Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Hello
Question for Till really, as ispconfig has updated some of these steps are now redundant. Could you point me at the most recent required steps for a new ispconfig installation to do following:
(assuming perfect server setup mysql/ubuntu/letsencrypt, per instructions)
To get ssl working on ispconfig control panel
To get ssl working with mailserver (on same server)
Is it necessary to add a "site" in ISPC for "the control panel" and add ssl via letsencrypt to that ?
What are the absolute requred DNS entries:
AAAA record for this FQDN ?
AAAA records for any of the sites hosted on this server ?
Thanks guys

 

https://www.howtoforge.com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

Hard to say, depends on what hosts you have and what they do. Start with A records for all your hosts and NS records for your name servers. MX records are needed if you have mail server.
You can create AAAA records and any other record if you want.
There is Tutorial on setting up name service with ISPConfig: https://www.howtoforge.com/tutorial/setting-up-your-own-name-service-with-ispconfig/

 

Hello,

I followed www dot howtoforge dotcom/tutorial/perfect-server-debian-9-stretch-apache-bind-dovecot-ispconfig-3-1/ to set up Ispconfig
, which works fine

For installation of Lets encrypt, I followed steps mentioned # 11 of the above guide
cd /usr/local/bin
wget https: //dl . eff . org / certbot-auto
chmod a+x certbot-auto
./certbot-auto --install-only

After that I used this code

cd /etc/ssl
wget raw at githubusercontent dot com/ahrasis/LE4ISPC/master/apache/le4ispc.sh --no-check-certificate
chmod +x le4ispc.sh
./le4ispc.sh

While executing ./le4ispc.sh it throws an error

./le4ispc.sh: line 28: certbot: command not found

whereas the script line 28 reads as
certbot certonly --authenticator standalone -d $(hostname -f) --pre-hook "service $websvr stop" --post-hook "service $websvr start"

My DNS with my VPS provider as well Ispconfig are correct

Please advise

Thanks & regards,

Tom

 

What do the following commands show:

Code:

type -a certbot
apt-cache policy certbot

 

Dear Sir,
Here is output

root@server /tmp# type -a certbot
-bash: type: certbot: not found
root@server /tmp# apt-cache policy certbot
certbot:
Installed: (none)
Candidate: 0.28.0-1~deb9u1
Version table:
0.28.0-1~deb9u1 500
500 http // asi-fs-n contabo net/debian stretch/main amd64 Packages
500 http //ftp us debian org/debian stretch/main amd64 Packages
500 http //asi-fs-n contabo net/debian stretch-updates/main amd64 Packages
root@server /tmp#

Thx!

 

Command certbot is not installed, at least not in the usual paths. Check error messages, the installation commands for error messages or info on where it got installed, if indeed certbot was installed.

 

Sir,
Thank you for your quick reply
This is how I installed certbot earlier
root@server:/usr/local/bin# dir
certbot-auto ispconfig_patch ispconfig_update_from_dev.sh ispconfig_update.sh run-getmail.sh
root@server:/usr/local/bin# ./certbot-auto --install-only
Certbot is installed.

root@server:/usr/local/bin# type -a certbot
-bash: type: certbot: not found
root@server:/usr/local/bin# apt-cache policy certbot
certbot:
Installed: (none)
Candidate: 0.28.0-1~deb9u1
Version table:
0.28.0-1~deb9u1 500
500 http // asi-fs-n contabo net/debian stretch/main amd64 Packages
500 http //ftp us debian org/debian stretch/main amd64 Packages
500 http //asi-fs-n contabo net/debian stretch-updates/main amd64 Packages
root@server:/usr/local/bin#

Thanks!

 

Where does that install the certbot command? Or is it just claiming to install something but actually does nothing?

 

Sir,
It is just claiming to install something but actually does nothing

Thanks

 

I noticed you downloaded the certbot installation files to /usr/local/bin. This may confuse the installer. Try setting work directory to /tmp/FOO, and do the certbot installation again. Or install from Debian repo doing "apt-get install certbot". I believe Debian now has reasonably new version of certbot that works with the current Let's Encrypt servers. If this fails, use the certbot installation instructions from https://certbot.eff.org/docs/install.html .

 

Dear Sir,

Thank you for your advise;

Here is the output
root@server:~# apt-get install certbot
After Installation, next step followed is as under;

root@server:~# type -a certbot
certbot is /usr/bin/certbot
root@server:~# apt-cache policy certbot
certbot:
Installed: 0.28.0-1~deb9u1
Candidate: 0.28.0-1~deb9u1
Version table:
*** 0.28.0-1~deb9u1 500
500 http://asi-fs-n.contabo.net/debian stretch/main amd64 Packages
500 http://ftp.us.debian.org/debian stretch/main amd64 Packages
500 http://asi-fs-n.contabo.net/debian stretch-updates/main amd64 Packages
100 /var/lib/dpkg/status
root@server:~#
cd /etc/ssl
wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc.sh --no-check-certificate
chmod +x le4ispc.sh

root@server:/etc/ssl# ./le4ispc.sh
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Attempting to parse the version 0.31.0 renewal configuration file found at /etc/letsencrypt/renewal/xxxxx.com.conf with version 0.28.0 of Certbot. This might not work.
Running pre-hook command: service apache2 stop
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for server.xxxxxx.com
Waiting for verification...
Cleaning up challenges
Running post-hook command: service apache2 start

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/server.xxxxxxx.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/server.xxxxxxxx.com/privkey.pem
Your cert will expire on 2019-06-03. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

--2019-03-05 19:57:06-- https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc_pem.sh
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.12.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.12.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2479 (2.4K) [text/plain]
Saving to: ‘/etc/init.d/le4ispc_pem.sh’

/etc/init.d/le4ispc_pem. 100%[==================================>] 2.42K --.-KB/s in 0s

2019-03-05 19:57:06 (28.6 MB/s) - ‘/etc/init.d/le4ispc_pem.sh’ saved [2479/2479]

Selecting previously unselected package incron.
(Reading database ... 57814 files and directories currently installed.)
Preparing to unpack .../incron_0.5.10-3+b2_amd64.deb ...
Unpacking incron (0.5.10-3+b2) ...
Setting up incron (0.5.10-3+b2) ...
Adding group `incron' (GID 124) ...
Done.
Created symlink /etc/systemd/system/multi-user.target.wants/incron.service → /lib/systemd/system/incron.service.
Processing triggers for systemd (232-25+deb9u9) ...
Processing triggers for man-db (2.7.6.1-2) ...
root@server:/etc/ssl#

It worked!

Thank you so much!!!
Regards

 

Hi Ahrasis, good work on the script. but i have an issue with the cert for ispc.
My control panel is set up to work for server1.example.com
Now, example.com has its own working cert, when i run your script there appears to be no cert for server1.example.com created, the others look like they are created but not that one.

I previously did this the manual way you previously showed before your scripted version, would this cause the issue described?

LE logs are showing no renewal needed so I cant see where the problem is, ive restarted apache2
The only thing that I can see that might cause the wrong cert is linked to archive/example.com and not in archive/server1.example.com or live/server1.example.com

Regardless these two paths don't actually exist so I am not sure how to fix it.

 

Hostname -f must always resolve to server1.example.com or else, the manual tutorial or the script will not work; so do check and fix this first, if there is anything wrong with its setup.

Secondly, official certbot must be installed, is working and have proper access to your server in order to create the required certs; the tutorial or the script does not support any other unofficial LE clients.

You should do the troubleshooting faq to determine the cause of your LE related problems and share them when asking; as we cannot help you without proper details.

 

I think this might be the problem. The hostname of the server is web.example.com and not server1.example.com but also hostname -f returns example.com only, I will look into this later. and decide which one to change, ispc control panel or the server hostname, it really depends on which will require less changes, I am suspecting though that just changing ispc might be the better of the options as the hostname change affects various websites.

 

All sorted now, I hit the fail threshold because of the attempts to solve it/ but its now working correctly, im able to use web and have a correctly working cert. Thanks for this script, its excellent.

One question however before I go, will this work on a stand alone mail server, the description says it will symlink for major services but this means they are on the same server, so I guess not for multiserver?

 

It can work on multiserver setup. Copying cert files to the other host. There was info on how to do it, when I set it up.

 

Thank you Taleman, so that would be rsync or scp, I can manage that part no problem.

So then to sum up, I will need to use the standalone to create certs on the master, then just copy them over to the mail server and possibly make an edit or two of the config files on the mail services?

Sorry if I seem dumb, I just don't want to make a start then have to scour the net for fixes if things don't go to plan

 

Thank you, I recall doing something like this a couple of years ago via the old guide on this thread I think it was.

Briefly if i may, as the main point was missed. will i need to create the cert for mail.domain.com (as the domain is currently set) on the master using the standalone? if not which cert as the main domain cert only works for the main domain, no extra domains added to that cert.

I ask because if i use $(hostname -f) that would be the masters hostname if i'm not mistaken. Unless im misreading your reply and you mean for ispconfig panel, howver that part is already sorted out and working from web.domain.com

 

For 3.2, I already proposed and it was already merged, that LE certs are to be created via certbot for ISPConfig server, if that is opted during its installation or update.

The proposal is to use certbot standalone approach if no web servers is installed which should be auto renewed via ISPConfig LE cronjob that runs every after midnight.

Edited: This should already be in LE4ISPC. Try simply running the instructions on your mail server.

The credit has to go to @Taleman as I wrote that based on his post about standalone approach some where in this forum.