Prerequisites... A suggestion to add a couple of lines.

Discussion in 'Installation/Configuration' started by Ranzy Campbell, Nov 6, 2023.

  1. Prerequisites
    • Operating System: Debian 10 to Debian 12, Ubuntu 20.04, or Ubuntu 22.04.
    • Intel or AMD 64-Bit CPU Architecture (x86_64, also known as AMD64). ARM CPUs are not supported at the moment.
    • The System must have internet access to download and install software with apt.
    • Start from a clean and empty base OS installation.

    In the prerequisites, it is clear what is required in order to install a perfect server, except for the DNS requirements.

    For me, I planned to manage DNS for my primary domain (plus all others) from within ISPConfig, so I didn't make an A record for the FQDN for the hostname (server1.example.com) on my registrar for my domain name. As a matter of fact, I had already registered my ns1 and ns2 nameservers, and pointed my domain to the new servers that didn't even exist yet. In hindsight, this seems obvious: that I should manage DNS from the registrar until I create a working DNS server on ISPConfig.

    Last year I ran the auto installer and never knew that it was trying (and failing) to register the hostname (server1.example.com) with Let's Encrypt. Since I had no A record for that subdomain in my registrar's DNS, Let's Encrypt failed and the script created a self-signed SSL for the server, which also becomes the SSL for the mail server too. I accepted this fact, as if it just had to be this way. The script didn't complain about the failed attempt.

    I didn't have any customers on the server, just my own domains and once I told my browser and email client to trust the self signed SSL, I never even noticed it again.

    During the last few days, I've been working on improving my OPSEC, and tried out a couple of other web hosting software packages. Hestia is second best, IMO, but clearly I came back to ISPConfig for good this time.

    Here's how I figured it out. I installed the auto installer again, but this time on Debian 12 and again no DNS. The reason I reinstalled again and again was because I was trying to install a different SSL than the self-signed one, and of course I broke the server multiple times. I decided to run the manual install documentation this last time and saw the prompt where it was trying to register the hostname with Let's Encrypt and said that there was no A record for server1.example.com. OMG, I left the installer at that point of the install, and made the changes on my registrar's DNS. I had to wait a good 30 minutes for dnslookup.io to see the A record that I needed. Hopefully, I'm not the only idiot.

    BAM!
    No more untrusted / unsafe SSL messages in the browser when I went to https://server1.example.com:8080.

    After that, I created the DNS records on my ISPConfig DNS server for the primary domain including the FQDN hostname. Pointed my primary domain nameservers to my ns1.example.com and ns2.example.com and all is working great now.

    So, my suggestion is to add a "Strongly Suggested" in the Prerequisites section. Stating the obvious, that it is required in order to register the FQDN hostname with Let's Encrypt, otherwise, you'll only have self signed SSL for the server. That, or in the script, you could maybe make it pause with the failed message about Let's Encrypt.
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The hostname of a server must always exist in DNS, unless it's an internal test system. Even without the SSL failure, other servers would have refused to talk with your server or reject your emails as spam if you do not have a valid hostname.

    In case you received a self-signed SSL cert because your hostname was not reachable at install time, then you can easily get an LE cert at any time later by running:

    ispconfig_update.sh --force

    And let the updater create a new SSL cert.

    I'll add a note to the auto-installer guide that the hostname must exist in DNS and be reachable if one wants to get a valid SSL cert.
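    The check both posts describe (the hostname must have an A record, and it must point at the server, before the installer or ispconfig_update.sh --force asks Let's Encrypt for a certificate) can be run as a pre-flight script. The following is an added example written for this thread; it is not part of ISPConfig or its auto-installer. It uses the system resolver, so a cached negative answer can lag behind a freshly created record, which is why it also includes a polling helper for the propagation wait described in the first post. The hostname server1.example.com, the IP 203.0.113.10 and the function names are constructed for the example.

```python
"""Pre-flight check before running the ISPConfig auto-installer or
ispconfig_update.sh --force: does the server's FQDN have an A record,
and does it point at this machine?  Hypothetical helper for this thread,
not ISPConfig's own code."""
import socket
import sys
import time
from typing import Callable, List, Optional

# A resolver maps a hostname to the list of IPv4 addresses it has.
Resolver = Callable[[str], List[str]]


def resolve_a_records(hostname: str) -> List[str]:
    """IPv4 addresses the system resolver returns for hostname.
    Empty list means the name does not resolve (no A record, or no
    answer from the resolver, which is what breaks Let's Encrypt)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_hostname(hostname: str, server_ip: Optional[str],
                   resolver: Resolver = resolve_a_records) -> dict:
    """Classify the DNS state of hostname.  Returns {'ok': bool, 'reason': str}.
    server_ip is the public IP this server should answer on; pass None to
    only check that an A record exists."""
    if "." not in hostname:
        return {"ok": False,
                "reason": f"{hostname!r} is not fully qualified (expected e.g. server1.example.com)"}
    addrs = resolver(hostname)
    if not addrs:
        return {"ok": False,
                "reason": f"no A record for {hostname}: Let's Encrypt validation will fail "
                          "and the installer falls back to a self-signed certificate"}
    if server_ip is not None and server_ip not in addrs:
        return {"ok": False,
                "reason": f"{hostname} resolves to {', '.join(addrs)} but this server is {server_ip}"}
    return {"ok": True, "reason": f"{hostname} resolves to {', '.join(addrs)}"}


def wait_for_a_record(hostname: str, expected_ip: Optional[str],
                      timeout_s: int = 1800, interval_s: int = 60,
                      resolver: Resolver = resolve_a_records,
                      sleep: Callable[[float], None] = time.sleep) -> bool:
    """Poll until check_hostname passes (record published and propagated)
    or timeout_s has elapsed.  The first post waited about 30 minutes,
    hence the default.  Returns True on success, False on timeout."""
    waited = 0
    while True:
        if check_hostname(hostname, expected_ip, resolver)["ok"]:
            return True
        if waited >= timeout_s:
            return False
        sleep(interval_s)
        waited += interval_s


if __name__ == "__main__":
    # Usage: python3 preflight.py server1.example.com [203.0.113.10]
    name = sys.argv[1] if len(sys.argv) > 1 else socket.getfqdn()
    ip = sys.argv[2] if len(sys.argv) > 2 else None
    verdict = check_hostname(name, ip)
    print(("OK: " if verdict["ok"] else "NOT READY: ") + verdict["reason"])
    sys.exit(0 if verdict["ok"] else 1)
```

Run it with the hostname you will give the installer and the server's public IP; a non-zero exit is the "pause with the failed message" the first post asked for, before any certificate request is made. Checking against the domain's authoritative nameserver (dig @ns1.example.com) rather than the local resolver would avoid cached negative answers, but the system resolver is what Let's Encrypt's validation ultimately has to agree with from the outside.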
     
  3. I do understand that the hostname must be in DNS... That's why it's the first thing I do after the software was installed on the server. At that point (in my mind at the time, anyway), I am using SSH directly to the server IP, still building it and not even using DNS. I accessed my "new" ISPConfig server via the https://x.x.x.x:8080 address. The first thing I do is set up DNS for the domain name.

    What I didn't know, was that the script was using DNS and was trying to install Let's Encrypt during the install. It was a eureka moment for me. Don't get me wrong, I know it's using DNS in order to get and download the software for the install. Just that one little thing didn't occur to me.

    And yes, after I did this last install, I also found the update.sh and did use it.

    Thanks so much for the quick reply. I just figured that there must be others out there making the same mistake as I made. Like I said, it seems obvious to me now, but at the time it didn't seem like I was doing anything wrong. Now I know, and sincerely thank you.
     