Migrate to acme.sh

Discussion in 'Installation/Configuration' started by pzajda, Aug 6, 2020.

  1. pzajda

    pzajda Member HowtoForge Supporter

    Hello,

    As ISPConfig provides support for acme.sh for certificate generation, is there a procedure to migrate from certbot to acme.sh?
     
    Gwyneth Llewelyn likes this.
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No, at least none that I'm aware of. What might work is that you uninstall certbot, but don't purge the existing certs. Then disable LE in a website, press save, and enable it again, to get the cert re-issued using acme.sh. And take care that your installed ISPConfig version really supports acme.sh; it might be that you have to use 3.1dev, which is currently under heavy development, so I'm not sure if I can recommend going to 3.1dev at the moment on production systems until things have settled down a bit.
     
    Gwyneth Llewelyn likes this.
  3. exynenem

    exynenem Member

    Resyncing the websites may work (untested) if you don't want to tick-off and on the Let's Encrypt selectbox for each website. In ISPConfig: Settings -> Resync -> Websites.
    I would not recommend this on busy webservers with many websites since ISPConfig will restart the http daemon for each website.
    It's rather recommended to do this in a period where the server is not under heavy load.
     
    Gwyneth Llewelyn likes this.
  4. TonyG

    TonyG Active Member

    I'm installing a new system and tried to substitute certbot for acme.sh. I tend to use the user 'ubuntu' for general navigation, and either sudo or su to root for installations. In this case I did su to root to install acme.sh. This causes the creation of a .acme.sh under /root. When the ISPConfig installation progresses and initial certs are created, I don't think it's working in this config. The "self-signed" certs are invalid. I can manually create "stand-alone" certs, or open port 80 for the cert verification process.

    At this point the certs are invalid. I'd be happy to experiment with this if it would help development. ... Or would the current advice be to just stick with certbot?

    Thanks!
     
  5. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What version of ISPConfig are you using and on which Operating System?
    With certbot at least, if certbot commands are issued from the command line to do something with the certificates, it breaks the ISPConfig certificate setup and it stops working. I would assume this happens with acme.sh also.
     
  6. TonyG

    TonyG Active Member

    Thanks for your response.

    As noted in this other thread, I just did my first ISPConfig installation, using v3.1.15.p3, and I tried it over Ubuntu 20. I understand this isn't supported and posted my notes in case it would help anyone else.
    If we can identify exactly what ISPConfig does with the certs (rather, what it instructs components to do?) and we know where the certs are stored, then we should be able to regenerate the certs with acme.sh and position them wherever required. I'm no expert with acme.sh but I've had some recent/extensive experience and I'd be willing to experiment in my Ubuntu 20 environment to come up with a path from certbot to acme.sh for anyone who wants it.
     
    Gwyneth Llewelyn likes this.
