Securing ISPConfig 3 Control Panel (Port 8080) With Let's Encrypt Free SSL

Discussion in 'Tips/Tricks/Mods' started by ahrasis, Feb 14, 2017.

  1. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

As stated in the first post of this guide, since 6 August 2017 there is an alternative added to ease users in using LE SSL for their ISPConfig panel, for which they may want to use the LE4ISPC script created for this purpose. The script should support both nginx and apache2 from ISPConfig up to pure-ftpd, except for monit, which you should add manually.

    Before using it, you should already have completed the tutorial from step 1 to 5 and have:
    1. Created the website for your server via ISPConfig;
    2. The website is accessible online;
    3. ISPConfig SSL is enabled (via installation or update);
    4. LE SSL is successfully enabled for the website.
     
    Last edited: Sep 19, 2017
  2. budgierless

    budgierless Member HowtoForge Supporter

  3. sjau

    sjau Local Meanie Moderator

    Why would the CAA change anything?
     
  4. budgierless

    budgierless Member HowtoForge Supporter

    I dunno about this stuff, just checking and asking the question to be sure, but if no change is needed then fine. Thanks.
     
  5. Tuumke

    Tuumke Active Member

    Hey guys, I'm having some issues with this.
    When using Firefox and going to http://panel.domain.com, it redirects to https://panel.domain.com and shows me the cert is used for domain.com and www.domain.com.
    When using IE, Edge and Chrome, I can open http://panel.domain.com without any issue and the https shows a self-signed cert.
    Any idea what's going on there? SSL/LE won't activate at this point..
    FailedChallenges: Failed authorization procedure. panel.domain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://panel.domain.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: Timeout

    -edit-
    Reset Firefox, now it does load correctly, retrying LE.
    -edit2-
    Nope, I still get it's using the wrong certs.. from the main domain.
    I did create a panel.domain.com website without SSL, it's available, then turned on SSL/LE.
    -edit3-
    doh..
    There were too many requests of a given type :: Error creating new authz :: Too many invalid authorizations recently.
     
    Last edited: Sep 18, 2017
  6. budgierless

    budgierless Member HowtoForge Supporter

    That seems like some form of wildcard issue. Let's see what the support team has to say!!
     
  7. till

    till Super Moderator Staff Member ISPConfig Developer

    There is no wildcard involved here as far as I can see and LE does not support wildcard SSL certs anyway. According to the error messages he posted, there was first an issue that the LE servers were not able to reach his server and then further attempts were blocked by LE as the failure limit was exceeded.
     
  8. adamjedgar

    adamjedgar Member

    Two things come to mind...
    1. browser caching and
    2. zone records you have set up
     
  9. budgierless

    budgierless Member HowtoForge Supporter

    LE not supporting wildcard, I didn't know that. Does ISPConfig have a workaround or support LE for sub-domains?
     
  10. till

    till Super Moderator Staff Member ISPConfig Developer

    ISPConfig adds subdomains and alias domains automatically to the LE cert.
     
  11. Tuumke

    Tuumke Active Member

    Yeah, but according to this tutorial I had to create a site for panel.domain.com. Which I did, which is also accessible..
     
  12. till

    till Super Moderator Staff Member ISPConfig Developer

    @Tuumke: Please see post #167 for the answer to your question.
    The question #169 from @budgierless and my answer #170 are not related to this thread topic.
     
  13. Tuumke

    Tuumke Active Member

    Thanks, will try again tomorrow.
    I don't have to create an additional DNS zone, do I? domain.com is set up, then I can add an A record for panel.domain.com and add a site as panel.domain.com?
    -edit-
    Still having issues..
    FailedChallenges: Failed authorization procedure. panel.tsictdiensten.nl (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://panel.tsictdiensten.nl/.well-known/acme-challenge/yL0qd3xxj69weLPnzffBQ6HNHs-UXsY3VGQutgPAxTY: Timeout
     
    Last edited: Sep 18, 2017
  14. budgierless

    budgierless Member HowtoForge Supporter

    Yes you do, without question!
     
  15. HSorgYves

    HSorgYves Active Member HowtoForge Supporter

    Enable ISPConfig debug and check what happens. The DNS is set up correctly.
     
  16. Tuumke

    Tuumke Active Member

    Holy mess, it works... after creating a zone for panel.domain.com...
    Adjust the tutorial maybe? @ahrasis
     
  17. till

    till Super Moderator Staff Member ISPConfig Developer

    Separate zones for subdomains are not needed. All you have to do is to add the subdomain as an A record to the zone of the domain. If that did not work for you, then you either had a typo in the subdomain record (like using a FQDN without the dot at the end) or you did not wait until the DNS changes were propagated to all caching servers (which might take 24 hours).
     
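The two failure modes above (the validator timing out on the challenge URL, and a subdomain record that never resolves because the FQDN was written without its trailing dot) can be caught before the certificate request is sent, which also avoids burning LE's failed-validation quota. The following is an added example written for this thread, not code from ISPConfig, LE4ISPC or any poster; the hostnames it is run with are constructed for illustration.

```python
"""Pre-flight checks before requesting an http-01 Let's Encrypt cert.
Added example for this thread, not code from ISPConfig, LE4ISPC or any
poster; hostnames used with it are constructed for illustration."""
import os
import secrets
import urllib.request
from typing import Callable, Optional

CHALLENGE_DIR = ".well-known/acme-challenge"
Fetcher = Callable[[str], Optional[bytes]]


def qualify_owner(owner: str, origin: str) -> str:
    """Expand a zone-file owner name as BIND does under $ORIGIN. An FQDN
    without the trailing dot is relative (till's typo): 'panel.example.com'
    becomes 'panel.example.com.example.com.' and the A record never matches."""
    origin = origin if origin.endswith(".") else origin + "."
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def http_fetcher(url: str, timeout: float = 10) -> Optional[bytes]:
    """Plain-HTTP fetch for real use; None on connection error or timeout."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read()
    except Exception:
        return None


def preflight_http01(host: str, docroot: str, fetch: Fetcher) -> str:
    """Publish a random token under docroot and fetch it on the exact path
    the CA validator uses. Returns 'ok', 'unreachable' (the thread's timeout:
    DNS record or port 80) or 'wrong-vhost' (another site answered for the
    name). Request the real cert only after 'ok': every failed validation
    counts against LE's 'Too many invalid authorizations' limit."""
    token = secrets.token_urlsafe(32)
    os.makedirs(os.path.join(docroot, CHALLENGE_DIR), exist_ok=True)
    target = os.path.join(docroot, CHALLENGE_DIR, token)
    with open(target, "w") as fh:
        fh.write(token)
    try:
        body = fetch(f"http://{host}/{CHALLENGE_DIR}/{token}")
    finally:
        os.remove(target)
    if body is None:
        return "unreachable"
    return "ok" if body.strip() == token.encode() else "wrong-vhost"
```

Run `preflight_http01("panel.example.com", "/var/www/panel.example.com/web", http_fetcher)` from a host outside your own network, since the validator connects from the public internet; "wrong-vhost" is the symptom from the thread where the main domain's certificate answered for the panel name.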
  18. HSorgYves

    HSorgYves Active Member HowtoForge Supporter

    I could access panel.tsictdiensten.nl without trouble when I said that the DNS was set up correctly. Not sure though if this was before or after the zone creation...
     
  19. adamjedgar

    adamjedgar Member

    Glad a newbie like myself could be of help. It's surprising sometimes how easily we can get tangled up in coding for solutions, and neglect something as basic as our zone file records.

    Years ago, as a teenager who had just left school, I worked for a family friend in his lawn mower repair shop. The first thing he used to always get me to do whenever anyone came in and said "my lawn mower won't start" was to "open the tank and check it had fuel in it".
    You would be surprised how often this is exactly what the problem with a broken lawnmower was ;)
     
  20. Tuumke

    Tuumke Active Member

    Have both A and AAAA records, didn't work until I created a zone for panel.domain.com
     