Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL - Page 2

4 ISPConfig Interface (Apache2)

If you use ISPConfig 3 with Apache, open /etc/apache2/sites-available/ispconfig.vhost...

vi /etc/apache2/sites-available/ispconfig.vhost

... and add the line SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt to the # SSL Configuration section. Without it Apache sends only the server certificate, and a client that does not already know the StartCom intermediate CA cannot build the chain up to the root and shows a certificate warning. Please be aware that ISPConfig rewrites this vhost file on updates, so you have to re-add that line whenever you update ISPConfig!

[...]
  # SSL Configuration
  SSLEngine On
  SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
  SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
  ## must be re-added after an ISPConfig update!!!
  SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
[...]

(Adjust this if you use a Class2 certificate.)

Restart Apache afterwards:

/etc/init.d/apache2 restart

5 ISPConfig Interface (nginx)

nginx has no separate chain directive, so on nginx all you have to do is append the intermediate certificate to the ispserver.crt file (please adjust this if you use a Class2 certificate). The order matters: the server certificate must stay first in the file and the intermediate follows it. Run the command only once, because every run appends another copy of the intermediate (and re-run it after an ISPConfig update if the file has been regenerated)...

cat /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt >> /usr/local/ispconfig/interface/ssl/ispserver.crt

... and reload nginx:

/etc/init.d/nginx reload
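The script below is an added example and is not part of the original tutorial or of ISPConfig. It does the nginx step in a safer way: it appends the intermediate only if it is not already in the file, checks that the server certificate still comes first, and verifies the resulting chain up to the root the way a client that knows only the root would. To run offline it generates a throwaway root, intermediate and server certificate with openssl; these constructed test files (root.crt, int.crt, server.crt and the hypothetical host name server.example.com) stand in for the StartSSL files, so on a real server substitute ispserver.crt, startssl.sub.class1.server.ca.crt and the StartCom root certificate. The served_cert_count function is the live check to run after each restart in the following sections, for example served_cert_count server.example.com 443 for the ISPConfig interface, served_cert_count server.example.com 25 smtp for Postfix, 143 imap for Dovecot or Courier and 21 ftp for PureFTPd; a Class1 certificate with its intermediate shows 2.

```bash
#!/bin/bash
# Added example (not part of the original tutorial or of ISPConfig): build and
# check a PEM bundle the way the nginx step above needs it. It creates a
# throwaway root -> intermediate -> server chain with openssl (constructed test
# data with hypothetical names root.crt, int.crt, server.crt, standing in for
# the StartSSL files) so it runs offline.

# Number of certificates in a PEM file (0 if none).
pem_cert_count() {
  grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Print only the N-th certificate (1-based) of a PEM bundle.
pem_nth_cert() {
  awk -v n="$2" '
    /-----BEGIN CERTIFICATE-----/ { c++ }
    c == n { print }
    /-----END CERTIFICATE-----/ && c == n { exit }' "$1"
}

# 0 if the first certificate was issued by the second, i.e. the bundle is in
# the order (server certificate first, then its intermediate) that nginx,
# Apache's SSLCertificateChainFile and Postfix expect; 1 otherwise.
chain_order_ok() {
  [ "$(pem_nth_cert "$1" 1 | openssl x509 -noout -issuer_hash 2>/dev/null)" = \
    "$(pem_nth_cert "$1" 2 | openssl x509 -noout -subject_hash 2>/dev/null)" ]
}

# Append the intermediate ($1) to the bundle ($2) unless a certificate with the
# same SHA-256 fingerprint is already in it, so re-running the step does not
# stack up copies.
append_intermediate_once() {
  want=$(openssl x509 -in "$1" -noout -fingerprint -sha256)
  n=$(pem_cert_count "$2"); i=1
  while [ "$i" -le "$n" ]; do
    have=$(pem_nth_cert "$2" "$i" | openssl x509 -noout -fingerprint -sha256)
    [ "$have" = "$want" ] && return 0
    i=$((i + 1))
  done
  cat "$1" >> "$2"
}

# Verify the first certificate of the bundle ($2) up to the trusted root ($1),
# using nothing but the other certificates in the bundle as intermediates:
# this is exactly what a client that knows only the root can do.
verify_bundle() {
  pem_nth_cert "$2" 1 > "$2.leaf"
  openssl verify -CAfile "$1" -untrusted "$2" "$2.leaf" >/dev/null 2>&1
}

# Live check after a restart: how many certificates a service really sends.
# $3 is the STARTTLS protocol for plaintext ports (smtp, imap, pop3, ftp),
# e.g. served_cert_count mail.example.com 25 smtp; omit it for 443 or 993.
# A complete Class1 chain shows 2 (server certificate + intermediate).
served_cert_count() {
  host=$1; port=$2; proto=${3:-}
  openssl s_client -connect "$host:$port" -servername "$host" -showcerts \
    ${proto:+-starttls "$proto"} </dev/null 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----' || true
}

# Constructed test PKI in directory $1: root.crt signs int.crt, which signs
# server.crt. Everything is valid for one day and never leaves the machine.
make_test_pki() {
  d=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Root' \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
    -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate' \
    -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
    -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj '/CN=server.example.com' \
    -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$d/server.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
    -CAcreateserial -out "$d/server.crt" 2>/dev/null
}

# Demo on the constructed PKI; on a real server use ispserver.crt and
# startssl.sub.class1.server.ca.crt instead of the two test files.
work=$(mktemp -d)
make_test_pki "$work"
cp "$work/server.crt" "$work/ispserver.crt"
append_intermediate_once "$work/int.crt" "$work/ispserver.crt"
append_intermediate_once "$work/int.crt" "$work/ispserver.crt"   # second run is a no-op
echo "certificates in bundle: $(pem_cert_count "$work/ispserver.crt")"   # 2
chain_order_ok "$work/ispserver.crt" && echo "order: server certificate first, OK"
verify_bundle "$work/root.crt" "$work/ispserver.crt" && echo "chain verifies up to the root"
```

The fingerprint comparison is what makes the append idempotent; a plain cat >> as in the tutorial step is correct the first time and wrong every time after that. verify_bundle deliberately passes only the bundle as untrusted material, so a missing or misordered intermediate fails the same way it would in a browser or mail client that only ships the root.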


6 Postfix

For Postfix, we make backups of /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key and create symlinks to /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key:

cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key

Next we add the smtpd_tls_CAfile directive to /etc/postfix/main.cf...

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'

(Please adjust this if you use a Class2 certificate.)

... and restart Postfix:

/etc/init.d/postfix restart

Then check the mail log. If Postfix cannot read the file given in smtpd_tls_CAfile it does not refuse to start; it logs "cannot load Certificate Authority data: disabling TLS support" and silently falls back to unencrypted SMTP, so make sure the path exists (ls -l it) before moving on. Postfix also uses the CA certificates from smtpd_tls_CAfile to complete the server certificate chain, which is why the intermediate reaches connecting clients without touching smtpd.cert.

7 Dovecot

Open /etc/dovecot/dovecot.conf...

vi /etc/dovecot/dovecot.conf

... and add a CA setting that points at the StartSSL chain file next to the existing certificate and key settings. The syntax differs between Dovecot 1.x and 2.x (please be aware that you have to re-add that line whenever you update ISPConfig!).

For Dovecot 1.x, add ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt:

[...]
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]

For Dovecot 2.x the *_file settings no longer exist; they are called ssl_cert, ssl_key and ssl_ca, and the < in front of the path tells Dovecot to read the value from that file. Add ssl_ca = </usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt:

[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca = </usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]

(Adjust this if you use a Class2 certificate.) Note that ssl_ca is primarily Dovecot's setting for verifying client certificates; the intermediate reaches mail clients because OpenSSL completes the server's chain from the CA certificates it has loaded. The alternative that Dovecot itself documents is to append the intermediate to the certificate file, server certificate first, as done for nginx above.

Restart Dovecot afterwards:

/etc/init.d/dovecot restart

8 Courier

Create backups of /etc/courier/imapd.pem and /etc/courier/pop3d.pem...

mv /etc/courier/imapd.pem /etc/courier/imapd.pem.bak
mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.bak

... and then create symlinks under both names to /usr/local/ispconfig/interface/ssl/ispserver.pem (Courier expects the private key and the certificate together in one PEM file, which is what ispserver.pem contains):

ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/courier/imapd.pem
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/courier/pop3d.pem

Restart Courier afterwards:

/etc/init.d/courier-imap-ssl stop
/etc/init.d/courier-imap-ssl start
/etc/init.d/courier-pop-ssl stop
/etc/init.d/courier-pop-ssl start

9 PureFTPd

Create a backup of /etc/ssl/private/pure-ftpd.pem...

cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem_bak

... and create a symlink to /usr/local/ispconfig/interface/ssl/ispserver.pem:

ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem

Restart PureFTPd afterwards:

/etc/init.d/pure-ftpd-mysql restart

10 Monit

Monit is not part of the "Perfect Server" setups for ISPConfig 3, but if you have it installed and use its web interface over https, here's how you can use the StartSSL certificate so that the certificate warnings go away.

Open /etc/monit/monitrc...

vi /etc/monit/monitrc

... and specify /usr/local/ispconfig/interface/ssl/ispserver.pem in the PEMFILE line, e.g. as follows (admin:secret is only a placeholder; use your own username and a strong password):

[...]
set httpd port 2812 and
     SSL ENABLE
     PEMFILE /usr/local/ispconfig/interface/ssl/ispserver.pem
     allow admin:secret
[...]

Monit checks the PEMFILE before it starts: the file must be owned by the user Monit runs as (normally root) and must not carry any group or other permission bits, otherwise Monit aborts with "must be owned by you" or "has too loose permissions". If ispserver.pem is owned by the ispconfig user rather than root, copy it to a root-owned file with mode 0600 (for example /etc/monit/ispserver.pem) and point PEMFILE at that copy; the copy has to be refreshed whenever the certificate is renewed.

Restart monit afterwards:

/etc/init.d/monit restart
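The script below is an added example, not part of the original tutorial or of ISPConfig. It runs the three checks worth doing on a combined key-plus-certificate file such as ispserver.pem before Courier, PureFTPd or Monit are pointed at it: that the file really contains a private key and a certificate, that the key belongs to the certificate (a mismatch is the usual result of a renewed certificate next to an old key), and that the file is owned by the caller with no group or other permission bits, which is what Monit insists on and what a private key should have anyway. To run offline it generates a constructed one-day self-signed certificate plus an unrelated key with openssl (hypothetical names good.key, good.crt, other.key); on a real server run check_pem against /usr/local/ispconfig/interface/ssl/ispserver.pem.

```bash
#!/bin/bash
# Added example (not part of the original tutorial or of ISPConfig): sanity
# checks for a combined key+certificate PEM file such as ispserver.pem before
# Courier, PureFTPd or Monit are pointed at it. It builds a constructed one-day
# self-signed certificate with openssl (hypothetical names good.key, good.crt,
# other.key) so it runs offline.

# 0 if the file holds at least one private key and one certificate, which is
# what Courier's TLS_CERTFILE, PureFTPd's pem file and Monit's PEMFILE expect.
pem_has_key_and_cert() {
  grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1" &&
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# 0 if the private key in the file belongs to the first certificate in it: the
# public key derived from the private key must equal the one in the certificate
# (openssl reads the first PEM block of the requested kind and skips the rest).
pem_key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# 0 if the file is owned by the current user and has no group/other permission
# bits at all (mode 0600 or 0400). Monit refuses to start otherwise, and a
# group- or world-readable file hands the private key to other local users.
pem_private_enough() {
  [ -O "$1" ] && [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Run all three checks on one file; prints a verdict, returns 0 only if all pass.
check_pem() {
  pem_has_key_and_cert "$1" || { echo "$1: missing key or certificate"; return 1; }
  pem_key_matches_cert "$1" || { echo "$1: private key does not match certificate"; return 1; }
  pem_private_enough "$1"   || { echo "$1: must be owned by you with mode 0600"; return 1; }
  echo "$1: OK"
}

# Constructed test material in directory $1: a matching key/certificate pair
# and an unrelated key, combined into one good and one mismatched PEM file.
make_test_pem() {
  d=$1
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=server.example.com' \
    -keyout "$d/good.key" -out "$d/good.crt" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/other.key" 2>/dev/null
  cat "$d/good.key" "$d/good.crt" > "$d/ispserver.pem"    # key first, then certificate
  cat "$d/other.key" "$d/good.crt" > "$d/mismatch.pem"    # wrong key for that certificate
  chmod 600 "$d/ispserver.pem" "$d/mismatch.pem"
}

work=$(mktemp -d)
make_test_pem "$work"
check_pem "$work/ispserver.pem"    # OK
check_pem "$work/mismatch.pem"     # private key does not match certificate
```

The key/certificate comparison goes through the public key rather than an RSA modulus, so it also works for EC keys. For the Monit case, run check_pem on the root-owned copy, not on the original in the ISPConfig directory; for Courier and PureFTPd, the ownership test can be skipped, but the key match and the mode are still worth checking after every renewal.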


About The Author

Falko Timme is the owner of Timme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".

Comments

By:

While installing the certificate into postfix the line

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'

 should read

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt'

 otherwise postfix will complain about the missing file and automatically disable TLS.

 Otherwise great post, very helpful!

By:

I corrected this mistake and still Postfix is complaining about TLS problems :-(

anything else wrong with this tutorial?

 help!


By: geonick

I haven't tried using the postfix part of the guide yet but in the directory /usr/local/ispconfig/interface/ssl/ there seem to be both startssl.chain.class1.server.crt as well as startssl.sub.class1.server.ca.crt. Any arguments on why postconf will complain about missing files?  It's been a while since the post and the guide has not been updated... Is there or is there not a mistake with the crt file?

By: Anonymous

Has anyone had this working on CentOS 6.2?
I have tried 3 times and can't get it to work.

vi /etc/apache2/sites-available/ispconfig.vhost - says it is a new directory. Are there any directions for this?

By: Anonymous

great tutorial

for centos

/etc/httpd/conf/sites-available/ispconfig.vhost

By:

I installed all ISPConfig thanks to this site and the answers of Falko and Till Brehm.

Yours, the new hosting guy, 

thanks. 

By: Ninja

I installed per instructions and it seemed to be working, but I received an email from StartSSL that I needed to install the intermediate CA certificate. This appeared to be confirmed by checking my site in http://www.digicert.com/help/

I changed the /etc/apache2/sites-available/ispconfig.vhost addition to:

SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

and it seemed to work and checked out in DigiCert.


By:

Falko, You saved me a lot of time with this tutorial, and I'm sure a lot of others too... Outstanding tutorial!  Thank you!  Darin


By: Leonel Hernández

Hi Falko, I want to thank you very much because I have done many of your tutorials and I have been free of mistakes :) THANKS A LOT brother, keep working :) take CARE

By: Sascha

Hi Falko,

as always...great job! Thank you very much.
Everything is working, except with monit. Here's the error on restart of the service:

Starting daemon monitor: Syntax error:
monit: The SSL server PEM file '/usr/local/ispconfig/interface/ssl/ispserver.pem' must be owned by you.
/etc/monit/monitrc:8: Error: SSL server PEM file has too loose permissions '/usr/local/ispconfig/interface/ssl/ispserver.pem'

In fact, the file is owned by "ispconfig" rather than "root", which I presume munin expects.

What can i do?
Thank you very much

Sascha

By: monnoliv

Congratulations Falko, first time right!

Send me your photo, I'll create a bust in your effigy and I'll place it next to my PC :-)

 Thanks a lot,

 Olivier

By: Carlos Utrera

Although the certs are working for Postfix, Courier, ... they seem not to work in Apache. I have tested my site server.todo-host.com and it has a default cert. What could be the problem? CentOS 6.2 + Apache + Postfix + Courier + ISPConfig 3.

I also have to mention that httpd get me this error when i restart:

Starting httpd: httpd: Could not reliably determine the server's fully qualified domain name, using server.todo-host.com for ServerName

[Fri Sep 13 18:58:46 2013] [warn] NameVirtualHost 80.82.222.129:443 has no VirtualHosts

[Fri Sep 13 18:58:46 2013] [warn] NameVirtualHost *:80 has no VirtualHosts

[Fri Sep 13 18:58:46 2013] [warn] NameVirtualHost *:443 has no VirtualHosts

[Fri Sep 13 18:58:46 2013] [warn] NameVirtualHost *:80 has no VirtualHosts

[  OK  ]

You could test here: https://sslcheck.globalsign.com/es/sslcheck - if you look up server.todo-host.com you get a cert that seems to be the one first created in ISPConfig.

By:


CORRECT WORKING CONFIG FORMAT

[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca = </usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]

INCORRECT OBSOLETE CONFIG FORMAT

[...]
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]

By: mlmateos

PureFTPd 

To allow FTP and TLS sessions, run

echo 1 > /etc/pure-ftpd/conf/TLS

Then restart PureFTPd:

service pure-ftpd-mysql restart

By: till

This command is already run in the perfect server guides. You have to run it a second time here only if you forgot to enable TLS in the ISPConfig setup tutorial.

By: zustudios

For step 8 all commands got "no such file or directory" (CentOS 7).

By: till

This tutorial is for Debian and Ubuntu only. From the first page of this guide: "This guide assumes you use Debian or Ubuntu".

By: Tuumke

Having troubles with the TLS of postfix... argh

 postfix/smtpd[28988]: cannot load Certificate Authority data: disabling TLS support

main.cf

smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

By: CSoellinger

At postfix and dovecot i did one more step...

...

cd /etc/postfix

...

ln -s /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt caroot.crt


now using

postconf -e 'smtpd_tls_CAfile = /etc/postfix/caroot.crt'

.... at dovecot (and/or others) you also can change the path to /etc/postfix/caroot.crt instead of /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt :)


Nothing happens here... it's just a link like the other two files ;)

By: DonMcCoy

For everyone with Postfix complaining about disabling TLS support, the problem is the following line (in /etc/postfix/master.cf):

smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt

This is wrong according to the Postfix documentation on building TLS (Build TLS in Postfix). So, without much reading, the fix is that the CA file should be a .pem file; replace the line with the .pem file that was created in this tutorial:

smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/ispserver.pem

or simply do:

postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/ispserver.pem'

And finally, we are really thankful for this great post.