SSL how to for ISPconfig 3 with Letsencrypt

Discussion in 'General' started by SamTzu, Nov 16, 2016.

?

Who's the man?

  1. You

    2 vote(s)
    66.7%
  2. Me

    1 vote(s)
    33.3%
  1. SamTzu

    SamTzu Member HowtoForge Supporter

    Ok. I have spent the last 3 days to get this to work so you best gimme some kudos :)

    Create new sites on ISPconfig 3.1 "perfect server" (in this example we call these new web sites ic4.eu, smtp.ic4.eu and imap.ic4.eu) and enable Let's Encrypt SSL on these sites. You can use the default www. as alias on ic4.eu (but remember to disable www. alias on any other web site that will use the (ic4.eu) root domain address like for instance smtp.ic4.eu. Why? Because you can't have two or more websites with same address ie. www.ic4.eu.) Make sure your DNS servers have these new addresses configured. (You can use 'tail /var/log/letsencrypt/letsencrypt.log' to check for errors.)

    Define ISPconfig to use the new SSL certificate with symbolic links.
    (If you don't know how to use symbolic links this how-to is not for you)
    /usr/local/ispconfig/interface/ssl/
    ispserver.crt -> /etc/letsencrypt/live/ic4.eu/fullchain.pem
    ispserver.key -> /etc/letsencrypt/live/ic4.eu/privkey.pem

    Define Postfix to use the new SSL certificate in /etc/postfix/main.cf.
    (If you don't know how to add these entries this how-to is not for you)
    smtpd_tls_cert_file = /etc/letsencrypt/live/smtp.ic4.eu/cert.pem
    smtpd_tls_key_file = /etc/letsencrypt/live/smtp.ic4.eu/privkey.pem
    smtpd_tls_CAfile = /etc/letsencrypt/live/smtp.ic4.eu/fullchain.pem

    Define Dovecot to use the new SSL certificate in /etc/dovecot/dovecot.conf.
    (If you don't know how to add these entries this how-to is not for you)
    ssl_cert = </etc/letsencrypt/live/imap.ic4.eu/fullchain.pem
    ssl_key = </etc/letsencrypt/live/imap.ic4.eu/privkey.pem

    Enjoy your working SSL certificates for SMTP(s) and IMAP(s).
    Who's the man?
     
    Last edited: Jan 4, 2017
    Turbanator and dfumagalli like this.
  2. PermaNoob

    PermaNoob Member

    Quick question: I don't use dns on my servers, I use my domain registrar's dns. Is that going to cause a problem with Let's Encrypt?
     
  3. sjau

    sjau Local Meanie Moderator

    No, you just have to make sure that there are A or CNAME entries in your zone file.
     
    PermaNoob likes this.
  4. PermaNoob

    PermaNoob Member

    Thanks!
     
  5. GhostRider

    GhostRider New Member

    Hi
    The path is not good, the certificates are incremented with each renewal ... 1 ... 2 ... 3 .....
    it's : /etc/letsencrypt/live/imap.ic4.eu/.......
     
  6. SamTzu

    SamTzu Member HowtoForge Supporter

    Thanx GhostRider. I will fix the tutorial to point /live/ folder symlinks.
     
  7. SamTzu

    SamTzu Member HowtoForge Supporter

    Now who wants to figure out how to use these certs with PureFTP?
     
  8. SamTzu

    SamTzu Member HowtoForge Supporter

    And how to make Dovecot POP(s) to use a separate certificate?
     
  9. sjau

    sjau Local Meanie Moderator

    seperate certificate for dovecot?
     
  10. kerrsmith

    kerrsmith Member

  11. SamTzu

    SamTzu Member HowtoForge Supporter

    @sjau Dovecot has also POP(s) service. Not just IMAP(s). Both should have their own certs defined in the conf.
     
  12. SamTzu

    SamTzu Member HowtoForge Supporter

    @kerrsmith Nothing new on those threads. The pure-ftp cert fix seems interesting but does not seem to improve situation.
     
  13. sjau

    sjau Local Meanie Moderator

    still, why seperate certs? If you have pop.domain.tld and imap.domain.tld they can be both in one cert.
     
  14. kerrsmith

    kerrsmith Member

    I only use POP and SMTP for my mail server which is why I only included those in my example I linked to, you can of course add any others in you require and they all end up in the same certificate.

    I am not sure why your FTP attempts are not working, does anything helpful show up in the error logs when you try to connect? Are you connecting using FTPS rather then SFTP as they work differently, also it should be Explicit FTP over TLS. I only ask this as the "server's host key is unknown" error sounds a bit like an SSH error message.
     
  15. sjau

    sjau Local Meanie Moderator

    then you have to create a SAN cert yourself for those services...
     
  16. SamTzu

    SamTzu Member HowtoForge Supporter

    @kerrsmith Correct. I was talking about sFTP. Difficult to get rid of that error message.
     
  17. nikolaosp

    nikolaosp New Member

    Thanks for your work mate, however I have a quick question, I have created a smpt.example.com website with a letsencrypt cert that I used in postfix. However, after restart postfix I noticed that I see a certificate for another site in my server that is not evern in the example.com domain but on a domain by itself.

    Any ideas?

    EDIT: Sorry for being such a noob but it appears I had not set correctly the parameters for the certificate. All is well and thanks again for your work
     
    Last edited: Jan 10, 2017
  18. SamTzu

    SamTzu Member HowtoForge Supporter

    :) This is the "Advanced Course for Linux".
     
  19. For the pure-ftp you need to merge private key and the full chain together, i'm using a cron job to merge them every month ;-)

    Code:
    #!/bin/bash
    cat /etc/letsencrypt/live/srv010.web.ichtushosting.com/fullchain.pem /etc/letsencrypt/live/srv010.web.ichtushosting.com/privkey.pem > /etc/ssl/private/srv010.letsencrypt.keyandfullchain.pem
    
    And I have a symlink from /etc/ssl/private/pure-ftpd.pem -> srv010.letsencrypt.keyandfullchain.pem
     
  20. Sidenote: you can also use vhost aliases instead of full websites.
    That way only one certificate is generated with all the different domains ;-)
     

Share This Page