ISPConfig 3

Discussion in 'Installation/Configuration' started by Cesar Vasquez M, Feb 7, 2023.

  1. Cesar Vasquez M

    Cesar Vasquez M New Member

    Hello, a question about SSL that I don't quite understand. I have 2 ISPConfig servers in production and 1 that I installed to test this. I installed https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/ with the following parameters:

    wget -O - https://get.ispconfig.org | sh -s -- --use-ftp-ports=40110-40210 --unattended-upgrades

    In all 3, the Let's Encrypt SSL certificate that I enabled for the websites works perfectly, but for mail, FTP or the web configuration on :8080 it tells me that it is not a valid certificate; it seems to be the self-signed one.
    I tried this tutorial, https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/
    but then dovecot doesn't start. Output:

    Code:
    root@host:~# systemctl restart dovecot
    Job for dovecot.service failed because the control process exited with error code. See "systemctl status dovecot.service" and "journalctl -xe" for details.

    It is not clear to me whether it automatically has to cover www.example.ar, the mail server, FTP and web:8080. Could you guide me on where I am failing?
    thank you so much greetings
    Cesar
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    Regarding the SSL cert for the ISPConfig UI, this is created based on the system hostname using Let's Encrypt automatically. A self-signed cert is only created when Let's Encrypt failed. You can re-issue a cert using the ispconfig_update.sh --force command, but not anymore after you followed that guide, which changes the SSL setup.

    The reason for the initial problem might have been related to a change in acme.sh, which was resolved by a fix in ISPConfig. https://www.ispconfig.org/blog/ispconfig-3-2-9p1-released/
     
    Last edited: Feb 7, 2023
  3. Cesar Vasquez M

    Cesar Vasquez M New Member

    Hi Till, thanks for your prompt help. I tried ispconfig_update.sh --force and it created the self-signed cert again; Thunderbird asked me to accept the new cert. It is running in Proxmox and I am using the ISPConfig that I installed for testing. I will restore the snapshot, try the fix from the link, and tell you how it went.
    thank you so much
    greetings
     
  4. Cesar Vasquez M

    Cesar Vasquez M New Member

    Hi Till, I have the following versions: 3.2.8p2 and 3.2.9 on the production servers and 3.2.9p1 on the test server host.netar.ar.
    I went back to the snapshot and forced the update, and I noticed the following error when creating the SSL cert. I solved it by adding an A record with the hostname in the ISPConfig DNS.

    Code:
    Create new ISPConfig SSL certificate (yes,no) [no]: yes
    
    Checking / creating certificate for host.netar.ar
    Using certificate path /root/.acme.sh/host.netar.ar
    Using apache for certificate validation
    acme.sh is installed, overriding certificate path to use /root/.acme.sh/host.netar.ar
    [Wed 08 Feb 2023 12:02:48 AM -03] host.netar.ar:Verify error:190.13.209.20: Fetching http://host.netar.ar/.well-known/acme-challenge/L34mbEYwIRzYn3fdnauPeOuMmjH0GHdWc3gEgW1x9vI: Connection refused
    [Wed 08 Feb 2023 12:02:48 AM -03] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    Generating a RSA private key
    ...................................++++
    ..................................++++
    writing new private key to '/usr/local/ispconfig/interface/ssl/ispserver.key'
    -----
    You are about to be asked to enter information that will be incorporated
    into your certificate request.
    What you are about to enter is what is called a Distinguished Name or a DN.
    There are quite a few fields but you can leave some blank
    For some fields there will be a default value,
    If you enter '.', the field will be left blank.
    -----
    Country Name (2 letter code) [AU]:^C
    root@host:~#
    Now the cert is working for host.netar.ar:8080 and for mail from Thunderbird and Android, but not for FTP. I also can't get it to work for mail.netar.ar or imap.netar.ar; I tried adding them as aliases of netar.ar.

    This is my /etc/hosts. I don't know if my problem is here; I also changed the IP 127.0.1.1 to 190.13.209.20 (my public IP).

    Code:
    127.0.0.1 localhost.localdomain   localhost
    127.0.1.1       host.netar.ar   host
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters

    How do I proceed to be able to use a cert for all the domains that I have, for example for mail: mail.example1.ar, smtp.example1.ar, mail.example2.ar, smtp.example2.ar, etc.? Is it possible?
    thank you very much again
    greetings
    Cesar
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    The hostname must, of course, exist in DNS, and it must be reachable from the server and also from outside the server, even before you install the server. You cannot get an LE cert for a non-existent hostname.

    The hostname is a single name, and the SSL cert for the system contains just this name. All clients you use to connect to the system must use the hostname and not other names. If you want to use alternate names, you must set up your system manually.
     
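Added example, not part of the thread and not ISPConfig's own tooling: a small POSIX shell script that shows what Till's two points mean in practice. For each TLS-speaking service it fetches the leaf certificate actually presented and checks whether the name a client is configured with (mail.netar.ar, imap.netar.ar, ...) is covered by that certificate's Subject Alternative Names. The SAN matcher is written out in shell so the rule is visible: an exact, case-insensitive match, or a wildcard that covers exactly one label. Ports 993 (IMAPS, implicit TLS), 587 (submission, STARTTLS) and 21 (FTP, STARTTLS) are assumed defaults; 8080 is the UI port from the thread. The host and client names are the ones from the thread and are only examples.

```shell
#!/bin/sh
# Added example (not from the thread or from ISPConfig): see which certificate each
# TLS service really presents, and whether the name a client uses is in its SAN list.

# name_covered_by_san NAME SAN_TEXT -> exit 0 if NAME is covered.
# SAN_TEXT is the comma-separated "DNS:a, DNS:b" line that openssl prints.
# Rules: case-insensitive exact match, or a wildcard covering exactly one label
# (*.netar.ar covers mail.netar.ar, but neither netar.ar nor a.b.netar.ar).
name_covered_by_san() {
  name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  list=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  (
    IFS=','
    set -f                      # keep "*.netar.ar" literal: no pathname expansion
    for raw in $list; do
      entry=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
      case "$entry" in
        dns:*) entry=${entry#dns:} ;;
        *) continue ;;          # ignore "IP Address:" / "email:" entries
      esac
      case "$entry" in
        \*.*)
          suffix=${entry#\*.}
          # the part after the first label must equal the suffix, and there must be a label
          if [ "${name#*.}" = "$suffix" ] && [ "${name%%.*}" != "$name" ]; then exit 0; fi ;;
        *)
          if [ "$entry" = "$name" ]; then exit 0; fi ;;
      esac
    done
    exit 1
  )
}

# san_line CERT_TEXT -> the SAN entries from "openssl x509 -noout -ext subjectAltName" output
san_line() {
  printf '%s\n' "$1" | sed -n '/Subject Alternative Name/{n;p;}' | sed 's/^[[:space:]]*//'
}

# probe_service HOST PORT [STARTTLS_PROTO] -> issuer, subject and SAN of the leaf cert served.
# The leaf is what the client validates; the self-signed fallback shows issuer == subject.
probe_service() {
  if [ -n "$3" ]; then tls_opt="-starttls $3"; else tls_opt=""; fi
  # shellcheck disable=SC2086
  openssl s_client -connect "$1:$2" -servername "$1" $tls_opt </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -subject -ext subjectAltName 2>/dev/null
}

# check_client_name HOST PORT CLIENT_NAME [STARTTLS_PROTO] -> 0 if CLIENT_NAME is in the SAN
check_client_name() {
  text=$(probe_service "$1" "$2" "$4")
  sans=$(san_line "$text")
  if name_covered_by_san "$3" "$sans"; then
    echo "OK    $1:$2 presents a cert covering $3 [$sans]"
  else
    echo "FAIL  $1:$2 does not cover $3 [$sans]"
    printf '%s\n' "$text" | grep -E '^(issuer|subject)=' | sed 's/^/      /'
    return 1
  fi
}

# Usage: sh check_names.sh host.netar.ar mail.netar.ar
# Walks the services clients actually talk to, with the name the client uses.
if [ "$#" -ge 2 ]; then
  server=$1; client_name=$2
  check_client_name "$server" 8080 "$client_name"
  check_client_name "$server" 993  "$client_name"
  check_client_name "$server" 587  "$client_name" smtp
  check_client_name "$server" 21   "$client_name" ftp
fi
```

Run it once with the system hostname and once with each alternate name: with the stock setup only the hostname passes, which is exactly the single-name limitation described above, and a FAIL whose issuer equals its subject is the self-signed fallback. One caveat on the DNS point: Let's Encrypt's validation servers resolve the hostname through public DNS, so entries in the server's own /etc/hosts have no effect on the HTTP-01 challenge; the A record and port 80 have to be reachable from the outside.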
  6. Cesar Vasquez M

    Cesar Vasquez M New Member

    OK Till, thanks for your time and help. I'm going to look for info on how to do it manually. Can it be applied to the Perfect Server Automated ISPConfig 3 Installation on Debian 11 that I already have? Greetings
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    Sure, you just have to replace the central ssl cert in the folder /usr/local/ispconfig/interface/ssl/ with your own cert.
     
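Added example, not part of the thread and not ISPConfig's own tooling: what "replace the central ssl cert" can look like as a script that refuses to do anything unsafe. It checks that the private key really belongs to the certificate, that the certificate covers every name you intend clients to use (OpenSSL's own hostname matcher, wildcards included), backs up the current files, installs the new ones with tight permissions, rebuilds the combined key+cert file and restarts the services. The file names ispserver.crt, ispserver.key and ispserver.pem in /usr/local/ispconfig/interface/ssl/, the service names (apache2, postfix, dovecot, pure-ftpd-mysql) and the use of the .pem by pure-ftpd are assumptions about a Debian/Apache perfect-server install; verify them on your system before running it.

```shell
#!/bin/sh
# Added example, not ISPConfig's own code: install your own (multi-SAN) certificate as the
# central ISPConfig certificate. Assumed layout and service names, verify before use:
#   $SSL_DIR/ispserver.crt  server cert (+ chain), PEM   assumed used by apache2/postfix/dovecot
#   $SSL_DIR/ispserver.key  private key, PEM
#   $SSL_DIR/ispserver.pem  key and cert concatenated      assumed used by pure-ftpd
SSL_DIR=${SSL_DIR:-/usr/local/ispconfig/interface/ssl}
SERVICES=${SERVICES:-"apache2 postfix dovecot pure-ftpd-mysql"}

# key_matches_cert KEY CRT -> 0 if the public key derived from KEY is the one inside CRT
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_covers NAME CRT -> 0 if OpenSSL's hostname matcher says NAME is covered by CRT
cert_covers() {
  openssl x509 -in "$2" -noout -checkhost "$1" 2>/dev/null | grep -q ' does match '
}

# install_cert KEY CRT NAME... -> refuse unless key and cert agree and every NAME is covered;
# then back up, install, build the combined PEM and restart the services.
install_cert() {
  key=$1; crt=$2; shift 2
  key_matches_cert "$key" "$crt" || { echo "refusing: key does not match cert" >&2; return 1; }
  for n in "$@"; do
    cert_covers "$n" "$crt" || { echo "refusing: cert does not cover $n" >&2; return 1; }
  done
  stamp=$(date +%Y%m%d%H%M%S)
  for f in ispserver.crt ispserver.key ispserver.pem; do
    # the Let's Encrypt setup leaves symlinks here; keep a copy, then remove the link/file
    if [ -e "$SSL_DIR/$f" ] || [ -L "$SSL_DIR/$f" ]; then
      cp -a "$SSL_DIR/$f" "$SSL_DIR/$f.bak-$stamp"
    fi
    rm -f "$SSL_DIR/$f"
  done
  install -m 600 "$key" "$SSL_DIR/ispserver.key"
  install -m 644 "$crt" "$SSL_DIR/ispserver.crt"
  # combined file contains the private key, so create it unreadable to others
  ( umask 077; cat "$SSL_DIR/ispserver.key" "$SSL_DIR/ispserver.crt" > "$SSL_DIR/ispserver.pem" )
  for svc in $SERVICES; do
    systemctl restart "$svc"
  done
}

# Usage: sh install_cert.sh privkey.pem fullchain.pem host.netar.ar mail.netar.ar imap.netar.ar
if [ "$#" -ge 3 ]; then
  install_cert "$@"
fi
```

A certificate installed this way is yours to renew; it also gets replaced again if you answer "yes" to "Create new ISPConfig SSL certificate" on a later ispconfig_update.sh run, so answer "no" there.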
  8. Cesar Vasquez M

    Cesar Vasquez M New Member

    Hello Till, I can't find clear information in the forums, or I don't know how to search for it in English. I did not understand your suggestion "replace the central ssl cert in the folder /usr/local/ispconfig/interface/ssl/ with your own cert".
    Is there a post on how to have a cert for each domain?
    thank you
    greetings
     
  9. till

    till Super Moderator Staff Member ISPConfig Developer
