LetsEncrypt

From Egbert's Wiki

LetsEncrypt and ISPconfig

I have severe problems using LetsEncrypt as designed in ISPconfig. I now use a Certbot installation via PPA. Using certbot certonly -d ... works fine. From there Ton Lankhorst's recipe was followed.

General Process

Request a certificate for the website wiki.vandenbussche.nl using the running Apache server (choice 1 below). If this fails, stop Apache, issue the certbot command again and select the standalone webserver (choice 2).

root@ubuntu:# certbot certonly -d wiki.vandenbussche.nl
Saving debug log to /var/log/letsencrypt/letsencrypt.log

How would you like to authenticate with the ACME CA?
-------------------------------------------------------------------------------
1: Apache Web Server plugin - Beta (apache)
2: Spin up a temporary webserver (standalone)
3: Place files in webroot directory (webroot)
-------------------------------------------------------------------------------
Select the appropriate number [1-3] then [enter] (press 'c' to cancel): 1
Plugins selected: Authenticator apache, Installer None
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for wiki.vandenbussche.nl
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/wiki.vandenbussche.nl/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/wiki.vandenbussche.nl/privkey.pem
   Your cert will expire on 2018-02-21. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"

Restart Apache if it was stopped. The certs are now in /etc/letsencrypt/archive/wiki.vandenbussche.nl/, and /etc/letsencrypt/live/wiki.vandenbussche.nl/ holds symlinks to the current version of each file.

root@ubuntu:/etc/letsencrypt/live/wiki.vandenbussche.nl# ls -l
total 4
-rw-r--r-- 1 root root 543 Nov 23 16:33 README
lrwxrwxrwx 1 root root  45 Nov 23 16:33 cert.pem -> ../../archive/wiki.vandenbussche.nl/cert1.pem
lrwxrwxrwx 1 root root  46 Nov 23 16:33 chain.pem -> ../../archive/wiki.vandenbussche.nl/chain1.pem
lrwxrwxrwx 1 root root  50 Nov 23 16:33 fullchain.pem -> ../../archive/wiki.vandenbussche.nl/fullchain1.pem
lrwxrwxrwx 1 root root  48 Nov 23 16:33 privkey.pem -> ../../archive/wiki.vandenbussche.nl/privkey1.pem

Paste the cert, key and chain into the SSL tab of the website in ISPconfig, then Save. This places the certs in /var/www/wiki.vandenbussche.nl/ssl. Then follow Tom Lankhorst's recipe, which replaces the files in that ssl directory with links to the certs in /etc/letsencrypt/live/wiki.vandenbussche.nl.

Before:
-rw-r--r-- 1 root root 3515 Nov 23 16:41 wiki.vandenbussche.nl.crt
-r-------- 1 root root 1730 Nov 23 16:41 wiki.vandenbussche.nl.key

ln -sf /etc/letsencrypt/live/wiki.vandenbussche.nl/fullchain.pem wiki.vandenbussche.nl.crt
# the private key in a certbot live directory is privkey.pem (there is no fullchain.key; see the listing above)
ln -sf /etc/letsencrypt/live/wiki.vandenbussche.nl/privkey.pem wiki.vandenbussche.nl.key

After:
lrwxrwxrwx 1 root root 57 Nov 23 16:47 wiki.vandenbussche.nl.crt -> /etc/letsencrypt/live/wiki.vandenbussche.nl/fullchain.pem
lrwxrwxrwx 1 root root 55 Nov 23 16:47 wiki.vandenbussche.nl.key -> /etc/letsencrypt/live/wiki.vandenbussche.nl/privkey.pem

Because the links point into the live directory, the website uses the new certs after every renewal (every 90 days) without further changes to ISPconfig. Apache only reads the files at start or reload, so the renewal must be followed by an Apache reload (for example via certbot's --deploy-hook).

SSL for ISPconfig itself

To use LetsEncrypt for ISPconfig itself (read: all services served under https://ubuntu.vandenbussche.nl/<service>), a slightly different approach is needed. ISPconfig refers to (self-signed) certs in its own tree, /usr/local/ispconfig/interface/ssl. These must be remapped to the location of the LE certs: /etc/letsencrypt/live/<hostname -f>. A good description was written by Arasis.

As said, ISPconfig itself needs an extra step, similar to the one for hosted websites: the hardcoded self-signed certs are replaced with symbolic links to the LE location, just like for any other secure website created under ISPconfig. This way all web-based services of ISPconfig, e.g. phpMyAdmin, are SSL secured. I run ISPconfig on port 8080: https://ubuntu.vandenbussche.nl:8080/ and phpMyAdmin as https://ubuntu.vandenbussche.nl:8080/phpmyadmin.

cd /var/www/ubuntu.vandenbussche.nl/ssl
ln -sf /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem ubuntu.vandenbussche.nl.crt
ln -sf /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem ubuntu.vandenbussche.nl.key
Result:
lrwxrwxrwx 1 root root 59 Mar 14 20:57 ubuntu.vandenbussche.nl.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
lrwxrwxrwx 1 root root 57 Mar 14 20:58 ubuntu.vandenbussche.nl.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem

cd /usr/local/ispconfig/interface/ssl
mv ispserver.crt ispserver.crt.bak
mv ispserver.key ispserver.key.bak
ln -s /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem ispserver.key
Result:
lrwxrwxrwx 1 root root   59 Mar 14 21:03 ispserver.crt -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/fullchain.pem
-rwxr-x--- 1 root root 2057 Sep  5  2016 ispserver.crt.bak
-rwxr-x--- 1 root root 1720 Sep  5  2016 ispserver.csr
lrwxrwxrwx 1 root root   57 Mar 14 21:04 ispserver.key -> /etc/letsencrypt/live/ubuntu.vandenbussche.nl/privkey.pem
-rwxr-x--- 1 root root 3243 Sep  5  2016 ispserver.key.bak
-rwxr-x--- 1 root root 3311 Sep  5  2016 ispserver.key.secure
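The link-and-verify step used twice above (the per-website ssl directory and ISPconfig's own interface/ssl directory) as one reusable shell function, added here as an example and not part of the wiki recipe or of ISPconfig. It assumes the standard certbot layout (LIVE_DIR/fullchain.pem and privkey.pem) and the NAME.crt/NAME.key naming shown above; cert_matches_key needs openssl on the host.

```shell
#!/bin/sh
# Added example (not from the wiki page): point an ISPconfig SSL directory at
# certbot's live directory and check the result, so that a dangling link (for
# instance to a non-existent fullchain.key) is noticed before Apache is reloaded.
# Assumed layout: LIVE_DIR/fullchain.pem and LIVE_DIR/privkey.pem exist;
# the consumer expects SSL_DIR/NAME.crt and SSL_DIR/NAME.key.

# link_le_certs LIVE_DIR SSL_DIR NAME
#   Replaces SSL_DIR/NAME.crt and SSL_DIR/NAME.key with symlinks into LIVE_DIR.
#   Returns 1 (and creates nothing) if a certbot file is missing, or if a link
#   was created but does not resolve.
link_le_certs() {
    live_dir=$1; ssl_dir=$2; name=$3
    for f in fullchain.pem privkey.pem; do
        if [ ! -f "$live_dir/$f" ]; then
            echo "missing $live_dir/$f" >&2
            return 1
        fi
    done
    mkdir -p "$ssl_dir"
    # -n: never descend into an existing link, -f: replace the old plain files
    ln -sfn "$live_dir/fullchain.pem" "$ssl_dir/$name.crt"
    ln -sfn "$live_dir/privkey.pem"   "$ssl_dir/$name.key"
    for l in "$ssl_dir/$name.crt" "$ssl_dir/$name.key"; do
        # [ -e ] follows the link, so it is false for a dangling link
        if [ ! -L "$l" ] || [ ! -e "$l" ]; then
            echo "dangling link $l" >&2
            return 1
        fi
    done
}

# cert_matches_key CRT KEY
#   Compares the public key inside the certificate with the public key derived
#   from the private key; a mismatch means the wrong file was linked as the key.
cert_matches_key() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ]
}

# Usage on the server from the page (run as root):
#   link_le_certs /etc/letsencrypt/live/ubuntu.vandenbussche.nl \
#       /usr/local/ispconfig/interface/ssl ispserver \
#   && cert_matches_key /usr/local/ispconfig/interface/ssl/ispserver.crt \
#                       /usr/local/ispconfig/interface/ssl/ispserver.key
```

Run both functions after every change to the links and again from the renewal hook; a non-zero exit is the signal to stop before reloading Apache.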

This server now holds several certs:

root@ubuntu:/etc/letsencrypt/live# ls -l
total 24
drwxr-xr-x 2 root root 4096 Sep 29 00:51 beta.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Nov  1 00:53 boemerang.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Sep 29 00:51 dev.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Sep 29 00:51 speldorado.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Sep 29 00:51 ubuntu.vandenbussche.nl
drwxr-xr-x 2 root root 4096 Nov 23 16:33 wiki.vandenbussche.nl

And in ubuntu.vandenbussche.nl:
-rw-r--r-- 1 root root 543 Mar 14 20:42 README
lrwxrwxrwx 1 root root  47 Mar 14 20:42 cert.pem -> ../../archive/ubuntu.vandenbussche.nl/cert1.pem
lrwxrwxrwx 1 root root  48 Mar 14 20:42 chain.pem -> ../../archive/ubuntu.vandenbussche.nl/chain1.pem
lrwxrwxrwx 1 root root  52 Mar 14 20:42 fullchain.pem -> ../../archive/ubuntu.vandenbussche.nl/fullchain1.pem
lrwxrwxrwx 1 root root  50 Mar 14 20:42 privkey.pem -> ../../archive/ubuntu.vandenbussche.nl/privkey1.pem