No, certbot-apache is not needed for an ISPConfig system, and using it is actually a common way people break their setup. I am not yet familiar with the referenced recent changes in 3.2beta which would acquire a certificate at installation time, but the setup would almost certainly use either the webroot (after apache/nginx is up on port 80) or standalone authenticators, and no installer plugins, as that is all handled by custom scripts within ISPConfig.
See the first error I posted.
Code:
2020-09-14 16:43:06,131:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
The certbot apache plugin is indeed not part of ISPConfig setups; if the new code requires it, then we should consider changing the code so that it works without that plugin.
I installed ispconfig3 a second time and I get this error again:
Code:
2020-09-14 18:34:26,341:DEBUG:certbot.main:certbot version: 0.31.0
2020-09-14 18:34:26,342:DEBUG:certbot.main:Arguments: ['--agree-tos', '--non-interactive', '--expand', '--rsa-key-size', '4096', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--apache', '--email', '[email protected]', '--renew-hook', 'letsencrypt_renew_hook.sh']
2020-09-14 18:34:26,342:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-14 18:34:26,346:DEBUG:certbot.log:Root logging level set at 20
2020-09-14 18:34:26,346:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:No candidate plugin
2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:No candidate plugin
2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
2020-09-14 18:34:26,346:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
2020-09-14 18:34:26,346:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/letsencrypt", line 11, in <module>
    load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
    return config.func(config, plugins)
  File "/usr/lib/python3/dist-packages/certbot/main.py", line 1229, in certonly
    installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
    diagnose_configurator_problem("authenticator", req_auth, plugins)
  File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
    raise errors.PluginSelectionError(msg)
certbot.errors.PluginSelectionError: The requested apache plugin does not appear to be installed

Related Ticket: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5735
The original code uses webroot, but after several issues were raised with regard to the default web path of various Linux variants, webroot was dropped and changed to apache or nginx, to be used if a web server is installed, and I don't think this will automatically require another plugin. Do read this where I think he suggested: According to that the plugin is actually included (apt install python-certbot-apache) and needs no extra installation. To restore the original webroot proposal, the default web path for all Linux variants must be listed and determined, which is not necessarily /var/www/html as in Debian and Ubuntu. I will research this later on.
Thank you for the log, as I detected a missing "-d $hostname" on the relevant lines of the code, so I submitted another MR to fix it: https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1171
I will check on others soonest.
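The two problems read out of the debug log in the posts above (a plugin switch naming a plugin that certbot did not discover, and a non-interactive run without `-d`) can be checked mechanically. This is an added example, not code from the thread or from ISPConfig; the sample log lines are constructed in the format of the quoted log, and `analyse` and the two lookup tables are hypothetical names.

```python
import ast
import re

# Constructed sample in the format of the certbot 0.31.0 debug log quoted in the
# thread; the e-mail address and the shortened argument list are made up.
SAMPLE_LOG = """\
2020-09-14 18:34:26,342:DEBUG:certbot.main:Arguments: ['--agree-tos', '--non-interactive', '--apache', '--email', 'admin@example.com']
2020-09-14 18:34:26,342:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
"""

# certbot command-line switches that select a plugin by name.
PLUGIN_FLAGS = {"--apache": "apache", "--nginx": "nginx",
                "--standalone": "standalone", "--webroot": "webroot"}
DOMAIN_FLAGS = ("-d", "--domain", "--domains")


def analyse(log_text):
    """Return a list of findings for one certbot run recorded in log_text."""
    args, discovered = [], set()
    for line in log_text.splitlines():
        m = re.search(r":Arguments: (\[.*\])\s*$", line)
        if m:
            args = ast.literal_eval(m.group(1))  # the list is logged as a Python repr
        m = re.search(r":Discovered plugins: PluginsRegistry\((.*)\)", line)
        if m:
            discovered = set(re.findall(r"PluginEntryPoint#([\w-]+)", m.group(1)))

    findings = []
    for flag, plugin in PLUGIN_FLAGS.items():
        if flag in args and plugin not in discovered:
            findings.append(f"{flag} requested but plugin '{plugin}' is not installed "
                            f"(discovered: {', '.join(sorted(discovered))})")
    if "--non-interactive" in args and not any(a in DOMAIN_FLAGS for a in args):
        findings.append("non-interactive run without -d: no hostname was passed")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

To use it on a real system, pass the contents of /var/log/letsencrypt/letsencrypt.log to `analyse`.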
Hello,

Maybe I will ask a question already asked, but inside 20 pages of discussion I didn't find it.

I have ISPConfig 3.2 on multiple servers -2 servers- (Ubuntu 18.04). I ran LE4ISPC on both. It gives me certs for both serv1.domain.tld and serv2.domain.tld.

On serv1.domain.tld:8080, there is an effective cert that is linked with the domain.tld cert (in ISPConfig). I checked that no cert on domain.tld leads to a security error on serv1.domain.tld:8080. Could you explain it to me, because it seems that :8080 should be linked with serv1.domain.tld:80?

I can't reach my serv1.domain.tld:143 for mails because of security concerns (Thunderbird message). I tried to create a subdomain for website (and vhost) for serv1.domain.tld. Both work: serv1.domain.tld:80 is secured. But :143 is still not secured for Thunderbird! Where should I search to secure port 143?

For serv2.domain.tld, I tried subdomain for website, subdomain for vhost, aliasdomain for website, for vhost... It doesn't work. My understanding is that I am in the "for vhost" case and subdomain, not alias... Could you confirm? What should I do to secure serv2?

I tried 'scp -r /etc/letsencrypt/live/serv1.domain.tld/*.pem [email protected]:/etc/letsencrypt/live/serv2.domain.tld/' and it looked 'ok':
Code:
root@serv1:/# scp -r /etc/letsencrypt/live/serv1.domain.tld/*.pem [email protected]:/etc/letsencrypt/live/serv2.domain.tld/
[email protected]'s password:
cert.pem 100% 2252 837.1KB/s 00:00
chain.pem 100% 1647 278.0KB/s 00:00
fullchain.pem 100% 3899 2.0MB/s 00:00
privkey.pem 100% 3272 1.5MB/s 00:00

But the files were not copied! There are still symlinks to "serv2xx.pem" in the serv2 directories.

I saw that there are 2 certs for domain.tld on serv1:
Code:
root@serv1:/# ld /etc/letsencrypt/live/*
/etc/letsencrypt/live/domain.tld:
total 4
lrwxrwxrwx 1 root root 34 Oct 25 12:12 privkey.pem -> ../../archive/domain.tld/privkey2.pem
lrwxrwxrwx 1 root root 36 Oct 25 12:12 fullchain.pem -> ../../archive/domain.tld/fullchain2.pem
lrwxrwxrwx 1 root root 32 Oct 25 12:12 chain.pem -> ../../archive/domain.tld/chain2.pem
lrwxrwxrwx 1 root root 31 Oct 25 12:12 cert.pem -> ../../archive/domain.tld/cert2.pem

/etc/letsencrypt/live/serv1.domain.tld:
total 4
lrwxrwxrwx 1 root root 39 Oct 19 18:46 privkey.pem -> ../../archive/serv1.domain.tld/privkey1.pem
lrwxrwxrwx 1 root root 41 Oct 19 18:46 fullchain.pem -> ../../archive/serv1.domain.tld/fullchain1.pem
lrwxrwxrwx 1 root root 37 Oct 19 18:46 chain.pem -> ../../archive/serv1.domain.tld/chain1.pem
lrwxrwxrwx 1 root root 36 Oct 19 18:46 cert.pem -> ../../archive/serv1.domain.tld/cert1.pem

/etc/letsencrypt/live/domain.tld-0001:
total 4
lrwxrwxrwx 1 root root 39 Oct 26 22:23 privkey.pem -> ../../archive/domain.tld-0001/privkey2.pem
lrwxrwxrwx 1 root root 37 Oct 26 22:23 chain.pem -> ../../archive/domain.tld-0001/chain2.pem
lrwxrwxrwx 1 root root 36 Oct 26 22:23 cert.pem -> ../../archive/domain.tld-0001/cert2.pem
lrwxrwxrwx 1 root root 41 Oct 26 22:23 fullchain.pem -> ../../archive/domain.tld-0001/fullchain2.pem

while this is not the case for serv2:
Code:
root@serv2:/# ld /etc/letsencrypt/live/*
/etc/letsencrypt/live/serv2.domain.tld:
total 4
lrwxrwxrwx 1 root root 39 Oct 20 18:08 privkey.pem -> ../../archive/serv2.domain.tld/privkey1.pem
lrwxrwxrwx 1 root root 41 Oct 20 18:08 fullchain.pem -> ../../archive/serv2.domain.tld/fullchain1.pem
lrwxrwxrwx 1 root root 37 Oct 20 18:08 chain.pem -> ../../archive/serv2.domain.tld/chain1.pem
lrwxrwxrwx 1 root root 36 Oct 20 18:08 cert.pem -> ../../archive/serv2.domain.tld/cert1.pem

As you see, I am quite lost!

Thank you
I am sorry, but ISPConfig 3.2 uses a different approach, so I think it is best to undo and remove LE4ISPC before continuing to use this version. Run the ISPConfig instructions to update to 3.2 and choose to create SSL certs during that process. If there are still problems thereafter, do read and try the FAQ: https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
Ohh! It was a good idea to ask! How can I undo and remove LE4ISPC? Is removing the symlinks enough? Is updating ISPConfig (option 'nightly') enough? Thanks
I am not sure about the necessity of removing the LE SSL certs symlinks, but I think you'll need to at least remove the LE certs created, the LE4ISPC scripts and what you set for it in incron; then immediately thereafter you'll need to create new LE SSL certs via the ISPConfig update to 3.2 to secure your panel and all possible services.
I removed incron, symlinks and certs... what a bad idea! I thought I had removed SSL in the ISPConfig web interface for all created sites, which was not the case (I didn't wait long enough to have the removal applied everywhere!). I tried running certbot certonly, but it created -0001 certs which are not recognized during the ISPConfig update!

And finally, when running the update it always mentions (at least 4 times):
Code:
Service 'xmpp_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: yes
Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: yes

I always say yes, but it keeps repeating!! I am not confident in my firewall... I will reinstall from the beginning. I am discovering... quite hard!!! Thanks a lot for your help
I am sorry but I am not sure how you removed your LE SSL certs for your server. I would normally simply run rm -rf /etc/letsencrypt/*/myserver.domain.tld* for a clean deletion.
Yes, but I did rm -rf /etc/letsencrypt/*. This is where the problem was, because I had other websites - thinking their certs removed...! Now I have re-set up almost everything... Redoing is always good for a beginner! Only Monit is not working when calling serv1.domain.tld:2812... I will troubleshoot that
Ok. But do note that I am not advising you to delete all LE SSL certs, just the one for the server. Anyway, Monit in the ISPConfig GUI is a known issue, but on port 2812 it is normally because we forget to open that port.
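What the two deletion globs from the posts above select, shown as a dry run on a temporary directory (an added example, not code from the thread or from ISPConfig; nothing under /etc/letsencrypt is touched). The tree is constructed to mirror the lineage names in the earlier listing, and all function names are hypothetical.

```python
import re
import tempfile
from pathlib import Path

# Constructed lineage names, mirroring the /etc/letsencrypt/live listing in the thread.
SAMPLE_LINEAGES = ("domain.tld", "domain.tld-0001", "serv1.domain.tld")


def build_sample_tree(root):
    """Create an empty stand-in for /etc/letsencrypt under root (a Path)."""
    (root / "accounts").mkdir()
    (root / "renewal").mkdir()
    for name in SAMPLE_LINEAGES:
        (root / "live" / name).mkdir(parents=True)
        (root / "archive" / name).mkdir(parents=True)
        (root / "renewal" / f"{name}.conf").touch()


def scoped_matches(root, hostname):
    """Dry run: what the glob <root>/*/<hostname>* selects, relative to root."""
    return sorted(p.relative_to(root).as_posix() for p in root.glob(f"*/{hostname}*"))


def wipe_matches(root):
    """Dry run: what the glob <root>/* selects (every lineage plus accounts)."""
    return sorted(p.name for p in root.glob("*"))


def duplicate_lineages(root):
    """Lineages named <existing-name>-NNNN, i.e. a second cert for the same name."""
    names = {p.name for p in (root / "live").iterdir()}
    dupes = []
    for name in names:
        m = re.fullmatch(r"(.+)-\d{4}", name)
        if m and m.group(1) in names:
            dupes.append(name)
    return sorted(dupes)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        print(scoped_matches(root, "serv1.domain.tld"))
        print(wipe_matches(root))
        print(duplicate_lineages(root))
```

The hostname-scoped glob also picks up any `-0001` lineage of the same name, so its output is worth reading before turning the dry run into a deletion.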
For SSL removal, that was my beginner mistake! For Monit, I tried the port in ISPConfig with no effect. But it is not the right forum to talk about Monit. I would like to thank you very much for the GREAT job you are doing daily for us!
LE4ISPC STATUS

Obsolete and abandoned since the release of ISPConfig 3.2. It will never be updated.

ISPConfig users should rely on the default Let's Encrypt client hook in the ISPConfig installer or updater for creating and recreating the ispserver .crt, .key and .pem and restarting all related services, rather than rely on incron, since the hook only runs at renewal but incron will definitely use server resources to constantly monitor the ISPConfig server LE SSL certs renewal and as such might also fail sometimes. The hook will have higher chances of working too, since it will only run if the renewal is successful.

I am stopping and removing support for LE4ISPC since 3.2 is quite stable in issuing and maintaining the server LE SSL certs and other services that require them. I hope the forum moderator may unpin this from the board.

Those who need to remove LE4ISPC settings may download and run le4ispc-remover.sh, available at: https://github.com/ahrasis/LE4ISPC/blob/master/README.md#how-to-remove-le4ispc
Code:
cd /tmp
wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc-remover.sh
chmod +x le4ispc-remover.sh
./le4ispc-remover.sh

As for the proper way to use ISPConfig 3.2 to secure the server and all services, one should remove the existing LE SSL certs after running the above remover script.