Comments on Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate
This tutorial shows how to create and configure a free Let's encrypt SSL certificate for the ISPconfig interface (port 8080), the email system (Postfix and Dovecot/Courier), the FTP server (pure-ftpd) and Monit.
63 Comment(s)
Comments
Thank you for the tutorial
How can I test if the auto-renew script renewal works well? With the incrontab -l command I get this, is it correct?
/etc/letsencrypt/archive/$(hostname 0 IN_MODIFY ./etc/init.d/le_ispc_pem.sh
I don't think so, try the real hostname.
I had the same.
This is incorrect:
/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
The space in the $(hostname -f) part will break processing.
Instead, type out the full hostname of your server in that line:
/etc/letsencrypt/archive/thisismyserver.nl/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
This will respect the incrontab format:
<path> <mask> <command>
More on this linux.die.net incrontab man page.
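An added check for the incrontab problem described above (this is example code, not part of the tutorial or of any comment): incrond reads each table line as three space-separated fields and never passes it through a shell, so "$(hostname -f)" stays literal and the space inside it shifts every field. The validator below flags exactly that, plus entries with too few fields, an unknown event mask, or a non-absolute command path (the check is stricter than the tutorial, which uses "./etc/init.d/le_ispc_pem.sh"). The two entries at the bottom are constructed samples; check_incrontab runs the same check over the live table of the current user.

```shell
#!/bin/sh
# Added example (not from the tutorial or any commenter): validate incrontab
# entries of the form "<path> <mask> <command>" before installing them.

# check_incron_entry LINE -> prints a verdict; returns 0 only for a usable entry
check_incron_entry() {
    line=$1
    set -f                      # no pathname expansion while splitting the fields
    # shellcheck disable=SC2086
    set -- $line
    set +f
    if [ $# -lt 3 ]; then
        echo "error: expected '<path> <mask> <command>', got $# field(s)"
        return 1
    fi
    path=$1; mask=$2; shift 2; cmd=$*
    case $path in
        *'$('*|*'`'*) echo "error: path '$path' contains an unexpanded shell substitution"; return 1 ;;
        /*) ;;
        *)  echo "error: path '$path' is not absolute"; return 1 ;;
    esac
    case $mask in
        IN_MODIFY|IN_CLOSE_WRITE|IN_CREATE|IN_DELETE|IN_MOVED_TO|IN_ALL_EVENTS) ;;
        *) echo "error: unknown event mask '$mask'"; return 1 ;;
    esac
    case $cmd in
        /*) echo "ok: watch $path for $mask and run $cmd"; return 0 ;;
        *)  echo "error: command '$cmd' should be an absolute path"; return 1 ;;
    esac
}

# check_incrontab -> run the check over every non-comment line of the current table
check_incrontab() {
    incrontab -l 2>/dev/null | grep -v '^#' | while IFS= read -r entry; do
        check_incron_entry "$entry"
    done
}

# Demo on two constructed entries: the shape the tutorial prints, and a corrected one
check_incron_entry '/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh' || true
check_incron_entry '/etc/letsencrypt/archive/server.example.com/ IN_MODIFY /etc/init.d/le_ispc_pem.sh'
```

Run it as root after editing the table (`check_incrontab`); an "error:" line means the watch will never fire, which is what the commenters above saw when the line was silently truncated after "hostname".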
Thanks for this tutorial.
I’ve a suggestion. Instead of symlinking '/etc/letsencrypt/live/…' one should symlink the SSL certs in the SSL folder of the website ('/var/www/clients/clientX/webY/ssl/…') as Till suggests here:
https://git.ispconfig.org/ispconfig/ispconfig3/issues/4589#note_62298
Problem is that the LE path can change under some circumstances described in the issue mentioned above.
Thanks. Really interesting piece of information. May I ask how you would do the 'trick' when the setup of ISPConfig is done with more than one server? First thought... copying the same certificates to the other servers, I guess? Requesting new ones isn't a good idea, I guess. I'd really like to know how to solve such a setup. Enjoy your weekend!
Thank for this tutorial. And for the auto-renew script!
How can I add the mail subdomain (mail.domain.tld) to the LE certificate? At this time, I have only domain.tld and www.domain.tld in the LE certificate, according to: openssl x509 -in /etc/letsencrypt/live/domain.tld/fullchain.pem -noout -text
Will my clients need to update their email settings on their devices if I was to install SSL on my server. It says in description: "This tutorial shows how to create and configure a free Let's encrypt SSL certificate for the ISPconfig interface (port 8080), the email system (Postfix and Dovecot/Courier), the FTP server (pure-ftpd) and Monit."?
Very useful! Thanks for this great tutorial!
Hi !
Good Job, but there is an error in syslog for pure-ftpd. pure-ftpd-dhparams.pem is missing.
So, add ln -s /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem and service pure-ftpd-mysql restart.
Thx
Or use after ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem:
openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048
and restart
service pure-ftpd-mysql restart
# These lines work better as a script, for example generate-ispconfig-ssl.sh
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat /usr/local/ispconfig/interface/ssl/ispserver.key > /usr/local/ispconfig/interface/ssl/ispserver.pem
cat /usr/local/ispconfig/interface/ssl/ispserver.crt >> /usr/local/ispconfig/interface/ssl/ispserver.pem
chmod 600 ispserver.pem
Great job putting all of this together. Thx. PS. Remember always to use full paths on scripts.
apache2 cannot restart after following this. I will note I don't have ispserver.pem
Then you missed some commands from the tutorial, the file gets created in these lines:
cd /usr/local/ispconfig/interface/ssl/
.....
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
OS: Debian 9 Stretch
ISP version: 3.1.11
Hi,
first of all thanks for tut :) .
I have some issues with the installation of LE for my ISPConfig CP ... I followed this guide for the ISPConfig installation, and I also installed a self-signed cert during setup. I created a website exactly matching my server hostname (btw. it's the first site in my ISPConfig) as you said, but when I check in the browser I get only the Apache page; also when I check the SSL and LE flags they disappear after the ISPConfig page refreshes.
LE was installed with this command: sudo apt-get install python-certbot-apache -t stretch-backports
and command sudo certbot --authenticator webroot --installer apache
at the step asking which names I would like to activate HTTPS for I press c just to activate LE; later with the same command above I try to install the cert for the server website. At the webroot input step I put /var/www/clients/client1/web1/web as usual, but after that I get an error:
Failed authorization procedure. ---.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://---/.well-known/acme-challenge/uCeBBgn4hIBBL_6c741y2OAtLxne6ij-o8Xncftu-ik: Timeout after connect (your server may be slow or overloaded)
IMPORTANT NOTES:
- The following errors were reported by the server:
Domain:---
Type: connection
Detail: Fetching
http://---/.well-known/acme-challenge/uCeBBgn4hIBBL_6c741y2OAtLxne6ij-o8Xncftu-ik:
Timeout after connect (your server may be slow or overloaded)
To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Any help please :)
thx for this tutorial
For Webmin:
cd /etc/webmin/
mv miniserv.pem miniserv.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem miniserv.pem
/etc/webmin/stop
/etc/webmin/start
Hello, after following this tutorial, I get an IDS (intrusion detection) alert. Is this because I have added the incron user? Is there anything I should do, like re-run the IDS script?
Thanks
I was looking for a solution to provide auto-renewal of the ispserver.pem file without installing any additional software. I wrote a script which, after adding it to cron, checks the dates of fullchain.pem and privkey.pem and compares them to default values. Each user has to set these default values for privkey.pem and fullchain.pem on their own by converting their dates (enter the directory /etc/letsencrypt/live/s1.example.net/ and simply run "ls -l") to epoch format using for example https://www.epochconverter.com/:
#!/bin/bash
# This script is developed for renewing the cert used by Monit and other applications
# which will have been provided with Let's Encrypt certs
# add to cronjob each midnight
# epoch format of .key and .crt files - the user needs to configure this manually
epoch_ispcrt_default=1520924890
epoch_ispkey_default=1520924890
ispcrt_date_current=`stat -c "%y" /etc/letsencrypt/live/s1.poliman.net/fullchain.pem`
ispkey_date_current=`stat -c "%y" /etc/letsencrypt/live/s1.poliman.net/privkey.pem`
# epoch format for current file modification dates
epoch_ispcrt=`date -d "$ispcrt_date_current" +%s`
epoch_ispkey=`date -d "$ispkey_date_current" +%s`
# left value has to be greater than right value
if [ $epoch_ispcrt -gt $epoch_ispcrt_default ] && [ $epoch_ispkey -gt $epoch_ispkey_default ]
then
    # assignments carry no leading "$" (the posted "$var=..." form fails in bash);
    # note that they only last for this run of the script
    epoch_ispcrt_default=$epoch_ispcrt
    epoch_ispkey_default=$epoch_ispkey
    cd /usr/local/ispconfig/interface/ssl
    if [ -f "ispserver.pem" ]
    then
        mv ispserver.pem ispserver.pem-`date +"%y-%m-%d-%H:%M:%S"`.bak
    fi
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    # restarting required services
    service monit restart
else
    # log_file.log will be created in the current working directory of the cron job
    echo "Log-->$(date +%y-%m-%d-%H:%M:%S) Compare thinks that variables are even or less, so we don't have to do anything with ispserver.pem." >> log_file.log
fi
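An added alternative to the epoch-comparison script above (example code, not the commenter's script or anything from the tutorial): the shell's own "newer than" test (-nt, supported by dash and bash) compares the Let's Encrypt files against ispserver.pem directly, so no hand-converted epoch values are needed and nothing has to be edited after each renewal. The directories are parameters so the logic can be exercised on a scratch tree; in production they would be /etc/letsencrypt/live/<hostname> and /usr/local/ispconfig/interface/ssl, and the bundle order (key, then certificate chain) follows the tutorial's "cat ispserver.{key,crt}". The demo files are placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not the commenter's script): rebuild ispserver.pem only when the
# Let's Encrypt files are newer than it.

# pem_is_stale LIVE_DIR SSL_DIR -> 0 when ispserver.pem is missing or older than
# privkey.pem or fullchain.pem, 1 otherwise
pem_is_stale() {
    live=$1; ssl=$2
    [ -f "$ssl/ispserver.pem" ] || return 0
    [ "$live/privkey.pem" -nt "$ssl/ispserver.pem" ] && return 0
    [ "$live/fullchain.pem" -nt "$ssl/ispserver.pem" ] && return 0
    return 1
}

# rebuild_pem LIVE_DIR SSL_DIR -> back up the old bundle, write key then chain into a
# root-only temp file and move it into place atomically; prints "rebuilt" or "unchanged"
rebuild_pem() {
    live=$1; ssl=$2
    if ! pem_is_stale "$live" "$ssl"; then
        echo "unchanged"
        return 0
    fi
    if [ -f "$ssl/ispserver.pem" ]; then
        mv "$ssl/ispserver.pem" "$ssl/ispserver.pem-$(date +%y%m%d%H%M%S).bak"
    fi
    cat "$live/privkey.pem" "$live/fullchain.pem" > "$ssl/ispserver.pem.tmp" &&
        chmod 600 "$ssl/ispserver.pem.tmp" &&
        mv "$ssl/ispserver.pem.tmp" "$ssl/ispserver.pem"
    echo "rebuilt"
    # In production the consumers are restarted here, e.g. service monit restart
}

# Demo on a constructed scratch tree with placeholder contents (not real key material)
demo_root=$(mktemp -d)
mkdir -p "$demo_root/live" "$demo_root/ssl"
printf 'PLACEHOLDER KEY\n' > "$demo_root/live/privkey.pem"
printf 'PLACEHOLDER CHAIN\n' > "$demo_root/live/fullchain.pem"
rebuild_pem "$demo_root/live" "$demo_root/ssl"     # rebuilt
rebuild_pem "$demo_root/live" "$demo_root/ssl"     # unchanged
rm -rf "$demo_root"
```

Running it from a daily cron job as root is enough: a renewal replaces the files under live/, the next run sees them as newer and rebuilds the bundle; every other run reports "unchanged" and touches nothing.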
After installing the SSL with the above steps, Once the server restarted can not able to start the Httpd service.What needs to be changed to get it done. Please suggest.
There is nothing that needs to be changed in the tutorial, the described steps are fine, I used them many times with success. Probably Let's encrypt did not issue a cert for your domain which causes Apache to fail now. If you need help in debugging why LE was not able to issue the SSL cert, then please post in the Forum here at HowtoForge.
Got only an error on monit. I have the folder but i'm not sure it is working:
root@xxx:/etc/monit/monitrc.d# cd ..
root@xxx:/etc/monit# ls
monitrc monitrc.d
root@xxx:/etc/monit# service monit restart
Failed to restart monit.service: Unit monit.service not found.
root@xxx:/# /etc/init.d/monit restart
-bash: /etc/init.d/monit: File o directory non esistente
Then you probably don't have monit installed.
Hello,
I followed this exactly and we are not receiving any mail. Everything else is great, including the LE SSL. (I notice that dovecot - I believe that's where the problem is - is rejecting all client hosts ( 554 5.7.1 <server1.example.com[valid-ipv4]>: Client host rejected:
Access denied (in reply to RCPT TO command))
I notice that dovecot looks for the .cert and .key in /etc/postfix/, and what we have done is rename those cert and key and provided symbolic links to the ispconfig cert and key in /usr/local/ispconfig/interface/ssl/, which aren't really there, because they have been renamed and symbolic links have been created to the Let's Encrypt files at /etc/letsencrypt/live/example.com/, which aren't really there either - they haven't been renamed, rather all that is there are symbolic links to the actual cert.pem and other files. Is this valid, to have 3 or 4 symbolic links chained like that? See this error message - could this be killing off dovecot, so that we are receiving no messages? Thanks for your help - otherwise it works great!
Aug 27 08:41:40 server1 postfix/postfix-script[20093]: warning: symlink leaves directory: /etc/postfix/./smtpd.key
Aug 27 08:41:40 server1 postfix/postfix-script[20096]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert
Aug 27 08:41:52 server1 dovecot: master: Warning: Killed with signal 15 (by pid=20154 uid=0 code=kill)
Hello again, (I just sent a submission about symlinks and postfix killing off dovecot)
We are receiving email now - we had an error in a postfix file that I corrected. I thought that there was some limit on symlink recursion, and the error/warning message was bizarre.
Best,
Ed
Thank you for the tutorial!
In my case, the letsencrypt script does not create a certificate.
In my log, I found the following error message:
KeyError: 'Directory field not found'
What can I do?
By the way: I use this function for lots of domains on my server but it fails for the servername itself.
I use the output hostname -f in this case.
I was getting errors
"root@debian:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem
cat: ispserver.key: No such file or directory
cat: ispserver.crt: No such file or directory"
when trying to follow this tutorial because I did not have subdomain.example.com under Sites > Websites with SSL and Let's Encrypt SSL enabled.
After I created subdomain.example.com under Sites > Websites and enabled SSL I was able to get past this error. You have to have a site for whatever hostname -f prints.
Hope it helps someone!
Hi,
if I understand this right, then customers should call the FTP server name via FQDN and not e.g. via their domain name, right? If so, is it possible to set a DNS alias like ftp.domain.tld so customers can remember this more easily?
On my brand new Ubuntu 18.04/ISPConfig 3.1 install, the certificate is only created if I skip the Let's Encrypt check: System > Server Config > Click on the server > Web > SSL Settings (at bottom of page) > Skip Lets Encrypt Check
I have an Ubuntu 16.04 server with ISPConfig 3.1, and I use Cloudflare to manage DNS. I'm trying to secure ISPConfig 3.1 Control Panel (Port 8080) with a Free Let's Encrypt SSL Certificate, by following this tutorial. I created the server website containing the FQDN. However, when I try to access through the browser, it keeps redirecting to another website I created beforehand. I checked the website folder and it is created with the default website. What should be the problem? Thank you for your help
It works perfectly, but I'm using Thunderbird as e-mail software and Thunderbird requires the intermediate certificate, the full chain, but this is not included in this tutorial, I guess. Can I add this to the fullchain.pem or some other file?
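Two questions in this thread (Ed's, about three or four symlinks chained behind /etc/postfix/smtpd.cert, and the Thunderbird one above, about whether the intermediate is served) can be answered on the server with a few checks. The script below is an added example, not part of the tutorial or of either comment: resolve_chain walks a symlink chain hop by hop (certbot's links under live/ are relative, so they are resolved against the link's own directory), cert_count counts the certificates in the bundle a service actually reads (a Let's Encrypt fullchain.pem carries the leaf and the intermediate, so anything below 2 explains a missing-chain error in a mail client), and keys_match confirms that the certificate and private key at the end of two chains belong together. keys_match needs the openssl CLI; the demo tree and its "PLACEHOLDER" bundle are constructed, not real certificates.

```shell
#!/bin/sh
# Added example (not from the tutorial or any commenter): sanity checks for the
# symlink chains the tutorial builds (ispserver.crt -> live/fullchain.pem -> archive/...).

# resolve_chain FILE -> prints each hop of a symlink chain; the last line is the real file
resolve_chain() {
    cur=$1
    while [ -L "$cur" ]; do
        echo "$cur"
        target=$(readlink "$cur")
        case $target in
            /*) cur=$target ;;
            *)  cur=$(dirname "$cur")/$target ;;  # relative link, as certbot creates under live/
        esac
    done
    echo "$cur"
}

# cert_count FILE -> number of certificates in a PEM bundle (symlinks are followed)
cert_count() {
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# keys_match CERT KEY -> 0 when the certificate's public key is the public half of
# the private key, 1 otherwise; openssl follows the symlinks itself
keys_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# write_placeholder_bundle FILE COUNT -> constructed stand-in for a PEM bundle
# (not real certificates), only to exercise cert_count and resolve_chain offline
write_placeholder_bundle() {
    : > "$1"
    i=0
    while [ "$i" -lt "$2" ]; do
        printf '%s\n%s\n%s\n' '-----BEGIN CERTIFICATE-----' 'PLACEHOLDER' '-----END CERTIFICATE-----' >> "$1"
        i=$((i + 1))
    done
}

# Demo on a scratch tree laid out like /etc/letsencrypt and the ISPConfig ssl directory
demo=$(mktemp -d)
mkdir -p "$demo/archive" "$demo/live" "$demo/ssl"
write_placeholder_bundle "$demo/archive/fullchain1.pem" 2
ln -s ../archive/fullchain1.pem "$demo/live/fullchain.pem"
ln -s "$demo/live/fullchain.pem" "$demo/ssl/ispserver.crt"
resolve_chain "$demo/ssl/ispserver.crt"
echo "certificates in bundle: $(cert_count "$demo/ssl/ispserver.crt")"
rm -rf "$demo"
```

On a real server the calls are `resolve_chain /etc/postfix/smtpd.cert`, `cert_count /etc/postfix/smtpd.cert` and `keys_match /etc/postfix/smtpd.cert /etc/postfix/smtpd.key`; the number of hops is irrelevant to Postfix and Dovecot as long as the final file exists, is readable by the service, and the key matches.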
If you follow the tutorial (especially the first steps for postfix) it must work! I checked it on several IPs. The only problem is that sometimes I got non-working SSL on ports 993 and 465 because of some incorrect settings in master.cf and main.cf -- that is why it is crucial to set up those files correctly.
Debian 8/9 and android mail, thunderbird, outlook 365 all working fine with TLS/SSL.
I suggest creating a website for the hostname (server) in ISPConfig, for example (rev name)
mail.somedomain.com
then, when the website is active and the DNS records (mail.somedomain.com) point to the IP correctly, you can issue Let's Encrypt via the website configuration. Then I suggest creating additional DNS records pointing to the domains:
smtp.somedomain.com, imap.somedomain.com, pop3.somedomain.com
after they are created, make a simple ALIASDOMAIN FOR WEBSITE pointing smtp, imap and pop3 to the website mail.somedomain.com
after this you will have all subdomains (mail, smtp, imap, pop3) with Let's Encrypt issued.
I suggest this because most MUAs will guess the server host... and then you will get, for example, imap.somedomain.com and smtp.somedomain.com with an SSL error.
Forcing users to use one mail.somedomain.com is OK, but in real life it's better to create simple solutions.
Great guide. Thank you.
Hi,
if I check the line I added to incrontab after I saved it, it's not the same anymore:
"/etc/letsencrypt/archive/$(hostname IN_ALL_EVENTS IN_MODIFY ./etc/init.d/le_ispc_pem.sh"
incrontab seems to cut it after "hostname" and adds an "IN_ALL_EVENTS". Why?
Hi,
Will this be broken in case of updating to ISPConfig v3.1.13p1 with ispconfig_update.sh?
Hi, I have a problem defining the virtual host... I'll try to explain.
I access ispconfig https://www.example.com:8080
I define the site www.example.com in ispconfig
When I put www.example.com in the browser, appears roundcube page instead of landing ispconfig page.
I don't know where to look for.
thanks.
Impressed. Worked in one go. As opposed to Froxlor. Where I ended up not using Froxlor at all and editing all conf's manually and using certbot-auto for LE... +1 for ISPConfig.
For me, the best admin panel start ever ;-) Thanks!
This works even better over a free Cloudflare setup activating their full encryption, but NOT immediately. It takes 24 hours for everything to accept the new certificate on port 8080 and give a secure connection. After that ...great!
If you create a subdomain with port 8080 will it work??? Without all this hazEl
Hello!
I made a quick script to automate all console manipulations: https://github.com/Hostibox/ISPConfig-Let-s-Encrypt-Securing
Hope that this will help some people.
???? :-(
"Check if your server site is ready and accessible online.... (Check)
as Let's Encrypt needs to verify your website is accessible before issuing SSL key, certificate and chain file for your server site.
You also have to create its DNS zone and allow it to properly propagate as Let's Encrypt needs to verify it too. (WHAT???)
So seeing as this is an how to please give instructions
How do I know if LE SSL is already working or not? you don't explain enough!
Open the URL of the website with https in the browser, then you know if it's working.
https://my.server.domain - OK
https://my.server.domain:8080 - on site: "Possible attack detected. This action has been logged."
:(
This means that you probably run other software on the same http port / domain which has sent a cookie that contains data which has been detected as an attack against ISPConfig. You can switch off the IDS system in /usr/local/ispconfig/security/security_settings.ini when you have such a system setup.
Hello everyone
I just created a script that allows you to create the ssl certificate automatically although I remind you that you must first create the domain and it will be pointing to the ip address of the ispconfig if it does not work. If you are interested here I leave it
The only thing you have to do is enter the last line on the terminal screen.
/etc/letsencrypt/archive/$(hostname 0 IN_MODIFY ./etc/init.d/le_ispc_pem.sh
You can modify it to your liking since I adapted it for ISPConfig in Debian 9.4 with Apache without Monit and with Multi PHP but it is valid for other systems.
#!/bin/bash
hostname -f
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
service postfix restart
service dovecot restart
cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
chmod 600 pure-ftpd.pem
service pure-ftpd-mysql restart
apt install -y incron
cd /etc/init.d
wget https://novaitts.com/public/scripts/le_ispc_pem.sh
cd
chmod +x /etc/init.d/le_ispc_pem.sh
echo "root" >> /etc/incron.allow
incrontab -e
service apache2 restart
Why not use certbot hook and create manually the certificate from CLI like this:
certbot-auto certonly --webroot -w /usr/local/ispconfig/interface/acme/ -d server.example.com --post-hook /etc/init.d/le_ispc_pem.sh
After implementing this, I am unable to connect FTP over TLS to the server (I can still connect on normal mode). I get the error: GnuTLS error -110 in gnutls_record_recv: The TLS connection was non-properly terminated. What went wrong?
Hi, so after doing this tutorial I noticed I had to un-check my "Require SSL to send email" in my windows 10 mail program to send mail, before it worked fine. I do notice that it works fine from my iphone with SSL checked. Did I miss a step or do I need to do something? Below is a log that I notice when I try to send mail with windows mail and SSL checked.
Thanks for any help =)
Jan 16 19:38:01 server postfix/smtpd[6332]: lost connection after STARTTLS from unknown[192.***.*.***]
Jan 16 19:38:01 server postfix/smtpd[6332]: disconnect from unknown[192.***.*.***] ehlo=1 starttls=1 commands=2
Jan 16 19:38:01 server postfix/smtpd[6332]: connect from unknown[192.***.*.***]
Jan 16 19:38:01 server postfix/smtpd[6332]: SSL_accept error from unknown[192.***.*.***]: -1
Jan 16 19:38:01 server postfix/smtpd[6332]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1655:
Jan 16 19:38:01 server postfix/smtpd[6332]: lost connection after STARTTLS from unknown[192.***.*.***]
Jan 16 19:38:01 server postfix/smtpd[6332]: disconnect from unknown[192.***.*.***] ehlo=1 starttls=0/1 commands=1/2
Jan 16 19:38:01 server postfix/submission/smtpd[19600]: connect from unknown[192.***.*.***]
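The log above shows the pattern to look for when one client stops sending after a certificate change: Postfix logs "SSL_accept error from host[ip]" and, on the next line from the same smtpd process, the OpenSSL reason ("version too low", i.e. the client offered a TLS version the server no longer accepts). The script below is an added example (not from the tutorial or the comment) that pairs those two lines by process id and summarises failures per client and reason, so the affected clients can be identified before anyone is tempted to relax smtpd_tls_protocols for everyone. The sample log is constructed in the shape of the post, with documentation addresses in place of the masked ones.

```shell
#!/bin/sh
# Added example (not from the tutorial or any commenter): summarise Postfix TLS
# handshake failures per client from a mail log.

# tls_handshake_failures LOGFILE -> lines of "<count> <client ip> <reason>", most frequent first
tls_handshake_failures() {
    awk '
        match($0, /postfix\/[a-z\/]*smtpd\[[0-9]+\]/) {
            proc = substr($0, RSTART, RLENGTH)   # e.g. postfix/smtpd[6332]
        }
        /SSL_accept error from / {
            ip = $0
            sub(/.*SSL_accept error from [^[]*\[/, "", ip)
            sub(/\].*/, "", ip)
            client[proc] = ip                    # remember who failed in this process
        }
        /TLS library problem:/ && (proc in client) {
            reason = $0
            sub(/.*SSL routines:[^:]*:/, "", reason)   # drop the routine name
            sub(/:.*/, "", reason)                     # keep the human-readable cause
            count[client[proc] " " reason]++
            delete client[proc]
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# write_sample_log FILE -> constructed log lines in the shape of the post above
# (documentation addresses, not real traffic)
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 16 19:38:01 server postfix/smtpd[6332]: connect from unknown[192.0.2.10]
Jan 16 19:38:01 server postfix/smtpd[6332]: SSL_accept error from unknown[192.0.2.10]: -1
Jan 16 19:38:01 server postfix/smtpd[6332]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1655:
Jan 16 19:38:01 server postfix/smtpd[6332]: lost connection after STARTTLS from unknown[192.0.2.10]
Jan 16 19:38:02 server postfix/smtpd[6332]: SSL_accept error from unknown[192.0.2.10]: -1
Jan 16 19:38:02 server postfix/smtpd[6332]: warning: TLS library problem: error:1420918C:SSL routines:tls_early_post_process_client_hello:version too low:../ssl/statem/statem_srvr.c:1655:
Jan 16 19:38:05 server postfix/submission/smtpd[19600]: SSL_accept error from unknown[203.0.113.9]: -1
Jan 16 19:38:05 server postfix/submission/smtpd[19600]: warning: TLS library problem: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate:../ssl/record/rec_layer_s3.c:1544:SSL alert number 42
Jan 16 19:40:00 server postfix/smtpd[6400]: Anonymous TLS connection established from mail.example.org[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
EOF
}

# Demo on the constructed log
log=$(mktemp)
write_sample_log "$log"
tls_handshake_failures "$log"
rm -f "$log"
```

On a live system run `tls_handshake_failures /var/log/mail.log`; a single address with many "version too low" entries points at one outdated client to update, while many distinct addresses point at a server-side protocol setting worth reviewing.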
Hello thanx for the tutorial.
I am still quite a beginner in linux but never the less i got ispconfig working.
After I did everything I installed from this tutorial I can't restart apache. Output of service apache2 status:
systemd[1]: Starting The Apache HTTP Server...
apachectl[5771]: AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
apachectl[5771]: AH00526: Syntax error on line 63 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
apachectl[5771]: SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
apachectl[5771]: Action 'start' failed.
apachectl[5771]: The Apache error log may have more information.
systemd[1]: apache2.service: Control process exited, code=exited status=1
systemd[1]: apache2.service: Failed with result 'exit-code'.
systemd[1]: Failed to start The Apache HTTP Server.
I just can't figure out what I did wrong, can anyone help me out a bit?
Gr Kees
"If you haven't enabled SSL during ISPConfig setup i.e. for its control panel at port 8080, enable it by typing ispconfig_update.sh in the terminal and select yes for SSL"
And the result is: "There are no updates available for ISPConfig 3.1.15p3"
does not work. Please don't try, your server will crash. I did the step by step twice, same mistake in both. Although I still haven't solved my problem with ssl, I just want to warn people that these commands generate errors, and headaches.
Works perfectly, I used it just a few days ago. The commands are fine. When they don't work for you, then you made a mistake. E.g. you missed creating a website for the server hostname.
Thank you for this tutorial. Works perfectly for me.
Followed the steps from the tutorial "The Perfect Server - Debian 10 (Buster) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.2" and am now trying to secure the installation with the certificates, but I get stuck at the step "Changing ISPConfig 3 Control Panel (Port 8080)". My installation does not have an /etc/letsencrypt folder, which I guess is ok due to the fact that ISPConfig now uses acme, right?
How should the command be in the step "Changing ISPConfig 3 Control Panel (Port 8080)" when using acme as described in the setup of the server?
Do not use this guide at all, it is not compatible with any recent ISPConfig version (as mentioned at the beginning of the guide). ISPConfig creates the LE cert now automatically by itself. So do not follow this guide if you are using ISPConfig 3.2 or newer as you will break your server otherwise. An LE cert is generated automatically at ISPConfig install now; if that did not happen on your system due to a wrong hostname setup, then see the Let's Encrypt FAQ in the forum on how to fix the DNS setup before you attempt to recreate a new SSL cert by using the ISPConfig updater.
How can't you not even tell that this is for Nginx in the beginning lol.
wow
The guide can not be used with any recent ISPConfig version anyway, see the description at the beginning: "IMPORTANT: This guide is not compatible with ISPConfig 3.2 and newer as ISPConfig 3.2 and newer versions have Let's encrypt for all services builtin. The Let's encrypt SSL cert gets configured automatically during installation, so there is no need to configure Let's encrypt for any service manually anymore." So don't use it if you use a recent ISPConfig version; this feature has been built into ISPConfig for quite some time now and the builtin feature is compatible with nginx and Apache.
anyone looking for the lets encrypt folder in etc.. just use the ssl dir associated with the zone/site instead.
i.e.: "ln -s /var/www/clients/client0/web7/ssl/host1.domain.co.nz-le.key ispserver.key "
in the /usr/local/ispconfig/interface/ssl dir instead of /etc/letsencrypt dir
This was on ubuntu 20 lts
If someone has a problem with the certificate in the root chain and wants to permanently fix the issue read this post on forum: https://www.howtoforge.com/community/threads/lets-encrypt-and-expired-dst-root-ca-x3.87770/reply?quote=433865
Hello after this Changing ISPConfig 3 Control Panel (Port 8080) my web server is down :(
sudo apachectl configtest
AH00526: Syntax error on line 22 of /etc/apache2/sites-enabled/000-apps.vhost:
SSLCertificateFile: file '/usr/local/ispconfig/interface/ssl/ispserver.crt' does not exist or is empty
Action 'configtest' failed.
The Apache error log may have more information.
Please, how to fix this
Incron has been deprecated and I have found a solution as a workaround using systemd.path
next to the script le_ispc_pem.sh you have to create 2 files
create a file: /etc/systemd/system/le-update.path
[Path]
# systemd does not expand $(hostname -f); write out the directory name that hostname -f prints
# (server.example.com is a placeholder here)
PathModified=/etc/letsencrypt/archive/server.example.com/
[Install]
WantedBy=multi-user.target
========
create a file: /etc/systemd/system/le-update.service
[Unit]
Description=Auto Renewal Script For Your ISPConfig Pem File (ispserver.pem)
After=network.target
[Service]
Type=oneshot
ExecStart=/etc/init.d/le_ispc_pem.sh
======
systemctl enable le-update.path
systemctl start le-update.path
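Because systemd does not run a shell over unit files, the "$(hostname -f)" in the path unit above has to be resolved at the time the files are written. The script below is an added example (not the commenter's units and not from the tutorial): it renders both units into a directory of your choice with the hostname already substituted, refuses names that still contain a "$" or a space, and prints the directory that will be watched so it can be checked before enabling. It assumes the hook script path from the tutorial, /etc/init.d/le_ispc_pem.sh, and the archive root /etc/letsencrypt/archive; both can be overridden. The demo writes into a scratch directory, and in production the first argument would be /etc/systemd/system and the second "$(hostname -f)".

```shell
#!/bin/sh
# Added example (not from the tutorial or any commenter): render the le-update
# path/service pair with the real hostname written in, since systemd does not
# expand "$(hostname -f)" inside a unit file.

# render_le_units OUT_DIR HOSTNAME [ARCHIVE_ROOT] [HOOK] -> writes le-update.path and
# le-update.service into OUT_DIR and prints the watched directory
render_le_units() {
    out=$1; host=$2
    root=${3:-/etc/letsencrypt/archive}
    hook=${4:-/etc/init.d/le_ispc_pem.sh}
    case $host in
        ''|*'$'*|*' '*) echo "refusing to render: hostname '$host' is empty or not a plain name" >&2; return 1 ;;
    esac
    watch="$root/$host/"
    cat > "$out/le-update.path" <<EOF
[Path]
PathModified=$watch
Unit=le-update.service

[Install]
WantedBy=multi-user.target
EOF
    cat > "$out/le-update.service" <<EOF
[Unit]
Description=Rebuild ispserver.pem after a Let's Encrypt renewal
After=network.target

[Service]
Type=oneshot
ExecStart=$hook
EOF
    echo "$watch"
}

# watched_dir UNIT_FILE -> the PathModified= value, for checking what was written
watched_dir() {
    sed -n 's/^PathModified=//p' "$1"
}

# Demo into a scratch directory with a constructed hostname
demo=$(mktemp -d)
render_le_units "$demo" server.example.com
cat "$demo/le-update.path"
rm -rf "$demo"
```

After rendering into /etc/systemd/system, `systemctl daemon-reload` followed by the enable/start commands above activates the watch; `systemctl status le-update.path` then shows the resolved directory rather than a literal "$(hostname -f)".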
Thank you for this addition, but as mentioned at the top of the guide, this whole guide is deprecated and should not be used anymore as this functionality is built into ISPConfig now, and using this tutorial might cause you issues with ISPConfig and LE cert updates later. There is no need to set up incron or systemd for using LE certs with ISPConfig 3.2.
Hi Till,
If this was previously set up, can one simply abandon this (removing the incron / systemd parts, of course) and leave the rest in place? Or must something else be done?