Old 10th April 2009, 04:54
gwa7

How to Install a Comodo InstantSSL Certificate for ISPconfig Apache, Postfix, Imap & Pop on an Ubuntu Server

Generating and Obtaining the Certificate
1. You must generate a Certificate Signing Request (CSR) on your webserver. You did this when you installed ISPConfig, but it's probably a good idea to do it again so that you can make sure everything is entered correctly. Follow these directions to re-generate the ISPconfig certificate: http://www.howtoforge.org/faq/14_63_en.html

Important: When you are re-generating your certificate, please ensure that the Common Name (CN) you use is ONE of the following:
  • your Fully Qualified Domain Name (e.g. "secure.yourdomain.com")
  • the Full Server Name of your internal server (e.g. "techserver")
  • your Private IP address (e.g. "192.168.0.1")

The common name is what people will use to access your server. For example: if your common name is mail.myserver.com then you will access ISPconfig with the following link: https://mail.myserver.com:81/
In your email application you will also use mail.myserver.com for incoming and outgoing server.

2. Your CSR is located here: /root/ispconfig/httpd/conf/ssl.csr/server.csr
Copy the text in this file. You will need to paste the text into the CSR box when purchasing your certificate.

3. Go to http://www.instantssl.com/ and purchase a certificate or get the free trial. During the certificate sign up process, choose Apache-ModSSL where it asks for the server software used to generate the CSR. You must use exactly the same Common Name (CN) as you used above when generating your CSR.

4. Finish the certificate sign up process. Once you are approved, you may download your certificate files.
-------------------------------------------------------------------------------------
ISPconfig Apache Certificate Installation
1. On your web server go to this directory:
/root/ispconfig/httpd/conf/ssl.crt
and make a backup copy of server.crt. Rename the purchased certificate (example: mail_myserver_com.crt) to server.crt and save it into the above directory, replacing the existing server.crt.

Warning: always make a backup copy of any file you change or replace in this How-to. If you don't get something right, your ISPconfig will not start and you will need to undo all changes by using your backup copies.

2. Copy the ca-bundle file to this directory:
/root/ispconfig/httpd/conf/ssl.crt

3. Edit the file /root/ispconfig/httpd/conf/httpd.conf
and add this line:
SSLCertificateChainFile /root/ispconfig/httpd/conf/ssl.crt/mail_myserver_com.ca-bundle
Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file.

4. Restart ispconfig:
/etc/init.d/ispconfig_server restart

5. Now you should not get any errors when you access your site. Example: https://mail.myserver.com:81/

6. If ispconfig does not restart and you cannot figure out why, use your backup files to replace the files you changed and try to restart ispconfig again.
--------------------------------------------------------------------------------------
Postfix Certificate Installation
1. Make a backup copy of cacert.pem, smtpd.crt, smtpd.key in /etc/postfix/ssl
Save the bundle file (*.ca-bundle) as cacert.pem in the above directory, replacing the existing file.

2. Save a copy of your server.crt file as /etc/postfix/ssl/smtpd.crt

3. Save a copy of your server.key file as /etc/postfix/ssl/smtpd.key

4. Make sure these lines are in /etc/postfix/main.cf
smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

5. Restart postfix: /etc/init.d/postfix restart
--------------------------------------------------------------------------------------
Courier Imap/Pop Certificate Installation

1. Navigate to /etc/courier/ and make backup copies of imapd.pem and pop3d.pem.

2. Copy server.crt (/root/ispconfig/httpd/conf/ssl.crt/server.crt) into a new file. Copy server.key (/root/ispconfig/httpd/conf/ssl.key/server.key) into the same file and save this file as /etc/courier/imapd.pem, replacing the file that is there.
The file should look something like this:
-----BEGIN CERTIFICATE-----
..................
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
..................
-----END RSA PRIVATE KEY-----
Ensure that there are NO blank lines between the certificate and key.

3. Copy your ca-bundle file to /etc/courier

4. Make sure these lines are in /etc/courier/imapd-ssl
TLS_CERTFILE=/etc/courier/imapd.pem
TLS_TRUSTCERTS=/etc/courier/mail_myserver_com.ca-bundle
Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file.

5. Restart imap-ssl:
/etc/init.d/courier-imap-ssl restart

6. Make a copy of imapd.pem and save it as pop3d.pem

7. Make sure these lines are in /etc/courier/pop3d-ssl
TLS_CERTFILE=/etc/courier/pop3d.pem
TLS_TRUSTCERTS=/etc/courier/mail_myserver_com.ca-bundle
Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file.

8. Restart pop3d-ssl:
/etc/init.d/courier-pop-ssl restart

Congratulations, you are finished. Hope this helps someone. Please comment if you can make these directions better.
-------------------------------------------------------------------------------------
Ownership and permissions on the certificate files are important:
-r--r----- 1 root root 1230 Jun 7 18:24 mail_myserver_com.ca-bundle
-r--r----- 1 root root 2030 Jun 7 19:29 server.key
--------------------------------------------------------------------------------------
sources:
https://support.comodo.com/index.php...barticleid=264

http://www.instantssl.com/ssl-certif...rier-imap.html

http://www.instantssl.com/ssl-certif...e/postfix.html

http://www.howtoforge.com/forums/sho...al+certificate
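
The Courier step in the post above (certificate followed by key in one file, no blank lines) and its note on file permissions can be checked mechanically before restarting anything. This is an added example, not part of the original post: the function names are hypothetical, the demo files are constructed placeholders, the 0600 mode is this example's choice, and the last two helpers assume the `openssl` CLI is installed.

```shell
#!/bin/sh
# Added example; function names are hypothetical, demo files are constructed.

# pem_layout_ok FILE: exactly one certificate block, then one private-key
# block, with no blank lines and no text outside the blocks.
pem_layout_ok() {
    awk '
        { sub(/\r$/, "") }
        /^[ \t]*$/                             { bad = 1; next }
        /^-----BEGIN CERTIFICATE-----$/        { if (state != 0) bad = 1; state = 1; next }
        /^-----END CERTIFICATE-----$/          { if (state != 1) bad = 1; state = 2; next }
        /^-----BEGIN (RSA )?PRIVATE KEY-----$/ { if (state != 2) bad = 1; state = 3; next }
        /^-----END (RSA )?PRIVATE KEY-----$/   { if (state != 3) bad = 1; state = 4; next }
        state != 1 && state != 3               { bad = 1 }
        END { if (bad || state != 4) exit 1 }
    ' "$1"
}

# build_courier_pem CERT KEY OUT: write CERT then KEY to OUT without blank
# lines or CRs, owner-only (0600); OUT is replaced only if the layout is valid.
build_courier_pem() {
    tmp="$3.new.$$"
    ( umask 077
      { cat "$1"; echo; cat "$2"; } | tr -d '\r' | grep -v '^[[:space:]]*$' > "$tmp"
    ) || { rm -f "$tmp"; return 1; }
    if pem_layout_ok "$tmp"; then mv -f "$tmp" "$3"; else rm -f "$tmp"; return 1; fi
}

# cert_matches_key CERT KEY: the certificate's public key must equal the one
# derived from the private key (catches a key left over from an older CSR).
cert_matches_key() {
    a=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    b=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# chain_verifies BUNDLE CERT: the certificate must verify against the ca-bundle.
chain_verifies() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; }

# Demo on constructed placeholder files (not real key material).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' '' > "$d/server.crt"
    printf '%s\r\n' '-----BEGIN RSA PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$d/server.key"
    build_courier_pem "$d/server.crt" "$d/server.key" "$d/imapd.pem" && wc -l < "$d/imapd.pem"
    rc=$?; rm -rf "$d"; return $rc
}
demo
```

On a real server, run `cert_matches_key` and `chain_verifies` against server.crt, server.key and the ca-bundle first, then `build_courier_pem` with /etc/courier/imapd.pem as the output.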
Old 30th September 2009, 18:08
cdaters
ISPConfig website and SSL Cert install

Okay, so this article was helpful. My cert is installed and I can get into the ISPConfig admin GUI okay with the EV SSL encryption.

However, I did NOT use ISPConfig's built-in SSL cert generation/install for ISPConfig managed websites to create the CSR to send to COMODO. Instead, I followed COMODO's instructions for generating the CSR for my EV SSL certificate from the command line. The EV SSL that I installed per the instructions in this article is working fine with the ISPConfig admin GUI, but it is not working for the site that I had configured inside of ISPConfig. How can I install this cert to work with my ISPConfig created website?

My main server FQDN is www.fullcolorenv.com, the site that I set-up/configured in ISPConfig is also www.fullcolorenv.com. Not sure if this is important, but there it is.

I attempted to install the COMODO provided crt and server generated key and csr files into my ISPConfig configured web account's 'ssl' directory, but after I do this and restart ISPConfig, when I attempt to go to https://www.fullcolorenv.com, I am getting messages that the site is not trusted because the certificate appears to be self signed. I notice that there is a key.org file in that directory too, what is this file? I tried installing the ca-bundle that I received from COMODO in my site's ssl folder as the key.org file, but that didn't do anything either.

I have gone into the Vhost config file found in /etc/apache2/vhosts and made sure that the ssl directives are pointing to the appropriate files, I added the SSLCACertificateFile directive and pointed it to the ca-bundle that I copied into my site's ssl directory. Still, I get the "untrusted" message.

I then just outright pointed those directives to where I installed the certificate using the instructions in the post above, and this time I can see a page, but there is an alert message that some items on the page are not encrypted. So I feel that I am close, but I want the site as ISPConfig created it, to work like ISPConfig expects it to....

Last edited by cdaters; 30th September 2009 at 23:29.