Using CF for SSL discussion

Discussion in 'Developers' Forum' started by slagroom, Sep 2, 2023.

  1. slagroom

    slagroom Member

    As I intend to require using CloudFlare api with wildcard LetsEncrypt certs via DNS, is there a recommended way to use certbot with ispconfig and implement this? Or do I -for now- have to manually overwrite the certs via a post-cert-update script which runs a second SSL cert request (one using CF api for DNS and *.domain.tld)? This will probably cause issues with LetsEncrypt, no? So I would probably have to find a way to skip ispconfig creating the LE certs for me, despite having that option chosen/set in config. Any advice from people already using CF api for wildcard cert together with ISPconfig?
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yup. That was my idea but I haven't formulated the best way to integrate the same in ISPConfig though the idea should still work and I have been using it on my server ever since.

    For now the most viable approach might be to create the LE SSL certs in the default way, then edit the renewal conf file with the right parameters and finally run certbot force renewal manually on the said domain to get new LE SSL certs based on its customized renewal config with wildcard and/or others like e.g. ECDSA type with EC key.

    Please note that the above should work in theory but is not yet fully tested.
     
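As an added example (not code from this thread, from ISPConfig or from certbot), the procedure in the post above written out as a script: take the renewal conf certbot already wrote for a domain, switch it to DNS-01 through the Cloudflare plugin, then force a renewal. It assumes the standard certbot layout (/etc/letsencrypt/renewal/<cert-name>.conf) and the certbot-dns-cloudflare plugin; the credentials path, the sample conf contents and the webroot path are constructed sample values.

```shell
#!/bin/sh
# Added example; not code from the thread, from ISPConfig or from certbot.
# Assumed: certbot's standard layout (/etc/letsencrypt/renewal/<cert-name>.conf)
# and the certbot-dns-cloudflare plugin, whose option names
# (dns_cloudflare_credentials, dns_cloudflare_propagation_seconds) certbot
# writes into the renewal conf.
set -eu

# Rewrite one renewal conf in place so the next renewal uses dns-cloudflare.
#   $1 = renewal conf   $2 = Cloudflare credentials ini   $3 = DNS propagation wait (s)
rewrite_renewal_conf() {
    conf=$1; creds=$2; secs=${3:-60}
    [ -f "$conf" ] || { echo "no such renewal conf: $conf" >&2; return 1; }
    tmp=$(mktemp)
    awk -v creds="$creds" -v secs="$secs" '
        # [[webroot_map]] is a sub-section of [renewalparams] that maps names to
        # HTTP-01 webroots; it has no meaning for DNS-01, so drop it entirely.
        /^\[\[webroot_map\]\]/ { skip = 1; next }
        /^\[/ && skip          { skip = 0 }
        skip                   { next }
        # Drop the HTTP-01 settings that would conflict with the DNS plugin.
        /^(authenticator|installer|webroot_path|pref_challs) *=/ { next }
        { print }
        # Directly under the section header, add the DNS-01 settings.
        /^\[renewalparams\]/ {
            print "authenticator = dns-cloudflare"
            print "dns_cloudflare_credentials = " creds
            print "dns_cloudflare_propagation_seconds = " secs
        }
    ' "$conf" > "$tmp"
    cat "$tmp" > "$conf"   # write through, keeping the conf's owner and mode
    rm -f "$tmp"
}

# Confirm a renewal conf is set for DNS-01 and that the credentials file is not
# readable by other users (the ini holds a Cloudflare API token).
check_renewal_conf() {
    conf=$1
    auth=$(sed -n 's/^authenticator *= *//p' "$conf")
    [ "$auth" = dns-cloudflare ] || { echo "$conf: authenticator is '$auth', not dns-cloudflare" >&2; return 1; }
    creds=$(sed -n 's/^dns_cloudflare_credentials *= *//p' "$conf")
    if [ -e "$creds" ] && mode=$(stat -c %a "$creds" 2>/dev/null) && [ "$mode" != 600 ]; then
        echo "$creds: mode $mode, expected 600" >&2; return 1
    fi
    echo "$conf: DNS-01 via dns-cloudflare, credentials $creds"
}

# Demo on a constructed copy of a renewal conf (sample values, not from a real host).
main() {
    work=$(mktemp -d)
    conf=$work/example.com.conf
    cat > "$conf" <<'EOF'
version = 2.6.0
archive_dir = /etc/letsencrypt/archive/example.com
cert = /etc/letsencrypt/live/example.com/cert.pem
fullchain = /etc/letsencrypt/live/example.com/fullchain.pem

# Options used in the renewal process
[renewalparams]
account = 0123456789abcdef
authenticator = webroot
server = https://acme-v02.api.letsencrypt.org/directory
key_type = ecdsa
webroot_path = /var/www/acme,
[[webroot_map]]
example.com = /var/www/acme
EOF
    rewrite_renewal_conf "$conf" /root/.secrets/cloudflare.ini 30
    check_renewal_conf "$conf"
    cat "$conf"
    # The renewal conf carries no domain list: 'certbot renew' re-issues the names
    # already in the cert. To add the wildcard, issue once with the DNS plugin and
    # -d for both names; after that 'certbot renew' keeps the DNS-01 settings.
    echo "next: certbot certonly --cert-name example.com -d example.com -d '*.example.com' \\"
    echo "        --dns-cloudflare --dns-cloudflare-credentials /root/.secrets/cloudflare.ini"
    echo "then:  certbot renew --cert-name example.com --force-renewal"
    rm -rf "$work"
}

if [ "${1:-}" = demo ]; then main; fi
```

Run it with `sh script.sh demo` to see the rewritten conf on a throwaway copy; point `rewrite_renewal_conf` at the real file only after checking the credentials ini is mode 600, since the API token in it can change DNS for the whole zone.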
  3. slagroom

    slagroom Member

    What do you mean by this? If you're getting your certs this way, how have you implemented this in an existing ispconfig install? I understand that I can easily overwrite existing certs with the CF/DNS/wildcard versions of them, but what have you done in ispconfig to not have it overwrite/overrule your certs? What config for ispconfig are you using?
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    In your post, you are referring to my post, so do read all and the related links in it.

    Originally, I coded it in such a way that it should work with even custom SSL certs and for LE SSL certs, ISPConfig definitely won't overwrite it because they are from the same LE SSL folder be it using acme.sh or certbot.
     
  5. slagroom

    slagroom Member

    That's not true. Certbot creates the certs under /etc/letsencrypt/archive/domain.tld/* and then symlinks them from /etc/letsencrypt/live/domain.tld/* while ISPconfig creates the certs under /var/www/clients/client0/web1/ssl/*
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    That's not the case, only self-signed certs get created in /var/www/clients/client0/web1/ssl/ by ISPConfig using the openssl command. LE certs created by certbot are in /etc/letsencrypt/live/domain.tld/ and ISPConfig creates a symlink to them; acme.sh works differently, it creates the certs in /root/.acme.sh/ and then acme.sh itself copies the certs to /var/www/clients/client0/web1/ssl/

    Btw. @ahrasis wrote the first implementation of LE for ISPConfig, so he really knows what he is talking about.
     
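As an added example (not part of the thread and not ISPConfig's own code), a shell check for the distinction drawn in the post above: a site's ssl files are symlinks into /etc/letsencrypt/live/ when certbot issued the cert, plain copies when acme.sh did (with acme.sh's own state under /root/.acme.sh/), and plain openssl-generated files when self-signed. The base directories are parameters so it can run against a copied tree; the vhost file naming (`<domain>.vhost`, optionally with a numeric prefix) and acme.sh's per-domain directory name (`<domain>` or `<domain>_ecc`) are assumptions, and the sample tree built in the test is constructed.

```shell
#!/bin/sh
# Added example; not code from the thread or from ISPConfig. Layout assumed
# (as described in the thread): certbot certs under <le_dir>/live/<domain>/ with
# the site's ssl files symlinked to them; acme.sh state under <acme_home>/ with
# the issued cert copied into /var/www/clients/clientN/webN/ssl/; self-signed
# certs as plain files there.
set -eu

# First ssl_certificate path in an nginx vhost conf ($1); empty if none.
ssl_cert_path() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]]\{1,\}\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Classify a certificate file: certbot, acme.sh, self-signed-or-custom, or missing.
#   $1 = cert path   $2 = domain
#   $3 = certbot config dir (default /etc/letsencrypt)
#   $4 = acme.sh home (default /root/.acme.sh)
cert_origin() {
    cert=$1; domain=$2; le_dir=${3:-/etc/letsencrypt}; acme_home=${4:-/root/.acme.sh}
    [ -e "$cert" ] || [ -L "$cert" ] || { echo missing; return 1; }
    if [ -L "$cert" ]; then
        target=$(readlink "$cert")
        case "$target" in
            "$le_dir"/live/*) echo certbot ;;
            *)                echo "symlink:$target" ;;   # a custom cert linked in by hand
        esac
        return 0
    fi
    # A regular file in the site's ssl dir: acme.sh copies its cert here, and so
    # does the self-signed path; acme.sh's own state dir for the domain settles it.
    if [ -d "$acme_home/$domain" ] || [ -d "$acme_home/${domain}_ecc" ]; then
        echo acme.sh
    else
        echo self-signed-or-custom
    fi
}

# Walk every nginx vhost and print domain, cert path and origin (tab separated).
#   $1 = vhost dir (default /etc/nginx/sites-enabled); assumes <NNN->domain.vhost names
report_vhosts() {
    dir=${1:-/etc/nginx/sites-enabled}
    for vh in "$dir"/*.vhost; do
        [ -f "$vh" ] || continue
        domain=$(basename "$vh" .vhost | sed 's/^[0-9]*-//')
        cert=$(ssl_cert_path "$vh")
        [ -n "$cert" ] || { printf '%s\tno ssl_certificate\n' "$domain"; continue; }
        printf '%s\t%s\t%s\n' "$domain" "$cert" "$(cert_origin "$cert" "$domain")"
    done
}

if [ "${1:-}" = report ]; then report_vhosts "${2:-}"; fi
```

Running `sh check.sh report` on a host lists each vhost with where its cert really comes from, which answers the "is it certbot or acme.sh" question from the files rather than from the debug log.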
  7. slagroom

    slagroom Member

    I just looked at an added domain's nginx conf and at the certs when I had set it to use LetsEncrypt for that domain, and it didn't create certs under /etc. Not sure what you mean here either. I just want to explain to you that it's unclear where (and when, at what stage of config or save or OK or apply) LetsEncrypt certs are requested and stored by ISPconfig.
    I'm not doubting ahrasis' expertise, I'm just noting what I'm seeing happening. And frankly, in the case of the domain I added from within ISPconfig, the browser says it has a valid LE cert, and in its nginx conf it points to the ISPconfig dir, not the /etc dir. For me what ISPconfig does is a blackbox, it doesn't tell me when or where it is creating certs.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Which means you use acme.sh and not certbot.

    That's what I explained above:

    ISPConfig explains in detail what it is doing, you just must request all the details by setting the log level to debug mode:

    https://www.faqforge.com/linux/debugging-ispconfig-3-server-actions-in-case-of-a-failure/
     
  9. slagroom

    slagroom Member

    I have installed ISPconfig as per the manuals and requirements, I have no idea what it is using. I have only just installed certbot, also as per their manuals and requirements, using snapd, in order to be able to get wildcard domain certs via CF DNS. I have used a shell command to grab a wildcard cert for a domain that was already using a LE cert in ISPconfig. You make it sound like the switch is easy to have ISPconfig use certbot instead, but as it stands, I have not found out where to set that.

    Of course I can look at logs, but it would be better, I think, in general, to give the user feedback as to when, where, how it obtained certs from within the web-UI.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It is now clear from what I gathered you are a newbie and do not really know what you are doing; while on the other hand, this is quite an advanced topic and to attempt it you need to have more than average knowledge and understanding on ISPConfig, its coding, Let's Encrypt and its clients in it and general linux.

    To me, the steps I mentioned earlier are already clear to most advanced users.

    Claiming things don't work without any supply of required and relevant info definitely won't help me and/or others to help you.

    If I were to help you I will need details of your ISPConfig setup, which tutorial you followed, because there are ISPConfig manual and automated install tutorials and the latter install does acme.sh by default.

    It is due to the fact that you cannot simply install certbot after that and expect ISPConfig to automatically use the latter without properly removing acme.sh thoroughly and reconfiguring your ISPConfig server again.

    I think it is better for you to start your own topic asking how to setup your ISPConfig server specifying your needs.

    Starting or restarting from the very beginning is always good for learning and acquiring knowledge and experience, so try it and good luck.
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    I nowhere said that. You can choose between certbot and acme.sh at install time and acme.sh is the default LE client. ISPConfig supports both LE clients equally, but you can not change that later, at least not easily and not without deeper knowledge on LE clients and ISPConfig.

    You should really just use ISPConfig instead of trying to change it, ISPConfig works fine as it is and it provides the features needed by almost all users. The topics you are trying to work on are not really needed and not used by many users, that's why ISPConfig does not cover them by default. You should gather first more experience on these topics and on ISPConfig in general before trying to tweak things in a setup that's working perfectly fine.

    For example DNS validation: Most users would simply fail to generate DNS records using this method. For them, domain-based validation is way easier as it can happen automatically without the need to use APIs of third-party domain or DNS providers and domain validation covers all their needs for getting valid SSL certs from LE. This said, you can use DNS validation of course and some users do that, but it requires knowledge on what you do, and if you do not have that yet, you better stick with what's recommended and what works.

    You can see all this in the web GUI as well. And no, the regular user does not want to get overwhelmed with debug output of what is obtained by which software and why and which paths get used, they just want to get an SSL cert from Let's Encrypt. That's why such information is only visible in the GUI in the monitor module and on the shell when you explicitly enable debug log level.
     
    ahrasis likes this.
  12. slagroom

    slagroom Member

    I don't think you're capable of gathering any of that from what little I've written, you're probably more of a 'noob' than I am. Especially where linux is concerned. I've been using and administering unix and linux machines ever since the mid 90s. I've used acme.sh, certbot and LetsEncrypt probably even before any of you two used it, heck I've even been involved in their forums when it came into existence. I'm age 57.

    The problem with both your responses is that you're not really helping. You're pointing me elsewhere, claiming "read what I've written before", which I did, it does not explain or instruct anyone anywhere on how to make ISPconfig use certbot for the CF api instead of Pang's acme. As far as I understand it, ISPconfig tries to be a control panel, with a web-based GUI. It has its limits, I'm sure, but it does not tell the UI user what it is doing. For that I need to go to the shell anyway. Fine by me. I will probably just ignore ISPconfig for SSL altogether and somehow override the templates with my own SSL/TLS cert paths, and then recreate domains using the UI and edit the config for web and mail by hand if needed.

    Still, as I wrote earlier elsewhere, it would be nice if you could export all ISPconfig DNS-records to Cloudflare using their api at every renewal of any DNS-record. That way you don't have to mess around with LE over port 80 anymore and have the wildcard domains so you can use one cert for mail and all the rest per domain etc. And you could easily export the DKIM, dmarc, DANE/TLSA records as well.
    I'd like to help with cloudflare integration, like I wrote earlier, but it seems to me there's no real incentive for it. You're not putting ISPconfig on github, because you're trying to make some money with it. I can understand that, but then don't pretend to be the open source hero you're not. I'm not doing that either. It's not helpful.
     
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Ok. Yeah. Whatever smarty. You figure it out on your own yeah, and since what you said must be so true to you thus wise you don't need us or our help. Good luck smarty.

     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    Great so you are an experienced Linux admin, you know where the two LE clients are storing certs by default, you know where their log files are, and as ISPConfig uses the default folders of both LE clients, you know where the certs are on your system as all this is not ISPConfig specific in any way. ISPConfig is probably the most standard compatible Hosting Control Panel as we use the default config file folders for all configured services and not any ISPConfig-specific ones.

    That's not the case, you can see all this in the GUI too, depending on the log level you have chosen. This has been explained in post #24.

    Do whatever you want :) Or tick the SSL and Let's Encrypt checkbox and have everything set up automatically by ISPConfig as anyone else does.

    Everybody who would like to join development can sign up for an account on the ISPConfig GitLab system at https://git.ispconfig.org

    You mix up quite a few things here as neither DMARC nor DKIM is related to a LE SSL cert, and ISPConfig creates DKIM certs and adds them to DNS automatically, and you can create a DMARC record in ISPConfig too. CF is not needed for that.

    I understand you love CF and want to use their service instead of running your own systems. But that's not how everyone wants to set up their servers and bind them to a commercial service like CF.

    Why should we have to put our code on a commercial Microsoft platform to be an open-source project? We do not put ISPConfig on GitHub as we run our own GitLab infrastructure at https://git.ispconfig.org/ispconfig/ispconfig3/

    So we asked you for money to get the ISPConfig software or access its source code, really?

    I do not pretend to be anything. We allow you to use the code that we have written under an OSI-approved BSD Open-Source license. That's all. And the ISPConfig developers and community even helps users here for free in the forum.
     
    Farsus, nhybgtvfr and ahrasis like this.
  15. slagroom

    slagroom Member

    I still don't see ISPconfig having created a symlink to the certbot LE certs. The nginx ssl confs are pointing to the certs in the ISPconfig /client*/web*/ssl/ dirs, and they are created by acme, they're not suddenly changing to symlinks. So no, this is just not true, which is what I was saying earlier as well. Perhaps something fails because I'm running Debian 12, but I doubt it.

    I will not be the only one bumping into this, and it's not me here, it's the way you two communicate or explain things. You don't have to be a noob not to get this. And it's not "over and done with" as soon as you call some user a noob who needs to 'read x or y'.
     
    Last edited: Sep 6, 2023
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Because you are still using acme.sh and not certbot, and as you do not want me to refer to texts in the forum that explain things or let you know that this has been explained here in this thread already, I will not do that. @slagroom, please do not read the following sentences. They are not intended for you: As I mentioned above in post #24, you can not switch from one LE client to another one easily after you install the system. So even if you install certbot, the system will continue using acme.sh unless acme.sh is completely removed. You see this in detail in the debug log in the GUI or on the shell, but only noobs like me will follow a FAQ or debug instructions. The LE client is chosen at install time. There is a flag in the auto-installer for that: https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

    Thank you for confirming what I said in #24:

    Oh, sorry, referred again to a text I have written for you already, which I should not have done as this is a bad style of communication, in your opinion. So please disregard this answer.

    This is not related to Debian 12. The LE client is chosen at install time and cannot be changed later easily.

    Most users are fine with having a working LE cert in the way ISPConfig provides it. But yes, some users like you do not like a certain aspect of software.

    Yes, I'm sorry. It's my fault.

    Sure, any professional user will get this as well.

    Of course not. Professional users never read documentation or texts they get referred to by others as they know things already. That's why I'm not a professional user, I read a text if someone who supposedly knows a software better than me refers me to that text. And I did not call you a noob, I just said that changing certain aspects of a software to make it work in another way than it's intended to work requires deep knowledge about that software and if you do not have that knowledge, it might be better not to try to change it. And not having this knowledge does not mean being a noob. It just means you are not a pro user of that specific software yet, and I guess nobody should claim to be a pro user of all software.
     
    Th0m and ahrasis like this.
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    To understand what I am saying in the above reply, I would suggest reading the following Certbot User Guide:

    For the how to and the parameters I used with certbot and cloudflare, I already shared in my thread which is in my github post i.e. linked in the opening post: Create Lets Encrypt SSL Certs via Certbot DNS Validation in Acme v02. Really read that thread until its end, don't skip. On the other hand, of course, with no doubt, one definitely could also easily read the Certbot User Guide as a whole and find a lot of useful parameters which can be applied too, if needed.


    I really believe I was very clear in my answers about the how to that is in question except not to the extent of "spoon feeding" but while @till had given good explanations and support, the responses were very poor even until the last one above this.

    Finally, yes, there are two posts above which I intended to reply to in such a way and I am not proud of it at all but I still believe I am right in whatever I said above. I also am truly using them on my server.

    Again, this is clearly not endorsed nor encouraged by ISPConfig or any of its developers, and is really meant for advanced users who really know ISPConfig and its coding in and out, certbot in and out, and if they want to use acme.sh in its place, also must really know it in and out, and general linux structure of the OS they are using, and really know what they are doing, so, really, good luck in attempting this.
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Just an info: this thread has been split as it was part of another thread that was not about CF. So references to posts changed, e.g. former post #24 has become post #11 now.
     
