Posts by fulltilt
I use the following settings for proftpd TLS
Code:
```apacheconf
<IfModule mod_tls.c>
  TLSEngine on
  TLSRequired off
  TLSLog /var/log/proftpd/ftp_ssl.log
  TLSOptions NoSessionReuseRequired
  TLSRSACertificateFile /etc/imscp/imscp_services.pem
  TLSRSACertificateKeyFile /etc/imscp/imscp_services.pem
  TLSCACertificateFile /etc/imscp/isrgrootx1.pem
  TLSVerifyClient off
  TLSRenegotiate required off
</IfModule>
</Global>
<IfModule mod_tls.c>
  TLSProtocol TLSv1.2
  TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
</IfModule>
```
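A quick way to review a fragment like the one above before deploying it: the linter below is an added example (not code from the thread, from ProFTPD or from i-MSCP) that prints the mod_tls directives which weaken the setup. The checks it applies are taken from the mod_tls documentation; the sample configuration in the usage note is constructed, and the file path is a placeholder.

```bash
#!/usr/bin/env bash
# Added example, not from the thread or from i-MSCP: print the mod_tls
# directives in a ProFTPD config fragment that weaken the TLS setup.
# The checks follow the mod_tls documentation:
#   TLSRequired off                    plaintext logins are still accepted
#   TLSProtocol SSLv3/TLSv1/TLSv1.1    deprecated protocol versions enabled
#   TLSOptions NoSessionReuseRequired  data connections need not reuse the
#                                      control connection's TLS session, so
#                                      the same-client check on them is gone
#   TLSCipherSuite with RC4/DES/MD5/NULL/aNULL/EXP   weak cipher families
# Usage: lint_proftpd_tls /etc/proftpd/tls.conf   (path is a placeholder)
lint_proftpd_tls() {
  awk '
    { sub(/#.*/, ""); sub(/^[ \t]+/, ""); if ($0 == "") next }   # drop comments and blank lines
    tolower($1) == "tlsrequired" && tolower($2) == "off" {
      print "TLSRequired off: plaintext (non-TLS) logins are still accepted"
    }
    tolower($1) == "tlsprotocol" {
      for (i = 2; i <= NF; i++) {
        v = tolower($i)
        if (substr(v, 1, 1) == "-") continue          # "-TLSv1" form excludes a version
        if (v == "sslv3" || v == "tlsv1" || v == "tlsv1.1")
          print "TLSProtocol enables deprecated " $i
      }
    }
    tolower($1) == "tlsoptions" {
      for (i = 2; i <= NF; i++)
        if (tolower($i) == "nosessionreuserequired")
          print "TLSOptions NoSessionReuseRequired: data connections may skip TLS session reuse"
    }
    tolower($1) == "tlsciphersuite" {
      # only an enabled family is flagged; "!aNULL" style exclusions are not
      if (toupper($2) ~ /(^|[:-])(RC4|DES|MD5|NULL|ANULL|EXP)([:-]|$)/)
        print "TLSCipherSuite allows a weak cipher family: " $2
    }
  ' "$1"
}

# Number of findings, for scripting (0 means nothing was flagged).
tls_finding_count() {
  lint_proftpd_tls "$1" | awk 'END { print NR }'
}
```

Run against the configuration above it reports two findings: `TLSRequired off` (an FTP client can still log in without TLS) and `NoSessionReuseRequired` (data connections are no longer tied to the control connection's session). Whether either is acceptable depends on the clients you must support; the TLSProtocol and TLSCipherSuite lines pass as written.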
-
when using LE please read:
-
search for obsolete php config files (php.ini) from orphaned domain names
-
re-configuration tasks:
With a new system it seems to work if all certs have been created with the snap certbot fix by kess ...
However, existing LE certs with the old chain are marked as invalid and the Apache SSL configs are deleted.
To avoid the problem you would have to replace all old chain1.pem and fullchain1.pem with the new one:
Code:
nano /etc/letsencrypt/archive/mydomain.tld/chain1.pem
```
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
```
and the bottom part here:
nano /etc/letsencrypt/archive/mydomain.tld/fullchain1.pem
```
-----BEGIN CERTIFICATE-----
MIIFJjCCBA6gAwIBAgISBFOhc87zN32rQFmLqY5Mk7yiMA0GCSqGSIb3DQEBCwUA
MDIxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1MZXQncyBFbmNyeXB0MQswCQYDVQQD
EwJSMzAeFw0yMTEwMTYwOTEwMzNaFw0yMjAxMTQwOTEwMzJaMBoxGDAWBgNVBAMT
D3Rlc3QuZ2xvYmUubmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
ALoD4xHktPSHH+zZBelr1R7AvyZ7xq+2asIzxc3YbvCnM8KiZUGNFXra1EAkPuxe
Q/WlX1LZYtTgm/EDQ4amJlKZ+m+5h2j5MEmmcfJjdM10W53zIxQyJshPnM4VG/ff
zoEIsGriGh4Ahh3GBy9+W4QAqMMO1l5nrKLicw6OL+BlABGLWAjQo+RwXnqytEd3
PigSYQTpjyhhPCN8n4j7km4LkEaitbUYcY7UB9JIlORvGrGyUBUhFOLpJZljzaNL
6J8QqAOEkdj0D5/+JtMGp38sn2T1qz3gdRD1em45BS4V6kubUwMhH6XX8CjdtayS
yUHCXKBfk8s13YNnwfvUMIECAwEAAaOCAkwwggJIMA4GA1UdDwEB/wQEAwIFoDAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAdBgNV
HQ4EFgQUMfgniek6OPX8mfIWRUrbcY8W/hEwHwYDVR0jBBgwFoAUFC6zF7dYVsuu
UAlA5h+vnYsUwsYwVQYIKwYBBQUHAQEESTBHMCEGCCsGAQUFBzABhhVodHRwOi8v
cjMuby5sZW5jci5vcmcwIgYIKwYBBQUHMAKGFmh0dHA6Ly9yMy5pLmxlbmNyLm9y
Zy8wGgYDVR0RBBMwEYIPdGVzdC5nbG9iZS5uYW1lMEwGA1UdIARFMEMwCAYGZ4EM
AQIBMDcGCysGAQQBgt8TAQEBMCgwJgYIKwYBBQUHAgEWGmh0dHA6Ly9jcHMubGV0
c2VuY3J5cHQub3JnMIIBBgYKKwYBBAHWeQIEAgSB9wSB9ADyAHcAKXm+8J45OSHw
VnOfY6V35b5XfZxgCvj5TV0mXCVdx4QAAAF8iJTsYwAABAMASDBGAiEAjKnhUe5a
kdJn4hzlq9Z7t35mGJrkJAm/1VA2yMEVtFACIQC2fTOQiMYWU9e5lucFv94Ck6+W
xkwdopCUZ4lkxlo2dAB3AG9Tdqwx8DEZ2JkApFEV/3cVHBHZAsEAKQaNsgiaN9kT
AAABfIiU7N8AAAQDAEgwRgIhAM1npYXyPhxNJ/HCitn7iY82ZpHwLO9p4fQnGtRh
nvN4AiEAndotW/xMKp/Yy6cbSLgb7K8+zheOvYkPONqlq0z1OYMwDQYJKoZIhvcN
AQELBQADggEBAA+urK26NVSR/fAfUznbi16NxZww6806GhJFdEfSq24BmOERhgFw
18s9IEBbOQq/gyjz/WT7c4tuNWrHPvxUjlxGRPYGnBmS8CHgj/QkvCxabKBfKOtp
kpAUjVu/X9B7IFjn0oItzLKII9OsTINuo4EU0cScoqtZMD+qntRz3fLwOXauPyK7
CkcIfhtJ3lLWGSLS7qQ3QocrLvSan67BBLZAqGNikZF7tA8T6NglZ9z53XOCM1BA
HFWOeyp5yZeyt3R8Sxc4oUP+xIJE+hsXtckYLsOmfMW9u5UBIgZb6FrphcaUuvK/
GZpDBk2uO+34VG2j6vG36ZccJEBToeGPVPE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
NHz6a4uPVymZ+DAXXbpyb/uBxa3Shlg9F8fnCbvxK/eG3MHacV3URuPMrSXBiLxg
Z3Vms/EY96Jc5lP/Ooi2R6X/ExjqmAl3P51T+c8B5fWmcBcUr2Ok/5mzk53cU6cG
/kiFHaFpriV1uxPMUgP17VGhi9sVAgMBAAGjggEIMIIBBDAOBgNVHQ8BAf8EBAMC
AYYwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMBMBIGA1UdEwEB/wQIMAYB
Af8CAQAwHQYDVR0OBBYEFBQusxe3WFbLrlAJQOYfr52LFMLGMB8GA1UdIwQYMBaA
FHm0WeZ7tuXkAXOACIjIGlj26ZtuMDIGCCsGAQUFBwEBBCYwJDAiBggrBgEFBQcw
AoYWaHR0cDovL3gxLmkubGVuY3Iub3JnLzAnBgNVHR8EIDAeMBygGqAYhhZodHRw
Oi8veDEuYy5sZW5jci5vcmcvMCIGA1UdIAQbMBkwCAYGZ4EMAQIBMA0GCysGAQQB
gt8TAQEBMA0GCSqGSIb3DQEBCwUAA4ICAQCFyk5HPqP3hUSFvNVneLKYY611TR6W
PTNlclQtgaDqw+34IL9fzLdwALduO/ZelN7kIJ+m74uyA+eitRY8kc607TkC53wl
ikfmZW4/RvTZ8M6UK+5UzhK8jCdLuMGYL6KvzXGRSgi3yLgjewQtCPkIVz6D2QQz
CkcheAmCJ8MqyJu5zlzyZMjAvnnAT45tRAxekrsu94sQ4egdRCnbWSDtY7kh+BIm
lJNXoB1lBMEKIq4QDUOXoRgffuDghje1WrG9ML+Hbisq/yFOGwXD9RiX8F6sw6W4
avAuvDszue5L3sz85K+EC4Y/wFVDNvZo4TYXao6Z0f+lQKc0t8DQYzk1OXVu8rp2
yJMC6alLbBfODALZvYH7n7do1AZls4I9d1P4jnkDrQoxB3UqQ9hVl3LEKQ73xF1O
yK5GhDDX8oVfGKF5u+decIsH4YaTw7mP3GFxJSqv3+0lUFJoi5Lc5da149p90Ids
hCExroL1+7mryIkXPeFM5TgO9r0rvZaBFOvV2z0gp35Z0+L4WPlbuEjN/lxPFin+
HlUjr8gRsI3qfJOQFy/9rKIJR0Y/8Omwt/8oTWgy1mdeHmmjk7j1nYsvC9JSQ6Zv
MldlTTKB3zhThV1+XWYp6rjd5JW1zbVWEkLNxE7GJThEUG3szgBVGP7pSWTUTsqX
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
```
does anyone have an idea how to repair the whole thing for all chains under "/etc/letsencrypt/archive/*/" at once?
maybe a bash script which processes all the subfolders in a loop ...
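A scripted version of the loop asked for here, added as an example and not code from the thread, from i-MSCP or from certbot. It assumes certbot's archive layout (`<archive>/<domain>/certN.pem`, `chainN.pem`, `fullchainN.pem`, with `live/<domain>/` symlinks pointing at the highest N) and that the replacement intermediate (the R3 block above) has already been saved to a file; all paths are placeholders and the directory tree used to exercise it is constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread, i-MSCP or certbot: re-chain every
# lineage under a certbot-style archive tree in one pass.
# Assumed layout (what certbot writes):
#   <archive>/<domain>/certN.pem, chainN.pem, fullchainN.pem
#   <live>/<domain>/fullchain.pem -> symlink into <archive> for the newest N
# For each lineage's newest N this does what the thread does by hand for N=1:
#   chainN.pem     := the new intermediate (e.g. the R3 block saved to a file)
#   fullchainN.pem := certN.pem + chainN.pem
# and keeps .bak copies of the files it overwrites.
set -e

# Print the highest N for which certN.pem exists in a lineage dir (0 if none).
latest_index() {
  local dir=$1 best=0 f n
  for f in "$dir"/cert[0-9]*.pem; do
    [ -e "$f" ] || continue
    n=${f##*/cert}
    n=${n%.pem}
    if [ "$n" -gt "$best" ]; then best=$n; fi
  done
  printf '%s\n' "$best"
}

# Sanity check on the replacement: it must hold at least one PEM certificate.
chain_file_ok() {
  grep -q -e '-----BEGIN CERTIFICATE-----' "$1" \
    && grep -q -e '-----END CERTIFICATE-----' "$1"
}

# Rewrite chainN.pem and fullchainN.pem of one lineage for its newest N.
# Returns 1 (and changes nothing) if the dir holds no certN.pem at all.
repair_lineage() {
  local dir=$1 newchain=$2 n
  n=$(latest_index "$dir")
  if [ "$n" -eq 0 ]; then
    printf 'skip %s: no certN.pem\n' "$dir" >&2
    return 1
  fi
  [ -e "$dir/chain$n.pem" ] && cp -p "$dir/chain$n.pem" "$dir/chain$n.pem.bak"
  [ -e "$dir/fullchain$n.pem" ] && cp -p "$dir/fullchain$n.pem" "$dir/fullchain$n.pem.bak"
  cp "$newchain" "$dir/chain$n.pem"
  cat "$dir/cert$n.pem" "$newchain" > "$dir/fullchain$n.pem"
  chmod 0644 "$dir/chain$n.pem" "$dir/fullchain$n.pem"
  printf 'repaired %s (lineage %s)\n' "$dir" "$n"
}

# Walk every lineage directory under the archive root.
repair_all() {
  local archive=$1 newchain=$2 d
  chain_file_ok "$newchain" || { printf 'refusing: %s is not a PEM chain\n' "$newchain" >&2; return 2; }
  for d in "$archive"/*/; do
    [ -d "$d" ] || continue
    repair_lineage "${d%/}" "$newchain" || true
  done
}

# Does live/<domain>/fullchain.pem point at the newest lineage file? If not,
# the repaired file is not the one the web server actually serves.
live_points_to_latest() {
  local archive=$1 live=$2 domain=$3 n target
  n=$(latest_index "$archive/$domain")
  target=$(readlink "$live/$domain/fullchain.pem") || return 1
  [ "$(basename "$target")" = "fullchain$n.pem" ]
}

# usage: repair_all /etc/letsencrypt/archive /root/r3-new-chain.pem   (placeholders)
```

Run it as `repair_all /etc/letsencrypt/archive /path/to/new-chain.pem`, then reload the services. Before trusting the result, verify one lineage against the new root, e.g. `openssl verify -CAfile isrgrootx1.pem -untrusted chainN.pem certN.pem`, and check with `live_points_to_latest` that the live symlinks really reference the lineage you rewrote; a lineage whose live link points at an older N would still serve the old chain.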
-
It seems we need to use the vege.net fix (OpenSSL.pm line 134) when running the i-MSCP re-configuration (installer) task ...
The panel & customer certs are marked as invalid after an i-MSCP re-configuration.
-
They all are created correctly for me... on all of my servers
The only issue is that sometimes you need to revoke and then recreate the certificate in order to work correctly.
works perfectly!
I had to clean up some old DST Root CA X3 stuff and had to use "sudo" for the snap install ...
Many thanks!
-
I have cleaned up some more stuff ... it works now. Also with Debian Buster!
see below
Undo Fix by vege.net (when in use) and DST Root CA X3 removal
Code:
```sh
rm /usr/share/ca-certificates/mozilla/lets-encrypt-r3.crt
rm /usr/lib/ssl/certs/2e5ac55d.0
# remove the certificate DST Root CA X3
nano /etc/ca-certificates.conf
#   change:
#     mozilla/DST_Root_CA_X3.crt
#   to:
#     !mozilla/DST_Root_CA_X3.crt
#   remove the line:
#     lets-encrypt-r3.crt
#   save
sudo update-ca-certificates -f
nano /var/www/imscp/engine/PerlLib/iMSCP/OpenSSL.pm
# re-activate line 134:
#   ( ( $self->{'ca_bundle_container_path'} ne '' ) ? ( '-CAfile', $self->{'ca_bundle_container_path'} ) : () ),
```
I've added some more stuff to the snap certbot fix!
Certbot Fix by kess:
Code:
```sh
# 1. Integrate the new LE CAs in your system:
mkdir /usr/share/ca-certificates/letsencrypt
curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
sudo dpkg-reconfigure ca-certificates
#    Here a dialog appears:
#    - In the first dialog choose "yes"
#    - In the second select your new 5 CA certificates to import and then click OK
#    - de-select the original ISRG Root X1 below
sudo apt remove certbot
sudo apt autoremove
sudo apt install snapd
sudo snap install core && sudo snap refresh core
sudo snap install --classic certbot
# 4. Edit the file & update the section as follows:
nano /var/www/imscp/gui/plugins/LetsEncrypt/config.php
#    'certbot_create_options' => [
#        '--preferred-chain ISRG Root X1'
#    ],
#    Save & close
# 5. Remove previous symlinks that could still exist, we'll fix them in the next steps:
rm /usr/bin/certbot
rm /usr/local/sbin/certbot
# 6. HIT THE "UPDATE PLUGINS" BUTTON (ControlPanel > Plugins)
# 7. Now it's time to fix the symlinks:
cd /
rm /usr/bin/certbot
ln -s /snap/bin/certbot /usr/bin/certbot
rm /usr/local/sbin/certbot
ln -s /usr/bin/certbot /usr/local/sbin/certbot
# 8. Now a little check:
sudo which certbot
#    Result:
#    /usr/local/sbin/certbot
sudo which -a certbot
#    Result:
#    /usr/local/sbin/certbot
#    /usr/bin/certbot
#    /snap/bin/certbot
# 9. And the final check:
/usr/local/sbin/certbot --version
#    Result:
#    certbot 1.20.0
# test:
sudo certbot renew --dry-run
# Now your system will have:
#    - The new CA from LE that it didn't have before
#    - The new supported version of certbot that knows the new chains
```
thanks a lot to: vege.net, kess, Athar, Nuxwin and everyone else who helped & suggested solutions
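Both the manual `/etc/ca-certificates.conf` edits in the undo post above (turn `mozilla/DST_Root_CA_X3.crt` into `!mozilla/DST_Root_CA_X3.crt`, drop the `lets-encrypt-r3.crt` line) and the `dpkg-reconfigure ca-certificates` selection in step 1 of the certbot fix come down to editing that one file. The functions below are an added example, not code from the thread, from kess or from Debian; they rely on the Debian conf format (one path per line relative to `/usr/share/ca-certificates`, a leading `!` keeps the file but deselects it, `#` starts a comment), make each edit idempotent so re-running a fix cannot duplicate or double-flip a line, and write through a temp file so an interrupted run cannot leave the conf truncated. The conf contents and directory used to exercise them are constructed.

```bash
#!/usr/bin/env bash
# Added example, not from the thread, kess or Debian: scripted, idempotent
# edits of a Debian-style /etc/ca-certificates.conf.
# Format assumed (Debian's): one entry per line relative to
# /usr/share/ca-certificates; a leading "!" deselects an entry; "#" comments.
# Every function takes the conf path as its first argument.
set -e

# Internal: rewrite the conf with the output of awk (remaining args = awk
# options and program), going through a temp file in the same directory.
_ca_rewrite() {
  local conf=$1 tmp
  shift
  tmp=$(mktemp "$conf.XXXXXX")
  awk "$@" "$conf" > "$tmp"
  mv "$tmp" "$conf"
}

# Is the entry present and enabled (listed without a leading "!")?
ca_enabled() { grep -qxF -- "$2" "$1"; }

# Deselect an entry: "mozilla/DST_Root_CA_X3.crt" -> "!mozilla/DST_Root_CA_X3.crt".
# Already-disabled or absent entries are left alone.
ca_disable() {
  _ca_rewrite "$1" -v e="$2" '$0 == e { print "!" e; next } { print }'
}

# Re-select a previously deselected entry.
ca_enable() {
  _ca_rewrite "$1" -v e="$2" '$0 == "!" e { print e; next } { print }'
}

# Add an entry (enabled) unless it is already listed in either state.
ca_add() {
  if grep -qxF -e "$2" -e "!$2" "$1"; then return 0; fi
  printf '%s\n' "$2" >> "$1"
}

# Drop an entry entirely, whichever state it is in.
ca_remove() {
  _ca_rewrite "$1" -v e="$2" '$0 == e || $0 == "!" e { next } { print }'
}

# Register every *.crt under <share root>/<subdir> (e.g. the "letsencrypt"
# directory the thread creates). The optional third argument overrides the
# share root, which defaults to /usr/share/ca-certificates.
ca_add_dir() {
  local conf=$1 sub=$2 root=${3:-/usr/share/ca-certificates} f
  for f in "$root/$sub"/*.crt; do
    [ -e "$f" ] || continue
    ca_add "$conf" "$sub/$(basename "$f")"
  done
}

# After editing, regenerate the bundle (as in the thread): update-ca-certificates -f
```

The download step is deliberately left out; if you script it, drop `--insecure` so the root certificates themselves arrive over a verified connection, and finish with `update-ca-certificates -f` as the posts do so that `/etc/ssl/certs` and the bundle match the conf.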
-
I just got a little issue: when I disabled the "cross-signed" certificate in ca-certificates, I wasn't able to use curl with sites based on Let's Encrypt SSL certs.
Thank you for the details!
Could you give us a list of the CA certs which have been added & removed?
on my test VPS this one is still in place