Let's Encrypt: auto cleanup & ECC
ECC certificates
You can optionally tell certbot/acme.sh to issue ECDSA certificates. This is the default for new installs. ISPConfig treats this setting as a preference: if your version of certbot/acme.sh is too old, it automatically falls back to RSA certificates.
Garbage collection
When enabled (enabled by default for new installs) ISPConfig will automatically remove certbot/acme.sh issued certificates that do not get used anymore.
You can specify a list of domains that should never be automatically deleted. If you use certbot/acme.sh on your server outside ISPConfig, you should list all of those domains in the deny list; otherwise ISPConfig will automatically remove their certificates.
The garbage collection happens weekly. It is a two-step process:
- Step 1: Iterate over all sites (active and disabled) of the current server that have a Let's Encrypt certificate and mark their certificates as used:
  - If the site is active, the serial number of the used certificate always gets marked as used, even when the certificate is expired or revoked.
  - If the site is disabled, the serial number of the certificate only gets marked as used when the certificate is still valid.
- Step 2: Iterate over a list of all known certificates from certbot/acme.sh and:
  - Skip when the serial number was marked as used in step 1.
  - Skip when any of the domains of the certificate is a wildcard domain. ISPConfig cannot issue these certificates, so any wildcard certificate has to be an externally managed certificate.
  - Skip when any item of the deny list (configurable in the server settings; default is the ISPConfig server hostname) matches (shell-style matching) any of the domains of the certificate.
  - At this point we consider the certificate as garbage and delete it.
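The two steps above, written out as a small Python model so the decision rules can be checked against concrete data. This is an added example, not ISPConfig's own code: the Cert and Site records, the serial numbers, domain names, dates and the deny list are constructed for the example, and shell-style matching is assumed to be case-sensitive (fnmatchcase), since domain names are lowercase.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase


@dataclass
class Cert:
    """A certificate as certbot/acme.sh would know it (constructed for this example)."""
    serial: str
    domains: list
    not_after: datetime
    revoked: bool = False


@dataclass
class Site:
    """An ISPConfig site on this server with the serial of its current LE certificate."""
    domain: str
    active: bool
    cert_serial: str


def is_valid(cert: Cert, now: datetime) -> bool:
    """A certificate counts as valid when it is neither expired nor revoked."""
    return cert.not_after > now and not cert.revoked


def mark_used_serials(sites, certs_by_serial, now):
    """Step 1: walk every site (active and disabled) that has a Let's Encrypt
    certificate and collect the serial numbers that must survive collection."""
    used = set()
    for site in sites:
        cert = certs_by_serial.get(site.cert_serial)
        if cert is None:
            continue  # site references a cert certbot/acme.sh no longer knows
        if site.active:
            used.add(cert.serial)  # active: kept even if expired or revoked
        elif is_valid(cert, now):
            used.add(cert.serial)  # disabled: kept only while still valid
    return used


def is_denied(cert, deny_list):
    """Shell-style (fnmatch) comparison of every deny-list entry against every
    domain on the certificate; assumed case-sensitive, as domains are lowercase."""
    return any(fnmatchcase(d, pattern) for d in cert.domains for pattern in deny_list)


def collect_garbage(certs, used, deny_list):
    """Step 2: decide per known certificate whether it is garbage. Returns serials."""
    garbage = []
    for cert in certs:
        if cert.serial in used:
            continue  # marked in step 1
        if any("*" in d for d in cert.domains):
            continue  # wildcard: ISPConfig never issued it, so it is externally managed
        if is_denied(cert, deny_list):
            continue  # protected by the deny list
        garbage.append(cert.serial)
    return garbage


def run_gc(sites, certs, deny_list, now=None):
    """Both steps together; returns the serials that would be deleted."""
    now = now or datetime.now(timezone.utc)
    by_serial = {c.serial: c for c in certs}
    return collect_garbage(certs, mark_used_serials(sites, by_serial, now), deny_list)


# Constructed sample data (serials, names and dates are made up).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
VALID = datetime(2024, 8, 1, tzinfo=timezone.utc)
EXPIRED = datetime(2024, 3, 1, tzinfo=timezone.utc)

CERTS = [
    Cert("0x01", ["domain.example.com", "www.domain.example.com"], VALID),
    Cert("0x02", ["old.example.com"], EXPIRED),        # active site, expired
    Cert("0x03", ["disabled.example.com"], EXPIRED),   # disabled site, expired
    Cert("0x04", ["parked.example.com"], VALID),       # disabled site, still valid
    Cert("0x05", ["*.example.com"], VALID),            # wildcard, no site
    Cert("0x06", ["server1.example.com"], VALID),      # server hostname (deny list)
    Cert("0x07", ["mail.example.com"], VALID),         # matches deny pattern mail.*
    Cert("0x08", ["orphan.example.com"], VALID),       # no site references it
]
SITES = [
    Site("domain.example.com", True, "0x01"),
    Site("old.example.com", True, "0x02"),
    Site("disabled.example.com", False, "0x03"),
    Site("parked.example.com", False, "0x04"),
]
DENY_LIST = ["server1.example.com", "mail.*"]  # hostname default plus one custom pattern

if __name__ == "__main__":
    for serial in run_gc(SITES, CERTS, DENY_LIST, now=NOW):
        print("would delete", serial)  # 0x03 and 0x08
```

Running it shows why the deny list matters for externally managed certificates: 0x07 survives only because of the "mail.*" pattern, while 0x08, which nothing references and nothing protects, is removed.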
CLI command
This MR also introduces a new CLI module that can be used to examine your server's Let's Encrypt certificates and force-remove expired certificates.
$ /usr/local/ispconfig/server/cli/ispc letsencrypt list
Getting all certificates…
╔══════╤═════════════════════════════════╤═══════════════════╤════════════════════════════════════════╤═════════════════════════════════════╗
║ type │ id                              │ valid info        │ serial                                 │ domains                             ║
╟──────┼─────────────────────────────────┼───────────────────┼────────────────────────────────────────┼─────────────────────────────────────╢
║ RSA  │ domain.example.com              │ yes 58 days valid │ 0x0407C4BB93910C18DEF08D5468C5460514E8 │ • domain.example.com                ║
║      │                                 │                   │                                        │ • www.domain.example.com            ║
╟──────┼─────────────────────────────────┼───────────────────┼────────────────────────────────────────┼─────────────────────────────────────╢
║ RSA  │ *.example.com                   │ yes 62 days valid │ 0x04DEFA4E60858891D0563BE717A7DEDBC33B │ • *.example.com                     ║
╚══════╧═════════════════════════════════╧═══════════════════╧════════════════════════════════════════╧═════════════════════════════════════╝
Todos before this MR can be merged
- Test certbot code
- Test acme.sh code
- Update all language files besides en