Site SSL recommendations for a new automated install

Discussion in 'Installation/Configuration' started by IntnsRed, Jan 25, 2023.

  1. IntnsRed

    IntnsRed Member

    Setting up a new server with the automated install -- this is different!

    Can someone ELI5 for me the way certificates are now done in the automated install of ISPConfig?

    I'll explain the way I used to do things. In the past I installed ISPConfig on server1.example.com, an all-in-one hobbyist box hosting a few domains.

    I then created a web site for server1.example.com and used the web site to create a Let's Encrypt certificate. Using [the instructions that are on this page], I configured *all* of the various services to use that certificate -- Postfix, DoveCot, ISPConfig and Apache for the web site server1.example.com, they all use the same Let's Encrypt certificate. Thanks to the various links on that page, when the certificate is updated by Let's Encrypt all of the services see the updated cert.

    That's cool, IMO. The "problem" is that Postfix uses the server1.example.com cert. I edit all of the domains' DNS mail records to list server1.example.com as their MX/mail instead of their aliased domain-name entry. This is not as "personalized" for each domain, but tough -- that's the way I do/did it.

    What I'm wondering is with my new install of my server, what is the best, recommended way I should be doing this now? Is doing the all services use a Let's Encrypt certificate planned for some future version of the automated install?

    Thanks in advance.
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I thought as ISPConfig Developer you should know better but that is ok. You can see how it works in the latest tutorial. Basically, you choose create SSL during ISPConfig install or update and it will take care of creating it. But make sure before you follow the ISPConfig Auto Installer tutorial, you have a fresh new ISPConfig minimal server, to avoid any unforeseen shortcomings.
     
  3. IntnsRed

    IntnsRed Member

    I followed the recommendations of [building the perfect server routine here]. Unlike the older "perfect server" installs it mentions nothing about certs and SSL.
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That is how it works.

    ISPConfig auto installer basically choose to create SSL for the server hostname fqdn by default, so we don't have to manually select it, like we do when we setup new ISPConfig server manually or update it (you can still see the option to create SSL during ISPConfig update); and the script that I originally composed and you used to follow is already modified and embedded in ISPConfig install lib file since version 3.2.

    The modified and embedded script attempts to create LE SSL certs for the server hostname fqdn and upon successful attempt, extend that certs to all other services in that server, whatever server that you want to build, whether standalone or any of the multiserver setup.
     
  5. IntnsRed

    IntnsRed Member

    Just to finish this thread, here was my solution:

    Using the [instructions here on securing ISPConfig using Let's Encrypt certificates] I simply created a web site for server1.example.com enabling Let's Encrypt.

    Then use the web site/ISPConfig Let's Encrypt certificate for server1.example.com and plug it in for the various services. That web site/ISPConfig Let's Encrypt certificate is found in /var/www/server1.example.com/ssl/server1.example.com-le.crt and /var/www/server1.example.com/ssl/server1.example.com-le.key.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    That in theory might still work provided you properly cover the auto creation of ispserver.pem upon renewal, but of course default built in ISPConfig is preferred to avoid failure.

    Tjat said, the original tutorial uses incron, while the embedded code uses renewal hook, to create ispserver.pem that is relied by the services automatically upon the server website LE SSL certs renewal.

    However, incron is deprecated in newer Debian version and as such the embedded script in ISPConfig install lib was improvised to use LE renewal hook to achieve the same.

    Thus, you should be able to add the said renewal hook to renewal.conf file as one way to achieve the ispserver.pem auto renewal.

    The other way is to use systemd approach which is more suitable to newer server that usea systemd as shared by @Th0m that replaces the incron method in my tutorial to re-create ispserver.pem automatically upon renewal of LE SSL certs for the server website.
     

Share This Page