Install a Comodo InstantSSL Certificate for ISPconfig Apache, Postfix, Imap & Pop

Discussion in 'Installation/Configuration' started by gwa7, Apr 10, 2009.

  1. gwa7

    gwa7 New Member

    How to Install a Comodo InstantSSL Certificate for ISPconfig Apache, Postfix, Imap & Pop on an Ubuntu Server

    Generating and Obtaining the Certificate
    1. You must generate a Certificate Signing Request (CSR) on your webserver. You did this when you installed ISPConfig, but it's probably a good idea to do it again so that you can make sure everything is entered correctly. Follow these directions to re-generate the ISPconfig certificate: http://www.howtoforge.org/faq/14_63_en.html

    Important: When you are re-generating your certificate, please ensure that the Common Name (CN) you use is ONE of the following:

    • your Fully Qualified Domain Name (e.g. "secure.yourdomain.com")
    • the Full Server Name of your internal server (e.g. "techserver")
    • your Private IP address (e.g. "192.168.0.1")

    The common name is what people will use to access your server. For example: if your common name is mail.myserver.com then you will access ISPconfig with the following link: https://mail.myserver.com:81/
    In your email application you will also use mail.myserver.com for incoming and outgoing server.

    2. Your CSR is located here: /root/ispconfig/httpd/conf/ssl.csr/server.csr
    Copy the text in this file. You will need to paste the text into the CSR box when purchasing your certificate.

    3. Go to http://www.instantssl.com/ and purchase a certificate or get the free trial. During the certificate sign up process, choose Apache-ModSSL where it asks for the server software used to generate the CSR. You must use exactly the same Common Name (CN) as you used above when generating your CSR.

    4. Finish the certificate sign up process. Once you are approved, you may download your certificate files.
    -------------------------------------------------------------------------------------
    ISPconfig Apache Certificate Installation
    1. On your web server go to this directory:
    /root/ispconfig/httpd/conf/ssl.crt
    and make a backup copy of server.crt. Rename the purchased certificate (example: mail_myserver_com.crt) to server.crt and save it into the above directory replacing the existing server.crt.

    Warning: always make a backup copy of any file you change or replace in this How-to. If you don't get something right, your ISPconfig will not start and you will need to undo all changes by using your backup copies.

    2. Copy the ca-bundle file to this directory:
    /root/ispconfig/httpd/conf/ssl.crt

    3. Edit the file /root/ispconfig/httpd/conf/httpd.conf
    and add this line:
    SSLCertificateChainFile /root/ispconfig/httpd/conf/ssl.crt/mail_myserver_com.ca-bundle
    Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file.

    4. Restart ispconfig:
    /etc/init.d/ispconfig_server restart

    5. Now you should not get any errors when you access your site. Example: https://mail.myserver.com:81/

    6. If ispconfig does not restart and you cannot figure out why, use your backup files to replace the files you changed and try to restart ispconfig again.
    --------------------------------------------------------------------------------------
    Postfix Certificate Installation
    1. Make a backup copy of cacert.pem, smtpd.crt, smtpd.key in /etc/postfix/ssl
    Save the bundle file (*.ca-bundle) as cacert.pem in the above directory replacing the existing file.

    2. Save a copy of your server.crt file as /etc/postfix/ssl/smtpd.crt

    3. Save a copy of your server.key file as /etc/postfix/ssl/smtpd.key

    4. Make sure these lines are in /etc/postfix/main.cf
    smtpd_tls_cert_file = /etc/postfix/ssl/smtpd.crt
    smtpd_tls_key_file = /etc/postfix/ssl/smtpd.key
    smtpd_tls_CAfile = /etc/postfix/ssl/cacert.pem

    5. Restart postfix: /etc/init.d/postfix restart
    --------------------------------------------------------------------------------------
    Courier Imap/Pop Certificate Installation

    1. Navigate to /etc/courier/ and make backup copies of imapd.pem and pop3d.pem.

    2. Copy server.crt (/root/ispconfig/httpd/conf/ssl.crt/server.crt) into a new file. Copy server.key (/root/ispconfig/httpd/conf/ssl.key/server.key) into the same file and save this file as /etc/courier/imapd.pem replacing the file that is there.
    The file should look something like this:
    -----BEGIN CERTIFICATE-----
    ..................
    -----END CERTIFICATE-----
    -----BEGIN RSA PRIVATE KEY-----
    ..................
    -----END RSA PRIVATE KEY-----
    Ensure that there are NO blank lines between the certificate and key.

    3. Copy your ca-bundle file to /etc/courier

    4. Make sure these lines are in /etc/courier/imapd-ssl
    TLS_CERTFILE=/etc/courier/imapd.pem
    TLS_TRUSTCERTS=/etc/courier/mail_myserver_com.ca-bundle
    Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file.

    5. Restart imap-ssl:
    /etc/init.d/courier-imap-ssl restart

    6. Make a copy of imapd.pem and save it as pop3d.pem

    7. Make sure these lines are in /etc/courier/pop3d-ssl
    TLS_CERTFILE=/etc/courier/pop3d.pem
    TLS_TRUSTCERTS=/etc/courier/mail_myserver_com.ca-bundle
    Important: In the line above, change mail_myserver_com.ca-bundle to the name of your bundle file.

    8. Restart pop3d-ssl:
    /etc/init.d/courier-pop-ssl restart

    Congratulations, you are finished. Hope this helps someone. Please comment if you can make these directions better.
    -------------------------------------------------------------------------------------
    Ownership and permissions on the certificate files are important:
    -r--r----- 1 root root 1230 Jun 7 18:24 mail_myserver_com.ca-bundle
    -r--r----- 1 root root 2030 Jun 7 19:29 server.key
    --------------------------------------------------------------------------------------
    sources:
    https://support.comodo.com/index.php_m=knowledgebase&_a=viewarticle&kbarticleid=264

    http://www.instantssl.com/ssl-certificate-support/email-certificate/courier-imap.html

    http://www.instantssl.com/ssl-certificate-support/email-certificate/postfix.html

    http://www.howtoforge.com/forums/showthread.phpt=12854&highlight=ispconfig+real+certificate
     
    Last edited: Apr 10, 2009
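
Added example, not part of gwa7's post: a shell sketch of the Courier step that builds imapd.pem from server.crt and server.key, then checks the layout (certificate first, key second, no blank lines) and that the file is not world-accessible. The function names are hypothetical, and cert_matches_key assumes the openssl command-line tool is installed.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# cert_matches_key CERT KEY: true when both files carry the same public key.
# Assumes the openssl command-line tool is installed.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1") || return 2
    key_pub=$(openssl pkey -pubout -in "$2") || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# build_courier_pem CERT KEY OUT: certificate first, then key. Carriage
# returns and blank lines are stripped; the echo keeps the two blocks from
# fusing when CERT has no trailing newline. umask 077 keeps OUT owner-only.
build_courier_pem() {
    (
        umask 077
        { cat "$1"; echo; cat "$2"; } | tr -d '\r' |
            grep -v '^[[:space:]]*$' > "$3.new" && mv "$3.new" "$3"
    )
}

# check_pem_layout FILE: no blank lines, and exactly one certificate
# followed by exactly one private key.
check_pem_layout() {
    if grep -q '^[[:space:]]*$' "$1"; then return 1; fi
    [ "$(grep -c '^-----BEGIN ' "$1")" -eq 2 ] || return 1
    sed -n '1p' "$1" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    grep '^-----BEGIN ' "$1" | sed -n '2p' | grep -q 'PRIVATE KEY-----$'
}

# no_world_access FILE: true when the "other" permission bits are clear,
# as in the -r--r----- listing in the post.
no_world_access() {
    [ "$(ls -ld "$1" | cut -c8-10)" = "---" ]
}

# Usage: sh build-courier-pem.sh server.crt server.key /etc/courier/imapd.pem
if [ "$#" -eq 3 ]; then
    cert_matches_key "$1" "$2" || { echo "certificate/key mismatch" >&2; exit 1; }
    build_courier_pem "$1" "$2" "$3" && check_pem_layout "$3" &&
        no_world_access "$3" && echo "wrote $3"
fi
```

The same output file can then be copied to pop3d.pem as in step 6; run the match check before restarting the services so a mismatched key is caught while the backups are still at hand.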
