How to Install a Comodo InstantSSL Certificate for ISPconfig Apache, Postfix, Imap & Pop on an Ubuntu Server Generating and Obtaining the Certificate 1.You must generate a Certificate Signing Request (CSR) on your webserver. You did this when you installed ISPConfig, but its probably a good idea to do again so that you can make sure everything is entered correctly. Follow these directions to re-generate the ISPconfig certificate http://www.howtoforge.org/faq/14_63_en.html Important: When you are re-generating your certificate, please ensure that the Common Name (CN) you use is ONE of the following: your Fully Qualified Domain Name (e.g. "secure.yourdomain.com") the Full Server Name of your internal server (e.g. "techserver") your Private IP address (e.g. "192.168.0.1") The common name is what people will use to access your server. For example: if your common name is mail.myserver.com then you will acccess ISPconfig with the following link: https://mail.myserver.com:81/ In your email application you will also use mail.myserver.com for incoming and outgoing server. 2.Your CSR is located here: /root/ispconfig/httpd/conf/ssl.csr/server.csr Copy the text in this file. You will need to paste the text into the CSR box when purchasing your certificate. 3.Goto http://www.instantssl.com/ and purchase a certificate or get the free trial. During the certificate sign up process, choose Apache-ModSSL where it asks for the server software used to generate the CSR. You must use exactly the same Common Name (CN) as you used above when generating your CSR. 4.Finish the certificate sign up process. Once you are approved, you may download your certificate files. ------------------------------------------------------------------------------------- ISPconfig Apache Certificate Installation 1.On your web server go to this directory: /root/ispconfig/httpd/conf/ssl.crt and make a backup copy of server.crt. Rename the purchased certificate (example: mail_myserver_com.crt) to server.crt and save it into the above directory replacing the existing server.crt. Warning: always make a backup copy of any file you change or replace in this How-to. If you don't get something right, your ISPconfig will not start and you will need to undo all changes by using your backup copies. 2.Copy the file ca-bundle file to this directory: /root/ispconfig/httpd/conf/ssl.crt 3.Edit the file /root/ispconfig/httpd/conf/httpd.conf and add this line: SSLCertificateChainFile /root/ispconfig/httpd/conf/ssl.crt/mail_myserver_com.ca-bundle Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file. 4.restart ispconfig: /etc/init.d/ispconfig_server restart 5.Now you should not get any errors when you access your site. Example: https://mail.myserver.com:81/ 6.If ispconfig does not restart and you cannot figure out why, use your backup files to replace the files you changed and try to restart ispconfig again. -------------------------------------------------------------------------------------- Postfix Certificate Installation 1.Make a backup copy of cacert.pem, smtpd.crt, smtpd.key in /etc/postfix/ssl Save the bundle file (*.ca-bundle ) as cacert.pem in the above directory replacing the existing file. 2.Save a copy of your server.crt file as /etc/postfix/ssl/smtpd.crt 3.Save a copy of your server.key file as /etc/postfix/ssl/smtpd.key 4.Make sure these lines are in /etc/postfix/main.cf smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem 5.restart postfix: /etc/init.d/postfix restart -------------------------------------------------------------------------------------- Courier Imap/Pop Certificate Installation 1.Navagate to /etc/courier/ and make backup copies of imapd.pem and pop3d.pem. 2.Copy server.crt (/root/ispconfig/httpd/conf/ssl.crt/server.crt) into a new file. Copy server.key (/root/ispconfig/httpd/conf/ssl.key/server.key) in to same file and save this file as /etc/courier/imapd.pem replacing the file that is there. The file should look something like this: -----BEGIN CERTIFICATE----- .................. -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- .................. -----END RSA PRIVATE KEY----- Ensure that there are NO blank lines between the certificate and key. 3.Copy your ca-bundle file to /etc/courier 4.Make sure these lines are in /etc/courier/imapd-ssl TLS_CERTFILE=/etc/courier/imapd.pem TLS_TRUSTCERTS=/etc/courier/mail_myserver_com.ca-bundle Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file. 5.restart imap-ssl: /etc/init.d/courier-imap-ssl restart 6.Make a copy of imapd.pem and save it as pop3d.pem 7.Make sure these lines are in /etc/courier/pop3d-ssl TLS_CERTFILE=/etc/courier/pop3d.pem TLS_TRUSTCERTS=/etc/courier/mail_myserver_com.ca-bundle Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file. 8.restart pop3d-ssl /etc/init.d/courier-pop-ssl restart Congratulations, you are finished. Hope this helps someone. Please comment if you can make these directions better. ------------------------------------------------------------------------------------- Ownership and permissions on the certificate files are important: -r--r----- 1 root root 1230 Jun 7 18:24 mail_myserver_com.ca-bundle -r--r----- 1 root root 2030 Jun 7 19:29 server.key -------------------------------------------------------------------------------------- sources: https://support.comodo.com/index.php_m=knowledgebase&_a=viewarticle&kbarticleid=264 http://www.instantssl.com/ssl-certificate-support/email-certificate/courier-imap.html http://www.instantssl.com/ssl-certificate-support/email-certificate/postfix.html http://www.howtoforge.com/forums/showthread.phpt=12854&highlight=ispconfig+real+certificate
ISPConfig website and SSL Cert install Okay, so this article was helpful. My cert is installed and I can get into the ISPConfig admin GUI okay with the EV SSL encryption. However, I did NOT use ISPConfig's built in SSL cert generation/install for ISPConfig managed websites to create the CSR to send to COMODO. Instead, I followed COMODO's instructions for generating the CSR for my EV SSL certificate from the command line. The EV SSL that I installed per the instructions in this article is working with fine with the ISPConfig admin GUI, but it is not working for the site that I had configured inside of ISPConfig. How can I install this cert to work with my ISPConfig created website? My main server FQDN is www.fullcolorenv.com, the site that I set-up/configured in ISPConfig is also www.fullcolorenv.com. Not sure if this is important, but there it is. I attempted to install the COMODO provided crt and server generated key and csr files into my ISPConfig configured web account's 'ssl' directory, but after I do this and restart ISPConfig, when I attempt to go to https://www.fullcolorenv.com, I am getting messages that the site is not trusted because the certificate appears to be self signed. I notice that there is a key.org file in that directory too, what is this file? I tried installing the ca-bundle that I received from COMODO in my site's ssl folder as the key.org file, but that didn't do anything either. I have gone into the Vhost config file found in /etc/apache2/vhosts and made sure that the ssl directives are pointing to the appropriate files, I added the SSLCACertificateFile directive and pointed it to the ca-bundle that I copied into my site's ssl directory. Still, I get the "untrusted" message. I then just outright pointed those directives to where I installed the certificate using the instructions in the post above, and this time I can see a page, but there is a alert message that some items on the page are not encrypted. So I feel that I am close, but I want the site as ISPConfig created it, to work like ISPConfig expects it too....