Comments on Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL
Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL

This tutorial shows how you can use a free Class1 SSL Certificate from StartSSL to secure your ISPConfig 3 installation and get rid of self-signed certificate warnings. The guide covers using the SSL certificate for the ISPConfig web interface (both Apache2 and nginx), Postfix (for TLS connections), Courier and Dovecot (for POP3s and IMAPs), and PureFTPd (for TLS/FTPES connections). If you've installed monit and use HTTPS for its web interface, I will show you how to use the StartSSL certificate for it as well. This guide assumes you use Debian or Ubuntu; the principle is the same for other distributions supported by ISPConfig 3, but paths might differ.
Comments
Well, it is a useful tutorial.... and will be helpful for many others.
Just great!
Thank you so much for this, was one of these points I just was not able to look through until now.
I am just wondering if you don't have to CHMOD 750 the ispserver.crt file?
Well, this tutorial was quite useful and very informative too........
Thanks for the useful information. It would help a lot.
Really should state that the "Free" cert is really a 30 day cert in exchange for your personal info.
Thank you for requesting a digital certificate with us. However Class 1 certificates are not meant to be used for commercial activities or financial transactions. For this purpose please consider upgrading to Class 2 or higher verification level. Thank you for your understanding.
The only 2 things on these servers were a fresh install of ISPConfig3.
Thanks for this guide! It worked perfectly for Comodo Free SSL as well as my Class 2 SHA2 cert from StartSSL.
But I still have one question:
the certs are now in place and loaded by the browser when going to https://server.mydomain.com:8080 however I am getting a mixed content error and therefore still the crossed out padlock.
Why is that? Do you have any idea?
Thanks in advance!
I am getting an error when trying to restart Postfix:
* Starting Postfix Mail Transport Agent postfix postmulti: fatal: /etc/postfix/main.cf, line 82: missing '=' after attribute name: "postconf -e = 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'"
Any idea?
Very interesting article. Question: if you have a setup like this: server1.example.com (web, ftp), server2.example.com (sql) and server3.example.com (mail), and you only want to have a certificate on server3.example.com, can I still use your tutorial/howto description?
Dec 2015: I couldn't get this guide to work, although it worked perfectly a couple of months ago. The problem was that the server certificate couldn't get validated against the intermediate or root CA.
I found out that the link to http://www.startssl.com/certs/sub.class1.server.ca.pem is not valid anymore, as it returns a file with some text in it, but not a certificate (this might be a temporary error, I don't know).
To find the correct intermediate CA certificate I went to the StartSSL toolbox > StartCom CA Certificate > Intermediate CA certificate > SSL Certificates, and downloaded (1) Class 1 DV SSL certificate > StartCom Class 1 DV Server CA (SHA-2).
https://startssl.com/certs/sca.server1.crt
I re-did most of the guide with this certificate instead (rename to startssl.sub.class1.server.ca.crt for the guide to work as-is), and it worked like a charm for Nginx, Postfix and Dovecot :)
After completing this tutorial, my ISPConfig isn't loading anymore. None of the websites are =(
Then your SSL cert is probably broken, as Apache will not start with a broken SSL cert. Check the SSL cert and ensure that the SSL key and certificate match.
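The reply above suggests checking that the key and certificate match before restarting services. The following script is an added example written for this page (it is not from the tutorial, from ISPConfig or from any commenter): it performs that key/certificate check and also verifies that the certificate chains to the intermediate CA file, which is the failure the Dec 2015 comment above describes. It assumes only the openssl command-line tool; the file names ispserver.crt, ispserver.key and startssl.sub.class1.server.ca.crt are the ones the tutorial uses, and the throwaway PKI built by make_demo_pki is constructed test data, not anything from a real server.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the commenters: sanity-check an
# ISPConfig server certificate before restarting Apache, Postfix, Dovecot or
# pure-ftpd, so a key/certificate mismatch or a wrong intermediate CA file is
# caught in the shell instead of by a service that refuses to start.
# Assumes only the openssl command-line tool; all file names are placeholders.

# Return 0 if the public key inside certificate $1 equals the public key
# derived from private key $2 (works for RSA and EC keys alike).
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Return 0 if certificate $1 chains up to the CA bundle $2 (for StartSSL this is
# the intermediate the tutorial saves as startssl.sub.class1.server.ca.crt).
# The ": OK" text is checked rather than the exit code because old openssl
# versions returned 0 even when verification failed.
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" 2>/dev/null | grep -q ': OK$'
}

# Build a throwaway CA, a CA-signed server certificate and an unrelated key in
# a temporary directory (constructed test data) and print the directory name.
make_demo_pki() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Demo Intermediate CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 || return 1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$d/server.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.crt" >/dev/null 2>&1 || return 1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/other.key" >/dev/null 2>&1 || return 1
    printf '%s\n' "$d"
}

# Usage: sh check-ispserver-cert.sh ispserver.crt ispserver.key startssl.sub.class1.server.ca.crt
if [ $# -eq 3 ]; then
    if cert_matches_key "$1" "$2"; then echo "key matches certificate"; else echo "KEY/CERT MISMATCH"; fi
    if cert_chains_to "$1" "$3"; then echo "chain verifies"; else echo "CHAIN DOES NOT VERIFY"; fi
fi
```

Run it with the three files from /usr/local/ispconfig/interface/ssl before the `/etc/init.d/apache2 restart` step; if either line reports a failure, Apache would have failed to start for the same reason, so fix the files first. Comparing the public keys (rather than the older trick of comparing RSA moduli) keeps the check valid for EC keys too.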
In my case I set up a server we'll call example.org. I followed a Perfect Server Guide and created a self-signed certificate during the setup process. Once the server was up and running I made myself a client and created a site for example.org. I generated a CSR and obtained a StartSSL certificate for example.org. I installed it to the server via the web interface. The certificate installed properly, however when connecting to example.org:8080 it still gave me a self-signed warning.
I backed up the existing files in /usr/local/ispconfig/interface/ssl into a separate folder. I then found the SSL cert files for client1/web1/ssl and copied them to /usr/local/ispconfig/interface/ssl and symlinked:
ispconfig.key.secure -> /usr/local/ispconfig/interface/ssl/example.org.key.org
ispserver.crt -> /usr/local/ispconfig/interface/ssl/example.org.crt
ispserver.csr -> /usr/local/ispconfig/interface/ssl/example.org.csr
ispserver.key -> /usr/local/ispconfig/interface/ssl/example.org.key
Next:
/etc/init.d/apache2 restart
/etc/init.d/postfix restart
/etc/init.d/dovecot restart
/etc/init.d/pure-ftpd-mysql restart
Is this acceptable? I no longer get a self-signed warning when connecting to 8080, but what about the other services? They seem to be OK.
It would be nice if there was a way to install SSL certs for the server from the admin panel as there is for each individual site.
Thanks for this great write-up!
I am getting:
warning: TLS library problem: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol:s23_srvr.c:649:
when trying to issue a STARTTLS command from telnet. Anyone experienced this?
I followed all the steps. When I restart Apache with "/etc/init.d/apache2 restart" it gives me an error:
* Restarting web server apache2 AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:62
Action 'start' failed.
The Apache error log may have more information.
[fail]
* The apache2 instance did not start within 20 seconds. Please read the log files to discover problems
Tried 2 times, the same result. I need to reinstall ISPConfig to reconfigure the services each time.
If someone has any idea I would be really grateful.
Thank you so much for this!
There is an error with smtpd_tls_CAfile, it should be:
postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.ca.crt'
to fix "454 4.7.0 TLS not available due to local problem" and to receive mail!
Cheers
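The Postfix error quoted earlier ("missing '=' after attribute name") and the corrected postconf line above both come down to a malformed line in /etc/postfix/main.cf: the postconf command itself, with the `=` outside the quotes, ended up written into the file as a parameter line. The script below is an added example for this page (not from the tutorial, Postfix or any commenter) that lints main.cf for lines which are not `name = value`, a comment, a blank line or an indented continuation line, using only sh and awk. The sample file written by write_sample_main_cf is constructed test data that reproduces the mistake; the function names and the output wording are my own.

```shell
#!/bin/sh
# Added example, not code from the tutorial or the commenters: a syntax lint
# for Postfix main.cf that reports lines which are not "name = value", a
# comment, a blank line or an indented continuation line. A line such as
#   postconf -e = 'smtpd_tls_CAfile = ...'
# (the postconf command itself written into main.cf, as in the error quoted
# in an earlier comment) is flagged before "postfix restart" refuses to start.
# Assumes only sh and awk; the sample file below is constructed test data.

# Print every malformed line of main.cf $1 (file, line number, line text) and
# return 1 if any was found, 0 if the file is clean.
lint_main_cf() {
    awk '
        /^[ \t]*$/ || /^[ \t]*#/ { next }           # blank line or comment
        /^[ \t]/ { next }                            # continuation of previous value
        /^[A-Za-z0-9_]+[ \t]*=/ { next }             # well-formed "name = value"
        { printf "%s, line %d: missing \047=\047 after attribute name: \"%s\"\n", FILENAME, NR, $0
          bad = 1 }
        END { exit bad }
    ' "$1"
}

# Write a constructed main.cf fragment to a temp file and print its name.
# Line 8 reproduces the mistake from the earlier comment; lines 6-7 show a
# legitimate continuation line that must not be flagged.
write_sample_main_cf() {
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
# constructed sample, not a real server's main.cf
smtpd_use_tls = yes
smtpd_tls_cert_file = /usr/local/ispconfig/interface/ssl/ispserver.crt
smtpd_tls_key_file = /usr/local/ispconfig/interface/ssl/ispserver.key
smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.ca.crt
mynetworks = 127.0.0.0/8
    [::1]/128
postconf -e = 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.ca.crt'
EOF
    printf '%s\n' "$f"
}

# Usage: sh lint-main-cf.sh /etc/postfix/main.cf
if [ $# -eq 1 ]; then
    lint_main_cf "$1" && echo "$1: no malformed lines"
fi
```

On the sample file the lint reports only line 8, the literal `postconf -e = '...'` line; the `postconf -e 'smtpd_tls_CAfile = ...'` form from the comment above writes a proper `smtpd_tls_CAfile = ...` line instead, which the lint accepts. Running the lint after every `postconf -e` edit, and before `postfix restart`, catches this class of typo without taking mail delivery down.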
Hi, thank you for the guide, which I followed a year ago.
After renewing the cert now, I receive an SEC_ERROR_REVOKED_CERTIFICATE in Firefox, but the site is working in IE?
any idea?
Firefox and Google Chrome do not accept SSL certs from StartSSL anymore. You should e.g. replace the cert with one from Let's Encrypt.
After this tutorial, my FTP stopped.
From January 1st, 2018, StartCom will not issue any new end entity certificate and will only provide validation services through its OCSP and CRL services for two years from January 1st, 2018. Starting 2020, all remaining valid certificates will be revoked.
https://www.startcomca.com/index/News/newDetail?date=20171116