Letsencrypt, certbot, DNS-01 challenge and bind reload problems.

Discussion in 'Installation/Configuration' started by SirAdams, May 21, 2024.

  1. SirAdams

    SirAdams New Member

    Debian 11, ISPConfig 3.2.11
    I have a problem with ISPConfig reloading DNS after I ran certbot with the DNS-01 challenge.
    Currently, DNS reloading from ISPConfig does not work and I have to issue commands from the console to refresh the zone:
    Code:
    rndc freeze
    rndc thaw
    and according to another source:
    Code:
    rndc freeze
    rndc reload
    rndc thaw
    and only after issuing rndc freeze/rndc thaw is the zone reloaded. The /etc/init.d/rndc reload command alone does not work even though I tried to add the above commands there.

    I need this solution because with this I get the certificate for *. and, besides, I have all domains in one file.

    Please give me a hint how to add these commands so that in the future, when updating ISPConfig, I will not have problems.

    At the same time, I suggest digging deeper into the topic and perhaps build into ISPConfig support for DNS challenge.

    Links to source sites:
    https://certbot-dns-rfc2136.readthedocs.io/en/stable/
    https://letsencrypt.org/docs/challenge-types/
    https://www.linuxquestions.org/ques...urnal-file-not-updating-zone-file-4175460577/
    https://unix.stackexchange.com/ques...one-file-without-restarting-the-named-service
    Last edited: May 21, 2024
  2. SirAdams

    SirAdams New Member

    For the moment I do not need full integration and modification of ISPConfig because for the sites certificates are issued with the default script. I did the certbot configuration manually using the command:
    Code:
    certbot certonly --dns-rfc2136 --dns-rfc2136-credentials /etc/bind/certbot-credentials.ini --email my@email. -d *.domain1.com -d *.domain2.com ...
    certbot updates entries dynamically in named and the only obstacle to making it work is to add, in the right place, the necessary commands that should execute when reloading named.
    Dynamic DNS update is sufficient and does not require interference with ISPConfig and the certificate is used for example with FTPS so that it can handle multiple domains.
    In the case of modifying configuration files, there is a directory /usr/local/ispconfig/server/conf-custom/ where I can insert the modified files, but I don't know how to make ispconfig execute two additional commands during reload.
    If dynamic DNS update is included then there is no need to make major changes to ISPConfig.

    For me at the moment the method described at this address https://certbot-dns-rfc2136.readthedocs.io/en/stable/ is sufficient, I just need to add somewhere these two commands so that they work together with the "rndc reload" performed by ISPConfig.
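    The certbot-dns-rfc2136 plugin reads its TSIG key from the credentials file named in the command above. Below is an added example, not from this post or from the certbot project, that checks such a file before the first run: it verifies the file is not group/world readable (certbot itself warns about that), that the plugin's documented keys (dns_rfc2136_server, dns_rfc2136_name, dns_rfc2136_secret, dns_rfc2136_algorithm) are present, that the secret is valid base64 and that the algorithm is not the obsolete HMAC-MD5. The path /etc/bind/certbot-credentials.ini is the one from the thread; the sample file contents and the demo() helper are constructed for the example.

```python
"""Sanity-check a certbot-dns-rfc2136 credentials file before relying on it.

Added example, not from the forum thread or the certbot project.  The keys
checked here are the ones the plugin documents; the sample contents written
by demo() are constructed and contain no real key material.
"""
import base64
import binascii
import configparser
import os
import stat
import tempfile

REQUIRED_KEYS = ("dns_rfc2136_server", "dns_rfc2136_name",
                 "dns_rfc2136_secret", "dns_rfc2136_algorithm")
# HMAC algorithms BIND accepts for TSIG; HMAC-MD5 is obsolete and should not be used.
ALGORITHMS = {"HMAC-SHA1", "HMAC-SHA224", "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
WEAK_ALGORITHMS = {"HMAC-MD5"}


def check_credentials(path):
    """Return a list of findings for the credentials file; an empty list means OK."""
    findings = []
    st = os.stat(path)
    # The file holds a TSIG secret that can modify zones: only the owner may read it.
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %o: credentials readable by group/other; use chmod 600"
                        % stat.S_IMODE(st.st_mode))
    with open(path) as fh:
        text = fh.read()
    # The plugin file has no section header, so prepend one for configparser.
    cp = configparser.ConfigParser()
    cp.read_string("[certbot]\n" + text)
    sect = cp["certbot"]
    for key in REQUIRED_KEYS:
        if key not in sect or not sect[key].strip():
            findings.append("missing " + key)
    secret = sect.get("dns_rfc2136_secret", "").strip()
    if secret:
        try:
            base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            findings.append("dns_rfc2136_secret is not valid base64")
    algo = sect.get("dns_rfc2136_algorithm", "").strip().upper()
    if algo in WEAK_ALGORITHMS:
        findings.append(algo + " is obsolete; regenerate the key with HMAC-SHA256 or stronger")
    elif algo and algo not in ALGORITHMS:
        findings.append("unknown algorithm " + algo)
    return findings


def demo():
    """Write a good and a bad constructed sample to a temp dir and check both.

    Returns (findings_for_good, findings_for_bad)."""
    fake_secret = base64.b64encode(b"constructed-sample-secret-not-real").decode()
    good_text = (
        "dns_rfc2136_server = 127.0.0.1\n"
        "dns_rfc2136_port = 53\n"
        "dns_rfc2136_name = certbot-key.\n"
        "dns_rfc2136_secret = %s\n"
        "dns_rfc2136_algorithm = HMAC-SHA512\n" % fake_secret)
    # Bad sample: name missing, secret not base64, obsolete algorithm, loose mode.
    bad_text = (
        "dns_rfc2136_server = 127.0.0.1\n"
        "dns_rfc2136_secret = not*base64\n"
        "dns_rfc2136_algorithm = HMAC-MD5\n")
    d = tempfile.mkdtemp()
    good = os.path.join(d, "good.ini")
    bad = os.path.join(d, "bad.ini")
    with open(good, "w") as fh:
        fh.write(good_text)
    os.chmod(good, 0o600)
    with open(bad, "w") as fh:
        fh.write(bad_text)
    os.chmod(bad, 0o644)
    return check_credentials(good), check_credentials(bad)


if __name__ == "__main__":
    for label, result in zip(("good", "bad"), demo()):
        print(label, result or "OK")
```

    On a real server the same function would be called with /etc/bind/certbot-credentials.ini. The key named in dns_rfc2136_name should additionally be limited in named.conf to the TXT records certbot needs (the plugin documentation shows an update-policy grant for that), so that a leaked credentials file cannot rewrite the whole zone.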
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Using certbot commands manually breaks the certificate setup ISPConfig makes. I think the easiest way is to remove the certificates completely and create new original certificates with ISPConfig panel.
    If you do not use the certificate setup ISPConfig makes but rather create and renew certificates manually, that might work.
    To run commands when certificate is renewed, this thread shows how to do it with certbot:
    https://forum.howtoforge.com/threads/lets-encrypt-lots-of-errors-in-standalone.79363/
  4. SirAdams

    SirAdams New Member

    Thank you for your opinion but you did not understand my needs.
    Creating a certificate using certbot does not interrupt the certificate creation using ACME. Yes I have to make the first certificate manually and listing all the domains for which it is created, but renewal is automatic.

    The correct answer to my needs is this:
    Code:
    systemctl edit named.service
    Then we add three lines.
    Code:
    ### Editing /etc/systemd/system/named.service.d/override.conf
    ### Anything between here and the comment below will become the new contents of the file
    
    [Service]
    ExecReload=
    ExecReload=/usr/sbin/rndc freeze ; /usr/sbin/rndc reload ; /usr/sbin/rndc thaw
    
    ### Lines below this comment will be discarded
    
    ### /lib/systemd/system/named.service
    # [Unit]
    # Description=BIND Domain Name Server
    # Documentation=man:named(8)
    # After=network.target
    # Wants=nss-lookup.target
    # Before=nss-lookup.target
    #
    # [Service]
    # EnvironmentFile=-/etc/default/named
    # ExecStart=/usr/sbin/named -f $OPTIONS
    # ExecReload=/usr/sbin/rndc reload
    # ExecStop=/usr/sbin/rndc stop
    # Restart=on-failure
    #
    # [Install]
    # WantedBy=multi-user.target
    # Alias=bind9.service
    
    This treatment resulted in the fact that both the dynamic update run by certbot and the modifications added by ISPConfig work.
    I still need to test whether a modification of the Start/Stop commands is needed, but for the moment this short procedure allowed me to achieve my goal.

    I wanted the certificates issued for the sites (apache) to have nothing in common with the certificate generated by certbot.
    The former works unchanged and certbot renews my certificate for multiple domains. At renewal it reloads services such as proftpd, postfix, dovecot ...
    Thanks to this procedure, a client who connects to any domain (ftp.domain1.com or ftp.domain2.com ... ) always sees a valid certificate.
    For the moment this is enough for me. How to make ISPConfig itself add more certificates to certbot is another matter.
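    The override above works only because of the empty ExecReload= line: for Exec* settings systemd appends each further assignment to the list, and only an empty assignment clears what the main unit already defined. The following added example (not from this post, and not part of ISPConfig or BIND) applies those merge rules to a copy of the named.service unit and the drop-in shown here, and shows what the reload procedure from the first post would become with and without the reset line. The unit text in the script is constructed to mirror the post; the parser implements only the subset of systemd's syntax needed for this check.

```python
"""Compute the ExecReload= command list systemd runs for named.service after a
drop-in is applied.  Added example, not from the forum thread; the unit and
drop-in texts are constructed to mirror the ones shown in the post."""
import shlex

# Constructed copy of the stock Debian unit as quoted in the post.
NAMED_SERVICE = """\
[Unit]
Description=BIND Domain Name Server

[Service]
EnvironmentFile=-/etc/default/named
ExecStart=/usr/sbin/named -f $OPTIONS
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop
Restart=on-failure

[Install]
WantedBy=multi-user.target
"""

# The drop-in from the post: the empty assignment resets the inherited list.
OVERRIDE_WITH_RESET = """\
### Editing /etc/systemd/system/named.service.d/override.conf
[Service]
ExecReload=
ExecReload=/usr/sbin/rndc freeze ; /usr/sbin/rndc reload ; /usr/sbin/rndc thaw
"""

# A common mistake: omitting the reset line, so the stock reload stays in front.
OVERRIDE_WITHOUT_RESET = """\
[Service]
ExecReload=/usr/sbin/rndc freeze ; /usr/sbin/rndc reload ; /usr/sbin/rndc thaw
"""


def exec_values(text, key):
    """Yield the raw values assigned to `key` in the [Service] section, in file
    order.  An empty assignment is yielded as None (systemd: clear the list)."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        k, _, v = line.partition("=")
        if k.strip() == key:
            yield v.strip() or None


def split_commands(value):
    """Split one Exec* value on the standalone ';' token systemd uses as a
    command separator; shlex keeps quoted arguments together."""
    commands, current = [], []
    for token in shlex.split(value):
        if token == ";":
            if current:
                commands.append(" ".join(current))
                current = []
        else:
            current.append(token)
    if current:
        commands.append(" ".join(current))
    return commands


def effective_exec(unit_text, dropin_texts, key="ExecReload"):
    """Apply systemd's merge rules: main unit first, then each drop-in; values
    append, an empty assignment clears everything collected so far."""
    commands = []
    for text in [unit_text, *dropin_texts]:
        for value in exec_values(text, key):
            if value is None:
                commands = []
            else:
                commands.extend(split_commands(value))
    return commands


if __name__ == "__main__":
    print("stock:        ", effective_exec(NAMED_SERVICE, []))
    print("with reset:   ", effective_exec(NAMED_SERVICE, [OVERRIDE_WITH_RESET]))
    print("without reset:", effective_exec(NAMED_SERVICE, [OVERRIDE_WITHOUT_RESET]))
```

    Without the reset line the stock `rndc reload` would run first, before the freeze, which is exactly the reload that did not pick up the journal in the first post; `systemctl cat named.service` on the host shows the merged result for comparison.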
  5. SirAdams

    SirAdams New Member

    I'll write it so that it's clear.
    If you allow in named to dynamically update DNS entries with a key (DDNS) then reloading DNS entries by ISPConfig does not work.
    The simplest solution is "systemctl edit named.service".
    Whether I want ISPConfig to issue certificates using acme or certbot is another matter.
    The hook option in certbot has nothing to do with it; it is used for something else.
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  7. SirAdams

    SirAdams New Member

    This is the first time I have seen this solution.

    I don't have certbot integrated with ISPConfig in any way.
    I used this one:
    https://certbot-dns-rfc2136.readthedocs.io/en/stable/

    I manually generated a single certificate for all domains, and all I needed was for certbot to renew the automatically issued certificate itself and add the necessary entries for the renewal/issuance of the certificate.
    For this you need permission for certbot to dynamically add entries to the domains, which I achieved using the link above. When certbot issues the certificate it removes the entries itself.
    I don't need to see the entries from certbot in ISPConfig.
    The only thing I need is for the entries added by ISPConfig to be visible on the network after reloading, and this was not happening because when I queried named it still had the previous entries.
    After adding these two commands to reload, the problem was solved.

    Everything I am writing about here was given in the links in the first post.

    What I need is all the domains in one certificate and not each domain in a separate certificate.

    Now certbot automatically renews this one certificate for all domains and after renewal reloads the ftp, postfix, dovecot etc. services.
    Certificates for sites continue to be in single separate files.