Get SSL certificate for ISPConfig admin from LetsEncrypt?

Discussion in 'Installation/Configuration' started by zkvvoob, May 22, 2016.

  1. zkvvoob

    zkvvoob Member

    Today I successfully obtained and installed two certificates from Let's Encrypt for two of the domains that I manage by means of ISPCcnfig 3 on by Ubuntu 14.04 machine.
    Now I would like to do the same for ISPConfig's web interface. It's accessible at
    , the domain itself is also managed by ISPConfig and has web content there.
    So, I tried
    certbot certonly --webroot -w /var/www/ -d
    certbot certonly --webroot -w /usr/local/ispconfig/interface/web -d
    but both returned the following error:

    I have double-checked and there is an A DNS record for the 'server' subdomain.
    Could you advise me how to proceed?
    Thank you!
  2. uniQ

    uniQ New Member

    Same problem here and I can't get it to work. :/
  3. zkvvoob

    zkvvoob Member

    Jesse Norell likes this.
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    @zkvvoob, are you running ispconfig 3.1 (beta), or the older 3.0.5? 3.1 supports letsencrypt for hosted domains, and I think what you did won't work on 3.1?
  5. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Working through this on Debian 8/ispconfig 3.1, with letsencrypt installed according to the perfect server guide, this is what worked for. During ispconfig installation I did generate a self-signed certificate (don't know if the config varies if you say no there). Note this relies on hostname -f and hostname -d output, so make sure those are right.

    /root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server --rsa-key-size 4096 --email postmaster@`hostname -d` --domains `hostname -f` --webroot-path /usr/local/ispconfig/interface/acme
    dt=`date '+%Y%m%d%H%M%S'`
    cd /usr/local/ispconfig/interface/ssl/
    for ext in csr key crt; do if [ -f ispserver.$ext ]; then mv ispserver.$ext ispserver.$ext.old.$dt; fi; done
    ln -s /etc/letsencrypt/live/`hostname -f`/privkey.pem ispserver.key
    ln -s /etc/letsencrypt/live/`hostname -f`/fullchain.pem ispserver.crt
    service apache2 restart
    I now have a green padlock in my browser, showing the LetsEncrypt certificate info.

    I also confirmed that reinstalling ispconfig (running, choosing git-stable) does not affect/destroy this setup when I answered no to creating a new certificate. Hopefully something like the above commands will make their way into the ispconfig installer, and eventually configuration for ftpd/dovecot/postfix (including multi-server).
    Last edited: May 24, 2016
  6. zkvvoob

    zkvvoob Member

    Basically I did what you did, Jesse, albeit without the fancy script to rename ISPConfig's old crt/key files. ;)
    I didn't know that there was a beta version, but frankly speaking I'm a tad hesitant to try it now because I don't want to risk corrupting my current setup.
  7. uniQ

    uniQ New Member

    Thank you so much, this method worked like a charm! :)
  8. NdK

    NdK Member

    Just wrestled a bit with my first LE cert for ISPConfig admin interface.
    At the end, I've had to use certbot-auto (from ) since the letsencrypt script in /root/.local/ said it was too old and didn't work.
    Just a possible hint for others.
  9. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Also check your distro (eg. there's a letsencrypt package in jessie-backports)
  10. sghazagh

    sghazagh Member

    Hi Jesse/guys,
    I have used your instruction and now the SSL is working fine on my ISPConfig control panel. Thanks you...

    I also have a question with regard to SSL for normal websites and hope you can help.
    I tried to create a SSL for my own website inside ISPControl panel and enabled the SSL for the site.
    However, it seems that the <mywebsite>.vhost does not get update with "SSLEngine on" and other required settings and cannot use HTTPS for my website!

    Do you know how I can use HTTP on a website?
    your help will be appreciated.
    (I am using ISPConfig 3.1.b1)

  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    This is enabling letsencrypt for the website, or pasting in ssl certificate info into the SSL tab? I'm assuming letsencrypt. Do you have a <mywebsite>.vhost.err file created, which does have the proper SSL settings? Try turning off both the SSL and LetsEncrypt checkboxes, wait a minute, then turn on only SSL checkbox, wait a minute, then turn on the LetsEncrypt checkbox, and see if it works (also make sure DNS is pointing to this server for <mywebsite> or you can't get a letsencrypt certificate).

    If that fixes it, it's probably just a bug that was recently fixed; run and update from git-stable, or use that workaround till the next beta comes out.
  12. sghazagh

    sghazagh Member

    Many thanks for your reply.
    I actually have tried that.
    The problem is that there is no .err file as it recreates the .vhost file but with content exactly as what it was before, with no SSL setting on it.
    I tried it again. Enabled the SSL checkbox, saved and waited for a minute. Backed and enabled Letsencrypt checkbox and save.
    When I back, the SSL checkbox still is enabled but the Letsencrypt checkbox gets disabled!

    I actually tried that for another website. The case is same. However, I could get the https working but asking to add the exception as the certificate seems is not trusted.
    But same with Letsencrypt. The check box gets disabled.
    I also tried to create the Letsencrypt SSL for the second website manually. The Letsencrypt created the files in /etc/letsencrypt/live/<> folder. Still checkbox gets disabled.
    There are four/4 files in there:
    ISPConfig looking for "SSL Key", "SSL Request" and "SSL Certificate" files inside /var/www/domain.tld/ssl folder when only SSL checkbox is enabled.
    To be honest I don't know which one is which that I can at least manually copy the text inside the ISPConfig SSL fileds!
    and see if that works! (I assume "cert.pem" is "SSL Certificate", "privkey.pem" is "SSL Key" but what about "SSL Request" one?! Am I correct at all?)

    Any help will be appreciated?!
  13. sghazagh

    sghazagh Member

    It's working.

    Ok, I did this and it's working for second website now!
    - Did generate the Let'sencrypt certificate manually as per your instruction above:
    /root/.local/share/letsencrypt/bin/letsencrypt auth --text --agree-tos --authenticator webroot --server --rsa-key-size 4096 --email [email protected] --domains --webroot-path /var/www/
    - It creates those 4 files explained above in "/etc/letsencrypt/live/
      • cert.pem
      • privkey.pem
      • chain.pem
      • fullchain.pem
    - copied the content of "cert.pem" into "SSL Certificate" filed in ISPConfig control panle, SSL tab of the domainname.tld website
    - copied the content of "privkey.pem" into "SSL Key" filed in ISPConfig control panle, SSL tab of the domainname.tld website
    - Cleared the "SSL Request" filed
    - "SSL Bundle" filed was already empty
    Saved the Certificate.

    Even though the Letsencrypt checkbox still is disabled, but the HTTPS of website works fine and does not asks for "Add Exception". Green lock on Firefox shows up and the site is loading.
    I also enabled the Rewrite HTTP to HTTP for having HTTPS all the times and that worked too!!!

    I don't know if this workaround is good enough but hope the stable version fixes all of this issues!
  14. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    Glad you got some partial success; I don't know what your issue with letsencrypt option getting disabled is. You might want to copy chain.pem into the SSL Bundle field.
  15. sghazagh

    sghazagh Member

    I see !
    Does it really required to have the Bundle one copied as well or I can use either of them?
    I mean, certificate+key or just bundle!

    Because for now the certificate+key is just working!!!
  16. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    the "bundle" is neither the key nor your certificate, it is the chain of intermediate certificates linking the CA's well known root cert with the certificate you were given - your browser happens to already know the required intermediate certificates required to validate your certificate or it wouldn't give you the green lock. But without the intermediate certificates, other browsers will complain. There are some web-based "check my ssl" services that will tell you if there are problems with your site, see what those say (
  17. sghazagh

    sghazagh Member

    Thanks a lot mate for sharing your knowledge.
    I learned a lot from your post and help.
    Really appreciate that :)

    And yes, I did check with and without "chain.pem" and with chain there are no issue for SSL checking on the link you did have provided. (Big thanks :))

    Sorry mate, I only have just another question!
    I see that the certificate only is valid around 2 months!!!
    Does it means I have to regenerate the certificate every two months?
    Is there any option on your instructed command to extend this period>
    Last edited: Jun 9, 2016
  18. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    In your current setup you will have a problem, and need to replace the cert manually. With a working letsencrypt setup, you won't have to do anything, it will renew and replace the expiring certificates automatically. Keep digging in to / asking about getting that letsencrypt checkbox to work, as I don't know offhand why it would not. Maybe run and update to the latest git-stable if you haven't recently, and see if that helps.
    sghazagh likes this.
  19. sghazagh

    sghazagh Member

    Ok, I will dig into it and hope I can find the issue.
    Once more many thanks for your time. You did help a lot...
  20. kabieror

    kabieror New Member

    I also have got the problem of the Let's Encrypt checkbox being disabled after running the cron job. I'm on Ubuntu 16.04 with Apache and ISPConfig 3.1dev (git-stable). I updated to this version from the 3.1 stable release to try to solve the problem, but it still exists. I checked the logs /var/log/ispconfig/cron.log and /var/log/letsencrypt/letsencrypt.log. The cron log shows no noticable entries after enabling the checkbox - the output of the letsencrypt job is the same as before. No vhost.err exists in /etc/apache2/sites-available and in /etc/letsencrypt/live I can't find a folder belonging to the domain I want to enable SSL for.

    I don't know if this is of importance, but I managed to enable the Let's Encrypt setting at several domains when the DNS records still pointed to another server (I moved from one server to another). I started to continuosly copy the directory /usr/local/ispconfig/interface/acme/.well-known to the webroot of the domain I wanted to enable SSL at on the old server, where the DNS records of that domain pointed at. Then I enabled the Let's Encrypt checkbox at the new server and could observe some files being generated in the .well-known directory that then were immediately copied to the old server by my running job. The letsencrypt job finished successfully, ISPConfig installed the certificates and updated the apache settings. Everything fine. But now, as the DNS records point to the correct server, the files in .well-known are not any longer generated by the cron job. I don't know that I would have changed anything that could have caused the problem.

    Has anyone got an idea how to do further debugging?

Share This Page