LetsEncrypt - SSL certificate is not valid

    everything seems to work with the letsencrypt patch, but I discovered a problem when installing a purchased certificate ...

    To install a paid certificate line 134 needs to be reactivated in OpenSSL.pm (afterwards deactivate again).

    Therefore I have deactivated / changed the button links in the client theme to prevent customers being able to create and edit certificates themselves except letsencrypt

    Code
    1. # nano /var/www/imscp/gui/themes/default/client/domains_manage.tpl
    2. #from:
    3. <a href="{CERT_SCRIPT}" class="icon i_edit" title="{VIEW_CERT}">{VIEW_CERT}</a>
    4. #to
    5. <a href="" class="icon i_edit" title="{VIEW_CERT}">{VIEW_CERT}</a>
    6. service imscp_panel restart

    also w/ any other line with {CERT_SCRIPT} for alias, alias-sub, sub ...


    or simply

    Code
    1. sed -i 's|{CERT_SCRIPT}||g' /var/www/imscp/gui/themes/default/client/domains_manage.tpl
    2. sudo service imscp_panel restart
    4. # reverse - make buttons available again
    5. sed -i 's|""|"{CERT_SCRIPT}"|g' /var/www/imscp/gui/themes/default/client/domains_manage.tpl
    6. sudo service imscp_panel restart


    I will try to make this accessible only to the administrator

    if ... admin

    <a href="{CERT_SCRIPT}" ...

    else

    <a href=""

    ...

    Edited 4 times, last by fulltilt ().

    Was valid until 6th of October.


    Display Spoiler

    Edited once, last by Athar ().


    Thank you for the hot fix. It helped me very well to calm down and to enjoy my weekend as planed! :-)


    /Nagilum

    Hello guys,

    there you can find the solution I've adopted in order to get the systems working with every type of certificate (self signed, from CA or Let's Encrypt)

    I didn't change absolutely nothing in the code of i-MSCP, everything is original.


    The following has been tested ONLY on Debian Stretch x64, with a standard i-MSCP installation. No strange things.


    1. Integrate the new LE CAs in your system:

    Code
    1. mkdir /usr/share/ca-certificates/letsencrypt
    2. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
    3. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
    4. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x1-cross-signed.crt https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
    5. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
    6. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3-cross-signed.crt https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
    7. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
    8. curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
    9. dpkg-reconfigure ca-certificates

    Here a Dialog appears.

    - In the first dialog choose "yes"

    - In the second select your new 7 CA certificates to import and then click OK

    The result should be as follows:

    Code
    1. Updating certificates in /etc/ssl/certs...
    2. 7 added, 0 removed; done.
    3. Running hooks in /etc/ca-certificates/update.d...
    4. done.

    2. Remove any previous certbot versions:

    Code
    1. apt remove certbot

    3. Install the new and supported certbot version

    Code
    1. apt install snapd
    2. snap install core && snap refresh core
    3. snap install --classic certbot

    4. Optional, but recommended, edit the file /var/www/imscp/gui/plugins/LetsEncrypt/config.php and update the section as follows:

    Code
    1. 'certbot_create_options' => [
    2. '--preferred-chain ISRG Root X1'
    3. ],

    Save and close;

    5. Remove previous symlinks that could still exist, we'll fix them in next steps:

    Code
    1. rm /usr/bin/certbot
    2. rm /usr/local/sbin/certbot

    6. HIT THE "UPDATE PLUGINS" BUTTON here: https://your.server.panel:1234/admin/settings_plugins.php

    If everything goes well, the LE Plugin will reconfigure.

    7. Now it's time to fix the symlinks:

    Code
    1. rm /usr/bin/certbot
    2. ln -s /snap/bin/certbot /usr/bin/certbot
    3. rm /usr/local/sbin/certbot
    4. ln -s /usr/bin/certbot /usr/local/sbin/certbot

    8. Now a little check:

    Code
    1. which certbot
    2. Result:
    3. - /usr/local/sbin/certbot
    5. which -a certbot
    6. Result:
    7. - /usr/local/sbin/certbot
    8. - /usr/bin/certbot
    9. - /snap/bin/certbot

    9. And the final check:

    Code
    1. /usr/local/sbin/certbot --version
    2. Result:
    3. certbot 1.19.0

    Now your system will have:

    - The new CA from LE that it didn't have before

    - The new supported version of certbot that knows the new chains


    I tested the procedure on more boxes and it works for certificates creation and for certificates revocations. I don't know if it works for renewals. Please test it and kindly report back.

    Hope it helps,

    bye Kess.

    Thanks Kess! It works with my test vps ... but I think it would be a better idea to be patient until Nuxwin is done with his work.

    Manual changes in database or OS (via snapd sources) could possibly cause problems afterwards ...

    For now I prefer the solution of vege.net ... an undo is very simple because only line 134 needs to be activated again.

    Hi fulltilt ,

    thx for your reply.

    With that solution, nothing has been changed in i-MSCP files or Database, everything is original.

    Regarding snapd, it runs in its own sandbox... everything you have on your systems is included in /snap directory.

    Problems ? I can't see... but if you don't like it in 1 or 2 years, just uninstall it using apt or apt-get and everything will be exactly as before...


    certbot-auto has become unsupported, this is the only official method for managing LE Certs (Certbot documentation on eff.org).

    I didn't test using the Debian Packaged Certbot in order to see if it works... I don't know if the new chains are managed or not. I'm sure the --preferred-chain option will not work on version 0.28.0 (Debian 9 packaged version).


    It's up to you...

    Bye Kess

    A good solution for fixing Let's Encrypt, but...

    Quote from fulltilt

    everything seems to work with the letsencrypt patch, but I discovered a problem when installing a purchased certificate ...

    To install a paid certificate line 134 needs to be reactivated in OpenSSL.pm (afterwards deactivate again).

    ... it had issues with paid certificates.


    I continued the work on Joern's approach. As per his instructions, start with:

    Code
    1. cd /usr/share/ca-certificates/mozilla/
    2. wget https://letsencrypt.org/certs/lets-encrypt-r3.pem
    3. mv lets-encrypt-r3.pem lets-encrypt-r3.crt
    4. dpkg-reconfigure ca-certificates # -->> add new letsencrypt Cert

    The next step is to edit /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm with editor of your choice. As Joern instructed, start by commenting out the line at 135. However, to allow paid certificates with CA bundle continue to work, if the initial verify command fails, then we need to try to run it with the CAfile parameter. This is done by adding the code below after line 140 debug( $stdout ) if $stdout;:

    Full code from line 132 (old) to 157 (new) with a few comments for clarity:


    Disclaimer: use at your own risk.