = </usr/local/ispconfig/interface/ssl/ispserver.bundle
    ssl_key = </usr/local/ispconfig/interface/ssl/ispserver.key
    For some reasons, Dovecot didn't seem to re-read the new certs with just a reload command, hence I had to use the restart command above.
    Last edited: Dec 9, 2016
    ahrasis, Thaddeus, soho and 2 others like this.
  2. sjau

    sjau Local Meanie Moderator

    Pondering if I should make a small howto out of it.
  3. soho

    soho Member

    Likely to help many people.
  4. chico11mbit

    chico11mbit Member

    A "how to" would be very fine. i don't understand where to put the commands in basic instructions part 3.
  5. sjau

    sjau Local Meanie Moderator

    on the machine where you have acme.sh installed because of DNS-01, every computer that can run bash can request a cert through the DNS-01 method. All you need to do is first provide the login data for the remote api (export commands) and then request a cert.
  6. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    In looking at this method (acme.sh talking to ispconfig remote api), it appears there is no way to restrict an api user to specific zones, is that correct? Ie. it would not work to allow a client to use this method to maintain their own dns zone, because they would have access to all other zones as well?
    ahrasis likes this.
  7. sjau

    sjau Local Meanie Moderator

    That is correct.
  8. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

Share This Page