Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    No, certbot-apache is not needed for an ISPConfig system, and using it is actually a common way people break their setup. I am not yet familiar with the referenced recent changes in 3.2beta which would aquire a certificate at installation time, but the setup would almost certainly use either the webroot (after apache/nginx is up on port 80) or standalone authenticators, and no installer plugins, as that is all handled by custom scripts within ISPConfig.
     
  2. gOOvER

    gOOvER Member

    See the first error i posted.

    Code:
    2020-09-14 16:43:06,131:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
     
  3. till

    till Super Moderator Staff Member ISPConfig Developer

    The certbot apache plugin is indeed not part of ISPConfig setups, if the new code requires it, then we should consider to change the code so that it works without that plugin.
     
    Th0m likes this.
  4. gOOvER

    gOOvER Member

    I installed ispconfig3 a second time and i get this Error again:


    Code:
    2020-09-14 18:34:26,341:DEBUG:certbot.main:certbot version: 0.31.0
    2020-09-14 18:34:26,342:DEBUG:certbot.main:Arguments: ['--agree-tos', '--non-interactive', '--expand', '--rsa-key-size', '4096', '--server', 'https://acme-v02.api.letsencrypt.org/directory', '--apache', '--email', '[email protected]', '--renew-hook', 'letsencrypt_renew_hook.sh']
    2020-09-14 18:34:26,342:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2020-09-14 18:34:26,346:DEBUG:certbot.log:Root logging level set at 20
    2020-09-14 18:34:26,346:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
    2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:Requested authenticator apache and installer apache
    2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:No candidate plugin
    2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:No candidate plugin
    2020-09-14 18:34:26,346:DEBUG:certbot.plugins.selection:Selected authenticator None and installer None
    2020-09-14 18:34:26,346:INFO:certbot.main:Could not choose appropriate plugin: The requested apache plugin does not appear to be installed
    2020-09-14 18:34:26,346:DEBUG:certbot.log:Exiting abnormally:
    Traceback (most recent call last):
      File "/usr/bin/letsencrypt", line 11, in <module>
        load_entry_point('certbot==0.31.0', 'console_scripts', 'certbot')()
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1365, in main
        return config.func(config, plugins)
      File "/usr/lib/python3/dist-packages/certbot/main.py", line 1229, in certonly
        installer, auth = plug_sel.choose_configurator_plugins(config, plugins, "certonly")
      File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 237, in choose_configurator_plugins
        diagnose_configurator_problem("authenticator", req_auth, plugins)
      File "/usr/lib/python3/dist-packages/certbot/plugins/selection.py", line 341, in diagnose_configurator_problem
        raise errors.PluginSelectionError(msg)
    certbot.errors.PluginSelectionError: The requested apache plugin does not appear to be installed
    
    Related Ticket: https://git.ispconfig.org/ispconfig/ispconfig3/-/issues/5735
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Original codes use webroot but after several issues raised with regards to default web path of various linux variants, webroot was dropped and changed to apache or nginx to be used if web server is installed and I don't think this will automatically require another plugin.

    Do read this where I think he suggested:
    According to that the plugin is actually included (apt install python-certbot-apache) and no need extra installation.

    To restore original webroot proposal, default web path for all linux variants must be listed and determined, which is not necesarily be /var/www/html as in debian and ubuntu.

    I will research on this later on.
     
    Last edited: Sep 15, 2020
  6. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Thank you for the log as I detected a missing "-d $hostname" on the relevant lines of the codes, so I submitted another MR to fix it:
    https://git.ispconfig.org/ispconfig/ispconfig3/-/merge_requests/1171

    I will check on others soonest.
     
  7. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Hello,
    May be I will ask a question already asked but inside 20 pages of discussion I didn't find it out.
    I have Ispconfig3.2 on multiple servers -2 servers- (ubuntu 18.04)
    I ran LE4ISPC on both. It gives me certs for both serv1.domain.tld and serv2.domain.tld.
    On serv1.domain.tld:8080, there is an effective cert that is linked with domain.tld cert (in ISPconfig)
    I checked that no cert on domain.tld leads to security error on serv1.domain.tld:8080.
    Could you explain it to me because it seems that :8080 should be linked with serv1.domain.tld:80 ?

    I can't reach my serv1.domain.tld:143 for mails because of security concerns (thunderbird message)
    I tried to create a subdomain for website (and vhost) for serv1.domain.tld. Both work : serv1.domain.tld:80, is secured. But, :143 still not secured for thunderbird ! Where should I search to secure port 143 ?

    For serv2.domain.tld, I tried subdomain for website, subdomain for vhost, aliasdomain for website, for vhost... It doesn't work.
    My understanding is that I am in "for vhost" case and subdomain, not alias... Could you confirm ?
    What should I do to secure serv2 ?

    it tried 'scp -r /etc/letsencrypt/live/serv1.domain.tld/*.pem [email protected]:/etc/letsencrypt/live/serv2.domain.tld/'
    it looked 'ok'
    "
    root@serv1:/# scp -r /etc/letsencrypt/live/serv1.domain.tld/*.pem [email protected]:/etc/letsencrypt/live/serv2.domain.tld/
    [email protected]'s password:
    cert.pem 100% 2252 837.1KB/s 00:00
    chain.pem 100% 1647 278.0KB/s 00:00
    fullchain.pem 100% 3899 2.0MB/s 00:00
    privkey.pem 100% 3272 1.5MB/s 00:00
    "
    But files were not copied ! still symlink to "serv2xx.pem" on serv2 directories

    I saw that there are 2 certs for domain.tld on serv1
    '
    root@serv1:/# ld /etc/letsencrypt/live/*

    /etc/letsencrypt/live/domain.tld:
    total 4
    lrwxrwxrwx 1 root root 34 Oct 25 12:12 privkey.pem -> ../../archive/domain.tld/privkey2.pem
    lrwxrwxrwx 1 root root 36 Oct 25 12:12 fullchain.pem -> ../../archive/domain.tld/fullchain2.pem
    lrwxrwxrwx 1 root root 32 Oct 25 12:12 chain.pem -> ../../archive/domain.tld/chain2.pem
    lrwxrwxrwx 1 root root 31 Oct 25 12:12 cert.pem -> ../../archive/domain.tld/cert2.pem

    /etc/letsencrypt/live/serv1.domain.tld:
    total 4
    lrwxrwxrwx 1 root root 39 Oct 19 18:46 privkey.pem -> ../../archive/serv1.domain.tld/privkey1.pem
    lrwxrwxrwx 1 root root 41 Oct 19 18:46 fullchain.pem -> ../../archive/serv1.domain.tld/fullchain1.pem
    lrwxrwxrwx 1 root root 37 Oct 19 18:46 chain.pem -> ../../archive/serv1.domain.tld/chain1.pem
    lrwxrwxrwx 1 root root 36 Oct 19 18:46 cert.pem -> ../../archive/serv1.domain.tld/cert1.pem

    /etc/letsencrypt/live/domain.tld-0001:
    total 4
    lrwxrwxrwx 1 root root 39 Oct 26 22:23 privkey.pem -> ../../archive/domain.tld-0001/privkey2.pem
    lrwxrwxrwx 1 root root 37 Oct 26 22:23 chain.pem -> ../../archive/domain.tld-0001/chain2.pem
    lrwxrwxrwx 1 root root 36 Oct 26 22:23 cert.pem -> ../../archive/domain.tld-0001/cert2.pem
    lrwxrwxrwx 1 root root 41 Oct 26 22:23 fullchain.pem -> ../../archive/domain.tld-0001/fullchain2.pem
    '
    when it is not the case for serv2
    '
    root@serv2:/# ld /etc/letsencrypt/live/*
    /etc/letsencrypt/live/serv2.domain.tld:
    total 4
    lrwxrwxrwx 1 root root 39 Oct 20 18:08 privkey.pem -> ../../archive/serv2.domain.tld/privkey1.pem
    lrwxrwxrwx 1 root root 41 Oct 20 18:08 fullchain.pem -> ../../archive/serv2.domain.tld/fullchain1.pem
    lrwxrwxrwx 1 root root 37 Oct 20 18:08 chain.pem -> ../../archive/serv2.domain.tld/chain1.pem
    lrwxrwxrwx 1 root root 36 Oct 20 18:08 cert.pem -> ../../archive/serv2.domain.tld/cert1.pem
    '

    As you see, I am quite lost !
    Thank you
     
  8. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am sorry but ISPConfig 3.2 use a different approach so I think it is best to undo and remove LE4ISPC before continuing using this version.

    Run ISPConfig instructions to update to 3.2 and choose to create SSL certs during that process.

    If problems are still thereafter, do read and try the faq, https://www.howtoforge.com/community/threads/lets-encrypt-error-faq.74179/
     
  9. francoisPE

    francoisPE Active Member HowtoForge Supporter

    ohh ! Was a good idea to ask !
    How can I undo and remove LE4ISPC ? Removing symlink is enough ? updating ispconfig (option 'nightly') is enough ?
    Thanks
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am not sure about the necessity to remove LE SSL certs symlinks but I think you'll need to at least remove LE certs created, LE4ISPC scripts and what you for it set in incron, then immediately thereafter you'll need to create new LE SSL certs via ISPConfig update to 3.2 to secure your panel and all possible services.
     
  11. francoisPE

    francoisPE Active Member HowtoForge Supporter

    I remove incron, symlinks and certs... what a bad idea !
    I thought I remove SSL in ISPconfig web interface for all created sites which was not the case (I didn't wait enough to have removal applied everywhere !) I try run certbot certonly, but it created certs -0001 which are not recognized during isp update !
    And finally, when running update it always mentions (at least 4 times)
    "
    Service 'xmpp_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: yes
    Service 'firewall_server' has been detected (currently disabled) do you want to enable and configure it? (yes,no) [no]: yes
    "
    I always say yes, but, it is always repeating !! I am not confident in my firewall...
    I will reinstall from the beginning. I am discovering... quite hard !!!
    thanks a lot for your help
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I am sorry but I am not sure how you removed your LE SSL certs for your server. I would normally simply run rm -rf /etc/letsencrypt/*/myserver.domain.tld* for a clean deletion.
     
  13. francoisPE

    francoisPE Active Member HowtoForge Supporter

    Yes but I did rm -rf /etc/letsencrypt/*
    This is where the problem was because I had other websites - thinking their certs removed... !
    Now, I re-set up almost all... Redo is always good for beginner !
    Only Monit not working when calling serv1.domain.tld:2812... I will troubleshoot that
     
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Ok. But do note that I am not advising you to delete all LE SSL certs but just the one for the server. Anyway, with regards to Monit in ISPConfig GUI is a known issue but in port 2812, normally is because we forget to open that port.
     
  15. francoisPE

    francoisPE Active Member HowtoForge Supporter

    For SSL removal, that was my beginner mistake !
    For Monit, I tried port in ISP with no effect. But, it is not not the right forum to talk about Monit.
    I would like to highly thanks you about the GREAT job you are daily doing for us !
     
    Th0m and ahrasis like this.
  16. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    LE4ISPC STATUS
    Obsolete and abandoned since the release of ISPConfig 3.2. It will never be updated. ISPConfig user should rely on default Let's Encrypt client hook in ISPConfig installer or updater in creating and recreating ispserver .crt .key and .pem and restarting all related services, rather than rely on incron, since hook only runs at renewal but incron will definitely use server resources to constantly monitor the ISPConfig server LE SSL Certs renewal and as such might also fail sometimes. Hook will have higher chances of working too since it will only run if the renewal is successful.

    I am stopping and removing support for LE4ISPC since 3.2 is quite stable in issuing and maintaining the server LE SSL certs and other services that require them. I hope the forum moderator may unpin this from the board.

    Those who need to remove LE4ISPC settings may download and run le4ispc-remover.sh available at: https://github.com/ahrasis/LE4ISPC/blob/master/README.md#how-to-remove-le4ispc

    Code:
    cd /tmp
    wget https://raw.githubusercontent.com/ahrasis/LE4ISPC/master/le4ispc-remover.sh
    chmod +x le4ispc-remover.sh
    ./le4ispc-remover.sh
    
    As for the proper way to use ISPConfig 3.2 to secure the server and all services, one should remove the existing LE SSL certs after running the above remover script.
     
    Th0m likes this.

Share This Page