Setup Web Panel from :8080(port) to :443(https) + LE Cert + auto renew

Discussion in 'Tips/Tricks/Mods' started by Frankenstein, Sep 27, 2018.

  1. Frankenstein

    Frankenstein Member

    Welcome to the tutorial where i want to show you how to setup the web panel from self signed certificate on https://web.domain.tld:8080 to just https://web.domain.tld with LE Certificate and auto-renew.

    I've checked it on my master server of my 6-7 multi-server-setup which i would post in few days/weeks.
    In this case its tested with web.domain.tld which is on my side my control.domain.tld.

    Please - read carefully - i wrote the tutorial from my head and eventually not every single string is written right.

    1. Create A-Record
    Check your nameserver is running correctly and create a A Record for web.domain.tld to the server-ip in the domain.tld zone (If doesnt exist).

    2. Edit ISPConfig Web Panel vHost
    Code:
    nano /etc/apache2/sites-available/ispconfig.vhost
    Delete the Line with "Listen 8080" and "NameVirtualServer your.server.ip.adress"
    Change <VirtualHost _default_:8080> to <VirtualHost web.domain.tld:443>
    Under the line "ServerAdmin" create the line "ServerName web.domain.tld" without the " " ^^

    Save&Exit

    Code:
    systemctl restart apache2
    3. Start the certbot to create the certificate files
    Code:
    cd /opt/certbot/
    ./certbot-auto
    On the first question chose the number for web.domain.tld
    On the second you can try choose 2 - but it would eventually fail.

    In my fault i choosed 2, but its not supported. Caution! Its not broken - he just cant set rewrite from http to https - the ssl certificate should automatically imported to the vhost. Here my output: (i've already have rewrite configured cauz i done it in ispconfig install.php for Web Panel (The question about u want to activate ssl for web panel^^)

    [email protected] /opt/certbot # ./certbot-auto
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator apache, Installer apache

    Which names would you like to activate HTTPS for?
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: domain.tld
    2: control.domain.tld
    3: www.domain.tld
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate numbers separated by commas and/or spaces, or leave input
    blank to select all options shown (Enter 'c' to cancel): 2
    Obtaining a new certificate
    Performing the following challenges:
    http-01 challenge for control.domain.tld
    Waiting for verification...
    Cleaning up challenges
    Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-ispconfig.vhost

    Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    1: No redirect - Make no further changes to the webserver configuration.
    2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you're confident your site works on HTTPS. You can undo this
    change by editing your web server's configuration.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
    Failed redirect for control.domain.tld
    Unable to set enhancement redirect for control.domain.tld
    Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

    IMPORTANT NOTES:
    - We were unable to set up enhancement redirect for your server,
    however, we successfully installed your certificate.
    - Congratulations! Your certificate and chain have been saved at:
    /etc/letsencrypt/live/control.domain.tld/fullchain.pem
    Your key file has been saved at:
    /etc/letsencrypt/live/control.domain.tld/privkey.pem
    Your cert will expire on 2018-12-26. To obtain a new or tweaked
    version of this certificate in the future, simply run certbot-auto
    again with the "certonly" option. To non-interactively renew *all*
    of your certificates, run "certbot-auto renew"



    4. Setup Cronjob for auto-renew
    Now we need to set a little cron:
    Code:
    crontab -e
    Just enter in a new line (check if certbot is right there, alternativly just change it in the line to the right):
    Code:
    45 2 * * 6 cd /opt/certbot/ && ./certbot-auto renew && systemctl restart apache2
    Save&Exit

    Reloading crontabs:
    Code:
    systemctl reload cron
    5. Testing
    You can test with the following command line what would happen if u try to renew the certificates with the created cronjob:
    Code:
    cd /opt/certbot/ && ./certbot-auto renew --dry-run && systemctl restart apache2


    Best regards
    Frankenstein
     
    Last edited: Sep 27, 2018
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Just a small note: When your server is not a master only and hosts also websites, then leave out step 4 as this collides with the LE cert renewal from ISPConfig. ISPConfig will renew the manually created cert from step 3 automatically, so no need for that separate cronjob.
     
    Frankenstein likes this.
  3. Frankenstein

    Frankenstein Member

    Ouh, thanks for the tip :)
    #updated
     
  4. Jesse Norell

    Jesse Norell Well-Known Member

    This may get a certificate setup one time, but it will fail in the future, as the vhost file will be overwritten at each ISPConfig update. You can work around that, but you would be better off following one of the other guides for how to setup let's encrypt on the control panel, which use symlinks to the certificates from the existing locations, and are a more tested setup

    The guide by @ahrasis in particular will setup a vhost for the control panel to run on port 443, though in your setup, with a dedicated control panel server, all you need to do is specify using port 443 during ISPConfig's installation.
     
  5. ahrasis

    ahrasis Active Member

Share This Page