Welcome to the tutorial where I want to show you how to switch the web panel from a self-signed certificate on https://web.domain.tld:8080 to just https://web.domain.tld with an LE certificate and auto-renew. I've checked it on the master server of my 6-7 multi-server setup, which I will post in a few days/weeks. In this case it's tested with web.domain.tld, which on my side is control.domain.tld.

Please read carefully: I wrote the tutorial from memory and possibly not every single string is written right.

1. Create A-Record

Check that your nameserver is running correctly and create an A record for web.domain.tld pointing to the server IP in the domain.tld zone (if it doesn't exist).

2. Edit ISPConfig Web Panel vHost

Code:
nano /etc/apache2/sites-available/ispconfig.vhost

Delete the lines with "Listen 8080" and "NameVirtualServer your.server.ip.adress"
Change <VirtualHost _default_:8080> to <VirtualHost web.domain.tld:443>
Under the line "ServerAdmin" create the line "ServerName web.domain.tld" without the " " ^^
Save & Exit

Code:
systemctl restart apache2

3. Start certbot to create the certificate files

Code:
cd /opt/certbot/
./certbot-auto

On the first question choose the number for web.domain.tld.
On the second you can try choosing 2, but it may fail. By mistake I chose 2, but it's not supported. Caution! It's not broken - it just can't set the rewrite from http to https - the SSL certificate should be imported into the vhost automatically.

Here is my output (I already have the rewrite configured because I did it in the ISPConfig install.php for the Web Panel (the question about whether you want to activate SSL for the web panel ^^)):

root@control /opt/certbot # ./certbot-auto
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator apache, Installer apache

Which names would you like to activate HTTPS for?
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: domain.tld
2: control.domain.tld
3: www.domain.tld
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate numbers separated by commas and/or spaces, or leave input
blank to select all options shown (Enter 'c' to cancel): 2
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for control.domain.tld
Waiting for verification...
Cleaning up challenges
Deploying Certificate to VirtualHost /etc/apache2/sites-enabled/000-ispconfig.vhost

Please choose whether or not to redirect HTTP traffic to HTTPS, removing HTTP access.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1: No redirect - Make no further changes to the webserver configuration.
2: Redirect - Make all requests redirect to secure HTTPS access. Choose this for
new sites, or if you're confident your site works on HTTPS. You can undo this
change by editing your web server's configuration.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Select the appropriate number [1-2] then [enter] (press 'c' to cancel): 2
Failed redirect for control.domain.tld
Unable to set enhancement redirect for control.domain.tld
Unable to find corresponding HTTP vhost; Unable to create one as intended addresses conflict; Current configuration does not support automated redirection

IMPORTANT NOTES:
 - We were unable to set up enhancement redirect for your server,
   however, we successfully installed your certificate.
 - Congratulations! Your certificate and chain have been saved at:
   /etc/letsencrypt/live/control.domain.tld/fullchain.pem
   Your key file has been saved at:
   /etc/letsencrypt/live/control.domain.tld/privkey.pem
   Your cert will expire on 2018-12-26. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot-auto
   again with the "certonly" option. To non-interactively renew *all*
   of your certificates, run "certbot-auto renew"

4. Setup Cronjob for auto-renew

Now we need to set a little cron:

Code:
crontab -e

Just enter this in a new line (check that certbot is located there, alternatively just change it in the line to the right one):

Code:
45 2 * * 6 cd /opt/certbot/ && ./certbot-auto renew && systemctl restart apache2

Save & Exit

Reloading crontabs:

Code:
systemctl reload cron

5. Testing

You can test with the following command line what would happen if you try to renew the certificates with the created cronjob:

Code:
cd /opt/certbot/ && ./certbot-auto renew --dry-run && systemctl restart apache2

Best regards
Frankenstein
Just a small note: when your server is not a master only and also hosts websites, then leave out step 4, as this collides with the LE cert renewal from ISPConfig. ISPConfig will renew the manually created cert from step 3 automatically, so there is no need for that separate cronjob.
This may get a certificate set up one time, but it will fail in the future, as the vhost file will be overwritten at each ISPConfig update. You can work around that, but you would be better off following one of the other guides for how to set up Let's Encrypt on the control panel, which use symlinks to the certificates from the existing locations, and are a more tested setup.

The guide by @ahrasis in particular will set up a vhost for the control panel to run on port 443, though in your setup, with a dedicated control panel server, all you need to do is specify using port 443 during ISPConfig's installation.
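A check for the overwrite problem raised in the reply above, added here as an example and not written by anyone in this thread: it reports when the panel vhost no longer carries the edits from step 2 and the certificate paths from step 3. The vhost path and host name are the thread's placeholders, the script name `check-panel-vhost.sh` is hypothetical, and it assumes certbot pointed the vhost at `/etc/letsencrypt/live/` as shown in the first post's output.

```shell
#!/bin/sh
# Added example: detect that the panel vhost lost the tutorial's edits.
# VHOST and PANEL_HOST use the thread's placeholder names; adjust to your server.
VHOST="${VHOST:-/etc/apache2/sites-available/ispconfig.vhost}"
PANEL_HOST="${PANEL_HOST:-web.domain.tld}"

# Print the argument of the first non-comment occurrence of a directive.
vhost_directive() {  # $1 = vhost file, $2 = directive name
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { print $2; exit }
    ' "$1"
}

# Return 0 if the edits are intact, 1 on drift (one line per finding),
# 2 if the file cannot be read.
check_panel_vhost() {  # $1 = vhost file, $2 = expected ServerName
    file=$1; host=$2; rc=0
    [ -r "$file" ] || { echo "ERROR: cannot read $file"; return 2; }

    if grep -Eiq '^[[:space:]]*Listen[[:space:]]+8080' "$file"; then
        echo "DRIFT: 'Listen 8080' is back"; rc=1
    fi
    if ! grep -Eiq '^[[:space:]]*<VirtualHost[[:space:]]+[^>]*:443>' "$file"; then
        echo "DRIFT: no <VirtualHost ...:443> block"; rc=1
    fi
    name=$(vhost_directive "$file" ServerName)
    if [ "$name" != "$host" ]; then
        echo "DRIFT: ServerName is '${name:-unset}', expected '$host'"; rc=1
    fi
    # Assumption: certbot's Apache installer pointed both directives at
    # /etc/letsencrypt/live/<name>/, as in the certbot output in the first post.
    for d in SSLCertificateFile SSLCertificateKeyFile; do
        path=$(vhost_directive "$file" "$d")
        case $path in
            /etc/letsencrypt/live/*) ;;
            *) echo "DRIFT: $d is '${path:-unset}'"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Run only when asked to, e.g. from cron: sh check-panel-vhost.sh --check
case "${1:-}" in
    --check) check_panel_vhost "$VHOST" "$PANEL_HOST"; exit $? ;;
esac
```

Run with `--check` after every ISPConfig update; a non-zero exit status means the panel is no longer serving the configuration from the tutorial.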
I'd prefer to use the default port 8080 rather than 443 for ISPConfig, but of course you can choose yours. Do take note of @Jesse Norell's advice that the vhost file may get overwritten on update if you are not careful. To safeguard your custom ispconfig.vhost, you can try to use the conf-custom folder as discussed in https://www.howtoforge.com/community/threads/proxypass-the-ispconfig-panel.78805/.