Securing the control panel with a Let's Encrypt certificate (when using acme.sh)

Discussion in 'Tips/Tricks/Mods' started by Th0m, May 10, 2021.

Thread Status:
Not open for further replies.
  1. Th0m (ISPConfig Developer, Staff Member)

    Since ISPConfig 3.2, you can issue a certificate for the hostname of your server when installing/updating (ispconfig_update.sh --force). If a DNS record is in place for your hostname, and port 80 is opened in your firewall, a cert should be issued.

    In some cases, you will want to use the "old" way to set up a cert, e.g. when the hostname used for the panel is not the same as your hostname.

    To use the "old" way with acme.sh:
    Make sure the certificate for your hostname is created. I will use server1.example.com.
    You can check if it exists with
    Code:
    ls -la /root/.acme.sh/server1.example.com
    The certificate files should be there.

    To use this certificate for the panel, run:
    Code:
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /root/.acme.sh/server1.example.com/fullchain.cer ispserver.crt
    ln -s /root/.acme.sh/server1.example.com/server1.example.com.key ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    systemctl restart apache2
    To automatically renew the .pem file and restart Apache2 after renewals, we will set up a script that's triggered when the cert changes:
    Install incron and open the script:
    Code:
    apt install -y incron
    nano /etc/init.d/le_ispc_pem.sh
    Put this in there:
    Code:
    #!/bin/sh
    ### BEGIN INIT INFO
    # Provides: LE ISPSERVER.PEM AUTO UPDATER
    # Required-Start: $local_fs $network
    # Required-Stop: $local_fs
    # Default-Start: 2 3 4 5
    # Default-Stop: 0 1 6
    # Short-Description: LE ISPSERVER.PEM AUTO UPDATER
    # Description: Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
    ### END INIT INFO
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    # /bin/sh may be dash, which has no brace expansion, so name both files
    cat ispserver.key ispserver.crt > ispserver.pem
    chmod 600 ispserver.pem
    systemctl restart apache2
    Then make it executable and open incrontab:
    Code:
    chmod +x /etc/init.d/le_ispc_pem.sh
    echo "root" >> /etc/incron.allow
    incrontab -e
    Add this line:
    Code:
    /root/.acme.sh/server1.example.com/ IN_MODIFY /etc/init.d/le_ispc_pem.sh
    Of course, replace server1.example.com in this guide with your hostname.
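
A more defensive body for the le_ispc_pem.sh hook above, as an added example that is not part of the original post: IN_MODIFY can fire several times per renewal and while files are still being written, so this version rebuilds ispserver.pem only from complete inputs, skips the Apache restart when nothing changed, and never exposes the key through a loosely permissioned file. The function name `build_pem`, its return codes and the `--apply` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# build_pem KEY CRT OUT
#   returns 0 = OUT replaced, 1 = OUT already current, 2 = inputs incomplete
build_pem() {
    key=$1; crt=$2; out=$3

    # The incron event may arrive mid-write: require the closing PEM markers.
    grep -q -e '-----END .*PRIVATE KEY-----' "$key" 2>/dev/null || return 2
    grep -q -e '-----END CERTIFICATE-----' "$crt" 2>/dev/null || return 2

    # mktemp creates the file with mode 0600, so the key material is never
    # written to a file created under the default umask and tightened later.
    tmp=$(mktemp "$(dirname "$out")/.pem.XXXXXX") || return 2
    cat "$key" "$crt" > "$tmp"

    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"            # unchanged: no backup, no restart needed
        return 1
    fi

    # Keep the previous bundle (cp -p preserves its 600 mode), then swap.
    if [ -f "$out" ]; then
        cp -p "$out" "$out-$(date +%y%m%d%H%M%S).bak"
    fi
    mv -f "$tmp" "$out"         # same directory, so the rename is atomic
    return 0
}

# Only touch the live panel files when called with --apply (hypothetical switch).
if [ "${1:-}" = "--apply" ]; then
    cd /usr/local/ispconfig/interface/ssl/ || exit 1
    if build_pem ispserver.key ispserver.crt ispserver.pem; then
        systemctl restart apache2
    fi
fi
```

With this body, the command in the incrontab line would be `/etc/init.d/le_ispc_pem.sh --apply`.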
     