Let's Encrypt - Debian 8 - MultiHost


#1

Hi,
I searched and found pieces of the solution to this quest on this forum and on the ISPConfig forum, but I think a complete overview would be useful (also for other configurations) for a setup that I think could interest a lot of users: how to correctly configure and manage SSL/TLS certificates for multiple domains all hosted on a single machine (Debian 8 Jessie) with a single IP?

Why this request? I used certbot with success in the past on a machine based on CentOS 6 for an ecommerce site. There is only one domain on which TLS is needed for ecommerce, and I didn't notice this problem because only one configuration was needed.

Now on the machine with Debian 8 (Jessie) and ISPConfig 3.1.1 I have installed 12 domains; on 5 of these domains (and their www. aliases) I need to configure TLS/SSL certificates.
I installed certbot, all without problems.
I started the configuration for one of the domains (I can send all the details in a PM to test it) and all seemed to work.

So I checked if it works.
The http domain (domain1.com) correctly sends to the site.
The https domain (domain1.com) sends to the web document root of the server, /var/www/html/index.html

In ISPConfig for the single domain there is a section called SSL (and I can select a checkbox called Let's Encrypt, so I thought there is a semi-automatic procedure) where I can put the keys and certificates, but after doing this nothing changed (also after restarting Apache and the server).

So I tried to get a certificate for another domain (domain2.com). All seems to work, but when I request the domain (domain2.com) by https, Firefox gives me this error:
Certificate is valid only for these names: domain1.com www.domain1.com
Error code: SEC_ERROR_UNKNOWN_ISSUER

If I add an exception for this error I again get the web document root of the server, /var/www/html/index.html

I had an idea for a workaround (with cut and paste from all the guides), but really I cannot find a complete guide to configure multihost without a headache. A step by step guide also to do this manually on Debian (forget about ISPConfig, it's not a problem if I cannot configure SSL/TLS using it).

In brief:
How to set up SSL for a single domain on a server that hosts more domains, so that http and https send to the same pages, on Debian 8.

Thank you
Francesco


#2

I'm not sure if you want this as a "feature request" or you want some help and guidance to achieve it on your server. What you're asking would appear to me to be standard webserver configuration.

The "feature" exists, in that it's perfectly possible to have certs for multiple hosts on Debian 8 (including when using ISPConfig).

Note: if you are using ISPConfig you shouldn't manually configure the webserver (I'm assuming Apache) because those manual configs will be overwritten by ISPConfig.


#3

Sorry, I didn't check the category. It's not a Feature Request… moved to Server.


#4

I know ISPConfig configures Apache, MySQL etc. without any problem.
The problem is that certbot doesn't recognize those settings because it doesn't see the vhosts correctly; it finds the domains but then it doesn't use the path configured for those domains. And the message says that it doesn't support multiple virtual hosts automatically.
So is there a step by step guide to set up domain by domain on Debian 8 with ISPConfig 3 without headache, also manually, but a linear guide?


#5

As a note, I find your answers all around the Let's Encrypt community very useful; I'm trying to put it all together. But I think you are the only one that understands the problem that I'm facing. And a lot of people, I think. There's a patchwork of information about the integration of ISPConfig and Let's Encrypt, but unfortunately drop by drop and every time in an answer to a particular problem.
There's a need for a definitive guide with workarounds if someone gets stuck on a problem. Also for the future. Thank you.


#6

Hi Francesco,

There are two ways (and probably more) that you can achieve what you want. Basically they all start with installing ISPConfig onto Debian 8.

As noted above, certbot (the latest version of the official letsencrypt client) and ISPConfig both modify the Apache config, but don't know about each other, hence it does end up with a slight mess, and not working if you try and run both in an automatic way.

####Using ISPConfig and certbot (letsencrypt) independently

After you have set up all your domains in ISPConfig (I'll assume you have domain1.com, domain2.com and domain3.com)

install certbot (which should have been done as part of the ISPConfig install if you followed the above instructions; I've included it here as you aren't starting from scratch though).

run certbot to obtain certificates for your first domain

certbot certonly --webroot -w /var/www/domain1.com/web/ -d domain1.com -d www.domain1.com

which should obtain an SSL certificate for domain1.com and www.domain1.com and place the certificates in /etc/letsencrypt/live/domain1.com/

Log into your ISPConfig and go into Sites > domain1.com > SSL, where you can paste the key, certificate and bundle. In the "SSL action" at the bottom make sure you select "save certificate" before clicking on the save button.

This should set up the SSL so it’s working and ISPConfig creates files for these components in /var/www/domain1.com/ssl/

Check everything is working on SSL for this domain, then using SSH run the following

rm -f /var/www/domain1.com/ssl/domain1.key
ln -s /etc/letsencrypt/live/domain1.com/privkey.pem /var/www/domain1.com/ssl/domain1.key
rm -f /var/www/domain1.com/ssl/domain1.crt
ln -s /etc/letsencrypt/live/domain1.com/cert.pem /var/www/domain1.com/ssl/domain1.crt
rm -f /var/www/domain1.com/ssl/domain1.bundle
ln -s /etc/letsencrypt/live/domain1.com/fullchain.pem /var/www/domain1.com/ssl/domain1.bundle

This creates a symlink between the files which ISPConfig is looking for, and those which certbot automatically updates and knows about.

Check everything is running as you want for domain1.com and then repeat this for domain2.com and domain3.com

To renew you should be able to just use

certbot renew --post-hook "/usr/sbin/service apache2 reload"

There should be no need to copy and paste the certificates after the first time.

####Using the Let’s Encrypt SSL function built into ISPConfig

This should be the easiest option, although it is only available in the recent versions of ISPConfig (>= v3.1). For this you should not run certbot / letsencrypt from the command line yourself at all.

Log into your ISPConfig and go into Sites > domain1.com and select the "SSL" and "Let's Encrypt SSL" options. This should then run letsencrypt/certbot and add the certificate in the correct place and everything should be OK; it does take about a minute typically.

The challenge using this method (for me) is that it gives you no indication of success or failure. You need to go into /var/log/letsencrypt/letsencrypt.log to see any problems / issues.

Does that help?
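
The following script is an added example for this thread, not code from serverco, ISPConfig or certbot. It wraps the first option above (certbot `--webroot` per site, then the `rm` + `ln -s` step into `/var/www/<domain>/ssl/`) and adds the check a practitioner wants after each site: ask the server over TLS, with SNI set to each hostname, which certificate it actually presents and confirm that hostname is listed in its subjectAltName. That check is what exposes the symptom from post #1: with no `*:443` vhost for domain2.com, Apache falls back to the first SSL vhost, so the client sees domain1.com's certificate and the default document root (that explanation is mine, not the thread's). The paths follow the thread; the short file name ISPConfig uses in `ssl/` (`domain1.key` for domain1.com) is assumed to be the first DNS label, which matches the one example above but is not confirmed for other site names, and `--keep-until-expiring` is a real certbot flag that makes re-runs safe.

```shell
#!/bin/sh
# Added example (not from the thread): issue Let's Encrypt certificates per
# ISPConfig site with certbot --webroot, link them into ISPConfig's ssl/ dir
# as in post #6, reload Apache, then verify with openssl s_client that the
# server presents the right certificate for each SNI name.
# Assumed: /var/www/<domain>/web, /var/www/<domain>/ssl and
# /etc/letsencrypt/live/<domain> from the thread; the ssl/ file basename is
# taken to be the first DNS label (domain1.com -> domain1.key), an assumption.
set -eu

# Short name ISPConfig uses for the key/crt/bundle files (assumed: first label).
ssl_basename() {
    printf '%s\n' "${1%%.*}"
}

# Obtain a certificate for domain and www.domain, serving the HTTP-01 challenge
# from the site's own document root so the right vhost answers it.
issue_cert() {
    domain="$1"
    certbot certonly --webroot -w "/var/www/${domain}/web/" \
        -d "${domain}" -d "www.${domain}" --keep-until-expiring
}

# Point the files ISPConfig reads at the ones certbot renews (post #6's rm + ln).
# The site's SSL tab must have been saved once so that ssl/ exists.
link_cert() {
    domain="$1"
    base="$(ssl_basename "$domain")"
    live="/etc/letsencrypt/live/${domain}"
    ssl="/var/www/${domain}/ssl"
    ln -sfn "${live}/privkey.pem"   "${ssl}/${base}.key"
    ln -sfn "${live}/cert.pem"      "${ssl}/${base}.crt"
    ln -sfn "${live}/fullchain.pem" "${ssl}/${base}.bundle"
}

# Print the subjectAltName line of the certificate the server presents when the
# client asks for name via SNI (optionally connecting to a different host/IP).
# Without a matching *:443 vhost Apache answers with the first SSL vhost's cert,
# which is exactly the wrong-name error reported in post #1.
served_san() {
    name="$1"; host="${2:-$1}"
    printf '' | openssl s_client -connect "${host}:443" -servername "${name}" 2>/dev/null \
        | openssl x509 -noout -text \
        | grep -A1 'Subject Alternative Name' | tail -n 1
}

# Offline helper: does a subjectAltName line such as
#   "DNS:domain1.com, DNS:www.domain1.com"
# list name exactly?  Returns 0 (covered) or 1 (not covered).
san_covers() {
    san="$1"; name="$2"
    old_ifs="$IFS"; IFS=','
    set -f                    # no globbing: wildcard SANs contain '*'
    set -- $san
    set +f
    IFS="$old_ifs"
    for entry in "$@"; do
        entry="$(printf '%s' "$entry" | sed 's/^[[:space:]]*DNS://; s/[[:space:]]*$//')"
        [ "$entry" = "$name" ] && return 0
    done
    return 1
}

# Fail if the certificate served for name does not list name.
verify_served() {
    name="$1"; host="${2:-$1}"
    san="$(served_san "$name" "$host")"
    if san_covers "$san" "$name"; then
        echo "OK   $name <- $san"
    else
        echo "FAIL $name: server presented a certificate for: $san" >&2
        return 1
    fi
}

# Usage: sh le-ispconfig.sh domain1.com domain2.com domain3.com
# Issue and link every site, reload Apache once, then verify both names per site.
for domain in "$@"; do
    issue_cert "$domain"
    link_cert "$domain"
done
if [ "$#" -gt 0 ]; then
    service apache2 reload
fi
for domain in "$@"; do
    verify_served "$domain"
    verify_served "www.$domain"
done
```

Run it as root after each site has had its SSL tab saved once in ISPConfig. The `verify_served` step is worth keeping in a cron job next to `certbot renew`: if ISPConfig ever rewrites the files in `ssl/` and breaks the symlinks, or a new site has no `*:443` vhost yet, the wrong-name failure shows up here long before a browser reports SEC_ERROR_UNKNOWN_ISSUER.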


#7

Thank you serverco, very clear.
OK, I tried the last option you gave me. It's incredible, but the ISPConfig manual (that I've paid for) doesn't make any note about this automatic use of ISPConfig.
I have the latest ISPConfig and tried it for another domain, domain2.com. It all works perfectly for domain2.com; the site is recognized as certified by the major browsers. In the SSL options in ISPConfig everything is in the right place and the redirect is perfect. But…

domain1.com, if called now as https://domain1.com, gives the error Certificate is valid only for these names: domain2.com www.domain2.com
Error code: SEC_ERROR_UNKNOWN_ISSUER

The situation is turned upside down… :scream:

I have to note that now for domain2.com I don't see the document root but the right site, a difference. But domain1.com gives this error… uhm… I'll make some tests and let you know.
Probably by deleting and recreating domain1.com…

Only a question about the last option. What to do about renewals of the certificate? Is there another option, or is it better to do it with the shell?

Thank you for your very precious contribution.


#8

If you have used the second option (the one with the Let's Encrypt option in ISPConfig) the renewals should happen automatically. ISPConfig takes care of this.


#9

Fantastic. I'll send you a PM.
Thank you
Francesco


#10

To all whom it may concern: THANK YOU serverco. All problems resolved! A real guru of LE and ISPConfig.


#11

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.