ISPConfig 3.2 SSL for primary host

Discussion in 'Installation/Configuration' started by Kevin Brackley, Jan 13, 2023.

  1. Kevin Brackley

    Kevin Brackley New Member

    I installed ispconfig 3.2 using the Perfect Server Automated installation (https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/).

    The first server installation I had to remove the self-signed certificates in /usr/local/ispconfig/interface/ssl and re-run ispconfig_update.sh --force to get Let's Encrypt (via acme.sh) to create a LE signed certificate.

    I installed a second server, but I can't get this to work. The ispserver.pem seems to be updating, but I am still getting a self-signed certificate for the server "cp2.mydomain.com" when I reference it in my Monit installation (https://cp2.mydomain.com:2812).

    Of course if I try to access the host/server name on Apache, I get the first domain certificate that is installed due to SNI.

    Should I create a website for the host of the ISPConfig installation and then link the certs that Let's Encrypt creates for it to the interface/ssl/ directory?

    Some background: I have modified the /etc/monit/monitrc to include the following:
    And I reference the cert for Monit there. This worked perfectly on the first/primary and master CP server (that is, both Monit and PureFTP are running with the LE certificate).
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Are both servers behind a NAT router? If so, check your router configs / settings. If they are already correct and working, check the LE FAQ to troubleshoot why the second server cannot obtain proper LE SSL certs for its hostname FQDN.

    If this is a multi-server setup, you should follow the relevant tutorials and should not run multiple ISPConfig panels, only one on the master. By the earlier LE SSL design in ISPConfig, a server not running a web server may also obtain LE SSL certs, and I think it still works the same in the latest ISPConfig.

    No, and this won't work, especially if you are using the acme.sh LE client on your server; plus the renewal config for a website is different from the renewal config for the server, which you may need to modify if you choose to pursue this option.
     
  3. Kevin Brackley

    Kevin Brackley New Member

    No NAT router. I am not running the panel on the 2nd server. I'm running multiple servers, but the 2nd (and planned future) servers are "slave" servers with one host running the configuration panel. Each additional server is installed via:
    Code:
    wget -O - https://get.ispconfig.org | sh -s -- --ssh-port=420 --ssh-password-authentication=no --ssh-permit-root=no --no-mailman --use-php=8.0,8.1,7.4 --monit [email protected] --no-dns --use-ftp-ports=40110-40210 --lang=en --unattended-upgrades --interactive
    LE is running and generates the certificate for the server, but it does not install it into the /usr/local/ispconfig/interface/ssl directory...and the pure-ftpd, etc. certs are linked to this one, which by default is self-signed.

    I had the same problem on the first/primary server. I fixed it by following another thread that had me backup the self-signed certs and --force run the installation again. This technique did not work on the 2nd server.

    EDIT: Note that when I created a host for the second server, e.g. cp2.mydomain.com, on the 2nd server, it created a new PEM file with the new LE cert, and that replaced the self-signed PEM in the /usr/local/ispconfig/interface/ssl/ directory. Now I'm afraid to delete the website :-/
     
    Last edited: Jan 14, 2023
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    How do you know the pem file is created from LE SSL certs now, because you said it shows self-signed when you opened the monit web? But if it does, why the question again?
     
  5. Kevin Brackley

    Kevin Brackley New Member

    I only assumed it was because the same certificate that is located in /root/.acme.sh/cp2.mydomain.com is now in the PEM file.

    I had posted my question earlier today and had to move on. So I am trying to learn best practices, but also trying to migrate and get things done.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This /etc/ssl/private/pure-ftpd.pem is normally a symlink to /usr/local/ispconfig/interface/ssl/ispserver.pem, which means your monit web should work with LE SSL certs if it was using that, but it doesn't. Can you force update ISPConfig again and try to create SSL certs again during the process? Note if the process says it is generating self-signed SSL certs instead.
     
  7. Kevin Brackley

    Kevin Brackley New Member

    Yes. Until I created a site with the cp hostname, the certs in /usr/local/ispconfig/interface/ssl were the self-signed cert created during the initial ISPC server installation.

    The same thing happened on the "master" ISPC server. I followed a thread here that helped me resolve this on the master cp server, but this trick did not work on the 2nd server.
    Code:
    # move the self-signed files aside so the forced update regenerates them
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ispconfig_update.sh --force
    The LE log shows that an ssl cert was created, and it ran the post script, but the PEM file still contained the self-signed cert.
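The question running through posts 4 to 7 is how to tell whether ispserver.pem actually carries the acme.sh-issued certificate or still the self-signed fallback, and whether the services on 8080, 8081 and 2812 serve the same thing. The script below is an added example, not code from the thread or from ISPConfig; it assumes the ISPConfig 3.2 default paths, acme.sh under /root/.acme.sh (with the `_ecc` directory acme.sh uses for ECC certificates), and the ports named in this thread.

```sh
#!/bin/sh
# Added example (not from the thread or ISPConfig): show which certificate each
# ISPConfig-managed consumer presents and whether it is self-signed or acme.sh's.
# Assumptions: ISPConfig 3.2 default paths, acme.sh under /root/.acme.sh,
# ports 8080 (panel), 8081 (apps vhost) and 2812 (monit) as in the thread.
ISP_SSL=${ISP_SSL:-/usr/local/ispconfig/interface/ssl}
ACME_HOME=${ACME_HOME:-/root/.acme.sh}

# SHA-256 fingerprint of the first certificate in FILE. A key+cert bundle such
# as ispserver.pem is fine: openssl skips the key block and reads the cert.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# Succeeds when the certificate in FILE is self-signed (issuer equals subject).
# Let's Encrypt certificates have a different issuer (e.g. "O = Let's Encrypt").
cert_is_selfsigned() {
    subj=$(openssl x509 -in "$1" -noout -subject 2>/dev/null) || return 1
    iss=$(openssl x509 -in "$1" -noout -issuer 2>/dev/null) || return 1
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeeds when FILE1 and FILE2 carry the same leaf certificate.
same_cert() {
    a=$(cert_fingerprint "$1"); b=$(cert_fingerprint "$2")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Fingerprint of the certificate a TLS service presents for HOST on PORT.
live_fingerprint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | sed 's/^.*=//'
}

# acme.sh keeps RSA certs in HOST/ and ECC certs in HOST_ecc/; print whichever exists.
acme_dir() {
    for d in "$ACME_HOME/$1" "$ACME_HOME/${1}_ecc"; do
        [ -f "$d/fullchain.cer" ] && { echo "$d"; return 0; }
    done
    return 1
}

describe_file() {
    if [ ! -e "$1" ]; then printf '%-45s missing\n' "$1"; return; fi
    kind=CA-signed; cert_is_selfsigned "$1" && kind=SELF-SIGNED
    printf '%-45s -> %s\n  %s %s\n' "$1" "$(readlink -f "$1")" "$kind" "$(cert_fingerprint "$1")"
}

main() {
    host=$1
    for f in "$ISP_SSL/ispserver.pem" "$ISP_SSL/ispserver.crt" /etc/ssl/private/pure-ftpd.pem; do
        describe_file "$f"
    done
    if d=$(acme_dir "$host"); then
        describe_file "$d/fullchain.cer"
        if same_cert "$ISP_SSL/ispserver.pem" "$d/fullchain.cer"; then
            echo "ispserver.pem carries the acme.sh certificate"
        else
            echo "ispserver.pem does NOT match the acme.sh certificate"
        fi
    else
        echo "no acme.sh certificate found for $host under $ACME_HOME"
    fi
    for p in 8080 8081 2812; do
        printf 'live %s:%s %s\n' "$host" "$p" "$(live_fingerprint "$host" "$p")"
    done
}

if [ $# -ge 1 ]; then main "$1"; else echo "usage: $0 cp2.mydomain.com" >&2; fi
```

Run it as root with the panel hostname (`sh ispcert-check.sh cp2.mydomain.com`). If ispserver.pem reports SELF-SIGNED while the acme.sh fullchain.cer exists and is CA-signed, the issue step succeeded but the installer's copy into interface/ssl did not; if the live fingerprints on 2812 or 8080 differ from ispserver.pem, that service is reading a different file than the symlink suggests.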
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It will definitely fail since you created a website for it.
    You said:
    I replied:
    And though this won't harm your server, you should not do this on the first server too:
    ISPConfig installer takes care of that.
     
  9. Kevin Brackley

    Kevin Brackley New Member

    I didn't create the website for it until everything else I tried didn't work. Now it works, and now I'm afraid to delete it :)
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It actually does not work because the ISPConfig ispserver.pem will fail to be automatically updated in the future. Anyway, it is your server, do with it whatever you like.
     
  11. Kevin Brackley

    Kevin Brackley New Member

    As soon as I figure out how the host ssl cert for cp2.mydomain.com got into the PEM file in /usr/local/ispconfig/interface/ssl I will be able to replicate this. There is an issue with the isp server ssl cert generation I just don't know what the problem is, but others here have solved it by forcing the re-install after removing the self-signed certs. That's why I came here for answers. I understand what I did is going to cause issues, but until someone can tell me how to fix the issue I'm stuck.
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    You can leave the site there as it is, but as @ahrasis mentioned, SSL renewal for the ISPConfig cert will fail then in future. This means you must then replace the SSL certs in /usr/local/ispconfig/interface/ssl/ with symlinks to the original SSL cert in /root/acme.sh/...., as acme.sh will not update the ispconfig certs anymore on its own; it will only update the certs of that website.

    There are no general issues with the SSL cert of the CP in ISPConfig; issues appear only when users have not created DNS records for their hostname before they install the server, and acme.sh refuses to issue a cert then of course, but this is not related to ISPConfig and gets fixed by just running a forced update again. If you start messing around with certs manually though and creating a site for the hostname, which is known to mess up your setup as acme.sh is not able to handle this situation and overwrites the first cert, things get worse and can not be fixed automatically anymore by running an update, and you have to fix it manually then.
     
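The manual fix described in the reply above (replace the files in interface/ssl with links to the acme.sh-issued certificate once a website for the hostname owns the renewal) can be scripted. The script below is an added example, not code from the thread or from ISPConfig. It assumes the ISPConfig 3.2 default paths; the acme.sh file layout HOST/fullchain.cer and HOST/HOST.key (or HOST_ecc/ for ECC certificates); that ispserver.pem is the private key followed by the certificate, which is why it is rebuilt as a copy rather than linked; and that the services to reload are the ones named in this thread (postfix, pure-ftpd, monit), with `pure-ftpd-mysql` as the assumed Debian unit name. It deliberately does not call `acme.sh --install-cert`, since that would overwrite the reload command ISPConfig stored for the website; instead a `refresh` mode meant for a daily cron job rebuilds the bundle whenever acme.sh has renewed.

```sh
#!/bin/sh
# Added example (not from the thread or ISPConfig): point ISPConfig's server
# certificate at the acme.sh-issued one and keep the key+cert bundle fresh.
# Assumptions: ISPConfig 3.2 default paths; acme.sh layout HOST/fullchain.cer and
# HOST/HOST.key (or HOST_ecc/); ispserver.pem = key followed by certificate;
# service names postfix, pure-ftpd-mysql and monit.
ISP_SSL=${ISP_SSL:-/usr/local/ispconfig/interface/ssl}
ACME_HOME=${ACME_HOME:-/root/.acme.sh}

# Directory acme.sh keeps HOST's cert in (RSA in HOST/, ECC in HOST_ecc/).
acme_dir() {
    for d in "$ACME_HOME/$1" "$ACME_HOME/${1}_ecc"; do
        [ -f "$d/fullchain.cer" ] && [ -f "$d/$1.key" ] && { echo "$d"; return 0; }
    done
    return 1
}

# Move a real file aside with a timestamp (same idea as the thread's .bak names);
# an existing symlink is simply removed.
backup() {
    [ -e "$1" ] && [ ! -L "$1" ] && mv "$1" "$1-$(date +%y%m%d%H%M%S).bak"
    rm -f "$1"
}

# Rebuild the key+cert bundle. acme.sh does not produce this file, so it is a
# copy (mode 600) and must be regenerated after every renewal; see refresh.
build_pem() {
    cat "$1" "$2" > "$3" && chmod 600 "$3"
}

link_isp_certs() {
    host=$1
    d=$(acme_dir "$host") || { echo "no acme.sh cert for $host under $ACME_HOME" >&2; return 1; }
    for f in ispserver.crt ispserver.key ispserver.pem; do backup "$ISP_SSL/$f"; done
    ln -s "$d/fullchain.cer" "$ISP_SSL/ispserver.crt"
    ln -s "$d/$host.key" "$ISP_SSL/ispserver.key"
    build_pem "$d/$host.key" "$d/fullchain.cer" "$ISP_SSL/ispserver.pem"
}

# Daily cron candidate: if acme.sh renewed the website cert, rebuild the bundle
# and restart the services that read it. crt/key are symlinks, so they are
# already current; only the pem copy can go stale.
refresh_if_renewed() {
    d=$(acme_dir "$1") || return 1
    [ "$d/fullchain.cer" -nt "$ISP_SSL/ispserver.pem" ] || return 0
    build_pem "$d/$1.key" "$d/fullchain.cer" "$ISP_SSL/ispserver.pem"
    for s in postfix pure-ftpd-mysql monit; do
        systemctl try-restart "$s" 2>/dev/null || true
    done
}

case "${1:-}" in
    link)    link_isp_certs "$2" ;;
    refresh) refresh_if_renewed "$2" ;;
    *)       echo "usage: $0 link|refresh cp2.mydomain.com" >&2 ;;
esac
```

Run `sh isp-acme-link.sh link cp2.mydomain.com` once as root, then add `sh isp-acme-link.sh refresh cp2.mydomain.com` to root's crontab. Because /etc/ssl/private/pure-ftpd.pem is normally a symlink to ispserver.pem, Pure-FTPd and Monit pick up the rebuilt bundle on restart without further changes.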
  13. Kevin Brackley

    Kevin Brackley New Member

    I think I know where my problem lies. I'm on my 5th ISPC server. The DNS is fine. But on a new server, the firewall has not been set up to allow HTTP access on a new installation.
    Code:
    [Tue Jan 17 04:03:10 PM CST 2023] Please check log file for more details: /var/log/ispconfig/acme.log
    Issuing certificate via acme.sh failed. Please check that your hostname can be verified by letsencrypt
    Could not issue letsencrypt certificate, falling back to self-signed.
    This is a new installation, so no firewall settings have been created during this phase of the installation. Am I doing something in the wrong order?
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    New? Most probably the hostname is not properly propagated yet.
     
  15. Kevin Brackley

    Kevin Brackley New Member

    The domain was assigned to the server instance weeks ago. DNS resolves locally and externally. In testing, I've reinstalled the base OS (ip addresses/DNS does NOT change). I run the install script. When I say *NEW* I mean NEW to ISPConfig.

    EDIT: Can IPv6 be the issue? I noticed just now when I ran the script, it is downloading from get.ispconfig.org via the IPv6 address...I do not have the DNS configured for that, just the IPv4 address.
     
    Last edited: Jan 18, 2023
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Could be, but it is designed to work for both, so not sure about that. The best is to follow LE FAQ to troubleshoot.
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig does not activate any firewall or block any ports. If you don't start from a clean and empty system, meaning you already have installed software like a firewall and configured it to block ports, then you must ensure that you alter your manual config before the install to allow access by HTTP, as Let's Encrypt uses HTTP to reach your system and verify the SSL cert.

    IPv6 can be an issue for LE, but only if your hostname exists as an IPv6 record without working IPv6 networking, as LE will then try to reach your system via IPv6 and fail.
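The two causes named above (port 80 blocked by a firewall that was present before the install, and an AAAA record on a host without working IPv6) are both checkable before running the auto-installer. The script below is an added example, not code from the thread or from ISPConfig; it assumes glibc's `getent`, iproute2's `ip` and `ufw` as shipped on Debian/Ubuntu, and uses a route lookup towards the documentation prefix 2001:db8::1 as the IPv6-connectivity heuristic.

```sh
#!/bin/sh
# Added example (not from the thread or ISPConfig): preflight for HTTP-01
# validation of the panel hostname before running the ISPConfig auto-installer.
# Assumptions: glibc getent, iproute2 ip, ufw (Debian/Ubuntu defaults).

# Addresses HOST resolves to, v4 and v6. ahostsv6 returns IPv4-mapped entries
# (::ffff:a.b.c.d) when there is no AAAA record; those are not real AAAA data.
resolve_all() {
    { getent ahostsv4 "$1"; getent ahostsv6 "$1"; } 2>/dev/null \
        | awk '{print $1}' | grep -v '^::ffff:' | sort -u
}

# Global-scope addresses configured on this machine.
local_addrs() {
    ip -o addr show scope global 2>/dev/null | awk '{print $4}' | sed 's,/.*,,'
}

# Print every address in ADDRS that is not in LOCAL (both whitespace separated).
# Anything printed is an address Let's Encrypt will probe that this box does not own.
addrs_not_local() {
    have=" $(printf '%s ' $2) "
    for a in $1; do
        case "$have" in *" $a "*) ;; *) echo "$a" ;; esac
    done
}

# Given the text of `ufw status`, succeed when port 80 is reachable: ufw inactive,
# or an ALLOW rule for 80, 80/tcp or an Apache/Nginx application profile.
ufw_status_allows_80() {
    echo "$1" | grep -q '^Status: active' || return 0
    echo "$1" | grep -Eq '^(80|80/tcp|Apache|Apache Full|Nginx HTTP|Nginx Full)[[:space:]]+ALLOW'
}

main() {
    host=$1; rc=0
    addrs=$(resolve_all "$host")
    [ -n "$addrs" ] || { echo "FAIL: $host does not resolve"; return 1; }
    echo "$host resolves to:"; echo "$addrs" | sed 's/^/  /'
    foreign=$(addrs_not_local "$addrs" "$(local_addrs)")
    if [ -n "$foreign" ]; then
        echo "FAIL: not configured on this host, LE will probe these and fail:"
        echo "$foreign" | sed 's/^/  /'; rc=1
    fi
    case "$addrs" in *:*)
        ip -6 route get 2001:db8::1 >/dev/null 2>&1 \
            || { echo "FAIL: AAAA record present but no IPv6 route; drop the AAAA or fix IPv6"; rc=1; } ;;
    esac
    if command -v ufw >/dev/null 2>&1; then
        st=$(ufw status 2>/dev/null)
        ufw_status_allows_80 "$st" \
            || { echo "FAIL: ufw is active and port 80 is not allowed (ufw allow 80/tcp)"; rc=1; }
    fi
    ss -ltn 2>/dev/null | grep -q ':80 ' && echo "note: something already listens on :80"
    [ $rc -eq 0 ] && echo "OK: HTTP-01 validation for $host should reach this host"
    return $rc
}

if [ $# -ge 1 ]; then main "$1"; else echo "usage: $0 cp2.mydomain.com" >&2; fi
```

Run it as root on the fresh VM (`sh le-preflight.sh cp2.mydomain.com`) before `wget -O - https://get.ispconfig.org | sh ...`; a non-zero exit means acme.sh would most likely fall back to the self-signed certificate, exactly as in the log excerpt posted earlier in this thread.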
     
  18. Kevin Brackley

    Kevin Brackley New Member

    Yeah, Ubuntu with our hosting partner Vultr seems to enable ufw by default. This is a clean install--no other software, etc. I let ispconfig do everything, or try anyway.

    I'm wrapping up here, thanks for both of your responses and help. A lot of this is understanding how things are supposed to work--that is, things are probably working as designed--just not what I am used to.

    I do see that I am asked to create an SSL certificate twice during the ispconfig installation...the first prompt creates a self-signed cert; the 2nd one a few steps later is acme.sh.

    So one last lame question to put this thread to bed if I may: the ssl cert created during the server installation is NOT linked to apache, is that correct? That is, if I access https://cp.mydomain.com:8081/rspamd or https://...:2812 we're using the symlinked cert to /usr/local/ispconfig/interface/ssl/ispserver.pem ... but since I don't have a website or vhost defined for the server itself, I don't have ssl?

    I would like to be able to redirect traffic coming in at the server on port 80/443 or provide a landing page. From another thread I had, creating a vhost for the server itself is not recommended. Is it recommended that I modify the default-ssl.conf and replace the boilerplate ssl-cert-snakeoil.pem with the cert generated by acme?

    Thanks again for your and ahrasis' help!
     
  19. till

    till Super Moderator Staff Member ISPConfig Developer

    If you use the auto-installer, no self-signed SSL certificate is created first. The auto-installer creates a self-signed SSL cert only if let's encrypt fails, as your system would not work when there is no SSL cert. The Let's encrypt (or fallback self-signed cert) is configured for the ISPConfig GUI, for the mail system, and for the FTP server.

    This file is not managed by ISPConfig, so you can alter it in the way you like without it getting overridden by ISPConfig.
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Actually I think he means the self-signed for postfix which is the first SSL created by ISPConfig.

    The second one is correctly meant for the server, where the first attempt is to obtain LE SSL certs, but if that fails, self-signed SSL certs will be created.

    The "revamp" of ISPConfig install lib file may be needed to avoid the above "duplicity" since the later will overwrite the former at the end.
     
