Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Poliman

    Poliman Member

    Excellent.
    I used the old tutorial for Ubuntu 14.04 (at first, Till sent me the link to it) -> https://www.howtoforge.com/tutorial...ovecot-ispconfig-3-1/2/#-install-lets-encrypt. During the installation process I didn't get the window which is shown in the tutorial. Currently ISP sees the LE certificate for the website. I should check both options - ssl, le ssl - in panel/website edition.
     
    Last edited: Mar 16, 2017
  2. ahrasis

    ahrasis Active Member

    I stand corrected about LE certificates created by certbot not being automatically renewed by ISPC, though I did read about them not getting renewed somehow.
     
  3. Poliman

    Poliman Member

    @ahrasis I got a notification by email about your answer (Where is it? :) ):
    "The link provided by me earlier is the same one as well but I think you didn't get the blue windows because the tutorial is for Debian, not Ubuntu.
    Ok, I understood the case with the blue window.
    My experience in running the same (./certbot-auto) in 14.04 is that it will ask you whether you want to install LE SSL on your available websites i.e. if they are created already. Logically, I think, if there are no created websites during installation, none will be asked.
    The same as you. But before starting with certbot I had deployed ISPC on the server and configured a website.
    Whether ISPC sees that LE SSL files is one thing. But my point is simpler, i.e. if you did use certbot directly in creating LE SSL files for your websites, they normally won't get renewed automatically by ISPC.
    Ok, so probably they won't be renewed. How to do it manually?
    Also, if you install certbot after completing the perfect server guide without updating ISPC, you may face some problems with LE and its certificates renewal.
    I completed the perfect server guide, then updated ISPC to the newest version. ;)
    Anyway, the best is for you to wait for now because nobody knows what will happen until it happens. "
    I didn't understand. Should I wait for what? :)
     
  4. ahrasis

    ahrasis Active Member

    If it is not here, that means it is already deleted.

    One of the solutions to check if they are not automatically renewed:
     
  5. Poliman

    Poliman Member

    I will check this very soon. LE cert will expire in 1 month and 5 days.

    PS
    Is it possible that installing certbot after installing ISPC would determine that I have to manually choose website domains by executing ./certbot-auto?
     
    Last edited: Mar 17, 2017
  6. ahrasis

    ahrasis Active Member

    I am not so sure but I think ./certbot-auto is mainly to install dependencies for proper running of LE and if you have existing websites, it would normally ask you to choose whether to create its SSL certificates for them or else.
     
  7. Jesse Norell

    Jesse Norell Well-Known Member

    Certificates will be renewed automatically if they can be, whether they were issued by manually running certbot or by using the ispconfig interface. The notes at https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/page-2#post-357516 explain they issued the certificate using standalone mode (which is correct for a dedicated mail server), but now have Apache running, so the details/method for renewing the certificate needed to change (to use webroot).
     
  8. ahrasis

    ahrasis Active Member

    First,
    Second, I was merely suggesting one of the solutions reported to check in the event LE SSL certificates are not automatically renewed because it does happen for whatever reason that is.
     
  9. Poliman

    Poliman Member

    I am happy, because Let's Encrypt would automatically renew ssl certificate.
     
  10. DexDeadly

    DexDeadly New Member

    Hello, I tried following these steps. I set up the site using my full host name. I didn't run into any errors, and I restarted my apache2 service. However, I am still getting NET::ERR_CERT_AUTHORITY_INVALID when trying to access https://webhost.domain.com:8080. Any tips to point me as to why I am still getting this?
     
  11. ahrasis

    ahrasis Active Member

    Can you access your https://webhost.domain.com? Check your website and apache error logs and produce them (the relevant one) in here. Use [ quote ] errors [ / quote ] (without the white spaces and replace errors with the one from your logs) when posting them in here.
     
  12. ahrasis

    ahrasis Active Member

    I noted you also posted your problems in another thread, so I replied with my findings there, i.e. based on my visit to your mentioned domain(s).
     
  13. LotNoMore

    LotNoMore Member

    ahrasis, I did a fresh install of Debian 8.6 and a manual reinstall of ISPConfig. Everything was running great and I could get Let's Encrypt to work for my site https://angelright.com
    Then I followed your instructions and tried to get my ISPConfig secured login to use the LE certificate. But when I tried to restart the server, I got this error message:
    I could not restart the server! :-(
     
  14. LotNoMore

    LotNoMore Member

    For your information...
     
  15. LotNoMore

    LotNoMore Member

  16. ahrasis

    ahrasis Active Member

    Your vhost file(s) may not be pointing to the right LE SSL files. Can you check your ISPC vhost as well as its website vhost and check where the ssl in both vhost files is pointing to?

    Also do ls -lt /etc/letsencrypt/live/`hostname -f` and ls -lt /usr/local/ispconfig/interface/ssl/ and share their outputs in here.
     
    Last edited: Apr 11, 2017
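
The comparison requested in the post above, as an added example that is not part of the thread: it resolves every entry in the panel's ssl directory and reports whether it lands in the Let's Encrypt lineage for the given name. The function name is hypothetical, and it assumes the panel's certificate and key are symlinks into the live directory rather than copies.

```shell
#!/bin/sh
# Added example, not from the thread. check_panel_ssl is a hypothetical name.
# Assumption: the panel's cert/key are symlinks into the Let's Encrypt live
# directory, so a renewal is picked up without copying files.
#
# Usage on a server, with the two paths quoted in the post:
#   check_panel_ssl /usr/local/ispconfig/interface/ssl \
#                   "/etc/letsencrypt/live/$(hostname -f)"
# Returns 0 if every symlink resolves into that lineage, 1 if any symlink is
# stale or none is linked, 2 if the live directory does not exist.
check_panel_ssl() {
    ssl_dir=$1
    live_dir=$2
    bad=0
    linked=0
    if [ ! -d "$live_dir" ]; then
        echo "missing $live_dir (does 'hostname -f' match the certificate name?)"
        return 2
    fi
    # live/<name>/*.pem are themselves symlinks into archive/<name>/, so
    # compare fully resolved paths on both sides.
    wanted=$(for f in "$live_dir"/*.pem; do
                 if [ -e "$f" ]; then readlink -f "$f"; fi
             done)
    for f in "$ssl_dir"/*; do
        if [ ! -L "$f" ]; then
            if [ -e "$f" ]; then echo "regular $f (not linked, not checked)"; fi
            continue
        fi
        target=$(readlink -f "$f" || true)
        if [ -n "$target" ] && printf '%s\n' "$wanted" | grep -Fxq -- "$target"; then
            echo "ok      $f -> $target"
            linked=$((linked + 1))
        else
            echo "stale   $f -> ${target:-<dangling>}"
            bad=1
        fi
    done
    if [ "$linked" -eq 0 ]; then
        echo "no entry in $ssl_dir links into $live_dir"
        bad=1
    fi
    return "$bad"
}
```

A return value of 2 is the case that comes up later in the thread, where `hostname -f` does not match the name the certificate was issued for.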
  17. LotNoMore

    LotNoMore Member

    I reinstalled with hearing from you. Now the output for that command is this...
     
    Last edited: Apr 11, 2017
  18. LotNoMore

    LotNoMore Member

    Hmmm... for some reason the "hostname -f" returns server1.com instead of server1.angelright.com
    How do I fix this after already building ISPConfig?
     
  19. LotNoMore

    LotNoMore Member

    I do have LE created for angelright.com right now, see...
     
  20. LotNoMore

    LotNoMore Member

    Ahrasis, should I stop the apache2 server (yes, I changed back to apache2 during the reinstall) first and then run your commands?
     
