[SOLVED] Create SSL certificate for ISPConfig's web interface with support for auto renewal

Discussion in 'ISPConfig 3 Priority Support' started by Jemt, Dec 3, 2017.

  1. Jemt

    Jemt Member HowtoForge Supporter


    Some months ago I manually created a certificate for the web interface because I finally got fed up with that annoying warning browsers display for "hand made" certificates.

    I used the standalone approach, so I had to stop apache to allow certbot to bind to 80/443. Off the top of my head, I did something like what is shown below (running certbot in interactive mode):

    /etc/init.d/apache2 stop
    /root/certbot/certbot-auto certonly
    /etc/init.d/apache2 start

    Then I moved the existing certificate for the web interface to a backup folder:

    mkdir /root/ispconfig_ssl_backup
    cd /usr/local/ispconfig/interface/ssl
    mv ispserver.* /root/ispconfig_ssl_backup/

    And finally I created symlinks to the newly created certificate and restarted apache:

    ln -s /etc/letsencrypt/live/[ISP.DOMAIN.COM]/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/[ISP.DOMAIN.COM]/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    /etc/init.d/apache2 restart

    However, this prevents renewal of the certificate when ISPConfig invokes certbot from /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php, since it will try to renew it using the standalone approach, which is not possible while Apache is binding to port 80/443. It will emit an error like:
    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/[ISP.DOMAIN.COM]/fullchain.pem (failure)

    At least that's what I assume is the cause of the problem, which seems to be supported by /var/log/letsencrypt/letsencrypt.log.

    So I looked through /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php and found that ISPConfig creates certificates using the following command (as far as I was able to gather):

    ./opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected]$domain --domains [DOMAIN HERE] --webroot-path /usr/local/ispconfig/interface/acme

    My question is: is it safe for me to create the certificate for ISPConfig's web interface using the exact same command so it can be renewed automatically? Or could it mess things up for ISPConfig? Unfortunately I'm not in a position where I can simply try things out - this is a production server running several important and fairly large websites/shops, and I'm no expert in certificates or certbot.

    Thanks in advance.

    Last edited: Dec 3, 2017
  2. Croydon

    Croydon ISPConfig Developer ISPConfig Developer

    I would recommend the following procedure:
    Create a website in ISPConfig that has the hostname that the ISPConfig panel uses and activate LE for this site. Then symlink the cert, bundle and key files to the /usr/local/ispconfig/interface/ssl/ files.
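
The symlink step discussed in the posts above, as an added example (not code from the thread or from ISPConfig): it checks that the certificate and key belong together and that the certificate is not about to expire before replacing ispserver.crt and ispserver.key. The function names, the backup directory argument and the 7-day threshold are assumptions; the source directory is whichever directory holds the fullchain.pem and privkey.pem for the panel hostname.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and arguments are assumptions.

# cert_matches_key CERT KEY: succeeds only if both hold the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_valid_for CERT SECONDS: succeeds if CERT is still valid SECONDS from now.
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# link_cert SRC_DIR DEST_DIR BACKUP_DIR
# SRC_DIR holds fullchain.pem and privkey.pem (e.g. /etc/letsencrypt/live/[ISP.DOMAIN.COM]),
# DEST_DIR is the interface ssl directory (/usr/local/ispconfig/interface/ssl).
link_cert() {
    src=$1 dest=$2 backup=$3
    for f in fullchain.pem privkey.pem; do
        [ -s "$src/$f" ] || { echo "missing or empty: $src/$f" >&2; return 1; }
    done
    mkdir -p "$backup" || return 1
    for f in ispserver.crt ispserver.key; do
        # Back up regular files; an existing symlink is simply replaced below.
        if [ -f "$dest/$f" ] && [ ! -L "$dest/$f" ]; then
            mv "$dest/$f" "$backup/" || return 1
        fi
    done
    ln -sf "$src/fullchain.pem" "$dest/ispserver.crt" &&
    ln -sf "$src/privkey.pem" "$dest/ispserver.key"
}

# install_panel_cert SRC_DIR DEST_DIR BACKUP_DIR: verify first, then link.
install_panel_cert() {
    cert_matches_key "$1/fullchain.pem" "$1/privkey.pem" ||
        { echo "certificate and key do not match" >&2; return 1; }
    cert_valid_for "$1/fullchain.pem" 604800 ||   # 7 days, an assumed threshold
        { echo "certificate expires within 7 days" >&2; return 1; }
    link_cert "$1" "$2" "$3"
}
```

Apache still has to be restarted afterwards, as in the first post.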
  3. Jemt

    Jemt Member HowtoForge Supporter

    Even better! Thanks Croydon :)
  4. Tuumke

    Tuumke Active Member
