[Solved] SSL Cert on ISPConfig 3 (master/master) Multi-server setup

Discussion in 'General' started by dvazart, Dec 10, 2015.

  1. dvazart

    dvazart New Member

    Hello,

    I have some questions about installing a SSL Cert on my ISPConfig 3 (master/master) Multi-server setup.

    I'm running: two OpenVZ containers on Debian 7 x64 with ISPConfig 3.0.5.4p8 in a Master/Master cluster.

    srv1.mycompany.com 123.123.123.123
    srv2.mycompany.com 123.123.123.124

    To let my customers access to the ISPConfig interface, I'm doing Round-robin with two "A" records like:

    https://cp.mycompany.com:8080 --> 123.123.123.123
    https://cp.mycompany.com:8080 --> 123.123.123.124

    and also I have a reseller who's doing the same thing with his own domain name, like:

    https://cp.reseller.com:8080 --> 123.123.123.123
    https://cp.reseller.com:8080 --> 123.123.123.124

    My goal is to avoid the warnings about the self signed certificates when accessing to the ISPConfig interface. For this I want to buy a SSL Cert, but I don't know what kind of SSL Cert is the best advised for my setup: separate SSL Certs for each server or a Wildcard certificate? considering that my reseller want to profit of this feature too.

    Another question: there are posibility to do this with a free SSL solution like https://letsencrypt.org/ ?

    Thanks in advance for your reply,

    Regards !
     
  2. sjau

    sjau Local Meanie Moderator

    ssl certs are name-based. Letsencrypt gives you free certs but no idea how to link those to ispc interface.
     
  3. florian030

    florian030 Well-Known Member HowtoForge Supporter

    install the cert and the key in /usr(local/ispconfig/interface/ssl
     
  4. sjau

    sjau Local Meanie Moderator

    So, will the LE inclusion in ISPC also be extended for ISPC itself?
     
  5. florian030

    florian030 Well-Known Member HowtoForge Supporter

    ??? the ssl-key and cert for the interface are stored in interface/ssl
     
  6. sjau

    sjau Local Meanie Moderator

    There is integration for Let's Encrypt in ISPC planned. But as far as I know the discussion was only about hosted domains with automatic ssl (renewal) through LE. So I wondered if an option will be added also to get certs for ISPC itself.
     
  7. dvazart

    dvazart New Member

    Hello,

    Thanks for your answers ! this is how I did it:

    You have to run the following commands in each server in the cluster, this setup works for Debian 7.0 with Apache or NGINX.

    Install some dependencies:
    Code:
    apt-get install build-essential python-pip git
    pip install virtualenv
    pip install pyopenssl ndg-httpsclient pyasn1
    pip install cryptography
    
    Stop your webserver:
    Code:
    service apache2 stop
    
    Install LetsEncrypt client:
    Code:
    git clone https://github.com/letsencrypt/letsencrypt
    cd letsencrypt
    ./letsencrypt-auto certonly
    
    When asked, add all the domain names from where your ISPConfig can be accessed, in my scenario I put:

    On srv1.mycompany.com:
    Code:
    srv1.mycompany.com, cp.mycompany.com, cp.reseller.com
    
    On srv2.mycompany.com:
    Code:
    srv2.mycompany.com, cp.mycompany.com, cp.reseller.com
    
    Backup the self signed certificates:
    Code:
    mkdir /usr/local/ispconfig/interface/ssl/originales
    mv /usr/local/ispconfig/interface/ssl/isp* /usr/local/ispconfig/interface/ssl/originales
    
    Link the new (letsencrypt) certificates :
    Code:
    ln -s /etc/letsencrypt/live/srv1.mycompany.com/fullchain.pem /usr/local/ispconfig/interface/ssl/ispserver.crt
    ln -s /etc/letsencrypt/live/srv2.mycompany.com/privkey.pem /usr/local/ispconfig/interface/ssl/ispserver.key
    
    Start your webserver:
    Code:
    service apache2 start
    
    You are done !
     
  8. To follow dvazart's instructions, I had to use option 2 (standalone) after executing ./letsencrypt-auto certonly. This option places the certificates' in the /etc/letsencrypt/live/your-domain-here.com/ folder so you can easily place the symbolic links' stated above.

    [​IMG]
     
  9. ahrasis

    ahrasis Well-Known Member

    Last edited: Feb 24, 2018
    Richard Foley likes this.

Share This Page