Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL - Page 2

Want to support HowtoForge? Become a subscriber!
 
Submitted by falko (Contact Author) (Forums) on Tue, 2012-01-17 17:55. ::

4 ISPConfig Interface (Apache2)

If you use ISPConfig 3 with Apache, open /etc/apache2/sites-available/ispconfig.vhost...

vi /etc/apache2/sites-available/ispconfig.vhost

... and add the line SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt to the # SSL Configuration section (please be aware that you have to re-add that line whenever you update ISPConfig!):

[...]
  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  ## must be re-added after an ISPConfig update!!!
  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
[...]

(Adjust this if you use a Class2 certificate.)

Restart Apache afterwards:

/etc/init.d/apache2 restart

 

5 ISPConfig Interface (nginx)

On nginx, all you have to do is append the intermediate certificate to the ispserver.crt file (please adjust this if you use a Class2 certificate)...

cat /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt >> /usr/local/ispconfig/interface/ssl/ispserver.crt

... and reload nginx:

/etc/init.d/nginx reload

 

6 Postfix

For Postfix, we make backups of /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key and create symlinks to /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key:

cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

Next we add the smtpd_tls_CAfile directive to /etc/postfix/main.cf...

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'

(Please adjust this if you use a Class2 certificate.)

... and restart Postfix:

/etc/init.d/postfix restart

 

7 Dovecot

Open /etc/dovecot/dovecot.conf...

vi /etc/dovecot/dovecot.conf

... and add the line ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt (please be aware that you have to re-add that line whenever you update ISPConfig!):

[...]
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]

(Adjust this if you use a Class2 certificate.)

Restart Dovecot afterwards:

/etc/init.d/dovecot restart

 

8 Courier

Create backups of /etc/courier/imapd.pem and /etc/courier/pop3d.pem...

mv /etc/courier/imapd.pem /etc/courier/imapd.pem.bak
mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.bak

... and then symlink them to /usr/local/ispconfig/interface/ssl/ispserver.pem:

ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/courier/imapd.pem
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/courier/pop3d.pem

Restart Courier afterwards:

/etc/init.d/courier-imap-ssl stop
/etc/init.d/courier-imap-ssl start
/etc/init.d/courier-pop-ssl stop
/etc/init.d/courier-pop-ssl start

 

9 PureFTPd

Create a backup of /etc/ssl/private/pure-ftpd.pem...

cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem_bak

... and create a symlink to /usr/local/ispconfig/interface/ssl/ispserver.pem:

ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem

Restart PureFTPd afterwards:

/etc/init.d/pure-ftpd-mysql restart

 

10 Monit

Monit is not part of the "Perfect Server" setups for ISPConfig 3, but if you have it installed and use its web interface over https, here's how you can use the StartSSL certificate so that the certificate warnings go away.

Open /etc/monit/monitrc...

vi /etc/monit/monitrc

... and specify /usr/local/ispconfig/interface/ssl/ispserver.pem in the PEMFILE line, e.g. as follows:

[...]
set httpd port 2812 and
     SSL ENABLE
     PEMFILE /usr/local/ispconfig/interface/ssl/ispserver.pem
     allow admin:secret
[...]

Restart monit afterwards:

/etc/init.d/monit restart

 

11 Links

 

About The Author

Falko Timme is the owner of Boost Your Site mit Timme Hosting - ultra-schnelles nginx-WebhostingTimme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".

up

Copyright © 2012 Falko Timme
All Rights Reserved.
add comment | view as pdf view as pdf | print: this | all page(s)
Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
little mistake
Submitted by matpen (registered user) on Thu, 2012-01-26 10:51.

While installing the certificate into postfix the line

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'

 should read

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt'

 otherwise postfix will complain about the missing file and automatically disable TLS.

 Otherwise great post, very helpful!

reply | view as pdf view as pdf
Re: little mistake
Submitted by geonick (not registered) on Wed, 2012-04-04 12:03.
I haven't tried using the postfix part of the guide yet but in the directory /usr/local/ispconfig/interface/ssl/ there seem to be both startssl.chain.class1.server.crt as well as startssl.sub.class1.server.ca.crt. Any arguments on why postconf will complain about missing files?  It's been a while since the post and the guide has not been updated... Is there or is there not a mistake with the crt file?
reply | view as pdf view as pdf
Re: little mistake
Submitted by Ovidiu (registered user) on Tue, 2012-01-31 15:37.

I corrected this msitake and still postfix is complaining about TLS probs :-( 

anything else wrong with this tutorial?

 help!

 

reply | view as pdf view as pdf