Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Nexus Fred

    Nexus Fred Member

    Hello,

    First, I'm a total newbie using unix :)

    I have installed ISPConfig using the "The Perfect Server - Ubuntu 18.04 (Bionic Beaver) with Apache, PHP, MySQL, PureFTPD, BIND, Postfix, Dovecot and ISPConfig 3.1" tutorial.

    ISPConfig has been secured by a self-signed SSL created during the install.

    Now I'm trying to follow this tutorial to install a Let's Encrypt Certificate but I'm blocked at the "[Checking LE SSL For ISPConfig 3.1 Control Panel]" step.

    In the directory "etc/letsencrypt/live" I do have a directory with my localhost name, but ISPConfig is still using the self-signed SSL certificate?

    Any ideas or tips to help a newbie to solve this ? ;)

    Thanks
    Best Regards
    Nexus
     
  2. Neptun

    Neptun Member

    If you follow the guide step by step, it definitely works without any issue with the setup guide you mentioned (if no mistake happened).

    Start once again at point one here and double-check everything.

    And importantly, take care with your real folder structure; it is not just copy and paste.

    What do you mean when you say you are blocked?
     
    Last edited: Apr 29, 2020
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    @Nexus Fred, the above is part of the tutorial. Nothing in it says to check the folder you mentioned, unless you mean you are using the LE4ISPC script, which automatically checks that folder, and that is different from the tutorial.

    Actually LE4ISPC is quite outdated, since a lot more code has been added while I contributed to ISPConfig for the same purpose.
     
  4. Tuumke

    Tuumke Active Member

    Shouldn't you update LE4ISPC then? :p I used it the other day, seems to work fine for me?
     
  5. Nexus Fred

    Nexus Fred Member

    Hello,
    thanks all for your help.

    I just did the tutorial again and everything worked fine :), I have no idea what I did wrong last time.
     
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Good to hear that.

    Yes, but I am too lazy... :p

    True, it should also still work for most people except those who are using certbot-auto instead of just certbot.
     
    Last edited: May 4, 2020
  7. Nexus Fred

    Nexus Fred Member

    Hello,
    I was a little quick when I said "everything worked fine" :rolleyes:
    The ISPConfig dashboard on port 8080 on my subdomain is secured with a Let's Encrypt SSL certificate, but the subdomain on the regular port 80 is not.
    If I try to regenerate a certificate in the Site Panel it's not working!?
    I have done something wrong, but what?
    Thanks
    Best Regards
    Nexus
     
  8. till

    till Super Moderator Staff Member ISPConfig Developer

  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The server subdomain should also work fine with the same LE SSL on ports other than 8080, like port 443 (but not port 80, of course), and that all depends on how you set the vhost(s).
     
  10. Nexus Fred

    Nexus Fred Member

    Thanks @till & @ahrasis.
    So that's a normal outcome.
    Do I need to keep the "ISPConfig Server Hostname FQDN" in the Website List, or can I remove it or disable it?
     
  11. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I would advise maintaining the website if you already have one for it, as the current LE4ISPC script uses the standalone approach, which is more suitable for a non-webserver.

    The reason is obvious: you don't want your webserver to be down during the creation / update of the LE SSL for that server.

    Until I fully update LE4ISPC to use the webroot approach for a webserver, which I do not know when, it is best to follow the tutorial if your ISPConfig server is also a webserver.

    If your ISPConfig server is a non-webserver, then the use of the standalone approach as in the current LE4ISPC is advisable.
     
  12. Nexus Fred

    Nexus Fred Member

  13. MaKa

    MaKa Member

    RIGHT, please correct it
     
    budgierless likes this.
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Kindly note that the code related to this thread, its tutorial and its advancement thereafter has already been merged into the latest 3.2 beta, which should now cover creating Let's Encrypt SSL certs for any type of ISPConfig server during ISPConfig install or update, and the automatic update of the certificates.

    Please also note that the bash scripts (namely letsencrypt_pre_hook.sh, letsencrypt_post_hook.sh and letsencrypt_renewal_hook.sh) are customizable and thus can be put into the conf-custom folder to survive future ISPConfig updates.

    The latest Perfect Server Tutorial for Ubuntu 20.04 (Apache) mentioned the steps during ISPConfig install, which should be almost the same during ISPConfig update, i.e. if you haven't followed this thread or its tutorial yet.

    Those who have followed this thread or its tutorial have a choice to maintain what they have manually done to secure their ISPConfig servers, but they might not be able to use the latest built-in scripts with the automatic renewal feature.

    To use the said feature via update to ISPConfig 3.2, undoing the manual steps, including removing the already obtained Let's Encrypt SSL certs for the servers, will likely be necessary.

    With these already in the latest ISPConfig, I won't be covering this thread actively anymore and members or users are advised to migrate their servers to 3.2 once the stable version is released to secure them better.
     
    Last edited: Sep 13, 2020
    budgierless, gOOvER and MaKa like this.
  15. MaKa

    MaKa Member

    Nice work! Thanks
     
    budgierless likes this.
  16. gOOvER

    gOOvER Member

    I followed the steps you explained above for those using the manual way. I removed the cron and all certs, but on update, no LE cert is created. It installs only a self-made cert.

    A look into /etc/letsencrypt/live shows me that no cert for the hostname is created.

    When I look into update.php, you only create the symlinks, but do not create a (new) cert.
    Code:
    // Create SSL certs for non-webserver(s)?
    if(!file_exists('/usr/local/ispconfig/interface/ssl/ispserver.crt')) {
        if(strtolower($inst->simple_query('Do you want to create SSL certs for your server?', array('y', 'n'), 'y')) == 'y')
            $inst->make_ispconfig_ssl_cert();
    }
    
    Here is the Ticket: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5731
     
    Last edited: Sep 13, 2020
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Please check your ispconfig log, as the code already checks for the existing certs, if any, and will only offer an option to create new certs if none exists.

    There may be various reasons why your server cannot create LE SSL certs and thus creates self-signed certs in their place, but only you can check that.
     
  18. gOOvER

    gOOvER Member

    You should offer an Option when no Cert is in /etc/letsencrypt. Looks like now you check only /usr/local/ispconfig/interface/ssl
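
The check debated in posts 16 to 18, as an added example that is not part of the thread or of ISPConfig's code: it classifies the control panel certificate file and reports whether the quoted `update.php` condition would offer to create a new one. The function names are hypothetical, and the assumption that the installer links `ispserver.crt` into `/etc/letsencrypt/live/<hostname>/` is inferred from the thread, not confirmed by it.

```shell
#!/bin/sh
# Added example, not ISPConfig code. Default paths are the ones quoted in the thread.
ISPC_CRT="${ISPC_CRT:-/usr/local/ispconfig/interface/ssl/ispserver.crt}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"

# Prints: missing | dangling-symlink | letsencrypt:<lineage> |
#         symlink-elsewhere:<target> | regular-file:<self-signed|ca-issued|unparsed>
ispc_cert_state() (
    crt="${1:-$ISPC_CRT}"; live="${2:-$LE_LIVE}"
    if [ -L "$crt" ]; then
        target=$(readlink "$crt")          # one level only: live/ itself links into archive/
        if [ ! -e "$crt" ]; then
            echo "dangling-symlink"        # certs were removed, link left behind
        else
            case "$target" in
                "$live"/*/*) rest=${target#"$live"/}; echo "letsencrypt:${rest%%/*}" ;;
                *)           echo "symlink-elsewhere:$target" ;;
            esac
        fi
    elif [ ! -e "$crt" ]; then
        echo "missing"
    elif subj=$(openssl x509 -in "$crt" -noout -subject 2>/dev/null) &&
         iss=$(openssl x509 -in "$crt" -noout -issuer 2>/dev/null); then
        # A self-signed certificate names itself as its issuer.
        if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
            echo "regular-file:self-signed"
        else
            echo "regular-file:ca-issued"
        fi
    else
        echo "regular-file:unparsed"       # not PEM, or openssl not installed
    fi
)

# Mirrors the quoted condition !file_exists(ispserver.crt): PHP's file_exists()
# follows symlinks, so only a missing file or a dangling link leads to the prompt.
updater_would_prompt() {
    case "$(ispc_cert_state "$@")" in
        missing|dangling-symlink) return 0 ;;
        *)                        return 1 ;;
    esac
}

echo "ispserver.crt: $(ispc_cert_state "$@")"
```

A leftover self-signed `ispserver.crt` reports `regular-file:self-signed`, in which case the quoted check is skipped regardless of what is in `/etc/letsencrypt/live`.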
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    The code you mentioned is already in installer_base.lib.php. The problem was something else.

    Before my proposal 911 was merged, there was a request to include an ipv6 check and not just ipv4. My original code's svr_ip was modified to become svr_ip4 and svr_ip6 in several lines, but they missed changing one line that has svr_ip, thus the code failed to process your request for LE SSL certs.

    Thanks to your report, I have submitted an MR to fix that: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1147

    Hopefully it is accepted and resolves this problem.
     
  20. gOOvER

    gOOvER Member

    I found more errors:
    Debian Buster 10
    New Install
    Latest Nightly from today

    Code:
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:No candidate plugin
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:No candidate plugin
    2020-09-14 16:43:06,131:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
    2020-09-14 16:43:06,131:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
    2020-09-14 16:43:06,131:DEBUG:certbot.log:Exiting abnormally:
    
    certbot-apache is needed. I fixed this with

    Code:
    apt-get install certbot python-certbot-apache

    Then I have some warnings:

    Code:
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.KtUcYqFs7D/install/lib/installer_base.lib.php on line 2771
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.KtUcYqFs7D/install/lib/installer_base.lib.php on line 2774
    PHP Warning:  symlink(): File exists in /tmp/update_runner.sh.KtUcYqFs7D/install/lib/installer_base.lib.php on line 2777

    and this error:

    Code:
    2020-09-14 16:46:23,624:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1242, in certonly
        domains, certname = _find_domains_or_certname(config, installer)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 422, in _find_domains_or_certname
        domains = display_ops.choose_names(installer, question)
      File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 130, in choose_names
        "No names were found in your configuration files. ")
      File "/usr/lib/python3/dist-packages/certbot/display/ops.py", line 200, in _choose_names_manually
        cli_flag="--domains", force_interactive=True)
      File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 524, in input
        self._interaction_fail(message, cli_flag)
      File "/usr/lib/python3/dist-packages/certbot/display/util.py", line 469, in _interaction_fail
        raise errors.MissingCommandlineFlag(msg)
    certbot.errors.MissingCommandlineFlag: Missing command line flag or config entry for this setting:
    No names were found in your configuration files. Please enter in your domain name(s) (comma and/or space separated)
    
     
    Last edited: Sep 14, 2020
