Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. ahrasis

    ahrasis Well-Known Member

    Did you install certbot / letsencrypt? Which distro / perfect server tutorials did you follow?
     
  2. dayjahone

    dayjahone Member

It is now installed and appears to be working properly. My only question now is about the steps to make it renew automatically. I am running Apache, and I do not have monit installed; therefore, these are the contents of my
/etc/init.d/le_ispc_pem.sh:

     
  3. ahrasis

    ahrasis Well-Known Member

    You missed postfix in that script.
     
  4. dayjahone

    dayjahone Member

    Thanks!
     
  5. concept21

    concept21 Active Member

    Can ISPConfig 3.1.2 update ispserver.pem and restart relevant services automatically?
     
  6. ahrasis

    ahrasis Well-Known Member

    I think if you apply @florian030's suggestion for the hook correctly, it may work, even on a multi-server setup as he said.

    He suggests making full use of ISPC and running an update script via a post-hook in the customized 900-letsencrypt.inc.php, while this guide suggests installing and using incron to detect changes in the LE SSL certs archive folder for the server and then run its update script.

    Though this comes with the caveat that the customized 900-letsencrypt.inc.php may be overwritten by any ISPC update, as stated, this may also be implemented in a future ISPC release.

    Both theories are almost the same, i.e. in the end you must have the update script you want to run when the LE SSL certs for the ISPC website are updated. This is especially for removing the old ispconfig.pem and creating a new one, and restarting all related services.

    If you wish to test the post-hook, I think you can simply take the script in the last part of this guide, removing the first line "while..." as well as the last line "done" (leaving the code in the middle to be used), and it should theoretically work.
     
    Last edited: May 10, 2017
  7. concept21

    concept21 Active Member

    Hello Friend,
    I run /etc/init.d/le_ispc_pem.sh from a command console and it never finishes. If I set it to auto-start at boot time, will it hang up my server? :oops:
     
  8. ahrasis

    ahrasis Well-Known Member

    Check your script contents, as it shouldn't be running endlessly. Please note that the script is intended to be run only by incron upon detection of any modification (which includes the creation of any new files) in the /etc/letsencrypt/archive/yourserverdomain/ folder, not by running it on its own. You should also be able to use the script with @florian030's suggestion as well.
     
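The update script that posts 6 and 8 describe, written out here as an added example (it is not the guide's le_ispc_pem.sh and not florian030's hook): it rebuilds ispserver.pem from the key and certificate once and exits, which is the shape incron expects, rather than wrapping the work in a `while ... done` loop that never returns. The ISPConfig directory /usr/local/ispconfig/interface/ssl, the service names, and the incrontab line are assumptions based on a Perfect Server layout; adjust them to match your server.

```shell
#!/bin/sh
# Added example, not the thread's script. Rebuild ispserver.pem from the
# key and full chain, restart the services that use it, and exit.
# Assumed layout: ispserver.key -> /etc/letsencrypt/live/<server>/privkey.pem
#                 ispserver.crt -> /etc/letsencrypt/live/<server>/fullchain.pem
#
# Assumed incrontab line (incron fires once per file certbot writes into the
# archive folder, so the script must be safe to run several times in a row):
#   /etc/letsencrypt/archive/server1.example.com IN_CREATE,IN_MODIFY /usr/local/sbin/le_ispc_pem.sh /usr/local/ispconfig/interface/ssl

# Services that load ispserver.pem or the files linked to it (assumed names).
SERVICES="${SERVICES:-apache2 postfix dovecot pure-ftpd-mysql}"

# rebuild_pem KEY CRT OUT: write KEY followed by CRT to OUT (mode 600) via a
# temp file, so the old PEM is replaced atomically and never left half-written.
rebuild_pem() {
    key="$1"; crt="$2"; out="$3"
    [ -r "$key" ] || { echo "missing or unreadable key: $key" >&2; return 1; }
    [ -r "$crt" ] || { echo "missing or unreadable cert: $crt" >&2; return 1; }
    tmp="$out.tmp.$$"
    # umask in a subshell so the temp file is created 0600 from the start
    ( umask 077 && cat "$key" "$crt" > "$tmp" ) || { rm -f "$tmp"; return 1; }
    # Refuse anything that is not "private key followed by certificate(s)",
    # e.g. when both symlinks were accidentally pointed at the certificate.
    if ! grep -q 'PRIVATE KEY-----' "$tmp" || ! grep -q 'BEGIN CERTIFICATE-----' "$tmp"; then
        echo "refusing to install $out: not a key+certificate PEM" >&2
        rm -f "$tmp"
        return 1
    fi
    chmod 600 "$tmp" && mv -f "$tmp" "$out"
}

# Restart every service in SERVICES; a failed restart is reported, not fatal.
restart_services() {
    for s in $SERVICES; do
        service "$s" restart || echo "warning: restart of $s failed" >&2
    done
}

main() {
    ssl_dir="${1:-/usr/local/ispconfig/interface/ssl}"
    rebuild_pem "$ssl_dir/ispserver.key" "$ssl_dir/ispserver.crt" "$ssl_dir/ispserver.pem" || exit 1
    restart_services
}

# Run only when invoked with the ssl directory (as the incrontab line above
# does); sourcing the file merely defines the functions.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Because rebuild_pem writes to a temp file and only moves it into place after the content check, a run that fails (dangling ispserver.key symlink, wrong target) leaves the previous ispserver.pem untouched and the services keep their old certificate instead of failing to start.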
  9. Tastiger

    Tastiger Member HowtoForge Supporter

    Has anyone had any issues following this tutorial with apache on Ubuntu 16.04.2 (https://www.howtoforge.com/tutorial/perfect-server-ubuntu-16.04-with-apache-php-myqsl-pureftpd-bind-postfix-doveot-and-ispconfig/) installed instead of nginx?
    The reason I ask is that I received an error at step [Using Your ISPConfig Let's Encrypt SSL For Others], namely with postfix and dovecot,
    even though the symlinks were there.
     
  10. ahrasis

    ahrasis Well-Known Member

    Can you produce the said dovecot.conf content?
     
  11. Tastiger

    Tastiger Member HowtoForge Supporter

    I actually deleted the symlinks to get dovecot running again, and I am a bit hesitant, as you may guess, to go through the procedure again until I get some verification from someone on a similar platform.
    However, without any symlinks anywhere, here is the content of /etc/dovecot
     


  12. ahrasis

    ahrasis Well-Known Member

    There is no content in that image, only a directory with a list of files.

    Anyway, if your dovecot works after removing your symlinks, then there lies your problem in the first place.
     
  13. Tastiger

    Tastiger Member HowtoForge Supporter

    Sorry, I misunderstood you. What do you actually want to see?
    This?
     
  14. Tastiger

    Tastiger Member HowtoForge Supporter

    I agree that it is the problem; the question is why it is a problem if I have followed the steps exactly and the symlinks are there, pointing to the correct files (at least as far as the tutorial goes).
     
  15. sjau

    sjau Local Meanie Moderator

    Please provide:
    Code:
    ls -al /etc/postfix
    
     
  16. ahrasis

    ahrasis Well-Known Member

    I can't help you fix something which is no longer there. As said, something could have gone wrong when you created the symlinks, whether ispserver.crt to fullchain.pem or smtpd.cert to ispserver.crt, and that could have caused dovecot to report the said error.

    Sometimes it is as simple as not running service dovecot restart. ;)

    Alternatively, you could try other guides to secure the ISPC control panel and other services.
     
  17. Tastiger

    Tastiger Member HowtoForge Supporter

     
  18. ahrasis

    ahrasis Well-Known Member

    Remember, the things to be examined are the created symlinks, to see why they are reported as "missing" by dovecot. Your above list only shows that they are already deleted, confirming your previous post, so how can we help you examine them?
     
  19. Tastiger

    Tastiger Member HowtoForge Supporter

    OK, I tried again and got through dovecot this time; however, when attempting to restart apache I get the following error:
    The output of
    systemctl status apache2.service
    I have managed to get apache restarted by renaming the symlink for the time being.
    Should this line:
    be just polyoz.net.au, as there is no /etc/letsencrypt/archive/server1.polyoz.net.au/
    nor is there a
    /etc/letsencrypt/live/server1.polyoz.net.au/privkey.pem

    which is what the symlink refers to?

    Also, in addition, now I cannot FTP to any sites; all I get is:
    which is not good, as I am expecting a developer to do some changes in one of my Joomla sites.
     
    Last edited: Jun 1, 2017
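A check for the "missing" file errors discussed in posts 16 and 19, added here as an example rather than taken from the guide: it follows each symlink hop the guide creates (ispserver.crt to fullchain.pem, smtpd.cert to ispserver.crt, and so on) and stops at the first target that does not exist, which is exactly the situation of a link pointing at /etc/letsencrypt/live/server1.polyoz.net.au/privkey.pem when certbot issued the certificate under a different name. The default path list beyond the files the thread names (smtpd.key, pure-ftpd.pem) is an assumption from a Perfect Server layout.

```shell
#!/bin/sh
# Added example, not part of the guide. Walk the symlink chain behind each
# SSL file ISPConfig, postfix, dovecot and pure-ftpd read, and report the
# first hop that does not resolve. Usage: sh check_ispc_ssl.sh [path ...]
# (with no arguments the script only defines its functions).

# resolve_chain PATH: print every hop "link -> target" until a real file is
# reached; return 1 at the first dangling link, unreadable file, or loop.
resolve_chain() {
    p="$1"; hops=0
    while [ -L "$p" ]; do
        t=$(readlink "$p")
        # a relative link target is relative to the directory of the link
        case "$t" in /*) ;; *) t="$(dirname "$p")/$t" ;; esac
        echo "$p -> $t"
        if [ ! -e "$t" ]; then
            echo "BROKEN: $p points to $t, which does not exist" >&2
            return 1
        fi
        p="$t"; hops=$((hops + 1))
        [ "$hops" -lt 20 ] || { echo "BROKEN: symlink loop at $p" >&2; return 1; }
    done
    [ -f "$p" ] || { echo "BROKEN: $p is not a regular file" >&2; return 1; }
    [ -r "$p" ] || { echo "BROKEN: $p is not readable by $(id -un)" >&2; return 1; }
    echo "OK: $p"
}

# check_ispc_ssl [path ...]: check every path given, or the assumed default
# set of files the guide links together; return 1 if any chain is broken.
check_ispc_ssl() {
    if [ $# -eq 0 ]; then
        set -- /usr/local/ispconfig/interface/ssl/ispserver.key \
               /usr/local/ispconfig/interface/ssl/ispserver.crt \
               /usr/local/ispconfig/interface/ssl/ispserver.pem \
               /etc/postfix/smtpd.key /etc/postfix/smtpd.cert \
               /etc/ssl/private/pure-ftpd.pem
    fi
    rc=0
    for f in "$@"; do
        resolve_chain "$f" || rc=1
    done
    return $rc
}

[ $# -eq 0 ] || check_ispc_ssl "$@"
```

Run it as root, since /etc/letsencrypt/live and /etc/letsencrypt/archive are not world-readable; an "OK" as root followed by a dovecot error still means the final file is unreadable by the service user, which the readability check only reports for the user running the script.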
  20. ahrasis

    ahrasis Well-Known Member

    You can follow its instructions to see what caused the error (you can also use service apache2 status).
     
    Last edited: Jun 1, 2017
