SSL/Dynamic DNS/Multiple Hostnames/ISPConfig3.1b1

Discussion in 'Installation/Configuration' started by Johnny Curtis, Jul 17, 2016.

  1. Johnny Curtis

    Johnny Curtis New Member

    Here is what I am hoping for:
    A magical, all-encompassing SSL Certification solution for ISPConfig 3.1b1. I have been looking around the web off and on for over a year and hesitating and putting it off and over time, things change, and needs change, production websites get moved from a temporary domain name to a permanent domain name, and the list goes on. I'm having troubles.
    So I need a legit cert for the ISPConfig interface, email, and primarily one client that has an eCommerce site with Wordpress and WooCommerce installed, and more clients down the road. This client has an existing domain that points to his existing website at some hosting company and the website that I built for him has a temporary domain name. I see problems here if I create the certificate now and then change the domain name later, but I have no idea. This is just a guess since I've seen error messages before in Outlook stating that the certificate doesn't match the host name or some such thing when playing around with self-signed certs.
    I read that I would need a Class 2 cert for wildcards here: https://www.howtoforge.com/securing...h-a-free-class1-ssl-certificate-from-startssl and this is an excellent tutorial, but I'm worried that things will break if I don't come to this awesome forum and get some advice first. Also, the hostname for my server is just a made-up host name and has nothing to do with the websites that I am hosting. It seems like this is going to cause some issues. And also, I use a dynamic DNS service. So I get SMTP banner errors that are more of an annoyance than anything else, but I'm just throwing this out there to see if anyone knows if this will cause problems with STARTTLS or something if I'm using a class 2 cert with multiple hosts.
    My ultimate question is: Is there a way to generate an SSL certificate with the ISPConfig update script and use the CSR at StartSSL to generate a class 2 cert that will work on EVERYTHING? Including email, and eCommerce checkout and ISPConfig interface?
    I'm hoping that there is a way that I can generate a class 2 cert following the instructions given above, and just plug in the SSL info into my ISPConfig > Sites >mycustomer.temporarydomain.com > SSL Tab. I really don't want to just try it and break it because the customer is currently working on it with thousands of products available. I hope it just rolls straight into using SSL smoothly.

    My setup is as follows:
    The server has a random made-up hostname that doesn't have any DNS records. I am using dynamic DNS to point domain names to it.
    Server: hostname: something.madeup.com (Ubuntu 16.04 LTS (Xenial Xerus)) ISPConfig 3.1b1 both recently upgraded from the tutorial for Ubuntu 15.something with dovecot/postfix/apache
    Client X at mycustomer.temporarydomain.com has Wordpress / WooCommerce with force SSL enabled within WooCommerce (works fine with temporary self-signed cert, but customer will have to see the security warning in their browser)
     
  2. Jesse Norell

    Jesse Norell Active Member

    It will be more complicated to try to get a single certificate with names to cover your control panel, mail server and a customer's website, I'd keep them separate. In 3.1 you can use a letsencrypt for your control panel if you want, the commands to do so are at https://www.howtoforge.com/communit...fig-admin-from-letsencrypt.73097/#post-344008

    If your mail server is the same machine as your control panel, then pointing postfix/dovecot config at the same certificate should be pretty simple; a quick look at the config shows they're both pointing at /etc/postfix/smtpd.{cert,key}, so just symlink those names to the files under /etc/letsencrypt/live/{name.com}/ and you should be done. Your client would use your server's name, not mail.customerdomain.com, to not see errors about the certificate.

    For your client's website, just get the certificate for it, and install it via the SSL tab. (LetsEncrypt won't work for that if you need more than domain validated.)
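
The symlink step from the reply above, as an added example that is not part of the thread: it checks that the certificate and key belong together and that the certificate covers the name mail clients will connect to, then replaces /etc/postfix/smtpd.{cert,key} with symlinks. The function names are made up for this example, fullchain.pem and privkey.pem are the file names certbot writes under live/, and the directory and hostname in the usage comment are the thread's placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Only defines functions; nothing runs on load.

# cert_matches_key CERT KEY: succeed only if both carry the same public key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# cert_covers_host CERT HOST: succeed only if HOST matches the certificate.
# openssl reports the result as text, so the output is matched, not the exit code.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q 'does match certificate'
}

# swap_in_symlink TARGET LINK: point LINK at TARGET, keeping a regular file
# that was there before (e.g. the self-signed cert) as LINK.bak for rollback.
swap_in_symlink() {
    target=$1 link=$2
    if [ -e "$link" ] && [ ! -L "$link" ]; then
        mv "$link" "$link.bak" || return 1
    fi
    ln -sfn "$target" "$link"
}

# link_mail_cert LIVE_DIR POSTFIX_DIR HOST: verify first, then link both files.
# HOST is the name mail clients are configured with (the server's own name).
link_mail_cert() {
    live=$1 pf=$2 host=$3
    cert=$live/fullchain.pem key=$live/privkey.pem
    cert_matches_key "$cert" "$key" ||
        { echo "certificate and key do not match" >&2; return 1; }
    cert_covers_host "$cert" "$host" ||
        { echo "$host is not covered by $cert" >&2; return 1; }
    swap_in_symlink "$cert" "$pf/smtpd.cert" &&
        swap_in_symlink "$key" "$pf/smtpd.key"
}

# Usage as root, with the thread's placeholder names:
#   link_mail_cert /etc/letsencrypt/live/name.com /etc/postfix something.madeup.com \
#       && systemctl reload postfix dovecot
```

Because the links point into live/, a renewed certificate is picked up after the next reload of postfix and dovecot without relinking.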
     
