Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. webguyz

    webguyz Active Member HowtoForge Supporter

    I was looking at the acme.sh script but was not sure about the renewals; looking again, I see there is ISPConfig 3.1 API support. Will have to dig into that. Thanks!
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    My suggestions are as posted a few posts above yours, if this guide is to be followed as a sample.

    However, you may want to try the approach suggested by @Tuumke, who has opened a thread on how to do it.

    Tuumke's approach is basically based on earlier posts / discussions by @sjau (acme.sh approach), which is also technically quite similar to the certbot approach by @Jesse Norell.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    [Using Let's Encrypt In ISPConfig Multi Server Setup]

    7A. Let's say that you have a mail server at mail.example.tld, different from the main server website server1.example.tld because you chose an ISPConfig multiple server setup. After following the guide and successfully obtaining Let's Encrypt SSL certs for the ISPConfig Control Panel at port 8080, you may extend them to this mail service, even if it is on another server.

    Step A - Keyless Login
    What you need to do, before or after Step #6, is to set up the said mail server and then implement Keyless Login as prescribed in the Keyless Login From Server To Server in Cluster Server guide. Please ensure that this is working, as it is relied upon by the following steps.

    Step B - Create Alias Domain, Activate & Check LE SSL For It
    Create an aliasdomain for the other server, mail.example.tld, under the main server server1.example.tld. Activate Let's Encrypt SSL for mail.example.tld by unticking + saving and re-ticking + saving the SSL + LE buttons in the server1.example.tld website settings page. Browse https://mail.example.tld to determine whether the above activation was successful.

    Step C - Copying Let's Encrypt Folder
    The easiest way is to copy the whole Let's Encrypt folder from the main server to the mail server by running:
    Code:
    scp -r /etc/letsencrypt/ root@mail.example.tld:/etc/
    You must add the above code accordingly to your le_ispc_pem.sh in the main server if you want it to do an automatic update upon its Let's Encrypt SSL files' renewal. Add -P XX (where XX is the port number) after scp if you changed your default ssh port from 22 to another number.

    *Note that you may also copy only the necessary files, by first creating the Let's Encrypt SSL folder in the mail server, like this: /etc/letsencrypt/live/mail.example.tld/, and then, from the main server terminal, run:
    Code:
    scp -r /etc/letsencrypt/live/$(hostname -f)/*.pem root@mail.example.tld:/etc/letsencrypt/live/mail.example.tld/

    Step D - Follow Step #7
    You may follow step #7 to add Let's Encrypt SSL accordingly to the relevant services that you made available on the mail.example.tld server. Do change hostname -f or server1.domain.tld to mail.example.tld where necessary, as in a multiserver setup each hostname will be different.

    Important Note:
    1. I already added a note on this in the main guide and updated the one in the LE4ISPC github, and hope this should already cover Let's Encrypt SSL certs for ISPConfig MultiServer setups for those who are intending to use or already use this approach.
    2. For securing the mysql server, do refer to post #247.

    Response To Raised Issue:
    I have read some posts that questioned the scp / resync of the LE SSL certs approach for ISPConfig multi server setups and claimed it might break live servers / websites in a multi server setup.

    In response to that, I'd say the scp / resync approach is safe, as the certs are normally renewed right after 60 days, and pending that, the old certs will still remain valid and will not break any live servers / websites for another 30 days.

    If there is any hiccup in the certs renewal, there'll be several warning emails before the expiry of 90 days to remind the domain owner, provided the certbot email was properly set up.
     
    Last edited: Sep 27, 2020
    Taleman likes this.
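As an added example (not code from the LE4ISPC guide or from the le_ispc_pem.sh it describes), here is a script that the main server could call from le_ispc_pem.sh after each renewal to do Step C and the reload part of Step D in one go. It refuses to push a private key that does not belong to the certificate, copies only the pem files (as in the note above) instead of the whole /etc/letsencrypt tree with its account keys, passes the ssh port flag only when the port is not 22, and reloads rather than restarts the mail services on the other side. The mail host name mail.example.tld, root as the remote user, the systemd unit names postfix and dovecot, and the certbot lineage being named after `hostname -f` are assumptions taken from this thread's setup.

```shell
#!/bin/sh
# push_le_certs.sh - added example, not part of the LE4ISPC guide.
# Assumptions: the panel host's certbot lineage is named after `hostname -f`,
# key-based root ssh to the mail server already works (Step A), and the mail
# server keeps its copy under /etc/letsencrypt/live/<its own fqdn>/.
set -eu

CERT_NAME="${CERT_NAME:-$(hostname -f 2>/dev/null || uname -n)}"
LOCAL_LIVE="/etc/letsencrypt/live/$CERT_NAME"
REMOTE_HOST="${REMOTE_HOST:-mail.example.tld}"   # assumption: your mail server's FQDN
REMOTE_USER="${REMOTE_USER:-root}"
SSH_PORT="${SSH_PORT:-22}"
REMOTE_LIVE="/etc/letsencrypt/live/$REMOTE_HOST"

# Port flag is only needed when sshd is not on 22 (ssh uses -p, scp uses -P).
port_flag() { # $1=tool (ssh|scp) $2=port
  [ "$2" = 22 ] && return 0
  case "$1" in
    ssh) printf -- '-p %s' "$2" ;;
    scp) printf -- '-P %s' "$2" ;;
  esac
}

# Refuse to ship a key that does not belong to the cert: a half-written
# renewal would otherwise take the remote services down on reload.
pair_matches() { # $1=fullchain.pem $2=privkey.pem
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

push() {
  pair_matches "$LOCAL_LIVE/fullchain.pem" "$LOCAL_LIVE/privkey.pem" \
    || { echo "cert/key mismatch in $LOCAL_LIVE, not pushing" >&2; return 1; }

  # shellcheck disable=SC2046  (empty or two-word flag is intended)
  ssh $(port_flag ssh "$SSH_PORT") "$REMOTE_USER@$REMOTE_HOST" \
    "umask 077 && mkdir -p '$REMOTE_LIVE'"

  # live/ holds symlinks into archive/; scp follows them, so the mail server
  # receives plain files under its own live/<fqdn>/ directory.
  scp $(port_flag scp "$SSH_PORT") "$LOCAL_LIVE"/*.pem \
    "$REMOTE_USER@$REMOTE_HOST:$REMOTE_LIVE/"

  # Keep the key private on the remote side and reload (not restart) so that
  # open IMAP sessions survive the certificate switch.
  ssh $(port_flag ssh "$SSH_PORT") "$REMOTE_USER@$REMOTE_HOST" \
    "chmod 600 '$REMOTE_LIVE'/privkey.pem && systemctl reload postfix dovecot"
}

# Only act when called with --push, so the functions can be sourced or tested.
if [ "${1:-}" = "--push" ]; then
  push
fi
```

Run it as `sh push_le_certs.sh --push`, optionally with REMOTE_HOST and SSH_PORT set in the environment; without `--push` it only defines the functions. Because the files land as plain files rather than symlinks, the service configs from Step D can point at /etc/letsencrypt/live/mail.example.tld/ directly on the mail server.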
  4. budgierless

    budgierless Member HowtoForge Supporter

    Hi, does this script support Let's Encrypt SSL joining to postfix email TLS/SSL for each domain? Or is that a different kind of cert?
     
  5. Tapiocapioca

    Tapiocapioca New Member

    Hello, I am using the procedure on the first page and it is working fine, but I have many domains on my VPS. I need to access the email by IMAP with different DNS names, but all requests are rejected because the certificate is not valid. I'll give an example.

    Main domain: tapiolla.com HTTPS Working
    Main domain: www.tapiolla.com HTTPS Working
    Main email: mail.tapiolla.com SSL Working
    Second domain: tapiocapioca.com HTTPS Working
    Second domain: www.tapiocapioca.com HTTPS Working
    Main email: mail.tapiocapioca.com SSL NOT Working

    This situation causes me many troubles: if I use the DNS name mail.tapiolla.com to send emails from the domain tapiocapioca.com, the email is delivered but not received because the SPF verification fails. If I deliver emails from the domain tapiocapioca.com with the DNS name mail.tapiocapioca.com, the emails are directly rejected because the certificate is valid only for mail.tapiolla.com.

    By myself I made the certificate by hand with the command:

    /usr/bin/certbot certonly --standalone --email [email protected] -d tapiolla.com -d www.tapiolla.com -d mail.tapiolla.com -d tapiocapioca.com -d www.tapiocapioca.com -d mail.tapiocapioca.com

    and inside the folder /etc/letsencrypt/live/tapiolla.com/ I found the certificates

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

    already valid for all the DNS names I need.
    Following the procedure on the first page, all the DNS names I need are working because the handmade certificate is valid for all of them.

    Does someone know a way to make the procedure automatic? On the site's page I have only 3 options to generate the certificate

    tapiolla.com
    www.tapiolla.com
    *.tapiolla.com

    Is it possible to modify the template of this page somewhere, or the script that automatically generates the certificate for the site tapiolla.com? I would like to be able to write all the domains I need myself. I hope someone can give me a suggestion about this.
     
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    Normally you won't connect with the domain of a client to the IMAP server; instead, you use the server hostname or a central 'mail' subdomain of the provider, and for this server hostname subdomain you create an SSL cert. That's the correct setup and what's described in this thread. Your delivery problems are not related to the SSL cert; if you have an SPF error, then check and correct your SPF record.
     
    ahrasis likes this.
  7. Tapiocapioca

    Tapiocapioca New Member

    I have different feedback; maybe I wrote it badly. Actually, with the certificate generated by myself I can connect the client (Thunderbird) to the URL mail.tapiocapioca.com to send an email like [email protected] and I have no errors. Google, when it receives the email, recognises SPF correctly.
    With the default certificate made by this guide the connection was directly rejected with mail.tapiocapioca.com, and if I connect Thunderbird to the URL mail.tapiolla.com it gave me an error, like Firefox: there is a certificate that is not valid and it asks me to add an exception. After adding the exception I can send an email like [email protected] but, without any kind of modification, Google does not recognise the SPF and shows me a ? on the icon of the email I received. I hope I am clearer now.. :)

    Probably I did something wrong
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

    Ok, so what you claimed in your first post, that email is failing to be delivered due to an SPF error, is not the case. Fine, so there is no SPF issue then.

    Regarding the SSL cert in Thunderbird, I explained that in my post. You issue an SSL cert for the hostname of the server and not for each mail subdomain on a server, and then you use that hostname to connect with Thunderbird; that's the procedure described in this thread. So go back to the first post and follow the instructions that you find there to create an SSL cert for the server hostname of your server. This SSL cert does not have to contain any other domains, as you claim in your post.
     
    ahrasis likes this.
  9. Tapiocapioca

    Tapiocapioca New Member

    I found the trouble: I am using Debian, so if I use
    Code:
    /etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY ./etc/init.d/le_ispc_pem.sh
    inside incrontab -e it is not working. I modified the command and now everything is ok :)
     
  10. Poliman

    Poliman Member

    Is it possible to set up a specific certificate for a particular domain? On my server I have a few domains. Currently postfix/dovecot use the LE SSL created for s1.domain.net, which is the hostname of the server. I can open the ISP panel under s1.domain.net:8080. When I try to send an email from another domain, for example [email protected], postfix/dovecot still use the s1.domain.net SSL certificate.
    This is quite a huge problem, because the Zend application does not allow sending emails from domains which are signed with another / self-signed certificate.
     
  11. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You could request certificates with sets of domain names included in them and then configure postfix and dovecot to use them, but there isn't much support in ISPConfig for that at this time. You will need to use a different IP address for each certificate, as postfix doesn't support SNI. I think there have been examples of the postfix config posted before; I don't know of examples of the dovecot configuration offhand, though I've done that on non-ISPConfig servers and it's not difficult.
     
    Poliman likes this.
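Postfix 3.4 (released in 2019, after this post) added server-side SNI through tls_server_sni_maps, and Dovecot selects a certificate per client-requested name with local_name blocks, so a single IP address can now present a different certificate for each mail host name. The script below is an added example, not ISPConfig code, answering the question raised here and by Tapiocapioca above: it builds both configurations from existing certbot lineages. It assumes each mail host name already has its own lineage under /etc/letsencrypt/live (for instance from the alias-domain trick in Step B above or a separate certbot run), that Dovecot includes conf.d/*.conf, and that /etc/postfix/sni*, /etc/dovecot/conf.d/99-sni.conf are free for the script to own. ISPConfig will not maintain these files, so it has to be rerun after every renewal.

```shell
#!/bin/sh
# sni_certs.sh - added example, not ISPConfig code. Builds per-host-name TLS
# configuration for Postfix (>= 3.4, tls_server_sni_maps) and Dovecot
# (local_name blocks) from existing certbot lineages.
# Assumptions: lineage names equal the mail host names, Dovecot includes
# conf.d/*.conf, and the paths below are not managed by anything else.
set -eu

LE_LIVE=/etc/letsencrypt/live
SNI_DIR=/etc/postfix/sni                  # one key+chain file per host name
SNI_MAP=/etc/postfix/sni_maps             # lookup table fed to postmap -F
DOVECOT_SNI=/etc/dovecot/conf.d/99-sni.conf

# Postfix SNI map entry: requested name -> file holding the key, then the chain.
sni_map_line() { # $1=hostname
  printf '%s %s/%s.pem\n' "$1" "$SNI_DIR" "$1"
}

# Dovecot uses this pair whenever the client's SNI equals local_name.
dovecot_block() { # $1=hostname
  printf 'local_name %s {\n' "$1"
  printf '  ssl_cert = <%s/%s/fullchain.pem\n' "$LE_LIVE" "$1"
  printf '  ssl_key = <%s/%s/privkey.pem\n' "$LE_LIVE" "$1"
  printf '}\n'
}

install_sni() { # $@=host names that have a lineage under $LE_LIVE
  umask 077                                # generated files hold private keys
  mkdir -p "$SNI_DIR"
  : > "$SNI_MAP"
  : > "$DOVECOT_SNI"
  for h in "$@"; do
    if [ ! -s "$LE_LIVE/$h/privkey.pem" ] || [ ! -s "$LE_LIVE/$h/fullchain.pem" ]; then
      echo "no complete lineage for $h under $LE_LIVE" >&2
      return 1
    fi
    # Postfix wants the private key first, followed by the certificate chain.
    cat "$LE_LIVE/$h/privkey.pem" "$LE_LIVE/$h/fullchain.pem" > "$SNI_DIR/$h.pem"
    sni_map_line "$h" >> "$SNI_MAP"
    dovecot_block "$h" >> "$DOVECOT_SNI"
  done
  # -F stores the *contents* of the referenced files in the .db, which is why
  # this must run again after each renewal, not just once.
  postmap -F "hash:$SNI_MAP"
  postconf -e "tls_server_sni_maps = hash:$SNI_MAP"
  systemctl reload postfix dovecot
}

# Only act when called with --install, so the functions can be sourced or tested.
if [ "${1:-}" = "--install" ]; then
  shift
  install_sni "$@"
fi
```

Run it as `sh sni_certs.sh --install mail.tapiolla.com mail.tapiocapioca.com`. The server-hostname certificate set up by the guide stays the default for clients that send no SNI (smtpd_tls_cert_file / smtpd_tls_key_file in Postfix, the global ssl_cert / ssl_key in Dovecot); only clients that ask for one of the listed names get the matching certificate.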
  12. Poliman

    Poliman Member

    Thank you for the answer. Currently I have only one IP and I am afraid it won't change in the future.

    PS
    Jesse, do you know maybe why, after setting up MAILTO in crontab (cronjobs in ISP are created in /etc/cron.d in a specific file like ispc_webX with cron lines), mail won't be sent? I tried the command
    Code:
    echo Test | mail -s Test [email protected]
    and I got a nice email.
     
  13. DylanPedro

    DylanPedro Member

    I think the guide misses out that, in order for phpmyadmin to work on an nginx server on port 8081 (the default), the following has to be added to Server Config > Web > Apps Vhost Settings > Apps-vhost port:
    Code:
    8081 ssl; ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt; ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You may add it yourselves, but I'd prefer to use a custom conf for that, as I need to add a lot more than just ssl and this way is more effective for me. I would add /usr/local/ispconfig/server/conf-custom/nginx_apps.vhost.master, whose upper part is something like this:
    Code:
    server {
      listen {apps_vhost_ip}{apps_vhost_port} http2;
      listen [::]:{apps_vhost_port} ipv6only=on http2;
    
      # Copied ssl from ispconfig.vhost, if any
      # ("ssl on;" is deprecated since nginx 1.15; newer releases expect "ssl" on the listen lines instead)
      ssl on;
      # TLSv1 and TLSv1.1 are only here for old clients; drop them once none are left
      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    
      ssl_certificate /usr/local/ispconfig/interface/ssl/ispserver.crt;
      ssl_certificate_key /usr/local/ispconfig/interface/ssl/ispserver.key;
    
      # the trailing DES-CBC3 suites exist for the same legacy clients; remove them together with TLSv1/1.1
      ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
      ssl_prefer_server_ciphers on;
    
      # redirect to https if accessed with http (497 = plain HTTP sent to the HTTPS port)
      error_page 497 https://$host:{apps_vhost_port}$request_uri;
      error_log /var/log/ispconfig/ispconfig.log;
    
      server_name {apps_vhost_servername};
    
      root {apps_vhost_dir};
    
      client_max_body_size 100M;
    
      location / {
      index index.php index.html;
      }
    
      # serve static files directly
      # location ~* ^.+.(jpg|jpeg|gif|css|png|js|ico|html|xml|txt|eot|ttf|otf|woff|woff2|svg)$ {
      location ~* \.(ogg|ogv|svg|svgz|eot|ttf|otf|woff|woff2|mp4|mp3|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|html|xml|txt|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)(\?ver=[0-9.]+)?$ {
      access_log off;
      log_not_found off;
      # expires 365d;
      expires max;
      }
    
      location ~* \.(pdf)$ {
      expires 30d;
      }
    
     
    Last edited: Feb 23, 2018
  15. DylanPedro

    DylanPedro Member

    But this is in a single server environment, and port 8081 is the default on an nginx server for ISPConfig apps such as phpmyadmin.

    Will following the guide break the default settings for phpmyadmin on an nginx setup if one wants to use SSL?
     
  16. helmo

    helmo Member HowtoForge Supporter

    Thanks for writing up on this.
     
  17. helmo

    helmo Member HowtoForge Supporter

    ... just for reference, there is also a gitlab issue about integrating support for this.
     
  18. helmo

    helmo Member HowtoForge Supporter

    Sorry, three posts are needed to get past the link limit on accounts with fewer than 2 posts.
     
  19. helmo

    helmo Member HowtoForge Supporter

  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes but the guide will not break it.
     
    Last edited: Feb 23, 2018