Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. ahrasis

    ahrasis Well-Known Member

    For me, nothing stops you from using your ISPC in creating emails for your public websites. So, basically you got nothing to worry about its LE SSL files as it will use your ISPC LE SSL files.

    About your subdomains, that depends on how you gonna use them. If you need them as separate sites, use subdomains (vhost) in there you can create and manage LE SSL files for them separately. If you simply use * in main site, and create simple subdomains, ISPC should create an LE SSL files for that subdomains too, except they are "bonded" with the main site.
     
    Last edited: Mar 25, 2017
  2. Poliman

    Poliman Member

    When I setup let's encrypt ssl cert for postfix, dovecot, isp panel and pure-ftp what will be response in - for example - FileZilla client about ssl certificate if ssl certificate is for specific domain name of the server and I connect to ftp via website domain name?
     
  3. Tuumke

    Tuumke Member

    The reason i was asking is because of the e-mail client. For example if you use Thunderbird for mail client, you add a new account and then it pop ups with the SSL certificate being self-signed.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    I would expect a warning about the certificate name not matching the server name you used. It really depends on what the client does in that case, and I've used FileZilla myself.
     
  5. ahrasis

    ahrasis Well-Known Member

    @Poliman, I mainly use net2ftp - a web based ftp - for my server for easy access from anywhere. I have never tested access from other client like filezilla but will test it and report soon.

    @Tuumke, I only use roundcube as my webmail and have no experience with other client such as thunderbird, thus, I am not sure why your added account is said as self-signed SSL, as LE SSL definitely are not self-signed. Anyway, how you were using your postfix with thunderbird will be of great interest to me with regards to this ssl issue.
     
    Last edited: Mar 4, 2017
  6. Poliman

    Poliman Member

    Ahrasis - I try install Let's Encrypt certificate for ISP panel using Your tutorial https://www.howtoforge.com/communit...cates-into-ispconfig.71055/page-7#post-355116 :
    1. I added new website like domain name of my server.
    2. It's accessible online but there shows default apache page.
    3. SSL and LE checkboxes not work. I checked them, click 'save', again go to settings of this website and they are unchecked.
    4. I have ssl self-signed installed during ISP installation.
    Because of above I can't go to next steps.

    Second thing that after unsuccessful attempts I tried to generate SSL using ./certbot-auto command. Then choose domain name which corresponds to hostname -f output. Finally I got something like below:
    Code:
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel):1
    Obtaining a new certificate
    Performing the following challenges:
    tls-sni-01 challenge for vps123.ovh.net
    Waiting for verification...
    Cleaning up challenges
    Generating key (2048 bits): /etc/letsencrypt/keys/0004_key-certbot.pem
    Creating CSR: /etc/letsencrypt/csr/0004_csr-certbot.pem
    An unexpected error occurred:
    There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: ovh.net
    Please see the logfiles in /var/log/letsencrypt for more details.
    
    Btw how can I get a certificate for multiple domain names?
     
    Last edited: Mar 3, 2017
  7. sjau

    sjau Local Meanie Moderator

    Code:
    Too many certificates already issued for: ovh.net
    
     
  8. Poliman

    Poliman Member

    Yes I know but I saw that is possible to go around it with multi domain certificate here -> https://letsencrypt.org/docs/faq/ section "Can I get a certificate for multiple domain names (SAN certificates or UCC certificates)?" I can't find information how to do this. At the moment I have one certificate for one domain on this server. I try setup this https://www.howtoforge.com/community/threads/securing-your-server-with-lets-encrypt.75554/ but before I should setup cert for ISP panel -> https://www.howtoforge.com/communit...cates-into-ispconfig.71055/page-7#post-355116 but problem is that in /etc/letsencrypt/live/ I have only directory for website which is on my server. There is not directory with name of the name of my server. Second thing that when I checked SSL and Let's Encrypt SSL and click Save and enter in settings of newly created website I haven't checked these two ssl options. Besides (accordingly to tutorial from last posted link):
    1. I added new website like domain name of my server.
    2. It's accessible online but there shows default apache page.
    3. SSL and LE checkboxes not work. I checked them, click 'save', again go to settings of this website and they are unchecked.
    4. I have ssl self-signed installed during ISP installation.
    Because of above I can't go to next steps.
     
    Last edited: Mar 3, 2017
  9. ahrasis

    ahrasis Well-Known Member

    It looks like you have hit the max in creating LE SSL for your server domain name and for that you will have to wait for a week before you can try again.

    Do follow each and every steps prescribed in this guide without mixing it with other guides as people tend to get confused and do it wrongly when they mixed up.
     
  10. sjau

    sjau Local Meanie Moderator

    https://letsencrypt.org/docs/rate-limits/

    Since ovh.net isn't listed in the public suffix list it is treated as one registered domain. Hence only 20 per week.
     
  11. Tuumke

    Tuumke Member

    OVH.net isnt ur domain is it? OVH is a hosting provider with ds/vps/web/cloud
     
    ahrasis likes this.
  12. ahrasis

    ahrasis Well-Known Member

    From what I generally tested, other than sftp via ssh connection, there will always be a pop up warning in filezilla claiming that the server certificate is unknown whether you use the server name or any of its website via ftp connection. You will need to confirm the server certificate before you can continue. The server certificate is correct so far that I am concerned.
     
  13. Poliman

    Poliman Member

    Ovh.net is not my domain. It's hosting provider. Btw I suppose that vps123.ovh.net means that vps123 is subdomain in ovh.net domain.
    So I have little chance to generate let's encrypt ssl cert for my vps vps123.ovh.net, am I right? I saw link You posted above and that means there is 20 certificates per ovh.net per week, did I understand well?
    SAN contains up to 100 subdomains not domains which is bad information for me. My server will have soon many different domains, so I will have to generate ssl cert for each domain separately.
    Does it mean - no sense to generate let's encrypt cert for pure-ftp?

    One more thing. I have vps named lets say vps123.ovh.com. Under this name on port 8080 is accessible ISP panel, which has self-signed ssl certificate created during installation process. In ISP I have created one website under domain name example.com which has let's encrypt ssl certificate which is secured and marked as green lock. Is that normal when I put in web browser bar address https://vps123.ovh.com:80 (can be without port explicitly) browser shows domain example.com with self-signed certificate of ISP panel (near web browser bar is exclamation mark) not with it's own let's encrypt cert?
     
  14. Jesse Norell

    Jesse Norell Well-Known Member

    I would be surprised if filezilla continues to complain if it can validate the certificate; but even if it's broken in that regard, you might want a valid certificate for other ftp clients which aren't.

    No, port 80 doesn't support https at all, so what you should see is an error like:
    Code:
    This site can’t provide a secure connection
    vps123.ovh.com sent an invalid response.
    
    ERR_SSL_PROTOCOL_ERROR
    
     
  15. ahrasis

    ahrasis Well-Known Member

    Nope. That seems to be filezilla's normal behaviour and it means you have to confirm the certificate once. It should not be asking you about it again. Do refer to this for its explanation. Plus, your ftp will be duly encrypted if you are using a proper SSL certificate.
     
  16. Poliman

    Poliman Member

    When I put https://vps123.ovh.net/ (or can be too https://vps123.ovh.net:80 - doesn't matter) browser shows website example.com (configured under ISP panel, I have only this one website, nothing more) with self-signed certificate of ISP panel.

    And second thing:
    I have website configured under ISP panel. I tried enter to panel via this domain and port 8080 - example.com:8080. Browser shows login form to ISP panel. I put credentials, clicked "login" and nothing happens. In browser console I have 404 Not Found error for (other finles with status 200, so ok):
    - dashboard.php, request url -> https://example.com:8080/login/dashboard/dashboard.php
    - nav.php?nav=side, url -> https://example.com:8080/login/nav.php?nav=side
    - nav.php?nav=top, url -> https://example.com:8080/login/nav.php?nav=top
    - keepalive.php, url -> https://example.com:8080/login/keepalive.php
    - datalogstatus.php, url -> https://example.com:8080/login/datalogstatus.php

    In other words - I can't log in to panel. Of course when I use normal url vps123.ovh.net:8080 I have login form for ISP panel and I can login.
     
    Last edited: Mar 7, 2017
  17. ahrasis

    ahrasis Well-Known Member

    Yes. As answered many times, this a normal behavior in both apache and nginx servers. This is because example.com is the only domain who has SSL certificates on your server ip. To access https://vps123.ovh.com correctly, you have to create a website for it in ISPC and create SSL certificates for it as well.
     
  18. Poliman

    Poliman Member

    @ahrasis - do You know what can make this problem? Friend checked on his vps from ovh. He has ISP with self-signed (like me) but his website has not ssl cert (my website has LE ssl cert). When he put https://domain.tld:8080 he got login form and he can login to panel. I can't as above posted.
     
  19. ahrasis

    ahrasis Well-Known Member

    Basically, I don't know how you build your server, so, I cannot guess that much, but you can try:
    1. Clear the cookies.
    2. Force reload the page (Ctrl-F5).

    Note that if your ISPC has its own SSL certificates, normally, you will get a warning by opening it from another domain that also has its own SSL certificates. As such, note also that this LE guide is intended for all user to access all the services including ISPC via their server domain name on port 8080 rather than their other websites domain name using the same port 8080.
     
  20. Poliman

    Poliman Member

    Server default setup from tutorial for ubuntu 14.04 ispconfig3. I can post link.
    Yes, I know. I just tested this way. I will check Your suggestions.

    EDIT
    I cleared cache. Now it's working. I can log in after accept ISP panel self-signed ssl cert.

    PS
    How it's working that domain with LE ssl cert used to log in to ISP panel (let's say https://example.com:8080) start uses self-signed ssl cert configured for ISP panel? important thing!
     
    Last edited: Mar 8, 2017
    ahrasis likes this.

Share This Page