Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Indeed you can use Monit to monitor file and directory changes.

    I didn't suggest using it for securing the ISPConfig control panel in this thread since the default perfect server tutorials do not cover Monit installation. Those who want to use the Monit service will have to follow a separate tutorial for it.

    I also think it is safer (if not better) to use a separate service like incron to monitor for file changes since securing Monit is part of this thread and the LE4ISPC script. Lastly, I think scripting incron to be installed and then work automatically is a little bit easier for me.
     
  2. ztk.me

    ztk.me ISPConfig Developer ISPConfig Developer

    well depends on the target... the casual target wants knobs to push - or if you setup servers for customers, they can have a fixit :)
     
  3. esezako

    esezako Member

    I have the same problem.
    Have you found any solution?
     
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am not sure why you cannot include the aliasdomain / subdomain in your main domain LE SSL certs, but as I suggested in reply to @Taleman's problem, try to dig your other server's hostname FQDN and check whether its IP points to your web server.
     
  5. esezako

    esezako Member

    If I do a dig of mail1.example.com it returns the IP of mail1.example.com, not the IP of web1.example.com (which is the master in my multiserver setup).
    mail1.example.com is the fqdn of my mail server and must point to it.
    Either I'm understanding something wrong or I do not know how to do what you say.
     
  6. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    If mail1 and web1 have different IP addresses, it is not possible to combine them into the same LE certificate. You must create a separate LE certificate for each.
     
    ahrasis likes this.
  7. esezako

    esezako Member

    OK, and can I create the mail1.example.com certificate in the ISPC panel?
     
  8. Taleman

    Taleman Well-Known Member HowtoForge Supporter

    Yes, follow the instructions in this thread. You have to do some copying and setup, but it can be done.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    In my (old) ISPConfig manual, multiple servers are linked via internal / LAN IP, so I assumed they use the same public IP as the web server when posting my suggestion.

    Since in your case they use different public IPs, you can definitely try @Taleman's suggestion.

    But as an extra note, I think you can only create a website for other servers if you have (at least minimal) web server functionality (either nginx or apache2) installed and enabled on them.

    In the future we are going to use DNS validation so that no nginx or apache2 needs to be installed on servers other than the web server, but this will take some time before it can be implemented.
     
  10. esezako

    esezako Member

    Finally I used this method: https://www.howtoforge.com/community/threads/letsencrypt-on-mail-server.73695/
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Unless you have a web server on your mail server to use certbot standalone instead of webroot, I assumed you were using acme.sh by Neilpang to achieve the same.

    If you want to install and fully use certbot, you can issue your LE SSL certs for your mail server by using certbot's own DNS validation as suggested and discussed here, or manually using something like this:
    Code:
    certbot certonly \
      --manual \
      --manual-public-ip-logging-ok \
      --preferred-challenges dns \
      --server https://acme-v02.api.letsencrypt.org/directory \
      --agree-tos \
      --rsa-key-size 4096 \
      -d mail.server.tld
    
     
    Last edited: Aug 26, 2018
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Thanks to @Taleman's various tests and input in his thread and to @till, anyone using ISPConfig will now only need to run the command below at any time after installing any ISPConfig server to automatically create a Let's Encrypt certificate for the ISPConfig server hostname FQDN if none exists, and to secure its control panel and other services, if they are available and installed.
    Code:
    cd /etc/ssl
    wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh --no-check-certificate
    chmod +x le4ispc.sh
    ./le4ispc.sh
    
    Now you do not need to create a website for your server, run ispconfig_update to set SSL first, or have Let's Encrypt certs in advance, as everything will now be handled by the LE4ISPC scripts.

    You can view the code in detail at my github/LE4ISPC and give your input here or there.

    Cheers everybody. :D
     
    Taleman likes this.
  13. DylanPedro

    DylanPedro Member

    Just tried the script out and am getting the following errors:
    Code:
    Job for dovecot.service failed because the control process exited with error code.
    See "systemctl status dovecot.service" and "journalctl -xe" for details.
    
    systemctl status dovecot.service
    ● dovecot.service - Dovecot IMAP/POP3 email server
       Loaded: loaded (/lib/systemd/system/dovecot.service; enabled; vendor preset: enabled)
       Active: failed (Result: exit-code) since Wed 2018-10-10 02:26:40 UTC; 1min 9s ago
         Docs: man:dovecot(1)
               http://wiki2.dovecot.org/
      Process: 7910 ExecStop=/usr/bin/doveadm stop (code=exited, status=0/SUCCESS)
      Process: 11786 ExecStart=/usr/sbin/dovecot (code=exited, status=89)
     Main PID: 874 (code=exited, status=0/SUCCESS)
    
    Oct 10 02:26:40 server1 systemd[1]: Starting Dovecot IMAP/POP3 email server...
    Oct 10 02:26:40 server1 dovecot[11786]: doveconf: Fatal: Error in configuration file /etc/dovecot/dovecot.conf line 7: ssl_cert: Can't open file /etc/postfix/smtpd.cert: No such file or directory
    Oct 10 02:26:40 server1 systemd[1]: dovecot.service: Control process exited, code=exited status=89
    Oct 10 02:26:40 server1 systemd[1]: Failed to start Dovecot IMAP/POP3 email server.
    Oct 10 02:26:40 server1 systemd[1]: dovecot.service: Unit entered failed state.
    Oct 10 02:26:40 server1 systemd[1]: dovecot.service: Failed with result 'exit-code'.
    
     
  14. DylanPedro

    DylanPedro Member

    Fixed it by:
    Code:
    Changing:
    ispccrt=ispserver.crt
    ispckey=ispserver.key
    to:
    ispccrt=$ispcssl/ispserver.crt
    ispckey=$ispcssl/ispserver.key
    
     
    budgierless and ahrasis like this.
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The above error is already fixed. Thank you for sharing.
     
  16. Bonzo

    Bonzo New Member

    I didn't get it from all the replies, but on a multiserver installation, do you need to execute the script on every server?
     
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Only if you need to secure the server with Let's Encrypt and its service(s) on its own. You can also use an NFS server to keep your Let's Encrypt certs and make them accessible to all servers.
     
  18. inka

    inka Member

    I was following "securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate" and ran into problems with wrong SANs being shown and a common name from another domain. I realized this way too late when I ran an online cert checker service; I am not even sure if I had that one's website activated when I installed your LE script.

    Just to clarify, can I just run the new script, after first removing the incrontab line and init.d script?
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Well you supposedly can.

    It should rewrite the existing incrontab line in the /var/spool/incron/root file, if one already exists, and insert the latest line, i.e. /etc/letsencrypt/archive/$(hostname -f)/ IN_CREATE, IN_MODIFY /bin/bash /etc/init.d/le4ispc_pem.sh, in it for auto renewal of the ispserver.pem file.
     
    inka likes this.
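    One way to rebuild the combined ispserver.pem that the incron job above triggers after a renewal, as an added example and not LE4ISPC's own le4ispc_pem.sh. It refuses to touch the existing pem when either input file is missing or empty, which is the kind of missing-file state that produced the dovecot "Can't open file" failure earlier in this thread. The letsencrypt live-directory layout (privkey.pem and fullchain.pem) and the ispserver.pem location are assumptions, passed in as parameters.

```shell
#!/bin/sh
# Added example, not the LE4ISPC project's script. Assumed layout:
#   LIVE_DIR = /etc/letsencrypt/live/<server fqdn>  (privkey.pem, fullchain.pem)
#   SSL_DIR  = directory that holds ispserver.pem (e.g. ISPConfig's interface/ssl)

# build_ispserver_pem LIVE_DIR SSL_DIR
# Writes SSL_DIR/ispserver.pem as privkey.pem followed by fullchain.pem.
# Returns 1 and leaves any existing ispserver.pem untouched if either
# input is missing or empty, so a half-finished renewal cannot replace a
# working pem with a broken one.
build_ispserver_pem() {
    live_dir=$1
    ssl_dir=$2
    key="$live_dir/privkey.pem"
    chain="$live_dir/fullchain.pem"

    for f in "$key" "$chain"; do
        if [ ! -s "$f" ]; then
            echo "build_ispserver_pem: missing or empty $f, leaving ispserver.pem untouched" >&2
            return 1
        fi
    done

    mkdir -p "$ssl_dir" || return 1
    tmp="$ssl_dir/ispserver.pem.tmp.$$"

    # Create the temp file with a restrictive umask so the private key is
    # never world-readable, even briefly, then swap it in atomically.
    ( umask 077 && cat "$key" "$chain" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    chmod 600 "$tmp" || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$ssl_dir/ispserver.pem"
}

# Usage from an incron job or cron: build_ispserver_pem /etc/letsencrypt/live/$(hostname -f) /path/to/ssl
```

Reloading the services that hold the pem open (the control panel web server, pure-ftpd and so on) is left to the caller, as the set of services differs per server.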
  20. inka

    inka Member

    I figured out where the mismatch came from, and thanks for letting me know that I can switch that easily in case I need to.
     