Securing Your ISPConfig 3 Installation With A Free Class1 SSL Certificate From StartSSL - Page 2
4 ISPConfig Interface (Apache2)
If you use ISPConfig 3 with Apache, open /etc/apache2/sites-available/ispconfig.vhost...
vi /etc/apache2/sites-available/ispconfig.vhost
... and add the line SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt to the # SSL Configuration section (please be aware that you have to re-add that line whenever you update ISPConfig!):
[...]
# SSL Configuration
SSLEngine On
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
## must be re-added after an ISPConfig update!!!
SSLCertificateChainFile /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt
[...]
(Adjust this if you use a Class2 certificate.)
Restart Apache afterwards:
/etc/init.d/apache2 restart
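Because an ISPConfig update rewrites ispconfig.vhost and drops the SSLCertificateChainFile line, the following added helper (not part of the tutorial or of ISPConfig) re-inserts it only when it is missing. The file name and chain path are the ones used above; the function names are our own.

```shell
#!/bin/sh
# Re-add the SSLCertificateChainFile directive to the ISPConfig Apache vhost
# after an update has removed it. Idempotent: a second run changes nothing.
# Added example; paths come from the tutorial, function names are ours.

CHAIN=/usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt

# ensure_chain_line VHOST_FILE
# Exit status 0 if the directive is present afterwards, 1 if the file has no
# SSLCertificateKeyFile directive to anchor the insert (wrong file).
ensure_chain_line() {
    vhost="$1"
    if grep -q "^[[:space:]]*SSLCertificateChainFile[[:space:]]" "$vhost"; then
        return 0    # already present, nothing to do
    fi
    if ! grep -q "^[[:space:]]*SSLCertificateKeyFile[[:space:]]" "$vhost"; then
        return 1    # not the SSL vhost we expect, refuse to touch it
    fi
    # Insert the directive (with the reminder comment) right after the key line.
    tmp="$vhost.tmp.$$"
    awk -v chain="$CHAIN" '
        { print }
        /^[[:space:]]*SSLCertificateKeyFile[[:space:]]/ {
            print "  ## must be re-added after an ISPConfig update!!!"
            print "  SSLCertificateChainFile " chain
        }' "$vhost" > "$tmp" && mv "$tmp" "$vhost"
}

# chain_line_count VHOST_FILE: how many SSLCertificateChainFile directives exist
chain_line_count() {
    grep -c "^[[:space:]]*SSLCertificateChainFile[[:space:]]" "$1"
}
```

Run it as root after every ISPConfig update and then restart Apache as shown above; a count other than 1 from chain_line_count means the vhost needs a manual look.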
5 ISPConfig Interface (nginx)
On nginx, all you have to do is append the intermediate certificate to the ispserver.crt file (please adjust this if you use a Class2 certificate)...
cat /usr/local/ispconfig/interface/ssl/startssl.sub.class1.server.ca.crt >> /usr/local/ispconfig/interface/ssl/ispserver.crt
... and reload nginx:
/etc/init.d/nginx reload
6 Postfix
For Postfix, we make backups of /etc/postfix/smtpd.cert and /etc/postfix/smtpd.key and create symlinks to /usr/local/ispconfig/interface/ssl/ispserver.crt and /usr/local/ispconfig/interface/ssl/ispserver.key:
cd /etc/postfix
mv smtpd.cert smtpd.cert_bak
mv smtpd.key smtpd.key_bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
Next we add the smtpd_tls_CAfile directive to /etc/postfix/main.cf...
postconf -e 'smtpd_tls_CAfile = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt'
(Please adjust this if you use a Class2 certificate.)
... and restart Postfix:
/etc/init.d/postfix restart
7 Dovecot
Open /etc/dovecot/dovecot.conf...
vi /etc/dovecot/dovecot.conf
For Dovecot 1.x:
... and add the line ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt (please be aware that you have to re-add that line whenever you update ISPConfig!):
[...]
ssl_cert_file = /etc/postfix/smtpd.cert
ssl_key_file = /etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca_file = /usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]
(Adjust this if you use a Class2 certificate.)
For Dovecot 2.x:
... and add the line ssl_ca = </usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt (note the leading < in Dovecot 2.x, which tells Dovecot to read the file; please be aware that you have to re-add that line whenever you update ISPConfig!):
[...]
ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key
## must be re-added after an ISPConfig update!!!
ssl_ca = </usr/local/ispconfig/interface/ssl/startssl.chain.class1.server.crt
[...]
(Adjust this if you use a Class2 certificate.)
Restart Dovecot afterwards:
/etc/init.d/dovecot restart
8 Courier
Create backups of /etc/courier/imapd.pem and /etc/courier/pop3d.pem...
mv /etc/courier/imapd.pem /etc/courier/imapd.pem.bak
mv /etc/courier/pop3d.pem /etc/courier/pop3d.pem.bak
... and then symlink them to /usr/local/ispconfig/interface/ssl/ispserver.pem:
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/courier/imapd.pem
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem /etc/courier/pop3d.pem
Restart Courier afterwards:
/etc/init.d/courier-imap-ssl stop
/etc/init.d/courier-imap-ssl start
/etc/init.d/courier-pop-ssl stop
/etc/init.d/courier-pop-ssl start
9 PureFTPd
Create a backup of /etc/ssl/private/pure-ftpd.pem...
cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem_bak
... and create a symlink to /usr/local/ispconfig/interface/ssl/ispserver.pem:
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
Restart PureFTPd afterwards:
/etc/init.d/pure-ftpd-mysql restart
10 Monit
Monit is not part of the "Perfect Server" setups for ISPConfig 3, but if you have it installed and use its web interface over https, here's how you can use the StartSSL certificate so that the certificate warnings go away.
Open /etc/monit/monitrc...
vi /etc/monit/monitrc
... and specify /usr/local/ispconfig/interface/ssl/ispserver.pem in the PEMFILE line, e.g. as follows:
[...]
set httpd port 2812 and
    SSL ENABLE
    PEMFILE /usr/local/ispconfig/interface/ssl/ispserver.pem
    allow admin:secret
[...]
Restart monit afterwards:
/etc/init.d/monit restart
11 Links
- StartSSL: http://www.startssl.com/
- ISPConfig: http://www.ispconfig.org/
About The Author
Falko Timme is the owner of Timme Hosting (ultra-fast nginx web hosting). He is the lead maintainer of HowtoForge (since 2005) and one of the core developers of ISPConfig (since 2000). He has also contributed to the O'Reilly book "Linux System Administration".