Hello, I have a query about SSL that I don't quite understand. I have 2 ISPConfig servers in production and 1 that I installed to test this. I installed it following https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/ with the following parameters:

wget -O - https://get.ispconfig.org | sh -s -- --use-ftp-ports=40110-40210 --unattended-upgrades

On all 3, the Let's Encrypt SSL certificate that I enabled for the websites works perfectly, but for mail, FTP or the web configuration on port 8080 it tells me that it is not a valid certificate; it seems to be the self-signed one. I tried this tutorial, https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ , but then dovecot doesn't start. Response:

root@host:~# systemctl restart dovecot
Job for dovecot.service failed because the control process exited with error code.
See "systemctl status dovecot.service" and "journalctl -xe" for details.

It is not clear to me whether it automatically has to apply to www.example.ar, the mail server, FTP and web:8080. Could you guide me on where I am failing? Thank you so much, greetings, Cesar
Regarding the SSL cert for the ISPConfig UI, this is created based on the system hostname using Let's Encrypt automatically. A self-signed cert is only created when Let's Encrypt failed. You can re-issue a cert using the ispconfig_update.sh --force command, but not anymore after you followed that guide, which changes the SSL setup. The reason for the initial problem might have been related to a change in acme.sh, which was resolved by a fix in ISPConfig: https://www.ispconfig.org/blog/ispconfig-3-2-9p1-released/
Hi Till, thanks for your prompt help. I tried with ispconfig_update.sh --force and I updated the self-signed one again; Thunderbird asked me to accept the new cert. It is running in Proxmox and I am using the ISPConfig that I installed for testing, so I'll restore the snapshot and try with the link to the fix, and I will tell you how it went. Thank you so much, greetings
Hi Till, I have the following versions: 3.2.8p2 and 3.2.9 on the production ones and 3.2.9p1 on the test one, host.netar.ar. I went back to the snapshot and forced the installation, and I noticed the following error when creating the SSL cert. I solved it by adding an A record with the host name in the DNS in ISPConfig.

Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for host.netar.ar
Using certificate path /root/.acme.sh/host.netar.ar
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/host.netar.ar
[Wed 08 Feb 2023 12:02:48 AM -03] host.netar.ar:Verify error:190.13.209.20: Fetching http://host.netar.ar/.well-known/acme-challenge/L34mbEYwIRzYn3fdnauPeOuMmjH0GHdWc3gEgW1x9vI: Connection refused
[Wed 08 Feb 2023 12:02:48 AM -03] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating a RSA private key
...................................++++
..................................++++
writing new private key to '/usr/local/ispconfig/interface/ssl/ispserver.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:^C
root@host:~#

Now the cert is working for host.netar.ar:8080 and for mail from Thunderbird and Android. Not for FTP.
I also can't get it to work for mail.netar.ar or imap.netar.ar; I tried putting them as aliases of netar.ar. This is my /etc/hosts, I don't know if my problem is here; I also changed the IP 127.0.1.1 to 190.13.209.20 (my public IP).

Code:
127.0.0.1 localhost.localdomain localhost
127.0.1.1 host.netar.ar host
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

How do I proceed to be able to use the cert on all the domains that I have, for example for mail: mail.example1.ar, smtp.example1.ar, mail.example2.ar, smtp.example2.ar, etc.? Is it possible? Thank you very much again, greetings, Cesar
The hostname must of course exist in DNS, and it must be reachable from the server and also from outside the server, even before you install a server. You cannot get an LE cert for a non-existing hostname. The hostname is a single name, and the SSL cert for the system contains just this name. All clients you use to connect to the system must use the hostname and not other names. If you want to use alternate names, you must set up your system manually.
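The two conditions above (the name resolves to this server and port 80 on it answers from outside) are exactly what the acme.sh HTTP-01 "Connection refused" failure earlier in the thread violated. The following preflight script is an added example, not part of the thread or of the ISPConfig installer; it checks every name you intend to put into the single server certificate before running ispconfig_update.sh --force. The probe path under /.well-known/acme-challenge/ and the injectable resolve/fetch parameters are my own additions so the logic can also be exercised offline.

```python
"""HTTP-01 preflight for the names that will go into the ISPConfig server cert.

Added example, not from the forum thread or the ISPConfig installer. For each
name it checks the two things the acme.sh HTTP-01 challenge needs: the name
has an A record pointing at the server's public IP, and port 80 at that name
answers HTTP requests for /.well-known/acme-challenge/. The resolver and
fetcher are injectable so the checks can run offline with constructed data.
"""
import socket
import urllib.error
import urllib.request

# Hypothetical probe token: any path under the ACME directory will do, since
# we only care that port 80 answers at all (a 404 is fine, refused is not).
ACME_PROBE = "/.well-known/acme-challenge/preflight-probe"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow 301/302: a redirect to https already proves port 80
    answers, and following it would trip over the self-signed cert we are
    trying to replace."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def resolve_a(hostname):
    """IPv4 addresses for hostname, or [] if it does not resolve."""
    try:
        return sorted(set(socket.gethostbyname_ex(hostname)[2]))
    except socket.gaierror:
        return []


def fetch_status(url, timeout=5):
    """HTTP status code for url, or None when nothing answered on port 80."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:     # 3xx/4xx/5xx: something listens
        return err.code
    except (urllib.error.URLError, OSError):  # refused, timeout, no route
        return None


def check_name(hostname, public_ip, resolve=resolve_a, fetch=fetch_status):
    """Problems that would make HTTP-01 fail for hostname; [] means it should pass."""
    problems = []
    addrs = resolve(hostname)
    if not addrs:
        return [f"{hostname}: no A record"]
    if public_ip not in addrs:
        problems.append(f"{hostname}: resolves to {addrs}, not {public_ip}")
    if fetch(f"http://{hostname}{ACME_PROBE}") is None:
        problems.append(f"{hostname}: port 80 not answering (refused or timeout)")
    return problems


def preflight(names, public_ip, resolve=resolve_a, fetch=fetch_status):
    """Run check_name for every name that will be a SAN of the single server cert."""
    return {name: check_name(name, public_ip, resolve, fetch) for name in names}


if __name__ == "__main__":
    import sys
    # usage: python3 preflight.py <public-ip> <hostname> [more names ...]
    public_ip, names = sys.argv[1], sys.argv[2:]
    for name, problems in preflight(names, public_ip).items():
        print(name, "OK" if not problems else "\n  ".join([""] + problems))
```

Run it from a machine outside the server as well as on the server itself: NAT hairpinning or a host firewall can make the check pass locally while Let's Encrypt's validators still get "Connection refused". If the name also has an AAAA record, Let's Encrypt prefers IPv6 for validation, so that address must answer on port 80 too; the script above only inspects A records.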
OK Till, thanks for your time and help. I'm going to look for info on how to do it manually. Can it be applied to the Perfect Server Automated ISPConfig 3 Installation on Debian 11 that I already have? Greetings
Sure, you just have to replace the central SSL cert in the folder /usr/local/ispconfig/interface/ssl/ with your own cert.
Hello Till, I can't find clear information in the forums, or I don't know how to search for it in English. I did not understand your suggestion to replace the central SSL cert in the folder /usr/local/ispconfig/interface/ssl/ with your own cert. Is there a post on how to have a cert for each domain? Thank you, greetings
You can have only one SSL cert, and this cert must be a multidomain SSL cert that contains all domains. The guide you started using is one option for that: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ But it's not something I would use on my own server. So you can try to get this to work to replace the ISPConfig cert.
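Whether the single cert covers every name the clients use (Till's point about one cert, one hostname, and a multidomain cert if you need more) can be checked service by service. The script below is an added example, not from the thread or from ISPConfig: it uses the openssl command line (s_client, with -starttls for submission and FTP) to pull the leaf certificate from the UI, IMAPS, submission and FTP ports, then lists which client-facing names are not covered by the SAN list. The hostname, client names and port list are constructed for the thread's test host and are assumptions to replace with your own.

```python
"""Which names does the certificate on each ISPConfig service actually cover?

Added example, not from the forum thread or ISPConfig. It uses the openssl
CLI (s_client, with -starttls where the protocol needs it) to read the leaf
certificate from each service, then compares the certificate's SAN list
against the names clients are configured with. Parsing and matching are pure
functions so they can be tested on constructed openssl output.
"""
import re
import subprocess

# Constructed for the thread's test host; replace with your own hostname and
# the names your mail/FTP clients are actually configured to use.
HOSTNAME = "host.netar.ar"
CLIENT_NAMES = ["host.netar.ar", "mail.netar.ar", "imap.netar.ar"]
ENDPOINTS = [            # (port, openssl -starttls protocol or None)
    (8080, None),        # ISPConfig UI, implicit TLS
    (993, None),         # Dovecot IMAPS, implicit TLS
    (587, "smtp"),       # Postfix submission, STARTTLS
    (21, "ftp"),         # pure-ftpd, AUTH TLS
]


def parse_san(x509_text):
    """DNS names from `openssl x509 -noout -subject -ext subjectAltName` output.

    Falls back to the subject CN when the cert has no SAN extension, which is
    what old self-signed certs look like.
    """
    names = [n.lower() for n in re.findall(r"DNS:([^,\s]+)", x509_text)]
    if not names:
        cn = re.search(r"CN\s*=\s*([^,/\n]+)", x509_text)
        if cn:
            names = [cn.group(1).strip().lower()]
    return names


def name_matches(pattern, hostname):
    """Exact match, or a wildcard in the leftmost label only: *.netar.ar
    covers mail.netar.ar but not netar.ar or a.b.netar.ar."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern[1:]                                    # ".netar.ar"
        label = hostname[:-len(suffix)] if hostname.endswith(suffix) else ""
        return bool(label) and "." not in label
    return False


def uncovered(san_names, required):
    """Names in required that no SAN entry covers; clients using them get warnings."""
    return [h for h in required if not any(name_matches(p, h) for p in san_names)]


def fetch_san(host, port, starttls=None, timeout=10):
    """Leaf-cert names for host:port via openssl; self-signed certs are read too."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    if starttls:
        cmd += ["-starttls", starttls]
    s_client = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    x509 = subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=s_client.stdout, capture_output=True, timeout=timeout)
    return parse_san(x509.stdout.decode(errors="replace"))


if __name__ == "__main__":
    for port, proto in ENDPOINTS:
        sans = fetch_san(HOSTNAME, port, proto)
        print(f"{HOSTNAME}:{port} SAN={sans} uncovered={uncovered(sans, CLIENT_NAMES)}")
```

If the UI on 8080 reports the Let's Encrypt names but 993, 587 or 21 still report only a self-signed CN, the services are not pointed at /usr/local/ispconfig/interface/ssl/ (or were not reloaded after the cert changed); if every port reports only host.netar.ar, then mail.netar.ar and imap.netar.ar in the clients have to change to the hostname, as Till says, or the cert has to become a multidomain one.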