Hello, I used this installation manual: https://www.howtoforge.com/tutorial...-postfix-dovecot-and-ispconfig/#-install-bind A slight, unrelated difference is that I use AlmaLinux and PHP 7.4 from the official AppStream repository instead of REMI. For ISPConfig 3.1 I used this tutorial: https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/ Are there please the same instructions for 3.2 with acme.sh? Following the instructions for 3.1, I stopped at:
Code:
# stat /etc/letsencrypt/live/
stat: cannot statx '/etc/letsencrypt/live/': No such file or directory
But LE is working fine. Where can I find these?
/etc/letsencrypt/live/{{url }}/fullchain.pem
/etc/letsencrypt/live/{{url }}/privkey.pem
Thanks.
The Let's Encrypt SSL cert gets created automatically during ISPConfig installation; there are no additional steps needed in ISPConfig 3.2 anymore, so do not follow that old ISPConfig 3.1 guide, it does not apply to ISPConfig 3.2 systems that set this up automatically. These folders are not used anymore. acme.sh stores its config and files under the /root/.acme.sh/ folder.
But I need to set all cases like this: ISPConfig on port 8080, Webmail, PHPMyAdmin, FTP, Postfix, Dovecot, possibly more. I remember that when I last tested it, it could only be turned on for ISPConfig, but it didn't work for webmail and phpmyadmin. Can you please confirm that everything will be encrypted, not just https://ispconfig.server.tld:8080?
It gets turned on automatically for all services managed by ISPConfig; these are the ISPConfig UI, FTP, email (smtp/pop3/imap) incl. webmail and phpmyadmin, as long as you use them through the apps vhost on port 8081. So the ISPConfig installer already configures more services than the outdated guide that you wanted to use. Regarding a global Apache SSL default vhost, that is neither configured by the guide nor by ISPConfig, as ISPConfig does not manage that vhost.
I mean that https://server.tld:8080/ will not work but https://server.tld:8081/ will? So I can't use port 8080? I also understand that I may not use https://server.tld/webmail or https://server.tld:8080/webmail, but must it be https://server.tld:8081/webmail? Where can I find the current install.ini? Is the official SSL working with Let's Encrypt autorenew, like standard Let's Encrypt in the website settings? Thank you.
Port 8080 is for ISPConfig only and uses https by default. Port 8081 is for other apps and uses https too by default. Yes, the apps vhost exists for accessing other software. There is no such file used in ISPConfig. Let's Encrypt certs renew automatically, of course. But only if you follow the perfect server guides without alterations; using that other guide will break renewals.
I mean autoinstall.ini. I use this, but https on https://server.tld:8080/ does not work. The browser says: "The certificate is not trusted because it is self-signed.":
Code:
[install]
language=en
install_mode=standard
hostname={{ ansible_nodename }}
mysql_hostname=localhost
mysql_port=3306
mysql_root_user=root
mysql_root_password={{ mysql_root_password }}
mysql_database=dbispconfig
mysql_charset=utf8
http_server=apache
ispconfig_port=8080
ispconfig_use_ssl=y
ispconfig_admin_password={{ ispconfig_admin_password }}
create_ssl_server_certs=y
ignore_hostname_dns=n
ispconfig_postfix_ssl_symlink=y
ispconfig_pureftpd_ssl_symlink=y

[ssl_cert]
ssl_cert_country={{ ssl_cert_country}}
ssl_cert_state={{ ssl_cert_state}}
ssl_cert_locality={{ ssl_cert_locality}}
ssl_cert_organisation={{ ssl_cert_organisation}}
ssl_cert_organisation_unit={{ ssl_cert_organisation_unit}}
ssl_cert_common_name={{ ansible_nodename }}
ssl_cert_email={{ ssl_cert_email}}

[expert]
mysql_ispconfig_user=NONE
mysql_ispconfig_password=NONE
join_multiserver_setup=n
mysql_master_hostname=NONE
mysql_master_root_user=NONE
mysql_master_root_password=NONE
mysql_master_database=NONE
configure_mail=y
configure_jailkit=y
configure_ftp=y
configure_dns=n
configure_apache=y
configure_nginx=n
configure_firewall=y
install_ispconfig_web_interface=y

[update]
do_backup=yes
mysql_root_password={{ mysql_root_password }}
mysql_master_hostname={{ ansible_nodename }}
mysql_master_root_user=root
mysql_master_root_password=ispconfig
mysql_master_database=dbispconfig
reconfigure_permissions_in_master_database=no
reconfigure_services=yes
ispconfig_port=8080
create_new_ispconfig_ssl_cert=yes
reconfigure_crontab=yes
create_ssl_server_certs=y
ignore_hostname_dns=n
ispconfig_postfix_ssl_symlink=y
ispconfig_pureftpd_ssl_symlink=y
; These are for service-detection (defaulting to old behaviour where all changes were automatically accepted)
svc_detect_change_mail_server=yes
svc_detect_change_web_server=yes
svc_detect_change_dns_server=yes
svc_detect_change_xmpp_server=yes
svc_detect_change_firewall_server=yes
svc_detect_change_vserver_server=yes
svc_detect_change_db_server=yes

I'm using the official server installation guide for CentOS 8 with acme.sh.
ISPConfig creates a LE cert automatically when it is able to obtain one. So most likely the hostname of your server was not reachable by the LE servers from the internet at the time you installed it. You can run an ISPConfig update with the --force option to fix your install when the hostname resolves correctly now. If you want more details on installing ISPConfig automatically, see the official auto-installer. You can also find its code here: https://git.ispconfig.org/ispconfig/ispconfig-autoinstaller
I can confirm this solution works for servers with the ISPConfig control panel installed (port 8080); just re-run the updater/installer and you'll be asked to renew the certificate. But within a multi-server setup, where only one server has the ISPConfig control panel (port 8080) installed, only that machine asks for a new Let's Encrypt certificate. Running the updater/installer on "control panel"-less servers doesn't ask to renew the Let's Encrypt certificate (for services like pure-ftpd, exim, dovecot, apps.vhost, etc.). Am I missing a step/option? Or is this a "corner case" that the updater/installer does not take into account?
Code:
Select update method (stable,nightly,git-develop) [stable]:
There are no updates available for ISPConfig 3.2.8p1 Stable, 3.2.8p1 -> yes
After running "ispconfig_update.sh --force" on a "control panel"-less server:
Code:
root@server2:~# openssl x509 -noout -text -in /usr/local/ispconfig/interface/ssl/ispserver.crt | fgrep 'Not'
            Not Before: Dec 15 17:08:44 2021 GMT
            Not After : Mar 15 17:08:43 2022 GMT
After running "ispconfig_update.sh --force" on a server with the ISPConfig control panel:
Code:
root@server1:~# openssl x509 -noout -text -in /usr/local/ispconfig/interface/ssl/ispserver.crt | fgrep 'Not'
            Not Before: Mar 18 09:42:15 2022 GMT
            Not After : Jun 16 09:42:14 2022 GMT
The "control panel" server asks:
Code:
Updating ISPConfig
ISPConfig Port [8080]:
Create new ISPConfig SSL certificate (yes,no) [no]: yes
Checking / creating certificate for server1.domain.fqdn
Using certificate path /root/.acme.sh/server1.domain.fqdn
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/server1.domain.fqdn
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:
The step/question "Create new ISPConfig SSL certificate (yes,no) [no]:" is never seen while updating a "control panel"-less server. At least not on my servers. All servers were freshly installed with 3.2 directly (no legacy 3.1 or older), on Debian 11, using the autoinstaller.
Dug a little further:
Code:
// Create SSL certs for non-webserver(s)?
if(!$issue_asked) {
    if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
        if(!$issue_tried && strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y', 'create_ssl_server_certs')) == 'y') {
            $inst->make_ispconfig_ssl_cert();
        }
    } else {
        swriteln('Certificate exists. Not creating a new one.');
    }
}
After manually deleting/moving the '/usr/local/ispconfig/interface/ssl/ispserver.crt' file, this part solves the problem. Interesting to see, because the server with ISPConfig asks to "Create new ISPConfig SSL certificate (yes,no)", whereas a "control panel"-less server just checks if that file exists. I would expect the updater to ask to "backup the file" and proceed. Agree? If so, I'll create a pull request later on.
Yeah, that would be good, just ensure it defaults to not replacing the old certificate if it exists. Thanks.
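The openssl checks in the earlier post and the "move the file aside, then re-run the updater" workaround in the last two posts can be put into one small script. The following is an added example written for this thread; it is not ISPConfig project code and not something any poster shared. It only knows the path /usr/local/ispconfig/interface/ssl/ispserver.crt from the thread; the names ispserver.key and ispserver.pem beside it, and the ISPCONFIG_SSL_DIR override, are assumptions. It never calls ispconfig_update.sh itself: it reports whether ispserver.crt is still the self-signed certificate (issuer equals subject) or is close to expiry, and with --backup it moves the files to timestamped *.bak-* copies so the updater's "Certificate exists. Not creating a new one." branch is not taken on the next --force run.

```shell
#!/bin/sh
# Added example (not ISPConfig project code). Inspect the ISPConfig server
# certificate and optionally set a self-signed one aside before an update.
# Assumed: ispserver.key and ispserver.pem live next to ispserver.crt.

ISPCONFIG_SSL_DIR="${ISPCONFIG_SSL_DIR:-/usr/local/ispconfig/interface/ssl}"

# cert_status FILE
# Prints: "<self-signed|ca-issued> <ok|expiring> subject=.. issuer=.. notAfter=.."
# Returns 0 for a CA-issued cert, 1 for a self-signed cert, 2 if unreadable.
cert_status() {
    cert="$1"
    if [ ! -r "$cert" ]; then
        echo "unreadable: $cert" >&2
        return 2
    fi
    # RFC2253 name formatting keeps the output stable across openssl versions
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$cert" | sed 's/^subject=//')
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$cert" | sed 's/^issuer=//')
    not_after=$(openssl x509 -noout -enddate -in "$cert" | sed 's/^notAfter=//')
    # A self-signed certificate names itself as issuer
    if [ "$subject" = "$issuer" ]; then kind=self-signed; else kind=ca-issued; fi
    # -checkend exits non-zero when the cert expires within N seconds (30 days here)
    if openssl x509 -noout -checkend 2592000 -in "$cert" >/dev/null 2>&1; then
        expiry=ok
    else
        expiry=expiring
    fi
    echo "$kind $expiry subject=\"$subject\" issuer=\"$issuer\" notAfter=\"$not_after\""
    [ "$kind" = ca-issued ]
}

# backup_cert DIR
# Moves ispserver.crt/.key/.pem in DIR to NAME.bak-<timestamp>; prints the timestamp.
# Nothing is deleted, so the old files can be restored if the update does not
# produce a new certificate.
backup_cert() {
    dir="$1"
    stamp=$(date +%Y%m%d%H%M%S)
    for name in ispserver.crt ispserver.key ispserver.pem; do
        if [ -e "$dir/$name" ]; then
            mv "$dir/$name" "$dir/$name.bak-$stamp"
        fi
    done
    echo "$stamp"
}

# main [--backup]
main() {
    cert="$ISPCONFIG_SSL_DIR/ispserver.crt"
    rc=0
    cert_status "$cert" || rc=$?
    case $rc in
        0) echo "CA-issued certificate in place; nothing to do."; return 0 ;;
        2) return 2 ;;
    esac
    if [ "${1:-}" = "--backup" ]; then
        stamp=$(backup_cert "$ISPCONFIG_SSL_DIR")
        echo "Moved the existing files aside as *.bak-$stamp; now run ispconfig_update.sh --force"
    else
        echo "Self-signed certificate found; re-run with --backup to set it aside before updating."
    fi
}

# Only act when invoked with an argument, e.g.: sh ispcert.sh --check  or  sh ispcert.sh --backup
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once per node of a multi-server setup; the "control panel"-less servers are the ones where the self-signed report is expected, since only the panel host is prompted for a new certificate by the updater.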