Hello guys,
here you can find the solution I've adopted in order to get the systems working with every type of certificate (self-signed, from a CA or Let's Encrypt).
I didn't change anything at all in the code of i-MSCP; everything is original.
The following has been tested ONLY on Debian Stretch x64, with a standard i-MSCP installation. No strange things.
1. Integrate the new LE CAs in your system:
- mkdir /usr/share/ca-certificates/letsencrypt
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrgrootx1.crt https://letsencrypt.org/certs/isrgrootx1.pem
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x2.crt https://letsencrypt.org/certs/isrg-root-x2.pem
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/isrg-root-x1-cross-signed.crt https://letsencrypt.org/certs/isrg-root-x1-cross-signed.pem
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3.crt https://letsencrypt.org/certs/lets-encrypt-r3.pem
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r3-cross-signed.crt https://letsencrypt.org/certs/lets-encrypt-r3-cross-signed.pem
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-r4.crt https://letsencrypt.org/certs/lets-encrypt-r4.pem
- curl --insecure -Lo /usr/share/ca-certificates/letsencrypt/lets-encrypt-e2.crt https://letsencrypt.org/certs/lets-encrypt-e2.pem
- dpkg-reconfigure ca-certificates
Here a dialog appears.
- In the first dialog choose "yes"
- In the second select your new 7 CA certificates to import and then click OK
The result should be as follows:
- Updating certificates in /etc/ssl/certs...
- 7 added, 0 removed; done.
- Running hooks in /etc/ca-certificates/update.d...
- done.
2. Remove any previous certbot versions:
3. Install the new and supported certbot version
- apt install snapd
- snap install core && snap refresh core
- snap install --classic certbot
4. Optional, but recommended, edit the file /var/www/imscp/gui/plugins/LetsEncrypt/config.php and update the section as follows:
- 'certbot_create_options' => [
- '--preferred-chain ISRG Root X1'
- ],
Save and close;
5. Remove previous symlinks that could still exist; we'll fix them in the next steps:
- rm /usr/bin/certbot
- rm /usr/local/sbin/certbot
6. HIT THE "UPDATE PLUGINS" BUTTON here: https://your.server.panel:1234/admin/settings_plugins.php
If everything goes well, the LE Plugin will reconfigure.
7. Now it's time to fix the symlinks:
- rm /usr/bin/certbot
- ln -s /snap/bin/certbot /usr/bin/certbot
- rm /usr/local/sbin/certbot
- ln -s /usr/bin/certbot /usr/local/sbin/certbot
8. Now a little check:
- which certbot
- Result:
- - /usr/local/sbin/certbot
- which -a certbot
- Result:
- - /usr/local/sbin/certbot
- - /usr/bin/certbot
- - /snap/bin/certbot
9. And the final check:
- /usr/local/sbin/certbot --version
- Result:
- certbot 1.19.0
Now your system will have:
- The new CA from LE that it didn't have before
- The new supported version of certbot that knows the new chains
I tested the procedure on several boxes and it works for certificate creation and for certificate revocation. I don't know if it works for renewals. Please test it and kindly report back.
Hope it helps,
bye Kess.
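
Added example, not part of the original post: the downloads in step 1 use `curl --insecure`, so TLS does not authenticate the files that are about to become trust anchors. The script below compares each downloaded certificate's SHA-256 fingerprint with values the operator obtained over a verified channel, and is meant to be run before `dpkg-reconfigure ca-certificates`. The function names, the script name and the pin-file format are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post). Function names and the
# pin-file format "<sha256-fingerprint> <filename>" are assumptions.

# Print the SHA-256 of the DER bytes of the first certificate in a PEM file:
# the value `openssl x509 -noout -fingerprint -sha256` shows, as plain hex.
pem_sha256() {
    body=$(awk '/^-----BEGIN CERTIFICATE-----/ {on=1; next}
                /^-----END CERTIFICATE-----/   {exit}
                on {gsub(/\r/, ""); print}' "$1")
    [ -n "$body" ] || return 1          # no certificate block found
    printf '%s\n' "$body" | base64 -d 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Accept "AB:CD:..." or "abcd..." spellings of a fingerprint.
normalize_fp() {
    printf '%s' "$1" | tr -d ': ' | tr 'A-F' 'a-f'
}

# verify_pins DIR PINFILE -> 0 only if every pinned file matches and
# no unpinned .crt file is present in DIR.
verify_pins() {
    dir=$1; pins=$2; rc=0
    while read -r fp name || [ -n "$fp" ]; do
        case $fp in ''|\#*) continue ;; esac
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $name"; rc=1; continue
        fi
        got=$(pem_sha256 "$dir/$name") || got=none
        if [ "$got" = "$(normalize_fp "$fp")" ]; then
            echo "OK       $name"
        else
            echo "MISMATCH $name (got $got)"; rc=1
        fi
    done < "$pins"
    for f in "$dir"/*.crt; do
        [ -e "$f" ] || continue
        base=${f##*/}
        awk -v n="$base" '$2 == n {hit=1} END {exit !hit}' "$pins" ||
            { echo "UNPINNED $base"; rc=1; }
    done
    return $rc
}

# Usage: sh verify-le-cas.sh /usr/share/ca-certificates/letsencrypt pins.txt
if [ "$#" -eq 2 ]; then verify_pins "$1" "$2"; fi
```

A non-zero exit status means at least one file is missing, does not match its pin, or is not listed in the pin file at all, and the directory should not be imported until that is resolved.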