Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. HSorgYves

    HSorgYves Active Member

    I have Let's Encrypt working on subdomains without own zone. A zone is not required!
     
  2. Tuumke

    Tuumke Member

    wtf... i really dont understand. from what i read on google, LE uses google dns servers. Nslookup to panel.domain.com on the google dns servers worked. I could reach panel.domain.com on 80 and 443 (selfsigned) still LE said it didnt understand. When i added a DNS zone for panel.domain.com it worked, not with an A or AAA record on the zone of domain.com...
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    It could have been simply a problem at the side of LE.
     
    Tuumke likes this.
  4. ruchri

    ruchri New Member

    Thank you very much, ahrasis and other contributors!
    Just what I needed.
     
    ahrasis likes this.
  5. ralfba

    ralfba New Member

    Hi Fellows,
    just to get it right ...
    my setup follows the standard i guess:
    SERVER FQDN => server1.domain.com
    if i follow the initial tutorial from this thread and want to get that ssl-cert created through the ispconfig-control-panel, would need to create ...
    1 - create the domain "domain.com" under CLIENT=>DOMAINS
    2 - create the site "domain.com" under "SITES=>WEBSITES"
    (because you cannot create server1.domain.com directly)
    3 - create the subdomain "server1.domain.com" under "SITES=>SUBDOMAIN FOR WEBSITES"
    4 - edit "domain.com" under "SITES=>WEBSITES"
    and enablle SSL + Let's Encrypt SSL

    that creates a certificate for domain.com that includes the name server1.domain.com in it.
    there is no other way to have the certificate created only for server1.domain.com???
    thx for you help - ralf
     
  6. ahrasis

    ahrasis Active Member

    Why not? You may need to add server1 in domain.com dns A zone but you can always create server1.domain.com as a site (under site > websites) for having its own LE SSL certs.
     
  7. ruchri

    ruchri New Member

    Confirmed what ahrasis said. I did so and ik works like a charm for both my panels on two single vps.
     
  8. FFH

    FFH Member

    I have a small problem, I am unable to renew my letsencrypt certificate.
    Not sure why...

    NET::ERR_CERT_DATE_INVALID

    Subject: XX.domain.com
    Issuer: Let's Encrypt Authority X3
    Expires on: Oct 25, 2017
    Current date: Nov 1, 2017

    I followed this guide and figured the Cron that was setup would take care of this for me.

    Thoughts?
     
  9. ahrasis

    ahrasis Active Member

    Check the logs (LE especially) on why as renewal is done by LE certbot.

    The script works accordingly only when the ISPC domain renewal is successful; so make sure the domain is always accessible and online.

    If you can enter your ISPC control panel (via local or public IP), uncheck the SSL and then recheck the LE for you ISPC website manually to try fixing this.

    The script should do its work once ISPC domain SSL is renewed by LE certbot.
     
  10. FFH

    FFH Member

    Thanks but I think it's my stuff up. I decided to use Certbot via CLI to register 10 domains and some sub domains on the one LE cert (I read somewhere you can do up to 100). I thought it would just be a case of running that command again to update the cert.

    Interestingly some of the domains are using it fine, whilst others aren't.

    So apologies, it is not the procedure you have provided but rather my own issue. :confused:
     
  11. FFH

    FFH Member

    As a little side note, is there a procedure to revert back to Non SSL CP login?
     
  12. florian030

    florian030 ISPConfig Developer ISPConfig Developer

    Remove the ssl-settings from the ispconfig-vhost and restart apache / nginx?
     
  13. Poliman

    Poliman Member

    You can do:
    1. Go to path /etc/letsencrypt (on Debian/Ubuntu).
    2. Turn off SSL and LE SSL in ISP Panel for this domain and wait for changes loading. If you can't enter your panel use IP address of the server.
    3. Remove all files belonging to particular domain from few directories: live, renew, archive.
    4. Turn on LE SSL and SSL and your domain get fresh LE certificate which will work as should.

    You can try update ISP Panel and in question about generate new certificate you can answer "yes". Then your broken LE certificate will be upgraded by self-signed generated during ISP update.
     
    Last edited: Nov 16, 2017
  14. Tuumke

    Tuumke Member

    Last edited: Dec 1, 2017
  15. Tuumke

    Tuumke Member

    If you already have the LE cert for your ISPConfig, how would you get another for mail.domain.tld?
    Or better yet, how can we secure our e-mail domains.
    Usually someoe would use mail.hisdomain.tld for mailserver send/receive. How would we make that secure for all of the domains?
     
  16. ahrasis

    ahrasis Active Member

    Personally, I would create aliasdomain for other servers (like mail.domain.tld etc) under the master-server.domain.tld.

    Then I would add new lines of commands to the script (e.g. scp) to transfer a copy of that certs for other servers usages.

    That way I won't have to unnecessarily install certbot or acme.sh etc or create website on other servers.

    Edited: Please refer to post #203 for the scp command.
     
    Last edited: Feb 23, 2018
  17. Tuumke

    Tuumke Member

    Yes but that is all 'manual' work then :p
     
  18. ahrasis

    ahrasis Active Member

    Pardon me? The script should cover the transfer of the certs to other servers automatically upon their renewal as it does for the main and other services in the master server.

    The only manual work to be done is only at the beginning if this guide is to be followed of course.

    Even if one is to use certbot or acme.sh to create the certs, they still have to run it manually at the first instance, at all servers that is.
     
  19. webguyz

    webguyz Active Member HowtoForge Supporter

    Is it possible to have LE work in a multi-server ISPConfig environement where I have some slave servers that are email only? I would like to create certs for those servers postfix and dovecot services but don't have web hosting on those servers and I understand you can't symlink across servers.
     
  20. Tuumke

    Tuumke Member

    You can create a remote 'api' user in ISPConfig with access to DNS Zone and DNS TXT. Then use the acme.sh to use DNS challenge.
     

Share This Page