Securing back end with Let's Encrypt - multiple aliases [Previously: StartSSL query]

Discussion in 'Installation/Configuration' started by FactionOne, Jun 20, 2017.

  1. FactionOne

    FactionOne Member

    Indeed, I understand the distinction; I'm just wondering what the best way is to deal with the http availability at alpha.serverdomain.tld - with 'nothing' configured for web at that address, the server shows the Debian/Apache default page (not even ISPConfig default); so I'd like to tidy up that too.

    Thanks,

    Rob.
     
  2. sjau

    sjau Local Meanie Moderator

that's the default apache site if no vhost is found. You probably could setup a website alpha.serverdomain.tld in ISPC as well... or you could redirect it somewhere else...
     
  3. FactionOne

    FactionOne Member

    OK, thanks - I was just wondering if there's a best practice method.

    Anyway, I've just set-up the site for serverdomain.tld (with auto-www); and with Let's Encrypt enabled for it, I'm back to getting SSL_ERROR_RX_RECORD_TOO_LONG.

(I don't know if it indicates a problem or not, but I also noticed that with IP address set to *, I only get the Apache default page. I normally specify the IP (just missed it this time), so hadn't noticed it before - once I specify .161, I get the ISPConfig default page as expected.)

    Is there anywhere I can check SSL configuration for a site? Should have been written to serverdomain.tld.vhost, or somewhere else? Is there a relevant log?

    Thanks again,

    Rob.

    [EDIT: I also find that http://alpha.serverdomain.tld now shows the ISPConfig default site, where previously it had shown the Apache one; though I've made no change which should affect that?]
     
  4. sjau

    sjau Local Meanie Moderator

    you could provide the actual domain name so that we can actually check the cert and stuff
     
  5. FactionOne

    FactionOne Member

    Hah, I guess. (obfuscating addresses as a matter of course is something I grew up doing, I suppose.)

    From what I can see though, apache isn't offering a certificate for the domain anyway (I've been using the 'add exception' dialogue in Firefox Advanced options [to clarify, I'm not seeing a page with this presented] to request the certificate from the URL).

    Anyway, it's [redacted after tracking issue - #paranoid]

    Rob.
     
    Last edited: Jun 24, 2017
  6. sjau

    sjau Local Meanie Moderator

same here... well, right, something's not right there.... you'll need to check if you have certs in the ssl folder of that domain /var/www/[redacted]/ssl and also have a look at the vhost configuration files for it.... there might have been some issue somewhere.
     
    Last edited: Jun 24, 2017
  7. FactionOne

    FactionOne Member

    heheh - that is what I was wondering :)
    OK. There's nothing in the SSL folder, and there's no :443 vhost or SSL configuration stuff inside the site's .vhost file.
    There's not much of anything (apart from people (bots) browsing the apache manual which is somehow showing in the main domain's access log).
     
  8. sjau

    sjau Local Meanie Moderator

    not having anything in the ssl folder is not good :)
     
  9. FactionOne

    FactionOne Member

    After all that...

    Where do I submit a bug report? It's working with 3.1.3 :0
    (Exactly the same dependencies etc. - I downloaded both builds and saved an image before installing)

    Thanks for keeping me sane while I worked through it @sjau, I may have one or two queries about your acme.sh client in a little while (I'll try not to be a pest!) - I'm going to re-read the documentation, and have some coffee & a smoke before I continue...

    Rob.

    PS> I'd be grateful if you could edit your post with the domain name included (I know I'm being paranoid - but it's better safe than sorry, and I don't have the bandwidth for armies of bots!)
     
  10. sjau

    sjau Local Meanie Moderator

    edited it out.... acme.sh works great... only thing is if you want to use it for websites created by ispc, you'll just first let ispc create a self-generated cert, so you have config and ssl files in place and then you tell acme.sh to copy downloaded files at the right location....

    the advantage using ISPC's integrated LE is however, that you can edit stuff on the fly, add new aliases that get included etc....

    with acme.sh you can just alter the according domain.conf file but you'll have to do changes in two places.

    as for bugs: https://git.ispconfig.org/ispconfig/ispconfig3/issues
     
  11. FactionOne

    FactionOne Member

    Thanks for the edit.

    I think I'll probably let the panel & certbot do their thing for websites, but for everything else I'll use acme.sh instead of trying to 'fudge' things in the panel. I think I probably get the best of both worlds that way - websites are a bit less reliant upon my memory (having tickboxes and stuff), and non-web services can be secured without getting vhosts all tangled-up.

    Perhaps you might be able to clarify a few points for me before I proceed...

    i) I should leave the API user enabled? (for renewals [or are they 'internally' authenticated, meaning API user only required for initial generation?])
    ii) --reloadcmd is stored, and invoked when certificates are renewed (as well as when they're first installed)?
    iii) For pureftpd, I would concatenate the .key, .crt, and .bundle?
    iv) Does the following look valid? [It relies on my assumptions about (ii) & (iii)]
    Code:
    acme.sh --issue --dns dns_ispconfig \
    -d alpha.domain.tld \
    -d ftp.domain.tld \
    -d mail.domain.tld \
    --installcert \
    --certpath /usr/local/ispconfig/interface/ssl/ispserver.crt \
    --keypath /usr/local/ispconfig/interface/ssl/ispserver.key \
    --fullchainpath /usr/local/ispconfig/interface/ssl/ispserver.bundle \
    --reloadcmd "/root/regen-pureftp--restart-services.sh"
    Many thanks again for your help,

    Rob.

    PS> Thanks for bug report link - I'll be sure to file one; hopefully it's useful to the project.
     
    Last edited: Jun 25, 2017
  12. sjau

    sjau Local Meanie Moderator

API must be left enabled. So choose a good user with a strong password and grant only the necessary permissions. Every time you ask for a new cert, you will be asked to answer a challenge ... so every time it has to alter the DNS zone file.

yes, reloadcmd is run whenever you successfully retrieve new certs. You can alter it anytime by editing the domain.tld.conf file in the ~/.acme.sh/domain.tld folder... or wherever you told acme.sh to store the information.

    No idea about pureftpd

You also want to restart/reload apache when you get new certs... if you use the same certs for mail (dovecot/postfix) as well... don't know about the regen-pureftp--restart-services.sh script or what it does... so can't really answer that question.
     
  13. FactionOne

    FactionOne Member

    Thanks for clarifying.

    'regen-pureftp--restart-services.sh' was just my placeholder for a script which would first sort out the certificate for pureftpd, and then restart apache/dovecot/postfix (and pureftpd) as in the ispconfig example you've documented.

    As for pureftpd, I'll figure it out. My query was based upon what I had to do when using a StartSSL certificate, which was to generate a chain from the various CA certificates, then concatenate the key, certificate, and chain into a .pem for pureftpd:

    Code:
    cat startssl.sub.class1.server.ca.crt startssl.ca.crt > startssl.chain.class1.server.crt
    cat ispserver.{key,crt} startssl.chain.class1.server.crt > ispserver.pem
    I suppose what I'm actually wondering, is what's inside the .bundle?

    Thanks again!

    Rob.
     
  14. sjau

    sjau Local Meanie Moderator

you can also put the same commands into reloadcmd "command1; command2; command3". However, after some complexity you may want to use a separate script like you did...

    Both have advantages or disadvantages.... having it all in the acme config file means it's portable... no need to worry about other scripts....
    Not having it in the conf itself allows you to create much more complex scripts...

    I have this:

    Code:
    cat manager.roleplayer.org.conf 
    Le_Domain="manager.roleplayer.org" 
    Le_Alt="mail.roleplayer.org,mail.another.domain.tld,mail.otherdomain.tld,mail.xxxx.tld" 
    Le_Webroot="/var/www" 
    Le_PreHook="" 
    Le_PostHook="" 
    Le_RenewHook="" 
    Le_LocalAddress="" 
    Le_API="https://acme-v01.api.letsencrypt.org" 
    Le_Keylength="4096" 
    Le_LinkCert="https://acme-v01.api.letsencrypt.org/acme/cert/xxx" 
    Le_LinkIssuer="https://acme-v01.api.letsencrypt.org/acme/issuer-cert" 
    Le_CertCreateTime="1496527741" 
    Le_CertCreateTimeStr="Sat Jun  3 22:09:01 UTC 2017" 
    Le_NextRenewTimeStr="Wed Aug  2 22:09:01 UTC 2017" 
    Le_NextRenewTime="1501625341" 
    Le_RealCertPath="/usr/local/ispconfig/interface/ssl/ispserver.crt" 
    Le_RealCACertPath="" 
    Le_RealKeyPath="/usr/local/ispconfig/interface/ssl/ispserver.key" 
    Le_ReloadCmd="systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix" 
    Le_RealFullChainPath="/usr/local/ispconfig/interface/ssl/ispserver.bundle"
    
As you can see, the reload command can run separate commands :)
     
  15. FactionOne

    FactionOne Member

    Magic, thanks. (Also, 'realfullchainpath' suggests that is what I need to append to the key & crt for pureftpd -great.)

    Rob.
     
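    A worked version of the placeholder reload script discussed above (an added example, not a script from the thread or from the acme.sh project). It assumes the install paths used in this thread and assumes pure-ftpd-mysql as the Debian/ISPConfig service name. acme.sh's fullchain file already contains the leaf certificate followed by the intermediates, so key + fullchain is the complete pure-ftpd .pem; concatenating key, crt and bundle would include the leaf twice.

```shell
#!/bin/sh
# regen-pureftp--restart-services.sh (assumed name, from the thread):
# build the pure-ftpd .pem from the acme.sh --install-cert outputs,
# then reload the services that share the certificate.
# All paths and service names are assumptions for this example.
CERT_DIR="${CERT_DIR:-/usr/local/ispconfig/interface/ssl}"
PUREFTPD_PEM="${PUREFTPD_PEM:-/etc/ssl/private/pure-ftpd.pem}"

# pem_count FILE MARKER: number of "-----BEGIN ...MARKER-----" blocks
# (matches "PRIVATE KEY", "RSA PRIVATE KEY", "CERTIFICATE", ...).
pem_count() {
    n=$(grep -c -- "^-----BEGIN .*$2-----" "$1" 2>/dev/null) || true
    echo "${n:-0}"
}

# build_pureftpd_pem KEY FULLCHAIN OUT
# Refuses empty inputs (the 0-byte files seen later in the thread would
# otherwise produce a useless .pem), writes with mode 600 atomically, and
# checks the result holds one key and at least leaf + one intermediate.
build_pureftpd_pem() {
    key=$1; chain=$2; out=$3
    if [ ! -s "$key" ] || [ ! -s "$chain" ]; then
        echo "build_pureftpd_pem: missing or empty input" >&2
        return 1
    fi
    tmp="$out.tmp.$$"
    ( umask 077; cat "$key" "$chain" > "$tmp" ) || return 1
    if [ "$(pem_count "$tmp" 'PRIVATE KEY')" -ne 1 ] ||
       [ "$(pem_count "$tmp" 'CERTIFICATE')" -lt 2 ]; then
        echo "build_pureftpd_pem: unexpected PEM content, not installing" >&2
        rm -f "$tmp"
        return 1
    fi
    mv "$tmp" "$out"
}

# reload_services: same reload set as sjau's Le_ReloadCmd, plus pure-ftpd.
reload_services() {
    systemctl reload apache2
    systemctl restart dovecot
    systemctl reload postfix
    systemctl restart pure-ftpd-mysql   # assumed service name
}

main() {
    build_pureftpd_pem "$CERT_DIR/ispserver.key" \
                       "$CERT_DIR/ispserver.bundle" "$PUREFTPD_PEM" || exit 1
    reload_services
}

# Invoke as: --reloadcmd "/root/regen-pureftp--restart-services.sh run"
if [ "${1:-}" = "run" ]; then main; fi
```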
  16. sjau

    sjau Local Meanie Moderator

    I just noticed I haven't used dns-01 there :) time to fix that
     
  17. FactionOne

    FactionOne Member

    Hello again :S

    I'm wondering if you can help me out, @sjau ?

During my troubled attempts last week with 3.1.4, I hit a letsencrypt rate limit, so I had to wait until today to finalise everything.

    I've got acme.sh installed, I've tested my regen-pureftp--restart-services script; I've backed-up all my old self-signed certificates, and run the export commands to populate environment variables with my remote API details.

    When I run the command, I just get: Domain is not valid:'alpha.mydomain.co.uk'
    [where mydomain is my valid domain]

    I've enabled logging in .acme.sh/account.conf, but there are only two lines above that error (using config, and domain_path)

    The command I executed was:
    Code:
    ./acme.sh --issue --keylength 4096 --dns dns_ispconfig \
    -d alpha.mydomain.co.uk \
    -d ftp.mydomain.co.uk \
    -d mail.mydomain.co.uk \
    -d ns1.mydomain.co.uk \
    -d webmail.mydomain.co.uk \
    --installcert \
    --certpath /usr/local/ispconfig/interface/ssl/ispserver.crt \
    --keypath /usr/local/ispconfig/interface/ssl/ispserver.key \
    --fullchainpath /usr/local/ispconfig/interface/ssl/ispserver.bundle \
    --reloadcmd "/root/regen-pureftp--restart-services.sh"
    alpha.mydomain.co.uk has an A record in DNS (I can access it (http) from the machine I'm writing from, which is configured to use Google's DNS servers). The mydomain.co.uk zone is fully configured in ISPConfig.

    I'd be grateful if you could suggest what I've made a mess of! :)

    Thanks,

    Rob.


EDIT: I think the penny may have dropped... Do I need to add the root domain in the command? (Of course it shouldn't make any difference that the ISPConfig sites panel has its own certificate for that domain.)

    EDITagain: Oh. That's not it - I just get the error for 'mydomain.co.uk not valid' that way.
     
    Last edited: Jun 29, 2017
  18. sjau

    sjau Local Meanie Moderator

    is your domain hosted by ISPConfig?
    Did you create a Remote User for ISPConfig?
    Did you export the credentials and URL in the cli before issuing the acme.sh script?

    The ISPConfig Remote Credentials should be stored in the ~/acme.sh/account.conf file:

    Code:
    cat account.conf  
    #ACCOUNT_CONF_PATH=xxxx 
    
    #[email protected]  # the account email used to register account. 
    #ACCOUNT_KEY_PATH="/path/to/account.key" 
    #CERT_HOME="/path/to/cert/home" 
    
    
    #LOG_FILE="/root/.acme.sh/acme.sh.log" 
    #LOG_LEVEL=1 
    
    #AUTO_UPGRADE="1" 
    
    #NO_TIMESTAMP=1 
    #OPENSSL_BIN=openssl 
    
    #USER_AGENT="acme.sh/2.6.5 (https://github.com/Neilpang/acme.sh)" 
    
    USER_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' 
    
    
     
    ISPC_User='user' 
    ISPC_Password='password' 
    ISPC_Api='https://manager.roleplayer.org:8080/remote/json.php' 
    ISPC_Api_Insecure='1'
    
And why even bother to anonymize your domain? All domains that get a cert through LE are published anyway.
     
  19. FactionOne

    FactionOne Member

    As above:

    Yes, the domain is hosted by ISPConfig.
    (The nameservers are glued at the registrar to two of my IPs - one of which is for alpha.mydomain.co.uk - which is configured inside a mydomain.co.uk zone in ISPConfig; there's an A record for alpha.mydomain.co.uk [actually all the SANs being requested])

    Yes, I set up an ISPC Remote API user with DNS Zone and DNS TXT rights.

    Yes, I exported the details (credentials, URL, and insecure flag) to environment variables; checking with printenv returns them OK.

    All I have in account.conf is:
    Code:
    LOG_FILE="/root/.acme.sh/acme.sh.log"
    LOG_LEVEL=1
    
    #AUTO_UPGRADE="1"
    
    #NO_TIMESTAMP=1
    ...I installed (with cURL) and ran acme.sh as root.

    As for anonymizing my domain - I do it because I take a 'better safe than sorry' attitude to security/privacy. Anyone walking down my street can see my house, but there's more snooping required to find out who lives in it; even 0.1% better privacy/security because of that has got to be a good thing? Yes, certificate details are published, but someone searching needs to know what they're looking for. Also, unless I'm a total idiot(?) it doesn't really make a difference i) I'm not one of life's over-confidents, but I'm pretty confident it's set-up correctly; ii) any detail can be posted with 'mydomain' replaced as an example.

    Actually, you'll probably still have my domain in an autocomplete from when you checked that no certificate was being offered with the letsencrypt integration glitch I had [it starts 'g'] :) I'll gladly PM it to you if you wish(?), of course. I don't mean to bite the hand which feeds me - I'm sincerely grateful for (and respectful of) your help; I hope you can understand where I'm coming from.

    Many thanks again,

    Rob.

    ------------------------------------------
    EDIT: I noticed that perhaps the syntax I'd suggested above (based on an example in a linked-thread) might not be quite right, according to acme.sh --help. It appears for output I'd want to be using (for example) --key-file rather than --keypath, that --issue might be extraneous with --installcert(?) (and that probably needed to be --install-cert?)

    Anyway, the latest 'polished' command I've executed is:

    Code:
    acme.sh --install-cert --dns dns_ispconfig --keylength 4096 \
    -d mydomain.co.uk \
    -d alpha.mydomain.co.uk \
    -d ftp.mydomain.co.uk \
    -d mail.mydomain.co.uk \
    -d ns1.mydomain.co.uk \
    -d webmail.mydomain.co.uk \
    --cert-file /usr/local/ispconfig/interface/ssl/ispserver.crt \
    --key-file /usr/local/ispconfig/interface/ssl/ispserver.key \
    --ca-file /usr/local/ispconfig/interface/ssl/ispserver.ca.chain \
    --reloadcmd "/root/regen-pureftp--restart-services.sh" \
    --fullchain-file /usr/local/ispconfig/interface/ssl/ispserver.bundle
    I've tried with and without --issue, and with and without the first -d entry; every combination returns that the first specified domain is invalid. ...I've even tried dirty things like fudging the API details into the account.conf manually; again with no difference.

    I see only two parts in the main acme.sh where 'Domain is invalid' might be thrown; in order to double-check that it's happening from within the install-cert function, I edited the error return string. [As one would expect] that is where it's coming from, I'm yet to figure out why :s

    I'll keep looking at the documentation and code myself, but I'm not having much luck.

    Thanks,

    Rob.

    EDITagain ..I'll shut up now :|

    I found --debug 2, tried some more. Out of curiosity at some 'no such file or directory' output, I ran mkdir /root/.acme.sh/mydomain.co.uk, and it got further, so I chmod -R 777, and this is the output:
    Code:
    [Fri 30 Jun 00:45:35 UTC 2017] Lets find script dir.
    [Fri 30 Jun 00:45:35 UTC 2017] _SCRIPT_='/root/.acme.sh/acme.sh'
    [Fri 30 Jun 00:45:35 UTC 2017] _script='/root/.acme.sh/acme.sh'
    [Fri 30 Jun 00:45:35 UTC 2017] _script_home='/root/.acme.sh'
    [Fri 30 Jun 00:45:35 UTC 2017] Using config home:/root/.acme.sh
    [Fri 30 Jun 00:45:35 UTC 2017] LE_WORKING_DIR='/root/.acme.sh'
    https://github.com/Neilpang/acme.sh
    v2.7.3
    [Fri 30 Jun 00:45:35 UTC 2017] Using config home:/root/.acme.sh
    [Fri 30 Jun 00:45:35 UTC 2017] _ACME_SERVER_HOST='acme-v01.api.letsencrypt.org'
    [Fri 30 Jun 00:45:35 UTC 2017] DOMAIN_PATH='/root/.acme.sh/mydomain.co.uk'
    [Fri 30 Jun 00:45:36 UTC 2017] Installing cert to:/usr/local/ispconfig/interface/ssl/ispserver.crt
    cat: /root/.acme.sh/mydomain.co.uk/mydomain.co.uk.cer: No such file or directory
    [Fri 30 Jun 00:45:36 UTC 2017] Installing CA to:/usr/local/ispconfig/interface/ssl/ispserver.ca.chain
    cat: /root/.acme.sh/mydomain.co.uk/ca.cer: No such file or directory
    [Fri 30 Jun 00:45:36 UTC 2017] Installing key to:/usr/local/ispconfig/interface/ssl/ispserver.key
    cat: /root/.acme.sh/mydomain.co.uk/mydomain.co.uk.key: No such file or directory
    [Fri 30 Jun 00:45:36 UTC 2017] Installing full chain to:/usr/local/ispconfig/interface/ssl/ispserver.bundle
    cat: /root/.acme.sh/mydomain.co.uk/fullchain.cer: No such file or directory
    [Fri 30 Jun 00:45:36 UTC 2017] Run reload cmd: /root/regen-pureftp--restart-services.sh
    regen/restart script test complete
    [Fri 30 Jun 00:45:36 UTC 2017] Reload success
    There are files in the backup folder, and in /usr/local/ispconfig/interface/ssl/, but they're all 0 bytes. There is a mydomain.co.uk.conf file, but it's not got much in it(?) - just paths and reloadcmd. The only recent new certificate shown in the public list [at crt.sh] is the one issued for the main site by the ISPC LE integration.
     
    Last edited: Jun 30, 2017
  20. sjau

    sjau Local Meanie Moderator

separate --issue and --install into separate commands. Also provide the according log.
     