Hi there,

I've been using ISPConfig on a production server for a while now; however, I wasn't aware of all its features, and manually created SSL certificates for my websites. If I'm right, in ISPConfig > site > example-website > domain, the two checkboxes SSL and Let's Encrypt SSL provide a UI to create Let's Encrypt SSL certificates for the example-website. That's awesome!

Now that I'm busy setting up a new VPS following the Debian perfect server, I would like to deal with SSL and HTTP/HTTPS properly. I've found this tutorial: Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate. It seems that my set-up is fine; however, the creation of the Let's Encrypt certificates fails.

It may be due to the domain name I use, but I'm not sure. My host (OVH) provides me with a dumb domain name, vpsXXXXXX.ovh.net. This domain name will always point toward the IP of my VPS; this is beyond my will, but I'm okay with that. Actually I thought it might be clever to use this domain for my server name, i.e. hostname -f returns vpsXXXXXX.ovh.net.

Before creating websites on this server using other domains, I wanted to go through the tutorial Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate.

Basically I can browse to

- http://MY.SERVER.IP/ or http://MY.SERVER.IP/webmail, as well as http://vpsXXXXXX.ovh.net or http://vpsXXXXXX.ovh.net/webmail, and get what is expected, without certificates (connection not secure)
- https://MY.SERVER.IP.ovh.net:8080 or https://vpsXXXXXX.ovh.net:8080, and reach ISPConfig after accepting a certificate signed by an untrusted source (which is normal)

I thus considered my installation all right, created a website named vpsXXXXXX.ovh.net, and tried to create Let's Encrypt SSL certificates from ISPConfig > site > vpsXXXXXX.ovh.net > domain, where I checked the two checkboxes SSL and Let's Encrypt SSL.

ISPConfig processes my request (red dot in the top right corner); however, it seems that it didn't work out: if I browse to http://vpsXXXXXX.ovh.net I still don't have a certificate, if I browse to https://vpsXXXXXX.ovh.net:8080 I'm still advised that the certificate is signed by an untrusted source, and if I check the website settings the two checkboxes are unchecked.

I looked in /var/log/ispconfig/ispconfig.log but it's empty.

I would greatly appreciate any guidance to sort this out, before trying to create SSL certificates with certbot directly from the terminal.

Thanks in advance.
This means that the Let's encrypt SSL cert could not be issued. See FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Hi till,

Thanks for your reply. I'm well aware of the FAQ and went through it yesterday. Regarding the various points:

- I do believe I do not have let's encrypt installed but certbot (which is normal)
- I don't know whether my VPS is behind a NAT; I may ask. In the meantime I checked "Skip Letsencrypt check" under System > Server config > web (> SSL settings)
- I only have one website, vpsXXXXXX.ovh.net, and I set auto-subdomain to none; however, I first created the site with the default settings and only afterwards set auto-subdomain to none
- I'm using Apache/2.4.25 (Debian) (from a fresh install of the perfect server)
- I haven't updated ISPConfig to 3.1, as this is a fresh install of 3.1.13

Not sure if it helps, but:

- I haven't created any client yet, thus I created the website vpsXXXXXX.ovh.net without specifying a client (which is something I've never done before)
- in ISPConfig > website > vpsXXXXXX.ovh.net, the SSL tab appears, and there are three options for "SSL Domain": i) vpsXXXXXX.ovh.net; ii) www.vpsXXXXXX.ovh.net; and iii) *.vpsXXXXXX.ovh.net; it might be a relic of the auto-domain www, and at the moment it is set to its default value, namely the first one.
- /var/log/letsencrypt/letsencrypt.log contains this:

Code:
2018-10-03 10:15:12,531:DEBUG:certbot.main:Root logging level set at 20
2018-10-03 10:15:12,532:INFO:certbot.main:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-10-03 10:15:12,533:DEBUG:certbot.main:certbot version: 0.10.2
2018-10-03 10:15:12,533:DEBUG:certbot.main:Arguments: []
2018-10-03 10:15:12,533:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#webroot,$
2018-10-03 10:15:12,533:DEBUG:certbot.plugins.selection:Requested authenticator None and installer None
2018-10-03 10:15:12,533:DEBUG:certbot.plugins.selection:No candidate plugin
2018-10-03 10:15:12,534:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None

- in debug mode, ISPConfig > monitor > System state (all server) > Show system log, filtered with "enc", returns:

Code:
2018-10-03 13:11 vpsXXXXXX.ovh.net Warning /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains vpsXXXXXX.ovh.net --webroot-path /usr/local/ispconfig/interface/acme
2018-10-03 13:11 vpsXXXXXX.ovh.net Warning Let's Encrypt SSL Cert for: vpsXXXXXX.ovh.net could not be issued.
2018-10-03 13:11 vpsXXXXXX.ovh.net Debug exec: /usr/bin/letsencrypt certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email [email protected] --domains vpsXXXXXX.ovh.net --webroot-path /usr/local/ispconfig/interface/acme
2018-10-03 13:11 vpsXXXXXX.ovh.net Debug Let's Encrypt SSL Cert domains: --domains vpsXXXXXX.ovh.net
2018-10-03 13:11 vpsXXXXXX.ovh.net Debug Create Let's Encrypt SSL Cert for: vpsXXXXXX.ovh.net
A quick guess is that there are already too many requests for subdomains at ovh.net, so better luck in trying with your own domain?
Hi,

Thanks for your input! Spot on! I was expecting ovh.net to be a source of issues. Still, I'm puzzled. Sorry this post is a bit long, but I'm getting there, each time a new step of understanding, thanks to you! I'll highlight the questions in bold.

___

First let's play at: if I browse to --> I get

- http://vpsXXXXXXX.mydomain.fr --> /var/www/vpsXXXXXX.mydomain.fr/web/index.html, as expected; still the connection is not secured
- https://vpsXXXXXX.mydomain.fr --> /var/www/vpsXXXXXX.mydomain.fr/web/index.html, as expected; and the connection is secured, so the certificate was granted
- http://MY.SERVER.IP/webmail --> roundcube
- http://vpsXXXXXX.ovh.net/webmail --> roundcube
- http://vpsXXXXXX.mydomain.fr/webmail --> roundcube

I indeed expect roundcube for the first two; however, two things puzzle me here.

First, about webmail:

- my server's hostname -f returns vpsXXXXXX.ovh.net, so I kind of expected roundcube; kind of, because I now also have a website vpsXXXXXX.ovh.net whose /var/www/vpsXXXXXX/web folder does not contain a folder named roundcube or webmail
- however, I do not expect roundcube in the third case; obviously vpsXXXXXX.ovh.net whose /var/www/vpsXXXXXX/web folder does not contain a folder named roundcube or webmail
- all this is not that bad if we assume that any URL directed to my server and ending with /webmail will be redirected toward /var/lib/roundcube; I wouldn't expect that, but OK

The second thing which is puzzling me is that none of the above three URLs redirects automatically (forcefully) towards HTTPS. Of course, if I replace HTTP by HTTPS, all three URLs will use the certificate. But what's the point of having a certificate if the end client is not redirected toward HTTPS when needed?

- I may well use ISPConfig > sites > vpsXXXXXX.mydomain.fr (my-website-name) > Redirect (tab) > Rewrite HTTP to HTTPS checkbox; but it'll redirect every single request to HTTPS, while not all content of vpsXXXXXX.mydomain.fr requires HTTPS; plus I wonder if it's a good practice to force HTTPS for every single request?
- I may also define some Apache directives in ISPConfig > sites > vpsXXXXXX.mydomain.fr (my-website-name) > Option (tab) to force the redirect like in the FAQ here, and maybe specify the folder(s) it applies to
- Finally, I may add an .htaccess file at the root of the roundcube folder to redirect HTTP connections to HTTPS in this specific folder.

Altogether I'm still surprised that roundcube does not handle this redirection by itself. I'm not that experienced in this HTTP/HTTPS domain, but I understood that CMSs, and web apps more broadly, usually switch on their own, according to their needs.

Any thoughts would be greatly appreciated.

___

Then back to the tutorial Securing ISPConfig 3.1 With a Free Let's Encrypt SSL Certificate. I went through the process and now can browse to https://vpsXXXXXX.mydomain.fr:8080 using my certificate from Let's Encrypt! Yay!

However, I'm still not automatically redirected from http://vpsXXXXXX.mydomain.fr to https://vpsXXXXXX.mydomain.fr

I understand that if I redirect vpsXXXXXX.mydomain.fr from ISPConfig > sites > vpsXXXXXX.mydomain.fr > Redirect (tab) > redirect HTTP to HTTPS checkbox, it won't apply to any URL with :8080, as this is a different vhost based on port and not domain name?!

So, as above, how should I deal with HTTP to HTTPS redirection?

___

Finally, the tutorial suggests an alternative method named LE4ISPC. I followed the how-to but replaced $(hostname -f) with vpsXXXXXX.mydomain.fr. The script went through. However, it seems it does not include the auto-renewal, right? Is there any way to set up the auto-renewal with this script?

Thanks
LE4ISPC does cover auto renewal using incron. Do report any failure at its thread. I am not sure why your https is not working though.
OK, great to know that LE4ISPC takes care of the renewal! Will it also renew all the certificates I create for other websites out of the box, or do I have to re-run the script, or does it only renew the certificate for the domain name specified in the script?

Also, regarding roundcube, HTTP should be redirected to HTTPS automatically in the end? Yes or no.

Thanks
Roundcube is an apache alias. An alias is basically a virtual 'folder' which means that /webmail/ is redirected to the roundcube folder from any vhost. If this vhost is SSL or not or redirects to SSL or not is basically handled by the website / vhost. Roundcube itself does not do such a redirect.
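
The behaviour described in this answer, as an added configuration example that is not part of the original thread and is not ISPConfig's generated configuration: a server-wide alias is answered by every vhost, so the vhost that receives the request decides whether /webmail is encrypted. The alias target /var/lib/roundcube is the path mentioned earlier in the thread; the vhost blocks are hand-written for illustration and the certificate paths are placeholders.

```apache
# Server-wide scope (outside any <VirtualHost>): every vhost inherits
# this alias, so /webmail answers on any hostname or bare IP that
# reaches the server.
Alias /webmail /var/lib/roundcube

# Plain-HTTP vhost. Without the rewrite below, /webmail (login form
# and session cookie included) would be served unencrypted here.
<VirtualHost *:80>
    ServerName vpsXXXXXX.mydomain.fr
    DocumentRoot /var/www/vpsXXXXXX.mydomain.fr/web

    # Requires mod_rewrite. In vhost context the pattern is matched
    # against the full URL path, leading slash included, and
    # mod_rewrite runs before the Alias mapping is applied.
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    # Redirect only the webmail path; the rest of the site stays on HTTP.
    # The target host is written out rather than taken from the
    # client-supplied Host header.
    RewriteRule ^/webmail(/.*)?$ https://vpsXXXXXX.mydomain.fr/webmail$1 [R=301,L]
</VirtualHost>

# TLS vhost for the same site: the same alias is now served over HTTPS
# with this vhost's certificate.
<VirtualHost *:443>
    ServerName vpsXXXXXX.mydomain.fr
    DocumentRoot /var/www/vpsXXXXXX.mydomain.fr/web

    SSLEngine on
    # Placeholder paths: use the certificate issued for this site.
    SSLCertificateFile    /path/to/placeholder/fullchain.pem
    SSLCertificateKeyFile /path/to/placeholder/privkey.pem
</VirtualHost>
```

Requests for /webmail that arrive on a different hostname or on the bare IP are handled by whichever vhost matches them, so each plain-HTTP vhost needs its own rule, or a full HTTP to HTTPS redirect, if webmail must never be served over HTTP.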
Hi!

Excellent, thanks. This was clear. That I wasn't sure.

OK, so four cases are possible for my vhost:

- vhost not ssl + no redirection --> http "basic"
- vhost not ssl + redirection --> https but certificates signed by untrusted source
- vhost ssl + no redirection --> http "basic"
- vhost ssl + redirection --> https with proper certificate

Now one pending question I asked above: I wonder, is it a good practice to force https for every single request? Meaning, to ask my vhost to redirect to https (for instance from ISPConfig > site > vpsXXXXXX.mydomain.fr > Redirect (tab) > redirect checkbox).

If yes, then it's sorted.

If no, I should redirect for specific folders/pages; for instance roundcube. In this case I can redirect the folder with an .htaccess file; OK, but can I redirect a specific folder (URL) with an Apache directive from ISPConfig > site > vpsXXXXXX.mydomain.fr > Option (tab) > apache?

Thanks again