Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Redwarp

    Redwarp New Member

    Hello
    Question for Till really, as ispconfig has updated some of these steps are now redundant. Could you point me at the most recent required steps for a new ispconfig installation to do following:
    (assuming perfect server setup mysql/ubuntu/letsencrypt, per instructions)
    To get ssl working on ispconfig control panel
    To get ssl working with mailserver (on same server)
    Is it necessary to add a "site" in ISPC for "the control panel" and add ssl via letsencrypt to that ?
    What are the absolute requred DNS entries:
    AAAA record for this FQDN ?
    AAAA records for any of the sites hosted on this server ?
    Thanks guys
     
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/
    Hard to say, depends on what hosts you have and what they do. Start with A records for all your hosts and NS records for your name servers. MX records are needed if you have mail server.
    You can create AAAA records and any other record if you want.
    There is Tutorial on setting up name service with ISPConfig: https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/
     
  3. TomGrow

    TomGrow New Member

    Hello,

    I followed www dot howtoforge dotcom/tutorial/perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1/ to set up Ispconfig
    , which works fine

    For installation of Lets encrypt, I followed steps mentioned # 11 of the above guide
    cd /usr/local/bin
    wget https: //dl . eff . org / certbot-auto
    chmod a+x certbot-auto
    ./certbot-auto --install-only

    After that I used this code

    cd /etc/ssl
    wget raw at githubusercontent dot com/ahrasis/LE4ISPC/master/apache/le4ispc.sh --no-check-certificate
    chmod +x le4ispc.sh
    ./le4ispc.sh

    While executing ./le4ispc.sh it throws an error

    ./le4ispc.sh: line 28: certbot: command not found

    whereas the script line 28 reads as
    certbot certonly --authenticator standalone -d $(hostname -f) --pre-hook "service $websvr stop" --post-hook "service $websvr start"

    My DNS with my VPS provider as well Ispconfig are correct

    Please advise

    Thanks & regards,

    Tom
     
  4. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    What do the following commands show:
    Code:
    type -a certbot
    apt-cache policy certbot
     
  5. TomGrow

    TomGrow New Member

    Dear Sir,
    Here is output

    [email protected] /tmp# type -a certbot
    -bash: type: certbot: not found
    [email protected] /tmp# apt-cache policy certbot
    certbot:
    Installed: (none)
    Candidate: 0.28.0-1~deb9u1
    Version table:
    0.28.0-1~deb9u1 500
    500 http // asi-fs-n contabo net/debian stretch/main amd64 Packages
    500 http //ftp us debian org/debian stretch/main amd64 Packages
    500 http //asi-fs-n contabo net/debian stretch-updates/main amd64 Packages
    [email protected] /tmp#

    Thx!
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Command certbot is not installed, at least not in the usual paths. Check error messages, the installation commands for error messages or info on where it got installed, if indeed certbot was installed.
     
  7. TomGrow

    TomGrow New Member

    Sir,
    Thank you for your quick reply
    This is how I installed certbot earlier
    [email protected]:/usr/local/bin# dir
    certbot-auto ispconfig_patch ispconfig_update_from_dev.sh ispconfig_update.sh run-getmail.sh
    [email protected]:/usr/local/bin# ./certbot-auto --install-only
    Certbot is installed.

    [email protected]:/usr/local/bin# type -a certbot
    -bash: type: certbot: not found
    [email protected]:/usr/local/bin# apt-cache policy certbot
    certbot:
    Installed: (none)
    Candidate: 0.28.0-1~deb9u1
    Version table:
    0.28.0-1~deb9u1 500
    500 http // asi-fs-n contabo net/debian stretch/main amd64 Packages
    500 http //ftp us debian org/debian stretch/main amd64 Packages
    500 http //asi-fs-n contabo net/debian stretch-updates/main amd64 Packages
    [email protected]:/usr/local/bin#

    Thanks!
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Where does that install the certbot command? Or is it just claiming to install something but actually does nothing?
     
  9. TomGrow

    TomGrow New Member

    Sir,
    It is just claiming to install something but actually does nothing

    Thanks
     
  10. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I noticed you downloaded the certbot installation files to /usr/local/bin. This may confuse the installer. Try setting work directory to /tmp/FOO, and do the certbot installation again. Or install from Debian repo doing "apt-get install certbot". I believe Debian now has reasonably new version of certbot that works with the current Let's Encrypt servers. If this fails, use the certbot installation instructions from https://certbot.eff.org/docs/install.html .
     
  11. TomGrow

    TomGrow New Member

    Dear Sir,

    Thank you for your advise;

    Here is the output
    [email protected]:~# apt-get install certbot
    After Installation, next step followed is as under;

    [email protected]:~# type -a certbot
    certbot is /usr/bin/certbot
    [email protected]:~# apt-cache policy certbot
    certbot:
    Installed: 0.28.0-1~deb9u1
    Candidate: 0.28.0-1~deb9u1
    Version table:
    *** 0.28.0-1~deb9u1 500
    500 http://asi-fs-n.contabo.net/debian stretch/main amd64 Packages
    500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
    500 http://asi-fs-n.contabo.net/debian stretch-updates/main amd64 Packages
    100 /var/lib/dpkg/status
    [email protected]:~#
    cd /etc/ssl
    wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh --no-check-certificate
    chmod +x le4ispc.sh

    [email protected]:/etc/ssl# ./le4ispc.sh
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxxxx.com.conf with version 0.28.0 of Certbot. This might not work.
    Running pre-hook command: service apache2 stop
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for server.xxxxxx.com
    Waiting for verification...
    Cleaning up challenges
    Running post-hook command: service apache2 start

    IMPORTANT NOTES:
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/server.xxxxxxx.com/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/server.xxxxxxxx.com/privkey.pem
    Your cert will expire on 2019-06-03. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot
    again. To non-interactively renew *all* of your certificates, run
    "certbot renew"
    - If you like Certbot, please consider supporting our work by:

    Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    Donating to EFF: https://eff.org/donate-le

    --2019-03-05 19:57:06-- https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc_pem.sh
    Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.12.133
    Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.12.133|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 2479 (2.4K) [text/plain]
    Saving to: ‘/etc/init.d/le4ispc_pem.sh’

    /etc/init.d/le4ispc_pem. 100%[==================================>] 2.42K --.-KB/s in 0s

    2019-03-05 19:57:06 (28.6 MB/s) - ‘/etc/init.d/le4ispc_pem.sh’ saved [2479/2479]

    Selecting previously unselected package incron.
    (Reading database ... 57814 files and directories currently installed.)
    Preparing to unpack .../incron_0.5.10-3+b2_amd64.deb ...
    Unpacking incron (0.5.10-3+b2) ...
    Setting up incron (0.5.10-3+b2) ...
    Adding group `incron' (GID 124) ...
    Done.
    Created symlink /etc/systemd/system/multi-user.target.wants/incron.service → /lib/systemd/system/incron.service.
    Processing triggers for systemd (232-25+deb9u9) ...
    Processing triggers for man-db (2.7.6.1-2) ...
    [email protected]:/etc/ssl#

    It worked!

    Thank you so much!!!
    Regards
     
    ahrasis and Taleman like this.
  12. Chris_UK

    Chris_UK Member HowtoForge Supporter

    Hi Ahrasis, good work on the script. but i have an issue with the cert for ispc.
    My control panel is set up to work for server1.example.com
    Now, example.com has its own working cert, when i run your script there appears to be no cert for server1.example.com created, the others look like they are created but not that one.

    I previously did this the manual way you previously showed before your scripted version, would this cause the issue described?

    LE logs are showing no renewal needed so I cant see where the problem is, ive restarted apache2
    The only thing that I can see that might cause the wrong cert is linked to archive/example.com and not in archive/server1.example.com or live/server1.example.com

    Regardless these two paths don't actually exist so I am not sure how to fix it.
     
  13. ahrasis

    ahrasis Well-Known Member

    Hostname -f must always resolve to server1.example.com or else, the manual tutorial or the script will not work; so do check and fix this first, if there is anything wrong with its setup.

    Secondly, official certbot must be installed, is working and have proper access to your server in order to create the required certs; the tutorial or the script does not support any other unofficial LE clients.

    You should do the troubleshooting faq to determine the cause of your LE related problems and share them when asking; as we cannot help you without proper details.
     
  14. Chris_UK

    Chris_UK Member HowtoForge Supporter

    I think this might be the problem. The hostname of the server is web.example.com and not server1.example.com but also hostname -f returns example.com only, I will look into this later. and decide which one to change, ispc control panel or the server hostname, it really depends on which will require less changes, I am suspecting though that just changing ispc might be the better of the options as the hostname change affects various websites.
     
    Last edited: Mar 17, 2019
  15. Chris_UK

    Chris_UK Member HowtoForge Supporter

    All sorted now, I hit the fail threshold because of the attempts to solve it/ but its now working correctly, im able to use web and have a correctly working cert. Thanks for this script, its excellent.

    One question however before I go, will this work on a stand alone mail server, the description says it will symlink for major services but this means they are on the same server, so I guess not for multiserver?
     
  16. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    It can work on multiserver setup. Copying cert files to the other host. There was info on how to do it, when I set it up.
     
  17. Chris_UK

    Chris_UK Member HowtoForge Supporter

    Thank you Taleman, so that would be rsync or scp, I can manage that part no problem.

    So then to sum up, I will need to use the standalone to create certs on the master, then just copy them over to the mail server and possibly make an edit or two of the config files on the mail services?

    Sorry if I seem dumb, I just don't want to make a start then have to scour the net for fixes if things don't go to plan :D
     
  18. Jesse Norell

    Jesse Norell Well-Known Member

    The mail server needs 2 files, the certificate chain and the key file. You could copy them directly to
    /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key, or put them elsewhere and symlink them.

    Per the tutorial, the files which need to be copied would be: either /etc/letsencrypt/live/$(hostname -f)/fullchain.pem (the actual file) or /usr/local/ispconfig/interface/ssl/ispserver.crt (a symlink to fullchain.pem) for smtpd.cert, and /etc/letsencrypt/live/$(hostname -f)/privkey.pem (file) or /usr/local/ispconfig/interface/ssl/ispserver.key (symlink) as smtpd.key.

    Then restart postfix and dovecot.
     
  19. Chris_UK

    Chris_UK Member HowtoForge Supporter

    Thank you, I recall doing something like this a couple of years ago via the old guide on this thread I think it was.

    Briefly if i may, as the main point was missed. will i need to create the cert for mail.domain.com (as the domain is currently set) on the master using the standalone? if not which cert as the main domain cert only works for the main domain, no extra domains added to that cert.

    I ask because if i use $(hostname -f) that would be the masters hostname if i'm not mistaken. Unless im misreading your reply and you mean for ispconfig panel, howver that part is already sorted out and working from web.domain.com
     
  20. ahrasis

    ahrasis Well-Known Member

    For 3.2, I already proposed and it was already merged, that LE certs are to be created via certbot for ISPConfig server, if that is opted during its installation or update.

    The proposal is to use certbot standalone approach if no web servers is installed which should be auto renewed via ISPConfig LE cronjob that runs every after midnight.

    Edited: This should already be in LE4ISPC. Try simply running the instructions on your mail server.

    The credit has to go to @Taleman as I wrote that based on his post about standalone approach some where in this forum.
     
    Last edited: Mar 22, 2019

Share This Page