Hello, everyone! I was able to install the Let's Encrypt SSL certificate on the email server by following this tutorial: https://www.howtoforge.com/securing...server-with-a-valid-lets-encrypt-certificate/ (I needed to change the certificate domain name to my hostname). Could you tell me how to do this with the FTP server? Thank you very much in advance!
ISPConfig creates SSL certificates for the hostname and FTP itself during installation. This guide is for mail systems only, where the hostname shall not be part of the SSL certificate and client domains shall be used for postfix and dovecot. Current ISPConfig versions automatically create a server certificate. Take care not to apply this guide to any recent ISPConfig version if you want to get an SSL cert for the hostname or FTP. If you skipped creating an SSL certificate during installation or if it failed due to a wrong DNS configuration of the hostname, then you can recreate it with: ispconfig_update.sh --force
It is said: Without this change, the certificate verification fails. This error was happening in PHP:

    Warning: stream_socket_enable_crypto(): SSL operation failed with code 1. OpenSSL Error messages: error:0A000086:SSL routines::certificate verify failed
Then, you missed creating a valid SSL certificate at installation time, or you connected using the wrong domain and not the hostname. The central ISPConfig certificate is used for all services, so if you replaced it with a custom certificate, FTP will also use that one. Maybe you just missed restarting pure-ftpd-mysql service after you replaced the certificate.
If you skipped creating an SSL certificate during installation or if it failed due to a wrong DNS configuration of the hostname, then you can recreate it with: ispconfig_update.sh --force. But do not do this with systems where you manually replaced the SSL cert with a website certificate, as this will mess up your config.
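The "certificate verify failed" error above is what a client sees when the name it connected with is not among the names the server certificate was issued for (for example, a customer's web domain instead of the server hostname). The following is an added example, not ISPConfig code: it models the certificate as the dict returned by Python's ssl.SSLSocket.getpeercert() and checks whether a given connection name is covered, applying the usual subjectAltName-first rule and single-label wildcard matching. The certificate contents and hostnames are constructed sample data.

```python
"""Check whether the name a client connected with is covered by the server
certificate, the mismatch behind 'certificate verify failed' when a client
uses a web-site domain instead of the hostname the certificate was issued for.

Added example, not part of ISPConfig. The certificate is modelled as the dict
returned by ssl.SSLSocket.getpeercert(); the sample below is constructed.
"""
from typing import Dict, List, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns for a
# certificate issued to the server hostname (names are assumptions).
SERVER_CERT = {
    "subject": ((("commonName", "server1.example.com"),),),
    "subjectAltName": (
        ("DNS", "server1.example.com"),
        ("DNS", "*.mail.example.com"),
    ),
}


def dns_names(cert: Dict) -> List[str]:
    """Return the DNS names a certificate is valid for.

    Per RFC 6125 only subjectAltName DNS entries count when that extension is
    present; the subject commonName is a fallback for certificates without it.
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [
        value
        for rdn in cert.get("subject", ())
        for key, value in rdn
        if key == "commonName"
    ]


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a hostname (case-insensitive).

    A wildcard is honoured only as the whole left-most label and only matches
    a single label, so '*.mail.example.com' never covers 'mail.example.com'.
    """
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def check_connection_name(cert: Dict, hostname: str) -> Tuple[bool, str]:
    """Report whether 'hostname' is covered by 'cert' and why (not)."""
    names = dns_names(cert)
    for name in names:
        if name_matches(name, hostname):
            return True, f"{hostname} matches certificate name {name}"
    return False, (
        f"{hostname} is not in the certificate (valid for: {', '.join(names)}); "
        "connect with the server hostname the certificate was issued for"
    )


if __name__ == "__main__":
    for host in ("server1.example.com", "mx.mail.example.com",
                 "www.customer.example", "mail.example.com"):
        ok, reason = check_connection_name(SERVER_CERT, host)
        print("OK  " if ok else "FAIL", reason)
```

In a real check you would obtain the dict from a verified TLS connection (for example via ssl.create_default_context() and getpeercert()); the point of the stand-alone version is to show which name the client must use, and why a wildcard for a subdomain does not rescue a connection to the bare domain.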
Oh, I forgot to mention: I didn't do the "Multiserver nodes without ISPConfig GUI" and "Set up an automatic renewal script" sections of the tutorial.
You can try to run the command: ispconfig_update.sh --force and let the updater create a valid certificate for the hostname, but this might fail now due to the SSL cert changes you made and because you used the hostname in that custom certificate. Alternatively, you must manually change the paths for the ssl certs of the other services to point to your custom certificate.
A Web Domain was created in the ISPConfig panel with the Let's Encrypt SSL option enabled. So, won't the renewal happen automatically? I was getting a verify_peer error in PHP. After I created the new certificate through the Site, using my hostname's Web Domain, in ISPConfig, and updated the symbolic links in Postfix, the error disappeared.
OK. I'll restore the snapshot prior to these certificate changes and run: ispconfig_update.sh --force Thank you, till.
OK. I found a problem... If the /etc/hosts file looks like this:

    127.0.0.1 localhost.localdomain localhost
    127.0.1.1 server1.example.com server1

The ispconfig_update.sh asks this question:

    Checking / creating certificate for server1.example.com
    Discovered acme.sh version 3.1.2 with certificate home /root/.acme.sh
    Using certificate path /root/.acme.sh/server1.example.com_ecc / /root/.acme.sh/server1.example.com_ecc/server1.example.com.cer
    Server's public ip(s) (177.xxx.xxx.xxx) not found in A/AAAA records for server1.example.com: 127.0.1.1
    Ignore DNS check and continue to request certificate? (y,n) [n]:

But if the /etc/hosts file looks like this:

    127.0.0.1 localhost.localdomain localhost
    177.xxx.xxx.xxx server1.example.com server1

The ispconfig_update.sh asks a different question:

    Checking / creating certificate for server1.example.com
    Discovered acme.sh version 3.1.2 with certificate home /root/.acme.sh
    Using certificate path /root/.acme.sh/server1.example.com_ecc / /root/.acme.sh/server1.example.com_ecc/server1.example.com.cer
    Using nginx for certificate validation
    Symlink ISPConfig SSL certs to Postfix? (y,n) [y]:
    Symlink ISPConfig SSL certs to Pure-FTPd? Creating dhparam file may take some time. (y,n) [y]:

So in my case the solution was to put my external IP instead of 127.0.1.1 in the /etc/hosts file. This fixed the verify_peer error in my PHP script for sending emails via SMTP. However, FileZilla keeps complaining about "Insecure FTP data connection"... Is it possible to resolve this without ignoring? NOTE: The host domain used in FileZilla is configured in Cloudflare, so I can't log in through it. When I try using the VPS hostname, FileZilla issues a complaint. Thanks!
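The post above shows the updater's DNS check failing because the hostname's /etc/hosts entry pointed at 127.0.1.1 rather than the server's public address. As an added example (not part of the ISPConfig updater or acme.sh), the script below parses hosts-file text, resolves the hostname through it, and reports the same two conditions the updater trips over: the name mapping to a loopback address, and none of its addresses being among the server's public IPs. The two hosts-file variants mirror the thread; the public address 177.10.20.30 is a made-up stand-in for the masked 177.xxx.xxx.xxx.

```python
"""Check how a hostname resolves through /etc/hosts before running
ispconfig_update.sh --force: an entry on 127.0.1.1 makes the updater's
A/AAAA check fail ("Server's public ip(s) ... not found").

Added example, not part of ISPConfig or acme.sh. The hosts-file contents
and the public IP below are constructed sample data.
"""
import ipaddress
from typing import Dict, List

# Constructed: the two /etc/hosts variants from the thread. 177.10.20.30 is a
# made-up stand-in for the masked public address.
HOSTS_LOOPBACK = """\
127.0.0.1 localhost.localdomain localhost
127.0.1.1 server1.example.com server1
"""
HOSTS_PUBLIC = """\
127.0.0.1 localhost.localdomain localhost
177.10.20.30 server1.example.com server1
"""
PUBLIC_IPS = ["177.10.20.30"]  # what the updater detected as the server's public IP(s)


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each name in hosts-file text to the addresses listed for it.

    Comments (#) and blank lines are skipped; a name may appear on several
    lines (IPv4 and IPv6), so addresses accumulate in file order.
    """
    names: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *aliases = line.split()
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            continue  # malformed line: ignore rather than guess
        for name in aliases:
            names.setdefault(name.lower(), []).append(addr)
    return names


def check_hostname_entry(text: str, hostname: str, public_ips: List[str]) -> List[str]:
    """Return the problems found for 'hostname' (an empty list means it is fine)."""
    problems: List[str] = []
    addrs = parse_hosts(text).get(hostname.lower(), [])
    if not addrs:
        return [f"{hostname} has no /etc/hosts entry"]
    for a in addrs:
        if ipaddress.ip_address(a).is_loopback:
            problems.append(
                f"{hostname} maps to loopback {a}; the updater's DNS check "
                "will not find a public IP"
            )
    if not any(a in public_ips for a in addrs):
        problems.append(f"none of {addrs} is among the server's public IPs {public_ips}")
    return problems


if __name__ == "__main__":
    for label, text in (("loopback entry", HOSTS_LOOPBACK), ("public entry", HOSTS_PUBLIC)):
        found = check_hostname_entry(text, "server1.example.com", PUBLIC_IPS)
        print(f"{label}: {'OK' if not found else '; '.join(found)}")
```

To run it against a real machine, read /etc/hosts into text and pass the server's actual public addresses; the check only looks at the hosts file, so the public DNS A/AAAA record for the hostname still has to point at the same address for the ACME validation to succeed.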
NEVER EVER create a website, and with it an SSL certificate, with the same hostname as your host! It will screw up your system certificate that was created during installation! And with that it will screw up mail and FTP eventually, among maybe other things. If you want to access the ISPConfig panel over https, create a website with a different hostname and in the settings proxy to the panel. When you want FTP to be able to use your websites' certificates too (basically implement SNI) besides the system certificate, then have a look here: https://forum.howtoforge.com/threads/pure-ftpd-sni.93295/