Let's Encrypt - @ahrasis LE4ISPC - for HTTPS and IMAP SMTP (mail.CustomerDomain) FTP etc.

Discussion in 'Installation/Configuration' started by HappierTimesAhead, May 1, 2020.

  1. HappierTimesAhead

    HappierTimesAhead New Member

    Hi All,

    What I want to achieve: -
    I would like to secure IMAP, SMTP, phpMyAdmin and SFTP for each customer's domain. LE works fine for HTTPS but gives errors for mail.CustomerDomain.com

    What I have done: -
    Installed a clean setup on DEBIAN 9 as per - The Perfect Server - Debian 9 (Stretch) with Apache, BIND, Dovecot, PureFTPD and ISPConfig 3.1: - https://www.howtoforge.com/tutorial...-9-stretch-apache-bind-dovecot-ispconfig-3-1/

    Specifically I installed Let’s Encrypt as per the Perfect Server, namely: -
    cd /usr/local/bin
    wget https://dl.eff.org/certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --install-only

    I secured the Control Panel with Self Cert
    (which gives these warnings: -
    main-server.mydomain.com:8080 uses an invalid security certificate.
    The certificate is not trusted because it is self-signed.
    Error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT)
    as per the script: -

    Do you want a secure (SSL) connection to the ISPConfig web interface (y,n) [y]: y

    Can access Control Panel with untrusted https

    Created new DNS for newdomain.com
    Created new Site for newdomain.com
    Added LE SSL for site from Control Panel

    Can access newdomain.com under HTTPS with no warnings – all works fine

    Now I want to install @ahrasis' script (https://github.com/ahrasis/LE4ISPC) as I understand that this script will enable the LE cert to secure IMAP, SMTP, phpMyAdmin and SFTP etc. for each customer's domain.

    Here is what I do: -
    cd /etc/ssl
    wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh
    chmod +x le4ispc.sh
    ./le4ispc.sh

    This is what is happening: -
    I get the following error: -

    ./le4ispc.sh: line 28: certbot: command not found

    My Questions Please: -
    1/ Am I correct that @ahrasis' script will enable LE cert to secure IMAP, SMTP, phpMyAdmin and SFTP for existing and new future sites?
    2/ Why am I getting the ./le4ispc.sh: line 28: certbot: command not found error?

    Once again I have read the manual and looked high and low on here and Google but I cannot seem to find the answers.

    Would be grateful if anyone could point me in the right direction please.

    Thanks in advance

    Kind regards to all

    Nick
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    HappierTimesAhead likes this.
  3. HappierTimesAhead

    HappierTimesAhead New Member

    @Taleman Hi, Many thanks for the update.

    If I follow the steps from: -

    https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/

    I fail at the very first step, namely: -

    lelive=/etc/letsencrypt/live/$(hostname -f)
    if [ ! -d "$lelive" ]; then
    certbot certonly --authenticator standalone -d $(hostname -f) --pre-hook "service apache2 stop" --post-hook "service apache2 start"
    fi

    I get: -
    -bash: certbot: command not found

    Totally confused - HELP :)

    Kind regards

    Nick
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess the problem is that certbot does not get installed in the path anymore when using certbot-auto. So what needs to be changed in the instructions is either to use the full path to the certbot command (it's somewhere under /opt/eff.org/... now, if I remember correctly) or to create a symlink to the certbot command, e.g. in /usr/local/bin/, which might be even more useful as this would allow easy access to the command in future. Such a symlink will probably also make le4ispc.sh work again. certbot-auto is basically an installer and wrapper for certbot according to the information I found on the certbot website; certbot-auto is not a replacement, internally it still installs the certbot command so it can be used in future as well.
     
    Last edited: May 1, 2020
    HappierTimesAhead likes this.
  5. HappierTimesAhead

    HappierTimesAhead New Member

    Hi @till thanks for the update.

    I have found certbot at the following location (Debian 9): -
    /opt/eff.org/certbot/venv/bin/certbot

    Would I use the following command (as root) to create the symlink you mentioned?
    ln -sf /opt/eff.org/certbot/venv/bin/certbot /sr/local/bin/

    Many thanks again
    Regards
    Nick
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    I had a typo in my post, it's /usr/local/bin/ and not /sr/... Change that in your command and it should be working.
     
    HappierTimesAhead likes this.
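
The symlink fix discussed in the posts above, as an added example that is not part of the thread or of LE4ISPC. It checks the target and link directory before linking, so a mistyped path fails loudly instead of leaving `certbot` unresolved. `link_certbot` and its return codes are hypothetical; the venv path is the one reported above for Debian 9.

```shell
#!/bin/sh
# Added example (not from the thread): expose the certbot installed by
# certbot-auto as "certbot" on PATH. link_certbot is a hypothetical helper.

# Path reported in the thread for Debian 9; adjust if your install differs.
CERTBOT_VENV_BIN="${CERTBOT_VENV_BIN:-/opt/eff.org/certbot/venv/bin/certbot}"
LINK_DIR="${LINK_DIR:-/usr/local/bin}"

# link_certbot TARGET DIR
# Returns 0 when DIR/certbot is a symlink to TARGET afterwards,
# 1 if TARGET is not an executable file, 2 if DIR does not exist,
# 3 if DIR/certbot exists and is not a symlink, 4 if linking failed.
link_certbot() {
    target=$1
    dir=$2
    link="$dir/certbot"

    if [ ! -f "$target" ] || [ ! -x "$target" ]; then
        echo "not an executable file: $target" >&2
        return 1
    fi
    # A mistyped directory such as /sr/local/bin is caught here.
    if [ ! -d "$dir" ]; then
        echo "no such directory: $dir" >&2
        return 2
    fi
    # Never overwrite a real binary (for example one from a distro package).
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        echo "refusing to replace non-symlink: $link" >&2
        return 3
    fi

    ln -sfn "$target" "$link" || return 4
    [ "$(readlink "$link")" = "$target" ] || return 4

    # Scripts such as le4ispc.sh call plain "certbot", so DIR must be on PATH.
    case ":$PATH:" in
        *":$dir:"*) ;;
        *) echo "warning: $dir is not in PATH" >&2 ;;
    esac
    return 0
}

# Run as root with --apply to create the link; otherwise only the function is defined.
if [ "${1:-}" = "--apply" ]; then
    link_certbot "$CERTBOT_VENV_BIN" "$LINK_DIR"
fi
```
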
  7. HappierTimesAhead

    HappierTimesAhead New Member

    Hi again @till thanks for your kind help.

    Can confirm that I created the symlink as per your suggestion: -
    ln -sf /opt/eff.org/certbot/venv/bin/certbot /usr/local/bin/

    Then I ran: -
    cd /etc/ssl
    wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh --no-check-certificate
    chmod +x le4ispc.sh
    ./le4ispc.sh

    All went well with no errors apart from: -
    An unexpected error occurred:
    There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: master-server.ngechosting.com: see https://letsencrypt.org/docs/rate-limits/

    So now because I have hit the rate limit I have to wait a few days - I could cry :(:(:(

    But THANK YOU SO MUCH.

    One more question please: -
    Now I have run the le4ispc.sh script; will all new LE sites created be able to use their own secure mail.CustomerWebsite.com to access mail securely?

    With kind regards to all

    Nick
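
The download step in this thread fetches le4ispc.sh from the master branch and runs it as root, in the post above with certificate checking switched off. As an added example (not part of the thread or of LE4ISPC), this keeps TLS verification on and installs the script only if it matches the digest of a copy you have reviewed. `EXPECTED_SHA256` is a placeholder and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): verify a root-level installer script
# against a pinned digest before it is ever made executable.

SCRIPT_URL="https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh"  # URL from the thread
# PLACEHOLDER: put the SHA-256 of the copy you have read and approved here.
EXPECTED_SHA256="REPLACE_WITH_SHA256_OF_REVIEWED_COPY"

# sha256_of FILE -> prints the hex digest only
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# matches_pin FILE EXPECTED -> 0 on match, 1 on mismatch, 2 if FILE is missing
matches_pin() {
    [ -f "$1" ] || return 2
    [ "$(sha256_of "$1")" = "$2" ]
}

# fetch_verified URL EXPECTED DEST
# Downloads to a temp file and moves it into place only after the digest matches.
fetch_verified() {
    dl_tmp=$(mktemp) || return 1
    # No --no-check-certificate here: a TLS error usually points to a stale
    # CA bundle or a wrong system clock, which should be fixed instead.
    if wget -q -O "$dl_tmp" "$1" && matches_pin "$dl_tmp" "$2"; then
        mv "$dl_tmp" "$3" && chmod 700 "$3"
    else
        rm -f "$dl_tmp"
        echo "download failed or digest mismatch, nothing installed" >&2
        return 1
    fi
}

# Run with --fetch to download; otherwise only the functions are defined.
if [ "${1:-}" = "--fetch" ]; then
    fetch_verified "$SCRIPT_URL" "$EXPECTED_SHA256" ./le4ispc.sh
fi
```

Because the URL tracks master, the pin has to be refreshed after each review of a new upstream version; a mismatch means the file changed since it was last read.
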
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    You should tell your customers to use your server hostname in their mail clients as SMTP and IMAP server; that's what all larger hosters do. Using subdomains of customer domains is a huge problem in general, as you will have to configure an SSL cert for each customer mail domain manually and also remove them manually in case a customer cancels your service. Plus, you need a very new postfix version for that, as SNI has not existed that long in postfix, or you have one large cert with all customer subdomains, which works in older postfix versions, but this would also require adding and removing each subdomain properly. So better go the way that large hosters use and tell your customers to use the mail server name of your servers, as you're the hosting company for them.
     
    HappierTimesAhead likes this.
  9. HappierTimesAhead

    HappierTimesAhead New Member

    Hi @till,

    Many thanks for: -
    A) Your quick responses to my queries :)
    B) Great advice that works :)
    C) Your patience :)
    D) ISPConfig which is an outstanding product

    Have a great weekend and stay safe.

    With kind regards, thanks and best wishes

    Nick
     
    ahrasis and till like this.
