Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    1. nano /etc/hosts and make sure it is something like e.g. 192.168.0.100 server1.angelright.com server1 (adjust accordingly).
    2. echo server1.angelright.com > /etc/hostname
    3. /etc/init.d/hostname restart
    4. Run hostname and hostname -f to check whether it is now the right one.
    5. If necessary, run ispconfig_update.sh and make sure your server is server1.angelright.com during the update process. Note: Choose git-stable if you are already on 3.1.2. You can revert back to 3.1.2 by running it a second time and choosing stable during the process. You don't have to run this if your server was already server1.angelright.com when you installed your ISPC.
    6. Test your nginx with nginx -t and then restart your nginx to make sure it is now working.
    7. Redo this guide wherever necessary and make sure your server website created is server1.angelright.com. The website angelright.com is obviously wrong.
     
  2. LotNoMore

    LotNoMore Member

    The problem is now... I cannot restart the hostname server (I am running apache2)
     
  3. LotNoMore

    LotNoMore Member

    I can restart apache2
     
  4. LotNoMore

    LotNoMore Member

    Running ispconfig_update.sh in git-stable mode went OK - the hostname -f command returns server1.angelright.com correctly
    Should I run ispconfig_update.sh second time and choose the stable mode?
     
  5. LotNoMore

    LotNoMore Member

    OK, I do not have LE for server1.angelright.com but I do have LE for angelright.com. This means that I should do this instead...
    Right?
     
  6. LotNoMore

    LotNoMore Member

    I do not want to do it again and get into trouble. So, should I stop apache2 first? And then restart apache2 afterwards?

    Note that I do NOT have any LE certificate for server1.angelright.com - I do have one for angelright.com. Will the LE for angelright.com work for ISPconfig?
     
    Last edited: Apr 11, 2017
  7. LotNoMore

    LotNoMore Member

    OK. I stopped apache2, did the above, and restarted apache2 afterwards. I ran ispconfig_update.sh in stable mode. I did not let the script create SSL in the process. No problem. Everything was smooth. But the URL to the ISPConfig login is still showing the "Not secure" warning: https://server1.angelright.com:8080
    So, it did not work. Good thing is, it did not mess up the apache2 server :)
     
  8. LotNoMore

    LotNoMore Member

    So the issue is truly, how to create LE for server1.angelright.com ?
     
  9. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    So now you have apache server instead of nginx? Fine with me as that is not the cause of your problem.

    The cause is that you are using angelright.com LE SSL certs for server1.angelright.com, which is obviously wrong. I already noted that in step 7 above where I said:
    What you should do based on this guide is:
    1. Create a website for your ISPConfig i.e. server1.angelright.com not angelright.com. This includes creating its DNS if necessary. Make sure server1.angelright.com is publicly accessible by visiting http://server1.angelright.com.
    2. Get LE SSL for server1.angelright.com by ticking SSL and LE in the server1.angelright.com setting page.
    3. Make sure that LE SSL certs are properly issued for server1.angelright.com by visiting https://server1.angelright.com.
    4. Carefully follow steps 6 to 8 of this guide.

    If you follow the steps right, you would normally get your ISPC secured with LE SSL certs.
     
    Last edited: Apr 13, 2017
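
Added example, not part of the original posts: why a certificate issued for angelright.com produces the "Not secure" warning on server1.angelright.com, and what a wildcard name would and would not cover. The function names and the sample SAN text are constructed for this illustration.

```shell
#!/bin/sh
# san_names: read `openssl x509 -noout -text` output on stdin and print the
# DNS names of the Subject Alternative Name line, one per line.
san_names() {
    tr ', ' '\n\n' | sed -n 's/^DNS://p'
}

# cert_covers HOST: read names on stdin; exit 0 if one of them matches HOST.
# A wildcard stands for exactly one left-most label.
cert_covers() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    while IFS= read -r name; do
        name=$(printf '%s' "$name" | tr 'A-Z' 'a-z')
        case "$name" in
            '*.'*)
                suffix=${name#\*}          # "*.example.com" -> ".example.com"
                label=${host%"$suffix"}    # part of HOST in front of the suffix
                if [ "$label" != "$host" ] && [ -n "$label" ]; then
                    case "$label" in
                        *.*) ;;            # more than one label: no match
                        *) return 0 ;;
                    esac
                fi ;;
            *)
                if [ "$name" = "$host" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Constructed sample: SAN section of a certificate issued for the bare domain.
SAMPLE_SAN='            X509v3 Subject Alternative Name:
                DNS:angelright.com, DNS:www.angelright.com'

for h in angelright.com server1.angelright.com; do
    if printf '%s\n' "$SAMPLE_SAN" | san_names | cert_covers "$h"; then
        echo "$h: covered by this certificate"
    else
        echo "$h: NOT covered, the browser shows a warning"
    fi
done

# Live check of the panel port (needs network access and openssl):
#   openssl s_client -connect server1.angelright.com:8080 \
#     -servername server1.angelright.com </dev/null 2>/dev/null |
#     openssl x509 -noout -text | san_names | cert_covers server1.angelright.com
```
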
  10. LotNoMore

    LotNoMore Member

    Thank you for your suggestions.
    I built the server with server1.angelright.com all the way so I thought that domain has already been part of the ISPconfig, or the default website already.
    I tried to create site server1.angelright.com from ISPconfig, but I can access it from this: https://server1.angelright.com but not the normal way. Strange. Why?
     
  11. LotNoMore

    LotNoMore Member

    OK, I created DNS for server1.angelright.com from inside ISPconfig, and then set the reverse DNS setting at datacenter to server1.angelright.com. Hopefully server1.angelright.com can be accessed normally.
    Yes, a website has also been created from within ISPconfig with its domain set as server1.angelright.com. I see that it has its own document root: /var/www/clients/client0/web5
     
    Last edited: Apr 12, 2017
  12. LotNoMore

    LotNoMore Member

    This is the screenshot of the domain at my domain registrar:
    [​IMG]
    Is this the correct setting? Should I use the wildcard * to replace server1 in the host field?
     
    Last edited: Apr 12, 2017
  13. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Normally, we don't have to create dns in ISPC CP for server1.ourdomain.tld because it should have been pointed to the right ip already.

    If we need to create it, we create a dns under server1.ourdomain.tld and not under ourdomain.tld.

    I also don't know what your datacenter has to do with it, so I cannot advise anything in that regard.

    Do read and follow all the prescribed steps one by one. Do not skip anything unless you know what you are doing.
     
  14. dayjahone

    dayjahone Member

    I had problems right away...
    1) Whenever I check the box for SSL and Let's Encrypt, the boxes won't stay checked. When I go back to the page, they're unchecked, even after saving. It also doesn't populate anything in the SSL tab, which I assumed it would and that's what is meant by "creating files."
    2) I followed a perfect setup, but I don't think I have Nginx set up.
    Thanks in advance for your help.
     
  15. LotNoMore

    LotNoMore Member

    dayjahone, like ahrasis said, you need to make sure the site is accessible first before checking the box for SSL and Let's Encrypt. I had the same problem. But once I got the site up and running and then went back to enable the settings, it worked!
     
  16. dayjahone

    dayjahone Member

    The site has been up and running for years.
     
  17. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    If your site is already publicly accessible and the problem still occurs, do check your LE logs.
     
  18. dayjahone

    dayjahone Member

    The SSL and Let's Encrypt boxes are unchecked after I click on the SSL tab. Is this normal? How do I check to see if any files were created when I check the boxes?
     
  19. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    This is normal. There are a few topics/threads regarding this, so do search.

    As said, you need to check the LE logs, which are normally somewhere in /var/log/letsencrypt. You can also check /etc/letsencrypt/archive to see if your domain folder has been created and if certs have been created for it inside that folder.
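
Added example, not part of the original posts: one way to script the check described above for whether a domain folder and certificate files exist under /etc/letsencrypt/archive and whether the log names the domain. It assumes the certbot client's layout (numbered cert, fullchain and privkey files, log file letsencrypt.log); the function names and status words are this example's own.

```shell
#!/bin/sh
# le_status DOMAIN [LE_DIR]: print one status word for DOMAIN.
le_status() {
    domain=$1
    archive="${2:-/etc/letsencrypt}/archive"
    if [ ! -d "$archive" ]; then
        echo no-archive-dir        # directory missing: client never ran here,
        return 0                   # or it stores its files somewhere else
    fi
    if [ ! -d "$archive/$domain" ]; then
        echo no-domain-folder      # no certificate is stored for DOMAIN
        return 0
    fi
    # Each issuance is numbered: cert1.pem, privkey1.pem, cert2.pem, ...
    for kind in cert fullchain privkey; do
        set -- "$archive/$domain/$kind"*.pem
        if [ ! -e "$1" ]; then     # glob did not match any file
            echo "missing-$kind"
            return 0
        fi
    done
    echo certs-present
}

# le_log_hits DOMAIN [LOG_DIR]: print the number of log lines naming DOMAIN.
# Substring match: "angelright.com" also counts server1.angelright.com lines.
le_log_hits() {
    log="${2:-/var/log/letsencrypt}/letsencrypt.log"
    if [ -r "$log" ]; then
        grep -c -F -- "$1" "$log" || true   # grep exits 1 on zero matches
    else
        echo 0
    fi
}

# Run as: sh le_check.sh server1.angelright.com
if [ -n "${1:-}" ]; then
    le_status "$1"
    le_log_hits "$1"
fi
```
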
     
  20. dayjahone

    dayjahone Member

    I cannot find either of those directories.
     
