Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. tripp

    tripp New Member

    This worked perfect the first time and without a hitch. Thanks so much.

    How would one use ISPConfig to rewrite the url for the server to make the port ":8080" disappear and use a sub directory like "http://something.something.com/control"?

    Having trouble figuring out how to use rewrites with ISPconfig.
     
  2. Poliman

    Poliman Member

    You could try htaccess:
    Code:
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^something.com:8080$
    RewriteRule ^(.*)$ http://something.something.com/control [L,R=301]

    But in /control should be some ISP files.
     
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    You would need to use a reverse proxy setup, not just rewrites. I've posted example config in these forums (last year?) which would proxy a vhost root to port 8080, but don't have such a configuration currently; it would be simple to change that to /control.
     
  4. PARN963

    PARN963 New Member

    Hi everybody!
    I used your super howto but I found a problem afterwards in:
    [Assigning Let's Encrypt SSL For ISPConfig 3 Control Panel]
    Just after:
    Code:
    ln -s /etc/letsencrypt/live/$(hostname -f)/fullchain.pem ispserver.crt
    I need to add a missing line:
    Code:
    ln -s /etc/letsencrypt/live/$(hostname -f)/privkey.pem ispserver.key

    Because apache reports a problem:
    Code:
    apachectl -t
    AH00548: NameVirtualHost has no effect and will be removed in the next release /etc/apache2/sites-enabled/000-ispconfig.conf:73
    AH00526: Syntax error on line 64 of /etc/apache2/sites-enabled/000-ispconfig.vhost:
    SSLCertificateKeyFile: file '/usr/local/ispconfig/interface/ssl/ispserver.key' does not exist or is empty

    Voilà! It's just to inform you!
    Bye, have a nice day!
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Sorry. It is already fixed now. Thank you for notifying.
     
  6. Andesh

    Andesh Member

    Thank you for the guide, worked like a charm. It's nice to see the green padlock for the admin area :)
    However, I noticed a side effect: I can no longer access the webgui for my IRC bouncer (ZNC) that runs on port 7001.
    The ZNC webgui runs on the same domain as the ISP admin but on port 7001.
    Any proposal on how to solve this is very welcome :) I'm not very well versed in the SSL business :)
     
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I haven't tried this, but I think you should enable SSL, copy the SSL settings from your server.domain.tld vhost file and paste them inside the IRC bouncer (ZNC) vhost file, and add the SSL configuration accordingly based on the same.

    You may want to check http://wiki.znc.in/Configuration and other guides.
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Following these guides, I got the LE certificates working on the main host. But trying to get certs for the email host fails at the above step. LE logs show no activity when I untick, save, wait for the red ball to disappear, retick, save. Checking the certificate with SSL Checker does not show the aliasdomain.
    Should I try to force LE to create the certificate again now that there is an aliasdomain?
    Maybe I have made the aliasdomain somehow faulty? I did not alter the redirects, and I have not ticked "Don't add to Let's Encrypt certificate".
     
  9. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    I removed everything about the certificate under /etc/letsencrypt/(renewal|archive|live), and ticked LE back in the website settings. Looking at the letsencrypt.log it seems the aliasdomain is not present in this certificate request. There is nothing about this other name; I tried a text search.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Strange. Aliasdomain / subdomain LE SSL has rarely been a problem for me. Does your mail.domain.tld as an aliasdomain have its own DNS zone? Dig may help.
     
  11. Poliman

    Poliman Member

    If somebody uses ISPConfig (tested on Apache) on the server and hosts some Node application there with a ProxyPass directive, then Let's Encrypt won't work unless the following lines are added to the specific vhost file, exactly under <VirtualHost *:80> and above the ProxyPass directive:
    Code:
    Alias /.well-known/acme-challenge /usr/local/ispconfig/interface/acme/.well-known/acme-challenge
    ProxyPassMatch ^/.well-known !
    After this operation you need to do service apache2 reload. Then go to ISP panel -> Website -> check SSL and LE SSL, and SSL generation should work nicely.

    PS
    I was looking for a solution for providing auto renewal of the ispserver.pem file without installing any additional software. I wrote a script which, after being added to cron, checks the dates of fullchain.pem and privkey.pem and compares them to default values. Each user has to set these default values on his own for privkey.pem and fullchain.pem by converting their dates (enter the directory /etc/letsencrypt/live/s1.example.net/ and simply "ls -l") to epoch format using for example https://www.epochconverter.com/:
    Code:
    #!/bin/bash
    
    #This script is developed for renewing the cert used by Monit and other applications
    #which are provided with Let's Encrypt certs
    #add to cronjob each midnight
    
    
    #epoch format of .key and .crt files - each owner must set these values manually
    epoch_ispcrt_default=1520924890
    epoch_ispkey_default=1520924890
    
    ispcrt_date_current=$(stat -c "%y" /etc/letsencrypt/live/s1.poliman.net/fullchain.pem)
    ispkey_date_current=$(stat -c "%y" /etc/letsencrypt/live/s1.poliman.net/privkey.pem)
    
    #epoch format for current files modification dates
    epoch_ispcrt=$(date -d "$ispcrt_date_current" +%s)
    epoch_ispkey=$(date -d "$ispkey_date_current" +%s)
    
    
    #left value has to be greater than right value
    if [ "$epoch_ispcrt" -gt "$epoch_ispcrt_default" ] && [ "$epoch_ispkey" -gt "$epoch_ispkey_default" ]
    then
        #plain assignment (no leading $), otherwise bash tries to run "1520924890=..." as a command
        epoch_ispcrt_default=$epoch_ispcrt
        epoch_ispkey_default=$epoch_ispkey
      
        cd /usr/local/ispconfig/interface/ssl || exit 1
      
        if [ -f "ispserver.pem" ]
        then
            mv ispserver.pem ispserver.pem-$(date +"%y-%m-%d-%H:%M:%S").bak
        fi
      
        #private key first, then the full chain, readable by root only
        cat ispserver.{key,crt} > ispserver.pem
        chmod 600 ispserver.pem
      
        #restarting required services
        service monit restart
    else
        #log_file.log will be created in path /usr/local/ispconfig/interface/ssl
        echo "Log-->$(date +%y-%m-%d-%H:%M:%S) Compare thinks that variables are even or less, so we don't have to do anything with ispserver.pem." >> log_file.log
    fi
    Maybe it will be useful for somebody.
     
    Last edited: May 8, 2018
    ahrasis likes this.
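An added example, not from this thread or the LE4ISPC project: a variant of the cron check above that compares file modification times directly (a shell variable updated at runtime is gone at the next cron run, so no epoch values need to be maintained) and verifies that privkey.pem and fullchain.pem belong together before ispserver.pem is replaced. Directory paths are parameters; the usage comment assumes the ISPConfig layout used in the thread and that openssl is installed.

```shell
#!/bin/bash
# pem_is_stale LIVE_DIR SSL_DIR
# returns 0 when ispserver.pem is missing or older than either Let's Encrypt
# file, 1 otherwise. Modification times replace the hard-coded epoch values.
pem_is_stale() {
  local live="$1" ssl="$2" pem
  pem="$ssl/ispserver.pem"
  [ -f "$pem" ] || return 0
  [ "$live/fullchain.pem" -nt "$pem" ] && return 0
  [ "$live/privkey.pem" -nt "$pem" ] && return 0
  return 1
}

# key_matches_cert KEY CERT
# returns 0 only when the public key derived from KEY equals the one in CERT;
# a mismatched pair would make monit/pure-ftpd fail to start after restart.
key_matches_cert() {
  local k c
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# rebuild_pem LIVE_DIR SSL_DIR
# 0: new ispserver.pem written; 2: nothing was newer, nothing done;
# 1: key and cert do not match, the old pem is left untouched.
rebuild_pem() {
  local live="$1" ssl="$2" pem
  pem="$ssl/ispserver.pem"
  pem_is_stale "$live" "$ssl" || return 2
  key_matches_cert "$live/privkey.pem" "$live/fullchain.pem" || return 1
  [ -f "$pem" ] && mv "$pem" "$pem-$(date +%y%m%d%H%M%S).bak"
  umask 077   # file is created root-only, no window with a readable key
  cat "$live/privkey.pem" "$live/fullchain.pem" > "$pem"
  chmod 600 "$pem"
  return 0
}

# Typical nightly cron use (assumed paths, restart only when a pem was written):
# rebuild_pem "/etc/letsencrypt/live/$(hostname -f)" /usr/local/ispconfig/interface/ssl \
#   && service monit restart && service pure-ftpd-mysql restart
```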
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Firstly, thank you for your sharing, though I think it would be better off as a separate topic instead.

    Secondly, as much as I think your script to check if there were any changes before running changes is another executable idea, I think your script also needs to be added to the cron job, and the time for it to be run needs to be specified in it as well, as stated on top of the script.

    I still prefer to use incron as shown in this guide as the script will be run immediately on any changes made to
    /etc/letsencrypt/archive/$(hostname -f)/ folder without waiting to run it at a later time.

    In my mind, the gap of time from the changes being made to the time the script is actually run may in my view cause some minor hiccups, if not major problems to your server and/or its covered services.
     
    Last edited: May 8, 2018
  13. Poliman

    Poliman Member

    Thank you for the feedback. Do you maybe know how incron knows that something has changed in order to execute some actions?
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I honestly don't know.
     
  15. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    https://www.systutorials.com/docs/linux/man/8-incrond/
    https://en.wikipedia.org/wiki/Inotify
    maybe interesting quote:
     
    Last edited: May 10, 2018
    Poliman and ahrasis like this.
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Please note that the /var/spool/incron/root file in the LE4ISPC script was reported as not working due to the fact that incron can not read $(hostname -f). Luckily this has been fixed on GitHub.

    The solution for current users of LE4ISPC is to edit /var/spool/incron/root and change $(hostname -f) to your server FQDN. You can also run these commands:
    Code:
    mv /var/spool/incron/root /var/spool/incron/root-$(date +"%y%m%d%H%M%S").bak
    echo "/etc/letsencrypt/archive/$(hostname -f)/ IN_MODIFY /bin/bash /etc/init.d/le_ispc_pem.sh" > /var/spool/incron/root
    chmod 600 /var/spool/incron/root
    
    The above commands create a backup of your current /var/spool/incron/root and add the proper line to it, so it will be /etc/letsencrypt/archive/server1.domain.tld/ instead. You can retrieve any other incron jobs from the backup file, if any.

    And due to many requests, I am considering creating a script to automate website creation for a server hostname (FQDN) and its Let's Encrypt SSL certs issuance. I will make a pull request to the git once this has been successfully tested.
     
    Last edited: May 21, 2018
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    After deeply thinking about the last line I posted above and checking the codes, I realized that there is another easy way of achieving almost the same result via the current LE4ISPC scripts.

    Firstly, when you already have your ISPConfig installed and running, simply check and run these commands in its terminal:
    Code:
    # Basically you need incron or something similar
    apt install -y incron
    # Then allow root user to run it
    echo "root" >> /etc/incron.allow
    # We need to keep the LE4ISPC script somewhere so...
    cd /usr/local/ispconfig/server/scripts
    # Change nginx to apache if you use the latter
    wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/nginx/le4ispc.sh
    # Make it executable
    chmod +x le4ispc.sh
    # Make the LE4ISPC script run if your server LE folder is created
    echo "/etc/letsencrypt/archive/$(hostname -f)/ IN_CREATE /bin/bash /usr/local/ispconfig/server/scripts/le4ispc.sh" >> /var/spool/incron/root
    #That is from the command line
    Secondly, once you have finished running the above, in ISPConfig control panel (8080), simply create a website under your server FQDN name like server1.domain.tld (this value must be the same as $(hostname -f) output in its terminal).

    Thirdly, when it is successfully created, request Let's Encrypt SSL certs by ticking its box.

    Once LE SSL certs are issued by the Let's Encrypt authority, your ISPConfig control panel (8080) should then have proper certs automatically. However, if they are not issued by the LE authority, you should then check your LE logs and fix whatever errors were reported.

    As long as it is not removed, the LE4ISPC script will be waiting and will do its job after you have fixed the errors. :D
     
    ztk.me likes this.
  18. zicguy

    zicguy Member

    Hello,
    First, many thanks for your work! I used your howto to secure all services of my ISPConfig servers / services and it works well.

    However, I have an issue on one of them. For some days, Monit and Pure FTP seem not to have the right Let's Encrypt cert. After renewal of my main LE cert (e.g. myfqdn.com), all services work well and have the new cert except Monit and Pure FTP.
    Of course, just after renewal, I regenerated /usr/local/ispconfig/interface/ssl/ispserver.pem with chmod 600 on it (and restarted the monit and pure-ftpd-mysql services). The content of this file seems to be OK as I checked it on https://www.sslshopper.com/, and it has the right new date. https://myfqdn.com or myfqdn.com:8080 (for the ISPConfig panel) also work well and have the green lock. However, the browser for monit and filezilla for pure ftp still say that the certificate is expired... It still takes the date of an old certificate.
    I tried a lot of things. I changed the pemfile path in the monit config file to point to a new file for example, but after service restart, it is still the wrong date... I also tried deleting all certs of myfqdn.com in the /etc/letsencrypt folder (archive, live, renewal) and recreating them from the ISPConfig panel, but without any success... This behavior looks like a cache issue, but I don't know about any cache on SSL certs... This behavior really doesn't make sense to me... Can you help me please?
    Thanks in advance!
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You just need to check (or redo) step 7(d) till the end of step 8 for extending (via symlinks) the same LE SSL to your pure-ftpd-mysql and monit.
     
  20. zicguy

    zicguy Member

    Thanks for your reply!
    Unfortunately, I checked, double checked, and redid step 7 with the same results...
    Code:
    vi /etc/monit/monitrc
    [...]
    set httpd port 2812 and
        ssl enable
        pemfile /etc/ssl/private/pure-ftpd.pem
        allow monitAdmin:XXXXXXXX
    [...]
    
    Code:
    cd /var/ssl/private/
    ls -l
    lrwxrwxrwx 1 root root       48 juin  30 10:44 pure-ftpd.pem -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    lrwxrwxrwx 1 root root       48 juin  30 06:59 pure-ftpd.pem-180630104421.bak -> /usr/local/ispconfig/interface/ssl/ispserver.pem
    -rw------- 1 root root     3107 janv.  2  2014 pure-ftpd.pem.bak
    -rw-r----- 1 root ssl-cert 1708 janv.  2  2014 ssl-cert-snakeoil.key
    /usr/local/ispconfig/interface/ssl/ispserver.pem has private key + fullchain, and the content is good with the right date (expiring on September 27, 2018). However, https://myfqdn.com:2812/ still shows an SSL red alert with an expired date of May 25, 2018...
     
