[HOWTO] Access ISPConfig via domain name and secure installation with Let's Encrypt free SSL

Discussion in 'Tips/Tricks/Mods' started by Milen Karaganski, Mar 31, 2020.


    First, the configuration below is a mixture of a few other guides found here and on the web, so all the credit for this guide goes to someone else. Basically, my goal was to make the control panel accessible via a domain name secured with an SSL connection. So, let's begin.

    1. Preliminary note
    If you've followed some of "The Perfect Server" guides, there is a note that you should use a subdomain for your system mail name, which is the same as your hostname. This hostname should also be your server FQDN.

    Also, I assume you will use a subdomain to access the control panel, i.e. the domain is already added to ISP, the DNS zone for it is configured, and everything is working.

    2. Choose your domain name for the control panel and set the server hostname, FQDN and system mail name
    Let's say that the domain for the control panel will be cp.example.com

    2.1 Set your server hostname:
    Code:
    sudo nano /etc/hostname
    and in the file insert "cp-example-com"

    2.2. Set the FQDN:
    Code:
    sudo nano /etc/hosts
    It should be amended like this:
    Code:
    127.0.0.1    localhost.localdomain    localhost
    ::1        localhost6.localdomain6    localhost6
    127.0.1.1   cp.example.com cp-example-com
    
    # The following lines are desirable for IPv6 capable hosts
    ::1     localhost ip6-localhost ip6-loopback
    fe00::0 ip6-localnet
    ff02::1 ip6-allnodes
    ff02::2 ip6-allrouters
    ff02::3 ip6-allhosts
    2.3. Set the system mail name:
    Code:
    sudo nano /etc/mailname
    and change the record to "cp.example.com"

    3. Add the subdomain to ISPConfig
    In ISPConfig go to "Sites>Website>Subdomain (Vhost)", click "Add New Subdomain" and fill it in as follows:

    Hostname --> cp
    Domain --> example.com :: your_server_name
    Web Folder --> cp
    Scroll down and check the "SSL" box, but do not check the "Let's Encrypt SSL" checkbox. Let's Encrypt needs a live site to verify it.

    Set the remaining options as you want and click "Save". DO NOT change anything in the "Redirect" and "SSL" tabs.

    4. Add DNS record for the subdomain
    Go to "DNS>Zones" and open the example.com zone for editing. In the "Records" tab create an "A" record for your subdomain, point it to your server IP and make sure "Active" is checked.

    After the DNS zone is updated, check in your browser that your site is active (i.e. go to http://cp.example.com)

    5. Creating the SSL certificate
    Now that your site is live, you can create a Let's Encrypt SSL certificate for it.

    5.1. Go back to "Sites>Website>Subdomain (Vhost)" and open your site for editing. Check the box next to "Let's Encrypt SSL" and click "Save".

    After the certificate is created, open your site again for editing.

    5.2. On the "Redirect" tab, check the box next to "Rewrite HTTP to HTTPS". This way your site will be accessible only via SSL. Even if you enter "cp.example.com" or "http://cp.example.com" in your browser, you will be redirected to "https://cp.example.com".
    Click save, wait for the changes to take effect and open your site in a browser.

    Make sure you are redirected to the SSL version of it (there should be a "lock" next to your browser address bar).

    6. Set the domain to show your ISPConfig control panel
    Open your site for editing again. Click on the "Options" tab and scroll down. In "Apache directives" add the following:

    Code:
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyPass / https://localhost:8080/
    ProxyPassReverse / https://localhost:8080/
    Click save and wait for the changes to take effect. Once done, open your site in your browser again. You should see your control panel login page.

    7. Configure other services to use the same certificate
    First, you will need to verify the path to your certificates. They should be in "/etc/letsencrypt/live/cp.example.com".

    7.1. Configure Dovecot
    Execute "sudo nano /etc/dovecot/dovecot.conf". It should look like this:

    Code:
    [...]
    ssl_cert = </etc/postfix/smtpd.cert
    ssl_key = </etc/postfix/smtpd.key
    [...]
    Leave it if it is set correctly; otherwise, fix it.


    7.2. Configure Postfix
    Code:
    cd /etc/postfix/
    mv smtpd.cert smtpd.cert-$(date +"%y%m%d%H%M%S").bak
    mv smtpd.key smtpd.key-$(date +"%y%m%d%H%M%S").bak
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem smtpd.cert
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem smtpd.key
    service postfix restart
    service dovecot restart

    7.3. Configure PureFTPD
    Code:
    cd /etc/letsencrypt/live/$(hostname -f)
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem server.crt
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem server.key
    cat server.{key,crt} > server.pem
    and then:
    Code:
    cd /etc/ssl/private/
    ln -sf /etc/letsencrypt/live/$(hostname -f)/server.pem pure-ftpd.pem
    chmod 600 pure-ftpd.pem
    service pure-ftpd-mysql restart
    and that's it. When the certificate is updated, all services will use the updated certificate EXCEPT pureftpd. To renew its certificate just execute:
    Code:
    cd /etc/letsencrypt/live/$(hostname -f)
    cat server.{key,crt} > server.pem
    service pure-ftpd-mysql restart
    
     
    budgierless likes this.
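
The manual rebuild of server.pem in step 7.3 can be automated. The script below is an added example, not part of the original post: it assumes certbot manages the certificates under /etc/letsencrypt and that the script is installed as an executable deploy hook (for example in /etc/letsencrypt/renewal-hooks/deploy/), where certbot sets RENEWED_LINEAGE to the renewed live directory. The function name is hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post): rebuild the combined PEM that
# PureFTPd reads, but only when the renewed key or chain actually changed.
# Assumption: run as a certbot deploy hook, which exports RENEWED_LINEAGE
# (e.g. /etc/letsencrypt/live/cp.example.com).

# rebuild_pureftpd_pem LIVE_DIR (hypothetical helper name)
# Returns 0 if server.pem was (re)written, 1 if it was already current,
# 2 if the key or chain is missing or the temp file could not be created.
rebuild_pureftpd_pem() {
    live_dir=$1
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"
    out="$live_dir/server.pem"

    [ -s "$key" ] && [ -s "$chain" ] || return 2

    # mktemp creates the file with mode 0600, so the private key is never
    # readable by other users, not even before an explicit chmod.
    tmp=$(mktemp "$live_dir/server.pem.XXXXXX") || return 2
    cat "$key" "$chain" > "$tmp"      # same order as: cat server.{key,crt}

    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"                  # nothing changed, keep the old file
        return 1
    fi
    chmod 600 "$tmp"
    mv -f "$tmp" "$out"               # atomic replace, no partial file
    return 0
}

# Only act when certbot invoked us after a successful renewal.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    if rebuild_pureftpd_pem "$RENEWED_LINEAGE"; then
        service pure-ftpd-mysql restart
    fi
fi
```

The symlink /etc/ssl/private/pure-ftpd.pem created in step 7.3 keeps pointing at server.pem, so no further change is needed after the hook runs.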
