Trying to get certificate for ISPConfig admin server failed

Discussion in 'Installation/Configuration' started by muekno, Apr 4, 2021.

  1. muekno

    muekno Member HowtoForge Supporter

Commented out the SSL lines; Apache won't start, as last time.
Here is the content. What am I doing wrong?
    <code>
    [email protected]:/etc/apache2/sites-available# cat ispconfig.vhost
    ######################################################
    # This virtual host contains the configuration
    # for the ISPConfig controlpanel
    ######################################################

    Listen 8080
    NameVirtualHost *:8080

    <VirtualHost _default_:8080>
    ServerAdmin [email protected]

    Alias /mail /var/www/ispconfig/mail

    <Directory /var/www/ispconfig/>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>
    <Directory /usr/local/ispconfig/interface/web/>
    <FilesMatch "\.ph(p3?|tml)$">
    SetHandler None
    </FilesMatch>
    </Directory>

    <IfModule mod_fcgid.c>
    DocumentRoot /var/www/ispconfig/
    SuexecUserGroup ispconfig ispconfig
    <Directory /var/www/ispconfig/>
    Options -Indexes +FollowSymLinks +MultiViews +ExecCGI
    AllowOverride AuthConfig Indexes Limit Options FileInfo
    <FilesMatch "\.php$">
    SetHandler fcgid-script
    </FilesMatch>
    FCGIWrapper /var/www/php-fcgi-scripts/ispconfig/.php-fcgi-starter .php
    Require all granted
    </Directory>
    IPCCommTimeout 7200
    MaxRequestLen 15728640
    </IfModule>

    <IfModule mpm_itk_module>
    DocumentRoot /usr/local/ispconfig/interface/web/
    AssignUserId ispconfig ispconfig
    AddType application/x-httpd-php .php
    <Directory /usr/local/ispconfig/interface/web>
    # php_admin_value open_basedir "/usr/local/ispconfig/interface:/usr/share:/tmp"
    Options +FollowSymLinks
    AllowOverride None
    Require all granted
    php_value magic_quotes_gpc 0
    </Directory>
    </IfModule>

    # ErrorLog /var/log/apache2/error.log
    # CustomLog /var/log/apache2/access.log combined
    ServerSignature Off

    <IfModule mod_security2.c>
    SecRuleEngine Off
    </IfModule>

    # # SSL Configuration
    # SSLEngine On
    # SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
    # SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
    # SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
    # #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    #
    # SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
    # SSLHonorCipherOrder On
    #
    # <IfModule mod_headers.c>
    # # ISPConfig 3.1 currently requires unsafe-line for both scripts and styles, as well as unsafe-eval
    # Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'"
    # Header set Content-Security-Policy "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' data:; object-src 'none'; upgrade-insecure-requests"
    # Header set X-Content-Type-Options: nosniff
    # Header set X-Frame-Options: SAMEORIGIN
    # Header set X-XSS-Protection: "1; mode=block"
    # Header always edit Set-Cookie (.*) "$1; HTTPOnly"
    # Header always edit Set-Cookie (.*) "$1; Secure"
    # <IfVersion >= 2.4.7>
    # Header setifempty Strict-Transport-Security "max-age=15768000"
    # </IfVersion>
    # <IfVersion < 2.4.7>
    # Header set Strict-Transport-Security "max-age=15768000"
    # </IfVersion>
    # RequestHeader unset Proxy early
    # </IfModule>
    #
    # SSLUseStapling On
    # SSLStaplingResponderTimeout 5
    # SSLStaplingReturnResponderErrors Off
    </VirtualHost>
    [email protected]:/etc/apache2/sites-available#
    </code>
    [email protected]:/etc/apache2/sites-available# systemctl start apache2.service
    Enter passphrase for SSL/TLS keys for admin.gerdakloos.de:8081 (RSA):
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You also have to comment out the ssl lines in apps.vhost.
     
  3. muekno

    muekno Member HowtoForge Supporter

OK, that works. Thank you.
I did comment out the SSL lines in apps.vhost; the
ispconfig_update.sh --force
still gives the self-signed certificate, but I will leave it for now. If you have an idea some time, please let me know.
By the way, is it possible to configure the ISPConfig admin login with a public/private key instead of using a more or less secure password?
Stay healthy

    Rainer
     
  4. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

  5. muekno

    muekno Member HowtoForge Supporter

Are you sure?
IMPORTANT: This guide is not compatible with ISPConfig 3.2 and newer as ISPConfig 3.2 and newer versions have Let's encrypt for all services builtin.
I am running ISPConfig 3.2.4.
It cost me and you hours yesterday, thanks again for the help. Before getting into more trouble and, in the worst case, having a dead master server, I will live with that browser security warning from the self-signed certificate. I know why I get the warning, and it should be as secure as an official Let's Encrypt certificate. It is just annoying.
    Rainer
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

The old guide can only be used on setups that still use certbot; on acme.sh setups you can't use it, as the created certs are in different locations. According to the results you posted earlier, your setup uses acme.sh, so you can't use that old guide. At least not without changing the paths to the SSL certs in the commands.
     
  7. muekno

    muekno Member HowtoForge Supporter

That's what I assumed when reading the warning, so I did not try it. I can live with the situation, as I have lived with it for a long time. It is/was one of my "if time" things on my to-do list, and the long Easter weekend was a good occasion to try to fix it because of the additional holiday. So now it is as it is.
Perhaps some time somebody will find a solution.
    Thank you

    Rainer
     
  8. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    To use the "old" way with acme.sh:
    Make sure the certificate for your hostname is created. I will use server1.example.com.
    You can check if it exists with
    Code:
    ls -la /root/.acme.sh/server1.example.com
    The certificate files should be there.

    To use this certificate for the panel, run:
    Code:
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /root/.acme.sh/server1.example.com/fullchain.cer ispserver.crt
    ln -s /root/.acme.sh/server1.example.com/server1.example.com.key ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    systemctl restart apache2
    To automatically renew the .pem file and restart Apache2 after renewals, we will set up a script that's triggered when the cert changes:
    Install incron and open the script:
    Code:
    apt install -y incron
    nano /etc/init.d/le_ispc_pem.sh
    Put this in there:
    Code:
#!/bin/sh
### BEGIN INIT INFO
# Provides: LE ISPSERVER.PEM AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE ISPSERVER.PEM AUTO UPDATER
# Description: Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
### END INIT INFO
# Rebuild ispserver.pem (key first, then certificate chain) from the symlinks
# created above. /bin/sh is dash on Debian/Ubuntu and does not expand
# ispserver.{key,crt}, so both files are named explicitly here.
cd /usr/local/ispconfig/interface/ssl/ || exit 1
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.key ispserver.crt > ispserver.pem
chmod 600 ispserver.pem
systemctl restart apache2
    Then make it executable and open incrontab:
    Code:
    chmod +x /etc/init.d/le_ispc_pem.sh
    echo "root" >> /etc/incron.allow
    incrontab -e
    Add this line:
    Code:
/root/.acme.sh/server1.example.com/ IN_MODIFY /etc/init.d/le_ispc_pem.sh
    Of course, replace server1.example.com in this guide with your hostname.
    I use this on one of my servers, as the hostname is different from the name used to reach the panel, so the install script does not suit my needs.
     
    Mikeal Wolfe, BartelBe and till like this.
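The hook above works, but it restarts Apache unconditionally and briefly exposes a half-written ispserver.pem while `cat` is running. The following is an added example, not code from the thread or from the ISPConfig project, of a hardened le_ispc_pem.sh for the same acme.sh symlink layout: it checks that ispserver.key and ispserver.crt belong together (a real public-key comparison when openssl is available), writes the bundle to a mode-600 temp file and renames it into place, keeps the dated backup the thread's commands keep, and restarts Apache only after `apachectl configtest` passes. Because a renewal changes several files in the watched directory, incron may fire the hook more than once; the script is idempotent, so that is harmless. SSL_DIR, CONFIGTEST_CMD and RESTART_CMD are assumptions of this example (their defaults match the thread), so the functions can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example (not from the thread): a safer version of le_ispc_pem.sh.
# Rebuilds ispserver.pem from the ispserver.key/ispserver.crt symlinks that
# point at acme.sh's files, then restarts Apache only if the bundle is sane.
# SSL_DIR, CONFIGTEST_CMD and RESTART_CMD are assumptions: the defaults match
# the thread, and a test can override them.

SSL_DIR="${SSL_DIR:-/usr/local/ispconfig/interface/ssl}"
CONFIGTEST_CMD="${CONFIGTEST_CMD:-apachectl configtest}"
RESTART_CMD="${RESTART_CMD:-systemctl restart apache2}"

# True if file $1 contains a PEM block whose type ends in $2 (e.g. "PRIVATE KEY").
has_pem_block() {
    grep -q -- "-----BEGIN .*$2-----" "$1"
}

# True if key $1 and certificate $2 carry the same public key. With openssl
# present this is a real comparison; without it only the PEM markers are checked.
key_matches_cert() {
    if command -v openssl >/dev/null 2>&1; then
        k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
        c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
        [ -n "$k" ] && [ "$k" = "$c" ]
    else
        has_pem_block "$1" "PRIVATE KEY" && has_pem_block "$2" "CERTIFICATE"
    fi
}

# Rebuild $1/ispserver.pem (key first, then chain, as in the thread). The
# bundle is written to a mode-600 temp file and renamed into place, so Apache
# never sees a half-written file; a mismatched pair is refused and the old
# bundle is left alone. Safe to run repeatedly, e.g. once per changed file.
rebuild_pem() {
    dir="${1:-$SSL_DIR}"
    key="$dir/ispserver.key"; crt="$dir/ispserver.crt"; pem="$dir/ispserver.pem"
    key_matches_cert "$key" "$crt" || { echo "refusing: $key does not match $crt" >&2; return 1; }
    tmp=$(mktemp "$dir/.ispserver.pem.XXXXXX") || return 1
    chmod 600 "$tmp"
    cat "$key" "$crt" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Keep a dated backup of the previous bundle, like the thread's commands do.
    if [ -f "$pem" ]; then cp -p "$pem" "$pem-$(date +%y%m%d%H%M%S).bak"; fi
    mv -f "$tmp" "$pem"
}

# The incron / acme.sh hook: rebuild, then restart only if Apache's config parses.
renew_hook() {
    rebuild_pem "$SSL_DIR" || return 1
    $CONFIGTEST_CMD >/dev/null 2>&1 || { echo "config test failed, not restarting" >&2; return 1; }
    $RESTART_CMD
}

# Run the hook only when executed as the script itself, not when sourced.
case "${0##*/}" in
    le_ispc_pem.sh) renew_hook ;;
esac
```

Install it in place of the thread's script (same path and incrontab line) and it behaves the same on a good renewal; the difference shows when acme.sh has written a new key but not yet the matching certificate, or when someone has broken an Apache vhost in the meantime: in both cases the old, working bundle stays in service and the reason is logged to stderr instead of Apache going down.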
