Whether to overwrite self-signed certs
In this post, a user had to delete self-signed certs manually before downloading ISPConfig 3.2 and running update.php to secure his server.
I noted that in our previous discussions on securing ISPConfig on install or update, we decided not to overwrite or rename existing certs in /usr/local/ispconfig/interface/ssl/ since there may be certs from SSL cert providers other than LE.
Now, thinking about it, I think we should overwrite or rename self-signed certs, as they can be confirmed with "openssl verify -CAfile self_signed_cert.pem self_signed_cert.pem", which will return "ok" as mentioned in here, since those with self-signed certs normally want these to be replaced with LE SSL certs on ISPConfig update.
If all agree, then we should modify installer_base.lib.php to include that check somewhere on or before this in line 2867:
if ((!@is_dir($acme_cert_dir) || !@file_exists($check_acme_file) || !@file_exists($ssl_crt_file) || md5_file($check_acme_file) != md5_file($ssl_crt_file)) && $ip_address_match == true) {
I will try to help on this if we are in agreement but first please advise all of your views on this.
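The self-signed check proposed in the post, as an added shell example (not ISPConfig code and not from the original post). The function names `is_self_signed` and `demo` and the throwaway certificates are constructed for illustration. It tests only the first certificate in the file, so a provider bundle that also carries its own root is not mistaken for a self-signed cert.

```shell
#!/bin/sh
# is_self_signed FILE exit status:
#   0 = first certificate in FILE is self-signed
#   1 = it is not, or it fails verification (e.g. expired): leave it alone
#   2 = FILE is missing or holds no parseable certificate
is_self_signed() {
    [ -r "$1" ] || return 2
    first=$(mktemp) || return 2
    # Copy only the first certificate: a bundle that also contains its root
    # can verify against itself although the leaf was issued by a CA.
    if ! openssl x509 -in "$1" -out "$first" 2>/dev/null; then
        rm -f "$first"; return 2
    fi
    subject=$(openssl x509 -in "$first" -noout -subject_hash)
    issuer=$(openssl x509 -in "$first" -noout -issuer_hash)
    status=1
    # Subject equals issuer, and the signature verifies with the cert's own
    # key (the "openssl verify" test quoted in the post).
    if [ "$subject" = "$issuer" ] &&
       openssl verify -CAfile "$first" "$first" >/dev/null 2>&1; then
        status=0
    fi
    rm -f "$first"
    return $status
}

# Constructed sample data: a self-signed cert, a CA-issued leaf, and a
# bundle of leaf plus CA. Prints the status of each.
demo() {
    d=$(mktemp -d) || return 2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=self.example" \
        -keyout "$d/self.key" -out "$d/self.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=leaf.example" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/ca.crt" > "$d/bundle.crt"
    out=""
    for f in self leaf bundle; do
        r=0; is_self_signed "$d/$f.crt" || r=$?
        out="$out $f=$r"
    done
    rm -rf "$d"
    echo "${out# }"
}

[ "${1:-}" != demo ] || demo
```

Run the script with the argument `demo` to print the three statuses. An expired self-signed cert reports status 1, so under this check it would be kept rather than replaced.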