Hi Guys, I'm setting up a multiserver environment with 2 x servers, ISPConfig as VMs behind a pfSense load balancer/firewall, and I am having issues obtaining a LE certificate for the ns1.mydomain.com domain during install. This is (I presume) because there is not a web server running on ns1. Am I meant to be able to create an LE certificate at this stage? LE acme.sh says the following in the setup console: What would be the best way to proceed, for installation and ongoing autorenewal?
1. Add the web server during setup.
2. Set this up after the initial install from CLI.
3. Configure something within the control panel to create some kind of alias/link to ns1.
Thanks for your help.
If there's no web server installed, Acme should create its own temporary web server while validating. Of course you do need to have opened port 80 in your firewall and NAT it to that server. If you only have 1 WAN IP then you're in a bit of trouble, as you can NAT a port only to 1 server. So change the NAT rule when you proceed to the next server. A better way, which will avoid all this, is using DNS authentication in Acme. But since you're talking about NS1 I'm guessing that's not an option for now. You can however change the certificate's conf file once it's acquired so renewal can be done using DNS instead of web.
Hi Remkoh, Thanks for your reply. So my pfSense has HAProxy installed and I have set NS1 up in exactly the same way as WEB1, MX1 and MX2 during this project, and they worked. There is no firewall installed on the VM, it's a fresh Debian 12 ready for ISPConfig, and pfSense/HAProxy is configured to forward ns1.mydomain.com -> localIP:80 of the VM. From the console output, it looks like Acme/ISPConfig chooses Apache even though there is no Apache server/service installed [--no-web], so it doesn't surprise me that method fails. I think Acme requires a command line argument to request in standalone mode, unless it does this automatically because it doesn't detect a web server? But the documentation seems to require the '--standalone' argument. I was wondering if there was a way to configure the ISPConfig setup script with something like [--acme-standalone]? Probably not. From the Acme documentation:
Code:
acme.sh --issue --standalone -d example.com -d www.example.com -d cp.example.com
Is there a manual way to get NS1 a certificate from the CLI using Acme standalone after ISPConfig installation, and configure ISPConfig to manage it after initial installation/setup? As this is a nameserver, am I missing something obvious here? Thanks
ISPConfig runs acme.sh in standalone mode on nodes without a web server. Besides that, your NS servers do not need a signed SSL cert, as there are no services on a DNS server that would use it. So you can just let the ISPConfig installer create a self-signed certificate there if no LE cert can be obtained.
Hi Till, Thanks for your reply. First off, SORRY... It was a misconfiguration on my part with DNS. All my messing around with mail servers and mx1/mx2, and my DNS contained nx1 instead of ns1. "If at first you don't succeed, always check DNS!". Again, SORRY.... This non-issue made me check what was going on with the ISPConfig installer, because even though I'd called it with the argument '--no-web', Acme still wanted to use Apache for verification. Apache actually gets installed in the initial part of the ISPConfig installer (in the background, not displayed in the console output), with PHP I think. I'm not sure if ISPConfig requires Apache to manage ns1.mydomain.com or it's a dependency of PHP and ISPConfig doesn't require it? More clarification is needed here. I may be wrong here, and please correct me if I am, but isn't a certificate needed for DoH (DNS over HTTPS) and DoT (DNS over TLS)? @till - I have done a few hours checking this nameserver installation/setup. If you'd like me to expand on this then let me know.
Did you use the exact command from the multiserver guide for the name server installation? https://www.howtoforge.com/tutorial/ispconfig-multiserver-setup-debian-ubuntu/5/
Code:
wget -O - https://get.ispconfig.org | sh -s -- --no-web --no-mail --use-php=system --interactive
For example, if you left out --no-mail, Apache will also get installed.
Yes, an exact copy/paste. It also installs postfix and clamav packages even though the argument '--no-mail' is present, but I'm not sure if this is installed for any backend server notifications from cron etc. This is different from Apache2 though; these are listed in the console output. Apache2 is not.
Postfix must be installed, but ClamAV is not needed. But it might be that we install it as part of the base setup. Apache is most likely installed as a dependency by another package and not explicitly by the installer.
That's what I thought about Apache.... Just to confirm, it's PHP that installs Apache2:
Code:
root@isp:~# apt install php
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php8.2 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl4 liblua5.3-0 libsodium23 php-common php8.2 php8.2-cli php8.2-common php8.2-opcache php8.2-readline psmisc ssl-cert
Suggested packages:
  apache2-doc apache2-suexec-pristine | apache2-suexec-custom www-browser php-pear
The following NEW packages will be installed:
  apache2 apache2-bin apache2-data apache2-utils libapache2-mod-php8.2 libapr1 libaprutil1 libaprutil1-dbd-sqlite3 libaprutil1-ldap libcurl4 liblua5.3-0 libsodium23 php php-common php8.2 php8.2-cli php8.2-common php8.2-opcache php8.2-readline psmisc ssl-cert
0 upgraded, 21 newly installed, 0 to remove and 0 not upgraded.
Need to get 7,664 kB of archives.
After this operation, 31.8 MB of additional disk space will be used.
Do you want to continue? [Y/n]
If I remove Apache during the ISPConfig installation (from another terminal), the certificate verification method used by Acme is still Apache and it fails with the following:
Code:
Using apache for certificate validation
Failed to restart apache2.service: Unit apache2.service not found.
It's not really an issue, as you say nothing will use it, and I could just select 'no' to install a certificate and remove Apache2 after install. If I were to configure DoH/DoT manually on ns1/ns2 it would be nice if the hostname cert would be valid and autorenew. Thanks for your time @till
Just run acme.sh by hand for the hostname certificate.
Code:
acme.sh --issue --standalone -d <hostname> --keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"
Acme.sh's cronjob will handle renewal after that. Make sure there isn't anything running on port 80 and you NAT port 80 to the server. Once you've got your DNS up and running I suggest you change the certificate's config to ISPC-dns authentication and set up ISPC accordingly (assuming your own DNS handles your domain name). Then you don't need to NAT anything anymore for certificate authentication. If you already have your DNS running publicly you can get the certificate by using DNS authentication from the start.
Code:
acme.sh --issue --dns dns_ispconfig -d <hostname> --keylength 4096 --key-file "/usr/local/ispconfig/interface/ssl/ispserver.key" --fullchain-file "/usr/local/ispconfig/interface/ssl/ispserver.crt" --renew-hook "letsencrypt_renew_hook.sh"
Of course you do need to have set up acme.sh and ISPC prior to running this. For acme.sh setup add these lines in /root/.acme.sh/account.conf:
Code:
ISPC_User='<user>'
ISPC_Password='<password>'
ISPC_Api='<ISPC URL>'
ISPC_Api_Insecure='1'
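The reply above says to issue the hostname cert with --standalone first and later "change the certificate's config" to DNS authentication once the name servers are live. The script below is an added example, not part of this thread and not ISPConfig's or acme.sh's own code: it flips an acme.sh per-domain conf from standalone to the dns_ispconfig hook and refuses to touch a conf that is not actually on standalone. It assumes acme.sh keeps per-domain settings in $HOME/.acme.sh/<domain>/<domain>.conf (<domain>_ecc for ECC keys) and records the validation method in the Le_Webroot key, 'no' for standalone and 'dns_<provider>' for a DNS hook; ns1.example.com is a placeholder hostname and the sample conf is constructed, with only the keys relevant here.

```shell
#!/bin/sh
# Added example (not from the thread): move an acme.sh certificate that was
# issued with --standalone over to DNS validation via dns_ispconfig, so
# renewal no longer needs port 80 NATed to the name server.
# Assumptions: per-domain conf lives in $HOME/.acme.sh/<domain>/<domain>.conf,
# validation method is stored as Le_Webroot ('no' = standalone).
set -eu

# Print the current validation method recorded in a domain conf.
current_method() {
    sed -n "s/^Le_Webroot='\(.*\)'$/\1/p" "$1"
}

# Rewrite Le_Webroot from standalone ('no') to a DNS hook.
#   $1 = path to the domain conf, $2 = hook name (default dns_ispconfig)
# Returns 1 and leaves the file untouched unless it is really on standalone,
# so a cert already using webroot/apache or another DNS hook is not changed blindly.
# A .bak copy is kept next to the conf so the change can be reverted.
switch_to_dns() {
    conf="$1"; hook="${2:-dns_ispconfig}"
    [ -f "$conf" ] || { echo "no such conf: $conf" >&2; return 1; }
    if ! grep -q "^Le_Webroot='no'$" "$conf"; then
        echo "Le_Webroot in $conf is not 'no' (standalone); leaving it alone" >&2
        return 1
    fi
    cp "$conf" "$conf.bak"
    tmp="$conf.tmp.$$"
    sed "s|^Le_Webroot='no'$|Le_Webroot='$hook'|" "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# Constructed sample of a conf as acme.sh would write it after
# --issue --standalone (real files carry more keys). Written to a temp dir
# so running this example never touches a live ~/.acme.sh tree.
demo_dir=$(mktemp -d)
demo_conf="$demo_dir/ns1.example.com.conf"
cat > "$demo_conf" <<'EOF'
Le_Domain='ns1.example.com'
Le_Alt='no'
Le_Webroot='no'
Le_Keylength='4096'
Le_RenewHook='letsencrypt_renew_hook.sh'
EOF

echo "before: $(current_method "$demo_conf")"
switch_to_dns "$demo_conf"
echo "after:  $(current_method "$demo_conf")"
```

On a real node, point switch_to_dns at /root/.acme.sh/ns1.mydomain.com/ns1.mydomain.com.conf (or the _ecc variant) after the ISPC_* credentials are in account.conf as the reply shows, then prove the new path works before the cron job has to rely on it with `acme.sh --renew -d ns1.mydomain.com --force`. Note that ISPC_Api_Insecure='1' makes acme.sh skip TLS verification of the ISPConfig API endpoint; that is only acceptable while the panel still has a self-signed cert on a network you trust, and should be set back to '0' once the panel presents a valid certificate.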