SSL Cert update for ISPC/Postfix/etc broken and not working

Discussion in 'Installation/Configuration' started by intrinsic, Feb 5, 2021.

  1. intrinsic

    intrinsic New Member

    Hello everyone. I have been having difficulty adjusting from a cPanel to ISPConfig migration, and I have put in many hours of troubleshooting into making this happen. However, I think it is very well worth it because ISPConfig is an outstanding product produced by very hard working and talented developers to support the web community.
    One last step in finalizing my migration is to secure ISPConfig, Pure-FTPD, phpmyadmin, postfix and other services on the server.

    Server readout htf_report.txt
    Code:
    ##### SERVER #####
    IP-address (as per hostname): ***.***.***.***
    [WARN] could not determine server's ip address by ifconfig
    [INFO] OS version is Debian GNU/Linux 10 (buster)
    
    [INFO] uptime:  09:42:37 up  1:16,  1 user,  load average: 0.00, 0.00, 0.06
    
    [INFO] memory:
                  total        used        free      shared  buff/cache   available
    Mem:          3.9Gi       1.5Gi       361Mi        14Mi       2.0Gi       2.0Gi
    Swap:            0B          0B          0B
    
    [INFO] systemd failed services status:
    0 loaded units listed. Pass --all to see loaded but inactive units, too.
    To show all installed unit files use 'systemctl list-unit-files'.
    
    [INFO] ISPConfig is installed.
    
    ##### ISPCONFIG #####
    ISPConfig version is 3.2.2
    
    ##### VERSION CHECK #####
    
    [INFO] php (cli) version is 7.3.19-1~deb10u1
    
    ##### PORT CHECK #####
    
    
    ##### MAIL SERVER CHECK #####
    
    
    ##### RUNNING SERVER PROCESSES #####
    
    [INFO] I found the following web server(s):
            Unknown process (nginx:) (PID 2617)
    [INFO] I found the following mail server(s):
            Postfix (PID 4727)
    [INFO] I found the following pop3 server(s):
            Dovecot (PID 4770)
    [INFO] I found the following imap server(s):
            Dovecot (PID 4770)
    [INFO] I found the following ftp server(s):
            PureFTP (PID 4811)
    
    ##### LISTENING PORTS #####
    (only           ()
    Local           (Address)
    [localhost]:953         (4819/named)
    [anywhere]:25           (4727/master)
    [anywhere]:443          (2617/nginx:)
    [anywhere]:993          (4770/dovecot)
    [anywhere]:995          (4770/dovecot)
    [localhost]:10023               (5713/postgrey)
    [localhost]:10024               (4757/amavisd-new)
    [localhost]:10025               (4727/master)
    [localhost]:10026               (4757/amavisd-new)
    [localhost]:10027               (4727/master)
    [anywhere]:587          (4727/master)
    [localhost]:11211               (28176/memcached)
    [anywhere]:110          (4770/dovecot)
    [anywhere]:143          (4770/dovecot)
    [anywhere]:80           (2617/nginx:)
    [anywhere]:8080         (2617/nginx:)
    [anywhere]:465          (4727/master)
    [anywhere]:8081         (2617/nginx:)
    ***.***.***.***:53              (4819/named)
    [localhost]:53          (4819/named)
    [anywhere]:21           (4811/pure-ftpd)
    [anywhere]:22           (449/sshd)
    *:*:*:*::*:953          (4819/named)
    *:*:*:*::*:25           (4727/master)
    *:*:*:*::*:443          (2617/nginx:)
    *:*:*:*::*:993          (4770/dovecot)
    *:*:*:*::*:995          (4770/dovecot)
    *:*:*:*::*:10024                (4757/amavisd-new)
    *:*:*:*::*:10026                (4757/amavisd-new)
    *:*:*:*::*:3306         (4442/mysqld)
    *:*:*:*::*:587          (4727/master)
    [localhost]10           (4770/dovecot)
    [localhost]43           (4770/dovecot)
    *:*:*:*::*:80           (2617/nginx:)
    *:*:*:*::*:8080         (2617/nginx:)
    *:*:*:*::*:465          (4727/master)
    *:*:*:*::*:8081         (2617/nginx:)
    *:*:*:*::*:53           (4819/named)
    *:*:*:*::*:21           (4811/pure-ftpd)
    *:*:*:*::*:22           (449/sshd)
    
    ##### IPTABLES #####
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    
    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    
    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination
    I have attempted to review the following posts below, but they have not yielded any success:
    howtoforge(dot)com/tutorial/securing-ispconfig-3-with-a-free-lets-encrypt-ssl-certificate/

    On the second thread, I have modified the ISPConfig commands for the acme.sh path, replacing the bolded parts to reflect the new location of the keys:

    Code:
    cd /usr/local/ispconfig/interface/ssl/
    mv ispserver.crt ispserver.crt-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.key ispserver.key-$(date +"%y%m%d%H%M%S").bak
    mv ispserver.pem ispserver.pem-$(date +"%y%m%d%H%M%S").bak
    ln -s /root/.acme.sh/$(hostname -f)/fullchain.pem ispserver.crt
    ln -s /root/.acme.sh/$(hostname -f)/privkey.pem ispserver.key
    cat ispserver.{key,crt} > ispserver.pem
    chmod 600 ispserver.pem
    The certificates from any previous requests have been removed, and a force update using ispconfig_update.sh --force creates a new self-signed certificate instead of one issued by LE. I believe this thread details that: git.ispconfig(dot)org/ispconfig/ispconfig3/-/issues/6016

    I am now unable to troubleshoot and secure the portals and postfix to make the migration complete. Any help would be very appreciated!
     
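A quick consistency check for the material under /usr/local/ispconfig/interface/ssl, added here as an example that is not from the thread or from ISPConfig itself: it verifies that the three files resolve (symlinks included), that ispserver.pem carries both key and certificate with mode 600, and, when openssl is present, that the key belongs to the certificate and whether the certificate is self-signed, which is the symptom the forced updater run produced above. The default directory and file names are those used in the post; the return-code scheme is this script's own.

```shell
#!/bin/sh
# Added example (not from the thread or ISPConfig): sanity-check the
# certificate material ISPConfig keeps in /usr/local/ispconfig/interface/ssl.
# Return codes: 0 = consistent and CA-issued, 1 = layout/consistency problem,
# 2 = consistent but self-signed (what a forced updater run leaves behind).
check_ispserver_ssl() {
    dir=${1:-/usr/local/ispconfig/interface/ssl}
    crt=$dir/ispserver.crt
    key=$dir/ispserver.key
    pem=$dir/ispserver.pem
    rc=0
    # Symlinks (e.g. into /root/.acme.sh) must resolve to real files.
    for f in "$crt" "$key" "$pem"; do
        if [ ! -f "$f" ]; then echo "MISSING $f (dangling symlink?)"; rc=1; fi
    done
    [ "$rc" -eq 0 ] || return 1
    # ispserver.pem is the concatenation Postfix/Dovecot/Pure-FTPd consume:
    # it needs both a private key block and a certificate block.
    grep -q 'BEGIN .*PRIVATE KEY' "$pem" || { echo "NO KEY in $pem"; rc=1; }
    grep -q 'BEGIN CERTIFICATE' "$pem"   || { echo "NO CERT in $pem"; rc=1; }
    # The combined file carries the private key, so it must not be readable by others.
    mode=$(stat -c %a "$pem" 2>/dev/null || stat -f %Lp "$pem")
    [ "$mode" = 600 ] || { echo "MODE $mode on $pem, expected 600"; rc=1; }
    [ "$rc" -eq 0 ] || return 1
    # With openssl available, also verify key/cert agreement and the issuer.
    command -v openssl >/dev/null 2>&1 || return 0
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "MISMATCH: ispserver.key does not belong to ispserver.crt"
        return 1
    fi
    subj=$(openssl x509 -in "$crt" -noout -subject)
    issuer=$(openssl x509 -in "$crt" -noout -issuer)
    # A self-signed certificate has identical subject and issuer.
    if [ "${subj#subject=}" = "${issuer#issuer=}" ]; then
        echo "SELF-SIGNED: $subj"
        return 2
    fi
    echo "OK: $(openssl x509 -in "$crt" -noout -enddate)"
    return 0
}
```

Run it as `check_ispserver_ssl` (or with another directory as its argument) after every updater run; a return of 2 means the services are still presenting the self-signed certificate rather than the LE one.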
  2. till

    till Super Moderator Staff Member ISPConfig Developer

  3. intrinsic

    intrinsic New Member

    Hi Till, thank you for the response. Having LE working correctly was the easy part, as your FAQ and other tutorials were thorough and made setting them up easy. I have all the subdomains and domains secured with acme.sh.

    I have gone through the FAQ as follows:
    - Check that you have Let's Encrypt (certbot) installed. ISPConfig 3.1.16 and newer will also support acme.sh as client.
      certbot has not been installed, as 3.2.2 of ISPConfig was installed with acme.sh
    - Check that the Let's Encrypt client 'certbot' is updated (when using certbot).
      N/A
    - Check that you run the latest ISPConfig version.
      Latest stable version 3.2.2
    - When your server is behind a NAT router so that the server itself can not reach the hosted domains, then enable the option "Skip Letsencrypt check" under System > Server config > web.
      Setting was confirmed before first domain was added
    - Check that all domain names (incl. auto subdomain www etc), subdomains and aliasdomains really point to the right website and are working. Open one after another in your browser and test that.
      All A records and subdomains working with HTTPS
    - If you still use Apache 2.2, then update your ispconfig to git-stable branch with the ispconfig_update.sh script to get an updated vhost template. After you did that, use Tools > resync to apply the new template to all sites or apply it to a single site by altering a value in the site settings and press save, before you try to activate Let's Encrypt again. This is only necessary on apache 2.2 systems, newer apache 2.4 or nginx systems are not affected.
      Server is utilizing NGINX
    - If you updated to ISPConfig 3.1 and deselected the "reconfigure services" option during update (which is selected by default), then Let's Encrypt will fail as your server is missing the Let's Encrypt configuration in the ispconfig apache configuration files. Redo the update and choose to reconfigure services in that case.
      Reconfigure services was used during ISPConfig force update

    If I am missing anything, I would really be grateful to hear. Again, this is the last step needed for me to be able to break free from cPanel :D
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    This is about a very special edge case where certbot and LE are installed on old systems or the certbot or acme.sh installation step from install guides was skipped, so nothing that applies to a common fresh ISPConfig installation that has certbot installed when you followed one of our install guides.

    This guide is not compatible with ISPConfig 3.2.2, and even altering it to use acme.sh paths will just do harm, as it may prevent the ispconfig updater from issuing a cert, so better not do that if you want to get an LE cert issued for the other services.
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you checked the log?
     
