I guess that sites b and c do not have SSL enabled; check their vhost files. You might have tried to enable LE there and LE failed to create the cert, so that SSL was disabled again due to the missing SSL cert. What you describe is the default behaviour of the nginx webserver in such a case and not related to the use of letsencrypt or ispconfig. When no vhost exists on a given port (443 in this case), then nginx will show the content of the first website that it finds on the same port in alphabetical order.
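The vhost check suggested in the reply above, as an added example that is not part of the original thread: it lists which sites have no listener on port 443 and would therefore be answered by another site's HTTPS vhost. The one-file-per-site layout, the file names and the sample vhost contents are constructed assumptions.

```shell
#!/bin/sh
# Added example: find nginx vhost files that have no "listen ... 443" line.
# Assumption: one vhost file per site, all in one directory.

# Print "<first server_name> <ssl|no-ssl>" for every file in directory $1.
audit_vhosts() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            # Strip comments and semicolons so the fields are clean tokens.
            { sub(/#.*/, ""); gsub(/;/, "") }
            $1 == "listen" {
                for (i = 2; i <= NF; i++)
                    if ($i == "443" || $i ~ /:443$/) ssl = 1
            }
            $1 == "server_name" && name == "" { name = $2 }
            END { if (name != "") print name, (ssl ? "ssl" : "no-ssl") }
        ' "$f"
    done
}

# Print only the names that would fall through to another site on 443.
sites_without_ssl() {
    audit_vhosts "$1" | awk '$2 == "no-ssl" { print $1 }'
}

# Constructed sample: a.com has SSL, b.com has none, c.com has it commented out.
make_sample() {
    s=$(mktemp -d)
    printf 'server {\n listen *:80;\n listen *:443 ssl;\n server_name a.com www.a.com;\n}\n' > "$s/100-a.com.vhost"
    printf 'server {\n listen *:80;\n server_name b.com;\n}\n' > "$s/100-b.com.vhost"
    printf 'server {\n listen *:80;\n # listen *:443 ssl;\n server_name c.com;\n}\n' > "$s/100-c.com.vhost"
    echo "$s"
}

d=$(make_sample)
audit_vhosts "$d"
rm -rf "$d"
```

Pointing `audit_vhosts` at the real vhost directory shows at a glance which sites lost their 443 listener after a failed certificate request.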
Hi till, thanks for prompt response. Checked ssl directory in /var/www/<website>/ssl and only have information in A.com for A.com. B.com/ssl and C.com/ssl are both empty. I tried disabling SSL for A.com and generating LE for B.com, but still nothing gets written to B.com/ssl and https still works for A.com. Could you suggest a workaround? (Hide SSL for A.com and generate SSL for B.com). Or is this how it must be? (@ ahrasis - Don't want to share the Certificate, but seems to be what I am getting)
The SSL from a, b and c are not related to each other. So that b and c failed is not related to the fact if a exists or has SSL. To see why B and C fail, take a look at the letsencrypt log file. The most likely reasons for failing LE certs are problems with DNS (e.g. a subdomain of the website does not exist in DNS or points to a different server) or you rewrite requests in that site in a way that LE is not able to reach its verification token. But please make a new thread for that as it's not related to this old feature request you posted to.
Hi guys, I have a little problem. I'm pretty new in this "world". So I managed to get all my domains on the server certified and fully working with certbot. The problem is that I don't know how to make the ISPConfig panel be certified too. When I go to mydomain.com it is OK, HTTPS no problem, but when I go to mydomain.com:8080 there is no trusted cert. So can you help me with this please?
Hi, I'm just following your guide for the installed certbot/letsencrypt client, and I got a problem. When issuing:
Code:
cat /usr/local/ispconfig/interface/ssl/ispserver.{key,crt} > /usr/local/ispconfig/interface/ssl/ispserver.pem
I got:
Code:
cat: /usr/local/ispconfig/interface/ssl/ispserver.key: No such file or directory
cat: /usr/local/ispconfig/interface/ssl/ispserver.crt: No such file or directory
But ls -al shows that they are there:
Code:
-rwxr-x--- 1 root root 45 Feb 23 00:24 empty.dir.bak
lrwxrwxrwx 1 root root 45 Feb 24 14:22 ispserver.crt -> /etc/letsencrypt/live/benchwork/fullchain.pem
-rwxr-x--- 1 root root 2069 Feb 23 00:24 ispserver.crt.bak
-rwxr-x--- 1 root root 1724 Feb 23 00:24 ispserver.csr.bak
lrwxrwxrwx 1 root root 43 Feb 24 14:22 ispserver.key -> /etc/letsencrypt/live/benchwork/privkey.pem
-rwxr-x--- 1 root root 3243 Feb 23 00:24 ispserver.key.bak
-rwxr-x--- 1 root root 3311 Feb 23 00:24 ispserver.key.secure.bak
-rw-r--r-- 1 root root 0 Feb 24 14:45 ispserver.pem
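An added diagnostic for the error in the post above, not part of the original thread: `cat` reports "No such file or directory" for a name that `ls` lists when that name is a symlink whose target does not resolve. The function names are hypothetical and the demo files are constructed; the combined .pem is written owner-only because it contains the private key.

```shell
#!/bin/sh
# Added example: build ispserver.pem only if the key and cert symlinks resolve.

# Return 0 if $1 exists after following symlinks; otherwise say why not.
check_link() {
    if [ -e "$1" ]; then
        return 0
    elif [ -L "$1" ]; then
        echo "dangling symlink: $1 -> $(readlink "$1")" >&2
    else
        echo "missing: $1" >&2
    fi
    return 1
}

# Concatenate key and cert from directory $1 into $1/ispserver.pem.
build_pem() {
    dir=$1; ok=0
    check_link "$dir/ispserver.key" || ok=1
    check_link "$dir/ispserver.crt" || ok=1
    [ "$ok" -eq 0 ] || return 1
    # Write to a mode-600 temp file and rename it, so a failed run never
    # leaves an empty or world-readable ispserver.pem behind.
    tmp=$(mktemp "$dir/ispserver.pem.XXXXXX") || return 1
    chmod 600 "$tmp"
    if cat "$dir/ispserver.key" "$dir/ispserver.crt" > "$tmp"; then
        mv "$tmp" "$dir/ispserver.pem"
    else
        rm -f "$tmp"; return 1
    fi
}

# Constructed demo: links dangle at first, then their targets are created.
demo() {
    d=$(mktemp -d)
    ln -s "$d/live/example/privkey.pem" "$d/ispserver.key"
    ln -s "$d/live/example/fullchain.pem" "$d/ispserver.crt"
    build_pem "$d" 2>/dev/null && r1=built || r1=refused
    mkdir -p "$d/live/example"
    echo KEY > "$d/live/example/privkey.pem"
    echo CERT > "$d/live/example/fullchain.pem"
    build_pem "$d" && r2=built || r2=refused
    echo "$r1 $r2"
    rm -rf "$d"
}
demo
```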
Not sure what you mean. By default, if you call port 8080 (or whatever port you use for ISPC), then the ISPC interface will come. Independent of domain.
I don't know, I just responded with a question on what @Vengance said: "Would be great if you could also issue a certificate in the panel for the ispconfig domain." P.S. I got it to work now, thank you very much!
But what is the ispconfig domain? As said, when calling the according port the ISPC web config panel shows up... no matter what domain you use.
You want me to give you one of the domains where I have ISPConfig on, or what? I don't understand. As you said, whatever domain you call with port 8080 you will get ISPConfig. I don't have any dedicated domain specific to ISPConfig if that is what you mean.
Hey mate. I have a self-signed cert for the ISP panel, but in /usr/local/ispconfig/interface/ssl I have only empty.dir, ispserver.crt, ispserver.csr, ispserver.key, ispserver.key.secure. There is no ispserver.pem file. The next thing is that in /etc/letsencrypt/live/ I have only a directory for the website which is on my server. There is no directory with the name of my server. The second thing is that when I checked SSL and Let's Encrypt SSL, clicked Save and entered the settings of the newly created website, I don't have these two SSL options checked.
The important files are:
Code:
/usr/local/ispconfig/interface/ssl/ispserver.key
/usr/local/ispconfig/interface/ssl/ispserver.crt
/usr/local/ispconfig/interface/ssl/ispserver.bundle
With the acme.sh client I run this command to have them updated:
Code:
acme.sh --installcert -d ispc.domain.tld --certpath '/usr/local/ispconfig/interface/ssl/ispserver.crt' --keypath '/usr/local/ispconfig/interface/ssl/ispserver.key' --fullchainpath '/usr/local/ispconfig/interface/ssl/ispserver.bundle' --reloadcmd 'systemctl reload apache2; systemctl restart dovecot; systemctl reload postfix'
Of course I first had to get the cert using:
Code:
acme.sh --issue --dns dns_ispconfig -d ispc.domain.tld -d mail.domain.tld -d mail.otherdomain.tld -d mail.thirddomain.tld --keylength 4096
You should have all three... what does the ispc vhost file look like? it should reference them all. However it could be possible that the bundle and crt were merged into one file. And why do you quote the full post? Why not just quote the part you refer to?
ISP vhost file (ssl part):
Code:
# SSL Configuration
SSLEngine On
SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1
SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
#SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
here is SSLCipherSuite and SSLHonorCipherOrder On
Hi mate, just to add on this, you should consider disabling SSLv3, and probably TLSv1.0, because of the insecurity of SSLv3. You can read more on the link below:
Code:
https://blog.mozilla.org/security/2014/10/14/the-poodle-attack-and-the-end-of-ssl-3-0/
That's what the line: SSLProtocol All -SSLv3 -TLSv1 -TLSv1.1 is doing. Please see the - in front of the protocols that are not allowed.