[Solved] SSL Cert on ISPConfig 3 (master/master) Multi-server setup

Discussion in 'General' started by dvazart, Dec 10, 2015.

  1. dvazart

    dvazart New Member

    Hello,

    I have some questions about installing an SSL Cert on my ISPConfig 3 (master/master) Multi-server setup.

    I'm running: two OpenVZ containers on Debian 7 x64 with ISPConfig 3.0.5.4p8 in a Master/Master cluster.

    srv1.mycompany.com 123.123.123.123
    srv2.mycompany.com 123.123.123.124

    To let my customers access the ISPConfig interface, I'm doing Round-robin with two "A" records like:

    https://cp.mycompany.com:8080 --> 123.123.123.123
    https://cp.mycompany.com:8080 --> 123.123.123.124

    and also I have a reseller who's doing the same thing with his own domain name, like:

    https://cp.reseller.com:8080 --> 123.123.123.123
    https://cp.reseller.com:8080 --> 123.123.123.124

    My goal is to avoid the warnings about the self-signed certificates when accessing the ISPConfig interface. For this I want to buy an SSL Cert, but I don't know what kind of SSL Cert is best advised for my setup: separate SSL Certs for each server or a Wildcard certificate? Considering that my reseller wants to profit from this feature too.

    Another question: is there a possibility to do this with a free SSL solution like https://letsencrypt.org/ ?

    Thanks in advance for your reply,

    Regards !
     
  2. sjau

    sjau Local Meanie Moderator

    ssl certs are name-based. Letsencrypt gives you free certs but no idea how to link those to ispc interface.
     
  3. florian030

    florian030 ISPConfig Developer

    install the cert and the key in /usr/local/ispconfig/interface/ssl
     
  4. sjau

    sjau Local Meanie Moderator

    So, will the LE inclusion in ISPC also be extended for ISPC itself?
     
  5. florian030

    florian030 ISPConfig Developer

    ??? the ssl-key and cert for the interface are stored in interface/ssl
     
  6. sjau

    sjau Local Meanie Moderator

    There is integration for Let's Encrypt in ISPC planned. But as far as I know the discussion was only about hosted domains with automatic ssl (renewal) through LE. So I wondered if an option will be added also to get certs for ISPC itself.
     
  7. dvazart

    dvazart New Member

    Hello,

    Thanks for your answers! This is how I did it:

    You have to run the following commands on each server in the cluster. This setup works for Debian 7.0 with Apache or NGINX.

    Install some dependencies:
    Code:
    apt-get install build-essential python-pip git
    pip install virtualenv
    pip install pyopenssl ndg-httpsclient pyasn1
    pip install cryptography
    
    Stop your webserver:
    Code:
    service apache2 stop
    
    Install LetsEncrypt client:
    Code:
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto certonly
    
    When asked, add all the domain names from where your ISPConfig can be accessed, in my scenario I put:

    On srv1.mycompany.com:
    Code:
    srv1.mycompany.com, cp.mycompany.com, cp.reseller.com
    
    On srv2.mycompany.com:
    Code:
    srv2.mycompany.com, cp.mycompany.com, cp.reseller.com
    
    Back up the self-signed certificates:
    Code:
    mkdir /usr/local/ispconfig/interface/ssl/originales
    mv /usr/local/ispconfig/interface/ssl/isp* /usr/local/ispconfig/interface/ssl/originales
    
    Link the new (letsencrypt) certificates:
    Code:
    # On srv1; on srv2 use the srv2.mycompany.com directory for both links
    ln -s /etc/letsencrypt/live/srv1.mycompany.com/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/srv1.mycompany.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    
    Start your webserver:
    Code:
    service apache2 start
    
    You are done !
     
  8. To follow dvazart's instructions, I had to use option 2 (standalone) after executing ./letsencrypt-auto certonly. This option places the certificates in the /etc/letsencrypt/live/your-domain-here.com/ folder so you can easily place the symbolic links stated above.

     
  9. ahrasis

    ahrasis Member

    I would first get the LE ssl by creating a new site in ispconfig itself e.g. create server1.example.tld with ssl and LE button selected.

    I'll secondly use the ssl files created by LE by creating symlinks to ISPC ssl folder e.g.
    Code:
    ln -s /etc/letsencrypt/live/server1.example.tld/cert.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/server1.example.tld/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    ln -s /etc/letsencrypt/live/server1.example.tld/chain.pem /usr/local/ispconfig/interface/ssl/ispserverchain.crt
    ln -s /etc/letsencrypt/live/server1.example.tld/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserverfullchain.crt
    
    I'll lastly follow the guide in the tutorial and make all necessary changes accordingly.
     
    Last edited: Jan 27, 2017
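
Added example, not part of any post in this thread: a shell check that the ispserver.crt and ispserver.key symlinks from posts 7 and 9 point at a matching, unexpired pair and that the certificate lists each panel hostname. The function names are hypothetical, and the throwaway self-signed certificates are constructed stand-ins for the /etc/letsencrypt/live/ directories.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check the certificate and key
# that the ISPConfig interface symlinks point at. Function names are made up.

# 0 if the certificate's public key equals the private key's public half.
pair_matches() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 if NAME is listed verbatim as a DNS subjectAltName (wildcards not expanded).
cert_covers() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        tr ',' '\n' | sed 's/^[[:space:]]*//' | grep -Fxq "DNS:$2"
}

# check_interface_ssl DIR NAME... : prints findings, returns number of problems.
check_interface_ssl() {
    dir=$1; shift; bad=0
    crt="$dir/ispserver.crt"; key="$dir/ispserver.key"
    pair_matches "$crt" "$key" || { echo "FAIL: $crt and $key do not belong together"; bad=$((bad+1)); }
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 || { echo "FAIL: $crt expired or unreadable"; bad=$((bad+1)); }
    for n in "$@"; do
        cert_covers "$crt" "$n" || { echo "FAIL: $n missing from SAN list"; bad=$((bad+1)); }
    done
    return "$bad"
}

# Constructed sample: two throwaway self-signed certs standing in for the
# per-server Let's Encrypt directories under /etc/letsencrypt/live/.
make_sample() {
    mkdir -p "$1/$2" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=$2" \
        -addext "subjectAltName=DNS:$2,DNS:cp.mycompany.com,DNS:cp.reseller.com" \
        -keyout "$1/$2/privkey.pem" -out "$1/$2/fullchain.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_sample "$demo/live" srv1.mycompany.com
make_sample "$demo/live" srv2.mycompany.com
mkdir -p "$demo/ssl"
ln -s "$demo/live/srv1.mycompany.com/fullchain.pem" "$demo/ssl/ispserver.crt"
ln -s "$demo/live/srv1.mycompany.com/privkey.pem" "$demo/ssl/ispserver.key"
check_interface_ssl "$demo/ssl" srv1.mycompany.com cp.mycompany.com cp.reseller.com && echo "interface cert OK"
```

On a real server, call `check_interface_ssl /usr/local/ispconfig/interface/ssl` with the hostnames customers use, before restarting the web server.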
