Rocky 8 install issues... 2 weird ones - letsencrypt and one install php missing...

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, May 24, 2023.

  1. craig baker

    craig baker Member HowtoForge Supporter

    Problem 1 -
    Yes, I looked at the LE FAQ, but this is rather odd. I can issue an LE cert for a website I just installed; it worked fine.
    But the cert for ISPConfig is not correct, and I get an oddity in the /root/.acme.sh folder:
    Code:
    [root@ns1 .acme.sh]# ls -al
    total 264
    drwx------  8 root root   4096 May 23 20:15 .
    dr-xr-x---. 5 root root   4096 May 21 10:45 ..
    -rw-r--r--  1 root root    220 May 23 20:15 account.conf
    -rwxr-xr-x  1 root root 222101 May 21 11:32 acme.sh
    -rw-r--r--  1 root root     78 May 21 11:32 acme.sh.csh
    -rw-r--r--  1 root root     78 May 21 11:32 acme.sh.env
    drwxr-xr-x  4 root root     78 May 23 20:15 ca
    drwxr-xr-x  2 root root   4096 May 21 11:32 deploy
    drwxr-xr-x  2 root root   8192 May 21 11:32 dnsapi
    -rw-r--r--  1 root root      0 May 23 20:15 http.header
    drwxr-xr-x  2 root root    181 May 23 20:15 lesismoredmv.com
    drwxr-xr-x  2 root root   4096 May 21 11:32 notify
    drwxr-xr-x  3 root root   4096 May 21 11:46 ns1.knightking-delivery.com_ecc
    [root@ns1 .acme.sh]#
    [root@ns1 .acme.sh]# ls lesismoredmv.com -al
    total 44
    drwxr-xr-x 3 root root 4096 May 23 20:15 .
    drwx------ 8 root root 4096 May 23 20:15 ..
    drwxr-xr-x 2 root root   10 May 23 20:15 backup
    -rw-r--r-- 1 root root 3751 May 23 20:15 ca.cer
    -rw-r--r-- 1 root root 5975 May 23 20:15 fullchain.cer
    -rw-r--r-- 1 root root 2224 May 23 20:15 lesismoredmv.com.cer
    -rw-r--r-- 1 root root  981 May 23 20:15 lesismoredmv.com.conf
    -rw-r--r-- 1 root root 1728 May 23 20:15 lesismoredmv.com.csr
    -rw-r--r-- 1 root root  214 May 23 20:15 lesismoredmv.com.csr.conf
    -rw------- 1 root root 3243 May 23 20:15 lesismoredmv.com.key
    -rw------- 1 root root 3243 May 23 20:15 lesismoredmv.com.key.next
    [root@ns1 .acme.sh]# ls ns1.knightking-delivery.com_ecc
    backup  ns1.knightking-delivery.com.conf  ns1.knightking-delivery.com.csr  ns1.knightking-delivery.com.csr.conf  ns1.knightking-delivery.com.key
    [root@ns1 .acme.sh]# ls ns1.knightking-delivery.com_ecc -al
    total 24
    drwxr-xr-x 3 root root 4096 May 21 11:46 .
    drwx------ 8 root root 4096 May 23 20:15 ..
    drwxr-xr-x 2 root root   10 May 21 11:26 backup
    -rw-r--r-- 1 root root  684 May 21 11:47 ns1.knightking-delivery.com.conf
    -rw-r--r-- 1 root root 1033 May 21 11:47 ns1.knightking-delivery.com.csr
    -rw-r--r-- 1 root root  200 May 21 11:47 ns1.knightking-delivery.com.csr.conf
    -rw------- 1 root root 1675 May 21 11:46 ns1.knightking-delivery.com.key
    Now the website (lesismoredmv) got its cert, all good.
    But the nameserver ns1.knightking-delivery has its folder in the first ls with an _ecc at the end. What's that about? Nothing in the docs do I find! <Yoda impersonation>
    And https://ns1.etc:8080 reports a self-signed, invalid cert.
    Any ideas? Also, when I tried to reissue, I got a weird message about needing an account with ZeroSSL? Never saw that before:
    I set up an account, but there is nothing in the docs explaining it.

    Code:
    [root@ns1 .acme.sh]# acme.sh --renew -d ns1.knightking-delivery.com
    [Wed May 24 07:22:31 EDT 2023] The domain 'ns1.knightking-delivery.com' seems to have a ECC cert already, lets use ecc cert.
    [Wed May 24 07:22:31 EDT 2023] Renew: 'ns1.knightking-delivery.com'
    [Wed May 24 07:22:31 EDT 2023] Renew to Le_API=https://acme.zerossl.com/v2/DV90
    [Wed May 24 07:22:31 EDT 2023] Using CA: https://acme.zerossl.com/v2/DV90
    [Wed May 24 07:22:32 EDT 2023] Checking if there is an error in the apache config file before starting.
    [Wed May 24 07:22:32 EDT 2023] OK
    [Wed May 24 07:22:32 EDT 2023] JFYI, Config file /etc/httpd/conf/httpd.conf is backuped to /root/.acme.sh/httpd.conf
    [Wed May 24 07:22:32 EDT 2023] In case there is an error that can not be restored automatically, you may try restore it yourself.
    [Wed May 24 07:22:32 EDT 2023] The backup file will be deleted on success, just forget it.
    [Wed May 24 07:22:32 EDT 2023] Single domain='ns1.knightking-delivery.com'
    [Wed May 24 07:22:32 EDT 2023] Getting domain auth token for each domain
    [Wed May 24 07:22:36 EDT 2023] Getting webroot for domain='ns1.knightking-delivery.com'
    [Wed May 24 07:22:36 EDT 2023] Verifying: ns1.knightking-delivery.com
    [Wed May 24 07:22:36 EDT 2023] Processing, The CA is processing your order, please just wait. (1/30)
    [Wed May 24 07:22:40 EDT 2023] ns1.knightking-delivery.com:Verify error:"error":{
    
    Odd!

    Second problem: during the Perfect Server CentOS 8 (modified for Rocky 8) install, there are missing PHP packages:
    Error: Unable to find a match: php-imap php-mysql php-pecl-apc php-mcrypt php-tidy php-imagick php-pspell

    I have remi and epel installed. Now it seems php-mysql has been replaced by php-mysqlnd, and I built php-imagick from instructions elsewhere:
    dnf install -y php php-devel php-pear make
    pecl install imagick
    and finally:
    echo "extension=imagick.so" > /etc/php.d/20-imagick.ini
    php-imagick does show up in the php list, so that's done.

    What about the others? Are they no longer needed?

    Thanks, O Till, Fount of all Valid Information!
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    It seems as if acme.sh has been installed manually and not by ISPConfig itself, as this leads to the _ecc and ZeroSSL issue, which ISPConfig fixes on its own when it downloads acme.sh. Run:

    acme.sh --set-default-ca --server letsencrypt

    to fix this, and then do an ISPConfig update with:

    ispconfig_update.sh --force

    and let it create a new SSL cert during update.

    Regarding packages: if they are not there on the distribution that you have chosen, then you can't install them. And mysql has probably been replaced by mysqlnd.
     
  3. craig baker

    craig baker Member HowtoForge Supporter

     
  4. craig baker

    craig baker Member HowtoForge Supporter

    Worked great, thanks Till. Maybe the docs might note the _ecc nonsense? And I wonder how LE would get installed manually...
    Maybe the LE FAQ might include this information?
     
  5. craig baker

    craig baker Member HowtoForge Supporter

    ENLIGHTENMENT - for the Rocky 8 perfect server.
    We need to use REMI for PHP 7.4; that was the error.
    Need to do:
    dnf -y module reset php
    dnf -y module install php:remi-7.4
    dnf update
    (I had left out remi-7.4 accidentally and hence did not pick up the later modules like php-tidy.)
     
    till likes this.
  6. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Thx, as my ISPConfig setup by the docs did in fact use ZeroSSL by default.
    Though it works, ISPConfig fails to detect the provider and sets the wrong CAA record for DNS :/
    Should be Sectigo for ZeroSSL.
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does not support using ZeroSSL for acme.sh; that's why ISPConfig sets the CA automatically to Let's Encrypt when it installs acme.sh. If we wanted to add it, we would likely have to make a setting for it under System > Server config and set the CA before requesting an SSL cert.
     
    Last edited: Jun 10, 2024
  8. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    I think the better approach would be, if one wanted to support acme.sh, to either specify the provider to be used or read out the default and handle that.
    My Debian 12 box with no manual acme.sh interaction ;) was set to ZeroSSL by default, it seems. On the other hand, it worked well besides the wrong CAA, which I noticed only because my DNS update was too slow for once (moved domain and tested too quickly).
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    acme.sh always defaults to using ZeroSSL if you install it manually, as its author seems to have a deal with that CA, but I do not see any real benefits of using ZeroSSL over Let's Encrypt; ZeroSSL seems to be slower and is sometimes unresponsive when requesting SSL certs. If you install ISPConfig, then ISPConfig downloads acme.sh, unless it is already there, and sets the default CA to Let's Encrypt. So your problem arises only because you must have installed acme.sh manually before installing ISPConfig.

    Reading the default is not that easy, as the GUI cannot read the default used on slave nodes on a multiserver system. So we would have to make another field writable from the slave node in the master database, which is filled at install and updated regularly, and that's something I try to avoid for security reasons.

    So having a setting in GUI and letting the user choose it is maybe the most viable option.
     
  10. ztk.me

    ztk.me Well-Known Member HowtoForge Supporter

    Yes, I noticed the slow response when Sectigo decided to turn on maintenance mode and did not keep its promised timeframe ;)
    https://www.howtoforge.com/perfect-server-debian-12-buster-apache-bind-dovecot-ispconfig-3-2/
    Well, technically I might have installed it "manually" according.

    I like ZeroSSL being there, and others, to have the ability to choose for various reasons. Would be fine if the howto just added
    10.1 set default to LE

    Another issue might be: how many have Sectigo certs and a CAA record for LE, decide to use the ISPConfig DNS in the future, and find out then that it is wrong?
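The two threads above (the _ecc directory and ZeroSSL default from posts 1, 2 and 9, and the CAA record mismatch from posts 6, 8 and 10) both come down to knowing which CA each acme.sh certificate is actually bound to. The following script is an added example, not from the thread and not part of ISPConfig or acme.sh: it walks an acme.sh home directory, reads Le_API from each domain .conf (the same key the renew log above prints), reads DEFAULT_ACME_SERVER from account.conf, and reports per certificate the key type (from the _ecc suffix), the CA, and the issuer string a CAA record must allow. The sample directory, domain names and file contents are constructed in a temp dir so it runs offline; the conf format assumed here is the `KEY='value'` form acme.sh writes.

```shell
#!/bin/sh
# Added example (not from the thread, ISPConfig or acme.sh): audit an acme.sh
# home directory for which CA each certificate is bound to, whether it lives in
# an "_ecc" directory (EC key), and which CAA issuer the DNS zone must allow.
# Point ACME_HOME at a real /root/.acme.sh to audit it; by default a constructed
# sample is built in a temp dir.

ACME_HOME="${ACME_HOME:-$(mktemp -d)}"

# Constructed sample: an EC cert bound to ZeroSSL (as in the thread), an RSA cert
# bound to Let's Encrypt, and an account.conf whose default CA is ZeroSSL.
setup_sample() {
  mkdir -p "$ACME_HOME/ns1.example.test_ecc" "$ACME_HOME/www.example.test"
  printf "Le_API='https://acme.zerossl.com/v2/DV90'\nLe_Keylength='ec-256'\n" \
    > "$ACME_HOME/ns1.example.test_ecc/ns1.example.test.conf"
  printf "Le_API='https://acme-v02.api.letsencrypt.org/directory'\nLe_Keylength='2048'\n" \
    > "$ACME_HOME/www.example.test/www.example.test.conf"
  printf "DEFAULT_ACME_SERVER='https://acme.zerossl.com/v2/DV90'\n" \
    > "$ACME_HOME/account.conf"
}

# classify_api URL -> letsencrypt | zerossl | unknown
classify_api() {
  case "$1" in
    *letsencrypt.org*) echo letsencrypt ;;
    *zerossl.com*)     echo zerossl ;;
    *)                 echo unknown ;;
  esac
}

# conf_value FILE KEY -> value of "KEY=..." with surrounding quotes stripped
conf_value() {
  sed -n "s/^$2=//p" "$1" | tr -d "'\""
}

# default_ca DIR -> CA that a *new* certificate would be requested from
# (DEFAULT_ACME_SERVER in account.conf; "unset" means acme.sh's own default,
# which the thread notes is ZeroSSL for a manual install)
default_ca() {
  api=$(conf_value "$1/account.conf" DEFAULT_ACME_SERVER 2>/dev/null)
  if [ -n "$api" ]; then classify_api "$api"; else echo unset; fi
}

# expected_caa CA -> issuer string a CAA "issue" record must allow for that CA
expected_caa() {
  case "$1" in
    letsencrypt) echo letsencrypt.org ;;
    zerossl)     echo sectigo.com ;;   # ZeroSSL certificates are issued via Sectigo
    *)           echo none ;;
  esac
}

# audit DIR -> one line per certificate: DOMAIN KEYTYPE CA CAA_ISSUER
audit() {
  for conf in "$1"/*/*.conf; do
    [ -f "$conf" ] || continue
    case "$conf" in *.csr.conf) continue ;; esac   # skip CSR settings files
    dir=$(basename "$(dirname "$conf")")
    case "$dir" in
      *_ecc) domain=${dir%_ecc}; keytype=ecc ;;    # acme.sh suffixes EC-key certs
      *)     domain=$dir;        keytype=rsa ;;
    esac
    ca=$(classify_api "$(conf_value "$conf" Le_API)")
    echo "$domain $keytype $ca $(expected_caa "$ca")"
  done
}

setup_sample
echo "default CA for new certs: $(default_ca "$ACME_HOME")"
audit "$ACME_HOME"
```

A "zerossl" line for the ISPConfig hostname, or a "default CA" of zerossl or unset, is the condition the fix in post 2 (`acme.sh --set-default-ca --server letsencrypt`) addresses; the last column is what a CAA record in the zone must allow for the renewal to keep working.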
     
