Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. webguyz

    webguyz Active Member HowtoForge Supporter

    I was looking at the acme.sh script but not sure about the renewals but looking again I see there is ISPConfig 3.1 api support. Will have to dig into that. Thanks!
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    My suggestions are as posted few post above yours if this guide is to be followed as a sample.

    However, you may want to try the approach suggested by @Tuumke which he has opened a thread on how to do it.

    Tuumke approach is basically based on earlier posts / discussions by @sjau (acme.sh approach) which is also technically quite similar to certbot approach by @Jesse Norell.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    [Using Let's Encrypt In ISPConfig Multi Server Setup]

    7A. Let's say that you have a mail server at mail.example.tld different from the main server website of server1.example.tld due to chosing an ISPConfig multiple server setup, so, after following the guide and successfully have Let's Encrypt SSL certs for ISPConfig Control Panel at port 8080, you may extend them to this mail service, even if it is on another server.

    Step A - Keyless Login
    What you need to do, before or after Step #6, is to setup the said mail server and then implement Keyless Login as prescribed in Keyless Login From Server To Server in Cluster Server guide. Please ensure that this is working as it is relied upon by the following steps.

    Step B - Create Alias Domain, Activate & Check LE SSL For It
    Create aliasdomain for the other server mail.example.tld under the main server server1.example.tld. Activate Let's Encrypt SSL for mail.example.tld by untick + save and retick + save SSL + LE buttons in server1.example.tld website setting page. Browse https://mail.example.tld to determine whether the above activation is already successful.

    Step C - Copying Let's Encrypt Folder
    The easiest way is to copy all letLs Encrypt from the main server to the mail server by running:
    Code:
    scp -r /etc/letsencrypt/ [email protected]:/etc/
    You must add the above code accordingly to your le_ispc_pem.sh in the main server if you want it to do an automatic update upon its Let's Encrypt SSL files' renewal. Add -P XX (where xx is port number) after scp if you change your default ssh port from 22 to other number.

    *Note that you ma also copy only the necessary files, by first creating Let's Encrypt SSL folder in the mail server like this /etc/letsencrypt/live/mail.example.tld/ and then from main server terminal, run: "scp -r /etc/letsencrypt/live/$(hostname -f)/*.pem [email protected]:/etc/letsencrypt/live/mail.example.tld/".

    Step D - Follow Step #7
    You may follow step #7 to add Let's Encrypt SSL accordingly to the relevant services that you made available in mail.example.tld server. Do change hostname -f or server1.domain.tld to mail.example.tld where necessary, accordingly, as in multiserver setup, each hostname will be different.

    Important Note:
    1. I already added a note on this on the main guide, updated the one in LE4ISPC github and hope this should already cover Let's Encrypt SSL certs for ISPConfig MultiServer setup for those who intending to or already use this approach.
    2. For securing mysql server, do refer to post #247.

    Reponse To Raised Issue:
    I have read some posts that questioned about scp / resync of the LE SSL certs approach for ISPConfig multi server setup and claimed it might break live servers / websites in a multi server setup.

    In response to that, I'd say scp / resync approach is safe as the certs are normally renewed right after 60 days, and pending that, the old certs will still remain valid and will not break any live servers / websites for another 30 days.

    If there is any hiccup in the certs renewal, there'll be several warning emails before the expiry of 90 days to remind the domain owner provided certbot email was properly setup.
     
    Last edited: Sep 27, 2020
    Taleman likes this.
  4. budgierless

    budgierless Member HowtoForge Supporter

    hi, dose this script support Let's Encrypt SSL joining to postfix email tls/ssl for each domian? or is that i different kind of cert?
     
  5. Tapiocapioca

    Tapiocapioca New Member

    Hello, I am using the procedure at the first page and is working fine but I have many domains on my VPS. I need access at the email by IMAP with differents dns, but all requests are rejected because the certificate in not valid. I try to make one example.

    Main domain: tapiolla.com HTTPS Working
    Main domain: www.tapiolla.com HTTPS Working
    Main email: mail.tapiolla.com SSL Working
    Second domain: tapiocapioca.com HTTPS Working
    Second domain: www.tapiocapioca.com HTTPS Working
    Main email: mail.tapiocapioca.com SSL NOT Working

    This situation make me many trobles, if I use the DNS mail.tapiolla.com to send emails from the domain tapiocapioca.com the email is delivered but happen not recived bacause the verification SPF fail. If i delivery emails from the domain tapiocapioca.com with the dns mail.tapiocapioca.com the emails are directly rejected because the certifiate is valid only for mail.tapiolla.com

    By my self I made the certificate handmade with the command:

    /usr/bin/certbot certonly --standalone --email [email protected] -d tapiolla.com -d www.tapiolla.com -d mail.tapiolla.com -d tapiocapioca.com -d www.tapiocapioca.com -d mail.tapiocapioca.com

    and inside the folder /etc/letsencrypt/live/tapiolla.com/ I found the certificated

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

    already valid about all dns i need.
    Following the procedure at the first page all DNS I need are working because the certificate handmade is valid about all DNS available.

    Someone know the way to make the procedure automatic? On the page of the site i have only 3 options to generate the certificate

    tapiolla.com
    www.tapiolla.com
    *.tapiolla.com

    Is it possible modify the templare of this page somewhere or the script automatically generate the certificate about the site tapiolla.com ?? I like if I can write by myself all domain I need. I hope someone can give me one suggestion about.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally you won't connect with the domain of a client to the imap server, instead, you use the server hostname or a central 'mail' subdomain of the provider and for this server hostname subdomain, you create an SSL cert. That's the correct setup and what's described in this thread. Your delivery problems are not related to the SSL cert, if you have an spf error, then check and correct your spf record.
     
    ahrasis likes this.
  7. Tapiocapioca

    Tapiocapioca New Member

    I have a different feedback maybe I wrote bad. Actually with the certificate generate by myself I can connect the client (thunderbird) to the URL mail.tapiocapioca.com to send one email like [email protected] and I have not errors. Google when recive the email recognise spf correctly.
    With the default certificate made by this guide the connection was directly rejected with mail.tapiocapioca.com, and if I connect thunderbird on the URL mail.tapiolla.com gave my one errore, like Firefox, there is one certificate not valid and ask me to acquire one exception. Acquiring the exception I can send one email like [email protected] but, without any kind of modify, google not recognise the spf and show me ? On the icon of the email I recived. I hope I am more clear now.. :)

    Probably i did somenthing wrong
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so what you claimed in your first that email is failing to be delivered due to an SPF error is not the case. Fine, so there is no SPF issue then.

    Regarding SSL cert in Thunderbird, I explained that in my post. You issue an SSL cert for the hostname of the server and not for each mail subdomain on a server and then you use that hostname to connect with thunderbird and that's the procedure described in this thread. So go back to the first post and follow the instructions that you find there to create an SSL cert for the server hostname of your server. This ssl cert does not have to contain any other domains like you claim in your post.
     
    ahrasis likes this.
  9. Tapiocapioca

    Tapiocapioca New Member

    I found the trouble, I am using Debian so if I use
    /etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
    inside incrontab -e is not workind. I modified the command and now everything is ok :)
     
  10. Poliman

    Poliman Member

    Is it possible to set up specific certificate for particular domain? On my server I have few domains. Currently postfix/dovecot use LE SSL created for s1.domain.net which is hostname of the server. I can open ISP panel under s1.domain.net:8080. When I try send an email from another domain, example [email protected], postfix/dovecot still use s1.domain.net ssl certificate.
    This is quite huge problem, because Zend application does not allow to send emails from domains which are signed another/self signed certificate.
     
  11. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    You could request certificates with sets of domain names included in therm and then configure postfix and dovecot to use them, but there isn't much support in ISPConfig for that at this time. You will need to use a different IP address for each certificate, as postfix doesn't support SNI. I think there have been examples of the postfix config posted before; I don't know about examples dovecot configure offhand, though I've done that on non-ISPConfig servers and it's not difficult.
     
    Poliman likes this.
  12. Poliman

    Poliman Member

    Thank you for anser. Currently I have only one IP and I am affraid it won't change in the future.

    PS
    Jesse, do you know maybe why after set up MAILTO in crontab (cronjobs in ISP create in etc/cron.d specific file like ispc_webX with cron lines), mail won't send? I tried command
    Code:
    echo Test | mail -s Test [email protected]
    and I got nice email.
     
  13. DylanPedro

    DylanPedro Member

    I think the guide misses out that in order for phpmyadmin to work on an nginx server on port 8081 as default the following has to be added to: Server Config > Web > Apps Vhost Settings > Apps-vhost port :
    Code:
    8081 ssl; ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You may add it yourselves but I'd prefer to use custom conf for that as I need to add a lot more than just ssl and this way is more effective to me. I would add the /usr/local/ispconfig/server/conf-custom/nginx_apps.vhost.master where its upper part is something like this:
    Code:
    server {
      listen {apps_vhost_ip}{apps_vhost_port} http2;
      listen [::]:{apps_vhost_port} ipv6only=on http2;
    
      # Copied ssl from ispconfig.vhost, if any
      ssl on;
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
      ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
      ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers on;
    
      # redirect to https if accessed with http
      error_page 497 https://$host:{apps_vhost_port}$request_uri;
      error_log /var/log/ispconfig/ispconfig.log;
    
      server_name {apps_vhost_servername};
    
      root {apps_vhost_dir};
    
      client_max_body_size 100M;
    
      location / {
      index index.php index.html;
      }
    
      # serve static files directly
      # location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt|eot|ttf|otf|woff|woff2|svg)$ {
      location ~* \.(ogg|ogv|svg|svgz|eot|ttf|otf|woff|woff2|mp4|mp3|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|html|xml|txt|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)(\?ver=[0-9.]+)?$ {
      access_log off;
      log_not_found off;
      # expires 365d;
      expires max;
      }
    
      location ~* \.(pdf)$ {
      expires 30d;
      }
    
    
     
    Last edited: Feb 23, 2018
  15. DylanPedro

    DylanPedro Member

    But this is on a single server environment and port 8081 is default on an nginx server for ispconfig apps such as phpmyadmin.

    Following the guide will break the default settings for phpmyadmin on an nginx setup if wanting to use ssl?
     
  16. helmo

    helmo Member HowtoForge Supporter

    Thanks for writing up on this.
     
  17. helmo

    helmo Member HowtoForge Supporter

    ... just for reference, there also is a gitlab issue about integrating support for this.
     
  18. helmo

    helmo Member HowtoForge Supporter

    sorry three posts are needed to get passed the link limit on accounts with less then 2 posts.
     
  19. helmo

    helmo Member HowtoForge Supporter

  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes but the guide will not break it.
     
    Last edited: Feb 23, 2018

Share This Page