Differences

This shows you the differences between two versions of the page.

software:controlpanels:ispconfig3:tricks [2020/09/22 20:23] rodolico
software:controlpanels:ispconfig3:tricks [2023/02/02 01:25] (current) rodolico
Line 12: Line 12:
  
 ===== Use Certbot with other services ===== ===== Use Certbot with other services =====
 +
 +**This is old, as ISPConfig v3.3 or something fixed most of these problems, and you can install your certs during installation**
  
 ISPConfig3 has support for using Certbot with its web sites. However, it is more difficult to get the certbot to work with your mail/ftp/whatever, including the control panel. User ahrasis wrote a very nice article on this. Actually, he says it best, so I'll leave it up to him ISPConfig3 has support for using Certbot with its web sites. However, it is more difficult to get the certbot to work with your mail/ftp/whatever, including the control panel. User ahrasis wrote a very nice article on this. Actually, he says it best, so I'll leave it up to him
  
 https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
 +
 +===== Can not create certbot SSL script on web site =====
 +
 +This one drove me up a tree, and used several hours of my time, but I finally got it fixed after reading [[https://www.niih.de/fixed-warning-could-not-verify-domain-so-excluding-it-from-letsencrypt-request/]].
 +
 +Bottom line: ISPConfig v2.9, I think, does some checking on the ability to reach a web site **before** requesting a Certbot SSL certificate. This is still a little flaky in this version, and various things can make it fail (behind a DMZ, split DNS).
 +
 +Simply go to System | Server Config | {server name} | Web | SSL Settings and put a check mark in "Skip Lets Encrypt Check"
 +
 +===== /var/www on NFS Share =====
 +
 +ISPConfig //will// work with /var/www on an NFS share, but you should do a couple of things first. Go to
 +
 +**System | Server Config | {server name} | Web**
 +
 +* Put a check mark in //Network Filesystem//
 +* Uncheck //Make web folders immutable// (click Permissions) to disable extended attributes that many network file systems won't handle.
 +
 +===== acme.sh vs certbot =====
 +
 +More and more, ISPConfig is moving to acme.sh vs the older certbot to manage LetsEncrypt SSL certificates. I really like it because it appears to be much cleaner.
 +
 +Till Brehm, one of the developers over at ISPConfig made a quick note for people who accidentally have certbot installed prior to the ISPConfig installation. ISPConfig will attempt to detect if this is the case and simply fall back to using it.
 +
 +I already had a broken system, so I decided to see if I could use what he said to move my system over from certbot to acme.sh, and it worked (kinda'). I missed a couple of steps and broke my server pretty well, but was able to recover.
 +
 +Tills comments (at https://forum.howtoforge.com/threads/acme-sh-on-new-install.86553/), give an order to fixing a **new** installation (before you have any sites), but I modified it to work with an already populated one. **NOTE:** your web sites will be down, or not available over https, for a while if you do this.
 +
 +  - Go through every web site and disable SSL
 +  - Remove Configuration<code bash>mv /etc/letsencypt /etc/letsencrypt.disabled</code>
 +  - Remove certbot<code bash>mv /opt/certbot /opt/certbot.disabled # may be called other things</code>OR, if you installed from a package manager, simply uninstall it.
 +  - Install the acme.sh code<code bash>curl https://get.acme.sh | sh -s</code>
 +  - Reconfigure ispconfig<code bash>ispconfig_update.sh --force</code>
 +  - Go through every web site and enable LetsEncrypt SSL
 +
 +Step 3 is difficult, as cerbot has been installed in various places at various times, so it could be called anything. Normally, if not part of a package manager installation, it is in /opt.'
 +
 +The last line will reconfigure ispconfig. All you really care about (maybe) is generating a new certificate for the control panel, mail server and ftp.
 +
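Review bot: In the acme.sh migration list, step 2 moves `/etc/letsencypt`, which is missing the "r". The target is `/etc/letsencrypt.disabled`, so the source should read `/etc/letsencrypt`; as written the mv fails on a path that does not exist and the old certbot configuration stays active. In the same section, "cerbot" should be "certbot", the paragraph starting "Step 3 is difficult" ends with a stray `'`, and "The last line will reconfigure ispconfig" points at the wrong step: `ispconfig_update.sh --force` is step 5, while the last step is re-enabling LetsEncrypt SSL on each site. Step 4 pipes `curl https://get.acme.sh` straight into `sh`; consider telling readers to save the script to a file and read it before running it, since this is executed as root on a production server. The version references ("ISPConfig v3.3 or something", "ISPConfig v2.9, I think") also disagree with the page's ISPConfig3 naming and are worth confirming before publishing.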
 +
software/controlpanels/ispconfig3/tricks.txt · Last modified: 2023/02/02 01:25 by rodolico