
Let's Encrypt: auto cleanup & ECC

Daniel Jagszent requested to merge d--j/ispconfig3:certbot_cleanup into develop


ECC certificates

You can optionally tell certbot/acme.sh to issue ECDSA certificates. This is the default for new installs. ISPConfig treats this setting as a preference: when your version of certbot/acme.sh is too old, it automatically falls back to RSA certificates.

Garbage collection

When enabled (enabled by default for new installs), ISPConfig will automatically remove certbot/acme.sh-issued certificates that are no longer used.

You can specify a list of domains that should never be automatically deleted. If you use certbot/acme.sh on your server outside ISPConfig, you should list all of those domains in the deny list; otherwise ISPConfig will automatically remove their certificates.

The garbage collection happens weekly. It is a two-step process:

  1. Iterate over all sites (active and disabled) of the current server that have a Let's Encrypt certificate and mark certificates as used:
    • If the site is active, the serial number of the used certificate always gets marked as used, even when the certificate is expired or revoked.
    • If the site is disabled, the serial number of the certificate only gets marked as used when the certificate is still valid.
  2. Iterate over the list of all certificates known to certbot/acme.sh and:
    • Skip when the serial number was marked as used in step 1.
    • Skip when any of the domains of the certificate is a wildcard domain. ISPConfig cannot issue these certificates, so any wildcard certificate has to be an externally managed certificate.
    • Skip when any item of the deny list (configurable in the server settings; default is the ISPConfig server hostname) matches (shell-style matching) any of the domains of the certificate.
    • At this point we consider the certificate garbage and delete it.
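The two-step sweep described above, written out as an added Python example that is not ISPConfig's own code: the Cert fields, the timestamps, the six sample certificates and the deny list are constructed for illustration, and "still valid" is modelled as not expired and not revoked.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from fnmatch import fnmatchcase

@dataclass(frozen=True)
class Cert:
    serial: str                 # hex serial as certbot/acme.sh report it
    domains: tuple[str, ...]
    not_after: datetime
    revoked: bool = False

def mark_used_serials(sites, now):
    """Step 1: serials of certificates that sites still rely on (sites = [(active, cert)])."""
    used = set()
    for active, cert in sites:
        if active:              # active site: always used, even if expired or revoked
            used.add(cert.serial)
        elif cert.not_after > now and not cert.revoked:
            used.add(cert.serial)   # disabled site: used only while still valid
    return used

def select_garbage(known, used, deny_list):
    """Step 2: apply the skip rules in order; whatever survives is garbage."""
    garbage = []
    for c in known:
        if c.serial in used:
            continue            # still referenced by a site
        if any(d.startswith("*.") for d in c.domains):
            continue            # wildcard: externally managed, never touch it
        if any(fnmatchcase(d.lower(), p.lower()) for p in deny_list for d in c.domains):
            continue            # a deny-list pattern matches (shell-style) one of the names
        garbage.append(c)
    return garbage

# Constructed sample data (not from the page): a reference time and six certificates.
NOW = datetime(2024, 7, 27, tzinfo=timezone.utc)
PAST, FUTURE = datetime(2024, 1, 1, tzinfo=timezone.utc), datetime(2024, 9, 1, tzinfo=timezone.utc)
ACTIVE_EXPIRED = Cert("0x01", ("shop.example.com",), PAST)
DISABLED_EXPIRED = Cert("0x02", ("old.example.com",), PAST)
DISABLED_VALID = Cert("0x03", ("parked.example.com",), FUTURE)
WILDCARD = Cert("0x04", ("*.example.com",), FUTURE)
DENIED = Cert("0x05", ("mail.example.net", "server1.example.net"), PAST)
ORPHAN = Cert("0x06", ("gone.example.com",), FUTURE)
KNOWN = [ACTIVE_EXPIRED, DISABLED_EXPIRED, DISABLED_VALID, WILDCARD, DENIED, ORPHAN]
SITES = [(True, ACTIVE_EXPIRED), (False, DISABLED_EXPIRED), (False, DISABLED_VALID)]
DENY_LIST = ["server1.example.net"]   # default deny list is the ISPConfig server hostname

def run_gc():
    return [c.serial for c in select_garbage(KNOWN, mark_used_serials(SITES, NOW), DENY_LIST)]
```

Only the expired certificate of the disabled site and the certificate no site references survive every skip rule; the expired certificate of the active site, the wildcard and the deny-listed hostname are all left alone.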

CLI command

This MR also introduces a new CLI module that can be used to examine your server's Let's Encrypt certificates and force-remove expired certificates.

$ /usr/local/ispconfig/server/cli/ispc letsencrypt list

Getting all certificates…
╔══════╤═════════════════════════════════╤═══════════════════╤════════════════════════════════════════╤═════════════════════════════════════╗
║ type │ id                              │ valid info        │ serial                                 │ domains                             ║
╟──────┼─────────────────────────────────┼───────────────────┼────────────────────────────────────────┼─────────────────────────────────────╢
║ RSA  │ domain.example.com              │ yes 58 days valid │ 0x0407C4BB93910C18DEF08D5468C5460514E8 │ • domain.example.com                ║
║      │                                 │                   │                                        │ • www.domain.example.com            ║
╟──────┼─────────────────────────────────┼───────────────────┼────────────────────────────────────────┼─────────────────────────────────────╢
║ RSA  │ *.example.com                   │ yes 62 days valid │ 0x04DEFA4E60858891D0563BE717A7DEDBC33B │ • *.example.com                     ║
╚══════╧═════════════════════════════════╧═══════════════════╧════════════════════════════════════════╧═════════════════════════════════════╝

Todos before this MR can be merged

  • Test certbot code
  • Test acme.sh code
  • Update all language files besides en

Fixes #5226
Fixes #6563
Fixes #6746

Edited by Daniel Jagszent
