Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. Tastiger

    Tastiger Member HowtoForge Supporter

    good - I shall carry on then - just being very careful......
    Many Thanks
     
  2. Tastiger

    Tastiger Member HowtoForge Supporter

This is where I messed up before. Where you have used `hostname -f`, is the "-f" required along with the
hostname, and does that hostname have to be the FQDN as set in the original server setup?
     
  3. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

It has to be a fully qualified domain name (FQDN), but although I am using the one set in the original server setup, I am not so sure whether it "has to" be the same.

    The reason is there are two sides of this guide, one of which is access from the web and the other is access via non web.

As far as the web side is concerned, another FQDN will be fine, so long as it is the same for the website and ISPC on port 8080.

But I personally am not sure that is the same for access via the non-web side. My concerns are mainly with postfix and dovecot, which many are using to run their mail server.

    However, I do think it could be possible but I haven't tested it.

So if you have the luxury (time) to test that, you may do so, as it should be reversible if something goes wrong.
     
  4. Tastiger

    Tastiger Member HowtoForge Supporter

... and the "-f", is that part of the required input, i.e.:
server1.example.com -f
or should it just be
server1.example.com
As I said, I'm being very careful :eek:
     
  5. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

You either type in `hostname -f` or server1.example.com. The result is the same because `hostname -f` is server1.example.com.
     
  6. Tastiger

    Tastiger Member HowtoForge Supporter

Any ideas why the images on my sites are not being secured?
Could it have something to do with my DNS settings, as the warning does not show up on another site that is not on my DNS server?

I am getting really horrible warnings from both Chrome and Edge that are likely to frighten visitors away from the sites.
At this stage it's looking as though I may have to turn off SSL in Joomla to avoid the warning in Chrome and Edge.

Also I notice that when I go back to one of my sites in ISPC it has unchecked Let's Encrypt SSL for some unknown reason.

To see the warnings visit https://scm-rpg.com.au/ in either Edge or Chrome.
     
    Last edited: Mar 13, 2017
  7. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

I already saw the warning, and that is because one of your images (the background) is linked to another unsecured domain / site.

As such, it should not have anything to do with your DNS or other sites.

Some browsers have the ability to check that, so you may do the necessary replacement. Some Joomla plugins / addons can also secure that kind of image.

For the unchecked LE SSL, do check your LE log.
     
  8. Tastiger

    Tastiger Member HowtoForge Supporter

    I dug deeper and found the offending items to be in either the template itself or the modules of Joomla.

    Cheers!
     
    ahrasis likes this.
  9. Poliman

    Poliman Member

    Code:
    No LSB modules are available.
    Distributor ID: Ubuntu
    Description:    Ubuntu 14.04.5 LTS
    Release:        14.04
    Codename:       trusty
But some time ago,
    Code:
    apt-get -y install letsencrypt
this command was working (I have two of these same servers with the same Ubuntu as above). I have one website with LE SSL.
     
  10. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

That is how you install LE in the 16.04 guide, but you are using 14.04 for this server. So the correct one should be in step 11 here. You should update your ISPC thereafter to let it manage your LE.
     
  11. Poliman

    Poliman Member

I have the newest ISPC and I used step 11 from the tutorial you posted. Unfortunately I don't have this window on a blue background (and no idea how to get this window), but a normal letsencrypt installation like in the tutorial for Ubuntu 16.04. Strange, isn't it? :)
     
  12. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    It is not strange to me at all as I did read some of your earlier postings. ;) For the time being I consider the output of "lsb_release -a" you posted above as the correct one unless you changed your system again.

Step 11 in the guide I posted above, if you already did it, then you just need to update your ISPC. This doesn't mean that your ISPC is not the latest, but I personally think you need to update it so that ISPC can manage your LE creation and renewal properly.
     
  13. Poliman

    Poliman Member

I am good for beta-testing, said a professor at my university. I can exploit/break each software. :p All my problems on this forum are on ISP 3.1.2, Ubuntu 14.04 LTS. Everything is updated with the aptitude update and aptitude safe-upgrade commands. :)
     
    ahrasis likes this.
  14. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    I consider you do not need any support on this guide and you are all good to go with your servers. All the best then. ;)
     
  15. Poliman

    Poliman Member

Yes, but very soon (in 1 month 9 days) the LE cert will expire. Then I will find out whether renewing the cert works. As I said earlier, I have one website under ISP on the server. I am curious whether it will work or not, because I didn't install letsencrypt like the tutorial says (I didn't have the window on a blue background, and there was a message to put in which domain should have the LE cert generated, or press 'c' to abort). :)
     
    Last edited: Mar 13, 2017
  16. liane

    liane Member HowtoForge Supporter

If your cert expires in 1 month and 9 days, you'll know how it works in about 9 days, since LE renews certs 1 month before they expire.
     
    ahrasis likes this.
  17. Poliman

    Poliman Member

Yes, you are right, but I need a backup way if the cert will not renew automatically. This forum is my mine of knowledge and I think I should know the answer before the problem appears, but I know too that people are not on duty here 24/7. :)
     
  18. sjau

    sjau Local Meanie Moderator

10 days before a cert expires, if it hasn't been renewed, LE servers will send out a notification by email.
     
    ahrasis and Poliman like this.
  19. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

A few weeks back I did test running multiple inotifywait clients and they do all continue running, so the initial "run inotifywait from daily cronjob" is not good; the modified "start inotifywait from init scripts" would be better, as long as it doesn't ever die.

    What I'm actually using for pure-ftpd at the moment is the below script, run from a cronjob; rather than testing file timestamps it actually compares the certificate serial number handed out by the ftp daemon with the most recent file, and recreates the certificate file/restarts pure-ftpd if they differ. Save this as /usr/local/sbin/letsencrypt-for-pure-ftpd.sh:
    Code:
    #!/bin/bash
    
    # letsencrypt-for-pure-ftpd.sh:  compares the ssl certificate/key used by pure-ftpd
    # with the current certificate/key issued by letsencrypt and copies the latter
    # to the former if they differ.
    
    # this can be run as a cronjob to propagate letsencrypt certificate changes
    # to pure-ftpd
    
    PUREFTPD_CERT=/etc/ssl/private/pure-ftpd.pem
    
    # use the live/ symlinks, which letsencrypt repoints on every renewal
    LE_DIR=/etc/letsencrypt/live/`hostname -f`
    LE_CA=${LE_DIR}/chain.pem
    LE_CERT=${LE_DIR}/cert.pem
    LE_FULLCHAIN=${LE_DIR}/fullchain.pem
    LE_KEY=${LE_DIR}/privkey.pem
    
    OPENSSL=`which openssl 2>/dev/null | head -1`
    
    # Check if letsencrypt has been setup
    if [ ! -f "${LE_CA}" -o ! -f "${LE_CERT}" -o ! -f "${LE_FULLCHAIN}" -o ! -f "${LE_KEY}" ]
    then
        echo "Letsencrypt files not found.  You must setup letsencrypt and issue a certificate first." 1>&2
        exit 0
    fi
    
    # Check openssl binary exists (quoted so an empty result fails the test)
    if [ ! -f "${OPENSSL}" ]
    then
        echo "Cannot find openssl. Exiting." 1>&2
        exit 1
    fi
    
    # setup_cert() copies/formats the letsencrypt files for pure-ftpd,
    # which expects the private key followed by the certificate chain in one PEM file
    function setup_cert() {
        cat ${LE_KEY} ${LE_FULLCHAIN} > ${PUREFTPD_CERT}
        chown root:ssl-cert ${PUREFTPD_CERT}
        chmod 640 ${PUREFTPD_CERT}
    }
    
    # restart pure-ftpd if it is running
    function restart_pureftpd_if_running() {
        /etc/init.d/pure-ftpd-mysql status 2>/dev/null >/dev/null
        if [ $? -eq 0 ]
        then
            /etc/init.d/pure-ftpd-mysql restart >/dev/null
        fi
    }
    
    if [ ! -f ${PUREFTPD_CERT} ]
    then
        setup_cert && restart_pureftpd_if_running
    else # check if keys/certificates changed
        # the key modulus shows whether the private key in the combined file is current
        le_modulus=`${OPENSSL} rsa -noout -modulus -in ${LE_KEY} | md5sum`
        pureftpd_modulus=`${OPENSSL} rsa -noout -modulus -in ${PUREFTPD_CERT} | md5sum`
    
        # compare the issued serial with both the file on disk and the one the
        # running daemon actually presents, so a restart is forced if either is stale
        le_serial=`${OPENSSL} x509 -noout -serial -in ${LE_CERT}`
        pureftpd_file_serial=`${OPENSSL} x509 -noout -serial -in ${PUREFTPD_CERT}`
        pureftpd_running_serial=`${OPENSSL} s_client -connect localhost:21 -starttls ftp </dev/null 2>/dev/null | ${OPENSSL} x509 -serial -noout`
    
        if [ "${le_modulus}" != "${pureftpd_modulus}" -o "${le_serial}" != "${pureftpd_file_serial}" -o "${le_serial}" != "${pureftpd_running_serial}" ]
        then
            setup_cert && restart_pureftpd_if_running
        fi
    fi
    
    exit 0
    
    Make that script executable, and the cronjob is as simple as:
    Code:
    # chmod +x /usr/local/sbin/letsencrypt-for-pure-ftpd.sh
    # echo '25 3 * * *  root  /usr/local/sbin/letsencrypt-for-pure-ftpd.sh' >> /etc/cron.d/letsencrypt-restarts
    
     
    harkman likes this.
  20. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Nice tips @Jesse Norell.

    Note that I changed the inotify script from archive and privkey1 to live and privkey, as LE will create new SSL files with a new number in archive on each renewal, while the symlinks in live will also be updated.
     
    Last edited: Mar 17, 2017
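The serial-comparison idea from Jesse Norell's pure-ftpd script, generalised to the other services this thread touches (ISPConfig on 8080, postfix, dovecot, pure-ftpd) and reading from the live/ directory as ahrasis notes above; this is an added example, not code from the thread or from ISPConfig. The ports, the systemctl reload commands and the LE_DIR path are assumptions for a typical ISPConfig host, and a probe that returns no certificate is reported as "unknown" rather than treated as a stale certificate, so a daemon is never restarted just because the check itself failed.

```shell
#!/bin/bash
# Added example (not from the thread): generalise "compare the serial the daemon
# presents with the serial in the renewed file" to the other services discussed.
# Ports, reload commands and LE_DIR are assumptions; adjust to your host.
LE_DIR=/etc/letsencrypt/live/$(hostname -f)   # use live/, not archive/

# Strip "serial=" from openssl output and lowercase the hex so the two sides
# compare equal regardless of formatting.
normalise_serial() {
    sed -n 's/^serial=//p' | tr 'A-F' 'a-f'
}
# Serial of the first certificate in a PEM file; empty if unreadable.
file_serial() {
    openssl x509 -noout -serial -in "$1" 2>/dev/null | normalise_serial
}
# Serial of the certificate a running daemon presents. $1 is host:port,
# $2 an optional STARTTLS protocol (smtp, imap, ftp); empty if no TLS answer.
served_serial() {
    local opts=""
    [ -n "$2" ] && opts="-starttls $2"
    openssl s_client -connect "$1" $opts </dev/null 2>/dev/null \
        | openssl x509 -noout -serial 2>/dev/null | normalise_serial
}
# Prints same, differ or unknown. An empty serial means the probe failed, and
# a failed probe must never be mistaken for a stale certificate.
compare_serials() {
    if [ -z "$1" ] || [ -z "$2" ]; then echo unknown
    elif [ "$1" = "$2" ]; then echo same
    else echo differ
    fi
}
# $1 label, $2 host:port, $3 STARTTLS protocol or "", $4 reload command
check_service() {
    case "$(compare_serials "$(file_serial "$LE_DIR/cert.pem")" \
                            "$(served_serial "$2" "$3")")" in
        differ)  echo "$1: serving an old certificate, reloading"; $4 ;;
        same)    echo "$1: certificate up to date" ;;
        unknown) echo "$1: could not compare, leaving it alone" ;;
    esac
}

if [ "${1:-}" = "--check" ]; then   # run from cron as: script.sh --check
    check_service ispconfig localhost:8080 ""   "systemctl reload apache2"
    check_service postfix   localhost:25   smtp "systemctl reload postfix"
    check_service dovecot   localhost:143  imap "systemctl restart dovecot"
    check_service pure-ftpd localhost:21   ftp  "systemctl restart pure-ftpd-mysql"
fi
```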
