Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Nexus Fred

    Nexus Fred New Member

    Hello,

    First, I'm a total newbie using unix :)

    I have installed ISPConfig using the "The Perfect Server - Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1" tutorial.

    ISPConfig has been secured by a self-signed SSL created during the install.

    Now I'm trying to follow this tutorial to install a Let's Encrypt Certificate but I'm blocked at the "[Checking LE SSL For ISPConfig 3.1 Control Panel]" step.

    In the directory "etc/letsencrypt/live" I do have a directory with my localhost name but ISPConfig still using the self-signed SSL Certificate ?

    Any ideas or tips to help a newbie to solve this ? ;)

    Thanks
    Best Regards
    Nexus
     
  2. Neptun

    Neptun Member

    If you follow the guide step by step it definitely works without any issue with the from you mentioned setup guide (if there happened no mistake).

    Start once again at point one here and double check everything

    And important, take care about your real folder structure, it is not only copy paste

    What do you mean with you are blocked?
     
    Last edited: Apr 29, 2020
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    @Nexus Fred, the above is part of the tutorial. Nothing said to check the folder you mentioned, unless you mean you are using LE4ISPC script which automatically checks that folder, and that is different from the tutorial.

    Actually LE4ISPC is quite outdated since there are a lot more codes that have been added while I contributed to ISPConfig for the same purpose.
     
  4. Tuumke

    Tuumke Active Member

    Shouldnt you update LE4ISPC then? :p i used it the other day, seems to work fine for me?
     
  5. Nexus Fred

    Nexus Fred New Member

    Hello,
    thanks all for your help.

    I just did again the tutorial and everything worked fine :), I have no idea of what I did wrong last time.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Good to hear that.

    Yes, but I am too lazy... :p

    True it should also still work for most people except those who are using certbot-auto instead of just certbot.
     
    Last edited: May 4, 2020
  7. Nexus Fred

    Nexus Fred New Member

    Hello,
    I was a little quick when I said "everything worked fine" :rolleyes:
    The ISPConfig on port 8080 dashboard on my subdomain is secure with an Lets Encrypt SSL certificate but the subdomain on the regular port 80 is not.
    If I try to regenerate a certificate on the Site Panel it's not working!?
    I have done something wrong, but what?
    Thanks
    Best Regards
    Nexus
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Server subdomain should also work fine with the same LE SSL on other than port 8080, like port 443 (but not port 80 ofcourse) and that all depend on how you set the vhost(s).
     
  10. Nexus Fred

    Nexus Fred New Member

    Thanks @till & @ahrasis.
    So that a normal outcome.
    Do I need to keep the "ISPConfig Server Hostname FQDN" in the Website List or I can remove it or disabled it ?
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I would advise maintaining the website if you already have one for it, as the current LE4ISPC script use the standalone approach which is more suitable for non-webserver.

    The reason is obvious, you don't want your webserver to be down during the creation / update of the LE SSL for that server.

    Until I fully update LE4ISPC to use webroot approach for a webserver, which I do not know when, it is best to follow the tutorial if you ISPConfig server is also a webserver.

    If your ISPConfig server is a non-webserver, then the use of standalone approach as in the current LE4ISPC is advisable.
     
  12. Nexus Fred

    Nexus Fred New Member

  13. MaKa

    MaKa New Member

    RIGHT, please correct it
     
    budgierless likes this.
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Kindly note that the codes related to this thread, its tutorial and its advancement thereafter have already been merged with the latest 3.2 beta that should now cover the creating Let's Encrypt SSL certs for any type of ISPConfig server during ISPConfig install or update and the automatic update of the certificates.

    Please also note that the bash scripts (namely letsencrypt_pre_hook.sh, letsencrypt_post_hook.sh and letsencrypt_renewal_hook.sh) are customizable thus can be put into conf-custom folder to survive future ISPConfig updates.

    The latest Pertect Server Tutorial for Ubuntu 20.04 (Apache) mentioned the steps during ISPConfig install, which should be almost the same during ISPConfig update i.e. if you haven't follow this thread or its tutorial yet.

    Those who have followed this thread or its tutorial have a choice to maintain what they have manually done to secure their ISConfig servers but they might not be able to use the latest built in scripts with automatic renewal feature.

    To use the said feature via update to ISPConfig 3.2, undoing the manual steps including removing the already obtained Let's Encrypt SSL certs for the servers will likely be necessary.

    With these already in the latest ISPConfig, I won't be covering this thread actively anymore and members or users are advised to migrate their servers to 3.2 once the stable version is released to secure them better.
     
    Last edited: Sep 13, 2020
    budgierless, gOOvER and MaKa like this.
  15. MaKa

    MaKa New Member

    Nice work! Thanks
     
    budgierless likes this.
  16. gOOvER

    gOOvER Member

    I followed the Step, you explained above, when using the Manual Way. I removed the Cron, all Certs, but on Update, no LE Cert will created. It installs only a selfmade Cert.

    A look into /etc/letsencrypt/live shows me, that no Cert for the Hostname will created

    When i look into update.php, you only create the Symlinks, but not create a (new) Cert
    Code:
    // Create SSL certs for non-webserver(s)?
    if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
        if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
            $inst->make_ispconfig_ssl_cert();
    }
    
    Here is the Ticket: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5731
     
    Last edited: Sep 13, 2020
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Please check your ispconfig log as the code already check for the existing certs if any, and will only offer an option to create new certs if none exists.

    There may be various reasons on why your server cannot create LE SSL certs and thus create self-signed certs in their place but only you can check that.
     
  18. gOOvER

    gOOvER Member

    You should offer an Option when no Cert is in /etc/letsencrypt. Looks like now you check only /usr/local/ispconfig/interface/ssl
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That codes you mentioned are already in installer_base.lib.php. The problem was something else.

    Before my proposal 911 was merged, there was a request to include ipv6 check and not just ipv4. My original codes svr_ip were modified to become svr_ip4 and svr_ip6 in several lines but they missed to change one line that have svr_ip, thus the codes failed to process your request for LE SSL certs.

    Thanks to your report, I have submitted an MR to fix that: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1147

    Hopefully it is accepted and resolve this problem.
     
  20. gOOvER

    gOOvER Member

    I found more Errors:
    Debian Buster 10
    New Install
    Latest Nightly from today

    Code:
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:No candidate plugin
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:No candidate plugin
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
    2020-09-14 16:43:06,131:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
    2020-09-14 16:43:06,131:DEBUG:certbot.log:Exiting abnormally:
    
    certbot-apache is needed. I fixed this with

    Code:
    apt-get install certbot python-certbot-apache
    Then i have some warnings:

    Code:
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.KtUcYqFs7D/install/lib/installer_base.lib.php on line 2771
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.KtUcYqFs7D/install/lib/installer_base.lib.php on line 2774
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.KtUcYqFs7D/install/lib/installer_base.lib.php on line 2777
    and this Error:

    Code:
    2020-09-14 16:46:23,624:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1242, in certonly
        domains, certname = _find_domains_or_certname(config, installer)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 422, in _find_domains_or_certname
        domains = display_ops.choose_names(installer, question)
      File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 130, in choose_names
        "No names were found in your configuration files. ")
      File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 200, in _choose_names_manually
        cli_flag="--domains", force_interactive=True)
      File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 524, in input
        self._interaction_fail(message, cli_flag)
      File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
        raise errors.MissingCommandlineFlag(msg)
    certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
    No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated)
    
     
    Last edited: Sep 14, 2020

Share This Page