SSL Certificate Explanation & Overview

Discussion in 'Installation/Configuration' started by illuder, Nov 2, 2020.

  1. illuder

    illuder Member HowtoForge Supporter

    I am truly confused on how this SSL works in ISPConfig3, compared to my previous web server.
    Perhaps someone can point me towards some reading material, or explain to me briefly how to manage this. See below:

    1- Previously, I managed cPanel servers for decades, and entering an SSL certificate was simple. A client I host would order it, I would buy it from a supplier and load it in his domain for him.
    2- In ISPConfig3, I've come across let's encrypt, and have read much about it. I've installed it and would like to believe that its installed correctly as I've received no errors. I believe you do it once per server and it SSLs all the domains in that server.
    3- My various domains are not secured. Chrome and other browsers still show warnings. See some here: (Warning: Potential Security Risk Ahead) (connection not secure)
    among others...
    4- and now, important emails being sent to some domains aren't coming through to domains hosted by me.
    5- Google also says security errors:
    The mail system
    <ccclclient [email protected]>: host[] said:
    550-5.7.26 This message does not have authentication information or fails
    to 550-5.7.26 pass authentication checks. To best protect our users from
    spam, the 550-5.7.26 message has been blocked. Please visit 550-5.7.26 for more 550
    5.7.26 information. l184si6928083oig.103 - gsmtp (in reply to end of DATA

    So perhaps I have not refined the server well. I think this security is the cause of these issues.

    Any assistance please , if you could,, it will be greatly appreciated.
  2. Taleman

    Taleman Well-Known Member HowtoForge Supporter

  3. illuder

    illuder Member HowtoForge Supporter

    Thank you for the prompt response.

    Perhaps I could be first told what's the difference between a normal SSL certificate and an LE ?

    Which is worth having? Every browser asks for https nowadays.
  4. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You'll find a lot more info in less time with a quick web search, but "normal" in the above context would be either a certificate you purchase and upload into the panel, or a self-signed certificate you have the panel generate for you; letsencrypt is the popular service that automates issuing domain validated certificates at no cost.

    If your aim is to satisfy a browser opening an https site with no warnings, either will work. Letsencrypt is generally cheaper and easier, but some folks prefer purchasing and manually updating certificates for various reasons.
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Your assumption in no. 2 is wrong. LE certs for your servers are not automatically extended to domains in them. You need to request for LE certs for each of the domains after setting them up in ISPConfig GUI.
  6. illuder

    illuder Member HowtoForge Supporter

    Then I must be doing something incorrectly, because after following all instructions and firmly believing that the installation and activation of LE on my ISPConfig server, i still get many warning from browsers saying that my sites aren't https: Google chrome also shows as not secure.
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You have to enable SSL and LE for the website. If that fails, take a look at your log (Under Monitor -> System-log) and go through the before mentioned LE FAQ.

    The error you describe in point 5 is not related, and you would know that if you read document on the url they mention. In short, you have to setup the following things to sent email with proper authentication that you can sent emails:
    - A reverse dns (PTR) record for your server's IP address with the hostname of your mailserver
    - SPF record for the domain you are sending with that declares your server's IP as trusted sender
    - Eventually a DKIM record for the domain you are sending with
    - Eventually a DMARC record for the domain you are sending with

Share This Page