Hi,

Some months ago I manually created a certificate for the web interface because I finally got fed up with that annoying warning browsers display for "hand made" certificates. I used the standalone approach so I had to stop apache to allow certbot to bind to 80/443. From the top of my head, I did something like shown below (running certbot in interactive mode):

    /etc/init.d/apache2 stop
    /root/certbot/certbot-auto certonly
    /etc/init.d/apache2 start

Then I moved the existing certificate for the web interface to a backup folder:

    mkdir /root/ispconfig_ssl_backup
    cd /usr/local/ispconfig/interface/ssl
    mv ispserver.* /root/ispconfig_ssl_backup/

And finally I created symlinks to the newly created certificate and restarted apache:

    ln -s /etc/letsencrypt/live/[ISP.DOMAIN.COM]/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/[ISP.DOMAIN.COM]/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    /etc/init.d/apache2 restart

However, this prevents renewal of the certificate when ISPConfig invokes certbot from /usr/local/ispconfig/server/lib/classes/cron.d/900-letsencrypt.inc.php since it will try to renew it using the standalone approach, which is not possible while Apache is binding to port 80/443. It will emit an error like:

    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/[ISP.DOMAIN.COM]/fullchain.pem (failure)

At least that's what I assume is the cause of the problem, which seems to be supported by /var/log/letsencrypt/letsencrypt.log.

So I looked through /usr/local/ispconfig/server/lib/classes/letsencrypt.inc.php and found that ISPConfig creates certificates using the following command (as far as I was able to gather):

    ./opt/eff.org/certbot/venv/bin/certbot certonly -n --text --agree-tos --expand --authenticator webroot --server https://acme-v01.api.letsencrypt.org/directory --rsa-key-size 4096 --email postmaster@$domain --domains [DOMAIN HERE] --webroot-path /usr/local/ispconfig/interface/acme

My question is: is it safe for me to create the certificate for ISPConfig's web interface using the exact same command so it can be renewed automatically? Or could it mess things up for ISPConfig?

Unfortunately I'm not in a position where I can simply try things out - this is a production server running several important and fairly large websites/shops, and I'm no expert in certificates or certbot.

Thanks in advance.
Jimmy
I would recommend the following procedure: Create a website in ISPConfig that has the hostname that the ISPConfig panel uses and activate LE for this site. Then symlink the cert, bundle and key files to the /usr/local/ispconfig/interface/ssl/ files.
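The symlink step from the reply above, as an added example that is not part of the thread and not ISPConfig's own code. The function name `link_panel_cert` and the `ISP_DOMAIN` placeholder are assumptions, and it handles only the `ispserver.crt` and `ispserver.key` names quoted in the first post (not the bundle file); it refuses to touch the panel's files unless both Let's Encrypt files exist, and it is safe to run more than once.

```shell
#!/bin/sh
# Added example (not from the thread). link_panel_cert is a hypothetical helper.
# Usage: link_panel_cert LIVE_DIR SSL_DIR BACKUP_DIR
#   e.g. link_panel_cert /etc/letsencrypt/live/ISP_DOMAIN \
#            /usr/local/ispconfig/interface/ssl /root/ispconfig_ssl_backup
#   then restart Apache as in the first post. ISP_DOMAIN is a placeholder.
# Returns 0 on success, 1 if a source file is missing/empty or a step fails.
link_panel_cert() {
    live_dir=$1 ssl_dir=$2 backup_dir=$3

    # Check both source files first, so a wrong path never leaves the
    # panel without a certificate or key.
    for f in fullchain.pem privkey.pem; do
        [ -s "$live_dir/$f" ] || { echo "missing: $live_dir/$f" >&2; return 1; }
    done

    # The backup holds the old private key: keep it readable by owner only.
    mkdir -p "$backup_dir" && chmod 700 "$backup_dir" || return 1

    for pair in fullchain.pem:ispserver.crt privkey.pem:ispserver.key; do
        src=$live_dir/${pair%%:*}
        dst=$ssl_dir/${pair##*:}

        # Already pointing at the live/ file: nothing to do (idempotent).
        if [ -L "$dst" ] && [ "$(readlink "$dst")" = "$src" ]; then
            continue
        fi

        # A regular file is the old hand-made cert/key: move it to the
        # backup. A stale or wrong symlink is simply replaced below.
        if [ -e "$dst" ] && [ ! -L "$dst" ]; then
            mv "$dst" "$backup_dir/$(basename "$dst").$(date +%Y%m%d%H%M%S)" \
                || return 1
        fi

        # Link to live/ (not archive/) so each renewal is picked up
        # without re-linking; the web server only needs a restart.
        ln -sfn "$src" "$dst" || return 1
    done
}
```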
This topic is really useful for that! It doesn't just cover the ISPConfig panel but also PureFTPD, Monit, Postfix and has a script for doing all this when the cert is automatically renewed: https://www.howtoforge.com/communit...l-port-8080-with-lets-encrypt-free-ssl.75554/