Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. webguyz

    webguyz Active Member HowtoForge Supporter

    I was looking at the acme.sh script but wasn't sure about the renewals; looking again, I see there is ISPConfig 3.1 API support. Will have to dig into that. Thanks!
     
  2. ahrasis

    ahrasis Active Member

    My suggestions are as posted a few posts above yours, if this guide is to be followed as a sample.

    However, you may want to try the approach suggested by @Tuumke, who has opened a thread on how to do it.

    Tuumke's approach is basically based on earlier posts / discussions by @sjau (acme.sh approach), which is also technically quite similar to the certbot approach by @Jesse Norell.
     
  3. ahrasis

    ahrasis Active Member

    I was building a new cluster / mirror server based on the Debian Jessie tutorial (mine is Ubuntu Xenial) and, while at it, I did perform my suggestion in post #196 above by running this code:
    Code:
    scp -r /etc/letsencrypt/$(hostname -f)/ [email protected]:~/etc/
    Note that the ssh "password" access between the two has been dealt with in the said Debian Jessie tutorial, and this should be added to the end part of le_ispc_pem.sh to automate future updates via scp for the other server.

    Since the suggestion is to make the other server an aliasdomain of the main server, I changed $(hostname -f) to the main server hostname / domain and other needed parts of the script, saved it, and after running it the other server is now fully secured with the same LE SSL certs as the main server.

    I added a note on this to the main guide, updated the one in the LE4ISPC github, and hope this already covers LE SSL certs for an ISPConfig multi-server setup for those who intend to use or already use this approach.
     
    Last edited: Dec 13, 2017
  4. budgierless

    budgierless Member HowtoForge Supporter

    Hi, does this script support Let's Encrypt SSL joining to postfix email TLS/SSL for each domain? Or is that a different kind of cert?
     
  5. Tapiocapioca

    Tapiocapioca New Member

    Hello, I am using the procedure on the first page and it is working fine, but I have many domains on my VPS. I need to access the email by IMAP with different DNS names, but all requests are rejected because the certificate is not valid. Let me make an example.

    Main domain: tapiolla.com HTTPS Working
    Main domain: www.tapiolla.com HTTPS Working
    Main email: mail.tapiolla.com SSL Working
    Second domain: tapiocapioca.com HTTPS Working
    Second domain: www.tapiocapioca.com HTTPS Working
    Main email: mail.tapiocapioca.com SSL NOT Working

    This situation makes many troubles for me: if I use the DNS name mail.tapiolla.com to send emails from the domain tapiocapioca.com, the email is delivered but is not received because the SPF verification fails. If I deliver emails from the domain tapiocapioca.com with the DNS name mail.tapiocapioca.com, the emails are directly rejected because the certificate is valid only for mail.tapiolla.com.

    By myself, I made the certificate by hand with the command:
    Code:
    /usr/bin/certbot certonly --standalone --email [email protected] -d tapiolla.com -d www.tapiolla.com -d mail.tapiolla.com -d tapiocapioca.com -d www.tapiocapioca.com -d mail.tapiocapioca.com

    and inside the folder /etc/letsencrypt/live/tapiolla.com/ I found the certificates

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

    already valid for all the DNS names I need.
    Following the procedure on the first page, all the DNS names I need are working because the handmade certificate is valid for all the DNS names available.

    Does someone know the way to make the procedure automatic? On the page of the site I have only 3 options to generate the certificate:

    tapiolla.com
    www.tapiolla.com
    *.tapiolla.com

    Is it possible to modify the template of this page somewhere, or does the script automatically generate the certificate for the site tapiolla.com? I would like it if I could write by myself all the domains I need. I hope someone can give me a suggestion about it.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally you won't connect to the IMAP server with the domain of a client; instead, you use the server hostname or a central 'mail' subdomain of the provider, and for this server hostname subdomain you create an SSL cert. That's the correct setup and what's described in this thread. Your delivery problems are not related to the SSL cert; if you have an SPF error, then check and correct your SPF record.
     
    ahrasis likes this.
  7. Tapiocapioca

    Tapiocapioca New Member

    I have a different feedback; maybe I wrote it badly. Actually, with the certificate generated by myself I can connect the client (Thunderbird) to the URL mail.tapiocapioca.com to send an email like [email protected] and I have no errors. Google, when it receives the email, recognises SPF correctly.
    With the default certificate made by this guide the connection was directly rejected with mail.tapiocapioca.com, and if I connect Thunderbird to the URL mail.tapiolla.com it gave me an error, like Firefox: there is a certificate that is not valid and it asks me to add an exception. Adding the exception I can send an email like [email protected] but, without any kind of modification, Google does not recognise the SPF and shows me a ? on the icon of the email I received. I hope I am clearer now.. :)

    Probably I did something wrong.
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so what you claimed in your first post, that email is failing to be delivered due to an SPF error, is not the case. Fine, so there is no SPF issue then.

    Regarding the SSL cert in Thunderbird, I explained that in my post. You issue an SSL cert for the hostname of the server and not for each mail subdomain on a server, and then you use that hostname to connect with Thunderbird; that's the procedure described in this thread. So go back to the first post and follow the instructions that you find there to create an SSL cert for the server hostname of your server. This SSL cert does not have to contain any other domains like you claim in your post.
     
    ahrasis likes this.
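
The exchange above comes down to two questions a practitioner can answer from the shell: which DNS names does the certificate on disk actually cover, and is that the certificate Postfix/Dovecot present to a client connecting as mail.tapiolla.com? The script below is an added example, not part of the guide or the posts. It lists the SAN entries of a certificate, checks whether a given connection name is covered (including a single-label wildcard such as *.tapiolla.com, which does not cover tapiolla.com itself), and fetches the SHA-256 fingerprint of the certificate a live service presents so it can be compared with the file. Host names and paths in the comments are examples.

```shell
#!/bin/sh
# Added example (not from the thread): which names does a cert cover, and does
# the running mail service present that cert? Host names/paths are examples.
set -eu

# cert_names CERT_FILE
# Prints each DNS subjectAltName on its own line; falls back to the CN when the
# certificate carries no SAN extension (old or hand-made certificates).
cert_names() {
  names=$(openssl x509 -in "$1" -noout -text \
          | grep -A1 'Subject Alternative Name' \
          | tr ',' '\n' \
          | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p')
  if [ -n "$names" ]; then
    printf '%s\n' "$names"
  else
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,\/]*\).*/\1/p'
  fi
}

# cert_covers CERT_FILE NAME
# True if NAME is listed exactly or matched by a *.suffix entry. A wildcard
# matches exactly one left-most label: *.tapiolla.com covers mail.tapiolla.com
# but neither tapiolla.com nor a.b.tapiolla.com.
cert_covers() {
  cert="$1"; name="$2"; found=1
  set -f                        # "*.example" must not glob against the cwd
  for n in $(cert_names "$cert"); do
    case "$n" in
      "$name") found=0 ;;
      \*.*)
        [ "${name%%.*}" != "$name" ] && [ "${name#*.}" = "${n#\*.}" ] && found=0
        ;;
    esac
  done
  set +f
  return $found
}

# fingerprint_of_file CERT_FILE
# SHA-256 fingerprint of the certificate on disk, e.g. the ispserver.crt that
# the guide links to the Let's Encrypt lineage.
fingerprint_of_file() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# fingerprint_of_service HOST PORT [STARTTLS_PROTO]
#   fingerprint_of_service mail.tapiolla.com 993
#   fingerprint_of_service mail.tapiolla.com 25 smtp
# Sends HOST as SNI so an SNI-aware server (Dovecot) answers with the cert it
# would hand a real client. Needs network access, so it is not run offline.
fingerprint_of_service() {
  host="$1"; port="$2"; starttls=""
  [ -n "${3:-}" ] && starttls="-starttls $3"
  openssl s_client -connect "$host:$port" -servername "$host" $starttls </dev/null 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Typical use after a renewal (hostname and path are examples):
#   cert_covers /usr/local/ispconfig/interface/ssl/ispserver.crt "$(hostname -f)" && echo covered
#   [ "$(fingerprint_of_file /usr/local/ispconfig/interface/ssl/ispserver.crt)" = \
#     "$(fingerprint_of_service "$(hostname -f)" 993)" ] && echo "dovecot serves the new cert"
```

If the two fingerprints differ, the file was updated but the daemon was not reloaded, which is exactly the state Thunderbird reports as an invalid certificate after a renewal.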
  9. Tapiocapioca

    Tapiocapioca New Member

    I found the trouble. I am using Debian, so if I use
    Code:
    /etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
    inside incrontab -e it is not working. I modified the command and now everything is ok :)
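
Both the scp step in ahrasis' multi-server post above and the incron trigger in the post just before this one are about the same thing: doing something reliably every time the certificate is renewed. The script below is an added example, not the guide's le_ispc_pem.sh; it is written as a certbot `--deploy-hook`, which certbot runs only after a successful renewal with `RENEWED_LINEAGE` set to the `/etc/letsencrypt/live/<name>` directory, so no incron path watching (and no `$(hostname -f)` expansion inside incrontab) is needed. It rebuilds the ISPConfig certificate files as copies rather than the guide's symlinks, refuses to install a key and certificate that do not belong together, and pushes the result to mirror servers over key-based ssh. The `MIRRORS` list, the service names and the reload commands are assumptions to adapt.

```shell
#!/bin/sh
# Added example, not the thread's le_ispc_pem.sh: a certbot --deploy-hook that
# rebuilds the ISPConfig certificate files after a renewal, refuses to install
# a key/cert pair that does not match, and pushes the result to mirror servers.
# certbot exports RENEWED_LINEAGE (/etc/letsencrypt/live/<name>) to deploy
# hooks; everything else below is an assumption you may need to adapt.
set -eu

# Where ISPConfig (and, via the guide's links, Postfix/Dovecot) read the cert.
ISPC_SSL_DIR="${ISPC_SSL_DIR:-/usr/local/ispconfig/interface/ssl}"
# Hypothetical mirrors: space-separated user@host entries reachable by ssh key.
MIRRORS="${MIRRORS:-}"
# Services to reload once the files changed (adjust to your stack).
RELOAD_SERVICES="${RELOAD_SERVICES:-postfix dovecot}"

# build_pem LIVE_DIR OUT_DIR
# Writes ispserver.crt (full chain), ispserver.key and ispserver.pem (key first,
# then chain, the order Postfix and Dovecot accept in one file) into OUT_DIR.
# Returns 1 without creating anything if the lineage is incomplete.
build_pem() {
  live="$1"; out="$2"
  [ -s "$live/fullchain.pem" ] && [ -s "$live/privkey.pem" ] || return 1
  mkdir -p "$out"
  oldmask=$(umask); umask 077                 # new files start out as 0600
  cat "$live/fullchain.pem" > "$out/ispserver.crt"
  cat "$live/privkey.pem" > "$out/ispserver.key"
  cat "$live/privkey.pem" "$live/fullchain.pem" > "$out/ispserver.pem"
  umask "$oldmask"
  chmod 0600 "$out/ispserver.key" "$out/ispserver.pem"
  chmod 0644 "$out/ispserver.crt"             # the certificate itself is public
}

# key_matches_cert CERT KEY
# Compares the public key inside the certificate with the one derived from the
# private key; works for RSA and ECDSA alike (unlike comparing RSA moduli).
key_matches_cert() {
  pub_from_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  pub_from_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$pub_from_cert" ] && [ "$pub_from_cert" = "$pub_from_key" ]
}

# install_local OUT_DIR
# Remove first: on a host set up by the guide these names are symlinks into
# /etc/letsencrypt and cp would otherwise write through them.
install_local() {
  rm -f "$ISPC_SSL_DIR/ispserver.crt" "$ISPC_SSL_DIR/ispserver.key" "$ISPC_SSL_DIR/ispserver.pem"
  cp -p "$1/ispserver.crt" "$1/ispserver.key" "$1/ispserver.pem" "$ISPC_SSL_DIR/"
}

# push_to_mirror USER@HOST OUT_DIR
# The mirror is an aliasdomain of the main hostname, so it serves the same cert.
push_to_mirror() {
  ssh "$1" "rm -f $ISPC_SSL_DIR/ispserver.crt $ISPC_SSL_DIR/ispserver.key $ISPC_SSL_DIR/ispserver.pem"
  scp -q "$2/ispserver.crt" "$2/ispserver.key" "$2/ispserver.pem" "$1:$ISPC_SSL_DIR/"
  ssh "$1" "systemctl reload $RELOAD_SERVICES"
}

deploy() {
  tmp=$(mktemp -d)
  trap 'rm -rf "$tmp"' EXIT
  build_pem "$RENEWED_LINEAGE" "$tmp" || { echo "incomplete lineage: $RENEWED_LINEAGE" >&2; return 1; }
  key_matches_cert "$tmp/ispserver.crt" "$tmp/ispserver.key" || { echo "cert/key mismatch, not deploying" >&2; return 1; }
  install_local "$tmp"
  for m in $MIRRORS; do push_to_mirror "$m" "$tmp"; done
  systemctl reload $RELOAD_SERVICES
}

# Run only when certbot invokes us (RENEWED_LINEAGE is set); sourcing is harmless.
if [ -n "${RENEWED_LINEAGE:-}" ]; then deploy; fi
```

Install it with `certbot renew --deploy-hook /usr/local/sbin/ispc-deploy.sh` once (certbot records the hook in the lineage's renewal config) or by dropping it into `/etc/letsencrypt/renewal-hooks/deploy/`; path name is an example. Because the hook copies rather than links, the ISPConfig interface keeps working even if `/etc/letsencrypt` is temporarily unavailable on a mirror.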
     
  10. Poliman

    Poliman Member

    Is it possible to set up a specific certificate for a particular domain? On my server I have a few domains. Currently postfix/dovecot use the LE SSL cert created for s1.domain.net, which is the hostname of the server. I can open the ISP panel under s1.domain.net:8080. When I try to send an email from another domain, for example [email protected], postfix/dovecot still use the s1.domain.net SSL certificate.
    This is quite a huge problem, because the Zend application does not allow sending emails from domains which are signed with another/self-signed certificate.
     
  11. Jesse Norell

    Jesse Norell Well-Known Member

    You could request certificates with sets of domain names included in them and then configure postfix and dovecot to use them, but there isn't much support in ISPConfig for that at this time. You will need to use a different IP address for each certificate, as postfix doesn't support SNI. I think there have been examples of the postfix config posted before; I don't know of examples of the dovecot configuration offhand, though I've done that on non-ISPConfig servers and it's not difficult.
     
    Poliman likes this.
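
As an added example (not configuration from the thread or from ISPConfig), this is the layout Jesse describes for Postfix, one SMTP listener per IP address, each with its own certificate, beside a Dovecot SNI block that serves a second certificate on a single IP. The addresses 192.0.2.10/11 and the certificate paths are hypothetical; s1.domain.net and mail.tapiocapioca.com are the names used earlier in the thread.

```conf
# /etc/postfix/master.cf (excerpt): one smtpd per address, each with its own
# certificate. inet_interfaces in main.cf must cover both addresses (e.g. "all").
# Replace the generic "smtp inet ... smtpd" line with these two, otherwise the
# generic one binds port 25 on every address first.
192.0.2.10:smtp inet  n  -  y  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/s1.domain.net/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/s1.domain.net/privkey.pem
192.0.2.11:smtp inet  n  -  y  -  -  smtpd
  -o smtpd_tls_cert_file=/etc/letsencrypt/live/mail.tapiocapioca.com/fullchain.pem
  -o smtpd_tls_key_file=/etc/letsencrypt/live/mail.tapiocapioca.com/privkey.pem

# /etc/dovecot/conf.d/10-ssl.conf (excerpt): Dovecot selects the certificate
# from the name the client sends in SNI, so one IP can serve both names.
ssl = required
ssl_cert = </etc/letsencrypt/live/s1.domain.net/fullchain.pem
ssl_key = </etc/letsencrypt/live/s1.domain.net/privkey.pem

local_name mail.tapiocapioca.com {
  ssl_cert = </etc/letsencrypt/live/mail.tapiocapioca.com/fullchain.pem
  ssl_key = </etc/letsencrypt/live/mail.tapiocapioca.com/privkey.pem
}
```

Verify with `postfix check` and `doveconf -n` after editing, and from outside with `openssl s_client -connect 192.0.2.11:25 -starttls smtp -servername mail.tapiocapioca.com`. Two caveats: Postfix 3.4 and later can select certificates by SNI on a single IP via `tls_server_sni_maps` (a table mapping the SNI name to a file holding key and chain, built with `postmap -F`), which lifts the per-IP requirement on newer systems; and ISPConfig rewrites parts of the Postfix and Dovecot configuration during updates, so re-check these blocks after upgrading.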
  12. Poliman

    Poliman Member

    Thank you for the answer. Currently I have only one IP and I am afraid it won't change in the future.

    PS
    Jesse, do you know maybe why, after setting up MAILTO in crontab (cronjobs in ISP are created in /etc/cron.d as a specific file like ispc_webX with cron lines), mail won't be sent? I tried the command
    Code:
    echo Test | mail -s Test [email protected]
    and I got a nice email.
     
  13. DylanPedro

    DylanPedro Member HowtoForge Supporter

    I think the guide misses out that, in order for phpMyAdmin to work on an nginx server on port 8081 (the default), the following has to be added to Server Config > Web > Apps Vhost Settings > Apps-vhost port:
    Code:
    8081 ssl; ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key
     
  14. ahrasis

    ahrasis Active Member

    Thanks, but this guide is for port 8080 and a single server's main services. You may add it to others yourselves (including if you are running multiple servers).
     
  15. DylanPedro

    DylanPedro Member HowtoForge Supporter

    But this is on a single server environment, and port 8081 is the default on an nginx server for ISPConfig apps such as phpMyAdmin.

    Following the guide will break the default settings for phpMyAdmin on an nginx setup if wanting to use SSL?
     
  16. helmo

    helmo New Member

    Thanks for writing up on this.
     
  17. helmo

    helmo New Member

    ... just for reference, there also is a gitlab issue about integrating support for this.
     
  18. helmo

    helmo New Member

    Sorry, three posts are needed to get past the link limit on accounts with fewer than 2 posts.
     
  19. helmo

    helmo New Member

  20. ahrasis

    ahrasis Active Member

    I would prefer to use a custom conf for that, as I need to add a lot more than just ssl and this way is more effective for me. I would add /usr/local/ispconfig/server/conf-custom/nginx_apps.vhost.master, where its upper part is something like this:
    Code:
    server {
      listen {apps_vhost_ip}{apps_vhost_port} http2;
      listen [::]:{apps_vhost_port} ipv6only=on http2;
    
      # Copied ssl from ispconfig.vhost, if any
      ssl on;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
      ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
      ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers on;
    
      # redirect to https if accessed with http
      error_page 497 https://$host:{apps_vhost_port}$request_uri;
      error_log /var/log/ispconfig/ispconfig.log;
    
      server_name {apps_vhost_servername};
    
      root {apps_vhost_dir};
    
      client_max_body_size 100M;
    
      location / {
        index index.php index.html;
      }
    
      # serve static files directly
      # location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt|eot|ttf|otf|woff|woff2|svg)$ {
      location ~* \.(ogg|ogv|svg|svgz|eot|ttf|otf|woff|woff2|mp4|mp3|css|rss|atom|js|jpg|jpeg|gif|png|ico|html|xml|txt|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)(\?ver=[0-9.]+)?$ {
        access_log off;
        log_not_found off;
        # expires 365d;
        expires max;
      }
    
      location ~* \.(pdf)$ {
        expires 30d;
      }
    
    
     
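
A hardened variant of the upper part of that template, added here as an example rather than taken from the post above or from ISPConfig's shipped templates. It keeps the same placeholders and certificate paths, replaces the `ssl on;` directive (deprecated since nginx 1.15.0) with `ssl` on the listen lines, drops TLS 1.0/1.1 together with the 3DES and plain-CBC suites that the original cipher list still allows, and leaves HSTS commented out with the reason. The static-file and PHP locations from the original template follow unchanged and are not repeated.

```nginx
server {
  # "ssl on;" is deprecated since nginx 1.15.0; mark the listeners themselves.
  listen {apps_vhost_ip}{apps_vhost_port} ssl http2;
  listen [::]:{apps_vhost_port} ssl http2 ipv6only=on;

  server_name {apps_vhost_servername};
  root {apps_vhost_dir};

  # Same files the guide points at the Let's Encrypt lineage.
  ssl_certificate     /usr/local/ispconfig/interface/ssl/ispserver.crt;
  ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;

  # TLS 1.0/1.1 and the DES-CBC3 / AES-CBC-SHA suites from the original list are
  # gone; TLSv1.3 needs nginx >= 1.13.0 built against OpenSSL 1.1.1 or later.
  ssl_protocols TLSv1.2 TLSv1.3;
  ssl_ciphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305';
  ssl_prefer_server_ciphers off;
  ssl_session_timeout 1d;
  ssl_session_cache shared:AppsSSL:10m;
  ssl_session_tickets off;

  # HSTS is scoped to the hostname, not to this port: once sent from :8081 the
  # browser also upgrades http://{apps_vhost_servername}/ on port 80. Enable it
  # only when every HTTP service on this hostname is reachable over TLS.
  # add_header Strict-Transport-Security "max-age=63072000" always;
  add_header X-Frame-Options SAMEORIGIN always;
  add_header X-Content-Type-Options nosniff always;

  # Plain-HTTP request on the TLS port: redirect the client to https.
  error_page 497 =301 https://$host:{apps_vhost_port}$request_uri;
  error_log /var/log/ispconfig/ispconfig.log;

  client_max_body_size 100M;

  location / {
    index index.php index.html;
  }

  # ... static-file and PHP locations from the original template follow here
}
```

Run `nginx -t` after placing the file in conf-custom and re-saving the server config so ISPConfig regenerates the apps vhost; if the test complains about `ssl` on a `listen` line, the nginx build is too old for this syntax and `ssl on;` has to stay.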
