[Solved] SSL Cert on ISPConfig 3 (master/master) Multi-server setup

Discussion in 'General' started by dvazart, Dec 10, 2015.

  1. dvazart

    dvazart New Member


    I have some questions about installing an SSL cert on my ISPConfig 3 (master/master) multi-server setup.

    I'm running two OpenVZ containers on Debian 7 x64 with ISPConfig in a master/master cluster.


    To let my customers access the ISPConfig interface, I'm doing round-robin with two "A" records like:

    https://cp.mycompany.com:8080 -->
    https://cp.mycompany.com:8080 -->

    and also I have a reseller who's doing the same thing with his own domain name, like:

    https://cp.reseller.com:8080 -->
    https://cp.reseller.com:8080 -->

    My goal is to avoid the warnings about the self-signed certificates when accessing the ISPConfig interface. For this I want to buy an SSL cert, but I don't know what kind of SSL cert is most advisable for my setup: separate SSL certs for each server or a wildcard certificate, considering that my reseller wants to benefit from this feature too?

    Another question: is it possible to do this with a free SSL solution like https://letsencrypt.org/ ?

    Thanks in advance for your reply,

    Regards !
  2. sjau

    sjau Local Meanie Moderator

    SSL certs are name-based. Let's Encrypt gives you free certs, but I have no idea how to link those to the ISPC interface.
  3. florian030

    florian030 ISPConfig Developer

    Install the cert and the key in /usr/local/ispconfig/interface/ssl
  4. sjau

    sjau Local Meanie Moderator

    So, will the LE inclusion in ISPC also be extended for ISPC itself?
  5. florian030

    florian030 ISPConfig Developer

    ??? the ssl-key and cert for the interface are stored in interface/ssl
  6. sjau

    sjau Local Meanie Moderator

    There is integration for Let's Encrypt in ISPC planned. But as far as I know the discussion was only about hosted domains with automatic ssl (renewal) through LE. So I wondered if an option will be added also to get certs for ISPC itself.
  7. dvazart

    dvazart New Member


    Thanks for your answers! This is how I did it:

    You have to run the following commands on each server in the cluster. This setup works for Debian 7.0 with Apache or NGINX.

    Install some dependencies:

        apt-get install build-essential python-pip git
        pip install virtualenv
        pip install pyopenssl ndg-httpsclient pyasn1
        pip install cryptography

    Stop your webserver:

        service apache2 stop

    Install the LetsEncrypt client:

        git clone https://github.com/letsencrypt/letsencrypt
        cd letsencrypt
        ./letsencrypt-auto certonly

    When asked, add all the domain names from which your ISPConfig can be accessed. In my scenario I put:

    On srv1.mycompany.com:

        srv1.mycompany.com, cp.mycompany.com, cp.reseller.com

    On srv2.mycompany.com:

        srv2.mycompany.com, cp.mycompany.com, cp.reseller.com

    Back up the self-signed certificates:

        mkdir /usr/local/ispconfig/interface/ssl/originales
        mv /usr/local/ispconfig/interface/ssl/isp* /usr/local/ispconfig/interface/ssl/originales

    Link the new (letsencrypt) certificates:

        # Certificate and key must come from the same live/ directory.
        # On srv2.mycompany.com, use /etc/letsencrypt/live/srv2.mycompany.com/ for both links.
        ln -s /etc/letsencrypt/live/srv1.mycompany.com/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
        ln -s /etc/letsencrypt/live/srv1.mycompany.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key

    Start your webserver:

        service apache2 start

    You are done!
  8. To follow dvazart's instructions, I had to use option 2 (standalone) after executing ./letsencrypt-auto certonly. This option places the certificates in the /etc/letsencrypt/live/your-domain-here.com/ folder so you can easily place the symbolic links stated above.
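
A check to run on each server after the linking step, added here as an example and not part of any post in the thread: it confirms that ispserver.crt and ispserver.key belong to the same key pair and that the certificate lists every hostname used to reach the panel. The function names and the script name check.sh are assumptions; it needs the openssl command-line tool.

```shell
#!/bin/sh
# Added example (not from the thread): sanity checks for the files linked as
# ispserver.crt and ispserver.key. Requires the openssl command-line tool.

# Succeeds only when the certificate and the private key share a public key.
# Exit status 2 means one of the files could not be parsed.
cert_matches_key() (
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || exit 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || exit 2
    [ "$cert_pub" = "$key_pub" ]
)

# Prints every expected hostname that is not listed as a DNS subjectAltName.
# Exact string match only: wildcard entries are not expanded.
missing_names() (
    cert=$1; shift
    sans=$(openssl x509 -in "$cert" -noout -text 2>/dev/null |
        awk '/Subject Alternative Name/ { getline; print }' |
        tr -d ' ' | tr ',' '\n' | sed -n 's/^DNS://p')
    for name in "$@"; do
        printf '%s\n' "$sans" | grep -qxF -- "$name" || printf '%s\n' "$name"
    done
)

# Usage: check_interface_cert SSL_DIR HOSTNAME...
check_interface_cert() (
    dir=$1; shift
    cert_matches_key "$dir/ispserver.crt" "$dir/ispserver.key" || {
        echo "FAIL: ispserver.crt and ispserver.key do not belong together" >&2
        exit 1
    }
    missing=$(missing_names "$dir/ispserver.crt" "$@")
    [ -z "$missing" ] || {
        echo "FAIL: names not covered by the certificate:" $missing >&2
        exit 1
    }
    echo "OK: key matches certificate and all names are covered"
)

# Runs only when arguments are given, e.g. on srv1:
#   sh check.sh /usr/local/ispconfig/interface/ssl \
#       srv1.mycompany.com cp.mycompany.com cp.reseller.com
[ "$#" -eq 0 ] || check_interface_cert "$@"
```

Because ispserver.crt links to fullchain.pem, openssl reads the first certificate in the file, which is the server's own certificate.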

