Let´s Encrypt working with ISPConfig interface, Postfix & Dovecot (TLS), Pure-FTPd & Monit

Discussion in 'Installation/Configuration' started by barbanza, Feb 13, 2017.

  1. barbanza

    barbanza New Member

    This quick guide works fine if you have installed ISPConfig with these guides:

    The Perfect Server - Debian Wheezy (Apache2, BIND, Dovecot, ISPConfig 3)
    The Perfect Server - Debian 8.4 Jessie (Apache2, BIND, Dovecot, ISPConfig 3.1)
    Server Monitoring With munin And monit On Debian Wheezy


    Important: replace domain.name with your domain name and server.domain.name with your full server name.

    This guide generates two Let's Encrypt certificates:
    1.- server.domain.name: for the ISPConfig server interface (used on port 8080), TLS and optionally Pure-FTPd and/or Monit.
    2.- domain.name: for the domain home/site with & without www (used on port 443).
    Recommended DNS setup for it:

    Code:
    domain.name. A point to your server IP
    server.domain.name. A point to your server IP
    
    domain.name. MX point to server.domain.name.
    domain.name. TXT "v=spf1 mx ip4:YourServerIPv4 mx:server.domain.name -all"
    
    www CNAME point to domain.name.
    ftp, imap, mail, pop3 and smtp CNAME point to server.domain.name.
    
    If you require IPv6 support, remember to create "AAAA" records pointing to your server IPv6 for domain.name, server, ftp, imap, mail, pop3, smtp and www, and modify the SPF (domain.name. TXT "v=spf1 mx ip4:YourServerIPv4 ip6:YourServerIPv6 mx:server.domain.name -all").

    Note: if you have installed Debian Wheezy, first modify postfix master.cf, update your system, update ISPConfig and install certbot (skip this step if you have installed Debian Jessie):

    Code:
    ssh
    sudo su
    
    nano /etc/postfix/master.cf
    
    smtp      inet  n       -       -       -       -       smtpd
    #smtp      inet  n       -       -       -       1       postscreen
    #smtpd     pass  -       -       -       -       -       smtpd
    #dnsblog   unix  -       -       -       -       0       dnsblog
    #tlsproxy  unix  -       -       -       -       0       tlsproxy
    submission inet n       -       -       -       -       smtpd
      -o syslog_name=postfix/submission
      -o smtpd_tls_security_level=encrypt
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
      #  -o milter_macro_daemon_name=ORIGINATING
    smtps     inet  n       -       -       -       -       smtpd
      -o syslog_name=postfix/smtps
      -o smtpd_tls_wrappermode=yes
      -o smtpd_sasl_auth_enable=yes
      -o smtpd_client_restrictions = permit_mynetworks, permit_sasl_authenticated, reject_unknown_client_hostname, check_client_access mysql:/etc/postfix/mysql-virtual_client.cf, reject_rbl_client cbl.abuseat.org, reject_rbl_client b.barracudacentral.org
      #  -o milter_macro_daemon_name=ORIGINATING
    
    /etc/init.d/postfix restart
    
    apt-get update
    apt-get upgrade
    
    mkdir /opt/certbot
    cd /opt/certbot
    wget https://dl.eff.org/certbot-auto
    chmod a+x ./certbot-auto
    ./certbot-auto
    
    No names were found in your configuration files. Please enter in your domain
    name(s) (comma and/or space separated)  (Enter 'c' to cancel): <-- c
    
    ispconfig_update.sh
    
    reboot
    
    Request and setup server certificate

    Note: on a clean install "apache2 stop" works fine, but if you have previously installed Monit or others you can receive a message like "443 in use" when you try to request the server.domain.name certificate.
    To stop Apache in this case, run "/etc/init.d/apache2 stop" again and try again to generate the certificate.
    If the second try doesn't resolve this issue, repeat "/etc/init.d/apache2 stop" a third time.

    Code:
    ssh
    sudo su
    
    /etc/init.d/apache2 stop
    
    /opt/certbot/certbot-auto certonly --standalone --renew-by-default -d server.domain.name
    
    mv /usr/local/ispconfig/interface/ssl/ispserver.key /usr/local/ispconfig/interface/ssl/ispserver.key.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.key.secure /usr/local/ispconfig/interface/ssl/ispserver.key.secure.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.crt /usr/local/ispconfig/interface/ssl/ispserver.crt.bak
    mv /usr/local/ispconfig/interface/ssl/ispserver.csr /usr/local/ispconfig/interface/ssl/ispserver.csr.bak
    
    ln -s /etc/letsencrypt/live/server.domain.name/cert.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/server.domain.name/chain.pem /usr/local/ispconfig/interface/ssl/ispserver.bundle
    ln -s /etc/letsencrypt/live/server.domain.name/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    
    nano /etc/apache2/sites-available/ispconfig.vhost
    
      SSLCertificateFile /usr/local/ispconfig/interface/ssl/ispserver.crt
      SSLCertificateKeyFile /usr/local/ispconfig/interface/ssl/ispserver.key
      SSLCACertificateFile /usr/local/ispconfig/interface/ssl/ispserver.bundle
    
    /etc/init.d/apache2 restart
    
    mv /etc/postfix/smtpd.cert /etc/postfix/smtpd.cert.bak
    mv /etc/postfix/smtpd.key /etc/postfix/smtpd.key.bak
    
    ln -s /etc/letsencrypt/live/server.domain.name/fullchain.pem /etc/postfix/smtpd.cert
    ln -s /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/postfix/smtpd.key
    
    nano /etc/postfix/main.cf
    
    smtpd_use_tls = yes
    smtpd_tls_auth_only = yes
    
    /etc/init.d/postfix restart
    /etc/init.d/dovecot restart
    
    If you want to use the certificate with Pure-FTPd you need an additional pem file:

    Code:
    mv /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd.pem.bak
    
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    
    chmod 700 /etc/letsencrypt/live/server.domain.name/full.pem
    
    ln -s /etc/letsencrypt/live/server.domain.name/full.pem /etc/ssl/private/pure-ftpd.pem
    
    /etc/init.d/pure-ftpd-mysql restart
    
    If you want to use the certificate with Monit you can use the same pem file generated for Pure-FTPd:

    Skip this step only if you have generated full.pem for Pure-FTPd in the previous step:

    Code:
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    
    chmod 700 /etc/letsencrypt/live/server.domain.name/full.pem
    
    Set up the Let's Encrypt certificate for Monit:

    Code:
    mkdir /var/certs
    
    ln -s /etc/letsencrypt/live/server.domain.name/full.pem /var/certs/monit.pem
    
    nano /etc/monit/monitrc
    
    set httpd port 2812 and
         SSL ENABLE
         PEMFILE /var/certs/monit.pem
         allow admin:adminpw
    
    /etc/init.d/monit restart
    
    /etc/init.d/apache2 restart
    
    Website certificate installation:

    1.- Access your server interface -> Sites -> domain.name.
    2.- Select "SSL" & "Let's Encrypt SSL" and click "Save".

    Note: it is not required to fill in the SSL parameters for the certificate request; only check "SSL" and "Let's Encrypt SSL", "Save" it and wait a few seconds to complete certificate installation and activation.

    Manually update the "full.pem" file (only required if you use the certificate with Pure-FTPd and/or Monit):

    Code:
    ssh
    sudo su
    
    rm /etc/letsencrypt/live/server.domain.name/full.pem
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    chmod 700 /etc/letsencrypt/live/server.domain.name/full.pem
    
    reboot
    
     
    Last edited: Feb 13, 2017
  2. Tuumke

    Tuumke Active Member

    Hm thanks! Was looking for these things.
    Monit doesn't accept the fullchain.pem though.
    SSL: server private key loading failed -- error:0906D06C:pEM routines:pEM_read_bio:no start line
     
  3. barbanza

    barbanza New Member

    Hi Tuumke,
    Monit and Pure-FTPd don't accept the fullchain.pem file from Let's Encrypt; fullchain.pem only includes the certificate and chain but not the key file. For Monit and Pure-FTPd you are required to cat key, cert and chain in this order into one new pem file (I name it in my quick guide full.pem), chmod 700 it (Monit verifies it and doesn't work with <700) and point the Monit config to the new file.

    Take note full.pem doesn't auto-renew; you are required to update it when Let's Encrypt auto-renews the certificate for server.domain.name.

    Apache2, Postfix and Dovecot use the key, cert and chain provided by Let's Encrypt and don't require any action, but if you use the Let's Encrypt certificate for Pure-FTPd and/or Monit (generated pem file) you are required to manually update it when the server certificate is auto-renewed.
     
    Last edited: Feb 13, 2017
  4. Tuumke

    Tuumke Active Member

    ah works now :)
    Code:
    mv /var/certs/monit.pem /var/certs/monit.pem.bak
    cat /etc/letsencrypt/live/server.domain.name/privkey.pem /etc/letsencrypt/live/server.domain.name/cert.pem /etc/letsencrypt/live/server.domain.name/chain.pem > /etc/letsencrypt/live/server.domain.name/full.pem
    ln -fs /etc/letsencrypt/live/quwquw.tsictdiensten.nl/full.pem /var/certs/monit.pem
    chmod 0700 /var/certs/monit.pem
    This is just Monit though.

    I want every client to be able to have their own SSL cert for pureftpd, mail etc
    -edit-
    I guess I could work with DNS records to make this work.. right?
    But how would I do so?

    server.domain.tld would be my ISPConfig
    with server.domain.tld:8080 being ISPConfig itself

    How would I set up domain2.tld?
    mail.domain2.tld would point to server.domain.tld?
     
    Last edited: Feb 13, 2017
  5. sjau

    sjau Local Meanie Moderator

    Every client their own SSL cert for pureftpd, mail etc?

    Postfix/Dovecot can only load one cert. They do not support SNI but they support SAN. So you'd have to generate one cert containing all client domain names in it.
     
  6. barbanza

    barbanza New Member

    Hi sjau,

    I modified the first post and now use directories and files from Apache2, Postfix and Dovecot.

    I think at this time it's easy to integrate it in one installation script or the ISPConfig install script.

    1.- Script verifies if certbot is installed; if yes, uses it to generate the certificate for server.domain.name from Let's Encrypt.
    2.- Move old certificate files to *.bak
    3.- Create symbolic links for Apache2 and Postfix/Dovecot.
    4.- Uncomment the "ispconfig.bundle" link in the Apache2 conf file.

    Note: I don't include Pure-FTPd or Monit because both require a special pem file (not included with the Let's Encrypt certificate); I only include Apache2, Postfix and Dovecot because all work fine with the original Let's Encrypt certificate, key and chain files with simple symbolic links.
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Good guide, though I'd prefer using a symlink rather than a direct link. Also a good note on full.pem. Maybe you can devise a script that runs on LE cert, key and chain update, to change the full.pem as well? Just a thought, as this can be very helpful and can ease everyone using it.
     
  8. barbanza

    barbanza New Member

    Hi ahrasis,

    I have modified the first post and now in the quick guide rename old certificate files to bak and create symlinks for Apache2, Postfix/Dovecot, Pure-FTPd and Monit.

    My experience with scripts is limited and this quick guide requires some special steps (simple for Jessie but not for Wheezy).

    If some member would like to make a script for it, for a basic installation (only for Apache2, Postfix and Dovecot):

    1.- Check if certbot is installed and install it.
    2.- Try to stop Apache2; if Monit or others are installed Apache2 doesn't stop on the first try and requires a second or even third command execution. The script can only continue if Apache2 is fully stopped (Let's Encrypt fails to generate the certificate if Apache2 is running).
    3.- Generate the certificate and verify it was created.
    4.- Move all certificate related files to .bak.
    5.- Create all required symlinks.
    6.- Uncomment the "ispserver.bundle" line in the Apache2 conf file.
    7.- Restart Apache2, Postfix and Dovecot.

    If Pure-FTPd and/or Monit support is required there are some more required steps:

    8.- Create the special pem file for Pure-FTPd and Monit (with the key, crt and chain Let's Encrypt files in this order).
    9.- Chmod 700 the new pem file (this step is required for Monit).
    10.- Move the original Pure-FTPd file to .bak
    11.- Make a dir for the Monit cert.
    12.- Create symlinks for Pure-FTPd and Monit.
    13.- Restart Pure-FTPd and Monit.

    Finally:

    14.- Reboot system.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I think that will not be so easy as LE is using Python. Further, I do think that LE or Certbot should implement this rather than end users like us hacking into their app files. As such, I opened a full.pem issue at both the LE and Certbot GitHubs; hopefully they take note, accept the idea, implement it and in the near future automatically create and update the full.pem when creating LE SSL.

    Edited: There already is such an idea proposed earlier but I could not locate a working plugin for it.

    Anyway, following this guide I'd prefer the LE SSL links for other than ISPC be symlinked to ISPC because it will be easier to maintain.

    In the meantime, I will try to create a script using inotifywait to generate a new ispconfig.pem file upon renewal of the LE SSL files for the server. The script will be checking every day via a daily cron job and execute if the LE SSL files are changed.
     
    Last edited: Feb 14, 2017
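    Added example, not code from the thread or from ISPConfig/certbot: a POSIX shell script that implements barbanza's key-cert-chain ordering rule (post 3) and steps 8-13 of the script outline above, in the form of the renewal hook ahrasis asks for. It assumes certbot's renewal hook interface (certbot exports RENEWED_LINEAGE, the /etc/letsencrypt/live/<name> directory, to --deploy-hook / --renew-hook scripts), which is newer than the certbot-auto run used in this thread; the function names build_full_pem, pem_block_order and full_pem_ok are this example's own. The test inputs it is exercised with are constructed PEM-shaped files, not real keys.

```shell
#!/bin/sh
# Rebuild the combined full.pem that Monit and Pure-FTPd need (private key first,
# then cert, then chain) after a Let's Encrypt renewal, then restart both services.
# The hook block at the bottom only runs when certbot has set RENEWED_LINEAGE.
# Paths other than certbot's own are the ones used in this thread; the function
# names are this example's own (assumption, not an ISPConfig or certbot API).

# build_full_pem LIVE_DIR OUT
# Concatenates privkey.pem, cert.pem and chain.pem from LIVE_DIR into OUT.
# The data is written to a temp file created with mode 0600 (umask 077) and renamed
# into place, so no reader ever sees a half-written or world-readable key file.
# 0700 is the mode the thread sets; Monit refuses a PEM file that is group- or
# world-accessible.
build_full_pem() {
    live=$1; out=$2
    for part in privkey.pem cert.pem chain.pem; do
        [ -s "$live/$part" ] || { echo "build_full_pem: missing $live/$part" >&2; return 1; }
    done
    # privkey.pem must come first: Monit's "PEM_read_bio:no start line" error quoted
    # in the thread is what you get when the file does not begin with the key.
    tmp="$out.tmp.$$"
    ( umask 077 && cat "$live/privkey.pem" "$live/cert.pem" "$live/chain.pem" > "$tmp" ) \
        || { rm -f "$tmp"; return 1; }
    chmod 0700 "$tmp" && mv -f "$tmp" "$out"
}

# pem_block_order FILE
# Prints the PEM block labels in file order, comma separated, e.g.
# "PRIVATE KEY,CERTIFICATE,CERTIFICATE". Used to verify the key-cert-chain order.
pem_block_order() {
    awk '/^-----BEGIN / { sub(/^-----BEGIN /, ""); sub(/-----$/, "");
                          s = s (s == "" ? "" : ",") $0 }
         END { print s }' "$1"
}

# full_pem_ok FILE
# Returns 0 when FILE starts with a private key followed by at least one
# certificate and its mode is exactly 0700; fullchain.pem (no key) fails here,
# which is exactly why Monit rejected it in post 2.
full_pem_ok() {
    order=$(pem_block_order "$1")
    case "$order" in
        "PRIVATE KEY,CERTIFICATE"*|"RSA PRIVATE KEY,CERTIFICATE"*|"EC PRIVATE KEY,CERTIFICATE"*) ;;
        *) echo "full_pem_ok: bad block order: '$order'" >&2; return 1 ;;
    esac
    mode=$(ls -l "$1" | cut -c1-10)
    [ "$mode" = "-rwx------" ] || { echo "full_pem_ok: mode is $mode, expected -rwx------" >&2; return 1; }
}

# Renewal hook entry point: certbot sets RENEWED_LINEAGE when calling a hook.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    full="$RENEWED_LINEAGE/full.pem"
    build_full_pem "$RENEWED_LINEAGE" "$full" && full_pem_ok "$full" || exit 1
    # /var/certs/monit.pem and /etc/ssl/private/pure-ftpd.pem are symlinks to
    # full.pem in the thread's setup, so only the services need to reload it.
    for svc in monit pure-ftpd-mysql; do
        [ -x "/etc/init.d/$svc" ] && "/etc/init.d/$svc" restart
    done
fi
```

    Wire it in with "certbot renew --deploy-hook /path/to/this-script.sh" (or drop it into /etc/letsencrypt/renewal-hooks/deploy/ on certbot releases that have that directory); without RENEWED_LINEAGE set the script only defines the functions, so it can be sourced and used to check an existing full.pem by hand.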
  10. barbanza

    barbanza New Member

    Hi ahrasis,

    For years I used certificates from StartSSL, but at this time certificates from it are being distrusted by Firefox and by Google and others in the next days. You can search about it: "Distrusting New WoSign and StartCom Certificates".

    If you access a server or website with a certificate from WoSign/StartCom you receive a message about certificate revocation (at this time from Firefox but in the next days from others such as Chrome).

    At this time StartSSL certificates are valid for 3 years, but when you access websites with certificates from it with Firefox you receive a message about certificate revocation; because of this I moved my server certificates to Let's Encrypt.

    Free alternative to StartSSL for the server certificate? At this time Let's Encrypt and in the next days Symantec Encryption Everywhere.

    Today I received an announcement about SSL Lite from Symantec: free 1 certificate per domain, 1 server, 1 year, paid option for a wildcard certificate for the domain.

    I think in some days or weeks this can solve this issue and freely replace StartSSL for the server certificate: we can use Symantec SSL Lite to secure the server (server.domain.name) and use Let's Encrypt to secure all websites on it (from ISPConfig interface/Let's Encrypt).

    Note: sorry for my bad English.
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Thank you. I know about that already and what you understand is not what I meant. As I said, I'd prefer symlink and from the sample, I'd prefer if symlinks for others were all made to ISPC instead of LE files. Your way is symlinking all directly to LE files. In short yours is using LE <--- All symlinks. The guide I referred to is using LE <--- ISPC symlink <--- Others symlinks.
     
  12. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    dovecot does support SNI, for what it's worth.
     
  13. sjau

    sjau Local Meanie Moderator

    Pretty moot point as long as Postfix doesn't support SNI and they have no intention to implement that.
     