Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate

Author: ahrasis

This tutorial shows how to create and configure a free Let's encrypt SSL certificate for the ISPconfig interface (port 8080), the email system (Postfix and Dovecot/Courier), the FTP server (pure-ftpd) and Monit. The commands in this tutorial have been tested on Ubuntu 16.04, they should work for Debian as well. Certain modifications may be necessary to make it work on CentOS.

Help on this guide is available in this forum thread.

Creating A Website Using ISPConfig Server Hostname FQDN

Create a site for your server in ISPConfig panel via Sites > Website > Add new website. Remember! This is your server website and as such it must contain your server fully qualified domain name (FQDN). I will refer to it as `hostname -f` in this guide.

hostname -f

Hopefully, it will work without any changes to your server as well.

Accessing ISPConfig Website Online

Check if your server site is ready and accessible online as Let's Encrypt needs to verify your website is accessible before issuing SSL key, certificate and chain file for your server site. You also have to create its DNS zone and allow it to properly propagate as Let's Encrypt needs to verify it too.

Enabling SSL For ISPConfig 3 Control Panel (Port 8080)

If you haven't enabled SSL during ISPConfig setup i.e. for its control panel at port 8080, enable it by typing in the terminal and select yes for SSL. We don't need this to be a proper key nor do we want to keep it but we want to work faster, thus we can simply enter for all of its fields. When you finished this, the self-signed SSL should already be enabled for your ISPConfig.

Checking SSL For ISPConfig 3 Control Panel (Port 8080)

Check your browser to confirm by opening ISPConfig control panel at port 8080. Note that you might get some warning at this stage since the created SSL files are self-signed but the browser will confirm that your ISPConfig has SSL enabled or otherwise.

Securing ISPConfig Website With Let's Encrypt SSL

If the above is done, go back to ISPConfig panel > Sites > Website > Website Name, then click SSL and Let's Encrypt check buttons and save - to create Let's Encrypt SSL files and enable them for your server site. If successful your server site shall now be using this Let's Encrypt SSL files but not your ISPConfig 8080 page. If unsuccessful, you will not be able to proceed further, so do check its log file for a clue.

Changing ISPConfig 3 Control Panel (Port 8080)

If LE SSL is already working, then go to your server terminal, go root via sudo su and use the following command to backup and replace the created self-signed SSL files with Let's Encrypt SSL files.

cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
  • If you haven't created ispserver.pem before, you may ignore the third line which is aimed at renaming the existing one, if any, as a backup.
  • ote that we are using Let's Encrypt live folder instead of archive folder.
  • Also note the last line where ispserver.pem is created by combining files, thuswise, it will not be automatically renewed by Let's Encrypt unlike other files which we merely symlinked them, thus, we will deal with this in the last part of this guide.
  • Note also that you either type in `hostname -f` or as the result is the same because `hostname -f`is

Using The Same Let's Encrypt SSL Certs For Other Major Services

As additional tips, based on Securing Your ISPConfig 3 Installation you may want to use symlink to ispserver.key or .crt or .pem instead of directly pointing your postfix, dovecot, courier, pure-FTPd and monit to Let's Encrypt SSL files. For dovecot, if it is already using postfix SSL files, it is safe for you to ignore it. In details you only need to do the followings:

a. For Postfix

cd /etc/postfix/
mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.crt smtpd.cert
ln -s /usr/local/ispconfig/interface/ssl/ispserver.key smtpd.key
service postfix restart
service dovecot restart

b. For dovecot: (* Note this shouldn't exist together with courier)

Check if this code exist by using nano /etc/dovecot/dovecot.conf

ssl_cert = </etc/postfix/smtpd.cert
ssl_key = </etc/postfix/smtpd.key

Leave them as they are if they exist. Otherwise, fix them. In any event, run service dovecot restart is already covered above.

c. For courier: (* Note this shouldn't exist together with dovecot)

cd /etc/courier/
mv imapd.pem imapd.pem-$(date +"%y%m%d%H%M%S").bak
mv pop3d.pem pop3d.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem imapd.pem
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pop3d.pem
service courier-imap-ssl stop
service courier-imap-ssl start
service courier-pop-ssl stop
service courier-pop-ssl start

d. For pure-FTPd:

cd /etc/ssl/private/
mv pure-ftpd.pem pure-ftpd.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem
chmod 600 pure-ftpd.pem
service pure-ftpd-mysql restart

e. For monit: (If you have it installed in your server)

nano /etc/monit/monitrc

Add the above symlink to ispserver.pem we created for pure-ftpd in here as well:

set httpd port 2812 and
PEMFILE /etc/ssl/private/pure-ftpd.pem
allow admin:'secretpassword'

And restart monit:

service monit restart

Create Auto Renewal Script For Your ISPConfig Pem File (ispserver.pem)

In this last step, which I haven't found in any guide so far, is the automatic update of ispserver.pem as earlier hinted. Currently, it have to be manually changed right after Let's Encrypt automatically renewed your server SSL files. To avoid overlooking this, you may want to install incron as suggested in the respective incron tutorial and create a script to automatically update your ispserver.pem file, as follows:

Via terminal command, install incron, then create the script file and edit it using nano:

apt install -y incron
nano /etc/init.d/

Add this in the

# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Description: Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
cd /usr/local/ispconfig/interface/ssl/
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
chmod 600 /etc/ssl/private/pure-ftpd.pem
service pure-ftpd-mysql restart
service monit restart
service postfix restart
service dovecot restart
service nginx restart
  • Note some people do not install monit, so they can safely remove it. Do adjust the above script accordingly.
  • For multi-server setup, do refer to post #203 and add the given scp code in here to automate future update.

We then make it executable, add root as an allowed user for incrontab and then edit incrontab file:

chmod +x /etc/init.d/
echo "root" >> /etc/incron.allow
incrontab -e

Add this line in it incrontab:

/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/

Restarting Your Services

I think that is about it for Securing Your Server With Let's Encrypt. You may want to restart your web server afterwards.

service nginx restart

Remember: if you are using apache, change nginx to apache2 accordingly.


As an alternative, you might want to use LE4ISPC script created for this purpose which supports both nginx and apache2 from ISPConfig up to pure-ftpd above except for monit. Before using it, you should already have completed the above steps (1-5) and have :

1. Created the website for your server via ISPConfig;
2. The website accessible online;
3. ISPConfig SSL enabled (via installation or update);
4. LE SSL successfully enabled for the website.

Share this page:

Suggested articles

43 Comment(s)

Add comment


By: fsisti at: 2018-02-14 09:08:05

Thank you for the tutorial

How can I test if the auto-renew script renewal works well?With the icrontab -l command I get this, is it correct?

/etc/letsencrypt/archive/$(hostname 0 IN_MODIFY ./etc/init.d/

By: Tobias Rücker at: 2019-02-06 08:21:35

I don't think so, try the real hostname. 

By: Werner at: 2019-04-05 08:23:41

I had the same.


This is incorrect:

/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/

The space in the $(hostname -f)-part will break processing. 

Instead, type out the full hostname of your server in that line:

/etc/letsencrypt/archive/ IN_MODIFY ./etc/init.d/

This will respect the incrontab format:

 <path> <mask> <command>

More on this incrontab man page.

By: Marc at: 2018-02-15 22:13:19

Thanks for this tutorial.

I’ve a suggestion. Instead of symlinking '/etc/letsencrypt/live/…' one should symlink the SSL certs in the SSL folder of the website ('/var/www/clients/clientX/webY/ssl/…') as Till suggests here:

Problem is that the LE path can change under some circumstances described in the issue mentioned above.

By: Tom Dings at: 2018-02-17 12:16:22

Thanks. Really interesting piece of information. May I ask how you will do the 'trick' when the setup of IspConfig is done with more than one server ?First thought ... Copying the same certificates to the other servers I guess ? Requesting new ones isn't a good idea I guess. Really like to know how to solve such a setup. Enjoy your weekend!

By: ludo at: 2018-02-17 14:28:05

Thank for this tutorial. And for the auto-renew script!

How can I add mail subdomain (mail.domain.tld) in the LE certificate. At this time, I have only domain.tld and www.domain.tld in the LE certificate, accroding to: openssl x509 -in /etc/letsencrypt/live/domain.tld/fullchain.pem -noout -text

By: onastvar at: 2018-02-19 05:36:15

Will my clients need to update their email settings on their devices if I was to install SSL on my server. It says in description: "This tutorial shows how to create and configure a free Let's encrypt SSL certificate for the ISPconfig interface (port 8080), the email system (Postfix and Dovecot/Courier), the FTP server (pure-ftpd) and Monit."?

By: ustoopia at: 2018-03-19 19:37:03

Very usefull! Thanks for this great tutorial!

By: Keldan at: 2018-04-15 15:15:39

Hi !

Good Job, but there is an error in syslog for pure-ftpd. pure-ftpd-dhparams.pem is missing.

So, add ln -s /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd-dhparams.pem and service pure-ftpd-mysql restart.


By: Bjoern at: 2018-07-11 12:24:10

Or use after ln -s /usr/local/ispconfig/interface/ssl/ispserver.pem pure-ftpd.pem:


openssl dhparam -out /etc/ssl/private/pure-ftpd-dhparams.pem 2048

and restart

service pure-ftpd-mysql restart

By: SamTzu at: 2018-04-20 13:31:43

#These lines work better as a script for a

cd /usr/local/ispconfig/interface/ssl/mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bakmv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bakmv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bakln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crtln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.keycat /usr/local/ispconfig/interface/ssl/ispserver.key > /usr/local/ispconfig/interface/ssl/ispserver.pemcat /usr/local/ispconfig/interface/ssl/ispserver.crt >> /usr/local/ispconfig/interface/ssl/ispserver.pemchmod 600 ispserver.pem

By: SamTzu at: 2018-04-20 14:18:31

Great job putting all of this together. Thx. PS. Remember always to use full paths on scripts.

By: cmd74 at: 2018-04-20 16:54:45

apache2 cannot restart after following this. I will note I dont have ispserver.pem

By: till at: 2018-04-20 17:11:35

Then you missed some commands from the tutorial, the file gets created in these lines:

cd /usr/local/ispconfig/interface/ssl/

cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem

By: mixonic at: 2018-04-22 13:41:25

OS: Debian 9 Stretch

ISP version: 3.1.11


first of all thanks for tut  :) .

I have some issues with instalation LE for my ISP CP ... I followed this guide for ISP installation, and also I installed self signed cert during setup. I created website exact as my server hostname (btw. its the first site in my ISP) as you said, but when I check in browser I get only Apache page, also when I check SSL an LE flags they disappear after ISP page refresh.

LE was installed with this command: sudo apt-get install python-certbot-apache -t stretch-backports

and command sudo certbot --authenticator webroot --installer apache

at step when ask which names would you like to activate HTTPS for I press c just to activate LE, later with same command above I try to install cert for server website. At step input webroot I put /var/www/clients/client1/web1/web regulary, but after that I get error:

Failed authorization procedure. (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://---/.well-known/acme-challenge/uCeBBgn4hIBBL_6c741y2OAtLxne6ij-o8Xncftu-ik: Timeout after connect (your server may be slow or overloaded)



 - The following errors were reported by the server:



   Type:   connection

   Detail: Fetching


   Timeout after connect (your server may be slow or overloaded)


   To fix these errors, please make sure that your domain name was

   entered correctly and the DNS A/AAAA record(s) for that domain

   contain(s) the right IP address. Additionally, please check that

   your computer has a publicly routable IP address and that no

   firewalls are preventing the server from communicating with the

   client. If you're using the webroot plugin, you should also verify

   that you are serving files from the webroot path you provided.


Any help please :)



By: Ed at: 2018-05-06 07:24:08

Hello, after following this tutorial, I get an IDS (intrusion detection alert). Is this because I have added the incron user? IS there anything I should do, like re-run the IDS script?



By: Poliman at: 2018-05-08 06:08:32

I was looking for the solution of providing auto renewal for ispserver.pem file without install any additional software. I perform some script, which after add to cron checks date of fullchain.pem and privkey.pem and compare them to default values. These default values each user has to set on his own for privkey.pem and fullchain.pem from convert their dates (enter directory /etc/letsencrypt/live/ and simple "ls -l") to epoch format using for example

#!/bin/bash#This script is developed for renewing cert used by Monit and other applications,#which will have provided Let's Encrypt certs#add to cronjob each midnight#epoch format of .key and .crt files - user need to configure this manuallyepoch_ispcrt_default=1520924890epoch_ispkey_default=1520924890ispcrt_date_current=`stat -c "%y" /etc/letsencrypt/live/`ispkey_date_current=`stat -c "%y" /etc/letsencrypt/live/`#epoch format for current files modification datesepoch_ispcrt=`date -d "$ispcrt_date_current" +%s`epoch_ispkey=`date -d "$ispkey_date_current" +%s`#left value has to be greater than right valueif [ $epoch_ispcrt -gt $epoch_ispcrt_default ] && [ $epoch_ispkey -gt $epoch_ispkey_default ]then    $epoch_ispcrt_default=$epoch_ispcrt    $epoch_ispkey_default=$epoch_ispkey        cd /usr/local/ispconfig/interface/ssl        if [ -f "ispserver.pem" ]    then        mv ispserver.pem ispserver.pem-`date +"%y-%m-%d-%H:%M:%S"`.bak    fi        cat ispserver.{key,crt} > ispserver.pem    chmod 600 ispserver.pem        #restarting required services    service monit restartelse    #log_file.log will be created in path /usr/local/ispconfig/interface/ssl    echo "Log-->$(date +%y-%m-%d-%H:%M:%S) Compare thinks that variables are even or less, so we don't have to do anything with ispserver.pem." >> log_file.logfi

By: Mani9833 at: 2018-08-21 11:16:54

After installing the SSL with the above steps, Once the server restarted can not able to start the Httpd service.What needs to be changed to get it done. Please suggest.

By: till at: 2018-08-21 11:22:58

There is nothing that needs to be changed in the tutorial, the described steps are fine, I used them many times with success. Probably Let's encrypt did not issue a cert for your domain which causes Apache to fail now. If you need help in debugging why LE was not able to issue the SSL cert, then please post in the Forum here at HowtoForge.

By: Gruppo Pegaso at: 2018-08-22 10:04:09

Got only an error on monit. I have the folder but i'm not sure it is working:

[email protected]:/etc/monit/monitrc.d# cd [email protected]:/etc/monit# lsmonitrc  [email protected]:/etc/monit# service monit restartFailed to restart monit.service: Unit monit.service not [email protected]:/# /etc/init.d/monit restart-bash: /etc/init.d/monit: File o directory non esistente

By: till at: 2018-08-22 10:33:13

Then you probably don't have monit installed.

By: Ed at: 2018-08-27 07:39:16


I followed this exactly and we are not receiving any mail. everything elso is great , including LE ssl.  (I notice that dovecot - I believe that's where the problem is - it is rejecting all clients hosts ( 554 5.7.1 <[valid-ipv4]>: Client host rejected:

    Access denied (in reply to RCPT TO command))

I notice that dovecot looks for the .cert and .key in /etc/postfix/ and what we have done is rename those cert and key and provided symbolic links to the ispconfig cert and key, in /usr/local/ispconfig/interface/ssl/, which aren't really there, because they have been renamed and symbolic links have been created to the lets encrypt files, at /etc/letsencrypt/live/ which arent't really there either - they haven't been renamed, rather all that is there are symbolic links to the actual cert.pem and other files. Is this valid? to have 3 or 4 symbolic links chained like that? See this error message - could this be killin goff dovecot, so that we are receiving no messages?  Thanks for your help - otherwise works great!

Aug 27 08:41:40 server1 postfix/postfix-script[20093]: warning: symlink leaves directory: /etc/postfix/./smtpd.key Aug 27 08:41:40 server1 postfix/postfix-script[20096]: warning: symlink leaves directory: /etc/postfix/./smtpd.cert Aug 27 08:41:52 server1 dovecot: master: Warning: Killed with signal 15 (by pid=20154 uid=0 code=kill)

By: Ed at: 2018-08-27 08:13:14

Hello again, (I just sent a for submission about symlings and postfix killing off dovecot)

We are receiving email now - we had an error in a postfix file that I corrected. I thought that there was some limit on symlink recursion, adn the error/warning message was bizarre.





By: adrastea at: 2018-09-02 09:28:47

Thank you for the tutorial!

In my case, the letsencrypt script does not creat a certificate.

In my log, I found the following error message:

KeyError: 'Directory field not found'

What can I do?

By the way: I use this function for lots of domains on my server but it fails for the servername itself.

I use the output hostname -f in this case.

By: JohnnyBeGood at: 2018-10-13 19:00:07

I was getting errors

"[email protected]:/usr/local/ispconfig/interface/ssl# cat ispserver.{key,crt} > ispserver.pem

cat: ispserver.key: No such file or directory

cat: ispserver.crt: No such file or directory"

when trying to follow this tutorial because I did not had under Site > websites and enabled SSL and Let's Encrypt SSL. 

After I created under  Site > websites and enabled SSL I was able to go pass this error. You have to have site what ever hostname -f prints.

Hope Hope it helps someone!

By: Sunghost at: 2018-11-29 12:00:57


if i understand this right, than customers should call FTP Servername via FQDN and not e.g. via there Domainname, right? If so, is it possible to set an 'DNS Alias like ftp.domain.tld so customers can easier remembert this?

By: Robert Heessels at: 2018-12-15 13:28:02

On my brand new Ubuntu 18.04/Ispconfig 3.1 install, the certificate is only created if I skip the Lets Encrypt check:System > Server Config > Click on the server > Web > SSL Settings (at bottom of page) > Skip Lets Encrypt Check

By: David at: 2019-01-04 16:40:16

I have an Ubuntu 16.04 server with ISPConfig 3.1, and I use Cloudflare to manage DNS. I'm trying to secure ISPConfig 3.1 Control Panel (Port 8080) with a Free Let's Encrypt SSL Certificate, by following this tutorial. I created the server website containing the FQDN. However, when I try to access through the browser, it keeps redirecting to another website I created beforehand. I checked the website folder and it is created with the default website. What should be the problem? Thank you for your help

By: Isterklister at: 2019-01-13 21:54:45

It workes perfect but I'm using Thunderbird as e-mail software and Thunderbird requires intermediate certificate, full chain, but this is not included in this tutorial I guess. can I add this to the fullchain.pem or some other file?

By: c3n at: 2019-02-06 09:27:46

If You follow tutorial (especially first steps for postfix) it must works! I checked it on several IPs. The only problem is that sometimes I got non working SSL on 993 465 ports because of some incorrect settings in, -- that is why it is crucial to setup those files correctly. 

Debian 8/9 and android mail, thunderbird, outlook 365 all working fine with TLS/SSL. 

I suggest to create website for hostname (server) in ISPCONFI for example (rev name)

than when website is active and DNS records ( are pointed to IP correctly U can issue letsencrypt via website configuration. Than i suggest create additional DNS records pointing to domains:,,

after created make simple ALIASDOMAIN FOR WEBSITE pointing smtp,imap,pop3 to website 

after this U will have all subdomains (mail,smtp,imap,pop3) with letsencrypt issued. 

I suggest this because most of MUA will guess serwer host... and than You will get for example and with SSL error.

Forcing users to use one is OK, but in real life better to create simple solutions.

By: Richard Bignell at: 2019-01-23 22:15:49

Great guide.  Thank you.

By: Karsten at: 2019-02-11 13:16:58


if I check the line I added to incrontab after I saved it, its not the same anymore:

"/etc/letsencrypt/archive/$(hostname     IN_ALL_EVENTS   IN_MODIFY ./etc/init.d/"

incrontab seems to cut it after "hostname" and adds an "IN_ALL_EVENTS". Why?

By: P75 at: 2019-02-24 15:18:31


Does this will be broken in case of updating to ISPConfig v3.1.13p1 with ?

By: Jaume at: 2019-03-05 15:05:49

Hi, I've the problem defining  the virtual host...i'll try to explain.

I access ispconfig

I define the site in ispconfig

When I put in the browser, appears roundcube page instead of landing ispconfig page.

I don't know where to look for.


By: Werner at: 2019-04-05 08:35:16

Impressed. Worked in one go. As opposed to Froxlor. Where I ended up not using Froxlor at all and editing all conf's manually and using certbot-auto for LE... +1 for ISPConfig.

For me, the best admin panel start ever ;-) Thanks!

By: rick at: 2019-04-12 13:55:31

This works even better over a free Cloudflare setup activating their full encryption but NOT immediately. It takes 24 hours for everything to accept the new certificate on port 8080 en give a secure connection. After that ...great!

By: Vic at: 2019-04-15 22:28:52

If you create a subdomain with port 8080 will it work??? Without all this hazEl

By: Aina Manoa Ratefiarison at: 2019-05-01 19:14:10


I made a quick script to automate all console manipulations:

Hope that this will help some peoples.

By: mrbronz at: 2019-07-28 14:21:29

???? :-( 

"Check if your server site is ready and accessible online.... (Check) 

as Let's Encrypt needs to verify your website is accessible before issuing SSL key, certificate and chain file for your server site.

You also have to create its DNS zone and allow it to properly propagate as Let's Encrypt needs to verify it too. (WHAT???)

So seeing as this is an how to please give instructions 

By: mrbronz at: 2019-08-02 13:16:38

How do I know if LE SSL is already working or not? you don't explain enough!

By: till at: 2019-08-02 13:56:29

Open the URL of the website with https in the browser, then you know if it's working.

By: Freebox at: 2019-08-05 11:08:42

https://my.server.domain - OK

https://my.server.domain:8080 - on site: "Possible attack detected. This action has been logged."


By: till at: 2019-08-05 12:35:59

This means that you probably run other software on the same http port / domain which has sent a cookie that contains data which has been detected as an attack against ISPConfig. You can switch off the IDS system in /usr/local/ispconfig/security/security_settings.ini when you have such a system setup.