Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Hi Ahrasis
    I've been checking the log on a daily basis and I thought that the certificate would renew only at 90 days... And I receive emails from EEF about the expiring; the other expired period I did using certbot autorenew, but many issues came up... So I posted a question here, about months ago, and the answer was to not use certbot since ISPConfig has a crontab that will renew it automatically.
    Well, anyway, many thanks for the reply to me with such very good news about it.
    I will try what Jesse Norell has recommended to see if I can at least recover access to the ISPConfig panel...
    Last edited: May 2, 2019
  2. Jesse
    I've got the new version from git-stable "ISPConfig Version: 3.1dev", and disabling and re-enabling the Letsencrypt checkbox at ISPConfig->Website-> has recreated the certificate and finally the upload_2019-5-1_11-6-30.png came up...
    The first time that I tried to use https://URL the login never completed, but the second time it worked... So many thanks to you, Jesse, since it seems that the problem regarding certbot has been solved...
    A final question... what should I do to be 100% sure that ISPConfig scripts will automatically renew certificates 30 days prior to expiry...?
  3. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If you now have the ISPConfig version from GIT stable, you are OK. It was a bug in certbot that LE sometimes could not renew the certificate.
    Check that the e-mail address for LE is one you read daily, so you get informed if some problem pops up and LE cannot renew.
    Fabio IT Consultant and ahrasis like this.
  4. ahrasis

    ahrasis Well-Known Member

    For me ISPConfig cron job script is working just fine but the creation and renewal are done by other software i.e. certbot in this case and through Let's Encrypt.

    So nobody can ever be 100% sure that certbot (or any other LE client) or the Let's Encrypt servers will always work, so it is best for every server administrator to have high self-discipline in going through their emails and doing regular maintenance for their servers.
    MaxT and Fabio IT Consultant like this.
  5. MaxT

    MaxT Member HowtoForge Supporter

    Just one question:
    Do you think it would be possible to keep a self-signed certificate for "", and one LE certificate "" only for Postfix?
    Would it be problematic for the automatic LE renewal?
  6. ahrasis

    ahrasis Well-Known Member

    Possible since you can always define different certs for postfix and I don't think it would be problematic for the automatic LE renewal too, but that's just my thought.
    MaxT likes this.
  7. MaxT

    MaxT Member HowtoForge Supporter

    thanks, I will try it:)
  8. HitoDev

    HitoDev New Member

    3 questions:
    1) If I understand well, despite the post date (Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.) this tutorial is more recent than (Published: Feb 13, 2018)?

    2) I have previously created symlinks for Dovecot, by following this thread (but it didn't work) :
    ln -s /etc/letsencrypt/live/ smtpd.cert
    ln -s /etc/letsencrypt/live/ smtpd.key
    Do I need to remove these symlinks before starting your tutorial, or
    ln -sf /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
    ln -sf /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
    will automatically update the previous symlinks ?

    3) Does your method allow Thunderbird & K-9 Mail for Android to recognize certificates as valid
    without having to add an exception?

    Thanks !
    Last edited: Jul 5, 2019
  9. ahrasis

    ahrasis Well-Known Member

    1. Yes but both are supposed to work anyway.

    2. Yes, at least I think so.

    3. Supposedly, but I never tried any of them.
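
For the renewal question raised in posts 2 to 4, one way to check the result independently of expiry e-mails, as an added example that is not part of any post in this thread: a POSIX shell check meant for cron that flags a certificate which is expired, unreadable, or still unrenewed inside the 30-day window. It assumes `openssl` is installed; the script name `certcheck.sh` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): flag certificates that are expired,
# unreadable, or still unrenewed inside the 30-day renewal window.
# Cron usage (certcheck.sh is a hypothetical name; path as quoted in this thread):
#   sh certcheck.sh /usr/local/ispconfig/interface/ssl/ispserver.crt
RENEW_WINDOW_DAYS=30

# cert_status FILE [DAYS] prints one status line and returns
#   0 valid for more than DAYS days    1 expires within DAYS days
#   2 already expired                  3 missing or not a PEM certificate
cert_status() {
    cert=$1
    days=${2:-$RENEW_WINDOW_DAYS}
    # -e follows symlinks, so a dangling link such as smtpd.cert lands here
    if [ ! -e "$cert" ]; then
        echo "MISSING $cert"; return 3
    fi
    if ! end=$(openssl x509 -in "$cert" -noout -enddate 2>/dev/null); then
        echo "UNREADABLE $cert"; return 3
    fi
    end=${end#notAfter=}
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        echo "EXPIRED $cert (notAfter $end)"; return 2
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((days * 86400)) >/dev/null 2>&1; then
        echo "RENEWAL OVERDUE $cert (notAfter $end)"; return 1
    fi
    echo "OK $cert (notAfter $end)"
}

# check_all FILE... checks every file and returns the worst status seen
check_all() {
    worst=0
    for f in "$@"; do
        rc=0
        cert_status "$f" || rc=$?
        if [ "$rc" -gt "$worst" ]; then worst=$rc; fi
    done
    return "$worst"
}

# Run only when certificate paths are given on the command line
if [ "$#" -gt 0 ]; then
    check_all "$@"
fi
```

A non-zero exit status lets cron mail the status lines only when something needs attention, for example by discarding output on success.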
