Let´s Encrypt working with ISPConfig interface, Postfix & Dovecot (TLS), Pure-FTPd & Monit

Discussion in 'Installation/Configuration' started by barbanza, Feb 13, 2017.

  1. barbanza

    barbanza New Member

    This quick guide work fine if you have installed ISPconfig with this guides:

    The Perfect Server - Debian Wheezy (Apache2, BIND, Dovecot, ISPConfig 3)
    The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1)
    Server Monitoring With munin And monit On Debian Wheezy

    Important: replace domain.name for your domain name and server.domain.name for your full server name.

    This guide generate two Lets Encrypt certificates:
    1.- server.domain.name: for ISPConfig server interface (used in port 8080), TLS and optional Pure-FTPd and/or Monit.
    2.- domain.name: for domain home/site with & without www (used in port 443).
    Recommended DNS setup for it:

    domain.name. A point to your server IP
    server.domain.name. A point to your server IP
    domain.name. MX point to server.domain.name.
    domain.name. TXT "v=spf1 mx ip4:YourServerIPv4 mx:server.domain.name -all"
    www CNAME point to domain.name.
    ftp, imap, mail, pop3 and smtp CNAME point to server.domain.name.
    If you required IPv6 support remember create "AAAA" to your server IPv6 for domain.name, server, ftp, imap, mail, pop3, smtp, www and modify SPF (domain.name. TXT "v=spf1 mx ip4:YourServerIPv4 ip6:YourServerIPv6 mx:server.domain.name -all").

    Note: if you have installed Debian Wheezy first modify postfix master.cf, update your system, update ISPConfig and install certbot (skip this step if you have installed Debian Jessie):

    sudo su
    nano /etc/postfix/master.cf
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
      #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
      #  -o milter_macro_daemon_name=ORIGINATING
    /etc/init.d/postfix restart
    apt-get update
    apt-get upgrade
    mkdir /opt/certbot
    cd /opt/certbot
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    No names were found in your configuration files. Please enter in your domain
    name(s) (comma and/or space separated)  (Enter 'c' to cancel): <-- c
    Request and setup server certificate

    Note: if you have an clean install "apache2 stop" work fine, but if you previously have installed Monit or others you can receive a message type "443 in use" when you try request server.domain.name certificate.
    To stop Apache in this case run again "/etc/init.d/apache2 stop" and try again to generate certificate.
    If second try dont resolve this issue repeat "/etc/init.d/apache2 stop" third time.

    sudo su
    /etc/init.d/apache2 stop
    /opt/certbot/certbot-auto certonly --standalone --renew-by-default -d server.domain.name
    mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.key.secure /usr/local/ispconfig/interface/ssl/ispserver.key.secure.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.csr /usr/local/ispconfig/interface/ssl/ispserver.csr.bak
    ln -s /etc/letsencrypt/live/server.domain.name/cert.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/server.domain.name/chain.pem /usr/local/ispconfig/interface/ssl/ispserver.bundle
    ln -s /etc/letsencrypt/live/server.domain.name/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    nano /etc/apache2/sites-available/ispconfig.vhost
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    /etc/init.d/apache2 restart
    mv /etc/postfix/smtpd.cert /etc/postfix/smtpd.cert.bak
    mv /etc/postfix/smtpd.key /etc/postfix/smtpd.key.bak
    ln -s /etc/letsencrypt/live/server.domain.name/fullchain.pem /etc/postfix/smtpd.cert
    ln -s /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/postfix/smtpd.key
    nano /etc/postfix/main.cf
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    /etc/init.d/postfix restart
    /etc/init.d/dovecot restart
    If you like use certificate with PureFTPd you require aditional pem file:

    mv /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd.pem.bak
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    chmod 700 /etc/letsencrypt/live/server.domain.name/full.pem
    ln -s /etc/letsencrypt/live/server.domain.name/full.pem /etc/ssl/private/pure-ftpd.pem
    /etc/init.d/pure-ftpd-mysql restart
    If you like use certificate with Monit you can use same pem file generated for PureFTPd:

    Skip this step only if you have generated full.pem for Pure-FTPd in previous step:

    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    chmod 700 /etc/letsencrypt/live/server.domain.name/full.pem
    Setup Lets certificate for Monit:

    mkdir /var/certs
    ln -s /etc/letsencrypt/live/server.domain.name/full.pem /var/certs/monit.pem
    nano /etc/monit/monitrc
    set httpd port 2812 and
         SSL ENABLE
         PEMFILE /var/certs/monit.pem
         allow admin:adminpw
    /etc/init.d/monit restart
    /etc/init.d/apache2 restart
    Websites certificate installation:

    1.- Access to your server interface -> Sites -> domain.name.
    2.- Select "SSL" & "Let's Encrypt SSL" and clic "Save".

    Note: dont are required fullfil SSL parameters for certification request, only check "SSL", "Let's Encrypt SSL" and "Save" it and wait a few seconds to complete certificate installation and activation.

    Manual update "full.pem" file (only required if you use certificate with PureFTPd and/or Monit):

    sudo su
    rm /etc/letsencrypt/live/server.domain.name/full.pem
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    chmod 700 /etc/letsencrypt/live/server.domain.name/full.pem
    Last edited: Feb 13, 2017
    borekon, Turbanator and Thaddeus like this.
  2. Tuumke

    Tuumke Active Member

    Hm thanks! Was looking for these things.
    Monit doesnt accept the fullchain.pem though.
    SSL: server private key loading failed -- error:0906D06C:pEM routines:pEM_read_bio:no start line
  3. barbanza

    barbanza New Member

    Hi Tuumke,
    Monit and Pure-FTPd dont accept fullchain.pem file from Lets, fullchain.pen only include certificate and chain but not key file. For Monit and Pure-FTPd your required cat key, cert and chain in this order in one new pem file (I name it on my quick guide as full.pem), chmod 700 it (Monit verify it and dont work with <700) and point Monit config to new file.

    Take note full.pem dont auto-renew, you are required to update it when Lets auto-renew certificate for server.domain.name.

    Apache2, Postfix and Dovecot use key, cert and chain provide from Lets and dont require none action, but if you use Lets certificate for Pure-FTPd and/or Monit (pem generate file) you required manual update it when server certificate its auto-renew.
    Last edited: Feb 13, 2017
  4. Tuumke

    Tuumke Active Member

    ah works now :)
    mv /var/certs/monit.pem /var/certs/monit.pem.bak
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    ln -fs /etc/letsencrypt/live/quwquw.tsictdiensten.nl/full.pem /var/certs/monit.pem
    chmod 0700 /var/certs/monit.pem
    This is just Monit though.

    I want for every client to be able to have their own ssl cert for pureftpd, mail etc
    I guess i could work with dns records to make this work.. right?
    But how would i do so

    server.domain.tld would be my ISPConfing
    with server.domain.tld:8080 being ISPConfig itself

    How would i setup domain2.tld?
    mail.domain2.tld would point to server.domain.tld?
    Last edited: Feb 13, 2017
  5. sjau

    sjau Local Meanie Moderator

    every client their own ssl cert for pureftpd, mail etc?

    postfix/dovecot can only load one cert. They do not support SNI but they support SAN. So you'd have to generate one cert containing all client domain names in them.
  6. barbanza

    barbanza New Member

    Hi sjau,

    I modify first post and now use directories and files from Apache2, Postfix and Dovecot.

    I think at this time its easy integrated it in one installation script or ISPConfig install script.

    1.- Script verify is certbot its installed if yes use it for generate certificate for server.domain.name from Lets.
    2.- Move old certificate files to *.bak
    3.- Create symbolic links for Apache2 and Postfix/Dovecot.
    4.- Uncoment "ispconfig.bundle" link in Apache2 conf file.

    Note: I dont include Pure-FTPd or Monit because both required special pem file (dont include con Lets certificate), only include Apache2, Postfix and Doivecot because all work fine with original Lets certificate, key and chanin files with simple symbolic links.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Good guide though I'd prefer using symlink rather than a direct link. Also a good note on full.pem. Maybe you can devise a script that run on LE cert, key and chain update, to change the full.pem as well? Just a thought as this can be very helpful and can ease everyone using it.
  8. barbanza

    barbanza New Member

    Hi ahrasis,

    I have modify first post and now in quick guide rename old certificate files to bak and create symlinks for Apache2, Postfix/Dovecot, Pure-FTPd and Monit.

    My experience with scripts its limited and this quick guide required some special stets (simple for Jessie but not for Wheezy).

    If some member like make script for it, for basic installacion (only for Apache2, Postfix and Dovecot):

    1.- Check if certbot its installed and install it.
    2.- Try to stop Apache2, if Monit or others are installed Apache2 dont stop in fist try and required second or inclusive thirt command execution, script only can continue if Apache2 its full stoped (Lets fail to generate certificate if Apache2 its working).
    3.- Generate certificate and verify if create it.
    4.- Move al certificate related files to .bak.
    5.- Create all required symlinks.
    6.- Uncoment in Apache2 conf file "ispserver.bundle" line.
    7.- Restart Apache2, Postfix and Dovecot.

    If required Pure-FTPd and/or Monit support its some more required steps:

    8.- Create special pem file for Pure-FTPd and Monit (with key crt and chain Lets files in this order).
    9.- Chmod 700 new pem file (this step is required for Monit).
    10.- Move original Pure-FTPd file to .bak
    11.- Make dir for Monit cert.
    12.- Create symlinks for Pure-FTPd and Monit.
    13.- Restar Pure-FTPd and Monit.


    14.- Reboot system.
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think that will not be so easy as LE is using python. Further I do think that LE or Cerbot should implement this rather than the end user like us hacking into their app files. As such, I open full.pem issue at both LE and Certbot githubs, hopefully, they take note, accept the idea, implement it and in the near future automatically create and update the full.pem when creating LE SSL.

    Edited: There already is such idea proposed earlier but I could not locate a working plugin for it.

    Anyway, following this guide I'd prefer the LE SSL links for other than ISPC be symlinked to ISPC because it will be easier to maintain.

    In the meantime, I will try create a script using inotifywait to execute a new ispconfig.pem file upon renewal of LE SSL files for the server. The script will be checking everyday via daily cron job and execute if LE SSL files are changed.
    Last edited: Feb 14, 2017
  10. barbanza

    barbanza New Member

    Hi ahrasis,

    From years I used certificates from StartSSL, but at this time certificates from it are distrusting from Firefox and from Google and others in the next days. You can search about it: "Distrusting New WoSign and StartCom Certificates".

    If you access to one server or website with one certificate from WoSign/StarCom you receive message about certificate revocation (at this time from Firefox but in the next days from others as Chrome).

    At this time StarSSL certificate are valid for 3 years, but when you access websites certificates from it with Firefox you receive message about certificate revocation, because this I move my server certificates to Lets Encrypt.

    Free alternative to StartSSL for server certificate ? at this time Lets Encrypt and in the next days Symantec Encryption Everywhere.

    Today have receive announce about SSL Lite from Symantec: free 1 certificate x domain, 1 server, 1 year, pay option to wildcard certificate for domain.

    I think in some days or weeks this can sollution this issue and free replace StarSSL at server certificate, we can use Symantec SSL Lite to secure server (server.domain.name) and use Lets Encrypt to secure all websites on it (from ISPConfig interface/Lets Encrypt).

    Note: sorry my bad a lot english.
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Thank you. I know about that already and what you understand is not what I meant. As I said, I'd prefer symlink and from the sample, I'd prefer if symlinks for others ere all made to ISPC instead of LE files. Your ways are symlinking all directly to LE files. In short yours are using LE <--- All symlinks. The guide I referred to is using LE <--- ISPC symlink <--- Others symlinks.
  12. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    dovecot does support SNI, for what it's worth.
  13. sjau

    sjau Local Meanie Moderator

    pretty moot point as long as postfix doesn't support sni and they have no intention to implement that.

Share This Page