I'm planning a migration from ISPConfig 3.1.15p3 running on Debian 9 (multiserver setup) to a new system running on Debian 10 and ISPConfig 3.2.2. The new system is also a multiserver setup. I am assuming the different versions do not matter and the migration toolkit can handle this? My next concern is that the current system is using Certbot. I have now learned that changing from certbot to acme.sh is not a good idea. Does this hold true also for migration? That is, should I install certbot on the new system and keep using it? If I use the ISPConfig auto-installer, and install certbot before starting the auto-installer, does the auto-installer handle this correctly?
Yes, that's no problem. Yes, use certbot also on the new server. No. I fear there is currently no option to use the auto-installer in this case as it will always install acme.sh and use it for the server cert.
I am not 100% sure, but maybe you can migrate without migrating the certs (so don't migrate the LE folder) and then start using acme.sh. The con of this is that your sites will go without a cert for some time, but you could probably minimize this by using HAProxy to pass requests on ports 80 and 443 from your old to your new system. In my last migration I had trouble with the cert migration, so this would probably have been a better option for me as well. Opinions/ideas from others on this are very welcome.
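The HAProxy pass-through suggested above, as an added example that is not code from the thread or from ISPConfig. It generates a TCP-mode configuration for the old server that forwards ports 80 and 443 unchanged to the new server, so HTTP-01 challenges and HTTPS requests reach the new box while DNS still points at the old IP, and TLS is still terminated on the new server (the old server never sees the new private keys). The function names, the 1.2.3.4 placeholder and the Debian paths in the usage comment are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): emit an HAProxy config that passes
# ports 80 and 443 on the OLD server straight through (TCP mode, no TLS
# termination) to the NEW server. NEW_IP and the output path are supplied
# by the caller; 1.2.3.4 in the usage note is a placeholder.

write_haproxy_passthrough() {
    new_ip="$1"
    out="$2"
    cat > "$out" <<EOF
global
    log /dev/log local0
    maxconn 4096

defaults
    mode tcp
    log global
    option tcplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Port 80: pass through so the new server can answer ACME HTTP-01 challenges
frontend fe_http
    bind *:80
    default_backend be_new_http

backend be_new_http
    server new ${new_ip}:80 check

# Port 443: TCP pass-through, TLS is terminated on the new server, not here
frontend fe_https
    bind *:443
    default_backend be_new_https

backend be_new_https
    server new ${new_ip}:443 check
EOF
}

# Syntax-check the generated file when haproxy is installed; reports and
# returns 0 when haproxy is absent so the generator is usable elsewhere.
check_haproxy_cfg() {
    if command -v haproxy >/dev/null 2>&1; then
        haproxy -c -q -f "$1"
    else
        echo "haproxy not installed, skipping syntax check" >&2
    fi
}

# Usage on the old server (stop the old web server first, it owns 80/443):
#   systemctl stop apache2            # or: systemctl stop nginx
#   write_haproxy_passthrough 1.2.3.4 /etc/haproxy/haproxy.cfg
#   check_haproxy_cfg /etc/haproxy/haproxy.cfg && systemctl restart haproxy
```

Two caveats when using this: the old web server must be stopped before HAProxy can bind 80 and 443, and in plain TCP mode the new server logs the old server's address as the client IP, so fail2ban and access logs on the new host are blind to real clients until DNS is switched (PROXY protocol fixes that, but only if the new web server is configured to accept it).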
I'd also play along with @Th0m's ideas if I were you, but without using a proxy. In my mind, when you force update in the new server and request SSL in the process, ISPConfig will create LE certs for the server and its services, but the web server won't restart as no certs are found for the web sites, unless you did not copy the sites-enabled vhost files, which is what I would do. I'd try the resync tool immediately thereafter and see how it goes, which in my mind will create the sites-enabled vhost files as well as requesting new LE certs for each web site. These were never tested though, so a test ought to be run first.
Depending on the server size, you might also hit LE limits when you would try to reissue so many certs at once.
Seems it is better to stick with certbot. I prefer to avoid complicated things, and moving to acme.sh looks hard. I'll have to set up a new ISPConfig for testing and use acme.sh there. Meanwhile, since the ISPConfig auto-installer is not possible in my situation, has anyone used cloning to install 10 ISPConfig hosts? I'm going to install one Debian 10, clone it to a base system and then use that for the other 9, changing the IP number and hostname. But could I install a base ISPConfig 3.2.2 setup, clone that and then copy that to 9 other hosts, changing the IP number and hostname and forcing an ispconfig reconfigure of services?
I have not done this and I doubt it will work - I think it will cause more issues than it will fix. Just a thought - maybe you could remove the step that installs acme from the autoinstaller and install certbot instead? And a note: after my migration, I had to manually reissue the certs over time because the renewal broke.
Hi, thank you! Indeed, my code snippet was rather a question. I forgot to mention that I tried a final ispconfig_update.sh --force. And it works for me. Perhaps I don't understand you right.
Code:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for xxx.xxxxxxxxxx.xx
Using certificate path /etc/letsencrypt/live/xxx.xxxxxxxxxx.xx
Using nginx for certificate validation
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for xxx.xxxx.xx
Using the webroot path /usr/local/ispconfig/interface/acme for all unmatched domains.
Waiting for verification...
Cleaning up challenges
One possibility might be to cause the LE cert issuing to fail, e.g. by temporarily closing port 80. Then the installer will create a self-signed cert instead. Afterwards, replace acme.sh with certbot and run a forced update. OK, that's quite a hack and I have not tested it, just an idea.
Agreed. But this is more complicated. I'd agree with @Th0m again on this. About LE limits, I think it is per domain, not per server, but do check.
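The rate-limit concern raised in the two posts above ("you might hit LE limits when you reissue so many certs at once" and "I think it is per domain, not per server") can be checked before a bulk reissue. The Let's Encrypt limit that matters here is 50 certificates per registered domain per week (and 5 duplicate certificates for the same exact set of names per week); ISPConfig issues one certificate per site, so counting sites per registered domain is the useful number. The script below is an added example, not code from the thread or from ISPConfig; its function names, the two-label registered-domain heuristic (which is an assumption and is wrong for public suffixes such as co.uk) and the Apache sites-enabled path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread): estimate Let's Encrypt rate-limit
# exposure before reissuing certs for every site on a migrated node.

# Let's Encrypt limit: 50 certificates per registered domain per 7 days.
LE_PER_DOMAIN_WEEKLY=50

# Read one site hostname per line on stdin and print "count registered_domain"
# for every registered domain whose count exceeds the weekly limit.
# Registered domain = last two labels (ASSUMPTION: a heuristic that is wrong
# for public suffixes like co.uk; use the Public Suffix List for those).
le_rate_check() {
    awk -F. -v limit="$LE_PER_DOMAIN_WEEKLY" '
        NF >= 2 { reg = $(NF-1) "." $NF; n[reg]++ }
        END { for (d in n) if (n[d] > limit) print n[d], d }
    ' | sort -k2
}

# List the site names actually served by this node, one ServerName per site.
# Path defaults to the Debian Apache directory (assumption); for nginx use
# /etc/nginx/sites-enabled and match server_name instead.
list_vhost_names() {
    dir="${1:-/etc/apache2/sites-enabled}"
    grep -rhiE '^[[:space:]]*ServerName[[:space:]]+' "$dir" 2>/dev/null \
        | awk '{print $2}' | sort -u
}

# Usage: list_vhost_names | le_rate_check
# Empty output: no registered domain has more than 50 sites, a single-pass
# reissue is fine. Otherwise stagger the reissue over several days, starting
# with the sites whose old certs expire first.
```

The check is per registered domain, not per server, so a node hosting many subdomains of one customer domain is the case that trips the limit; ten customers with five sites each never will.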