LetsEncrypt plugin v1.3.0 RELEASED

  • Dear community,


    A new version of the LetsEncrypt plugin has just been released:



    CHANGELOG

    • Added: `include_altnames` configuration parameter (Closes: #IP-1657)
    • Added: Support for i-MSCP control panel and services SSL certificates
    • Fixed: Enforce non-interactive debconf frontend to avoid confusing debug log
    • Fixed: Installation fail due to missing certbot `--non-interactive' command line option (regression fix)
    • Fixed: Syntax error in SQL statement (iMSCP_Plugin_LetsEncrypt::afterDeleteCustomer() event listener)

    Once registered on our forums, you can purchase this plugin at: https://i-mscp.net/index.php/PaidSubscriptionList/


    WARNING Before updating, don't forget to read the README.md file and the UPDATE.md file inside the plugin archive WARNING


    Update notes regarding this new version


    I. Let's Encrypt SSL certificates for the control panel and services (FTP, IMAP/POP and SMTP)


    The plugin is now able to handle issuance of SSL certificates for the control panel and/or services. To enable Let's Encrypt for the control panel and/or services you must in order:

    • Enable SSL on i-MSCP side for the control panel and/or services, by choosing the self-signed SSL certificate option
    • Connect as administrator to the control panel
    • Activate Let's Encrypt for the control panel and/or services through the administrator's Let's Encrypt interface

    The link for accessing the administrator's Let's Encrypt interface is available in the settings page.


    Note that it is important to not disable this plugin when updating/reconfiguring i-MSCP because there is an event listener that replace the default SSL certificates by the Let's Encrypt SSL certificates. If the LetsEncrypt plugin is disabled, the event listener will not be triggered and so, the SSL certificates won't be replaced.


    Be aware that this feature is still experimental.


    Regarding SSL certificate for the control panel


    Note that after enabling Let's Encrypt for the control panel, you may have to close and re-open your browser. Indeed, in some cases, the newly created SSL certificate is not loaded after a simple page refresh.


    Note for PanelRedirect plugin users


    If you use the PanelRedirect plugin, you must ensure that you have a version greater or equal to 1.1.5, else, the domain validations will fail.


    II. SSL for alternative URL


    Support for alternative URLs has been added. You can enable it by setting the include_altnames configuration parameter to true in the plugin configuration file. Once done, don't forget to trigger a plugin list update.


    Before enabling support for alternative URLs, be sure that your DNS server can resolve names for them. If you use an external DNS server, this is generally achieved by adding a wildcard DNS resource record such as

    Code
    1. *.<panel.domain.tld>. IN A <server.ip>

    where <panel.domain.tld> is the domain used for accessing the i-MSCP control panel and <server.ip>, the primary IP address of the i-MSCP server.


    Be aware that this parameters acts only for new issuances and renewals.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • WARNING


    There is some limitations in current implementation regarding SSL certificates for the panel and services:

    • You cannot presently enable Let's Encrypt for the panel and/or services if the domain for the panel and the services is identical
    • You cannot presently enable Let's Encrypt for the panel if the domain for the panel is also added as customer domain or subdomain

    In both cases, you will have SQL error. These issues will be fixed in next version which will be released in few hours.


    @theqkash @UncleSam


    I'll contact you both before releasing for testing if you're ok.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Another bug has just been found. When enabling Let's Encrypt for a customer domain, subdomain... The SSL certificate is generated but the Apache2 vhost (for SSL) is not created. This is due to a misplaced SQL statement in the plugin backend file that prevents update of domain status and therefore, the creation of the required vhost.


    @abs0lut3 (and some others) It is useless to make presure on our head. When we work under presure, we cannot test all correctly and some bugs as those above are introduced.


    Thank you for your understanding.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • CHANGELOG for the coming version:


    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Updated:


    CHANGELOG will be as follow (version bump)


    Tests are in progress...

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Notes regarding SANs for alternative URLs


    SSL for alternative URLs


    You can enable support for alternative URLs by setting the `include_altnames` configuration parameter to`true` in the plugin configuration file. Once done, don't forget to trigger a plugin list update.


    Be aware that this parameters acts only for new SSL certificate issuances.


    Warning regarding this feature


    Due to the current Let's Encrypt rate limits, it is not recommended to enable this feature. Indeed, each SSL certificate issuance for which a SAN is added for an alternative URL will hits the Certificate per Registered Domain limit (20 per week) for the control panel domain. This explain why this feature is turned off by default.


    Note that alternative URLs as provided by i-MSCP are meant to allow the customer to access his domain for DNS propagation time. These URLs should not be exposed publicly.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • 1.4.0 on the road ;) We will enter in second testing phase soon. (tests by customers).


    @UncleSam


    In the log below, you can see the expand action (adding a SAN in the SSL certificate) and the shrink action (Removing a SAN from the SSL certificate). The domain name here is used for the control panel and also as a customer subdomain.



    EXPAND action

    Shell-Script
    1. ...[DEBUG] iMSCP::DbTasksProcessor::_process: Processing Modules::Plugin (enabled) tasks for: LetsEncrypt (ID 2)[DEBUG] Modules::Plugin::_call: Calling run() method on Plugin::LetsEncrypt[DEBUG] iMSCP::Execute::execute: openssl x509 -inform PEM -outform DER -in /etc/letsencrypt/live/panel.bbox.nuxwin.com/cert.pem -out /tmp/p1bj0j21qE[DEBUG] Plugin::LetsEncrypt::_getCertRequiredAction: Current SANs list: panel.bbox.nuxwin.com[DEBUG] Plugin::LetsEncrypt::_getCertRequiredAction: New SANs list: panel.bbox.nuxwin.com www.panel.bbox.nuxwin.com[DEBUG] Plugin::LetsEncrypt::_issueCertificate: Required action: expand[DEBUG] iMSCP::Execute::execute: /usr/local/sbin/certbot-auto certonly --text --agree-tos --non-interactive --email [email protected] --webroot --webroot-path /var/www/virtual/LetsEncrypt --staging --domain panel.bbox.nuxwin.com --domain www.panel.bbox.nuxwin.com --expand[DEBUG] iMSCP::Execute::execute: openssl x509 -enddate -noout -in '/etc/letsencrypt/live/panel.bbox.nuxwin.com/cert.pem'[DEBUG] iMSCP::OpenSSL::getCertificateExpiryTime: notAfter=Feb 14 06:49:00 2017 GMT[DEBUG] iMSCP::Execute::execute: openssl x509 -inform PEM -outform DER -in /etc/letsencrypt/live/panel.bbox.nuxwin.com/cert.pem -out /tmp/nKeohrejha[DEBUG] Plugin::LetsEncrypt::_getCertRequiredAction: Current SANs list: panel.bbox.nuxwin.com www.panel.bbox.nuxwin.com[DEBUG] Plugin::LetsEncrypt::_getCertRequiredAction: New SANs list: panel.bbox.nuxwin.com www.panel.bbox.nuxwin.com[DEBUG] Plugin::LetsEncrypt::_issueCertificate: Required action: none[DEBUG] iMSCP::Execute::execute: openssl x509 -enddate -noout -in '/etc/letsencrypt/live/panel.bbox.nuxwin.com/cert.pem'[DEBUG] iMSCP::OpenSSL::getCertificateExpiryTime: notAfter=Feb 14 06:49:00 2017 GMT...


    SHRINK action


    Note that the shrink action requires the removal of current SSL certificate lineage. This is due to the fact that current version of Certbot create another SSL certificate lineage with arbitrary name which is an annoying behavior. This will be fixed in Cerbot 0.10.x normally (We will be able to target a specific lineage).

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206