How to Secure port 8080 with LetsEncrypt on ISPCONFIG server panel

I have installed the latest version of ISPCONFIG and configured as per the tutorial for Installing ispconfig on centos 8. I could install letsencrypt for my websites but when i browse on port 8080 to access the control panel it shows as not secured. Please guide me as to how to secure port 8080 on centos 8 installation.

 

I did chose the option of having ssl and completed the certification process... I still couldn't secure the port 8080.

I did find a tutorial for the same but on debian / ubuntu and I am in a learning stage so could not quite get hold of what to do?

 

Hi,
I did run the update :
i tried to choose to install the ssl followed by yes to all the options and filling out the details - SSL certificate generated but not working with port 8080, otherwise it is working fine without using port 8080.
I recreated certificates for couple of websites that i have already created but the same problem persists...

It is working fine with : ...//example.com, but not with....://example.com:8080.
I have enabled SNI in ssl settings unders system-systemconfig-web.
I am not too sure about the CA path : [ have given /root/.acme.sh/ca/ ]. Does this effect certificate generation and saving ?
---------------------
another issue i am not able to resolve is the IPv6 prefix : [2605:a140:2055:5963::/64] which is showing an error

 

Just to be clear, thiugh this may not directly related to your problem, any ISPConfig server FQDN should be a domain sub e.g. server1.example.com and not its root.

 

true and I do have the server domain in format you described.

 

1. I have chosen to install one at the time of installation/update and that should be self signed.
2. The certificate issued by the server fqdn to fqdn as per the details when i click the triangle warning icon near the address bar of the browser
3. I have mapped one of the domains to the server ip and created letsencrypt ssl for the same.

 

[root@shreya ~]# ispconfig_update.sh --force


--------------------------------------------------------------------------------
_____ ___________ _____ __ _
|_ _/ ___| ___ \ / __ \ / _(_)
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| |
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, |
__/ |
|___/
--------------------------------------------------------------------------------


>> Update

Please choose the update method. For production systems select 'stable'.
WARNING: The update from GIT is only for development systems and may break your current setup. Do not use the GIT version on servers that host any live websites!
Note: On Multiserver systems, enable maintenance mode and update your master server first. Then update all slave servers, and disable maintenance mode when all servers are updated.

Select update method (stable,nightly,git-develop) [stable]: stable

Downloading ISPConfig update.
Unpacking ISPConfig update.


--------------------------------------------------------------------------------
_____ ___________ _____ __ _ ____
|_ _/ ___| ___ \ / __ \ / _(_) /__ \
| | \ `--.| |_/ / | / \/ ___ _ __ | |_ _ __ _ _/ /
| | `--. \ __/ | | / _ \| '_ \| _| |/ _` | |_ |
_| |_/\__/ / | | \__/\ (_) | | | | | | | (_| | ___\ \
\___/\____/\_| \____/\___/|_| |_|_| |_|\__, | \____/
__/ |
|___/
--------------------------------------------------------------------------------


>> Update

Operating System: CentOS 8.3

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: yes

Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Loading SQL patch file: /tmp/update_runner.sh.QF0yta8eZv/install/sql/incremental/upd_dev_collection.sql
Reconfigure Permissions in master database? (yes,no) [no]: no

Service 'xmpp_server' has not been detected (strongly recommended, currently enabled) do you want to disable it? (yes,no) [yes]: yes

Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: no

Reconfigure Services? (yes,no,selected) [yes]: yes

Configuring Postfix
Configuring Dovecot
Configuring Mailman
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Jailkit
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]: 8080

Create new ISPConfig SSL certificate (yes,no) [no]: yes

Checking / creating certificate for shreya.shreyacreatives.cf
Using certificate path /root/.acme.sh/shreya.shreyacreatives.cf
Server's public ip(s) (144.126.132.121, 144.126.132.121) not found in A/AAAA records for shreya.shreyacreatives.cf:
Ignore DNS check and continue to request certificate? (y,n) [n]: y

which: no letsencrypt in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
which: no certbot in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
which: no certbot in (/opt/eff.org/certbot/venv/bin)
which: no acme.sh in (/usr/local/ispconfig/server/scripts)
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/shreya.shreyacreatives.cf
[Fri Apr 2 05:26:57 CDT 2021] shreya.shreyacreatives.cf:Verify error:Fetching http://shreya.shreyacreatives.cf/.w...e/sNokSST1WHaZ7hS1Ux-zr-LhMO5ZfHISkFJmTIqsiuQ: Connection refused
[Fri Apr 2 05:26:57 CDT 2021] Please check log file for more details: /var/log/ispconfig/acme.log
Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
Could not issue letsencrypt certificate, falling back to self-signed.
Generating RSA private key, 4096 bit long modulus (2 primes)
....................................................................................++++
..............................................................................................++++
e is 65537 (0x010001)
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:IN
State or Province Name (full name) []:Telangana
Locality Name (eg, city) [Default City]:Secunderabad
Organization Name (eg, company) [Default Company Ltd]:Shreya Creatives
Organizational Unit Name (eg, section) []:IT Cell
Common Name (eg, your name or your server's hostname) []:shreya.shreyacreatives.cf
Email Address []:[email protected]
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
writing RSA key
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

which: no acme.sh in (/usr/local/ispconfig/server/scripts)
Reconfigure Crontab? (yes,no) [yes]: yes

Updating Crontab
Restarting services ...
Update finished.
You have new mail in /var/spool/mail/root

 

Sure... I will do that in future... I am using this for the first time so unaware of using code tags.

I have added A/AAAA records for shreya.shreyacreatives.cf in the shreyacreatives.cf zone... I am not sure if this is required to be done...

 

I have tried to use the code tags and not getting right i guess.

I have done the above and able to login with https://shreya.shreyacreatives.cf:8080 in a secured manner...

 

Code:

>> Update

Operating System: CentOS 8.3

This application will update ISPConfig 3 on your server.

Shall the script create a ISPConfig backup in /var/backup/ now? (yes,no) [yes]: yes

Creating backup of "/usr/local/ispconfig" directory...
Creating backup of "/etc" directory...
Checking ISPConfig database .. OK
Starting incremental database update.
Loading SQL patch file: /tmp/update_runner.sh.0SvQKOnR5M/install/sql/incremental/upd_dev_collection.sql
Reconfigure Permissions in master database? (yes,no) [no]: no

Service 'xmpp_server' has not been detected (strongly recommended, currently enabled) do you want to disable it?  (yes,no) [yes]: yes

Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it?  (yes,no) [no]: no

Reconfigure Services? (yes,no,selected) [yes]: yes

Configuring Postfix
Configuring Dovecot
Configuring Mailman
Configuring Spamassassin
Configuring Amavisd
Configuring Getmail
Configuring BIND
Configuring Pureftpd
Configuring Apache
Configuring vlogger
Configuring Apps vhost
Configuring Jailkit
Configuring Database
Updating ISPConfig
ISPConfig Port [8080]: 8080

Create new ISPConfig SSL certificate (yes,no) [no]: yes

Checking / creating certificate for shreya.shreyacreatives.cf
Using certificate path /root/.acme.sh/shreya.shreyacreatives.cf
which: no letsencrypt in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
which: no certbot in (/usr/share/Modules/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/root/bin)
which: no letsencrypt in (/root/.local/share/letsencrypt/bin)
which: no certbot in (/opt/eff.org/certbot/venv/bin)
which: no acme.sh in (/usr/local/ispconfig/server/scripts)
Using apache for certificate validation
acme.sh is installed, overriding certificate path to use /root/.acme.sh/shreya.shreyacreatives.cf
Symlink ISPConfig SSL certs to Postfix? (y,n) [y]: y

Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]: y

which: no acme.sh in (/usr/local/ispconfig/server/scripts)
Reconfigure Crontab? (yes,no) [yes]: yes

Updating Crontab
Restarting services ...
Update finished.

 

Just wanted to reconfirm what i have done is in right order:
I have created a dns zone for shreya.shreyacreatives.cf and pointed to the server ip.
addes A / AAAA records for the same.
after running the update command I am now able to login securely using https://shreya.shreyacreatives.cf:8080.

When i checked with dnschecker.org I am only seeing my ip4 address resolving not the AAAA records...

Thank you all for your time and support and helping me out in this issue.

 

​

I actually have done that as suggested now by you. so I just need to remove the new zone which is not necessary. Thanks
Will do that and update if there are any further issues on the topic.

 

Hi,
I always have an error trying updating SSL ISPConfig:

Code:

An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 417, in wrap_socket
    cnx.do_handshake()
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1426, in do_handshake
    self._raise_ssl_error(self._ssl, result)
  File "/usr/lib/python3/dist-packages/OpenSSL/SSL.py", line 1174, in _raise_ssl_error
    _raise_current_error()
  File "/usr/lib/python3/dist-packages/OpenSSL/_util.py", line 48, in exception_from_error_queue
    raise exception_type(errors)
OpenSSL.SSL.Error: [('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')]
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 594, in urlopen
    chunked=chunked)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 350, in _make_request
    self._validate_conn(conn)
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 837, in _validate_conn
    conn.connect()
  File "/usr/lib/python3/dist-packages/urllib3/connection.py", line 337, in connect
    ssl_context=context)
  File "/usr/lib/python3/dist-packages/urllib3/util/ssl_.py", line 327, in ssl_wrap_socket
    return context.wrap_socket(sock, server_hostname=server_hostname)
  File "/usr/lib/python3/dist-packages/urllib3/contrib/pyopenssl.py", line 424, in wrap_socket
    raise ssl.SSLError('bad handshake: %r' % e)
ssl.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/lib/python3/dist-packages/requests/adapters.py", line 423, in send
    timeout=timeout
  File "/usr/lib/python3/dist-packages/urllib3/connectionpool.py", line 624, in urlopen
    raise SSLError(e)
requests.packages.urllib3.exceptions.SSLError: ("bad handshake: Error([('SSL routines', 'tls_process_server_certificate', 'certificate verify failed')],)",)

 

Please paste code listings in CODE tags. Info here: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/
Your post is even more undreadable than usual.
Is your topic at all related to the topic of this thread, "How to Secure port 8080 with LetsEncrypt on ISPCONFIG server panel"?
Start a new thread, then do this: https://www.howtoforge.com/community/threads/please-read-before-posting.58408/