As far as I know, unless you are using HSTS, browsers won't stop you from accepting/trusting any certificate, including self-signed ones, and opening the website.
It seems you misunderstand HSTS. It only enforces secured connections and protects against downgrade and cookie attacks. Whatever cert you use doesn't matter to HSTS.
As far as I am concerned, SSL certificates matter to HSTS. You can visit https://server.domain.tld:8080 but you cannot visit https://nottheserver.domain.tld:8080, as both sites, though on the same server, have different LE SSL certificates; the first is used together with ISPC and the latter is not. You will definitely get an HSTS warning. This is even more so if one is using an OpenSSL self-signed certificate and the other is using an LE SSL certificate.
I read you got it working now? Nice. BTW, did you follow one of the "Perfect Server" guides on installing ISPC? I bet your hostname -f is that vpsxxx.ovh.net. In the Perfect Server guides it's pointed out to change the hostname of your machine to whatever you are planning to use.
That's not related to HSTS... that's related to SSL. Common Name Mismatch. The domain name and the names in the SSL cert do not match. You'll get that warning regardless of whether you use HSTS or not.
Yes, this one -> https://www.howtoforge.com/perfect-...hp-mysql-pureftpd-bind-dovecot-ispconfig-3-p4 but I didn't change the hostname, I left the default one provided by OVH. I don't get the error which Jesse posted. Maybe somewhere there is a redirection to port 443 if you put https:// before the website address, and then the :80 after the website name doesn't matter.
PS One thing about LE. Here - https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/ - is a newer tutorial than the one I used. I am focusing on point 9, "Install Let's Encrypt". Using the command posted there requires specifying for which websites LE should be installed. Somewhere on this forum somebody said that no website should be chosen, which is impossible, or ISP won't be able to automatically renew the LE cert.
Second thing - on another VPS:
Code:
root@vps456:~# apt-get -y install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package certbot

The same happens with the command apt-get -y install letsencrypt from the tutorial for the earlier Ubuntu version: https://www.howtoforge.com/tutorial...pureftpd-bind-postfix-doveot-and-ispconfig/2/
@sjau, I am a learner so let us learn it together, shall we?

[HSTS Enabled] With HSTS enabled, on trying to access ISPC via https://nottheserver.domain.tld:8080, you can never connect to ISPC via any website other than the server website. To quote from Firefox: To quote from Chrome: To sum up, you will not have an option to add an exception or to continue at all if HSTS is enabled. An HSTS warning will be given.

[HSTS Not Enabled] However, if HSTS is not enabled, you can choose to continue and won't get an HSTS warning. In Firefox, despite the warning, you can simply click advanced and add an exception to continue, and there is no HSTS warning at all. In Chrome you can just proceed, though it is flagged as unsafe, and there is no HSTS warning at all. To quote the warning from Chrome: To sum up, you will have an option to add an exception and/or continue if HSTS is not enabled. No HSTS warning at all.
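Added example, not part of any post in this thread: a small Python model of how a browser combines the certificate name check with its HSTS state, using the thread's two hostnames and the max-age value from the vhost posted further down. The `Browser` class and its methods are hypothetical names for illustration; max-age expiry and the preload list are not modelled.

```python
import re

def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797); None if unusable."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    if not re.fullmatch(r"\d+", directives.get("max-age", "")):
        return None  # max-age is a required directive
    return {"max_age": int(directives["max-age"]),
            "include_subdomains": "includesubdomains" in directives}

def name_matches(host, san):
    """Certificate name check: '*' covers exactly one leftmost label."""
    h, s = host.lower().split("."), san.lower().split(".")
    if len(h) != len(s):
        return False
    return (s[0] == "*" or s[0] == h[0]) and h[1:] == s[1:]

class Browser:  # hypothetical model, not a real browser API
    def __init__(self):
        self.hsts = {}  # host -> includeSubDomains flag; keyed by host, ports ignored

    def is_hsts_host(self, host):
        labels = host.lower().split(".")
        if host.lower() in self.hsts:
            return True
        # a parent domain's includeSubDomains policy also covers this host
        return any(self.hsts.get(".".join(labels[i:])) for i in range(1, len(labels)))

    def visit(self, host, cert_sans, hsts_header=None):
        """Return (certificate_error, user_may_add_exception)."""
        cert_ok = any(name_matches(host, san) for san in cert_sans)
        if cert_ok and hsts_header:
            # the header is only honoured on an error-free TLS connection
            policy = parse_hsts(hsts_header)
            if policy and policy["max_age"] > 0:
                self.hsts[host.lower()] = policy["include_subdomains"]
            elif policy:
                self.hsts.pop(host.lower(), None)  # max-age=0 removes the entry
        if cert_ok:
            return (None, False)
        # the mismatch is a TLS error; HSTS only decides whether it can be bypassed
        return ("name mismatch", not self.is_hsts_host(host))
```

The name mismatch is reported with or without HSTS; what changes once the host is a known HSTS host is that the second value becomes `False`, i.e. no "add exception" path.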
OK, a question from a dummy: all the above looks daunting. I have set up my 16.04 as per the Perfect Server 16.04 tutorial, and Let's Encrypt was installed at the time, as was ISPConfig 3. Which steps above do I need to follow? The last time I attempted this was prior to a reinstall, and I ended up with a key error when trying to access ISPC.
Just follow each and every step. Feel free to ask if you face any problem(s) at any step. And do note that I am using nginx with Ubuntu 16.04 in this guide, so if you use apache, where it states restart/reload nginx, change it to apache2 instead.
Good morning, I have to encrypt my scripts on a Linux distribution with Armv5tejl Buildroot. I tried a lot of solutions but none work. Can someone help me? Thanks, Nicola
I don't mix them up. I used point 9 from the tutorial for Ubuntu 16.04. This is important to me, and neither
Code:
apt-get -y install certbot

nor
Code:
apt-get -y install letsencrypt

is working, and they generate output like this
Code:
root@vps456:~# apt-get -y install certbot
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package certbot

or
Code:
root@vps456:~# apt-get -y install letsencrypt
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package letsencrypt

Can it be a problem with the repositories in /etc/apt/sources.list?
Thanks for the reply. I am not very experienced, as you can see. Can you advise me of a method suited to my needs to encrypt an ash shell script?
@Poliman, I don't think the first one (certbot) is in the 16.04 guide. Anyway, what is the output of: "lsb_release -a"?
The main reason I am going down this track now is because of the new warnings in the latest release of Firefox, which may confuse some people into thinking that it is not OK to log in to a site if it is not https:// - see screen grab:- (not certain what Firefox devs were thinking when they put this in). Here are a couple of shots from the first site I have set up via enabling both SSL options in ISPC - but there seems to be some information missing. Is this correct? If not, how do I fix ownership information etc.?
You might want to check whether you have successfully created your LE SSL certificates for the said website in LE log files.
I'm finding this in all the log files:-
Code:
017-03-10 21:33:26,273:DEBUG:letsencrypt.cli:Arguments: ['-n', '--text', '--agree-tos', '--expand', '--authenticator', 'webroot', '--server', 'https://acme-v01.api.letsencrypt.org/directory', '--rsa-key-size', '4096', '--email', '[email protected]', '--domains', 'scm-rpg.com.au', '--domains', 'www.scm-rpg.com.au', '--webroot-path', '/usr/local/ispconfig/interface/acme']

There are also:-
scm-rpg.com.au-le.key
scm-rpg.com.au-le.crt
in /var/www/clients/client0/web3/ssl

...and in /etc/apache2/sites-enabled/100-scm-rpg.com.au.vhost
Code:
<IfModule mod_ssl.c>
SSLEngine on
SSLProtocol All -SSLv2 -SSLv3
# SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
# <IfModule mod_headers.c>
# Header always add Strict-Transport-Security "max-age=15768000"
# </IfModule>
SSLCertificateFile /var/www/clients/client0/web3/ssl/scm-rpg.com.au-le.crt
SSLCertificateKeyFile /var/www/clients/client0/web3/ssl/scm-rpg.com.au-le.key
SSLCertificateChainFile /var/www/clients/client0/web3/ssl/scm-rpg.com.au-le.bundle
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
</IfModule>
From my side your LE is working for the said website. The warning is due to some images from the said website not the LE SSL files themselves. You should be able to proceed to the next steps from this guide to secure your ISPC and other services.