Integrate Let's Encrypt SSL certificates into ISPConfig

Discussion in 'Feature Requests' started by gkovacs, Sep 14, 2015.

  1. till

    till Super Moderator Staff Member ISPConfig Developer

    I guess that site b and c have not ssl enabled, check their vhost files. You might have tried to enable LE there and LE failed to create the cert so that ssl was disabled again due to the missing ssl cert. What you describe is the default behaviour of the nginx webserver in such a case and not related to the use of letsencrypt or ispconfig. When no vhost exists on a given port (443 in this case), then nginx will show the content of the first website that it finds on the same port in alphabetical order.
     
  2. theoldgit

    theoldgit New Member

    Hi till, thanks for prompt response.

    Checked ssl directory in /var/www/<website>/ssl and only have information in A.com for A.com. B.com/ssl and C.com/ssl are both empty.

    I tried disabling SSL for A.com and generating LE for B.com, but still nothing gets written to B.com/ssl and https still works for A.com.

    Could you suggest a workaround? (Hide SSL for A.com and generate SSL for B.com). Or is this how it must be?

    (@ ahrasis - Don't want to share the Certificate, but seems to be what I am getting)
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The SSL from a, b and c are not related to each other. So that b and c failed is not related to the fact if a exists or has SSL. To see why B and C fail, take a look at the letsencrypt log file, the most likely reason for failing LE certs are problems with dns (e.g. a subdomain of the website does not exist in dns or points to a different server) or you rewrite requests in that site in a way that LE is not able to reach its verification token. But please make a new thread for that as it's not related to this old feature request you posted to.
     
  4. theoldgit

    theoldgit New Member

    Thanks till,

    Will do after further investigation.
     
  5. Ivko

    Ivko New Member

    Hi guys, i have a little problem. I'm pretty new in this "world". So i managed to get all my domains on the server certified and fully working with certbot. The problem is that i don't know how to make the ISPConfig panel be certified too.
    When i go to: mydomain.com it is OK HTTPS no problem but when i go to mydomain.com:8080 there is no trusted cert.
    So can you help me with this please?
     
  6. Ivko

    Ivko New Member

    Hi i'm just following your guide for the installed certbot/letsencrypt client, and i got a problem.
    When issuing:
    cat /usr/local/ispconfig/interface/ssl/ispserver.{key,crt} > /usr/local/ispconfig/interface/ssl/ispserver.pem
    i got
    cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
    cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory
    But ls -al shows that they are there:
    -rwxr-x--- 1 root root 45 Feb 23 00:24 empty.dir.bak
    lrwxrwxrwx 1 root root 45 Feb 24 14:22 ispserver.crt -> /etc/letsencrypt/live/benchwork/fullchain.pem
    -rwxr-x--- 1 root root 2069 Feb 23 00:24 ispserver.crt.bak
    -rwxr-x--- 1 root root 1724 Feb 23 00:24 ispserver.csr.bak
    lrwxrwxrwx 1 root root 43 Feb 24 14:22 ispserver.key -> /etc/letsencrypt/live/benchwork/privkey.pem
    -rwxr-x--- 1 root root 3243 Feb 23 00:24 ispserver.key.bak
    -rwxr-x--- 1 root root 3311 Feb 23 00:24 ispserver.key.secure.bak
    -rw-r--r-- 1 root root 0 Feb 24 14:45 ispserver.pem
     
    Last edited: Feb 24, 2017
  7. Ivko

    Ivko New Member

    Nevermind, found solution.
     
  8. Vengance

    Vengance New Member

    Would be great if you could also issue a certificate in the panel for the ispconfig domain.
     
  9. Ivko

    Ivko New Member

    Ok, how to point a domain to ispconfig itself and can that domain be a subdomain?
     
  10. sjau

    sjau Local Meanie Moderator

    not sure what you mean. By default, if you call port 8080 (or whatever port you use for ISPC), then the ISPC Interface will come. Independent of domain.
     
  11. Ivko

    Ivko New Member

    I don't know i just responded with a question on what @Vengance said:
    "Would be great if you could also issue a certificate in the panel for the ispconfig domain."

    P.S. i got it to work now, thank you very much!
     
  12. sjau

    sjau Local Meanie Moderator

    but what is the ispconfig domain? as said, when calling the according port the ISPC web config panel shows up.... no matter what domain you use.
     
  13. Ivko

    Ivko New Member

    You want me to give you one of the domains where i have ISPConfig on or what? I don't understand. As you said, whatever domain you call with port 8080 you will get ISPConfig. I don't have any dedicated domain specific to ISPConfig if that is what you mean.
     
    Last edited: Feb 25, 2017
  14. Poliman

    Poliman Member

    Hey mate. I have a self-signed cert for the ISP panel but in /usr/local/ispconfig/interface/ssl I have only empty.dir, ispserver.crt, ispserver.csr, ispserver.key, ispserver.key.secure. There is no ispserver.pem file. Next thing is that in /etc/letsencrypt/live/ I have only a directory for the website which is on my server. There is no directory with the name of my server. Second thing is that when I checked SSL and Let's Encrypt SSL and clicked Save and entered the settings of the newly created website, these two ssl options were not checked.
     
  15. sjau

    sjau Local Meanie Moderator

    The important files are:

    Code:
    /usr/local/ispconfig/interface/ssl/ispserver.key
    /usr/local/ispconfig/interface/ssl/ispserver.crt
    /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
    With the acme.sh client I run this command to have them updated:
    Code:
    acme.sh --installcert -d ispc.domain.tld --certpath '/usr/local/ispconfig/interface/ssl/ispserver.crt' --keypath '/usr/local/ispconfig/interface/ssl/ispserver.key' --fullchainpath '/usr/local/ispconfig/interface/ssl/ispserver.bundle' --reloadcmd 'systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix'
    
    Of course I first had to get the cert using:
    Code:
    acme.sh --issue --dns dns_ispconfig -d ispc.domain.tld -d mail.domain.tld -d mail.otherdomain.tld -d mail.thirddomain.tld --keylength 4096
    
     
  16. Poliman

    Poliman Member

    Ok, but I have two important files from these three - ispserver.crt, ispserver.key :)
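    The three files sjau lists, and the two ways this thread shows them going wrong (Ivko's dangling symlinks in post 6, Poliman's missing bundle just above), can be checked before reloading the web server. The script below is an added example written for this thread, not ISPConfig or acme.sh code; it assumes the default ssl directory path quoted above and inspects only PEM framing and file permissions, not certificate validity.

```python
import os
import re
import tempfile
from pathlib import Path

SSL_DIR = Path("/usr/local/ispconfig/interface/ssl")           # ISPConfig's default, per the thread
FILES = ("ispserver.key", "ispserver.crt", "ispserver.bundle")  # the three files sjau lists
CERT_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
KEY_BLOCK = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)


def check_ssl_dir(ssl_dir: Path = SSL_DIR) -> list[str]:
    """Return the problems found; an empty list means the three files look usable."""
    problems: list[str] = []
    for name in FILES:
        path = ssl_dir / name
        if path.is_symlink() and not path.exists():    # dangling link: cat's "No such file" (post 6)
            problems.append(f"{name}: symlink to {os.readlink(path)} does not resolve")
            continue
        if not path.is_file():
            problems.append(f"{name}: missing")         # e.g. no ispserver.bundle at all (post 16)
            continue
        text = path.read_text()
        if name == "ispserver.key":
            if not KEY_BLOCK.search(text):
                problems.append(f"{name}: no PEM private key block")
            if path.stat().st_mode & 0o004:
                problems.append(f"{name}: world-readable")
        elif not CERT_BLOCK.search(text):             # crt may hold one cert or a full chain
            problems.append(f"{name}: no PEM certificate block")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Check a healthy layout and the broken one from the thread; both are built from
    constructed placeholder PEM text, not real keys. Returns (good_problems, bad_problems)."""
    cert = "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    key = "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as tmp:
        good, bad = Path(tmp, "good"), Path(tmp, "bad")
        good.mkdir()
        bad.mkdir()
        (good / "ispserver.key").write_text(key)
        (good / "ispserver.key").chmod(0o640)
        (good / "ispserver.crt").write_text(cert)
        (good / "ispserver.bundle").write_text(cert * 2)   # leaf + issuer, as --fullchainpath writes
        # Links into a renewal directory that does not exist, like the ls -al output in post 6.
        (bad / "ispserver.key").symlink_to(Path(tmp, "live", "privkey.pem"))
        (bad / "ispserver.crt").symlink_to(Path(tmp, "live", "fullchain.pem"))
        return check_ssl_dir(good), check_ssl_dir(bad)
```

On a real server call `check_ssl_dir()` with no argument; `demo()` only exercises the constructed layouts.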
     
  17. sjau

    sjau Local Meanie Moderator

    You should have all three... what does the ispc vhost file look like? it should reference them all. However it could be possible that the bundle and crt were merged into one file.

    And why do you quote the full post? Why not just quote the part you refer to?
     
  18. Poliman

    Poliman Member

    ISP vhost file (ssl part):
    Code:
      # SSL Configuration
      SSLEngine On
      SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      #SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
      here is SSLCipherSuite and
      SSLHonorCipherOrder On
    
     
  19. Ivko

    Ivko New Member

    Hi mate, just to add on this, you should consider disabling SSLv3, and probably TLSv1.0, because of the insecurity of SSLv3. You can read more on the link below:
    Code:
    https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
     
  20. till

    till Super Moderator Staff Member ISPConfig Developer

    That's what the line:

    SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1

    is doing. Please see the - in front of the protocols that are not allowed.
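    Till's point about the leading minus can be checked mechanically. The evaluator below is an added example for this thread, not Apache or ISPConfig code; it applies mod_ssl's left-to-right rules for SSLProtocol (a bare keyword replaces the set, + adds, - removes, all expands to every keyword the build knows) and assumes an Apache build that recognises TLSv1.3. Run over the vhost line from post 18 it reports only TLSv1.2 and TLSv1.3 as enabled.

```python
from __future__ import annotations

import re

# Protocol keywords mod_ssl accepts; "all" expands to these (SSLv2 was removed long ago).
# TLSv1.3 assumes Apache 2.4.37+ with OpenSSL 1.1.1+; older builds simply lack the keyword.
KNOWN = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
WEAK = frozenset({"SSLv3", "TLSv1", "TLSv1.1"})   # POODLE (SSLv3); TLS 1.0/1.1 deprecated by RFC 8996


def parse_ssl_protocol(directive: str, supported: tuple[str, ...] = KNOWN) -> set[str]:
    """Protocols enabled by one SSLProtocol line, using mod_ssl's left-to-right rules:
    "-X" removes X, "+X" adds X, and a bare name replaces the whole set with X."""
    match = re.match(r"\s*SSLProtocol\s+(.+)$", directive, re.IGNORECASE)
    if not match:
        raise ValueError(f"not an SSLProtocol directive: {directive!r}")
    by_lower = {name.lower(): name for name in supported}
    enabled: set[str] = set()
    for word in match.group(1).split():
        action, name = (word[0], word[1:]) if word[0] in "+-" else ("=", word)
        if name.lower() == "all":
            names = set(supported)
        elif name.lower() in by_lower:
            names = {by_lower[name.lower()]}
        else:
            raise ValueError(f"unknown protocol keyword {name!r}")
        if action == "-":
            enabled -= names
        elif action == "+":
            enabled |= names
        else:
            enabled = names
    return enabled


def weak_protocols(directive: str) -> set[str]:
    """Deprecated protocols the directive still leaves enabled (an empty set is the goal)."""
    return parse_ssl_protocol(directive) & WEAK


def first_ssl_protocol(vhost_text: str) -> str | None:
    """The first uncommented SSLProtocol line of a vhost fragment, or None if absent
    (mod_ssl then falls back to its built-in default)."""
    for line in vhost_text.splitlines():
        stripped = line.strip()
        if stripped.lower().startswith("sslprotocol"):   # "#SSLProtocol" never matches
            return stripped
    return None
```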
     
