Securing the control panel with a Let's Encrypt certificate (when using acme.sh)

Since ISPConfig 3.2, you can issue a certificate for the hostname of your server when installing/updating (ispconfig_update.sh --force). If a DNS record is in place for your hostname, and port 80 is opened in your firewall, a cert should be issued.

In some cases, you will want to use the "old" way to set up a cert, e.g. when the hostname used for the panel is not the same as your hostname.

To use the "old" way with acme.sh:
Make sure the certificate for your hostname is created. I will use server1.example.com.
You can check if it exists with

Code:

ls -la /root/.acme.sh/server1.example.com

The certificate files should be there.

To use this certificate for the panel, run:

Code:

cd /usr/local/ispconfig/interface/ssl/
mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
ln -s /root/.acme.sh/server1.example.com/fullchain.cer ispserver.crt
ln -s /root/.acme.sh/server1.example.com/server1.example.com.key ispserver.key
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
systemctl restart apache2

You can set up a script to do this automatically when the certificate has been renewed:

Open a new script file:

Code:

nano /usr/local/bin/le_ispc_pem.sh

Paste this in that file:

Code:

#!/bin/bash
### BEGIN INIT INFO
# Provides: LE ISPSERVER.PEM AUTO UPDATER
# Required-Start: $local_fs $network
# Required-Stop: $local_fs
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: LE ISPSERVER.PEM AUTO UPDATER
# Description: Update ispserver.pem automatically after ISPC LE SSL certs are renewed.
### END INIT INFO
cd /usr/local/ispconfig/interface/ssl/
sleep 120
mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
cat ispserver.{key,crt} > ispserver.pem
chmod 600 ispserver.pem
systemctl restart apache2

Make the script executable:

Code:

chmod +x /usr/local/bin/le_ispc_pem.sh

To automatically trigger this script on renewal, we are going to use systemd.

Create and open the new systemd service:

Code:

nano /etc/systemd/system/le_ispc_pem.service

Paste this in that file:

Code:

[Unit]
Description="Create new .pem file on certificate renewal"

[Service]
ExecStart=/usr/local/bin/le_ispc_pem.sh

Save and close this file. Then create and open the new systemd path file:

Code:

nano /etc/systemd/system/le_ispc_pem.path

Paste this in that file and replace mail.example.com with the hostname you used:

Code:

[Unit]
Description="Monitor the panel certificate files to trigger a recreation of the .pem file after renewal"

[Path]
PathModified=/root/.acme.sh/server1.example.com/
Unit=le_ispc_pem.service

[Install]
WantedBy=multi-user.target

Save and close this file. Then start the service and enable it so it runs on startup:

Code:

systemctl start le_ispc_pem.path

And enable it so it runs on startup:

Code:

systemctl enable le_ispc_pem.path

And we're done!

Of course, replace server1.example.com in this guide with your hostname.

 

I have updated this guide to be compatible with Debian 11.

 

I have edited the script to sleep for 120 seconds before doing anything, just for sure. There were some corner cases where some files where changed, but not all, then Apache2 restarted and crashed, which made the renewal fail but only partly.

 

The guide has been updated to use /usr/local/bin instead of /etc/init.d for storing the script. I will update other guides with relevant scripts as well.