Hello, I recently set up a server with ISPConfig 3.2 and had an SSL certificate created during the installation. Now I would like to add more domains to the certificate and use the idea from "https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/". Is it sufficient to apply this, or does this then possibly lead to problems with the certificate created during installation? A certificate for the same TLD should be used, which was already deposited during the installation. Greetings Bernd
Newly set up servers use acme.sh and the hook system, so I personally think that there is no way you can use that tutorial safely without a lot of untested modifications with LE SSL certs issued by the new ISPConfig 3.2 system. Although I think I can rewrite my whole tutorial to accommodate requests like this, I am not, however, so sure I should, as I already prepared to rewrite it in the ISPConfig installer lib as I mentioned in another thread, but the responses there are too few to be considered encouraging for me to do so.
You can use that guide; if you use acme.sh, remember to change the paths for the certificates and don't let the update script issue a new cert.
If acme.sh is already working on the server: I think I need to deactivate it. If I set up a site with the same FQDN as used for server installation there will be two systems updating the certificate. So I think I must deactivate the usage of acme.sh. How can this be done? Bernd
certbot and acme.sh update only their own certs, so acme.sh will not update certbot certs and vice versa. If you don't use acme.sh, then it's a good idea to uninstall it indeed, as it makes no sense to run both tools when no certs are issued via acme.sh.
But what if, for example, I have the following situation: the FQDN of the ISPConfig server is server1.domain.tld. Certs are created when installing ISPConfig. So certs for the ISPConfig frontend, mail, ftp, ... are set by acme. Now I want to have a web page for server1.domain.tld which should use a Let's Encrypt certificate. If I do this, both acme and certbot will try to create the cert. And as far as I understood, both will create the certificates in /etc/letsencrypt/live, or am I wrong with that? Will there be problems, or are both certbot and acme smart enough not to update if it is not needed? Greetings Bernd
Ok. I thought so. Is it possible to disable acme.sh if you want to switch to certbot afterwards? What do you have to do for that? Or am I on a totally wrong way and certbot is not used by ISPConfig anymore? I set the server up with ISPConfig 3.2 and used the perfect server setup for Ubuntu 20.04. There certbot is installed, if I remember correctly. Greetings Bernd
It is currently not easy to migrate from certbot to acme.sh or vice versa. I would not attempt so on a production system. Stick to one of them.
I looked into /usr/local/ispconfig/server/scripts/letsencrypt_renew_hook.sh. Is this the script that is responsible for doing all the updates for the Let's Encrypt certificates? If so, I understand it that way, that if certbot is installed and there is no acme.sh installed with some data in /root/.acme.sh, certbot will be used by ISPConfig? If this is correct, I think I would not have any problem if I create a site for the server with the same domain name that was used when setting up ISPConfig. Or am I wrong with that? Greetings Bernd
If you had certbot already, I would remove all acme.sh files and the program. Then keep using certbot for all certs.
Hello I assume in the meantime that I have succumbed to a misunderstanding. I thought that ispconfig uses acme.sh by default and brings this itself if necessary. But after the comments in this post I assume that ispconfig uses what it finds. Since I never installed and used acme.sh when setting up the machines but installed certbot from the beginning (before ispconfig came on the machine) I can probably assume that certbot does the job and I don't actually have a problem. I still have an older installation on which I used the instructions https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/. Here I probably need to remove the traces of this customization to update ispconfig. Is that correct? Greetings Bernd
Yes. You can try using the code in my LE4ISPC removal script (or simply download and run that script).
Correct, ISPConfig uses certbot, if it's installed, or acme.sh, if installed. But you should not install both, as this may lead to conflicts, as certbot and acme.sh both serve the same purpose. So if you have a system that uses certbot already, or a system where you plan to migrate sites to (e.g. by using the Migration Tool) from a system that uses certbot, then use certbot on the new system as well. If you are installing a new system and don't plan to migrate old websites (with certbot-generated LE certs), then better use acme.sh, as certbot has a long history of problems like corrupting its own conf files, not renewing certs, or the latest fun that they stopped providing it as a 'normal' installable software (it's just Python as far as I know, so there should be no issues to run it on any Linux distribution like any normal Python program) and forcing sysadmins to install snap on a server.
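
The case raised in this thread, one name with certificate state under both certbot and acme.sh, can be checked before removing either tool. The script below is an added example, not part of any post and not ISPConfig code; it assumes the clients' default state directories (/etc/letsencrypt/live and /root/.acme.sh), and the function names and the CERTBOT_LIVE / ACME_HOME variables are hypothetical.

```shell
#!/bin/sh
# Added example: report names that have certificate state under BOTH clients.
# Assumed layouts: certbot keeps <live>/<name>/cert.pem; acme.sh keeps
# <home>/<name>/<name>.conf, or <home>/<name>_ecc/<name>.conf for ECC keys.
LC_ALL=C; export LC_ALL

# One certbot lineage name per line.
certbot_names() {
    live_dir=$1
    [ -d "$live_dir" ] || return 0
    for d in "$live_dir"/*/; do
        [ -e "${d}cert.pem" ] || continue
        basename "$d"
    done | sort -u
}

# One acme.sh domain per line; helper dirs (deploy, dnsapi, ...) are
# skipped because they contain no <name>.conf file.
acme_names() {
    home=$1
    [ -d "$home" ] || return 0
    for d in "$home"/*/; do
        name=$(basename "$d")
        name=${name%_ecc}
        [ -f "${d}${name}.conf" ] || continue
        printf '%s\n' "$name"
    done | sort -u
}

# Names present in both lists: these are the ones where two renewers
# could each hold a certificate for the same host.
overlapping_names() {
    acme_list=$(acme_names "$2")
    certbot_names "$1" | while read -r n; do
        if printf '%s\n' "$acme_list" | grep -Fxq -- "$n"; then
            printf '%s\n' "$n"
        fi
    done
}

# Default run: prints nothing when there is no overlap.
overlapping_names "${CERTBOT_LIVE:-/etc/letsencrypt/live}" \
                  "${ACME_HOME:-/root/.acme.sh}"
```

Run it as root so /root/.acme.sh is readable; an empty result means no name is held by both clients.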