Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    Hello, I was wondering if this has been pulled into the ISPC project or if there are plans for doing so.

    If its not been done I do think it should be considered so that all servers and services and interfaces could be secured by LE at install time without these extra few steps to manually complete.
     
  2. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Tentatively will be in 3.1.16.

    However, the proposed merge doesn't covers all including the re-creation of ispserver.pem file after its LE SSL certs renewal.

    I am still thinking the best way to achieve that using normal cron instead of incron for ISPConfig.
     
    Last edited: Nov 24, 2019
  3. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    It is currently work in progress, there's definitely a lot of interest in it.
     
  4. Chris_UK

    Chris_UK Active Member HowtoForge Supporter

    That's great news. I have servers to set up soon and though it's not a big step to do it now another manual task struck off the installation procedures would be great.
     
  5. gOOvER

    gOOvER Member

    @ahrasis Do you have tested/run this with acme.sh?
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Yes but not the tutorial version. There is already requests to merge integrating this with ISPConfig that can use either certbot or acme.sh. It is pending developers' test / check.
     
    gOOvER likes this.
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As posted at https://www.howtoforge.com/communit...or-ispconfig-servers.80449/page-2#post-391973 those who are interested to test the above said proposed merge can do so by running this code on clean install of ISPConfig server or on top of their testing ISPConfig server:
    Code:
    cd /tmp
    wget http://www.ispconfig.org/downloads/ISPConfig-3-stable.tar.gz
    tar xfz ISPConfig-3-stable.tar.gz
    cd /tmp/ispconfig3_install/server/scripts
    wget https://git.ispconfig.org/ahrasis/ispconfig3/raw/patch-3/server/scripts/letsencrypt_pre_hook.sh
    wget https://git.ispconfig.org/ahrasis/ispconfig3/raw/patch-3/server/scripts/letsencrypt_post_hook.sh
    wget https://git.ispconfig.org/ahrasis/ispconfig3/raw/patch-3/server/scripts/letsencrypt_renew_hook.sh
    cd /tmp/ispconfig3_install/install/lib
    mv installer_base.lib.php installer_base.lib.php-$(date +"%y%m%d%H%M%S").bak
    wget https://git.ispconfig.org/ahrasis/ispconfig3/raw/patch-3/install/lib/installer_base.lib.php
    cd /tmp/ispconfig3_install/install
    mv install.php install.php-$(date +"%y%m%d%H%M%S").bak
    mv update.php update.php-$(date +"%y%m%d%H%M%S").bak
    wget https://git.ispconfig.org/ahrasis/ispconfig3/raw/patch-3/install/install.php
    wget https://git.ispconfig.org/ahrasis/ispconfig3/raw/patch-3/install/update.php
    
    Thereafter run the needed "php -q install.php" or "php -q update.php".
     
    Last edited: Jan 9, 2020
    gOOvER likes this.
  8. girthh

    girthh New Member

    Just found this tutorial, and understand the rest thoroughly, but where does this go?
    --Running nginx, ispconfig3.1--

    I did follow the non-recommended tutorial, but then went back and restored the old ISPconfig backup crt/key, and restarted services.

    Getting a self-signed error with the ones created initially with ISPconfig installation when accessing hostname.website.com:8080.


    My problem is that "/etc/letsencrypt/live/WEBSITE" certs do not match the FQDN with hostname (eg. hostname.website.com) so I am trying to unlink "/etc/letsencrypt/live/WEBSITE" symbolic links from "/usr/local/ispconfig/interface/ssl/" by restoring the original keys created during ISPconfig installation (which are for hostname.website.com), but I am getting a self-signed error now after restoring the original backups in "/usr/local/ispconfig/interface/ssl/" and restarting services.
     
    Last edited: Dec 17, 2019
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am sorry but the tutorial is still good guide as far as I am concerned provided you understand it properly.

    Also actually there were some further developments to the script as I attempt to merge the same to ISPConfig installer files and the post above yours is what I attempted for others to test.

    For the time being, I don't have the free time to update the script, but if anyone has the ability to code php and bash, do read my latest in ISPConfig and revert it back LE4ISPC script, do PR to my LE4ISPC github.
     
  10. spazio

    spazio Member HowtoForge Supporter

    Hi,
    I just installed ispconfig
    Server: server1 (Debian Buster) ISPConfig 3.1.15p3
    with the new perfect server tutorial
    https://www.howtoforge.com/perfect-server-debian-10-buster-apache-bind-dovecot-ispconfig-3-1/
    and tried the https://github.com/ahrasis/LE4ISPC and I get this:
    root@Server1:/etc/ssl# ./le4ispc.sh
    ./le4ispc.sh: line 28: certbot: command not found
    root@server1:/etc/ssl#

    Is there anything to follow before calling the script ./le4ispc.sh or it should be working as is?

    Thanks
    Spazio
     
  11. till

    till Super Moderator Staff Member ISPConfig Developer

    Certbot should be there when you followed the tutorial. Please run all commands from chapter 11 of the perfect server guide again to install it.
     
  12. spazio

    spazio Member HowtoForge Supporter

    Hi Tim, Thanks for the reply. I ran chapter 11 commands and still get the same error:
    Here they are and the response
    root@server1:/usr/local/bin# wget https://dl.eff.org/certbot-auto
    --2020-02-27 13:10:13-- https://dl.eff.org/certbot-auto
    Resolving dl.eff.org (dl.eff.org)... 151.101.0.201, 151.101.64.201, 151.101.128.201, ...
    Connecting to dl.eff.org (dl.eff.org)|151.101.0.201|:443... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 80073 (78K) [application/octet-stream]
    Saving to: ‘certbot-auto’

    certbot-auto 100%[========================================================================>] 78.20K --.-KB/s in 0.02s

    2020-02-27 13:10:13 (3.77 MB/s) - ‘certbot-auto’ saved [80073/80073]

    root@server1:/usr/local/bin# chmod a+x certbot-auto
    root@server1:/usr/local/bin# ./certbot-auto --install-only
    Certbot is installed.
    root@server1:/usr/local/bin#
    root@server1:/usr/local/bin# cd /etc/ssl
    root@server1:/etc/ssl# ./le4ispc.sh
    ./le4ispc.sh: line 28: certbot: command not found
    root@server1:/etc/ssl#


    I tried to search if the certbot was in the PATH. Here is the results:
    root@server1:/etc/ssl# echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
    root@server1:/etc/ssl# find / -type f -name certbot
    /opt/eff.org/certbot/venv/bin/certbot
    root@server1:/etc/ssl#

    Is certbot supposed to be elsewhere or in the PATH?
    Did I miss something in the perfect server setup?
     
  13. Seems the certain binary is not in the path.
    First try logging out and in again, this will refresh your bash session.
    If that doesn’t work add the path for certbot in your env
     
  14. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig is aware of certbot in path /opt/eff.org/certbot/venv/bin/certbot, so there is no problem with ISPConfig here. But the le4ispc.sh script seems to expect it to be in the path and I'm quite sure that certbot-auto put it tino the path in the path either by using a symlink or adding its path to the PATH variable.

    Or add a symlink to certbot in /usr/local/bin/ folder.
     
  15. spazio

    spazio Member HowtoForge Supporter

    Thanks Till and Rein! That fix the error! I just added the /opt/eff.org/certbot/venv/bin to the path of root user and it work! I was able to succesfully run ./le4ispc.sh

    After thaught:
    I tested the standard user $PATH and the weird thing is this:
    user@server1:~$ echo $PATH
    /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/opt/eff.org/certbot/venv/bin
    Is certbot-auto was not able to add the location to the user root path??? ( I was root when I installed it)
     
  16. till

    till Super Moderator Staff Member ISPConfig Developer

    Might be. Is this Debian 10? If yes, how have you become root, with 'su' or 'su -', or did you login as root by ssh?
     
  17. spazio

    spazio Member HowtoForge Supporter

    Yes it's debian 10 Buster and I log in as root when I followed the tutorial the first time. The other time I log in as a normal user and then "sudo su" since the user is part of the sudo group!
     
  18. till

    till Super Moderator Staff Member ISPConfig Developer

    Try using 'su -' or maybe 'sudo su -'. As mentioned in the perfect server guide and also Debian 10 docs, the path variable is different and therefore is incomplete in Debian 10 when you use su without '-'.
     
  19. spazio

    spazio Member HowtoForge Supporter

    Looks like it was the problem! With the su - the path is added to the user root now!
    user@server1:~$ echo $PATH
    /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/opt/eff.org/certbot/venv/bin
    user@server1:~$ sudo su
    root@server1:/home/user# echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/eff.org/certbot/venv/bin
    root@server1:/home/user# exit
    exit
    user@server1:~$ sudo su -
    root@server1:~# echo $PATH
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/eff.org/certbot/venv/bin:/opt/eff.org/certbot/venv/bin
    root@server1:~#
     
  20. spazio

    spazio Member HowtoForge Supporter

    Since the script ./le4ispc.sh is now handling the certificate renewal and not ispconfig. How can we handle the alternate name to be added to the certificate for postfix and dovecot use? Before, in the tutorial, it was asking to create a site to the hostname of the server: server1.domain.com and if some aliasdomain were added to ispconfig like mail.domaintest.com, mail.domaintest2.com etc, the generated certificate had all those aliasdomain as alternate name in the certificate. That was handy for the email client iphone and android not to complaint about a certificate being wrong and not containing the domain name of the email config!

    If I create a site in ispconfig to server1.domain.com and add alias domaine like mail.domaintest.com. When the certificate will be renewed. Will it contain the alias domain?
    What will happend since the script ./le4ispc.sh AND ispconfig will try to renew the certificate at different intervals?
    If those won't work, any suggestion as to achieved this?
     

Share This Page