ISPConfig 3.2.1 | SSL | New installation

Discussion in 'Installation/Configuration' started by 30uke, Dec 17, 2020.

  1. 30uke

    30uke Member HowtoForge Supporter

    Hello,

    I did install Debian 10 + ISPConfig 3.2.1 on a new VM. Everything works fine - but I couldn't figure out why SSL is not working for port 8080 (ISPConfig).

    The URL for ISPConfig is: https://vps2.domain.com:8080
    I have added a site https://vps2.domain.com and Let's encrypt SSL works fine.

    In the past I could simply ln (symlink) a certificate and that works fine. I did notice that certificates are now under /root/.acme.sh. I am not sure how to go ahead. Couldn't find something in the manual (it's 3.1 based). I am a bit confused when I look at the other posts (please note: I do run ISPConfig and a site on the same domain).

    I am hoping someone can help me into the right direction. Thank you.
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  3. 30uke

    30uke Member HowtoForge Supporter

    Hi Tom,
    I am confused now... Sorry. I am using the LE4ISPC script on my other server. I was under the impression that the LE4ISPC script was not required anymore and that this would automatically work with ISPConfig 3.2.1. Might be that I do misunderstand this?
    The renewal script does not work for me. And the LE4ISPC script doesn't work either as it can't find certbot.
    I might want to install certbot? But I did notice the following line in crontab:
    54 0 * * * "/root/.acme.sh"/acme.sh --cron --home "/root/.acme.sh" > /dev/null
    Looking at this: I don't know what to expect and what is best practice for ISPConfig 3.2.1 at this stage.
    I did follow this tutorial for Debian 10 and ISPConfig 3.2.1:
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
    Thank you.
     
    Last edited: Dec 17, 2020
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    The 3.2.1 installer will offer to request a letsencrypt certificate for the server's hostname (hostname -f) if the cert files/symlinks in /usr/local/ispconfig/interface/ssl/ do not exist. If that fails it can fall back to generating a self-signed certificate. If that suits your needs, you could remove those files/symlinks, cleanup LE4ISPC and any cronjobs/etc. which support it, and run the ispconfig installer again, and answer yes to generating a certificate.
     
  5. 30uke

    30uke Member HowtoForge Supporter

    EDIT: I did just try running LE4ISPC after installing certbot [apt install certbot] and it works.
    At the first run of le4ispc.sh I had to set my e-mail address, agree with the Terms of Service and answer some y/n questions. So, this resolved my issue. Please be aware of this.
    I am still not sure what's the best practice as the documentation manual is not updated (it's still 3.1).
    I will leave my initial question below this line.

    EDIT: This has been resolved - please read the info ^^ above this line ^^
    Thanks Jesse... still confused. Do you know if LE4ISPC works after installing certbot? And doesn't it interfere with /root/.acme.sh? I did also read about an issue with this on the newest Debian version: https://github.com/ahrasis/LE4ISPC/issues/12
     
    Last edited: Dec 17, 2020
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You should use either acme.sh OR certbot. acme.sh is installed by default in 3.2 and above. Not sure if LE4ISPC works with acme.sh. I use the tutorial I shared earlier. When using acme.sh, you will need to change some paths. You can also use the built-in script in the updater of course.
     
  7. 30uke

    30uke Member HowtoForge Supporter

    Last edited: Dec 17, 2020
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    LE4ISPC still works in most cases, but as its writer I personally advise not to use it on servers that use ISPConfig 3.2 and above, mainly because in recreating ispserver.pem, incron might fail sometimes, while the hook's chances of success are much higher.

    I am supposed to rewrite the LE4ISPC script for the better, including removing the old incron approach, but I have kind of become lazier lately, maybe due to pandemic LazyVirus20. ;-P
     
  9. 30uke

    30uke Member HowtoForge Supporter

    Thanks ahrasis. A new and compatible LE4ISPC script would be great as LE4ISPC is very convenient :)
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    The functionality is now built into the ISPConfig installer, there is no separate script needed anymore since ISPConfig 3.2.
     
  11. 30uke

    30uke Member HowtoForge Supporter

    I did notice the creation of a certificate for ISPConfig during install / update. Does this also work for the services?
    I am looking for some more information about this. The manual was still on version 3.1 when I last checked.
    Thanks for all the effort and help :)
     
  12. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    The script will ask whether you want to set up that same cert for Postfix, Dovecot, and Pure-FTPd.

    The manual is outdated. It is not really maintainable so we want to introduce a new system, but I don't know when that will be done :)
     
  13. 30uke

    30uke Member HowtoForge Supporter

    Thanks Th0m. I guess I just want to disable LE4ISPC and next run the update script to reconfigure ISPConfig.
    Looking at the release notes I have to run "php -q update.php" and not "ispconfig_update.sh", right?
    https://www.ispconfig.org/blog/ispconfig-3-2-released/
    Thanks.
     
  14. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can download it and run that, but
    Code:
    ispconfig_update.sh
    works fine. Select stable to upgrade to the latest stable version.
     
  15. 30uke

    30uke Member HowtoForge Supporter

    Edit: it works with the "--force" parameter.
     
  16. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    That means you already have 3.2.1. To run the update script anyways, use
    Code:
    ispconfig_update.sh --force
     
  17. 30uke

    30uke Member HowtoForge Supporter

    It's all working now. Thank you.
    I had to "turn it off and on again"... as incron was borking. I did comment out the line(s) for LE4ISPC. After running the update script I got 400% CPU load... whoops. I did completely remove and purge incrontab. It's a bit spooky when something like that happens.
     
  18. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Manual removal of LE4ISPC incron settings and existing LE SSL certs for the server, then running the ISPConfig update on the server with the SSL request, should be the right way.

    However, I think if you don't remove the existing LE SSL certs before the said update, you may find that certbot may not add the latest hook in the renewal file, since if I remember correctly it is not coded to do that automatically.

    Please do check your server LE certs renewal conf file just to confirm what I said above if you didn't remove the existing certs before proceeding with re-securing the server before the update.
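
The checks discussed in this thread (which ACME client backs the panel certificate, and whether a certbot renewal conf carries a hook) can be scripted; the following is an added example, not code from the thread, ISPConfig or LE4ISPC. It assumes the file names ispserver.crt and ispserver.key next to ispserver.pem, certbot's default /etc/letsencrypt/renewal directory, and certbot's pre_hook/post_hook/renew_hook keys, none of which are stated on this page.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: ispserver.crt/.key,
# /etc/letsencrypt/renewal, and certbot's pre_hook/post_hook/renew_hook keys.

# Print where a cert file or symlink resolves: missing|acme.sh|certbot|other
cert_source() {
    [ -e "$1" ] || [ -L "$1" ] || { echo missing; return 0; }
    target=$(readlink -f "$1" 2>/dev/null || echo "$1")
    case $target in
        */.acme.sh/*)    echo acme.sh ;;
        */letsencrypt/*) echo certbot ;;
        *)               echo other ;;
    esac
}

# Print hook lines from [renewalparams] of a certbot renewal conf.
# Exit status 1 when the section sets no hook.
renewal_hooks() {
    awk '
        /^\[/ { in_params = ($0 == "[renewalparams]"); next }
        in_params && /^(pre_hook|post_hook|renew_hook)[ \t]*=/ { print; found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# Report the source of each panel cert file and the hooks of each renewal conf.
audit() {
    ssl_dir=${1:-/usr/local/ispconfig/interface/ssl}
    renewal_dir=${2:-/etc/letsencrypt/renewal}
    for name in ispserver.crt ispserver.key ispserver.pem; do
        printf '%s: %s\n' "$name" "$(cert_source "$ssl_dir/$name")"
    done
    for conf in "$renewal_dir"/*.conf; do
        [ -f "$conf" ] || continue
        if hooks=$(renewal_hooks "$conf"); then
            printf '%s: %s\n' "$conf" "$hooks"
        else
            printf '%s: no hook set\n' "$conf"
        fi
    done
}

audit "$@"
```

A mix of "acme.sh" and "certbot" results for the panel files, or a renewal conf reported as "no hook set", points at the leftover-configuration cases described in the posts above.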
     
