Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As far as I know, unless you are using HSTS, the browsers won't stop you from accepting/trusting any certificate, including a self-signed one, and opening the website.
     
  2. sjau

    sjau Local Meanie Moderator

    It seems you misunderstand HSTS. It only enforces secured connections and protects against downgrade and cookie attacks. Whatever cert you use doesn't matter to HSTS.
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    As far as I am concerned, SSL certificates matter to HSTS. You can visit https://server.domain.tld:8080 but you cannot visit https://nottheserver.domain.tld:8080 as both sites, though on the same server, have different LE SSL certificates; the first is together with ISPC and the latter is not. You will definitely get an HSTS warning. This is even more so if one is using an OpenSSL self-signed certificate and the other is using an LE SSL certificate.
     
    Last edited: Mar 10, 2017
  4. Tuumke

    Tuumke Active Member

    I read you got it working now?
    Nice.

    BTW, did you follow one of the "Perfect Server" guides on installing ISPC?
    I bet your hostname -f is that vpsxxx.ovh.net
    In the Perfect Server guides it's pointed out to change the hostname of your machine to whatever you are planning to use.
     
  5. sjau

    sjau Local Meanie Moderator

    That's not related to HSTS... that's related to SSL. Common Name Mismatch. The domain name and the names in the SSL cert do not match. You'll get that warning regardless of whether you use HSTS or not.
     
  6. Poliman

    Poliman Member

    Yes, this one -> https://www.howtoforge.com/perfect-...hp-mysql-pureftpd-bind-dovecot-ispconfig-3-p4 but I didn't change the hostname, I left the default one provided by OVH. I don't get the error which Jesse posted. Maybe somewhere there is a redirection to port 443 if you put https:// before the website address, and then the :80 after the website name doesn't matter.

    PS
    One thing about LE. Here - https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/ - is a newer tutorial than the one I used. I focus on point 9, "Install Let's Encrypt". Using the command posted there requires specifying for which websites LE should be installed. Somewhere on this forum somebody said that no website should be chosen, which is impossible, or ISP won't be able to automatically renew the LE cert. Second thing - on another VPS:
    Code:
    root@vps456:~# apt-get -y install certbot
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package certbot
    The same happens with the command apt-get -y install letsencrypt from the tutorial for an earlier Ubuntu version: https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/
     
    Last edited: Mar 9, 2017
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    @sjau, I am a learner so let us learn it together, shall we?

    [HSTS Enabled]
    With HSTS enabled, on trying to access ISPC via https://nottheserver.domain.tld:8080, you can never connect to ISPC via any website other than the server website. To quote from Firefox:
    To quote from Chrome:
    To sum up, you will not have an option to add an exception or to continue at all if HSTS is enabled. An HSTS warning will be given.

    [HSTS Not Enabled]
    However, if HSTS is not enabled, you can choose to continue and won't get an HSTS warning. In Firefox, despite the warning, you can simply click Advanced and add an exception to continue, and there is no HSTS warning at all. In Chrome you can just proceed, though it is warned as unsafe, and there is no HSTS warning at all. To quote the warning from Chrome:
    To sum up, you will have an option to add an exception and/or continue if HSTS is not enabled. No HSTS warning at all.
     
    Last edited: Mar 13, 2017
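    The Common Name Mismatch point from post 5 and the with/without HSTS behaviour described in post 7, as an added Python example (not code from the thread, from ISPConfig or from any browser). The certificate SAN list, the hostnames and the HSTS header value are constructed to mirror the scenario discussed: the panel on :8080 serves only the server's own LE certificate, and HSTS decides only whether the browser lets you click through the mismatch.

```python
from typing import List, Optional

# Constructed scenario mirroring the thread: the ISPConfig panel on :8080 serves
# the Let's Encrypt certificate issued for the server's own hostname only.
ISPC_CERT_SANS = ["server.domain.tld"]


def dns_name_matches(hostname: str, pattern: str) -> bool:
    """Browser-style DNS name match (RFC 6125 rules): exact match, or a single
    '*' as the leftmost label that stands for exactly one label."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if "*" not in pat:
        return host == pat
    pat_labels = pat.split(".")
    # Only '*.example.tld' style wildcards: no '*.tld', no 'a*.x', no '*.*.x'.
    if pat_labels[0] != "*" or len(pat_labels) < 3:
        return False
    if any("*" in label for label in pat_labels[1:]):
        return False
    host_labels = host.split(".")
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def cert_covers_host(hostname: str, san_dns_names: List[str]) -> bool:
    """True when any subjectAltName DNS entry matches the requested hostname."""
    return any(dns_name_matches(hostname, san) for san in san_dns_names)


def hsts_max_age(header: Optional[str]) -> Optional[int]:
    """max-age from a Strict-Transport-Security header value (e.g. the
    "max-age=15768000" line in the vhost), or None if absent or malformed."""
    if not header:
        return None
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        if name.strip().lower() == "max-age" and value.strip().isdigit():
            return int(value.strip())
    return None


def browser_outcome(hostname: str, san_dns_names: List[str], hsts_known: bool) -> str:
    """A name mismatch is always a certificate error; a previously seen HSTS
    policy only decides whether the user may click through it."""
    if cert_covers_host(hostname, san_dns_names):
        return "connect"
    return "blocked, no exception (HSTS)" if hsts_known else "warning, exception allowed"
```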
  8. Tastiger

    Tastiger Member HowtoForge Supporter

    OK, a question from a dummy, all the above looks daunting - I have set up my 16.04 as per the tutorial for perfect server 16.04, and Let's Encrypt was installed at the time, as was ISPConfig 3 - which steps above do I need to follow?

    Last time I attempted this was prior to a reinstall and I ended up with a key error when trying to access ISPC.
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Just follow each and every step. Feel free to ask if you face any problem(s) at any step.

    And do note that I am using nginx with Ubuntu 16.04 in this guide, so if you use apache, where it states restart/reload nginx, change it to apache2 instead.
     
  10. Poliman

    Poliman Member

    Does anybody know the answer to the question in the PS section of my last post? ;)
     
  11. n.rito

    n.rito New Member

    Good morning,
    I have to encrypt my scripts on a Linux distribution with Armv5tejl Buildroot; I tried a lot of solutions but none work.
    Can someone help me?
    Thanks,
    Nicola
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    @Poliman, install LE / certbot as per the guides / how to's. Don't mix them up.
     
  13. Poliman

    Poliman Member

    I don't mix them up. I used point 9 from the tutorial for Ubuntu 16.04. :)
    This is important to me, and neither
    Code:
    apt-get -y install certbot
    nor
    Code:
    apt-get -y install letsencrypt
    is working, and they generate output like this
    Code:
    root@vps456:~# apt-get -y install certbot
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package certbot
    or
    Code:
    root@vps456:~# apt-get -y install letsencrypt
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    E: Unable to locate package letsencrypt
    Can it be a problem with the repositories in /etc/apt/sources.list?
     
  14. n.rito

    n.rito New Member

    Thanks for the reply. I am not very experienced, as you can see; can you advise me a suitable method for my needs to encrypt an ash shell script?
     
  15. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    @Poliman, I don't think the first one (certbot) is in 16.04 guide. Anyway, what is the output of: "lsb_release -a"?
     
  16. Tastiger

    Tastiger Member HowtoForge Supporter

    The main reason I am going down this track now is because of the new warnings in the latest release of Firefox, which may confuse some people into thinking that it is not OK to log in to a site if it is not https:// - see screen grab (not certain what the Firefox devs were thinking when they put this in).

    Here are a couple of shots from the first site I have set up via enabling both SSL options in ISPC - but there seems to be some information missing; is this correct?
    If not, how do I fix ownership information etc.?
     
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    You might want to check whether you have successfully created your LE SSL certificates for the said website in the LE log files.
     
  18. Tastiger

    Tastiger Member HowtoForge Supporter

    I'm finding this in all the log files:-
    Code:
    017-03-10 21:33:26,273:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'scm-rpg.com.au', '--domains', 'www.scm-rpg.com.au', '--webroot-path', '/usr/local/ispconfig/interface/acme']
    There are also:-
    scm-rpg.com.au-le.key
    scm-rpg.com.au-le.crt
    in /var/www/clients/client0/web3/ssl

    ...and in /etc/apache2/sites-enabled/100-scm-rpg.com.au.vhost
    Code:
    <IfModule mod_ssl.c>
        SSLEngine on
        SSLProtocol All -SSLv2 -SSLv3
        # SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
        SSLHonorCipherOrder on
        # <IfModule mod_headers.c>
        # Header always add Strict-Transport-Security "max-age=15768000"
        # </IfModule>
        SSLCertificateFile /var/www/clients/client0/web3/ssl/scm-rpg.com.au-le.crt
        SSLCertificateKeyFile /var/www/clients/client0/web3/ssl/scm-rpg.com.au-le.key
        SSLCertificateChainFile /var/www/clients/client0/web3/ssl/scm-rpg.com.au-le.bundle
        SSLUseStapling on
        SSLStaplingResponderTimeout 5
        SSLStaplingReturnResponderErrors off
    </IfModule>
     
    Last edited: Mar 11, 2017
  19. Tastiger

    Tastiger Member HowtoForge Supporter

    Not that I could see - the only mention of the site was in what I posted above.
     
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    From my side, your LE is working for the said website. The warning is due to some images from the said website, not the LE SSL files themselves. You should be able to proceed to the next steps from this guide to secure your ISPC and other services.
     
    Last edited: Mar 11, 2017
