ISPConfig : cert ssl and mail server , how ISPCONFIG manage that ?

Discussion in 'Installation/Configuration' started by ledufakademy, Mar 16, 2022.

  1. ledufakademy

    ledufakademy Member

    I don't know how ispconfig manage ssl certificate (LE or not) for dovecot access (port 993,995,587) ?
    this is not clear for me. (Debian 11 + last ispconfig)
     
    ledufakademy, Mar 16, 2022
    #1
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This is set up automatically during installation, a LE cert is created for the hostname and configured in dovecot, postfix pure-ftpd and the web server. Just follow the installation guide:

    https://www.howtoforge.com/ispconfig-autoinstall-debian-ubuntu/

    and of course, take care that your server hostname exists in DNS and the server is reachable under that hostname before you start installing it.
     
    till, Mar 16, 2022
    #2
    ahrasis likes this.
  3. ledufakademy

    ledufakademy Member

    ok, but if i change my my mail server from free.domain.cloud to ... mx.domain.cloud.(in my MX dns field)
    what must be done ?
     
    Last edited: Mar 17, 2022
    ledufakademy, Mar 16, 2022
    #3
  4. ledufakademy

    ledufakademy Member

    Sorry but when you want to deploy ISPconfig, you don't have any DNS server running at all : the aim is to create your dns , your mail server !
     
    ledufakademy, Mar 17, 2022
    #4
  5. ledufakademy

    ledufakademy Member

    Please consider i want to start from scratch with "domain.com" , just having registrar ready.
    What can we expect with this last "automatic install" how to ?
    Imagine i have my server name with : server.domain.cloud
    BUT : i want my MX record to be ... mx.domain.cloud ...

    automatic install ... just not work ?
     
    Last edited: Mar 17, 2022
    ledufakademy, Mar 17, 2022
    #5
  6. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    In that case you would create a self signed certificate for the control panel and use that to setup DNS so that you could later obtain a let's encrypt certificate for the panel. The are other ways to approach that scenario, too, but that is probably the easiest.
     
    Jesse Norell, Mar 17, 2022
    #6
    ahrasis likes this.
  7. ledufakademy

    ledufakademy Member

    hello jesse, (thank you for answering)
    i think this "automatic" installer is not a very good idea at all.
    really.
    and you don't answer to my initial question (i don't speak about panel LE cert. but ... mail server stuff : dovecot, postfix etc) : with automatic install (last one) , how can i be sure to have the correct LE cert for mx.domain .cloud on my server.domain.cloud , ready after "automatic install" ?
     
    Last edited: Mar 17, 2022
    ledufakademy, Mar 17, 2022
    #7
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You can install the LE certs in advance using dns challenge and ISPConfig can detect and use it when you choose create SSL as that is possible if that what you want. The only thing is you need to use right parameter or you can its fix renewal config later.
     
    ahrasis, Mar 17, 2022
    #8
  9. till

    till Super Moderator Staff Member ISPConfig Developer

    All services managed by ISPConfig use the same SSL cert. these services are Postfix, Dovecot, pure-ftpd and the ISPConfig UI (if that server has a UI). This SSL cert is issued for the hostname of the server automatically during installation. If you set up DNS correctly so that your server can be reached from the internet on port 80, then a LE cert will get issued. If you failed to set up DNS correctly before you started the installation, then run:

    ispconfig_update.sh --force

    and let the ISPConfig installer create a new cert.

    Btw. As you complain about auto-installer, the SSL cert and it's configuration is done by ISPConfig itself, not the auto installer, and it's exactly the same when you install ISPConfig manually without the auto installer. So if SSL cert creation failed because your server was not reachable for the LE servers, then it would have failed in the exact same way if you would have installed it manually, there is no difference there in any way.
     
    till, Mar 17, 2022
    #9
  10. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    As @ahrasis said, you can setup your own certificate for the server if you the one the installer creates does not meet your needs; if you end up needing that, the paths for the certificate and keys is under /usr/local/ispconfig/interface/ssl/. (You can either place certificate files there directly or put symlinks there pointing to the actual certificate file location. Also if you setup your own certificate, you should arrange to have services (nginx, postfix, dovecot, pure-ftpd) restarted when it is renewed.)
     
    Jesse Norell, Mar 17, 2022
    #10
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Its an issue with ISPConfig itself and is listed her in the issue tracker: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/6257
     
    till, Mar 17, 2022
    #11
    ledufakademy likes this.
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Other than the certs manually created, don't forget the creation and recreation of ispserver.pem and its symlink as this is vital for the server and because simply restarting services without them will not secure any of that services.

    That is why I said do it manually with the right parameters or fix the renewal config thereafter (after obtaining the needed certs for the hostname FQDN and other alias FQDN that one's required).

    I basically have written part of the code for dns challenge to be integrated with ISPConfig but I do not think it is needed so I did not commit any of them.
     
    ahrasis, Mar 18, 2022
    #12

Share This Page